[Samba] Domain member cannot authenticate when first domain controller is down

Kris Lou klou at themusiclink.net
Wed Mar 3 20:42:55 UTC 2021


Domain member krb.conf (mostly stolen from Jason's ticket above, but you
get the point: https://bugzilla.samba.org/show_bug.cgi?id=14597)

[libdefaults]
 default_realm = AD.SAMDOM
 dns_lookup_realm = false
 dns_lookup_kdc = false <----------------------
 rdns = false
 forwardable = true
 renew_lifetime = 7d

[realms] <---------------
 AD.SAMDOM = {
  kdc = ip.add.re.ss1:88
  kdc = ip.add.re.ss2:88
 }

When we tested this a while ago (same issues, with ... sssd, so take with a
grain of salt), the above was supposed to specify the KDC instead of
relying on DNS.  I hope the syntax is right, I haven't checked the man
pages in a while.

Also, Verifying kerberos SRV records:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS

They should exist for each DC.


Kris Lou
klou at themusiclink.net

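As an added example (not from Kris's post and not Samba project code), the following Python script applies the SRV check Kris points at: it parses `dig +short SRV` answers for the `_kerberos._tcp`, `_kerberos._udp` and `_ldap._tcp` names under the domain and reports any DC that is missing from a record set or advertises an unexpected port. A member whose resolver never returns DC2 in these records has nothing to fall back to once DC1 is off, which is exactly the symptom in this thread. The domain `ad.samdom`, the DC names `dc1`/`dc2` and the sample dig output in `SAMPLE_ANSWERS` are constructed; `dig_srv` is a hypothetical helper that shells out to `dig` for a live check against the member's own resolver.

```python
"""Check that the SRV records a domain member uses to find DCs list every DC.

Added example, not Samba's code or the poster's. The domain ad.samdom, the DC
names and SAMPLE_ANSWERS below are constructed sample data.
"""
import subprocess
import sys
from typing import Callable, Dict, List, NamedTuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# SRV names a member resolves to locate KDCs and LDAP servers, and the port
# each record is expected to advertise.
SRV_NAMES: Dict[str, int] = {
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_ldap._tcp": 389,
}


def parse_srv(dig_short_output: str) -> List[SrvRecord]:
    """Parse `dig +short SRV <name>` output, one 'prio weight port target.' per line."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or something that is not an SRV answer
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return records


def dig_srv(name: str) -> str:
    """Hypothetical live lookup through the member's own resolver (not used offline)."""
    return subprocess.run(["dig", "+short", "SRV", name],
                          capture_output=True, text=True, check=True).stdout


def srv_problems(domain: str, expected_dcs: List[str],
                 lookup: Callable[[str], str] = dig_srv) -> List[str]:
    """Return one line per problem: a DC absent from a record set, or a wrong port."""
    problems = []
    wanted = {dc.rstrip(".").lower() for dc in expected_dcs}
    for prefix, port in SRV_NAMES.items():
        name = f"{prefix}.{domain.lower()}"
        records = parse_srv(lookup(name))
        seen = {r.target for r in records}
        for dc in sorted(wanted - seen):
            problems.append(f"{name}: no SRV record for {dc}")
        for r in records:
            if r.target in wanted and r.port != port:
                problems.append(f"{name}: {r.target} advertises port {r.port}, expected {port}")
    return problems


# Constructed answers for a two-DC domain where dc2 was never registered in
# the UDP Kerberos record: the kind of gap that leaves a member with no KDC
# to fall back to once dc1 is off.
SAMPLE_ANSWERS = {
    "_kerberos._tcp.ad.samdom": "0 100 88 dc1.ad.samdom.\n0 100 88 dc2.ad.samdom.\n",
    "_kerberos._udp.ad.samdom": "0 100 88 dc1.ad.samdom.\n",
    "_ldap._tcp.ad.samdom": "0 100 389 dc1.ad.samdom.\n0 100 389 dc2.ad.samdom.\n",
}


def check_sample() -> List[str]:
    """Run the check against the constructed answers instead of live DNS."""
    return srv_problems("ad.samdom", ["dc1.ad.samdom", "dc2.ad.samdom"],
                        lookup=SAMPLE_ANSWERS.__getitem__)


if __name__ == "__main__":
    # Usage: srv_check.py <domain> <dc-fqdn> [<dc-fqdn> ...]   (live dig)
    #        srv_check.py                                      (constructed sample)
    if len(sys.argv) >= 3:
        found = srv_problems(sys.argv[1], sys.argv[2:])
    else:
        found = check_sample()
    print("\n".join(found) if found else "all DCs present in every SRV record set")
    sys.exit(1 if found else 0)
```

Run it on the member itself rather than on a DC, so the answers come from the resolver the member will actually use when DC1 is down; if that resolver is DC1, the script will show nothing useful while DC1 is off, which is itself the finding.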

On Wed, Mar 3, 2021 at 11:08 AM Dale <samba at txschroeder.family> wrote:

> On 3/3/21 9:58 AM, L.P.H. van Belle via samba wrote:
>
> Check the following.
>
> dig ns $(hostname -d)
> You should see all the AD-DC servers, if not add the NS record of the missing ones, then when thats done.
>
> try these settings and test what works best for you, add in /etc/resolv.conf
>
> options timeout:3
> options attempts:2
> options rotate
>
> (see : man resolv.conf what these do)
>
> in smb.conf..
> Try setting :
>
> cache directory = /var/cache/samba
> (do check if the folder exists. )
>
> these parts would be the first one's i would look into.
>
> I hope this can help you.
>
> Greetz,
>
> Louis
>
> *@ Louis*
>
> The dig command returns the correct results, and the cache directory
> setting already matches what you had suggested.
>
> I will experiment with the resolv.conf options that you mentioned.
>
> *@ Jason*
>
> I have requested a bugzilla account in order to add a "me too" to your bug
> report.  If what I'm experiencing is not identical, it is most certainly
> similar.
>
> *@ Kris*
>
> I'll need some direction for this -
>
> <KL> "Also, are the _kerberos SRV records correct for DC2?"
>
>
> Where/How do I find this, and what *are* the expected values?
>
> Thanks to all for the suggestions.
>
> Dale
>
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
> Sent: Wednesday 3 March 2021 16:25
> To: Josh T; Roy Eastwood; samba at lists.samba.org
> Subject: Re: [Samba] Domain member cannot authenticate when first domain
> controller is down
>
> Josh, I don't have the answer to your question, but if you ever figure
> it out, I would like to know the answer, too.
>
> The 2nd DC that I built has been of very little use.  While building, it
> passed all the tests in the wiki.  After building, I found some DNS
> entries that were not created during the join. Rowland kindly helped me
> add and/or edit the affected entries, and I hoped for better results.
> However, it was not to be.  If the 1st DC is removed from the network,
> any kind of login or getent is interminably long or times out.  So,
> while I easily see the theoretical value of having multiple DC's, I'm
> having trouble seeing the actual, practical benefit of having them.
> There is no instant failover, and often times, there is complete failure
> of necessary AD functions.  While it's certainly possible the problem
> could be me, I cannot troubleshoot what the problem is.
>
> Dale
>
>
> On 3/1/21 6:25 PM, Josh T via samba wrote:
>
> Further fiddling with this has shown something strange. If I enter my
> username and password in an attempt to authenticate a domain user, it will
> take 60+ seconds for it to fail to log in. However, during said 60+
> seconds, if I log in via SSH as a non-domain user, then the domain user
> login succeeds. What could cause that?
>
> ________________________________
> From: Roy Eastwood <spindles7 at gmail.com>
> Sent: Saturday, February 27, 2021 1:27 AM
> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org
> Subject: Re: [Samba] Domain member cannot authenticate when first domain
> controller is down
>
> On 27 February 2021 03:35 Josh T wrote:
>
> //Problem:
> I am unable to authenticate a domain user on a Samba domain member
> while the first Samba directory controller DC1 is powered off and the
> second Samba directory controller DC2 is powered on.
>
> While DC1 is powered on, I can log in as a domain user with no
> problems. While DC1 is powered off, attempting to log in usually results
> in waiting 60+ seconds followed by a login failure message. If I had
> already logged in prior to powering off DC1, then I can see the same long
> delay and authentication failures when entering my sudo password.
> Intermittently I can sometimes manage to log in while DC1 is powered off,
> but there is still the 60+ second delay; I haven't been able to link this
> intermittent behavior to any of my own troubleshooting actions.
>
> In any case, a 60+ second delay is undesirable.
>
> //Environment description:
> The first Samba domain controller DC1 was created following these
> instructions on the Samba wiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> It was provisioned using the command "samba-tool domain provision
> --use-rfc2307 --interactive".
> The BIND9_DLZ DNS backend was selected during provisioning.
> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>
> The second Samba domain controller DC2 was created following these
> instructions on the Samba wiki:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> It was joined using the command "samba-tool domain join my.domain.tld
> --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
>
> The above is missing the letters "DC" in the command line.  This may
> be the issue.
>
> HTH
>
> Roy
>

