On 04.02.2023 15:41, Rowland Penny via samba wrote:
>
> On 04/02/2023 13:43, Peter Milesson via samba wrote:
>
>>>
>>> I think what is happening here is that your kerberos ticket is too
>>> old, it still has the old keys in it.
>> How can I fix that?
>
> I have never had to do this, but I 'think' you need to run
> 'chgtdcpass' on the DC, which will change the computers password.
>
>
> I have 'CC'ed Andrew on this, so do not do anything until/if he
> replies, I would not like to steer you in the wrong direction and
> destroy your domain.
>
> Rowland
>
Hi Rowland,
Thanks for your answer.
Just one more bit of information. If I run nslookup, the session looks
like this on both DCs:
root@konadc3:~# nslookup
> set type=SRV
> _ldap._tcp.konstrukce.local
;; communications error to 172.16.10.11#53: timed out
Server:         172.16.10.11
Address:        172.16.10.11#53
_ldap._tcp.konstrukce.local     service = 0 100 389 konadc2.konstrukce.local.
_ldap._tcp.konstrukce.local     service = 0 100 389 konadc3.konstrukce.local.
If I issue _ldap._tcp.konstrukce.local several times in a row with no,
or a very short, delay, the communications error does not show up.
I have checked the ports, and port 53 is opened by a samba task. There
is no other service, or application grabbing the port.
Everything seems to work normally, however. If I add an A record on one
of the DCs, it's on the other DC in a snap. Domain members also seem to
work as they should.
I will wait until further informed.
Best regards,
Peter