[Samba] Domain member cannot authenticate when first domain controller is down

Dale samba at txschroeder.family
Wed Mar 3 19:08:50 UTC 2021

On 3/3/21 9:58 AM, L.P.H. van Belle via samba wrote:
> Check the following.
> dig ns $(hostname -d)
> You should see all the AD-DC servers; if not, add the NS record of the missing ones, then when that's done,
> try these settings and test what works best for you, add in /etc/resolv.conf
> options timeout:3
> options attempts:2
> options rotate
> (see : man resolv.conf what these do)
> in smb.conf..
> Try setting :
> cache directory = /var/cache/samba
> (do check if the folder exists. )
> These parts would be the first ones I would look into.
> I hope this can help you.
> Greetz,
> Louis
_@ Louis_

The dig command returns the correct results, and the cache directory 
setting already matches what you had suggested.

I will experiment with the resolv.conf options that you mentioned.

_@ Jason_

I have requested a bugzilla account in order to add a "me too" to your 
bug report.  If what I'm experiencing is not identical, it is most 
certainly similar.

_@ Kris_

I'll need some direction for this -

<KL> "Also, are the _kerberos SRV records correct for DC2?"

Where/How do I find this, and what _are_ the expected values?

Thanks to all for the suggestions.
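The _kerberos SRV check that Kris's question refers to, together with Louis's NS check, as an added shell example that is not code from anyone in this thread: it lists the DNS names a Samba AD domain member queries when locating a DC and reports which expected DCs are missing from each answer. It assumes `dig` is installed; the domain and DC hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Assumes `dig` is
# installed; the domain and DC hostnames passed in are placeholders.

# Records a Samba AD domain member looks up when locating a DC
# (the NS check plus the _kerberos/_ldap SRV names), one "TYPE:NAME"
# pair per line.
records() {
    d="$1"
    printf '%s\n' "NS:$d" \
        "SRV:_kerberos._tcp.$d" "SRV:_kerberos._udp.$d" \
        "SRV:_ldap._tcp.$d" "SRV:_ldap._tcp.dc._msdcs.$d" \
        "SRV:_kerberos._tcp.dc._msdcs.$d"
}

# Reads `dig +short` answers on stdin (e.g. "0 100 88 dc1.my.domain.tld."
# for SRV, "dc1.my.domain.tld." for NS) and prints every expected DC
# hostname given as an argument that is absent from the answer.
missing_targets() {
    answer=$(awk '{ sub(/\.$/, "", $NF); print $NF }')
    for dc in "$@"; do
        printf '%s\n' "$answer" | grep -qixF "$dc" || printf '%s\n' "$dc"
    done
}

# Queries the live zone for each record and reports DCs missing from it.
# Returns 1 if any DC is missing anywhere, so it can gate a cron alert.
check_domain() {
    domain="$1"; shift
    rc=0
    for rec in $(records "$domain"); do
        type=${rec%%:*}; name=${rec#*:}
        missing=$(dig +short "$type" "$name" | missing_targets "$@")
        if [ -n "$missing" ]; then
            echo "MISSING from $type $name: $(echo "$missing" | tr '\n' ' ')"
            rc=1
        else
            echo "ok: $type $name advertises every DC"
        fi
    done
    return $rc
}

# Example invocation with placeholder names:
# check_domain my.domain.tld dc1.my.domain.tld dc2.my.domain.tld
```

A DC that is missing from `_kerberos._tcp` or `_ldap._tcp` is never tried by a member, which matches the long timeouts seen when only the other DC is up.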


>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
>> Sent: Wednesday 3 March 2021 16:25
>> To: Josh T; Roy Eastwood; samba at lists.samba.org
>> Subject: Re: [Samba] Domain member cannot authenticate when first domain
>> controller is down
>> Josh, I don't have the answer to your question, but if you ever figure
>> it out, I would like to know the answer, too.
>> The 2nd DC that I built has been of very little use.  While building, it
>> passed all the tests in the wiki.  After building, I found some DNS
>> entries that were not created during the join. Rowland kindly helped me
>> add and/or edit the affected entries, and I hoped for better results.
>> However, it was not to be.  If the 1st DC is removed from the network,
>> any kind of login or getent is interminably long or times out.  So,
>> while I easily see the theoretical value of having multiple DC's, I'm
>> having trouble seeing the actual, practical benefit of having them.
>> There is no instant failover, and often times, there is complete failure
>> of necessary AD functions.  While it's certainly possible the problem
>> could be me, I cannot troubleshoot what the problem is.
>> Dale
>> On 3/1/21 6:25 PM, Josh T via samba wrote:
>>> Further fiddling with this has shown something strange. If I enter my
>> username and password in an attempt to authenticate a domain user, it will
>> take 60+ seconds for it to fail to log in. However, during said 60+
>> seconds, if I log in via SSH as a non-domain user, then the domain user
>> login succeeds. What could cause that?
>>> ________________________________
>>> From: Roy Eastwood <spindles7 at gmail.com>
>>> Sent: Saturday, February 27, 2021 1:27 AM
>>> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org
>> <samba at lists.samba.org>
>>> Subject: Re: [Samba] Domain member cannot authenticate when first domain
>> controller is down
>>> On 27 February 2021 03:35 Josh T wrote:
>>>> //Problem:
>>>> I am unable to authenticate a domain user on a Samba domain member
>> while the
>>>> first Samba directory controller DC1 is powered off and the second
>> Samba
>>>> directory controller DC2 is powered on.
>>>> While DC1 is powered on, I can log in as a domain user with no
>> problems. While
>>>> DC1 is powered off, attempting to log in usually results in waiting 60+
>>> seconds
>>>> followed by a login failure message. If I had already logged in prior
>> to
>>> powering
>>>> off DC1, then I can see the same long delay and authentication failures
>> when
>>>> entering my sudo password. Intermittently I can sometimes manage to log
>> in
>>>> while DC1 is powered off, but there is still the 60+ second delay; I
>> haven't
>>> been
>>>> able to link this intermittent behavior to any of my own
>> troubleshooting
>>> actions.
>>>> In any case, a 60+ second delay is undesirable.
>>>> //Environment description:
>>>> The first Samba domain controller DC1 was created following these
>> instructions
>>>> on the Samba wiki:
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_
>>>> Domain_Controller
>>>> It was provisioned using the command "samba-tool domain provision --
>> use-
>>>> rfc2307 --interactive".
>>>> The BIND9_DLZ DNS backend was selected during provisioning.
>>>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>>>> The second Samba domain controller DC2 was created following these
>>>> instructions on the Samba wiki:
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active
>>>> _Directory
>>>> It was joined using the command "samba-tool domain join my.domain.tld -
>> -dns-
>>>> backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
>>> The above is missing the letters  "DC" in the command line.   This may
>> be the
>>> issue.
>>> HTH
>>> Roy