[Samba] Domain member cannot authenticate when first domain controller is down

L.P.H. van Belle belle at bazuin.nl
Wed Mar 3 15:58:06 UTC 2021 

Check the following. 

dig ns $(hostname -d)
You should see all the AD-DC servers, if not add the NS record of the missing ones, then when thats done.

try these settings and test what works best for you, add in /etc/resolv.conf

options timeout:3
options attempts:2
options rotate

(see : man resolv.conf what these do) 

in smb.conf.. 
Try setting : 

cache directory = /var/cache/samba
(do check if the folder exists. )

these parts would be the first one's i would look into. 

I hope this can help you. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Dale via samba
> Verzonden: woensdag 3 maart 2021 16:25
> Aan: Josh T; Roy Eastwood; samba at lists.samba.org
> Onderwerp: Re: [Samba] Domain member cannot authenticate when first domain
> controller is down
> 
> Josh, I don't have the answer to your question, but if you ever figure
> it out, I would like to know the answer, too.
> 
> The 2nd DC that I built has been of very little use.  While building, it
> passed all the tests in the wiki.  After building, I found some DNS
> entries that were not created during the join. Rowland kindly helped me
> add and/or edit the affected entries, and I hoped for better results.
> However, it was not to be.  If the 1st DC is removed from the network,
> any kind of login or getent is interminably long or times out.  So,
> while I easily see the theoretical value of having multiple DC's, I'm
> having trouble seeing the actual, practical benefit of having them.
> There is no instant failover, and often times, there is complete failure
> of necessary AD functions.  While it's certainly possible the problem
> could be me, I cannot troubleshoot what the problem is.
> 
> Dale
> 
> 
> On 3/1/21 6:25 PM, Josh T via samba wrote:
> > Further fiddling with this has shown something strange. If I enter my
> username and password in an attempt to authenticate a domain user, it will
> take 60+ seconds for it to fail to log in. However, during said 60+
> seconds, if I log in via SSH as a non-domain user, then the domain user
> login succeeds. What could cause that?
> >
> >
> > ________________________________
> > From: Roy Eastwood <spindles7 at gmail.com>
> > Sent: Saturday, February 27, 2021 1:27 AM
> > To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org
> <samba at lists.samba.org>
> > Subject: Re: [Samba] Domain member cannot authenticate when first domain
> controller is down
> >
> >
> >
> > On 27 February 2021 03:35 Josh T wrote:
> >> //Problem:
> >> I am unable to authenticate a domain user on a Samba domain member
> while the
> >> first Samba directory controller DC1 is powered off and the second
> Samba
> >> directory controller DC2 is powered on.
> >>
> >> While DC1 is powered on, I can log in as a domain user with no
> problems. While
> >> DC1 is powered off, attempting to log in usually results in waiting 60+
> > seconds
> >> followed by a login failure message. If I had already logged in prior
> to
> > powering
> >> off DC1, then I can see the same long delay and authentication failures
> when
> >> entering my sudo password. Intermittently I can sometimes manage to log
> in
> >> while DC1 is powered off, but there is still the 60+ second delay; I
> haven't
> > been
> >> able to link this intermittent behavior to any of my own
> troubleshooting
> > actions.
> >> In any case, a 60+ second delay is undesirable.
> >>
> >> //Environment description:
> >> The first Samba domain controller DC1 was created following these
> instructions
> >> on the Samba wiki:
> >>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_
> >> Domain_Controller
> >> It was provisioned using the command "samba-tool domain provision --
> use-
> >> rfc2307 --interactive".
> >> The BIND9_DLZ DNS backend was selected during provisioning.
> >> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
> >>
> >> The second Samba domain controller DC2 was created following these
> >> instructions on the Samba wiki:
> >>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active
> >> _Directory
> >> It was joined using the command "samba-tool domain join my.domain.tld -
> -dns-
> >> backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
> > The above is missing the letters  "DC" in the command line.   This may
> be the
> > issue.
> >
> > HTH
> >
> > Roy
> >
> >
> >
> >
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list