[Samba] Domain member cannot authenticate when first domain controller is down

Rowland penny rpenny at samba.org
Thu Mar 4 19:46:10 UTC 2021


On 04/03/2021 17:39, Dale via samba wrote:
>
> I'm very open to suggestions.
>

OK, I tested this on my small domain, from an rpi running 4.13.4. I did 
not change anything except for resolv.conf, which I changed to this:

# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
# round robin nameservers
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6

I commented 'rotate' because it round robins nameservers, something I 
didn't want to happen.

Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is 
dc4.samdom.example.com

Ran this command on the rpi:

time host -v -t SRV _ldap._tcp.samdom.example.com.

And got this output:

Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.

;; AUTHORITY SECTION:
samdom.example.com.    900    IN    NS    dc4.samdom.example.com.
samdom.example.com.    900    IN    NS    dc01.samdom.example.com.

;; ADDITIONAL SECTION:
dc4.samdom.example.com.    900    IN    A    192.168.0.6
dc01.samdom.example.com. 900    IN    A    192.168.0.8

Received 192 bytes from 192.168.0.8#53 in 78 ms

real    0m0.153s
user    0m0.038s
sys        0m0.038s

So far, so good.

I then turned off bind9 on dc01 and ran the command again; this time the 
output was:

Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.

Received 132 bytes from 192.168.0.6#53 in 6 ms

real    0m1.074s
user    0m0.031s
sys      0m0.041s

As you can see, this time dc4 replied and fairly quickly.

I think you may have missing or incorrect records for DC2, I will try 
and come up with something to check your records.

Rowland
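The two checks Rowland runs by hand above (a resolv.conf whose timeout/attempts settings decide how fast a member falls over to the next DC, and a `host -v -t SRV` query whose answer must list every DC) can be scripted so a member's DNS records are verified before a DC outage reveals a gap. The following is an added example, not code from the thread or from Samba; it assumes glibc resolver semantics for `timeout`/`attempts` (from resolv.conf(5): `timeout` is how long the resolver waits on one nameserver before moving to the next), and that the `host -v` output format is the one shown in the post. The sample inputs are constructed from the values quoted above; `dc2.samdom.example.com` is a placeholder name for a DC with missing records.

```python
import re

# Constructed: the resolv.conf Rowland used on the rpi.
RESOLV_CONF = """\
# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6
"""

# Constructed from the second run in the post (dc01's bind9 stopped, dc4 answers).
HOST_OUTPUT_DC01_DOWN = """\
Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.

Received 132 bytes from 192.168.0.6#53 in 6 ms
"""


def parse_resolv_conf(text):
    """Return the nameserver list and the options that govern failover.
    Defaults (timeout 5, attempts 2, no rotate) are the glibc defaults."""
    conf = {"nameservers": [], "timeout": 5, "attempts": 2, "rotate": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, as the resolver does
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "nameserver":
            conf["nameservers"].append(rest.strip())
        elif key == "options":
            for opt in rest.split():
                name, _, value = opt.partition(":")
                if name in ("timeout", "attempts"):
                    conf[name] = int(value)
                elif name == "rotate":
                    conf["rotate"] = True
    return conf


def delay_before_nameserver(conf, index):
    """Seconds a glibc client waits before nameserver `index` is tried
    when every earlier nameserver is silent: `timeout` per dead server
    (assumption: resolv.conf(5) semantics, first attempt only)."""
    return conf["timeout"] * index


SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*$")
SERVER_RE = re.compile(r"^Received \d+ bytes from (\S+?)#\d+ in (\d+) ms$")


def parse_host_output(text):
    """Extract SRV records, glue A records and the answering server
    from `host -v -t SRV` output."""
    srv, addrs, server, ms = [], {}, None, None
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            prio, weight, port, target = m.groups()
            srv.append({"priority": int(prio), "weight": int(weight),
                        "port": int(port), "target": target.rstrip(".")})
            continue
        m = A_RE.match(line)
        if m:
            addrs[m.group(1).rstrip(".")] = m.group(2)
            continue
        m = SERVER_RE.match(line)
        if m:
            server, ms = m.group(1), int(m.group(2))
    return {"srv": srv, "a": addrs, "server": server, "ms": ms}


def check_records(parsed, expected_dcs):
    """List DCs with no _ldap._tcp SRV record and SRV targets that are
    not known DCs; an empty list means the records match the DC set."""
    problems = []
    targets = {r["target"] for r in parsed["srv"]}
    for dc in expected_dcs:
        if dc not in targets:
            problems.append(f"no _ldap._tcp SRV record for {dc}")
    for target in sorted(targets):
        if target not in expected_dcs:
            problems.append(f"SRV target {target} is not a known DC")
    return problems


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    print("seconds before 2nd nameserver is tried:", delay_before_nameserver(conf, 1))
    parsed = parse_host_output(HOST_OUTPUT_DC01_DOWN)
    print("answered by", parsed["server"], "in", parsed["ms"], "ms")
    print(check_records(parsed, ["dc01.samdom.example.com", "dc4.samdom.example.com"]))
```

To use it against a live member, pipe `host -v -t SRV _ldap._tcp.<realm>.` into `parse_host_output` once per nameserver listed in resolv.conf (`host ... @server` selects one), then run `check_records` with the full DC list; a DC that is missing from one server's answer but present in another's points at a replication or record problem on that DC, which is the kind of gap Rowland suspects for DC2.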