[Samba] Failover DC did not work when Main DC failed

Paul Littlefield info at paully.co.uk
Mon Feb 3 13:24:10 UTC 2020 

Hello Kris,


On 03/02/2020 07:15, Kris Lou via samba wrote:
> Unless it's_not_  a global catalog.  Check your SRV records again, there
> should be corresponding "_gc" records (similar to "_ldap") for each DC.

Checked and both DCs pass all tests:-

host -t SRV _ldap._tcp.mydomain.com.
host -t SRV _gc._tcp.mydomain.com.
host -t SRV _kerberos._udp.mydomain.com.
host -t A dc3.mydomain.com.
host -t A dc4.mydomain.com.

e.g. (for _gc)

root at dc3.mydomain.com ~ $ (screen) host -t SRV _gc._tcp.mydomain.com.
_gc._tcp.mydomain.com has SRV record 0 100 3268 dc3.mydomain.com.
_gc._tcp.mydomain.com has SRV record 0 100 3268 dc4.mydomain.com.


> So, based upon the link/graphic I posted earlier:
> * either your 2nd DC isn't being returned as a part of DNS lookups

For the Windows desktops and the QNAP server, they have the IP addresses for both DCs in their respective DNS settings.

For a Windows desktop tested this morning, the command nslookup defaults to DC3 at 192.168.0.218 but when that was "down" DNS queries timed out.


> * or that 2nd DC isn't responding to queries for authentication

Both DCs have this as their Kerberos configuration (/etc/krb5.conf):-

[libdefaults]
         default_realm = MYDOMAIN.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

If I run this command, authentication works:-

smbclient //dc4/netlogon -U jbloggs


> * or the client isn't storing/retrieving the 2nd DC's availability for
> future lookups

If it's in Windows network settings or a QNAP's resolver file, where else should it be?!


> ** could be related to DNS? storage via registry-equivalents? no idea here,
> but putting it as "client side"

I am happy to accept any suggestions here. There is no point in having multiple DNS servers for Windows or another DC joined for failover if none of it works as it is supposed to.


> FWIW, I checked my file server (winbind, not sssd):
> * checked the logonserver (which DC it was authenticating against)
> * stopped samba on that DC
> * checked logonserver again -- and it had switched to a different one.  So
> 4.10 Louis winbind works (for me).

Winbind is definitely running on both DCs and I followed the Wiki instructions to the letter.

Both DCs are talking to one another for replication and I can authenticate (manually using kinit) on each DC but when one virtual machine fails to boot then problems happen.

Thanks.

Paul

More information about the samba mailing list