[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

L.P.H. van Belle belle at bazuin.nl
Fri Dec 11 14:31:28 UTC 2015


Commented in between. 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Friday 11 December 2015 14:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> Hi folks,
> 
> a) thank you all for your help, I highly appreciate your time and effort,
> and I am sure I can resolve this issue very soon!
> b) I have to delay this until early next week, as I have to attend to
> other matters for now.
> 
> All I can say, Louis, is that I won't set up a new DC to resolve this -
> at least not for now. This seems to be another problem of Samba4 not
> being able to deal with multiple DCs properly. And this has to be able
> to be resolved on an otherwise working domain without changing its
> architecture or other more drastic measures. This is my point of view at
> the moment. Your suggestion reminds me a bit of some typical forum
> replies to "Reinstall the OS" in case of any problems that can't be
> solved in an instant.
[L.P.H. van Belle] 
I don't think this is another problem of Samba4, but this is a problem which started in the beginning of your install, at least that's what I suspect based on all your info on the list. 
I suspect that, when you "installed" the new DC with the old name/IP, you forgot somewhere to remove old entries in AD and/or DNS.
And this is why I suggested it. Normally I don't suggest something like this, but I do think that if you set up clean you will have a better running server with fewer problems, but what you choose is all up to you. 
Do what you think is best for you.

> 
> If necessary, I will just create the missing DNS entries of my 2nd DC by
> hand. Although I would prefer a working script supplied by a
> professional (which I am not). At least I would like to know which DNS
> entries for my 2nd DC are essential for logins to work. I wouldn't very
> much like to try this out. However, I am aware that your time is as
> limited as mine (if not even more so), and you are under no obligation in
> any way.
[L.P.H. van Belle] 

> At least I would like to know which DNS
> entries for my 2nd DC are essential for logins to work.
And what you ask here is already answered a few times IMO. 

Again, you're quicker with a clean install, and you learn more from it. 
And with clean, I don't mean dropping your AD, just add a new "DC join" to hold the AD data so you can remove the faulty server and then you can install that server again, but now as it should be. 
AND when you join a DC your login problem is fixed also.  ;-) 


> Besides, I didn't forget to delete anything. I used the script from the
> wiki to get rid of old records pertaining to my former 1st DC after I
> had created the records of my *new* 1st DC. I checked the results:
> everything related to my former first DC was gone. Also I
> documented/discussed this process here on the list. And nobody pointed
> me to things I forgot or was leaving out. I know that use of this script
> was totally "on my own risk". But the results were as they should have
> been, at least as far as I am able to tell.

[L.P.H. van Belle] Which script? Can anyone point that one out for me? I can't find it. I only know about 
https://bugzilla.samba.org/show_bug.cgi?id=10595 

> 
> That said, I will go through your responses and get back to you with
> results.
> 
> Best, have a good weekend!
> Ole
[L.P.H. van Belle] 
Thank you, and have a very good weekend also, I hope your problem is fixed soon. 

> 
> 
> On 11.12.2015 at 13:33, mathias dufresne wrote:
> > Thank you Rowland for noticing that.
> >
> > Here it is:
> > ------------------------------------------------------------------
> > #!/usr/bin/awk -f
> >
> > BEGIN {
> >    ad_zone = "YOUR.DOMAIN.TLD"
> >    msdcs_zone = "_msdcs." ad_zone
> >    dns_server = "YOUR-DC"
> > }
> > {
> >    if ($0 ~ /UPDATE SECTION:/) {
> >      # the record itself is on the next line: name ttl IN type rdata
> >      getline
> >      print NF, $0
> >      if ($4 == "A") {
> >        if($1 ~ /_msdcs/) {
> >          zone = msdcs_zone
> >        } else {
> >          zone = ad_zone
> >        }
> >        # strip the zone suffix to get the name relative to the zone
> >        record = $1
> >        regexp = "." zone "."
> >        sub(regexp, "", record)
> >        # add the record to the zone chosen above, not to msdcs_zone for every record
> >        cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes"
> >        #cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " " $2
> >        print cmd
> >        cmd | getline
> >        close(cmd)
> >      }
> >      if ($4 == "SRV") {
> >        if($1 ~ /_msdcs/) {
> >          zone = msdcs_zone
> >        } else {
> >          zone = ad_zone
> >        }
> >        record = $1
> >        regexp = "." zone "."
> >        sub(regexp, "", record)
> >        # samba-tool takes SRV data as 'target port priority weight'
> >        cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
> >        #cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' " $2
> >        print cmd
> >        cmd | getline
> >        close(cmd)
> >      }
> >    }
> > }
> > ------------------------------------------------------------------
> >
> > This script does not take into account missing NS records, as samba_dnsupdate
> > does not try to create them.
> >
> >
> > 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:
> >
> >> On 11/12/15 10:29, mathias dufresne wrote:
> >>
> >>> Hi Ole,
> >>>
> >>> Using internal DNS samba_dnsupdate does not work correctly, at least not
> >>> every time.
> >>>
> >>> Someone modified this samba_dnsupdate tool commenting this line:
> >>> os.unlink(tmpfile)
> >>> which should be line 413.
> >>>
> >>> Doing that he was able to get the files generated by samba_dnsupdate and use
> >>> them as argument of the nsupdate command (without -g switch and with "allow dns
> >>> updates = nonsecure" in smb.conf).
> >>>
> >>> I was not able to make that process work here but I did not try hard. As
> >>> this process was sent directly to me I share it.
> >>>
> >>> The process I use to generate all DNS records is to run samba_dnsupdate
> >>> --all-names --verbose and send the output of that command to the attached awk
> >>> script.
> >>> The awk script gets information from samba_dnsupdate for each record and
> >>> launches samba-tool to create the DNS record. This script is not clever: it tries
> >>> to create all mentioned DNS records, generating warnings when a record already
> >>> exists.
> >>>
> >>> You will have to modify this awk script as the BEGIN section contains fake
> >>> information related to the AD domain:
> >>>
> >>> BEGIN {
> >>>     ad_zone = "YOUR.DOMAIN.TLD"
> >>>     msdcs_zone = "_msdcs." ad_zone
> >>>     dns_server = "YOUR-DC"
> >>> }
> >>>
> >>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
> >>> configuration.
> >>>
> >>> The awk script uses kerberos authentication when running samba-tool so you
> >>> will need to generate a kerberos ticket for some AD admin before:
> >>> 1°) kinit administrator
> >>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
> >>>
> >>> As it is not an issue to try to create an entry which already exists you can
> >>> run that script on each DC to ensure all entries are correctly created on all DCs.
> >>>
> >>> Best regards,
> >>>
> >>> mathias dufresne
> >>>
> >>>
> >>>
> >> There is a flaw with your script!
> >>
> >> This mailing list strips off attachments, you are going to have to paste
> >> it into post. :-)
> >>
> >> Rowland
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> 
> 
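As an added example (not Mathias's awk script, nor anything shipped with Samba), the same record extraction in Python: it reads the "UPDATE SECTION:" blocks the awk script parses, picks the _msdcs zone or the AD zone per record as the awk script does, strips the zone suffix exactly, and returns the samba-tool argument vectors instead of shelling out, so the set of records to be created on the 2nd DC can be reviewed first. The zone and DC names are placeholders and the sample output is constructed.

```python
import shlex

AD_ZONE = "samdom.example.com"    # placeholder domain (not the thread's)
DNS_SERVER = "dc1"                # placeholder DC to send the updates to
MSDCS_ZONE = "_msdcs." + AD_ZONE

# Constructed sample in the nsupdate debug format the awk script parses:
# an "UPDATE SECTION:" marker, then "name ttl class type rdata".
SAMPLE = """\
;; UPDATE SECTION:
dc2.samdom.example.com. 900 IN A 192.0.2.20
;; UPDATE SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc2.samdom.example.com.
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.samdom.example.com. 900 IN SRV 0 100 389 dc2.samdom.example.com.
;; UPDATE SECTION:
dc2.samdom.example.com. 900 IN A 192.0.2.20
"""

def relative_name(fqdn, zone):
    """Strip an exact '.<zone>.' suffix (the awk regex left its dots unescaped)."""
    suffix = "." + zone + "."
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[:-len(suffix)]

def parse_updates(text):
    """Return de-duplicated samba-tool argument vectors, one per A/SRV record."""
    lines, cmds = text.splitlines(), []
    for i, line in enumerate(lines):
        if "UPDATE SECTION:" not in line or i + 1 >= len(lines):
            continue
        f = lines[i + 1].split()
        if len(f) < 5 or f[2] != "IN":
            continue
        name, rtype = f[0], f[3]
        if rtype not in ("A", "SRV") or (rtype == "SRV" and len(f) < 8):
            continue
        zone = MSDCS_ZONE if "._msdcs." in name else AD_ZONE  # separate zone
        rel = relative_name(name, zone)
        # samba-tool takes SRV data as 'target port priority weight'
        data = f[4] if rtype == "A" else " ".join((f[7], f[6], f[4], f[5]))
        cmd = ["samba-tool", "dns", "add", DNS_SERVER, zone, rel, rtype, data, "--kerberos=yes"]
        if cmd not in cmds:  # the same record may be listed more than once
            cmds.append(cmd)
    return cmds

if __name__ == "__main__":
    for cmd in parse_updates(SAMPLE):
        print(shlex.join(cmd))
```

Running it prints one shell-quoted samba-tool command per distinct record; the SRV data stays a single quoted argument, which is where hand-built command strings usually go wrong.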