[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Fri Dec 18 15:27:30 UTC 2015

On 18.12.2015 at 15:42, Rowland penny wrote:
> On 18/12/15 14:23, Ole Traupe wrote:
>> On 18.12.2015 at 14:56, Rowland penny wrote:
>>> On 18/12/15 12:07, Ole Traupe wrote:
>>>> On 18.12.2015 at 12:30, Rowland penny wrote:
>>>>> On 18/12/15 11:19, Ole Traupe wrote:
>>>>>> Hi Rowland,
>>>>>> I am very thankful that you take the time to test all this!
>>>>> No problem.
>>>>>> Before I go and check if this is the same with my setup and 
>>>>>> possibly the problem, could you perhaps try a logon to a member 
>>>>>> server, while the 1st DC is unavailable?
>>>>> Ah, slight problem there, as I said, this is just a couple of test 
>>>>> DCs and there are no test domain members, you will have to bear 
>>>>> with me whilst I create one.
>>>> I would be very grateful, and I guess many others too.
>>>> I heard from many sides that you should really only use bind9 in 
>>>> case you plan a more complicated setup. Until now I thought that 
>>>> having 2 DCs wasn't considered as such.
>>> Hi Ole, would you like to know how to set up bind9? Or to put it 
>>> another way, you cannot log in via ssh to a domain member if the 
>>> first DC goes down when you are using the internal dns server. If 
>>> you use bind9, you can log in, although there is a bit of a lag.
>>> Rowland
>> Hi Rowland,
>> yes, I would like to know how to migrate. But before that: are you 
>> 100% sure that this is the problem? Before having tested it?
>> How much lag?
>> Ole
> Hi Ole, all I can say is that I have two DCs running in VMs, they use 
> the internal dns server. I have joined a samba domain member (again 
> running in a VM) to the domain. If I turn off the first DC I created, 
> I cannot log into the domain member via ssh, but if I have both DCs 
> running, I can.

Ok, that is enough confirmation for me. Thank you very much, I highly 
appreciate this.

> There is another problem, after I restart the first DC, I still cannot 
> log in; I had to restart Samba on all three machines before I could log 
> into the domain member again.

Strange, but that is different here. Do you use a different Samba 
version, possibly 4.3.x? I still have 4.2.5.

> With my domain that uses Bind9, I turned off the first DC and 
> attempted to log into a domain member via ssh; after a few seconds 
> (approx. 5) it logged me in. I then exited again, restarted the first 
> DC again and tried to log in again; this time there was no lag and I 
> logged in straight away.

This sounds promising and as expected: a short timeout due to the 
(preferred?) DNS server being offline.

> Can I suggest that you do what I did, create your own small test 
> domain in VMs using Bind9

Yes, that is a good idea. However, from what I had read before, much of 
it on the Samba wiki, I was expecting Samba4 to just work with multiple 
DCs. I still wonder why no one ever seems to have tested or questioned 
that (publicly). And I don't feel that I have to question something 
myself that is broadly recommended: use the internal DNS unless you 
really have to do otherwise (even by the developers, it seems). In 
addition, bind9 working with multiple DCs does not necessarily mean 
that internal DNS won't.

I would also like to state that I am a part-time admin and I can't test 
something for a year or so (like others) before I go into production. 
With Samba 4 I was rather happy to find something that won't require so 
much work (although it feels different now, partially due to me being 
more or less a newbie to unix-based systems, I guess).

In any case, I would like to avoid any more unnecessary effort due to 
missing or misleading information (what I tried was never expected to 
work; and some of us have invested a lot of time to find out). That is 
why I asked so explicitly for your (or others') experience on that 
matter. Also, it might have been that I am doing something else wrong, 
which might have interfered with my own experience being diagnostic of 
Samba internal DNS.


Now I can finally stop thinking about internal DNS and what I might or 
might not have misconfigured.

So, how can I migrate my DNS from internal to bind with hopefully not so 
much effort (as creating a bunch of new DCs)? In particular: how can I 
avoid carrying over any misconfigurations to my new DNS?

I would be very happy about any suggestions.


> Rowland
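The check Rowland performed by hand (can a domain member still locate a DC once the first DC is off?) as a small script to run on the member. This is an added example, not code from the thread or from Samba; the realm name and the SRV record name are assumptions, and `dig` must be installed.

```sh
#!/bin/sh
# Added example, not from the thread: on a domain member, ask each nameserver in
# resolv.conf for the SRV record that AD clients use to locate a DC. If only the
# first DC answers, a member loses its DC lookup when that DC goes down.
# REALM is an assumed placeholder; override it with the environment variable.
REALM="${REALM:-samdom.example.com}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Turn `dig +short SRV` lines ("prio weight port target.") into bare hostnames.
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Nameservers the member actually uses, in the order the resolver tries them.
list_nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$RESOLV_CONF"
}

# Query a single nameserver with a short timeout so a dead DC does not stall us.
dcs_via_nameserver() {
  dig +short +time=2 +tries=1 "@$1" SRV "_ldap._tcp.dc._msdcs.$REALM" 2>/dev/null |
    srv_targets
}

# Report per nameserver; succeed if at least one still advertises a DC.
check_dc_resolution() {
  ok=1
  for ns in $(list_nameservers); do
    dcs=$(dcs_via_nameserver "$ns")
    if [ -n "$dcs" ]; then
      echo "nameserver $ns answers; DCs advertised: $(echo "$dcs" | tr '\n' ' ')"
      ok=0
    else
      echo "nameserver $ns: no SRV answer (down, or not serving $REALM)"
    fi
  done
  return $ok
}

if [ "${1:-}" = "--run" ]; then
  check_dc_resolution
fi
```

Run it with `--run` once with both DCs up and once with the first DC stopped; a nameserver that only points at the stopped DC will show up as "no SRV answer", which is the situation in which the member cannot authenticate.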
