James
2016-Jan-06 18:09 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 1/6/2016 10:56 AM, Ole Traupe wrote:
> Ok, I updated resolv.conf as you said. Then I restarted the network
> service on this member server and afterwards suspended the 1st DC.
> Now, kinit gives me again:
>
> "Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting
> initial credentials"
>
> Ole
>
>
> On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
>> For the member servers, to reduce timeouts etc. when one DC is down.
>>
>> Change your resolv.conf to:
>> domain internal.domain.tld
>> search internal.domain.tld
>>
>> nameserver IP_DC1
>> nameserver IP_DC2
>>
>> options timeout:2
>> options attempts:2
>> options rotate
>> options edns0
>>
>> see man resolv.conf for the options explained.
>>
>> Ow.. and ..
>>
>> domain and search are NOT exclusive anymore in Debian Jessie and up.
>> At least, I didn't find it anymore.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>> Sent: Tuesday, 5 January 2016 12:30
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>> initially fails when PDC is offline
>>>
>>>
>>>> I can't recall, but are you able to get a packet trace? This may
>>>> help further troubleshoot.
>>> I'll look into this. However, Rowland stated that bind9 will be the
>>> only solution.
>>>
>>>
>>>> Just to recap, do you have both servers listed as available DNS servers
>>>> on your workstations? As well as your member server?
>>> Yes, of course. For member servers, this is the content of
>>> /etc/resolv.conf:
>>>
>>> search my.domain.tld
>>> nameserver IP_of_1st_DC
>>> nameserver IP_of_2nd_DC
>>>
>>>
>>>> A small tweak I made but haven't fully tested is adding the following
>>>> options to my resolv.conf.
>>>>
>>>> cat /etc/resolvconf/resolv.conf.d/tail
>>>> options timeout:1
>>> Great, this sounds exactly like what I need! However, I tried this: no
>>> effect. I created this file and restarted the network service. But I
>>> still get long timeouts and can't log in via ssh when I suspend my
>>> 1st DC.
>>>
>>> # cat /etc/resolvconf/resolv.conf.d/tail
>>> options timeout:1
>>> options edns0
>>>
>>> Or do I need Network Manager for that?
>>>
>>>
>>>> options edns0
>>> What's that for, particularly?
>>>
>>>
>>>> timeout:n
>>>> sets the amount of time the resolver will wait
>>>> for a response from a remote name server before retrying the query
>>>> via a different name server. Measured in seconds, the default is
>>>> RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option
>>>> is silently capped to 30.
>>>>
>>>> edns0 (since glibc 2.6)
>>>> sets RES_USE_EDNS0 in _res.options. This enables
>>>> support for the DNS extensions described in RFC 2671.
>>>>
>>>> From what I researched, this is the intended behavior on a Microsoft
>>>> Server. Again, I can disable my "PDC" and log in from a Windows
>>>> workstation just fine. It appears for some users after an hour or so
>>>> they run into issues.
>>> I thought this was only happening with roaming machines resulting in
>>> cached logins.
>>>
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
>

Ole,

Sorry you are having so many issues. I've tried reading back through this thread to verify everything that has been covered. Can you try this command with the "PDC" up and down? Reply with your findings.

KRB5_TRACE=/dev/stdout kinit administrator

--
-James
Ole Traupe
2016-Jan-07 10:38 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
> Ole,
>
> Sorry you are having so many issues. I've tried reading back
> through this thread to verify everything that has been covered. Can
> you try this command with the "PDC" up and down? Reply with your findings.
>
> KRB5_TRACE=/dev/stdout kinit administrator
>

up:

[25392] 1452162640.959713: Getting initial credentials for administrator at my.domain.tld
[25392] 1452162640.960294: Sending request (196 bytes) to my.domain.tld
[25392] 1452162640.963005: Resolving hostname dc2.my.domain.tld.
[25392] 1452162640.964554: Sending initial UDP request to dgram IP_of_1st_DC:88
[25392] 1452162640.972442: Received answer from dgram IP_of_1st_DC:88
[25392] 1452162640.973243: Response was not from master KDC
[25392] 1452162640.973293: Received error from KDC: -1765328359/Additional pre-authentication required
[25392] 1452162640.973381: Processing preauth types: 16, 15, 2, 19
[25392] 1452162640.973412: Selected etype info: etype aes256-cts, salt "my.domain.tldAdministrator", params "
Password for administrator at my.domain.tld:
[25392] 1452162654.272879: AS key obtained for encrypted timestamp: aes256-cts/000A
[25392] 1452162654.272939: Encrypted timestamp (for 1452162654.272886): plain 301AA011180F32303136303130373130333035345AA10502030429F6, encrypted 0587DE7E7028F2F0FA2301D9752568B10A38B2612FFBCF1E45238C54655F2590A6BDA0B7892D871D74D01F0C6A8FB8D98189C827FB508E6D
[25392] 1452162654.272964: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[25392] 1452162654.272970: Produced preauth for next request: 2
[25392] 1452162654.272991: Sending request (276 bytes) to my.domain.tld
[25392] 1452162654.275253: Resolving hostname dc2.my.domain.tld.
[25392] 1452162654.276241: Sending initial UDP request to dgram IP_of_1st_DC:88
[25392] 1452162654.293008: Received answer from dgram IP_of_1st_DC:88
[25392] 1452162654.293846: Response was not from master KDC
[25392] 1452162654.293884: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[25392] 1452162654.293896: Request or response is too big for UDP; retrying with TCP
[25392] 1452162654.293905: Sending request (276 bytes) to my.domain.tld (tcp only)
[25392] 1452162654.294950: Resolving hostname dc2.my.domain.tld.
[25392] 1452162654.295961: Initiating TCP connection to stream IP_of_1st_DC:88
[25392] 1452162654.296311: Sending TCP request to stream IP_of_1st_DC:88
[25392] 1452162654.306517: Received answer from stream IP_of_1st_DC:88
[25392] 1452162654.307269: Response was not from master KDC
[25392] 1452162654.307329: Processing preauth types: 3
[25392] 1452162654.307338: Received salt "▒▒" via padata type 3
[25392] 1452162654.307346: Produced preauth for next request: (empty)
[25392] 1452162654.307362: AS key determined by preauth: aes256-cts/000A
[25392] 1452162654.307519: Decrypted AS reply; session key is: aes256-cts/CC03
[25392] 1452162654.307530: FAST negotiation: unavailable
[25392] 1452162654.307584: Initializing FILE:/tmp/krb5cc_500 with default princ administrator at my.domain.tld
[25392] 1452162654.307878: Removing administrator at my.domain.tld -> krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500
[25392] 1452162654.307896: Storing administrator at my.domain.tld -> krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500

down:

[25433] 1452162724.421830: Getting initial credentials for administrator at my.domain.tld
[25433] 1452162724.422374: Sending request (196 bytes) to my.domain.tld
[25433] 1452162734.434842: Resolving hostname dc2.my.domain.tld.
[25433] 1452162739.441465: Sending initial UDP request to dgram IP_of_1st_DC:88
[25433] 1452162740.442397: Resolving hostname dc3.my.domain.tld.
[25433] 1452162745.448521: Sending initial UDP request to dgram IP_of_2nd_DC:88
[25433] 1452162745.457681: Received answer from dgram IP_of_2nd_DC:88
[25433] 1452162750.463572: Response was not from master KDC
[25433] 1452162750.463632: Received error from KDC: -1765328359/Additional pre-authentication required
[25433] 1452162750.463730: Processing preauth types: 16, 15, 2, 19
[25433] 1452162750.463760: Selected etype info: etype aes256-cts, salt "my.domain.tldAdministrator", params "
Password for administrator at my.domain.tld:
[25433] 1452162816.498918: AS key obtained for encrypted timestamp: aes256-cts/000A
[25433] 1452162816.498982: Encrypted timestamp (for 1452162816.498929): plain 301AA011180F32303136303130373130333333365AA1050203079CF1, encrypted 92F31344A600C388356043A6DCA99852E03F80BC71B95326657F1DCCA430CD627B0DFFFF6485933DA506843C7CEB25C769781170587918F0
[25433] 1452162816.499008: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[25433] 1452162816.499014: Produced preauth for next request: 2
[25433] 1452162816.499037: Sending request (276 bytes) to my.domain.tld
[25433] 1452162826.511008: Resolving hostname dc2.my.domain.tld.
[25433] 1452162831.517053: Sending initial UDP request to dgram IP_of_1st_DC:88
[25433] 1452162832.517377: Resolving hostname dc3.my.domain.tld.
[25433] 1452162837.523435: Sending initial UDP request to dgram IP_of_2nd_DC:88
[25433] 1452162837.542201: Received answer from dgram IP_of_2nd_DC:88
[25433] 1452162842.548057: Response was not from master KDC
[25433] 1452162842.548097: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[25433] 1452162842.548110: Request or response is too big for UDP; retrying with TCP
[25433] 1452162842.548119: Sending request (276 bytes) to my.domain.tld (tcp only)
[25433] 1452162847.554168: Resolving hostname dc2.my.domain.tld.
[25433] 1452162852.560277: Initiating TCP connection to stream IP_of_1st_DC:88
[25433] 1452162853.561334: Resolving hostname dc3.my.domain.tld.
[25433] 1452162858.567424: Initiating TCP connection to stream IP_of_2nd_DC:88
[25433] 1452162858.567481: Terminating TCP connection to stream IP_of_1st_DC:88
[25433] 1452162858.567629: Sending TCP request to stream IP_of_2nd_DC:88
[25433] 1452162858.586625: Received answer from stream IP_of_2nd_DC:88
[25433] 1452162863.592199: Response was not from master KDC
[25433] 1452162863.592323: Processing preauth types: 3
[25433] 1452162863.592336: Received salt "▒▒" via padata type 3
[25433] 1452162863.592346: Produced preauth for next request: (empty)
[25433] 1452162863.592376: AS key determined by preauth: aes256-cts/000A
[25433] 1452162863.592512: Decrypted AS reply; session key is: aes256-cts/22DC
[25433] 1452162863.592521: FAST negotiation: unavailable
[25433] 1452162863.592584: Initializing FILE:/tmp/krb5cc_500 with default princ administrator at my.domain.tld
[25433] 1452162863.592868: Removing administrator at my.domain.tld -> krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500
[25433] 1452162863.592885: Storing administrator at my.domain.tld -> krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500

If you find any sensitive (un-sanitized) info, you can keep it. ;)
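As an added example (not part of the thread, not Samba or MIT krb5 code), a small Python script that does what a reader does by hand with a KRB5_TRACE dump: it parses the `[pid] epoch: message` lines, computes how long the client waited before each step, and reports which KDC endpoints were tried and which one finally answered. The sample trace is constructed from the "down" run posted above, keeping the poster's IP_of_1st_DC / IP_of_2nd_DC placeholders; the names SAMPLE_TRACE, parse_trace, slow_steps, kdcs_tried and answered_by are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "down" KRB5_TRACE run posted above
# (IP_of_1st_DC / IP_of_2nd_DC are the poster's own placeholders).
SAMPLE_TRACE = """\
[25433] 1452162724.421830: Getting initial credentials for administrator@my.domain.tld
[25433] 1452162724.422374: Sending request (196 bytes) to my.domain.tld
[25433] 1452162734.434842: Resolving hostname dc2.my.domain.tld.
[25433] 1452162739.441465: Sending initial UDP request to dgram IP_of_1st_DC:88
[25433] 1452162740.442397: Resolving hostname dc3.my.domain.tld.
[25433] 1452162745.448521: Sending initial UDP request to dgram IP_of_2nd_DC:88
[25433] 1452162745.457681: Received answer from dgram IP_of_2nd_DC:88
"""

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")

@dataclass
class Step:
    ts: float
    msg: str
    delay: float  # seconds the client waited before this line appeared

def parse_trace(text):
    """Parse KRB5_TRACE lines; password prompts and other noise are skipped."""
    steps, prev = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = float(m.group(2)), m.group(3)
        steps.append(Step(ts, msg, 0.0 if prev is None else ts - prev))
        prev = ts
    return steps

def slow_steps(steps, threshold=2.0):
    """(delay, message) for every step preceded by more than threshold seconds
    of waiting; in the thread's trace these are the DNS lookups and the UDP
    send to the suspended DC, i.e. the resolver timeouts the thread is about."""
    return [(round(s.delay, 1), s.msg) for s in steps if s.delay > threshold]

def kdcs_tried(steps):
    """KDC endpoints contacted, in order, without duplicates."""
    seen = []
    for s in steps:
        m = re.search(r"to (?:dgram|stream) (\S+:\d+)", s.msg)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def answered_by(steps):
    """Endpoint that actually answered, or None if the run got no reply."""
    for s in steps:
        m = re.search(r"Received answer from (?:dgram|stream) (\S+:\d+)", s.msg)
        if m:
            return m.group(1)
    return None
```

Run against a real capture with `parse_trace(open("trace.txt").read())`; a step that waits 5 s or more before a "Resolving hostname" line points at the resolver, not at the KDC.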
Ole Traupe
2016-Jan-07 10:40 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 07.01.2016 at 11:38, Ole Traupe wrote:
> [...]
>
> If you find any sensitive (un-sanitized) info, you can keep it. ;)

This is without the timeout adjustments to resolv.conf we discussed earlier.