[Samba] Inconsistent NT_STATUS_NO_LOGON_SERVERS with AD (multi domain)
Paul Taylor
ptaylor at scu.edu.au
Mon Sep 19 16:47:43 MDT 2011
Hi
I work for a medium sized University and have recently set up some new infrastructure to authenticate our wireless users against Active Directory. Everything was working as expected, or so I thought. I set up a monitoring script that performs an ntlm_auth every minute, and it shows that the authentication is failing inconsistently, but for around 5 minutes at a time (see below).
There are two development servers that I am trialling different configurations with to test.
The architecture is currently 5 RHEL5 64bit servers running Radiator 4.4 authenticating off of Active Directory. The database resides on Oracle 11.2g RAC. The service is load balanced behind a BIG-IP 6900.
DESIGN
All servers will be load balanced behind the BIG-IP.
2 production servers site1
2 production servers site2
1 production server site3
Database residing on Oracle RAC 11.2g
CONFIGURATION
Radiator 4.4 using NTLM EAP PEAP
SAMBA 3.0.33-3.29 (ntlm_auth)
BIG-IP
Two Virtual Servers. One for auth port. One for accounting port.
Production Radius Pool = 5 servers
Load balanced method Round Robin
Monitors
1. Built in monitors for auth and accounting.
radiusdev1
smb.conf
[global]
workgroup = ROOT
realm = SCU.AD
security = ADS
password server = *
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SCU.AD
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
SCU.AD = {
kdc = lp-server2-wv.scu.ad
admin_server = lp-server2-wv.scu.ad
default_domain = scu.ad
}
[domain_realm]
.kerberos.server = SCU.AD
.scu.ad = SCU.AD
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
radiusdev2
[global]
workgroup = ROOT
realm = SCU.AD
security = ADS
client schannel = Yes
server schannel = Yes
password server = 10.30.4.20, 10.30.4.21, *
client signing = required
server signing = required
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SCU.AD
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
SCU.AD = {
kdc = lp-server2-wv.scu.ad
admin_server = lp-server2-wv.scu.ad
default_domain = scu.ad
}
[domain_realm]
.kerberos.server = SCU.AD
.scu.ad = SCU.AD
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Log of the failed NTLM auth
--
Paul
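The minute-by-minute ntlm_auth probe described in the post, as an added example (not Paul's script): it keeps the NT_STATUS token from each attempt, records which DC winbind is talking to when the answer is NO_LOGON_SERVERS, and summarises how long each run of failures lasted. Domain ROOT, the monitoring account, and the log path are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): a once-a-minute ntlm_auth
# probe that logs the NT_STATUS returned, snapshots winbind's DC view when the
# answer is NO_LOGON_SERVERS, and summarises how long each failure run lasted.
# Assumptions, all placeholders: domain ROOT, a dedicated monitoring account,
# Samba 3.x ntlm_auth/wbinfo in PATH, log file /var/log/ntlm_probe.log.

MON_DOMAIN="${MON_DOMAIN:-ROOT}"
MON_USER="${MON_USER:-monitor-account}"    # placeholder account
MON_PASS="${MON_PASS:-change-me}"          # placeholder; inject from a secret store
PROBE_LOG="${PROBE_LOG:-/var/log/ntlm_probe.log}"

# classify_ntlm_output "<stdout of ntlm_auth>"
# ntlm_auth prints e.g. "NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)";
# reduce that to a one-word token the log and the window summary key on.
classify_ntlm_output() {
    case "$1" in
        *NT_STATUS_OK*)               echo OK ;;
        *NT_STATUS_NO_LOGON_SERVERS*) echo NO_LOGON_SERVERS ;;
        *NT_STATUS_LOGON_FAILURE*)    echo LOGON_FAILURE ;;
        *) echo "OTHER:$(printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z_]*\).*/\1/p')" ;;
    esac
}

# probe_once: one authentication attempt, appended to the log as "EPOCH STATUS".
# On NO_LOGON_SERVERS also record which DC winbind believes it is using and
# whether the machine trust account still works, so an outage can be tied to a
# particular controller rather than to "the domain".
probe_once() {
    out=$(ntlm_auth --domain="$MON_DOMAIN" --username="$MON_USER" \
                    --password="$MON_PASS" 2>&1 || true)
    status=$(classify_ntlm_output "$out")
    now=$(date +%s)
    echo "$now $status" >> "$PROBE_LOG"
    if [ "$status" = NO_LOGON_SERVERS ]; then
        echo "$now dc: $(wbinfo --getdcname="$MON_DOMAIN" 2>&1 | tr '\n' ' ')" >> "$PROBE_LOG"
        echo "$now trust: $(wbinfo -t 2>&1 | tr '\n' ' ')" >> "$PROBE_LOG"
    fi
}

# failure_windows [LOGFILE]: one line "START END SAMPLES STATUS" per run of
# consecutive non-OK probes (STATUS is the first sample's); reads stdin if no file.
failure_windows() {
    awk '$2 == "dc:" || $2 == "trust:" { next }
         $2 != "OK" { if (!open) { start = $1; st = $2; n = 0; open = 1 }
                      end = $1; n++; next }
         open { print start, end, n, st; open = 0 }
         END { if (open) print start, end, n, st }' "$@"
}

# From cron every minute: NTLM_PROBE_RUN=1 sh ntlm_probe.sh
if [ "${NTLM_PROBE_RUN:-0}" = 1 ]; then probe_once; fi
```

Compare the START/END pairs from failure_windows with the DC names recorded beside them to see whether every 5-minute window lands on the same controller.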