[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
rpenny at samba.org
Fri Dec 18 16:04:30 UTC 2015
On 18/12/15 15:27, Ole Traupe wrote:
> Am 18.12.2015 um 15:42 schrieb Rowland penny:
>> Hi Ole, all I can say is that I have two DCs running in VMs, they use
>> the internal dns server. I have joined a samba domain member (again
>> running in a VM) to the domain. If I turn off the first DC I created,
>> I cannot log into the domain member via ssh, but if I have both DCs
>> running, I can.
> Ok, that is enough confirmation for me. Thank you very much, I highly
> appreciate this.
>> There is another problem, after I restart the first DC, I still
>> cannot login, I had to restart Samba on all three machines before I
>> could log into the domain member again.
> Strange, but that is different here. Do you use a different Samba
> version, possibly 4.3.x? I still have 4.2.5.
This is with 4.1.17 from wheezy backports, though as far as I know the
dns server part of Samba hasn't changed much since.
>> With my domain that uses Bind9, I turned off the first DC and
>> attempted to log into a domain member via ssh, after a few seconds
>> (approx 5) it logged me in, I then exited again, restarted the first
>> DC again and tried to log in again, this time there was no lag and I
>> logged in straight away.
> This sounds promising and as expected: a short timeout due to the
> (preferred?) DNS server being offline.
>> Can I suggest that you do what I did, create your own small test
>> domain in VMs using Bind9
> Yes, that is a good idea. However, from what I had read before, much
> of it on the Samba wiki, I was expecting Samba4 to just work with
> multiple DCs. I still wonder why no one ever seems to have tested or
> questioned that (publicly). And I don't feel that I have to question
> something myself that is broadly recommended: use the internal DNS
> unless you really have to do otherwise (even by the developers, it
> seems). In addition, bind9 working with multiple DC's does not
> necessarily mean that internal DNS won't.
I am going to discuss this with Marc and the rest of the team, like you,
I am surprised that nobody has raised this before. I have always used
Samba with Bind9, so was unaware of this possible problem, it only came
to head for me when you mentioned it. I then found I only had one NS
record in the SOA and this lead to where we are now.
> I also feel the need to would like to state that I am a part-time
> admin and I can't test something for a year or so (like others) before
> I go into production. With Samba 4 I was rather happy to find
> something that won't require so much work (although it feels
> differently now, partially due to me being more or less a newbee to
> unix-based systems, I guess).
It doesn't need much looking after, once you have got it up and running :-)
> In any way, I would like to avoid any more unnecessary effort due to
> missing or misleading information (what I tried was never expected to
> work; and some of us have invested a lot of time to find out). That is
> why I asked so explicitly for your (or others') experience on that
> matter. Also, it might have been, that I am doing something else
> wrong, which might have interfered with my own experience being
> diagnostic of Samba internal DNS.
> Now I can finally stop thinking about internal DNS anymore and what
> might or might not have misconfigured.
> So, how can I migrate my DNS from internal to bind with hopefully not
> so much effort (as to create a bunch of new DCs)? In particular: how
> can I avoid carrying over any mis-configurations to my new DNS?
> I would be very happy about any suggestions.
More information about the samba