[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland penny
rpenny at samba.org
Fri Dec 18 16:04:30 UTC 2015
On 18/12/15 15:27, Ole Traupe wrote:
>
>
> Am 18.12.2015 um 15:42 schrieb Rowland penny:
>>
>> Hi Ole, all I can say is that I have two DCs running in VMs, they use
>> the internal dns server. I have joined a samba domain member (again
>> running in a VM) to the domain. If I turn off the first DC I created,
>> I cannot log into the domain member via ssh, but if I have both DCs
>> running, I can.
>
> Ok, that is enough confirmation for me. Thank you very much, I highly
> appreciate this.
>
>
>> There is another problem, after I restart the first DC, I still
>> cannot login, I had to restart Samba on all three machines before I
>> could log into the domain member again.
>
> Strange, but that is different here. Do you use a different Samba
> version, possibly 4.3.x? I still have 4.2.5.
>
>
This is with 4.1.17 from wheezy backports, though as far as I know the
dns server part of Samba hasn't changed much since.
>>
>> With my domain that uses Bind9, I turned off the first DC and
>> attempted to log into a domain member via ssh, after a few seconds
>> (approx 5) it logged me in, I then exited again, restarted the first
>> DC again and tried to log in again, this time there was no lag and I
>> logged in straight away.
>
> This sounds promising and as expected: a short timeout due to the
> (preferred?) DNS server being offline.
>
>
>>
>> Can I suggest that you do what I did, create your own small test
>> domain in VMs using Bind9
>
> Yes, that is a good idea. However, from what I had read before, much
> of it on the Samba wiki, I was expecting Samba4 to just work with
> multiple DCs. I still wonder why no one ever seems to have tested or
> questioned that (publicly). And I don't feel that I have to question
> something myself that is broadly recommended: use the internal DNS
> unless you really have to do otherwise (even by the developers, it
> seems). In addition, bind9 working with multiple DC's does not
> necessarily mean that internal DNS won't.
>
I am going to discuss this with Marc and the rest of the team. Like you,
I am surprised that nobody has raised this before. I have always used
Samba with Bind9, so I was unaware of this possible problem; it only came
to a head for me when you mentioned it. I then found I only had one NS
record in the SOA, and this led to where we are now.
> I also feel the need to state that I am a part-time
> admin and I can't test something for a year or so (like others) before
> I go into production. With Samba 4 I was rather happy to find
> something that won't require so much work (although it feels
> different now, partially due to me being more or less a newbie to
> unix-based systems, I guess).
It doesn't need much looking after, once you have got it up and running :-)
Rowland
>
>
> In any case, I would like to avoid any more unnecessary effort due to
> missing or misleading information (what I tried was never expected to
> work; and some of us have invested a lot of time to find out). That is
> why I asked so explicitly for your (or others') experience on that
> matter. Also, it might have been that I am doing something else
> wrong, which might have interfered with my own experience being
> diagnostic of Samba internal DNS.
>
> --
>
> Now I can finally stop thinking about internal DNS and what I
> might or might not have misconfigured.
>
> So, how can I migrate my DNS from internal to bind with hopefully not
> so much effort (as to create a bunch of new DCs)? In particular: how
> can I avoid carrying over any mis-configurations to my new DNS?
>
> I would be very happy about any suggestions.
>
> Ole
>
>> Rowland
>
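Rowland's finding above (a zone with only one NS record, so nothing for clients to fall back to when that DC is off) is worth checking on every DC before relying on failover. The script below is an added example, not from this thread or from the Samba project; the zone name and DC hostnames in the comments are constructed placeholders, and it assumes `dig` is installed on the machine you run it from.

```shell
#!/bin/sh
# Added example: confirm that every DC is advertised as an NS for the AD zone.
# Assumed (constructed) names: zone samdom.example.com, DCs dc1 and dc2.

# Normalise a DNS name for comparison: lower-case, no trailing dot.
norm() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Pure check, usable offline: $1 is a newline-separated list of NS names
# (the shape `dig +short NS zone` prints), the rest are the DC FQDNs you
# expect. Prints the DCs that have no NS record; exit 0 if none are missing.
missing_ns() {
    ns_list=$(norm "$1"); shift
    missing=""
    for dc in "$@"; do
        if ! printf '%s\n' "$ns_list" | grep -qxF "$(norm "$dc")"; then
            missing="$missing $dc"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Live check: ask each DC's own DNS server (internal DNS or BIND9_DLZ) for
# the NS set, so you see exactly what clients get from each one.
# Usage: check_zone samdom.example.com dc1.samdom.example.com dc2.samdom.example.com
check_zone() {
    zone=$1; shift
    rc=0
    for dc in "$@"; do
        if ! ns=$(dig +short NS "$zone" "@$dc") || [ -z "$ns" ]; then
            echo "$dc: no NS answer for $zone"; rc=1; continue
        fi
        if ! m=$(missing_ns "$ns" "$@"); then
            echo "$dc: zone $zone has no NS record for:$m"; rc=1
        fi
    done
    return $rc
}
```

Run `check_zone` with both DCs up first; a DC that is listed by one server but not the other points at a replication or zone-edit problem rather than a client-side timeout.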