[Samba] Domain member cannot authenticate when first domain controller is down
Josh T
c3h4ohcooh3 at hotmail.com
Sat Feb 27 03:34:49 UTC 2021
//Problem:
I am unable to authenticate a domain user on a Samba domain member while the first Samba domain controller (DC1) is powered off and the second Samba domain controller (DC2) is powered on.
While DC1 is powered on, I can log in as a domain user with no problems. While DC1 is powered off, attempting to log in usually results in a wait of 60+ seconds followed by a login failure message. If I had already logged in before powering off DC1, I see the same long delay and authentication failures when entering my sudo password. Intermittently I can still log in while DC1 is powered off, but the 60+ second delay remains; I have not been able to link this intermittent behavior to any of my own troubleshooting actions. In any case, a 60+ second delay is undesirable.
//Environment description:
The first Samba domain controller DC1 was created following these instructions on the Samba wiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
It was provisioned using the command "samba-tool domain provision --use-rfc2307 --interactive".
The BIND9_DLZ DNS backend was selected during provisioning.
Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
The second Samba domain controller DC2 was created following these instructions on the Samba wiki: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
It was joined using the command "samba-tool domain join my.domain.tld --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
Samba version 4.11.6-Ubuntu was installed on DC2 using the apt command.
The Samba domain members were created following these instructions on the Samba wiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
They were joined using the command "net ads join".
Samba version 4.11.6-Ubuntu was installed on the members using the apt command.
All machines are virtual machines on the same subnet. There are a total of two Ubuntu Server 20.04.2 LTS Samba domain controllers, four Ubuntu Server 20.04.2 LTS Samba domain member servers, one Windows Server 2012R2 domain member, and one (non-domain-member) pfSense server on the network; this is the entire network.
//List of configuration files whose contents are provided below
Domain Controller DC1
/etc/samba/smb.conf
/etc/krb5.conf
/etc/resolv.conf
/etc/hosts
/etc/bind/named.conf.options
Domain Controller DC2
/etc/samba/smb.conf
/etc/krb5.conf
/etc/resolv.conf
/etc/hosts
/etc/bind/named.conf.options
Domain Member
/etc/samba/smb.conf
/etc/krb5.conf
/etc/resolv.conf
/etc/hosts
//Configuration file contents
//============================================================//
// Domain Controller DC1: /etc/samba/smb.conf
//============================================================//
# DC1 smb.conf, [global]: first AD DC, provisioned with --use-rfc2307 and the
# BIND9_DLZ DNS backend (DNS is served by BIND on this host, not by Samba).
[global]
netbios name = DC1
workgroup = DOMAIN
realm = MY.DOMAIN.TLD
log file = /var/log/samba/log.%m
max log size = 1000
logging = files syslog at 1
panic action = /usr/share/samba/panic-action %d
server role = active directory domain controller
# NOTE(review): the next three settings are the keytab/ticket options used in
# the domain-member setup and appear to come from that guide rather than the
# DC guide; probably harmless on a DC, but confirm they are intended here.
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# Printing fully disabled on the DC.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template shell = /bin/bash
template homedir = /home/%D/%U
# Use the rfc2307 uidNumber/gidNumber attributes for ID mapping on the DC,
# matching the --use-rfc2307 provisioning option.
idmap_ldb:use rfc2307 = yes
# Explicit service list without 'dns': BIND (BIND9_DLZ) serves DNS instead.
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
time server = yes
# SYSVOL share (group policy and scripts), replicated content; must be writable.
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# NETLOGON share: the scripts directory inside SYSVOL for this domain.
[netlogon]
path = /var/lib/samba/sysvol/my.domain.tld/scripts
read only = No
//============================================================//
// Domain Controller DC1: /etc/krb5.conf
//============================================================//
# DC1 /etc/krb5.conf. KDCs are located through DNS SRV records
# (dns_lookup_kdc = true) rather than a hard-coded [realms] list, so KDC
# discovery depends on the nameservers in /etc/resolv.conf being reachable.
[libdefaults]
default_realm = MY.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
//============================================================//
// Domain Controller DC1: /etc/resolv.conf
//============================================================//
# DC1 resolver: DC1 queries its own BIND first, then falls back to DC2.
nameserver <DC1 IP Address>
nameserver <DC2 IP Address>
search my.domain.tld
//============================================================//
// Domain Controller DC1: /etc/hosts
//============================================================//
# DC1 /etc/hosts: the DC's FQDN and short name map to its LAN address
# (not to a loopback address), followed by the stock IPv6 entries.
127.0.0.1 localhost
<DC1 IP address> dc1.my.domain.tld dc1
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
//============================================================//
// Domain Controller DC1: /etc/bind/named.conf.options
//============================================================//
// Address sets used by the options block below: LAN clients that may query
// and recurse, and the two DCs that may request zone transfers.
acl "internal_addresses" { 127.0.0.0/8; <My IP address block>; };
acl "admin_addresses" { <DC1 IP address>; <DC2 IP address>; };
// DC1 BIND options. Samba-backed zones are served through the BIND9_DLZ
// module; everything else is forwarded to the pfSense resolver.
options {
directory "/var/cache/bind";
// Non-authoritative queries go to the pfSense router/firewall.
forwarders { <Pfsense router/firewall IP address>; };
// NOTE(review): DNSSEC validation is disabled, so forwarded answers are
// accepted unvalidated; confirm this is intentional.
dnssec-validation no;
// Do not disclose the BIND version.
version none;
notify no;
empty-zones-enable no;
auth-nxdomain yes;
// IPv4 only, on the DC's LAN address and loopback.
listen-on-v6 { none; };
listen-on port 53 { <DC1 IP address>; 127.0.0.1; };
minimal-responses yes;
// Queries, cache access and recursion limited to the internal ACL;
// zone transfers only to the two DCs.
allow-query { "internal_addresses"; };
allow-query-cache { "internal_addresses"; };
recursion yes;
allow-recursion { "internal_addresses"; };
allow-transfer { "admin_addresses"; };
// Keytab Samba generates for BIND; used for GSS-TSIG secured dynamic updates.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
// Security-category events (request approvals/denials) go to a rotated file;
// all other categories keep BIND's default logging.
logging {
channel hd_security {
file "/var/log/named/named.security" versions 3 size 5m;
print-time yes;
print-severity yes;
print-category yes;
};
category security { hd_security; };
};
//============================================================//
// Domain Controller DC2: /etc/samba/smb.conf
//============================================================//
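# DC2 smb.conf, [global]: second AD DC, joined with --dns-backend=BIND9_DLZ
# (DNS is served by BIND on this host, not by Samba).
[global]
netbios name = DC2
workgroup = DOMAIN
realm = MY.DOMAIN.TLD
log file = /var/log/samba/log.%m
max log size = 1000
logging = files syslog at 1
panic action = /usr/share/samba/panic-action %d
log level = 2
server role = active directory domain controller
# NOTE(review): the next three settings are the keytab/ticket options used in
# the domain-member setup and appear to come from that guide rather than the
# DC guide; probably harmless on a DC, but confirm they are intended here.
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# Printing fully disabled on the DC.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template shell = /bin/bash
template homedir = /home/%D/%U
# Use the rfc2307 uidNumber/gidNumber attributes for ID mapping on the DC,
# matching the idmap_ldb option passed to 'samba-tool domain join'.
idmap_ldb:use rfc2307 = yes
# Explicit service list without 'dns': BIND (BIND9_DLZ) serves DNS instead.
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
time server = yes
# 'name resolve order = wins bcast' (set on DC2 only) is disabled below: it
# dropped 'host' (DNS via libc) from Samba's own name lookups, and with no
# 'wins server' or 'wins support' configured only broadcast remained. The
# default order (lmhosts wins host bcast) keeps DNS, which AD requires, and
# makes DC2 consistent with DC1.
; name resolve order = wins bcast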
# SYSVOL share (group policy and scripts), replicated content; must be writable.
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# NETLOGON share: the scripts directory inside SYSVOL for this domain.
[netlogon]
path = /var/lib/samba/sysvol/my.domain.tld/scripts
read only = No
//============================================================//
// Domain Controller DC2: /etc/krb5.conf
//============================================================//
# DC2 /etc/krb5.conf. KDCs are located through DNS SRV records
# (dns_lookup_kdc = true) rather than a hard-coded [realms] list, so KDC
# discovery depends on the nameservers in /etc/resolv.conf being reachable.
[libdefaults]
default_realm = MY.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
//============================================================//
// Domain Controller DC2: /etc/resolv.conf
//============================================================//
# DC2 resolver: DC2 queries its own BIND first, then falls back to DC1,
# so DC2's own lookups are unaffected while DC1 is down.
nameserver <DC2 IP address>
nameserver <DC1 IP address>
search my.domain.tld
//============================================================//
// Domain Controller DC2: /etc/hosts
//============================================================//
# DC2 /etc/hosts: the DC's FQDN and short name map to its LAN address
# (not to a loopback address), followed by the stock IPv6 entries.
127.0.0.1 localhost
<DC2 IP address> dc2.my.domain.tld dc2
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
//============================================================//
// Domain Controller DC2: /etc/bind/named.conf.options
//============================================================//
// Address sets used by the options block below: LAN clients that may query
// and recurse, and the two DCs that may request zone transfers.
acl "internal_addresses" { 127.0.0.0/8; <My IP address block>; };
acl "admin_addresses" { <DC1 IP address>; <DC2 IP address>; };
// DC2 BIND options; identical to DC1 apart from the listen address.
options {
directory "/var/cache/bind";
// Non-authoritative queries go to the pfSense router/firewall.
forwarders { <IP address of pfsense router/firewall>; };
// NOTE(review): DNSSEC validation is disabled, so forwarded answers are
// accepted unvalidated; confirm this is intentional.
dnssec-validation no;
// Do not disclose the BIND version.
version none;
notify no;
empty-zones-enable no;
auth-nxdomain yes;
// IPv4 only, on the DC's LAN address and loopback.
listen-on-v6 { none; };
listen-on port 53 { <DC2 IP address>; 127.0.0.1; };
minimal-responses yes;
// Queries, cache access and recursion limited to the internal ACL;
// zone transfers only to the two DCs.
allow-query { "internal_addresses"; };
allow-query-cache { "internal_addresses"; };
recursion yes;
allow-recursion { "internal_addresses"; };
allow-transfer { "admin_addresses"; };
// Keytab Samba generates for BIND; used for GSS-TSIG secured dynamic updates.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
// Security-category events (request approvals/denials) go to a rotated file;
// all other categories keep BIND's default logging.
logging {
channel hd_security {
file "/var/log/named/named.security" versions 3 size 5m;
print-time yes;
print-severity yes;
print-category yes;
};
category security { hd_security; };
};
//============================================================//
// Domain Member: /etc/samba/smb.conf
//============================================================//
# Domain member smb.conf, [global]: joined with 'net ads join'. No
# 'password server' is pinned, so winbind locates DCs through DNS.
# NOTE(review): fail-over to DC2 therefore requires DC2's SRV records to be
# present in the zone and the resolver to reach a live nameserver; both are
# worth verifying, since the reported failures begin when DC1 goes down.
[global]
workgroup = DOMAIN
realm = MY.DOMAIN.TLD
log file = /var/log/samba/log.%m
max log size = 1000
logging = files syslog at 1
panic action = /usr/share/samba/panic-action %d
# AD member role; winbind refreshes Kerberos tickets and the machine keytab
# is kept in /etc/krb5.keytab.
security = ads
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# Store Windows ACLs in extended attributes and inherit them.
vfs objects = acl_xattr
map acl inherit = yes
# Printing fully disabled on the member.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Default idmap (BUILTIN and any other domain) via a local tdb; DOMAIN users
# and groups use the rfc2307 uidNumber/gidNumber attributes from AD. The two
# ranges (1000000-1999999 and 10000-19999) do not overlap, as required.
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-19999
idmap config DOMAIN : unix_nss_info = yes
idmap config DOMAIN : unix_primary_group = yes
idmap config DOMAIN : schema_mode = rfc2307
# With unix_nss_info = yes the shell and home directory come from the user's
# AD attributes; the template values are only the fallback when those are
# unset, and /bin/false would then deny an interactive shell.
template shell = /bin/false
template homedir = /home/%D/%U
//============================================================//
// Domain Member: /etc/krb5.conf
//============================================================//
# Domain member /etc/krb5.conf. KDCs are located through DNS SRV records
# (dns_lookup_kdc = true) rather than a hard-coded [realms] list, so each
# KDC lookup depends on the nameservers in /etc/resolv.conf being reachable.
[libdefaults]
default_realm = MY.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
//============================================================//
// Domain Member: /etc/resolv.conf
//============================================================//
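# Domain member resolver. Both DCs are listed, but glibc tries them in order
# and by default waits 5 s for DC1 before asking DC2, so every lookup (DNS SRV
# for DC location, KDC discovery) pays that penalty while DC1 is down --
# consistent with the reported 60+ s login delay. The options line shortens
# the wait and round-robins the two servers; it reduces the delay but does
# not by itself explain or fix a failed authentication.
options timeout:2 attempts:2 rotate
nameserver <DC1 IP address>
nameserver <DC2 IP address>
search my.domain.tld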
//============================================================//
// Domain Member: /etc/hosts
//============================================================//
# Domain member /etc/hosts: the member's FQDN and short name map to its LAN
# address (not to a loopback address), followed by the stock IPv6 entries.
127.0.0.1 localhost
<Member IP address> member.my.domain.tld member
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters