[Samba] DC's are unavailable when PDC halted
Ervin Hegedüs
airween at gmail.com
Wed Nov 8 15:47:54 UTC 2017
On Wed, Nov 08, 2017 at 03:21:28PM +0000, Rowland Penny wrote:
> On Wed, 8 Nov 2017 14:33:28 +0100
> Ervin Hegedüs <airween at gmail.com> wrote:
>
> > The current device (Aruba) can authenticate only if the
> >
> > ntlm auth = yes
> >
> > is turned on (but I'll check it again, maybe ntlmv2 is
> > enough).
>
> All I can do is advise you, NTLMv1 is easily crackable, so, if you can
> use a stronger authentication method, then I suggest you use it.

yes, thanks - I'll check whether, when I drop the ntlm auth from the
config, the CP will still work.

> If you are only using the Unix domain member for authentication, you
> might as well remove it and use one or both of the DCs instead.

this Unix domain member test (with Linux) is just a "test". The
final box will be an Aruba cluster. That's also a Linux box, but we
don't know what works inside of that.

> > real 1m2.640s
> > user 0m0.012s
> > sys 0m0.000s
> >
> > it waits 1 minute, and then I got the message.
> >
> > When I turned off the open-ldap2, and open-ldap works, then the
> > wbinfo -a returns with success, but only after 30 seconds.
>
>
> OK, the problem here is not that you have turned off the first DC, it
> is that the client keeps trying to connect to it for 30 seconds.
>
> You need to add:
>
> 'timeout:1 attempts:2 rotate'
>
> to /etc/resolv.conf
# cat /etc/resolv.conf
options timeout:1
options attempts:2
options rotate
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204
# wbinfo --ntlmv2 -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user abc_airween with challenge/response

but I wrote the lines above, and after about 2-3 minutes, it now
works:

# wbinfo --ntlmv2 -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication succeeded

I'm not sure that _this_ is the solution. I've never read that these
DNS settings are required.

How can I check that the Samba4 DNS service is working correctly?
The regular checks (host -t A some.domain.com, etc...) work.

I've set up both DCs for the _ldap._tcp.core.mydomain.hu SRV,
_kerberos._udp SRV, and core.mydomain.hu A records. Now the
client gets both DCs for all DNS requests. Is that correct?

Thanks again,
a.
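
The effect of the resolv.conf options discussed above, as an added example that is not part of the original message: a simplified model (not glibc's exact retry algorithm) that parses both the one-line and the three-line `options` forms and estimates how long a single lookup waits when the first nameserver is down. The function names and the assumption that each unanswered try costs one full `timeout` are illustrative; the defaults and caps are those documented in resolv.conf(5).

```python
# Added example: simplified model of resolver failover, not glibc's exact algorithm.
DEFAULTS = {"timeout": 5, "attempts": 2, "rotate": False}  # defaults per resolv.conf(5)
CAPS = {"timeout": 30, "attempts": 5}                      # silent caps per resolv.conf(5)
MAXNS = 3                                                  # only the first 3 nameservers are used

# Sample inputs built from the addresses shown in the message.
PAGE_FORM = """options timeout:1
options attempts:2
options rotate
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204
"""
ONE_LINE_FORM = PAGE_FORM.replace(
    "options timeout:1\noptions attempts:2\noptions rotate",
    "options timeout:1 attempts:2 rotate")
NO_OPTIONS = "\n".join(PAGE_FORM.splitlines()[3:]) + "\n"

def parse_resolv_conf(text):
    """Return timeout/attempts/rotate/nameservers; repeated options lines accumulate."""
    cfg = dict(DEFAULTS, nameservers=[])
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            if len(cfg["nameservers"]) < MAXNS:
                cfg["nameservers"].append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                name, _, value = opt.partition(":")
                if name in CAPS and value.isdigit():
                    cfg[name] = min(int(value), CAPS[name])
                elif name == "rotate":
                    cfg["rotate"] = True
    return cfg

def lookup_delays(cfg, dead):
    """Seconds one lookup waits before a live server is asked, per starting server
    (only the first without rotate). None means no live server was reached."""
    servers = cfg["nameservers"]
    delays = []
    for start in (range(len(servers)) if cfg["rotate"] else [0]):
        waited = 0
        for ns in (servers[start:] + servers[:start]) * cfg["attempts"]:
            if ns not in dead:
                break
            waited += cfg["timeout"]  # assumed: each unanswered try costs one timeout
        else:
            waited = None
        delays.append(waited)
    return delays
```

With the first DC down, `lookup_delays(parse_resolv_conf(NO_OPTIONS), {"10.10.20.202"})` models the default behaviour, and the same call on `PAGE_FORM` models the configuration shown in the message.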