[Samba] DC's are unavailable when PDC halted

Ervin Hegedüs airween at gmail.com
Wed Nov 8 15:47:54 UTC 2017


On Wed, Nov 08, 2017 at 03:21:28PM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 14:33:28 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
> 
> > The current device (Aruba) can authenticate only if the
> > 
> >   ntlm auth = yes
> > 
> > had turned on (but I'll check it again, may be the ntlmv2 is
> > enough).
> 
> All I can do is advise you, NTLMv1 is easily crackable, so, if you can
> use a stronger authentication method, then I suggest you use it.

yes, thanks - I'll check it that when I drop the ntlm auth from
config, the CP will work away.

> If you are only using the Unix domain member for authentication, you
> might as well remove it and use one or both of the DCs instead.

this Unix domain member test (with Linux) is just a "test". The
final box will an Aruba cluster. That's also a Linux box, but we
don't know what works inside of that.
  
> > real	1m2.640s
> > user	0m0.012s
> > sys	0m0.000s
> > 
> > it waits 1 minute, and then I got the message.
> > 
> > When I turned off the open-ldap2, and open-ldap works, then the
> > wbinfo -a returns with succeed, but only after 30 seconds.
> 
> 
> OK, the problem here is not that you have turned off the first DC, it
> is that the client keeps trying to connect to it for 30 seconds.
> 
> You need to add: 
> 
> 'timeout:1 attempts:2 rotate' 
> 
> to /etc/resolv.conf

# cat /etc/resolv.conf 
options timeout:1
options attempts:2
options rotate
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204

# wbinfo --ntlmv2 -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user abc_airween with challenge/response


but I wrote the lines above, and about after 2-3 minutes, now it
works:

# wbinfo --ntlmv2 -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication succeeded


I'm not sure that _this_ is the solution. I've never read this
DNS settings is required.

How can I check that the Samba4 DNS service is works correctly?

The regular checks (host -t A some.domain.com, etc...) are works.

I've set up both DC for _ldap._tcp.core.mydomain.hu SRV, 
_kerberos._udp SRV, and core.mydomain.hu A records. Now the
client got both DC for all DNS requests. Is that correct?


Thanks again,


a.





More information about the samba mailing list