James
2016-Jan-06 18:09 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 1/6/2016 10:56 AM, Ole Traupe wrote:> Ok, I updated resolv.conf as you said. Then I restarted the network > service on this member server and afterwords suspended the 1st DC. > Now, kinit gives me again: > > "Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting > initial credentials" > > Ole > > > Am 05.01.2016 um 13:41 schrieb L.P.H. van Belle: >> For the member servers, to reduce timeouts etc when one DC is down. >> >> Change your resolv.conf to : >> domain internal.domain.tld >> search internal.domain.tld >> >> nameserver IP_DC1 >> nameserver IP_DC2 >> >> options timeout:2 >> options attempts:2 >> options rotate >> options edns0 >> >> see man resolv.conf for the options explained. >> >> Ow.. and .. >> >> domain and search are NOT exclusive anymore in Debian Jessie and up. >> At least, i didnt find it anymore. >> >> Greetz, >> >> Louis >> >> >> >>> -----Oorspronkelijk bericht----- >>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe >>> Verzonden: dinsdag 5 januari 2016 12:30 >>> Aan: samba at lists.samba.org >>> Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller >>> initially fails when PDC is offline >>> >>> >>>> I can't recall but are you able to get a packet trace? This may >>>> help further troubleshoot. >>> I'll look into this. However, Rowland stated that bind9 will be the >>> only >>> solution. >>> >>> >>>> Just to recap you do you both servers listed as available DNS servers >>>> on your workstations? As well as your member server? >>> Yes, of course. For member servers, this is the content of >>> /etc/resolv.conf: >>> >>> search my.domain.tld >>> nameserver IP_of_1st_DC >>> nameserver IP_of_2nd_DC >>> >>> >>>> I made a small tweak but haven't fully tested is adding the following >>>> options to my resolv.conf. >>>> >>>> cat /etc/resolvconf/resolv.conf.d/tail >>>> options timeout:1 >>> Great, this sounds exactly as what I need! However, I tried this: no >>> effect. I created this file and restarted the network service. But I >>> still get long timeouts and can't login via ssh, when I suspend my >>> 1st DC. >>> >>> # cat /etc/resolvconf/resolv.conf.d/tail >>> options timeout:1 >>> options edns0 >>> >>> Or do I need Network Manager for that? >>> >>> >>>> options edns0 >>> What's that for, particularly? >>> >>> >>>> timeout:n >>>> sets the amount of time the resolver will wait >>>> for a response from a remote name server before retrying the query >>>> via a different name >>>> server. Measured in seconds, the default is >>>> RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option >>>> is silently capped to 30. >>>> >>>> edns0 (since glibc 2.6) >>>> sets RES_USE_EDNSO in _res.options. This enables >>>> support for the DNS extensions described in RFC 2671. >>>> >>>> From what I researched, this is the intended behavior on a Microsoft >>>> Server. Again I can disable my "PDC" and log in from a windows >>>> workstation just fine. It appears for some users after a hour or so >>>> they run into issues >>> I thought this was only happening with roaming machines resulting in >>> cached logins. >>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >> >> > >Ole, Sorry you are having so many issues. I've tried reading back through this thread to verify everything that has been covered. Can you try this command with the "PDC up and down? Reply with your findings. KRB5_TRACE=/dev/stdout kinit administrator -- -James
Ole Traupe
2016-Jan-07 10:38 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>> > Ole, > > Sorry you are having so many issues. I've tried reading back > through this thread to verify everything that has been covered. Can > you try this command with the "PDC up and down? Reply with your findings. > > KRB5_TRACE=/dev/stdout kinit administrator >up: [25392] 1452162640.959713: Getting initial credentials for administrator at my.domain.tld [25392] 1452162640.960294: Sending request (196 bytes) to my.domain.tld [25392] 1452162640.963005: Resolving hostname dc2.my.domain.tld. [25392] 1452162640.964554: Sending initial UDP request to dgram IP_of_1st_DC:88 [25392] 1452162640.972442: Received answer from dgram IP_of_1st_DC:88 [25392] 1452162640.973243: Response was not from master KDC [25392] 1452162640.973293: Received error from KDC: -1765328359/Additional pre-authentication required [25392] 1452162640.973381: Processing preauth types: 16, 15, 2, 19 [25392] 1452162640.973412: Selected etype info: etype aes256-cts, salt "my.domain.tldAdministrator", params " Password for administrator at my.domain.tld: [25392] 1452162654.272879: AS key obtained for encrypted timestamp: aes256-cts/000A [25392] 1452162654.272939: Encrypted timestamp (for 1452162654.272886): plain 301AA011180F32303136303130373130333035345AA10502030429F6, encrypted 0587DE7E7028F2F0FA2301D9752568B10A38B2612FFBCF1E45238C54655F2590A6BDA0B7892D871D74D01F0C6A8FB8D98189C827FB508E6D [25392] 1452162654.272964: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success [25392] 1452162654.272970: Produced preauth for next request: 2 [25392] 1452162654.272991: Sending request (276 bytes) to my.domain.tld [25392] 1452162654.275253: Resolving hostname dc2.my.domain.tld. [25392] 1452162654.276241: Sending initial UDP request to dgram IP_of_1st_DC:88 [25392] 1452162654.293008: Received answer from dgram IP_of_1st_DC:88 [25392] 1452162654.293846: Response was not from master KDC [25392] 1452162654.293884: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP [25392] 1452162654.293896: Request or response is too big for UDP; retrying with TCP [25392] 1452162654.293905: Sending request (276 bytes) to my.domain.tld (tcp only) [25392] 1452162654.294950: Resolving hostname dc2.my.domain.tld. [25392] 1452162654.295961: Initiating TCP connection to stream IP_of_1st_DC:88 [25392] 1452162654.296311: Sending TCP request to stream IP_of_1st_DC:88 [25392] 1452162654.306517: Received answer from stream IP_of_1st_DC:88 [25392] 1452162654.307269: Response was not from master KDC [25392] 1452162654.307329: Processing preauth types: 3 [25392] 1452162654.307338: Received salt "▒▒" via padata type 3 [25392] 1452162654.307346: Produced preauth for next request: (empty) [25392] 1452162654.307362: AS key determined by preauth: aes256-cts/000A [25392] 1452162654.307519: Decrypted AS reply; session key is: aes256-cts/CC03 [25392] 1452162654.307530: FAST negotiation: unavailable [25392] 1452162654.307584: Initializing FILE:/tmp/krb5cc_500 with default princ administrator at my.domain.tld [25392] 1452162654.307878: Removing administrator at my.domain.tld -> krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500 [25392] 1452162654.307896: Storing administrator at my.domain.tld -> krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500 down: [25433] 1452162724.421830: Getting initial credentials for administrator at my.domain.tld [25433] 1452162724.422374: Sending request (196 bytes) to my.domain.tld [25433] 1452162734.434842: Resolving hostname dc2.my.domain.tld. [25433] 1452162739.441465: Sending initial UDP request to dgram IP_of_1st_DC:88 [25433] 1452162740.442397: Resolving hostname dc3.my.domain.tld. [25433] 1452162745.448521: Sending initial UDP request to dgram IP_of_2nd_DC:88 [25433] 1452162745.457681: Received answer from dgram IP_of_2nd_DC:88 [25433] 1452162750.463572: Response was not from master KDC [25433] 1452162750.463632: Received error from KDC: -1765328359/Additional pre-authentication required [25433] 1452162750.463730: Processing preauth types: 16, 15, 2, 19 [25433] 1452162750.463760: Selected etype info: etype aes256-cts, salt "my.domain.tldAdministrator", params " Password for administrator at my.domain.tld: [25433] 1452162816.498918: AS key obtained for encrypted timestamp: aes256-cts/000A [25433] 1452162816.498982: Encrypted timestamp (for 1452162816.498929): plain 301AA011180F32303136303130373130333333365AA1050203079CF1, encrypted 92F31344A600C388356043A6DCA99852E03F80BC71B95326657F1DCCA430CD627B0DFFFF6485933DA506843C7CEB25C769781170587918F0 [25433] 1452162816.499008: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success [25433] 1452162816.499014: Produced preauth for next request: 2 [25433] 1452162816.499037: Sending request (276 bytes) to my.domain.tld [25433] 1452162826.511008: Resolving hostname dc2.my.domain.tld. [25433] 1452162831.517053: Sending initial UDP request to dgram IP_of_1st_DC:88 [25433] 1452162832.517377: Resolving hostname dc3.my.domain.tld. [25433] 1452162837.523435: Sending initial UDP request to dgram IP_of_2nd_DC:88 [25433] 1452162837.542201: Received answer from dgram IP_of_2nd_DC:88 [25433] 1452162842.548057: Response was not from master KDC [25433] 1452162842.548097: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP [25433] 1452162842.548110: Request or response is too big for UDP; retrying with TCP [25433] 1452162842.548119: Sending request (276 bytes) to my.domain.tld (tcp only) [25433] 1452162847.554168: Resolving hostname dc2.my.domain.tld. [25433] 1452162852.560277: Initiating TCP connection to stream IP_of_1st_DC:88 [25433] 1452162853.561334: Resolving hostname dc3.my.domain.tld. [25433] 1452162858.567424: Initiating TCP connection to stream IP_of_2nd_DC:88 [25433] 1452162858.567481: Terminating TCP connection to stream IP_of_1st_DC:88 [25433] 1452162858.567629: Sending TCP request to stream IP_of_2nd_DC:88 [25433] 1452162858.586625: Received answer from stream IP_of_2nd_DC:88 [25433] 1452162863.592199: Response was not from master KDC [25433] 1452162863.592323: Processing preauth types: 3 [25433] 1452162863.592336: Received salt "▒▒" via padata type 3 [25433] 1452162863.592346: Produced preauth for next request: (empty) [25433] 1452162863.592376: AS key determined by preauth: aes256-cts/000A [25433] 1452162863.592512: Decrypted AS reply; session key is: aes256-cts/22DC [25433] 1452162863.592521: FAST negotiation: unavailable [25433] 1452162863.592584: Initializing FILE:/tmp/krb5cc_500 with default princ administrator at my.domain.tld [25433] 1452162863.592868: Removing administrator at my.domain.tld -> krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500 [25433] 1452162863.592885: Storing administrator at my.domain.tld -> krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500 If you find any sensitive (un-sanitized) info, you can keep it. ;)
Ole Traupe
2016-Jan-07 10:40 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Am 07.01.2016 um 11:38 schrieb Ole Traupe:> >>> >> Ole, >> >> Sorry you are having so many issues. I've tried reading back >> through this thread to verify everything that has been covered. Can >> you try this command with the "PDC up and down? Reply with your >> findings. >> >> KRB5_TRACE=/dev/stdout kinit administrator >> > > up: > > > [25392] 1452162640.959713: Getting initial credentials for > administrator at my.domain.tld > [25392] 1452162640.960294: Sending request (196 bytes) to my.domain.tld > [25392] 1452162640.963005: Resolving hostname dc2.my.domain.tld. > [25392] 1452162640.964554: Sending initial UDP request to dgram > IP_of_1st_DC:88 > [25392] 1452162640.972442: Received answer from dgram IP_of_1st_DC:88 > [25392] 1452162640.973243: Response was not from master KDC > [25392] 1452162640.973293: Received error from KDC: > -1765328359/Additional pre-authentication required > [25392] 1452162640.973381: Processing preauth types: 16, 15, 2, 19 > [25392] 1452162640.973412: Selected etype info: etype aes256-cts, salt > "my.domain.tldAdministrator", params " > Password for administrator at my.domain.tld: > [25392] 1452162654.272879: AS key obtained for encrypted timestamp: > aes256-cts/000A > [25392] 1452162654.272939: Encrypted timestamp (for > 1452162654.272886): plain > 301AA011180F32303136303130373130333035345AA10502030429F6, encrypted > 0587DE7E7028F2F0FA2301D9752568B10A38B2612FFBCF1E45238C54655F2590A6BDA0B7892D871D74D01F0C6A8FB8D98189C827FB508E6D > [25392] 1452162654.272964: Preauth module encrypted_timestamp (2) > (flags=1) returned: 0/Success > [25392] 1452162654.272970: Produced preauth for next request: 2 > [25392] 1452162654.272991: Sending request (276 bytes) to my.domain.tld > [25392] 1452162654.275253: Resolving hostname dc2.my.domain.tld. > [25392] 1452162654.276241: Sending initial UDP request to dgram > IP_of_1st_DC:88 > [25392] 1452162654.293008: Received answer from dgram IP_of_1st_DC:88 > [25392] 1452162654.293846: Response was not from master KDC > [25392] 1452162654.293884: Received error from KDC: > -1765328332/Response too big for UDP, retry with TCP > [25392] 1452162654.293896: Request or response is too big for UDP; > retrying with TCP > [25392] 1452162654.293905: Sending request (276 bytes) to > my.domain.tld (tcp only) > [25392] 1452162654.294950: Resolving hostname dc2.my.domain.tld. > [25392] 1452162654.295961: Initiating TCP connection to stream > IP_of_1st_DC:88 > [25392] 1452162654.296311: Sending TCP request to stream IP_of_1st_DC:88 > [25392] 1452162654.306517: Received answer from stream IP_of_1st_DC:88 > [25392] 1452162654.307269: Response was not from master KDC > [25392] 1452162654.307329: Processing preauth types: 3 > [25392] 1452162654.307338: Received salt "▒▒" via padata type 3 > [25392] 1452162654.307346: Produced preauth for next request: (empty) > [25392] 1452162654.307362: AS key determined by preauth: aes256-cts/000A > [25392] 1452162654.307519: Decrypted AS reply; session key is: > aes256-cts/CC03 > [25392] 1452162654.307530: FAST negotiation: unavailable > [25392] 1452162654.307584: Initializing FILE:/tmp/krb5cc_500 with > default princ administrator at my.domain.tld > [25392] 1452162654.307878: Removing administrator at my.domain.tld -> > krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500 > [25392] 1452162654.307896: Storing administrator at my.domain.tld -> > krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500 > > > down: > > > [25433] 1452162724.421830: Getting initial credentials for > administrator at my.domain.tld > [25433] 1452162724.422374: Sending request (196 bytes) to my.domain.tld > [25433] 1452162734.434842: Resolving hostname dc2.my.domain.tld. > [25433] 1452162739.441465: Sending initial UDP request to dgram > IP_of_1st_DC:88 > [25433] 1452162740.442397: Resolving hostname dc3.my.domain.tld. > [25433] 1452162745.448521: Sending initial UDP request to dgram > IP_of_2nd_DC:88 > [25433] 1452162745.457681: Received answer from dgram IP_of_2nd_DC:88 > [25433] 1452162750.463572: Response was not from master KDC > [25433] 1452162750.463632: Received error from KDC: > -1765328359/Additional pre-authentication required > [25433] 1452162750.463730: Processing preauth types: 16, 15, 2, 19 > [25433] 1452162750.463760: Selected etype info: etype aes256-cts, salt > "my.domain.tldAdministrator", params " > Password for administrator at my.domain.tld: > [25433] 1452162816.498918: AS key obtained for encrypted timestamp: > aes256-cts/000A > [25433] 1452162816.498982: Encrypted timestamp (for > 1452162816.498929): plain > 301AA011180F32303136303130373130333333365AA1050203079CF1, encrypted > 92F31344A600C388356043A6DCA99852E03F80BC71B95326657F1DCCA430CD627B0DFFFF6485933DA506843C7CEB25C769781170587918F0 > [25433] 1452162816.499008: Preauth module encrypted_timestamp (2) > (flags=1) returned: 0/Success > [25433] 1452162816.499014: Produced preauth for next request: 2 > [25433] 1452162816.499037: Sending request (276 bytes) to my.domain.tld > [25433] 1452162826.511008: Resolving hostname dc2.my.domain.tld. > [25433] 1452162831.517053: Sending initial UDP request to dgram > IP_of_1st_DC:88 > [25433] 1452162832.517377: Resolving hostname dc3.my.domain.tld. > [25433] 1452162837.523435: Sending initial UDP request to dgram > IP_of_2nd_DC:88 > [25433] 1452162837.542201: Received answer from dgram IP_of_2nd_DC:88 > [25433] 1452162842.548057: Response was not from master KDC > [25433] 1452162842.548097: Received error from KDC: > -1765328332/Response too big for UDP, retry with TCP > [25433] 1452162842.548110: Request or response is too big for UDP; > retrying with TCP > [25433] 1452162842.548119: Sending request (276 bytes) to > my.domain.tld (tcp only) > [25433] 1452162847.554168: Resolving hostname dc2.my.domain.tld. > [25433] 1452162852.560277: Initiating TCP connection to stream > IP_of_1st_DC:88 > [25433] 1452162853.561334: Resolving hostname dc3.my.domain.tld. > [25433] 1452162858.567424: Initiating TCP connection to stream > IP_of_2nd_DC:88 > [25433] 1452162858.567481: Terminating TCP connection to stream > IP_of_1st_DC:88 > [25433] 1452162858.567629: Sending TCP request to stream IP_of_2nd_DC:88 > [25433] 1452162858.586625: Received answer from stream IP_of_2nd_DC:88 > [25433] 1452162863.592199: Response was not from master KDC > [25433] 1452162863.592323: Processing preauth types: 3 > [25433] 1452162863.592336: Received salt "▒▒" via padata type 3 > [25433] 1452162863.592346: Produced preauth for next request: (empty) > [25433] 1452162863.592376: AS key determined by preauth: aes256-cts/000A > [25433] 1452162863.592512: Decrypted AS reply; session key is: > aes256-cts/22DC > [25433] 1452162863.592521: FAST negotiation: unavailable > [25433] 1452162863.592584: Initializing FILE:/tmp/krb5cc_500 with > default princ administrator at my.domain.tld > [25433] 1452162863.592868: Removing administrator at my.domain.tld -> > krbtgt/my.domain.tld at my.domain.tld from FILE:/tmp/krb5cc_500 > [25433] 1452162863.592885: Storing administrator at my.domain.tld -> > krbtgt/my.domain.tld at my.domain.tld in FILE:/tmp/krb5cc_500 > > > If you find any sensitive (un-sanitized) info, you can keep it. ;)This is without the timeout adjustments to resolv.conf we discussed earlier.
Apparently Analagous Threads
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline