[Samba] [airween at gmail.com: DC's are still unavailable when PDC halted]
Hegedüs Ervin
airween at gmail.com
Tue Nov 14 10:07:11 UTC 2017
Hello,
I've increased the log level to get some info on the client.
When I turned off the DC, I got these lines in the log:
[2017/11/14 10:10:25.398269, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"
[2017/11/14 10:10:26.438916, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2017/11/14 10:10:26.439488, 5] ../source3/winbindd/winbindd_cm.c:1113(cm_prepare_connection)
connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]
[2017/11/14 10:10:26.439747, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=96)
[2017/11/14 10:10:26.439965, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
[2017/11/14 10:10:26.440268, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178 at please_ignore
[2017/11/14 10:10:26.440393, 3] ../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
cli_session_setup_spnego: using target hostname not SPNEGO principal
[2017/11/14 10:10:26.440496, 3] ../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
cli_session_setup_spnego: guessed server principal=cifs/open-ldap2.wificloud.local at WIFICLOUD.LOCAL
[2017/11/14 10:10:26.683320, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2017/11/14 10:10:26.689164, 1] ../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host open-ldap2.wificloud.local!
[2017/11/14 10:10:26.689801, 3] ../source3/rpc_client/cli_pipe.c:1926(rpc_pipe_bind_step_one_done)
rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.690068, 1] ../source3/rpc_client/cli_pipe.c:3311(cli_rpc_pipe_open_schannel_with_creds)
cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.690203, 3] ../source3/winbindd/winbindd_cm.c:3405(cm_connect_netlogon_transport)
Could not open schannel'ed NETLOGON pipe. Error was NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691016, 3] ../source3/winbindd/winbindd_dual_srv.c:758(_wbint_PingDc)
could not open handle to NETLOGON pipe: NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691185, 4] ../source3/winbindd/winbindd_dual.c:1396(child_handler)
Finished processing child request 56
So, it looks like the first message contains the preferred
server list, and in first place is the halted server:

get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"

but the client connects to open-ldap2:

connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]

and then comes the error message:

rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
...

But I don't know why. Until those lines come to the log,
wbinfo timed out, and after a minute it gives:

wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)

And on the next request, it works... Why? What am I missing?
Thanks,
a.
On Mon, Nov 13, 2017 at 03:31:16PM +0100, Ervin Hegedüs wrote:
> Hi folks,
>
> sorry for the re-post, I need some help to solve this problem.
>
> Since my previous e-mail, we made a set-up: there is a Clear Pass
> device (Aruba), which controls the network access for users.
>
> Between the CP and these two DCs there is a load balancer.
>
> But when we stopped DC1, which was set up first, while DC2
> keeps working continuously, the authentication of users stops
> for a few minutes. Without the LB, it is the same situation.
>
> It looks like DC2 (which joined the domain later) needs
> DC1.
>
> But now, here is the original e-mail:
>
>
>
> I've completely re-installed my DCs and Linux member. I've
> followed the docs step-by-step on Samba's wiki page, and everything
> works well.
>
> Here is what I see on my member
>
> # cat /etc/hosts
> 127.0.0.1 localhost localhost.localdomain
>
> 192.168.255.98 open-client.wificloud.local open-client
>
>
> # cat /etc/resolv.conf
> options timeout:1
> options attempts:2
> options rotate
> search wificloud.local
> nameserver 192.168.255.99
> nameserver 192.168.255.100
>
> first check:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded
>
> real 0m0.017s
> user 0m0.012s
> sys 0m0.000s
>
> right, seems like it works; I shut down the DC above
> (open-ldap), and checked again:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" failed
> wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)
>
> real 1m4.560s
> user 0m0.008s
> sys 0m0.004s
> # time wbinfo --ping-dc
> hecking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" succeeded
>
> real 0m40.595s
> user 0m0.008s
> sys 0m0.008s
>
> okay, it works after some sleeping... open-ldap brought up,
> open-ldap2 shut down, check again:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" failed
> wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)
>
> real 0m16.309s
> user 0m0.004s
> sys 0m0.008s
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded
>
> real 0m1.260s
> user 0m0.008s
> sys 0m0.004s
>
> well done - it works, but after the DC stops, there is too much
> timeout. How can I decrease it?
>
>
>
> Thanks,
>
>
>
> a.
>
>
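Added example, not part of the original post or of Samba's code: a small parser for the winbindd log format quoted above that pairs each header line with its message and reports the preferred DC order, the DCs actually contacted, and the NT_STATUS errors seen. The function names `parse_records` and `summarize` are hypothetical, and attributing an error to the most recent connection target is an assumption of this sketch.

```python
import re

# Excerpt in the winbindd log format quoted in the post (header line, then message).
SAMPLE_LOG = """\
[2017/11/14 10:10:25.398269, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"
[2017/11/14 10:10:26.439488, 5] ../source3/winbindd/winbindd_cm.c:1113(cm_prepare_connection)
connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]
[2017/11/14 10:10:26.689801, 3] ../source3/rpc_client/cli_pipe.c:1926(rpc_pipe_bind_step_one_done)
rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691016, 3] ../source3/winbindd/winbindd_dual_srv.c:758(_wbint_PingDc)
could not open handle to NETLOGON pipe: NT_STATUS_NETWORK_ACCESS_DENIED
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+)\] \S+\((\w+)\)$")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "func": m.group(3), "msg": ""})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def summarize(text):
    """Return preferred DC order, DCs actually contacted, and errors per DC."""
    preferred, contacted, errors, current = [], [], {}, None
    for rec in parse_records(text):
        m = re.search(r'preferred server list: "([^"]*)"', rec["msg"])
        if m:
            names = [n.strip() for n in m.group(1).split(",")]
            preferred = list(dict.fromkeys(n for n in names if n != "*"))
        m = re.search(r"connecting to (\S+) from", rec["msg"])
        if m:
            current = m.group(1)
            contacted.append(current)
        # Heuristic (assumption): an error belongs to the most recent connection target.
        for status in re.findall(r"\bNT_STATUS_\w+", rec["msg"]):
            errors.setdefault(current, []).append((rec["ts"], rec["func"], status))
    # Preferred DCs that never appear as a connection target in this excerpt.
    skipped = [dc for dc in preferred if contacted and dc not in contacted]
    return {"preferred": preferred, "contacted": contacted,
            "skipped": skipped, "errors": errors}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=>", value)
```

Run over a full log.winbindd at level 5, the per-DC error timestamps line up against the `wbinfo --ping-dc` wall-clock times, which shows where the delay sits.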