[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

L.P.H. van Belle belle at bazuin.nl
Thu Dec 17 13:22:53 UTC 2015


Commented in between.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday 17 December 2015 13:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> 
> 
> On 11.12.2015 at 15:31, L.P.H. van Belle wrote:
> > Commented in between.
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> >> Sent: Friday 11 December 2015 14:59
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> >> initially fails when PDC is offline
> >>
> >> Hi folks,
> >>
> >> a) thank you all for your help, I highly appreciate your time and
> >> effort, and I am sure I can resolve this issue very soon!
> >> b) I have to delay this until early next week, as I have to attend to
> >> other matters for now.
> >>
> >> All I can say, Louis, is that I won't set up a new DC to resolve this -
> >> at least not for now. This seems to be another problem of Samba4 not
> >> being able to deal with multiple DCs properly. And this has to be able
> >> to be resolved on an otherwise working domain without changing its
> >> architecture or other more drastic measures. This is my point of view
> >> at the moment. Your suggestion reminds me a bit of some typical forum
> >> replies to "Reinstall the OS" in case of any problems that can't be
> >> solved in an instant.
> > [L.P.H. van Belle]
> > I don't think this is another problem of Samba4, but this is a problem
> > which started at the beginning of your install, at least that's what I
> > suspect based on all your info on the list.
> > I suspect that, then, you "installed" the new DC with the old name/IP.
> 
> Yes, maybe, but why/how?
[L.P.H. van Belle] I would answer that if I could, but I don't know how exactly you installed. I've scripted my installs, so it is always the same.
I have no problems with my config, on any of my servers.
So one fix fixes all in my case.


> 
> > You forgot somewhere to remove old entries in AD and/or DNS.
> 
> Not that I know of. This is pure speculation. My domain is not that
> large and I can go through all DNS records in 5 min. There wasn't
> anything left pointing to the demoted DC.
> 
> > And this is why I suggested it; normally I don't suggest something like
> > this, but I do think that if you set up clean you will have a better running
> > server with less problems, but what you choose is all up to you.
> > Do what you think is best for you.
> 
> I am still considering this as a last resort.
[L.P.H. van Belle] From a learning point of view this is always good.
First installs are always hard; I tested my setup/configs for about 6-8 months before production, and I also screwed things up, so I reinstalled and learned the hard way too.
And thankfully there is the Samba list, which helped me a lot.

> 
> >
> >> If necessary, I will just create the missing DNS entries of my 2nd DC
> >> by hand. Although I would prefer a working script supplied by a
> >> professional (which I am not). At least I would like to know which DNS
> >> entries for my 2nd DC are essential for logins to work. I wouldn't very
> >> much like to try this out. However, I am aware that your time is as
> >> limited as mine (if not even more so), and you are under no obligation in
> >> any way.
> > [L.P.H. van Belle]
> >
> >> ). At least I would like to know which DNS
> >> entries for my 2nd DC are essential for logins to work.
> > And what you ask here is already answered a few times IMO.
> 
> Where? Point me to it, please! 

Uhh, somewhere in the emails of 10 Dec; see what is in the
samba_dnsupdate --verbose output, those are the needed DNS records.


[L.P.H. van Belle] In the AD and DNS, open the user management tool (the AD user manager),
click on View, enable Advanced.
Now click through the complete AD and find old entries.
Don't forget the "Computers" OU,

and do the same in the DNS manager.
Also, make sure your DNS zone (SOA) record contains the PRIMARY DC.

The above can also be done with ldapsearch.


> 
> >
> > Again, you're quicker with a clean install, and you learn more from it.
> > And with clean, I don't mean dropping your AD, just add a new "DC join" to
> > hold the AD data so you can remove the faulty server and then you can
> > install that server again, but now as it should be.
> > AND when you join a DC your login problem is fixed also.  ;-)
> 
> I somehow doubt that. Still it seems that no one here has an idea of why
> log-on from member servers isn't working properly (for me). However, in
> the meantime I have created all the necessary DNS records. This can't be
> the issue anymore.

[L.P.H. van Belle]
A delay for the login when one DNS server is down is normal; it needs to time out first.
When you type:
dig a internal.domain.tld
you should see 2 responses, and the results are your 2 DCs.


> 
> >
> >
> >> Besides, I didn't forget to delete anything. I used the script from the
> >> wiki to get rid of old records pertaining to my former 1st DC after I
> >> had created the records of my *new* 1st DC. I checked the results:
> >> everything related to my former first DC was gone. Also I
> >> documented/discussed this process here on the list. And nobody pointed
> >> me to things I forgot or was leaving out. I know that use of this
> >> script was totally "on my own risk". But the results were as they should have
> >> been, at least as far as I am able to tell.
> > [L.P.H. van Belle] Which script? Can anyone point that one out for me, I can't
> > find it. I only know about
> > https://bugzilla.samba.org/show_bug.cgi?id=10595
> 
> It is this one:
> https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
> 
> >
> >> That said, I will go through your responses and get back to you with
> >> results.
> >>
> >> Best, have a good weekend!
> >> Ole
> > [L.P.H. van Belle]
> > Thank you, and have a very good weekend also, I hope your problem is
> > fixed soon.
> 
> Thanks, me too.
> 
> Ole
> 
> >
> >>
> >> On 11.12.2015 at 13:33, mathias dufresne wrote:
> >>> Thank you Rowland for noticing that.
> >>>
> >>> Here it is:
> >>> ------------------------------------------------------------------
> >>> #!/usr/bin/awk -f
> >>>
> >>> # Feed with: samba_dnsupdate --all-names --verbose | awk -f dnsupdate.awk
> >>> BEGIN {
> >>>     ad_zone = "YOUR.DOMAIN.TLD"
> >>>     msdcs_zone = "_msdcs." ad_zone
> >>>     dns_server = "YOUR-DC"
> >>> }
> >>> # Pick the zone the record belongs to and strip that zone from the
> >>> # owner name; the zone apex itself becomes "@" for samba-tool.
> >>> # (Sets the globals zone and record.)
> >>> function split_name(owner) {
> >>>     if (owner ~ /_msdcs/) { zone = msdcs_zone } else { zone = ad_zone }
> >>>     record = owner
> >>>     if (record == zone ".") {
> >>>         record = "@"
> >>>     } else {
> >>>         sub("\\." zone "\\.$", "", record)
> >>>     }
> >>> }
> >>> {
> >>>     if ($0 ~ /UPDATE SECTION:/) {
> >>>       getline
> >>>       # fields of the record line: owner ttl IN type rdata...
> >>>       if ($4 == "A") {
> >>>         split_name($1)
> >>>         # pass the zone picked above, not always msdcs_zone
> >>>         cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes"
> >>>         print cmd
> >>>         system(cmd)
> >>>       }
> >>>       if ($4 == "SRV") {
> >>>         split_name($1)
> >>>         # nsupdate shows "priority weight port target";
> >>>         # samba-tool wants "target port priority weight"
> >>>         cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
> >>>         print cmd
> >>>         system(cmd)
> >>>       }
> >>>     }
> >>> }
> >>> ------------------------------------------------------------------
> >>>
> >>> This script does not take into account missing NS records, as
> >>> samba_dnsupdate does not try to create them.
> >>>
> >>>
> >>> 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:
> >>>
> >>>> On 11/12/15 10:29, mathias dufresne wrote:
> >>>>
> >>>>> Hi Ole,
> >>>>>
> >>>>> Using internal DNS, samba_dnsupdate does not work correctly, at least
> >>>>> not every time.
> >>>>>
> >>>>> Someone modified this samba_dnsupdate tool commenting out this line:
> >>>>> os.unlink(tmpfile)
> >>>>> which should be line 413.
> >>>>>
> >>>>> Doing that he was able to get the files generated by samba_dnsupdate and
> >>>>> use them as argument of the nsupdate command (without the -g switch and with
> >>>>> "allow dns updates = nonsecure" in smb.conf).
> >>>>>
> >>>>> I was not able to make that process work here but I did not try
> >>>>> hard. As this process was sent directly to me, I share it.
> >>>>>
> >>>>> The process I use to generate all DNS records is to run
> >>>>> samba_dnsupdate --all-names --verbose and send the output of that command
> >>>>> to the attached awk script.
> >>>>> The awk script gets information from samba_dnsupdate for each record
> >>>>> and launches samba-tool to create the DNS record. This script is not clever:
> >>>>> it tries to create all mentioned DNS records, generating warnings when a
> >>>>> record already exists.
> >>>>>
> >>>>> You will have to modify this awk script as the BEGIN section contains
> >>>>> fake information related to the AD domain:
> >>>>>
> >>>>> BEGIN {
> >>>>>      ad_zone = "YOUR.DOMAIN.TLD"
> >>>>>      msdcs_zone = "_msdcs." ad_zone
> >>>>>      dns_server = "YOUR-DC"
> >>>>> }
> >>>>>
> >>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
> >>>>> configuration.
> >>>>>
> >>>>> The awk script uses Kerberos authentication when running samba-tool, so
> >>>>> you will need to generate a Kerberos ticket for some AD admin before:
> >>>>> 1°) kinit administrator
> >>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
> >>>>>
> >>>>> As it is not an issue to try to create an entry which already exists,
> >>>>> you can run that script on each DC to assure yourself all entries are
> >>>>> correctly created on all DCs.
> >>>>>
> >>>>> Best regards,
> >>>>>
> >>>>> mathias dufresne
> >>>>>
> >>>>>
> >>>>>
> >>>> There is a flaw with your script!
> >>>>
> >>>> This mailing list strips off attachments, you are going to have to
> >>>> paste it into the post. :-)
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
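As an added example for the DNS-record discussion above (not part of this thread, not Samba's own code and not the awk script mathias posted): a Python dry-run planner that reads the same nsupdate "UPDATE SECTION:" lines that samba_dnsupdate --verbose relays, but picks the zone per record (the domain zone or _msdcs.<domain>) instead of always using the msdcs zone, maps the zone apex to "@", and reorders SRV data into the "target port priority weight" form samba-tool dns add expects. It only prints the commands it would run, so you can diff them against what exists before creating anything; the sample output, the names, the GUID and the addresses are constructed, and the --kerberos=yes flag is the one used by the script in the thread.

```python
"""Plan samba-tool DNS records from samba_dnsupdate --verbose output (dry run)."""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    zone: str   # zone to pass to samba-tool dns add
    name: str   # owner name relative to that zone ("@" for the apex)
    rtype: str  # A, AAAA, CNAME, SRV, ...
    data: str   # rdata in samba-tool's argument form


def split_owner(owner, ad_zone):
    """Return (zone, relative name) for an absolute owner name.

    _msdcs.<domain> is tried first because it is the longer suffix; a name
    equal to the zone itself is the apex and becomes "@".
    """
    fqdn = owner.rstrip(".").lower()
    domain = ad_zone.rstrip(".").lower()
    for zone in ("_msdcs." + domain, domain):
        if fqdn == zone:
            return zone, "@"
        if fqdn.endswith("." + zone):
            return zone, fqdn[: -len(zone) - 1]
    raise ValueError(f"{owner} is not inside {domain} or its _msdcs zone")


def parse_update_sections(text, ad_zone):
    """Collect the records listed under every 'UPDATE SECTION:' line.

    Record lines look like 'owner ttl IN type rdata...' (nsupdate -d style);
    a blank line ends the section.
    """
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if "UPDATE SECTION:" not in lines[i]:
            i += 1
            continue
        i += 1
        while i < len(lines) and lines[i].strip():
            fields = lines[i].split()
            i += 1
            if len(fields) < 5 or fields[2] != "IN":
                continue  # not a record line
            zone, name = split_owner(fields[0], ad_zone)
            rtype, rdata = fields[3], fields[4:]
            if rtype == "SRV":
                # nsupdate prints "priority weight port target";
                # samba-tool wants "target port priority weight".
                prio, weight, port, target = rdata
                data = f"{target} {port} {prio} {weight}"
            else:
                data = " ".join(rdata)
            records.append(DnsRecord(zone, name, rtype, data))
    return records


def samba_tool_commands(records, dns_server):
    """Render one shell-quoted 'samba-tool dns add' command per record."""
    cmds = []
    for r in records:
        args = [dns_server, r.zone, r.name, r.rtype, r.data]
        quoted = " ".join(shlex.quote(a) for a in args)
        cmds.append(f"samba-tool dns add {quoted} --kerberos=yes")
    return cmds


# Constructed sample (hypothetical DC "dc2", domain example.com, made-up
# GUID and addresses) in the nsupdate -d layout the parser keys on.
SAMPLE_OUTPUT = """\
Calling nsupdate for A dc2.example.com 192.168.10.6 (add)
Outgoing update query:
;; ZONE SECTION:
;example.com.            IN      SOA

;; UPDATE SECTION:
dc2.example.com.        900     IN      A       192.168.10.6

Calling nsupdate for SRV _ldap._tcp.dc._msdcs.example.com dc2.example.com 389 (add)
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.example.com.       900     IN      SRV     0 100 389 dc2.example.com.

Calling nsupdate for A example.com 192.168.10.6 (add)
;; UPDATE SECTION:
example.com.    900     IN      A       192.168.10.6

Calling nsupdate for CNAME 0a1b2c3d-1111-2222-3333-444455556666._msdcs.example.com dc2.example.com (add)
;; UPDATE SECTION:
0a1b2c3d-1111-2222-3333-444455556666._msdcs.example.com.        900     IN      CNAME   dc2.example.com.
"""


def plan(text=SAMPLE_OUTPUT, ad_zone="example.com", dns_server="dc2"):
    """Dry run: the samba-tool commands that would create the listed records."""
    return samba_tool_commands(parse_update_sections(text, ad_zone), dns_server)


if __name__ == "__main__":
    for cmd in plan():
        print(cmd)
```

Run it as `samba_dnsupdate --all-names --verbose | python3 plan_dns.py` after changing `plan()` to read stdin, or just run it as-is to see the planned commands for the constructed sample; the domain-apex A record comes out as `@` and the SRV record lands in `_msdcs.example.com` with its data reordered.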
