[Samba] Domain member cannot authenticate when first domain controller is down
Rowland Penny
rpenny at samba.org
Thu Mar 4 19:46:10 UTC 2021
On 04/03/2021 17:39, Dale via samba wrote:
>
> I'm very open to suggestions.
>
OK, I tested this on my small domain, from an rpi running 4.13.4. I did
not change anything except for resolv.conf, which I changed to this:
# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
# round robin nameservers
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6
I commented 'rotate' because it round robins nameservers, something I
didn't want to happen.
Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is
dc4.samdom.example.com
Ran this command on the rpi:
time host -v -t SRV _ldap._tcp.samdom.example.com.
And got this output:
Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com. IN SRV
;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc01.samdom.example.com.
;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc4.samdom.example.com.
samdom.example.com. 900 IN NS dc01.samdom.example.com.
;; ADDITIONAL SECTION:
dc4.samdom.example.com. 900 IN A 192.168.0.6
dc01.samdom.example.com. 900 IN A 192.168.0.8
Received 192 bytes from 192.168.0.8#53 in 78 ms
real 0m0.153s
user 0m0.038s
sys 0m0.038s
So far, so good.
I then turned off bind9 on dc01 and ran the command again, this time the
output was:
Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com. IN SRV
;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc01.samdom.example.com.
Received 132 bytes from 192.168.0.6#53 in 6 ms
real 0m1.074s
user 0m0.031s
sys 0m0.041s
As you can see, this time dc4 replied and fairly quickly.
I think you may have missing or incorrect records for DC2, I will try
and come up with something to check your records.
Rowland
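Added example (not part of Rowland's message, nor Samba project code): a small model of how long a glibc stub resolver keeps a lookup waiting when the first listed nameserver is dead, which is the delay the resolv.conf tuning above is meant to cut. It parses the resolv.conf from the message (embedded as the sample input, alongside a constructed file with no options line) and simulates the timeout/attempts semantics as documented in resolv.conf(5): each attempt walks the nameserver list in order, and a dead server costs one full timeout before the next server is tried. The clamps (timeout at most 30 s, attempts at most 5) are the glibc RES_MAXRETRANS/RES_MAXRETRY limits; the model is first-order and ignores finer glibc details such as per-server timeout scaling and EDNS fallback.

```python
# Added example, not from the original message: model glibc stub-resolver
# failover time from a resolv.conf, using the resolv.conf(5) semantics for
# 'timeout' and 'attempts'. First-order model; real glibc has extra details.

DEFAULT_TIMEOUT = 5    # resolv.conf(5) default, seconds
DEFAULT_ATTEMPTS = 2   # resolv.conf(5) default
MAX_TIMEOUT = 30       # glibc RES_MAXRETRANS clamp
MAX_ATTEMPTS = 5       # glibc RES_MAXRETRY clamp

# The resolv.conf from the message above, embedded as sample input.
ROWLAND_RESOLV_CONF = """\
# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
# round robin nameservers
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6
"""

# Constructed for comparison: same servers, stock options.
DEFAULT_RESOLV_CONF = """\
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6
"""


def parse_resolv_conf(text):
    """Return timeout, attempts, rotate flag and nameserver list.

    '#' comments are stripped, several 'options' lines accumulate, and
    numeric values are clamped the way glibc clamps them.
    """
    cfg = {"timeout": DEFAULT_TIMEOUT, "attempts": DEFAULT_ATTEMPTS,
           "rotate": False, "nameservers": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) > 1:
            cfg["nameservers"].append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                if key == "timeout" and val.isdigit():
                    cfg["timeout"] = min(int(val), MAX_TIMEOUT)
                elif key == "attempts" and val.isdigit():
                    cfg["attempts"] = min(int(val), MAX_ATTEMPTS)
                elif key == "rotate":
                    cfg["rotate"] = True
    return cfg


def seconds_until_answer(cfg, down, start_index=0):
    """Seconds one lookup spends waiting on dead servers before a live one
    answers, or None if every attempt is exhausted.

    Each attempt walks the nameserver list once, starting at start_index
    (always 0 without 'rotate'; 'rotate' advances it from query to query).
    A server in `down` costs a full `timeout`, then the next one is tried.
    """
    servers = cfg["nameservers"]
    waited = 0
    for _ in range(cfg["attempts"]):
        for i in range(len(servers)):
            server = servers[(start_index + i) % len(servers)]
            if server in down:
                waited += cfg["timeout"]
            else:
                return waited
    return None


def failover_report(text, down):
    """Worst-case per-lookup wait for a resolv.conf with `down` servers dead."""
    return seconds_until_answer(parse_resolv_conf(text), down)


if __name__ == "__main__":
    dc01 = "192.168.0.8"   # first listed nameserver, as in the message
    for label, conf in (("tuned", ROWLAND_RESOLV_CONF),
                        ("defaults", DEFAULT_RESOLV_CONF)):
        print(f"{label}: dc01 down -> {failover_report(conf, {dc01})} s per lookup")
```

With the tuned file a dead dc01 costs 2 s per lookup before dc4 answers; with stock options it costs 5 s, and every lookup the domain member makes pays that again until the resolver is asked about a different server first. The trade-off of attempts:1 is the None case: a lookup that times out on every listed server is not retried at all, so the setting trades retry resilience for fast failover.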