[Samba] Domain member cannot authenticate when first domain controller is down
klou at themusiclink.net
Wed Mar 3 17:26:28 UTC 2021
What happens if you force the domain members to use a specific KDC?
dns_lookup_kdc = false
and specify your kdc(s) in [realms]
Also, are the _kerberos SRV records correct for DC2?
klou at themusiclink.net
On Wed, Mar 3, 2021 at 8:14 AM Jason Keltz via samba <samba at lists.samba.org>
> Hi Dale/Josh,
> I had opened a ticket about this issue back in December (at least I
> think this is similar):
> I consider failover to be very important. Unfortunately, the Samba
> developers haven't had time to work on it. I've had a few users email
> me over the course of the last months stating similar problems. Maybe
> you or anyone else who has the problem might add a similar "me too" to
> the bug so that the information is all available when the developers do
> have time to work on it, and we can all benefit.
> I suppose there's still a benefit to having multiple DC for load
> balancing. However, yes, when the DC goes out, in my experience,
> there's definately trouble.
> On 3/3/2021 10:25 AM, Dale via samba wrote:
> > Josh, I don't have the answer to your question, but if you ever figure
> > it out, I would like to know the answer, too.
> > The 2nd DC that I built has been of very little use. While building,
> > it passed all the tests in the wiki. After building, I found some DNS
> > entries that were not created during the join. Rowland kindly helped
> > me add and/or edit the affected entries, and I hoped for better
> > results. However, it was not to be. If the 1st DC is removed from
> > the network, any kind of login or getent is interminably long or times
> > out. So, while I easily see the theoretical value of having multiple
> > DC's, I'm having trouble seeing the actual, practical benefit of
> > having them. There is no instant failover, and often times, there is
> > complete failure of necessary AD functions. While it's certainly
> > possible the problem could be me, I cannot troubleshoot what the
> > problem is.
> > Dale
> > On 3/1/21 6:25 PM, Josh T via samba wrote:
> >> Further fiddling with this has shown something strange. If I enter my
> >> username and password in an attempt to authenticate a domain user, it
> >> will take 60+ seconds for it to fail to log in. However, during said
> >> 60+ seconds, if I log in via SSH as a non-domain user, then the
> >> domain user login succeeds. What could cause that?
> >> ________________________________
> >> From: Roy Eastwood <spindles7 at gmail.com>
> >> Sent: Saturday, February 27, 2021 1:27 AM
> >> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org
> >> <samba at lists.samba.org>
> >> Subject: Re: [Samba] Domain member cannot authenticate when first
> >> domain controller is down
> >> On 27 February 2021 03:35 Josh T wrote:
> >>> //Problem:
> >>> I am unable to authenticate a domain user on a Samba domain member
> >>> while the
> >>> first Samba directory controller DC1 is powered off and the second
> >>> Samba
> >>> directory controller DC2 is powered on.
> >>> While DC1 is powered on, I can log in as a domain user with no
> >>> problems. While
> >>> DC1 is powered off, attempting to log in usually results in waiting 60+
> >> seconds
> >>> followed by a login failure message. If I had already logged in
> >>> prior to
> >> powering
> >>> off DC1, then I can see the same long delay and authentication
> >>> failures when
> >>> entering my sudo password. Intermittently I can sometimes manage to
> >>> log in
> >>> while DC1 is powered off, but there is still the 60+ second delay; I
> >>> haven't
> >> been
> >>> able to link this intermittent behavior to any of my own
> >>> troubleshooting
> >> actions.
> >>> In any case, a 60+ second delay is undesirable.
> >>> //Environment description:
> >>> The first Samba domain controller DC1 was created following these
> >>> instructions
> >>> on the Samba wiki:
> >>> Domain_Controller
> >>> It was provisioned using the command "samba-tool domain provision
> >>> --use-
> >>> rfc2307 --interactive".
> >>> The BIND9_DLZ DNS backend was selected during provisioning.
> >>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
> >>> The second Samba domain controller DC2 was created following these
> >>> instructions on the Samba wiki:
> >>> _Directory
> >>> It was joined using the command "samba-tool domain join
> >>> my.domain.tld --dns-
> >>> backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
> >> The above is missing the letters "DC" in the command line. This may
> >> be the
> >> issue.
> >> HTH
> >> Roy
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba