L.P.H. van Belle
2016-Jan-07  08:45 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hi Ole,

What does this give you as output?

host bpn.tu-berlin.de

I assume your DNS domain name is the same as your REALM_NAME?

For me it shows the 2 IP addresses of my DCs.
And my MX record.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
> Sent: Wednesday 6 January 2016 19:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>
> On 1/6/2016 10:56 AM, Ole Traupe wrote:
>> Ok, I updated resolv.conf as you said. Then I restarted the network service on this member server and afterwards suspended the 1st DC. Now, kinit gives me again:
>>
>> "Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting initial credentials"
>>
>> Ole
>>
>> On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
>>> For the member servers, to reduce timeouts etc. when one DC is down, change your resolv.conf to:
>>>
>>> domain internal.domain.tld
>>> search internal.domain.tld
>>>
>>> nameserver IP_DC1
>>> nameserver IP_DC2
>>>
>>> options timeout:2
>>> options attempts:2
>>> options rotate
>>> options edns0
>>>
>>> See man resolv.conf for the options explained.
>>>
>>> Oh.. and..
>>>
>>> domain and search are NOT exclusive anymore in Debian Jessie and up. At least, I didn't find it anymore.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>>> Sent: Tuesday 5 January 2016 12:30
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>>>
>>>>> I can't recall but are you able to get a packet trace? This may help further troubleshoot.
>>>> I'll look into this. However, Rowland stated that bind9 will be the only solution.
>>>>
>>>>> Just to recap, do you have both servers listed as available DNS servers on your workstations? As well as your member server?
>>>> Yes, of course. For member servers, this is the content of /etc/resolv.conf:
>>>>
>>>> search my.domain.tld
>>>> nameserver IP_of_1st_DC
>>>> nameserver IP_of_2nd_DC
>>>>
>>>>> I made a small tweak but haven't fully tested: adding the following options to my resolv.conf.
>>>>>
>>>>> cat /etc/resolvconf/resolv.conf.d/tail
>>>>> options timeout:1
>>>> Great, this sounds exactly like what I need! However, I tried this: no effect. I created this file and restarted the network service. But I still get long timeouts and can't log in via ssh when I suspend my 1st DC.
>>>>
>>>> # cat /etc/resolvconf/resolv.conf.d/tail
>>>> options timeout:1
>>>> options edns0
>>>>
>>>> Or do I need Network Manager for that?
>>>>
>>>>> options edns0
>>>> What's that for, particularly?
>>>>
>>>>> timeout:n
>>>>> sets the amount of time the resolver will wait for a response from a remote name server before retrying the query via a different name server. Measured in seconds, the default is RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option is silently capped to 30.
>>>>>
>>>>> edns0 (since glibc 2.6)
>>>>> sets RES_USE_EDNSO in _res.options. This enables support for the DNS extensions described in RFC 2671.
>>>>>
>>>>> From what I researched, this is the intended behavior on a Microsoft Server. Again I can disable my "PDC" and log in from a Windows workstation just fine. It appears for some users after an hour or so they run into issues.
>>>> I thought this was only happening with roaming machines resulting in cached logins.
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>
> Ole,
>
> Sorry you are having so many issues. I've tried reading back through this thread to verify everything that has been covered. Can you try this command with the PDC up and down? Reply with your findings.
>
> KRB5_TRACE=/dev/stdout kinit administrator
>
> --
> -James
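As an added example (not code from the thread or from Samba): a POSIX shell check that compares a member server's resolv.conf with the failover settings Louis recommends above (two nameservers, timeout:2, attempts:2, rotate) and gives a rough upper bound on how long a lookup can hang when the first DC is down. The two sample files and their 10.0.0.x addresses are constructed for the demo; the glibc defaults (timeout 5, attempts 2) come from the resolv.conf man page quoted in the thread.

```shell
# Numeric resolv.conf option (e.g. timeout), or the glibc default if unset.
resolv_opt() {
    v=$(sed -n "s/^options.*$2:\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
    echo "${v:-$3}"
}
# Compare a resolv.conf with the failover settings from the thread.
# Returns 0 when it matches, 1 when a recommended setting is missing.
check_resolv_conf() {
    f="$1"; rc=0
    ns=$(grep -c '^nameserver[[:space:]]' "$f" || true)
    [ "$ns" -ge 2 ] || { echo "WARN: $ns nameserver line(s); list both DCs"; rc=1; }
    t=$(resolv_opt "$f" timeout 5)
    [ "$t" -le 2 ] || { echo "WARN: timeout:$t (glibc default 5); use 1 or 2"; rc=1; }
    a=$(resolv_opt "$f" attempts 2)
    [ "$a" -le 2 ] || { echo "WARN: attempts:$a; keep it at 2"; rc=1; }
    grep -q '^options.*rotate' "$f" || echo "NOTE: no rotate; every query tries DC1 first"
    return "$rc"
}
# Rough upper bound, in seconds, before a lookup fails outright: every attempt
# walks each listed server and waits 'timeout' on a dead one (glibc resolver).
worst_case_seconds() {
    ns=$(grep -c '^nameserver[[:space:]]' "$1" || true)
    echo $(( ns * $(resolv_opt "$1" timeout 5) * $(resolv_opt "$1" attempts 2) ))
}
# Constructed samples: Ole's minimal file and Louis's recommended one.
write_samples() {
    cat > "$1/ole.conf" <<'EOF'
search my.domain.tld
nameserver 10.0.0.1
nameserver 10.0.0.2
EOF
    cat > "$1/louis.conf" <<'EOF'
search internal.domain.tld
nameserver 10.0.0.1
nameserver 10.0.0.2
options timeout:2
options attempts:2
options rotate
options edns0
EOF
}
tmp=$(mktemp -d); write_samples "$tmp"
for c in ole louis; do
    printf '%s.conf: worst case %ss\n' "$c" "$(worst_case_seconds "$tmp/$c.conf")"
    check_resolv_conf "$tmp/$c.conf" && echo "  looks fine"
done
rm -r "$tmp"
```

Point check_resolv_conf at the real /etc/resolv.conf on a member server to see which of the recommended settings it is missing.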
Rowland penny
2016-Jan-07  09:20 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 07/01/16 08:45, L.P.H. van Belle wrote:
> What does this give you as output?
> host bpn.tu-berlin.de
>
> I assume your DNS domain name is the same as your REALM_NAME?
>
> For me it shows the 2 IP addresses of my DCs.
> And my MX record.

Hi Louis and Ole,

Just for interest I ran 'host bpn.tu-berlin.de' in a terminal; all I get back is:

bpn.tu-berlin.de mail is handled by 100 mail.tu-berlin.de.

No NS records.

Yet when I search on my dns/kerberos domain:

host samdom.example.com
samdom.example.com has address 192.168.0.6
samdom.example.com has address 192.168.0.5

Rowland
L.P.H. van Belle
2016-Jan-07  09:28 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Yes, that's exactly what Ole must test.

And optionally the result of:

dig A internal.domain.tld @IP_DC1
dig A internal.domain.tld @IP_DC2

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 7 January 2016 10:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>
> Hi Louis and Ole,
>
> Just for interest I ran 'host bpn.tu-berlin.de' in a terminal; all I get back is:
>
> bpn.tu-berlin.de mail is handled by 100 mail.tu-berlin.de.
>
> No NS records.
>
> Yet when I search on my dns/kerberos domain:
>
> host samdom.example.com
> samdom.example.com has address 192.168.0.6
> samdom.example.com has address 192.168.0.5
>
> Rowland
Ole Traupe
2016-Jan-07  10:30 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Yes, it does for me, too. What is an MX record?

On 07.01.2016 at 09:45, L.P.H. van Belle wrote:
> What does this give you as output?
> host bpn.tu-berlin.de
>
> I assume your DNS domain name is the same as your REALM_NAME?
>
> For me it shows the 2 IP addresses of my DCs.
> And my MX record.
Rowland penny
2016-Jan-07  10:41 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 07/01/16 10:30, Ole Traupe wrote:
> Yes, it does for me, too. What is an MX record?

It points to the server that deals with your email, i.e. the machine that has postfix installed on it; however, it could be pointing to a CNAME and the machine could be called something else.

Rowland
Ole Traupe
2016-Jan-07  10:48 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Please don't post any sensitive information - even if I forget sanitizing it.

This is probably the reason behind it: our corporate DNS servers hold info about our machines. This works together with DHCP. By registering the machines I simply prevent any IP conflicts. My domain DNS has nothing to do with it. In my domain members (Win clients and Linux servers) only my DCs are set as DNS servers, and these members don't use DHCP.

Within my subnet, I get exactly the same as Rowland reported below.

Ole

On 07.01.2016 at 10:28, L.P.H. van Belle wrote:
> Yes, that's exactly what Ole must test.
>
> And optionally the result of:
> dig A internal.domain.tld @IP_DC1
> dig A internal.domain.tld @IP_DC2
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Thursday 7 January 2016 10:20
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>
>> Hi Louis and Ole,
>>
>> Just for interest I ran 'host bpn.tu-berlin.de' in a terminal; all I get back is:
>>
>> bpn.tu-berlin.de mail is handled by 100 mail.tu-berlin.de.
>>
>> No NS records.
>>
>> Yet when I search on my dns/kerberos domain:
>>
>> host samdom.example.com
>> samdom.example.com has address 192.168.0.6
>> samdom.example.com has address 192.168.0.5
>>
>> Rowland
L.P.H. van Belle
2016-Jan-07  11:00 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Ok.. maybe I've seen something, don't know for sure, so Rowland, what do you think about the below?

Post the result of:

klist -e -k /etc/krb5.keytab

I see in your logs:

AS key obtained for encrypted timestamp: aes256-cts/000A

In my setup, I don't have aes256-cts available in my keytab; do you?

You can try adding this to krb5.conf:

; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

And IF you're firewalling port 53, make sure you have 53/udp and 53/tcp open.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday 7 January 2016 11:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>
> Please don't post any sensitive information - even if I forget sanitizing it.
>
> This is probably the reason behind it: our corporate DNS servers hold info about our machines. This works together with DHCP. By registering the machines I simply prevent any IP conflicts. My domain DNS has nothing to do with it. In my domain members (Win clients and Linux servers) only my DCs are set as DNS servers, and these members don't use DHCP.
>
> Within my subnet, I get exactly the same as Rowland reported below.
>
> Ole