[Samba] DC's are unavailable when PDC halted

Rowland Penny rpenny at samba.org
Wed Nov 8 15:21:28 UTC 2017


On Wed, 8 Nov 2017 14:33:28 +0100
Ervin Hegedüs <airween at gmail.com> wrote:

> The current device (Aruba) can authenticate only if
> 
>   ntlm auth = yes
> 
> is turned on (but I'll check it again; maybe NTLMv2 is
> enough).

All I can do is advise you, NTLMv1 is easily crackable, so, if you can
use a stronger authentication method, then I suggest you use it.

If you are only using the Unix domain member for authentication, you
might as well remove it and use one or both of the DCs instead.
 
 
> 
> I left the domain (from the client) and re-joined again, but now I got
> this message:
> 
> # net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- CORE
> Joined 'OPEN-CLIENT' to dns domain 'core.mydomain.hu'
> DNS Update for open-client.core.mydomain.hu failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
> 
> # wbinfo --ping-dc
> checking the NETLOGON for domain[CORE] dc connection to
> "open-ldap.core.mydomain.hu" succeeded 
> 
> # ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
> NT_STATUS_OK: Success (0x0)
> 
> # ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
> NT_STATUS_OK: Success (0x0)
> 
> # ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
> NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> 
> # ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
> NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> 
> So, it looks like it works.
> 
> # net ads status
> 
> gives a very long output.
> 
> And wbinfo gives only open-ldap as DC:
> 
> # wbinfo --dsgetdcname=CORE
> open-ldap.core.mydomain.hu
> \\10.10.20.202
> 1
> 37241698-63dd-40d5-805b-d83f4a35223a
> core.mydomain.hu
> core.mydomain.hu
> 0xe00013fd
> Default-First-Site-Name
> Default-First-Site-Name
> 
> # wbinfo --getdcname=CORE
> OPEN-LDAP
> 
> # wbinfo -a abc_airween%GOODPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%GOODPASS with plaintext password
> challenge/response password authentication succeeded
> 
> # wbinfo -a abc_airween%WRONGPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%WRONGPASS with plaintext password
> challenge/response password authentication failed
> wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error message was: Wrong Password
> Could not authenticate user abc_airween with challenge/response
> 
> 
> At this point I made open-ldap (the first server) unreachable, and
> this is the result of the command above:
> 
> # time wbinfo -a abc_airween%GOODPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%GOODPASS with plaintext password
> challenge/response password authentication failed
> Could not authenticate user abc_airween with challenge/response
> 
> real	1m2.640s
> user	0m0.012s
> sys	0m0.000s
> 
> It waits 1 minute, and then I get the message.
> 
> When I turned off open-ldap2 and open-ldap was working, then
> wbinfo -a returned success, but only after 30 seconds.


OK, the problem here is not that you have turned off the first DC, it
is that the client keeps trying to connect to it for 30 seconds.

You need to add:

'timeout:1 attempts:2 rotate'

to /etc/resolv.conf

Rowland


> 
> 
> So, it looks like something is still wrong - maybe I'm using wbinfo
> the wrong way?
> 
> 
> What should I do so that the auth method still works when a DC is
> kicked out?
> 
> 
> 
> a.
> 
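The resolver tuning suggested above is the part of this thread a practitioner can check mechanically, so here is an added example that is not part of the original exchange and not Samba project code: a small POSIX shell checker that parses a resolv.conf-style file and estimates how long each DNS lookup stalls when the first listed nameserver (the halted DC) stops answering. It uses the simplified timing model from resolv.conf(5): glibc defaults are timeout:5 and attempts:2, and each attempt waits `timeout` seconds on a nameserver that does not answer before moving to the next one, so a dead first server costs one timeout per lookup and a lookup fails outright only after timeout x attempts x nameservers. Note that in resolv.conf the keywords must be written on an `options` line (`options timeout:1 attempts:2 rotate`). The two configuration files below are constructed samples with documentation-range addresses, not the poster's real configuration.

```shell
# resolv_settings FILE -> prints "timeout attempts rotate nameserver_count",
# starting from the glibc defaults (timeout:5, attempts:2, no rotate).
resolv_settings() {
    _timeout=5; _attempts=2; _rotate=0; _ns=0
    while read -r key rest; do
        case "$key" in
            nameserver) _ns=$((_ns + 1)) ;;
            options)
                for opt in $rest; do
                    case "$opt" in
                        timeout:*)  _timeout=${opt#timeout:} ;;
                        attempts:*) _attempts=${opt#attempts:} ;;
                        rotate)     _rotate=1 ;;
                    esac
                done ;;
        esac
    done < "$1"
    echo "$_timeout $_attempts $_rotate $_ns"
}

# stall_with_first_ns_down FILE -> seconds a single lookup waits on the dead
# first nameserver before the resolver moves on to the next one (simplified
# model: one timeout, since the second server answers on the first attempt).
stall_with_first_ns_down() {
    set -- $(resolv_settings "$1")
    echo "$1"
}

# stall_all_ns_down FILE -> seconds until a lookup fails outright when every
# nameserver is unreachable: timeout x attempts x nameservers.
stall_all_ns_down() {
    set -- $(resolv_settings "$1")
    echo $(( $1 * $2 * $4 ))
}

# fast_failover FILE -> exit 0 when timeout <= 1, attempts >= 2, rotate is
# set and at least two nameservers are listed; exit 1 otherwise.
fast_failover() {
    set -- $(resolv_settings "$1")
    [ "$1" -le 1 ] && [ "$2" -ge 2 ] && [ "$3" -eq 1 ] && [ "$4" -ge 2 ]
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: two DCs listed, no options line, so glibc defaults apply.
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
search core.example.test
nameserver 192.0.2.10
nameserver 192.0.2.11
EOF

# Constructed sample: the same servers plus the options line the reply recommends.
cat > "$SAMPLE_DIR/tuned.conf" <<'EOF'
search core.example.test
nameserver 192.0.2.10
nameserver 192.0.2.11
options timeout:1 attempts:2 rotate
EOF

for f in default tuned; do
    printf '%s: first DC down -> %ss per lookup, all down -> %ss to fail, fast failover: ' \
        "$f" \
        "$(stall_with_first_ns_down "$SAMPLE_DIR/$f.conf")" \
        "$(stall_all_ns_down "$SAMPLE_DIR/$f.conf")"
    if fast_failover "$SAMPLE_DIR/$f.conf"; then echo yes; else echo no; fi
done
```

The per-lookup figure matters because locating a DC involves more than one DNS query (SRV and A records), so a 5-second stall per query adds up to the tens of seconds seen in the thread. DNS is only one layer, though: winbind has its own connection timeout to the DC (the `winbind request timeout` smb.conf parameter, default 60 seconds), so after fixing resolv.conf it is worth re-running `time wbinfo -a` with each DC down in turn and confirming the delay has dropped on both sides, not just when the first DC is halted.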
