[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Thu Dec 24 11:16:22 UTC 2015

Hi James and everyone,

There is a real issue with samba_dnsupdate and DNS records creation with
Samba 4 as AD when it comes to AD Sites.

Samba does not seems to create at all any Site relevant DNS record. As AD
relies on DNS to find DC on the correct AD site, if no DNS entry is created
related to AD Site, no usage of AD Sites.

Here Win client ask for domain
11:37:28.671044 IP 10.207.102.32.50193 >
dns1.ad.dgfip.finances.gouv.fr.domain: 50244+ SRV? _ldap._tcp.pdc._
msdcs.ad.dgfip.finances.gouv.fr. (65)
11:37:28.671308 IP dns1.ad.dgfip.finances.gouv.fr.domain >
10.207.102.32.50193: 50244 1/2/3 SRV m702.ad.dgfip.finances.gouv.fr.:389 0
100 (202)

Just after that it asks for kerberos service on "SCIF" AD Site:
11:44:59.550011 IP 10.207.102.32.52905 >
dns1.ad.dgfip.finances.gouv.fr.domain: 17936+ SRV?
_kerberos._tcp.SCIF._sites.dc._msdcs.AD.DGFIP.FINANCES.GOUV.FR. (80)
11:44:59.550979 IP dns1.ad.dgfip.finances.gouv.fr.domain >
10.207.102.32.52905: 17936 NXDomain 0/0/0 (80)
And no entry.

So falling back to domain without site mentioned
11:44:59.621886 IP 10.207.102.32.58708 >
dns1.ad.dgfip.finances.gouv.fr.domain: 40345+ SRV? _kerberos._tcp.dc._
msdcs.AD.DGFIP.FINANCES.GOUV.FR. (68)
11:44:59.622133 IP dns1.ad.dgfip.finances.gouv.fr.domain >
10.207.102.32.58708: 40345 5/5/5 SRV m704.ad.dgfip.finances.gouv.fr.:88 0
100, SRV m705.ad.dgfip.finances.gouv.fr.:88 0 100, SRV
m702.ad.dgfip.finances.gouv.fr.:88 0 100, SRV
m706.ad.dgfip.finances.gouv.fr.:88 0 100, SRV
m703.ad.dgfip.finances.gouv.fr.:88 0 100 (468)

In DNS MS console from RSAT we can see a directory "_sites" in default
domain zone and in _msdcs domain zone. There is no directory related to
others sites.

In samba.domain.tld -> _sites -> Default-First-Site-Name there are entries
related to DC and associated SRV records.
I expect this should be the same for any AD Site we configure.

And solving these lack of DNS configuration should help to deal with AD
Sites and so with AD failover.

I did tried to use samba_dnsupdate to create these entries but nothing
related to AD Sites except for Default-First-Site-Name site.

To be able to manage that first thing would be to have a samba command to
list declared Sites (samba-tool sites list ?) then we should have a command
to list declared DC in that site.
Then we would be able to rely on samba commands to list sites and DC in
each sites, so we would be able to script something to create needed
entries (these needed entries should be the same or almost as
for Default-First-Site-Name, anyway tcpdump could help to find which
entries are requested by clients).

Best regards, wishing you all a merry Christmas : )

mathias

2015-12-23 20:37 GMT+01:00 mathias dufresne <infractory at gmail.com>:

> Hi James,
>
> First thanks for you detailed answer and the tests you did to be able to
> write this.
>
> Before reading your mail I was believing MS Windows keeps only one
> credentials, those for last connected account. This is why I did not pushed
> too far authentication process.
> Tomorrow I'm back to work and I'll redo this test, using some others users
> to test than some I have already used to connect on that MS Windows acting
> as client.
>
> I'll try to power down the DC in the morning and I'll try to make tests in
> the afternoon. If I can't tomorrow I won't be able to do these tests before
> January.
>
> The caching of credentials is default behaviour of Windows systems yes.
> You can have similar behavior on Linux with SSSD and also Winbind or nslcd,
> I believe (so I'm not sure).
>
> SSSD is also supposed to come with AD Sites management but I missed
> something during the few time I tried that. Two reasons could have made me
> failed on that: a too old SSSD version or a bad admin (me). I expect it's
> the latter.
>
> What I wrote about NS and SOA came from a discussion I had several weeks
> ago with one person managing Bind daily for the company I work for. She
> agreed client should not use NS nor SOA but as this is not one of her
> problem, this was just thoughts (but her thoughts seems more trustable as
> most of mines :D)
>
> 2015-12-23 19:46 GMT+01:00 James <lingpanda101 at gmail.com>:
>
>> On 12/23/2015 12:39 PM, mathias dufresne wrote:
>>
>> And for Ole, the OP, to solve its own failover issue:
>> As there is 2 physical sites and only 2 DC.
>> Let's say
>> Site1 is 10.1.0.0/16
>> Site2 <http://10.1.0.0/16Site2> is 10.2.0.0/16
>> I would create 2 additional AD Sites : Site1 + Site2
>> To AD site "Site1" I would associate 10.1.0.0/16 and associate also DC1
>> To AD site "Site2" I would associate 10.2.0.0/16 and associate also DC2
>> To Default-First-Site-Name no network is associated but both DC must be in
>> that site too.
>>
>> Client from 10.2.0.0/16 will be asked to launch DNS query to look for DC on
>> "Site2" and as long as DC2 is UP this client should use DC2.
>> DC2 is out. This means no DC is available for client's AD site, so the
>> client fall back to default behaviour which is finding a DC
>> in Default-First-Site-Name where the DC are declared ==> this client would
>> be able to use DC1 to authenticate.
>>
>> Cheers
>>
>> mathias
>>
>>
>>
>>
>> 2015-12-23 18:14 GMT+01:00 mathias dufresne <infractory at gmail.com> <infractory at gmail.com>:
>>
>>
>> Once both DC were rebooted, after the MS Windows was also rebooted (here I
>> could have just wait I think) this MS Windows client is connecting on DC
>> from its AD Site again.
>>
>> 2015-12-23 16:51 GMT+01:00 mathias dufresne <infractory at gmail.com> <infractory at gmail.com>:
>>
>>
>> Hi all,
>>
>> Firs I apologize I did not manage to find time to reply earlier.
>>
>> The initial issue was about how Samba AD react when one DC is out and
>> more specifically about what happen when FSMO ower is unreachable (poweroff
>> in Ole tests).
>>
>> This issue is solved using a correct AD Sites configuration.
>>
>> Here I kept 3 DCs in my domain.
>> Sites:
>> I set up a second site named "authentication" and I've added in that site
>> 2 DCs, including FSMO owner.
>> On that "authentication" site I've added the network on which my clients
>> are.
>> On "Default-First-Site-Name" I do not configured any network addresses.
>> All 3 DCs are declared in "Default-First-Site-Name".
>>
>> All DC up behaviour:
>> The windows client when connecting ask to AD for a DC, AD answer this
>> client it depends of "authentication" site and this client re-launch DNS
>> requests taking in account AD Site information to retrieve DC list for that
>> site.
>> Then the client connects to AD.
>>
>> To check which AD DC was used to connected on: launch "cmd" then in that
>> window type "set". In "set" result there is a line
>> LOGONSERVER=<DCname>
>> This is the DC used for connection (and later normally).
>>
>> The test:
>> I powered off both DC in "authentication" site. So only one DC is up and
>> running, the one *outside* of that site.
>> Login in Windows works.
>> Using cmd -> set -> LOGONSERVER=<the last remaining DC>
>>
>> I waited something like one hour then I rebooted my MS Windows client. I
>> can still log in using differnt accounts (administrator then my own
>> account).
>> This MS Windows client is still using the only running DC, the one
>> outside of client's site, this because this DC is in
>> Default-First-Site-Name.
>>
>> This behaviour is normal. It is Site behaviour. It is AD Sites purpose.
>>
>> So configuring AD Sites correctly would solve the issue about failover.
>>
>>
>> DNS issue:
>> SOA and NS records are used when DNS servers are discussing together but
>> not when a DNS client is asking for records (execpt for SOA or NS
>> obvisouly).
>> SOA and NS records are, in my understanding, used when the DNS server
>> receive a request for a zone this server does not know. In that specific
>> case the DNS server must find a name server for that zone, so our DNS
>> server is asking to upper level for a NS in the mentioned zone.
>>
>> So, if my understanding is correct, client never uses NS record (not in
>> normal mode). And so there is no much issue that Samba DNS has only one SOA
>> and one NS.
>>
>> Regarding NS records, I create them manually because it matches our real
>> configuration (each DC is DNS, each DNS as NS record).
>>
>> The point to make Samba AD works with internal is to work around the
>> issue of samba_dnsupdate. At least it is all I have to do on all domains I
>> tested, even with the 4.3.3.
>>
>> samba_dnsupdate could work with some option in smb.conf to grant unsecure
>> update of DNS zones.
>> If you don't want to allow unsecure update, use the awk script I provided
>> in that thread days (or weeks) ago.
>>
>> I use Samba AD with Internal DNS with no issue except for samba_dnsupdate
>> which not able to create internal record. To solve that issue I provided
>> here a awk script which extract from samba_dnsupdate needed information to
>> force recrods creation using samba-tool. This awk script is not dangerous:
>> you can run it as much you want, it just tries to create entries. If entry
>> exists, an error is displayed:
>> ERROR: Record already exists
>>
>> If you are afraid of that script you can modify its behaviour replacing:
>> cmd = "samba-tool dns add "
>> with
>> cmd = "echo samba-tool dns add "
>>
>> Then the script will do nothing except display what command could be run
>> to force DNS records creation.
>>
>> With all needed DNS records and a well configured AD Sites failover
>> works. Nicely.
>>
>> A last note: 3 DCs means 3 DNS servers. You want your DC can be down so
>> your clients MUST have all DC declared as "nameserver" in /etc/resolv.conf.
>>
>> Another strategy is to build one Bind server with one zone configured
>> with the exact same name as AD domain, this zone will do forward only and
>> will forward to all DCs.
>> Doing that your clients can have only one DNS configured: the one with
>> Bind forwarding to DCs.
>> This bind zone config:
>> ------------------
>> zone "samba.domain.tld" IN {
>>   type forward;
>>   forward only;
>>   forwarders {
>>     IP_DC1;
>>     IP_DC2;
>>     IP_DC3;
>>   };
>> };
>> -------------------
>>
>> I hope you will finally be able to have failover working Ole.
>>
>>
>>
>>
>> 2015-12-22 11:44 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de> <ole.traupe at tu-berlin.de>:
>>
>>
>> Can I suggest that you do what I did, create your own small test
>> domain in VMs using Bind9
>>
>>
>> Yes, that is a good idea. However, from what I had read before, much
>> of it on the Samba wiki, I was expecting Samba4 to just work with multiple
>> DCs. I still wonder why no one ever seems to have tested or questioned that
>> (publicly). And I don't feel that I have to question something myself that
>> is broadly recommended: use the internal DNS unless you really have to do
>> otherwise (even by the developers, it seems). In addition, bind9 working
>> with multiple DC's does not necessarily mean that internal DNS won't.
>>
>>
>>
>> I am going to discuss this with Marc and the rest of the team, like
>> you, I am surprised that nobody has raised this before. I have always used
>> Samba with Bind9, so was unaware of this possible problem, it only came to
>> head for me when you mentioned it. I then found I only had one NS  record
>> in the SOA and this lead to where we are now.
>>
>>
>> Hi Rowland,
>>
>> Again: thanks a lot for your support.
>>
>> Merry Christmas and good holidays to the list!
>>
>> Ole
>>
>>
>>
>>
>> I also feel the need to would like to state that I am a part-time admin
>>
>> and I can't test something for a year or so (like others) before I go into
>> production. With Samba 4 I was rather happy to find something that won't
>> require so much work (although it feels differently now, partially due to
>> me being more or less a newbee to unix-based systems, I guess).
>>
>>
>> It doesn't need much looking after, once you have got it up and running
>> :-)
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>> Mathias,
>>
>>     I discovered similar issues after testing for Ole. I have sites and
>> services configured as well. It took over a hour for issues to arise after
>> shutting down my DC that held all my FSMO roles and SOA record.
>>
>> I decided to do a quick packet capture just now. I shutdown my DC that
>> holds all the roles and SOA record. I logged into the workstation and
>> reviewed the trace. I can see the workstation attempt to locate the SRV
>> records needed from the first DC. It failed so it then asked my 2nd DC in
>> my site. It resolved the SRV records and it allowed me to log in. This
>> process never asks for the SOA. I can rule out it plays no part? It seems
>> fail over works as expected.
>>
>> I decided to shutdown my 2nd DC in my site as test. Logged in as another
>> user(It allowed me) and reviewed the trace. I can see where the workstation
>> attempts to ask both DC's in the site for the SRV records. Of course it
>> fails but I see no trace of authentication happening. Why did it allow me
>> to log in? I look at the windows event viewer and review the auth log. I
>> find this.
>>
>> Logon Type:            11
>>
>> New Logon:
>>     Security ID:        DOMAIN\duser
>>     Account Name:        duser
>>     Account Domain:        DOMAIN
>>     Logon ID:        0x7b11e9
>>     Logon GUID:        {00000000-0000-0000-0000-000000000000}
>>
>> I decided to research logon type 11. I find this.
>>
>> *Logon Type 11 – CachedInteractive*
>>
>> Windows supports a feature called Cached Logons which facilitate mobile
>> users. When you are not connected to the your organization’s network and
>> attempt to logon to your laptop with a domain account there’s no domain
>> controller available to the laptop with which to verify your identity. To
>> solve this problem, Windows caches a hash of the credentials of the last 10
>> interactive domain logons. Later when no domain controller is available,
>> Windows uses these hashes to verify your identity when you attempt to logon
>> with a domain account.
>>
>> I assume this is a windows only feature and not a linux feature? This was
>> on a wired workstation and not a mobile device. The issues with
>> authentication only arouse from mobile devices and only after approximately
>> an hour of the "primary" DC being down.
>>
>>
>>
>> --
>> -James
>>
>>
>