[Samba] Domain member cannot authenticate when first domain controller is down

Kris Lou klou at themusiclink.net
Wed Mar 3 17:26:28 UTC 2021


What happens if you force the domain members to use a specific KDC?

In particular,

 dns_lookup_kdc = false

and specify your kdc(s) in [realms]

Also, are the _kerberos SRV records correct for DC2?

Kris Lou
klou at themusiclink.net
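
Two checks that go with the suggestion above, as an added example that is not part of the original thread: a helper that emits the krb5.conf stanza with `dns_lookup_kdc = false` and every DC listed under `[realms]`, and a check that the realm's `_kerberos._tcp`, `_kerberos._udp` and `_ldap._tcp.dc._msdcs` SRV records actually name each DC (the records a Kerberos client and a Samba domain member use to find KDCs and DCs). The realm `example.com` and the hosts `dc1.example.com` / `dc2.example.com` are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the thread): pin the KDCs a domain member uses and
# verify that the realm's SRV records advertise every DC, so clients can fail
# over when one DC is down. The realm and DC names below are assumptions.

REALM="${REALM:-example.com}"
EXPECTED_DCS="${EXPECTED_DCS:-dc1.example.com dc2.example.com}"

# krb5_realm_stanza REALM DC...: print a krb5.conf fragment that disables
# DNS-based KDC lookup and lists every DC explicitly.
krb5_realm_stanza() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    shift
    printf '[libdefaults]\n'
    printf '    default_realm = %s\n' "$realm"
    printf '    dns_lookup_kdc = false\n'
    printf '    dns_lookup_realm = false\n\n'
    printf '[realms]\n'
    printf '    %s = {\n' "$realm"
    for dc in "$@"; do
        printf '        kdc = %s\n' "$dc"
    done
    printf '        admin_server = %s\n' "$1"
    printf '    }\n'
}

# srv_targets: read "dig +short SRV" output on stdin
# ("<priority> <weight> <port> <target>.") and print each target host
# without its trailing dot, one per line.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# check_srv NAME DC...: SRV record data is read from stdin; return 0 when
# every listed DC is a target of record NAME, otherwise report the missing
# hosts on stderr and return 1.
check_srv() {
    name=$1
    shift
    targets=$(srv_targets)
    rc=0
    for dc in "$@"; do
        if ! printf '%s\n' "$targets" | grep -qxF "$dc"; then
            echo "$name: DC $dc is not an SRV target" >&2
            rc=1
        fi
    done
    return $rc
}

# check_realm: query live DNS (needs dig) for the three records used to
# locate KDCs and DCs, checking each against EXPECTED_DCS.
check_realm() {
    rc=0
    for rec in "_kerberos._tcp.$REALM" "_kerberos._udp.$REALM" \
               "_ldap._tcp.dc._msdcs.$REALM"; do
        dig +short SRV "$rec" | check_srv "$rec" $EXPECTED_DCS || rc=1
    done
    return $rc
}

# Usage: sh check_dcs.sh --stanza   (print the krb5.conf fragment)
#        sh check_dcs.sh --live     (query DNS; needs dig and the network)
case "${1:-}" in
    --stanza) krb5_realm_stanza "$REALM" $EXPECTED_DCS ;;
    --live)   check_realm ;;
esac
```

Pinning KDCs in /etc/krb5.conf affects kinit, pam_krb5 and sssd; winbind on a Samba domain member writes its own krb5.conf under Samba's lock directory and uses that for its own Kerberos lookups unless smb.conf sets `create krb5 conf = no`, so check which file your login path actually reads before concluding the pin had no effect.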


On Wed, Mar 3, 2021 at 8:14 AM Jason Keltz via samba <samba at lists.samba.org>
wrote:

> Hi Dale/Josh,
>
> I had opened a ticket about this issue back in December (at least I
> think this is similar):
>
> https://bugzilla.samba.org/show_bug.cgi?id=14597
>
> I consider failover to be very important.  Unfortunately, the Samba
> developers haven't had time to work on it.  I've had a few users email
> me over the course of the last months stating similar problems.  Maybe
> you or anyone else who has the problem might add a similar "me too" to
> the bug so that the information is all available when the developers do
> have time to work on it, and we can all benefit.
>
> I suppose there's still a benefit to having multiple DC for load
> balancing.  However, yes, when the DC goes out, in my experience,
> there's definitely trouble.
>
> Jason.
>
> On 3/3/2021 10:25 AM, Dale via samba wrote:
> > Josh, I don't have the answer to your question, but if you ever figure
> > it out, I would like to know the answer, too.
> >
> > The 2nd DC that I built has been of very little use.  While building,
> > it passed all the tests in the wiki.  After building, I found some DNS
> > entries that were not created during the join. Rowland kindly helped
> > me add and/or edit the affected entries, and I hoped for better
> > results.  However, it was not to be.  If the 1st DC is removed from
> > the network, any kind of login or getent is interminably long or times
> > out.  So, while I easily see the theoretical value of having multiple
> > DC's, I'm having trouble seeing the actual, practical benefit of
> > having them.  There is no instant failover, and often times, there is
> > complete failure of necessary AD functions.  While it's certainly
> > possible the problem could be me, I cannot troubleshoot what the
> > problem is.
> >
> > Dale
> >
> >
> > On 3/1/21 6:25 PM, Josh T via samba wrote:
> >> Further fiddling with this has shown something strange. If I enter my
> >> username and password in an attempt to authenticate a domain user, it
> >> will take 60+ seconds for it to fail to log in. However, during said
> >> 60+ seconds, if I log in via SSH as a non-domain user, then the
> >> domain user login succeeds. What could cause that?
> >>
> >>
> >> ________________________________
> >> From: Roy Eastwood <spindles7 at gmail.com>
> >> Sent: Saturday, February 27, 2021 1:27 AM
> >> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org
> >> <samba at lists.samba.org>
> >> Subject: Re: [Samba] Domain member cannot authenticate when first
> >> domain controller is down
> >>
> >>
> >>
> >> On 27 February 2021 03:35 Josh T wrote:
> >>> //Problem:
> >>> I am unable to authenticate a domain user on a Samba domain member
> >>> while the first Samba directory controller DC1 is powered off and the
> >>> second Samba directory controller DC2 is powered on.
> >>>
> >>> While DC1 is powered on, I can log in as a domain user with no
> >>> problems. While DC1 is powered off, attempting to log in usually
> >>> results in waiting 60+ seconds followed by a login failure message. If
> >>> I had already logged in prior to powering off DC1, then I can see the
> >>> same long delay and authentication failures when entering my sudo
> >>> password. Intermittently I can sometimes manage to log in while DC1 is
> >>> powered off, but there is still the 60+ second delay; I haven't been
> >>> able to link this intermittent behavior to any of my own
> >>> troubleshooting actions.
> >>> In any case, a 60+ second delay is undesirable.
> >>>
> >>> //Environment description:
> >>> The first Samba domain controller DC1 was created following these
> >>> instructions on the Samba wiki:
> >>>
> >>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> >>>
> >>> It was provisioned using the command "samba-tool domain provision
> >>> --use-rfc2307 --interactive".
> >>> The BIND9_DLZ DNS backend was selected during provisioning.
> >>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
> >>>
> >>> The second Samba domain controller DC2 was created following these
> >>> instructions on the Samba wiki:
> >>>
> >>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> >>>
> >>> It was joined using the command "samba-tool domain join my.domain.tld
> >>> --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
> >> The above is missing the letters  "DC" in the command line. This may
> >> be the
> >> issue.
> >>
> >> HTH
> >>
> >> Roy
> >>
> >>
> >>
> >>
> >
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

