[Samba] DC's are unavailable when PDC halted

Ervin Hegedüs airween at gmail.com
Wed Nov 8 13:33:28 UTC 2017 

Hi Rowland,

On Wed, Nov 08, 2017 at 12:12:20PM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 12:43:16 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
> 
> > > You would be better using the DCs ipaddress rather than '127.0.0.1'.
> > > You should also remove '10.10.0.1' it doesn't seem to be a DC.
> > 
> > yes, that's the forwarder (see in smb.conf). Most documents
> > notives that keep it in resolv.conf.
> 
> And most documents get it wrong, The DC is a DNS server and your
> clients should use it as their nameserver. Your DC should forward
> anything unknown to the nameserver that is set in the DCs smb.conf if
> using the internal DNS server, or if in the named conf files if using
> Bind9

right, I've removed it, now all DC uses only themselves as
nameserver.

> > > > /etc/samba/smb.conf
> > > > # Global parameters
> > > > [global]
> > > > 	netbios name = OPEN-LDAP
> > > > 	realm = CORE.MYDOMAIN.HU
> > > > 	workgroup = CORE
> > > > 	dns forwarder = 10.10.10.1
> > > > 	server role = active directory domain controller
> > > > 	idmap_ldb:use rfc2307 = yes
> > > > 
> > > > 	log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > > > 	ntlm auth = yes
> > > > 	lanman auth = yes
> > > > 	client ntlmv2 auth = yes
> > > 
> > > I would investigate upgrading security on the clients, rather than
> > > turning it down on the DC
> > 
> > I'm sorry, what do you think about exactly?
> 
> You have set 'ntlm auth = yes' in the smb.conf, this means your clients
> can use NTLMv1, this is insecure, you would be better off removing this
> line and then make your clients use NTLMv2 (at least) by default.

well, this line needs some clarification - see below
 
> > > > ========
> > > > client:
> > > > 
> > > > --------
> > > > /etc/krb5.conf
> > > 
> > > The krb5.conf only needs to match the ones on the DCs, so you don't
> > > need all of the following.
> > 
> > does it mean that the krb5.conf should be empty?
> 
> No, the /etc/krb5.conf on all the machines needs to be only this:
> 
> [libdefaults]
>  	default_realm = CORE.MYDOMAIN.HU
>  	dns_lookup_realm = false
>  	dns_lookup_kdc = true

right,
 
> > > and probably this:
> > > 
> > > https://wiki.samba.org/index.php/Idmap_config_rid
> > 
> > I'm afraid I don't need to that :)
> 
> Yes you do :)

no, I don't :)
 
> windbind needs to map your windows users & groups to Unix IDs in the
> 'CORE' domain, not the '*' domain. The '*' domain is reserved for the
> well known SIDs and anything outside the 'CORE' domain.

there will _not_ any Linux user - see below :)
  
> > 
> > I don't want to build the fileserver, I just need the user
> > management - these blocks stayed from the previous install.
> 
> Then why have the Unix domain member ???

so, the directory service needs because we have a captive portal,
to authenticate users for several services - eg. network access,
network groups. But only for these. There will _not_ any file
sharing.

The current device (Aruba) can authenticate only if the

  ntlm auth = yes

had turned on (but I'll check it again, may be the ntlmv2 is
enough).

We configured the CP that use this AD. We joined the deices to
domain, set up the both DC's. Then when I turned off the "first"
DC (which isn't the PDC :), I just installed and configred
first), then the auth service stops to work. The device doesn't
use the backup server (in the device config we see the "Backup
device" - I'm sorry).

So, I ask from the provider a "client" machine, which is a Linux
(I prefer the Linux), and this is the open-client.

Now I'ld like to test the redundant work of both DC's, and that's
why I don't need to any Linux user, user mapping, or any other
specific things. There will be thousends of users, everyone has a
login and a password. Connected to WiFI/eth LAN with 802.1x, and
use the network.

> Hopefully I have answered these questions above.

yes, thank you for all of your help again.


I left the domain (from client), and re-join again, but now I got
this message:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- CORE
Joined 'OPEN-CLIENT' to dns domain 'core.mydomain.hu'
DNS Update for open-client.core.mydomain.hu failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

# wbinfo --ping-dc
checking the NETLOGON for domain[CORE] dc connection to "open-ldap.core.mydomain.hu" succeeded 

# ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
NT_STATUS_OK: Success (0x0)
# ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
NT_STATUS_OK: Success (0x0)

# ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
# ntlm_auth --username=abc_airween --password=WRONGPASS # --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

so, looks like it works.

# net ads status

gives a very long output.

And wbinfo gives only open-ldap as DC:

# wbinfo --dsgetdcname=CORE
open-ldap.core.mydomain.hu
\\10.10.20.202
1
37241698-63dd-40d5-805b-d83f4a35223a
core.mydomain.hu
core.mydomain.hu
0xe00013fd
Default-First-Site-Name
Default-First-Site-Name

# wbinfo --getdcname=CORE
OPEN-LDAP

# wbinfo -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication succeeded

# wbinfo -a abc_airween%WRONGPASS
plaintext password authentication failed
Could not authenticate user abc_airween%WRONGPASS with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user abc_airween with challenge/response


At this point I made open-ldap (the first server) as
unattainable, and the result of the command above:

# time wbinfo -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication failed
Could not authenticate user abc_airween with challenge/response

real	1m2.640s
user	0m0.012s
sys	0m0.000s

it waits 1 minute, and then I got the message.

When I turned off the open-ldap2, and open-ldap works, then the
wbinfo -a returns with succeed, but only after 30 seconds.



So, looks like something is still wrong - may be I'm using wbinfo
as wrong way?


What should I do that the auth method works as well, when a DC
kicked out?



a.

More information about the samba mailing list