[Samba] samba4 dc to adc failover

Morgan Toal mtoal at burlingtoniowa.org
Mon Dec 31 08:53:10 MST 2012


Hi Andrew,

thanks for your response. I am trying to look into this issue better. 
Regrettably, I've never taken the time to learn to use the packet 
tracer. Need to do this someday. But maybe we can muddle through without it.

THEORY:
DNS is not right somehow.
I am using the internal samba DNS server.
On both test1 and test2, I have both IP addresses of test1 and test2 
in resolv.conf
On both test1 and test2, iptables is stopped.
On client, I have ip address of test1 and test2 as dns servers.

I replicated my experiment this morning.

1) I stopped samba on server test1.
2) I set the log level on test2 (the additional domain controller) to 10
3) I tried to log events from my client 18.165 to the server test2.
4) I made sure that the client 18.165 did have test2's ip address as a 
dns server.
5) I made sure iptables was stopped on test2.
6) I started active directory users and computers on the client.
7) I see this on the server:

[root@test2 ~]# tail -f /var/log/samba4.log | grep 18.165
   Received DNS UDP packet of length 34 from ipv4:192.168.18.165:55360
   Received DNS UDP packet of length 34 from ipv4:192.168.18.165:58481
   Received DNS UDP packet of length 34 from ipv4:192.168.18.165:54073

8) I get the following message on the client, which is different than 
what I got before, "Naming information cannot be located"

screenshot at http://imgur.com/LMz6y

9) I run it again, for the heck of it. I get the message about the 
"possible attempt to compromise security" that I had gotten before.

  screenshot at http://imgur.com/xRIYk

10) I brought test1 back up, and checked replication status.

What is with the krb5 errors?????

[root@test1 samba]# samba-tool drs showrepl test1
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.18.202
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.18.202
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.18.202
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.18.202
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.18.202
Default-First-Site-Name\TEST1
DSA Options: 0x00000001
DSA object GUID: e71bb117-b03e-4e83-b5c0-5db5d8876442
DSA invocationId: 51281f84-6ea0-4c70-ab86-3151ba3f4f39

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ Mon Dec 31 09:46:19 2012 CST was successful
                 0 consecutive failure(s).
                 Last success @ Mon Dec 31 09:46:19 2012 CST

DC=DomainDnsZones,DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ Mon Dec 31 09:46:22 2012 CST was successful
                 0 consecutive failure(s).
                 Last success @ Mon Dec 31 09:46:22 2012 CST

DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ Mon Dec 31 09:46:32 2012 CST was successful
                 0 consecutive failure(s).
                 Last success @ Mon Dec 31 09:46:32 2012 CST

CN=Schema,CN=Configuration,DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ Mon Dec 31 09:46:32 2012 CST was successful
                 0 consecutive failure(s).
                 Last success @ Mon Dec 31 09:21:20 2012 CST

CN=Configuration,DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ Mon Dec 31 09:46:09 2012 CST was successful
                 0 consecutive failure(s).
                 Last success @ Mon Dec 31 09:46:09 2012 CST

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=DomainDnsZones,DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

CN=Configuration,DC=test,DC=local
         Default-First-Site-Name\TEST2 via RPC
                 DSA object GUID: 71b2aa4e-902f-4b7f-b6d8-5ce6dfc6b572
                 Last attempt @ NTTIME(0) was successful
                 0 consecutive failure(s).
                 Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
         Connection name: 5e648aea-6308-4ce8-8765-d9c6dd51c75e
         Enabled        : TRUE
         Server DNS name : TEST2.test.local
         Server DN name  : CN=NTDS Settings,CN=TEST2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
                 TransportType: RPC
                 options: 0x00000001
Warning: No NC replicated for Connection!
[root@test1 samba]#
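
An added example, not part of the original post and not Samba code: a small parser for `samba-tool drs showrepl` text like the output above. It counts the smb_krb5 connection errors per host and lists neighbour entries whose last success is NTTIME(0) or differs from the last attempt. The sample is a constructed excerpt with the mail line wrapping undone; the function names are illustrative and the "failed" wording of the attempt line is an assumption.

```python
import re
# Constructed excerpt in the shape of the output above (mail wrapping undone).
SAMPLE = r"""Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.18.202
Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED from 192.168.18.202
==== INBOUND NEIGHBORS ====
DC=test,DC=local
        Default-First-Site-Name\TEST2 via RPC
                Last attempt @ Mon Dec 31 09:46:32 2012 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 31 09:46:32 2012 CST
CN=Schema,CN=Configuration,DC=test,DC=local
        Default-First-Site-Name\TEST2 via RPC
                Last attempt @ Mon Dec 31 09:46:32 2012 CST was successful
                0 consecutive failure(s).
                Last success @ Mon Dec 31 09:21:20 2012 CST
==== OUTBOUND NEIGHBORS ====
DC=test,DC=local
        Default-First-Site-Name\TEST2 via RPC
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)
"""

def parse_showrepl(text):
    """Return ({host: krb5 error count}, [neighbour entry dicts])."""
    refused, rows, section, nc, cur = {}, [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"Error reading smb_krb5 reply packet: \S+ from (\S+)", s):
            refused[m[1]] = refused.get(m[1], 0) + 1
        elif s.startswith("===="):  # only the NEIGHBORS sections are parsed
            section = s.split()[1] if "NEIGHBORS" in s else None
        elif section and s and not line[0].isspace():
            nc = s  # naming context lines start in column 0
        elif section and s.endswith(" via RPC"):
            rows.append(cur := {"dir": section, "nc": nc, "peer": s[:-8]})
        elif cur and section and (m := re.match(
                r"Last (attempt|success) @ (.+?)( was successful| failed.*)?$", s)):
            cur[m[1]] = m[2]
            if m[3]:  # the "failed" wording is an assumption, not shown above
                cur["result"] = m[3].strip()
        elif cur and section and (m := re.match(r"(\d+) consecutive failure", s)):
            cur["failures"] = int(m[1])
    return refused, rows

def review_candidates(rows):
    # Zero timestamp, or a last success that differs from the last attempt.
    return [(r["dir"], r["nc"], r["success"]) for r in rows
            if r["success"] == "NTTIME(0)" or r["success"] != r["attempt"]]
```
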


