Thanks, I will try that. What about krb.conf? Any changes required there?

(Sorry about the top post. Your MUA's message quoting mechanism makes it hard 
to bottom post as I am normally used to doing.)

--
Eric Robinson


________________________________
From: Robinson, Eric
Sent: Monday, May 27, 2013 11:39 AM
To: 'Rowland Penny'
Cc: 'Marc Muehlfeld'; 'samba@lists.samba.org'
Subject: RE: [Samba] Linux Servers in an AD Domain with Multiple Windows Domain 
Controllers


On 27 May 2013 19:14, Robinson, Eric <eric.robin...@psmnv.com> wrote:
> -----Original Message-----
> From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de]
> Sent: Saturday, May 25, 2013 3:31 PM
> To: Robinson, Eric
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Linux Servers in an AD Domain with
> Multiple Windows Domain Controllers
>
> Hello Eric,
>
> On 25.05.2013 18:29, Robinson, Eric wrote:
> > We have three Windows domain controllers in our AD domain. They are
> > DC01, DC02, and DC03. We have Linux (RHEL5 and 6) servers in the
> > domain as well. The Linux servers are working fine with AD. However,
> > they are currently configured in krb.conf and krb5.conf to use only
> > DC01 for AD domain controller. If DC01 is down, Linux servers cannot
> > authenticate. How do we configure the Linux servers to use multiple
> > domain controllers for AD, so if DC01 is down everything continues
> > to work on the Linux side?
>
> I saw that you asked that question already 1.5 years ago on
> this list:
> http://markmail.org/message/slugpbka33ap4ima
>
> Didn't the two suggestions from Marcel and Andrew work? If
> not, what were the problems with them? Then maybe we find a
> way to get it to work.
>
> Regards,
> Marc
>

Hi Marc -- Thanks very much for following up on this. I did try Marcel and 
Andrew's suggestions (see below) but it did not work. When server DC01 is down, 
Windows users can still login fine, but when I try to ssh to a Linux box, the 
login hangs for a long time or forever. Also, Marcel and Andrew did not address 
my follow-up question about the krb.conf file. They only mentioned the 
krb5.conf file.

For reference, my krb.conf looks like this...

MYCHARTS.MD     dc01.mycharts.md:88
MYCHARTS.MD     dc01.mycharts.md:749 admin server

My krb5.conf looks like the following... note the second entry for the DC named 
TS04.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYCHARTS.MD
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  kpasswd_protocol = SET_CHANGE
  #default_domain = example.com
 }

[domain_realm]
 *.mycharts.md = MYCHARTS.MD
 .mycharts.md = MYCHARTS.MD

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

--Eric
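
As an added example (not part of the original thread and not code from Samba or MIT Kerberos), this Python script parses the [realms] section of a krb5.conf like the one posted above and reports which server roles name only a single host, so the entries that still point only at DC01 stand out. The function names are hypothetical and the sample input is constructed from the posted config.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the krb5.conf quoted in the message above.
SAMPLE = """\
[libdefaults]
 default_realm = MYCHARTS.MD
[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  kpasswd_protocol = SET_CHANGE
  #default_domain = example.com
 }
"""
ROLES = ("kdc", "admin_server", "kpasswd_server")  # relations that name a server

def realm_hosts(text):
    """Parse [realms] and return {realm: {role: [host, ...]}}, ports stripped."""
    section, realm = None, None
    realms = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line == "}":
            realm = None
        elif section == "realms" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                realm = key  # start of a realm subsection
            elif realm and key in ROLES:
                realms[realm][key].append(value.rsplit(":", 1)[0].lower())
    return realms

def single_host_roles(text):
    """List (realm, role, host) for each role that names exactly one host."""
    return [(realm, role, hosts[0])
            for realm, roles in realm_hosts(text).items()
            for role, hosts in roles.items() if len(set(hosts)) == 1]

if __name__ == "__main__":
    for realm, role, host in single_host_roles(SAMPLE):
        print(f"{realm}: {role} names only {host}")
```
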




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

