[Samba] Domain member cannot authenticate when first domain controller is down

L.P.H. van Belle belle at bazuin.nl
Fri Mar 5 08:04:15 UTC 2021 

>> So, failover appears to be acceptably working now, but I can't explain 
>> the lack of two sections in the first "time host..." command results.

Can you post your fulll bind9 config? Maybe your still missing something here. 

This is my current config as example
// named.conf.options
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        listen-on port 53 { 192.168.0.1; 127.0.0.1; };
        listen-on-v6 { ::1; };
        version "0.0.7";

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        auth-nxdomain yes
        notify no;
        empty-zones-enable no;
        minimal-responses yes;

        max-cache-size 100m;
        allow-query { 192.168.0.0/24; 127.0.0.1/32; };
        allow-query-cache { 192.168.0.0/24; 127.0.0.1/32; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        allow-transfer {
            none;
        };
};

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Dale via samba
> Verzonden: vrijdag 5 maart 2021 5:29
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Domain member cannot authenticate when first domain
> controller is down
> 
> 
> 
> On 3/4/21 1:46 PM, Rowland penny via samba wrote:
> > On 04/03/2021 17:39, Dale via samba wrote:
> >>
> >> I'm very open to suggestions.
> >>
> >
> > OK, I tested this on my small domain, from an rpi running 4.13.4. I
> > did not change anything except for resolv.conf, which I changed to this:
> >
> > # wait 2 seconds : default 5 seconds
> > options timeout:2
> > # make 1 attempt before trying next nameserver : default 2
> > options attempts:1
> > # round robin nameservers
> > #options rotate
> > search samdom.example.com
> > nameserver 192.168.0.8
> > nameserver 192.168.0.6
> >
> > I commented 'rotate' because it round robins nameservers, something I
> > didn't want to happen.
> >
> > Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is
> > dc4.samdom.example.com
> >
> > Ran this command on the rpi:
> >
> > time host -v -t SRV _ldap._tcp.samdom.example.com.
> >
> > And got this output:
> >
> > Trying "_ldap._tcp.samdom.example.com"
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;_ldap._tcp.samdom.example.com.    IN    SRV
> >
> > ;; ANSWER SECTION:
> > _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389
> > dc4.samdom.example.com.
> > _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389
> > dc01.samdom.example.com.
> >
> > ;; AUTHORITY SECTION:
> > samdom.example.com.    900    IN    NS    dc4.samdom.example.com.
> > samdom.example.com.    900    IN    NS    dc01.samdom.example.com.
> >
> > ;; ADDITIONAL SECTION:
> > dc4.samdom.example.com.    900    IN    A    192.168.0.6
> > dc01.samdom.example.com. 900    IN    A    192.168.0.8
> >
> > Received 192 bytes from 192.168.0.8#53 in 78 ms
> >
> > real    0m0.153s
> > user    0m0.038s
> > sys        0m0.038s
> >
> > So far, so good.
> >
> > I then turned off bind9 on dc01 and ran the command again, this time
> > the output was:
> >
> > Trying "_ldap._tcp.samdom.example.com"
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;_ldap._tcp.samdom.example.com.    IN    SRV
> >
> > ;; ANSWER SECTION:
> > _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389
> > dc4.samdom.example.com.
> > _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389
> > dc01.samdom.example.com.
> >
> > Received 132 bytes from 192.168.0.6#53 in 6 ms
> >
> > real    0m1.074s
> > user    0m0.031s
> > sys      0m0.041s
> >
> > As you can see, this time dc4 replied and fairly quickly.
> >
> > I think you may have missing or incorrect records for DC2, I will try
> > and come up with something to check your records.
> >
> > Rowland
> 
> Running the same commands that you did, I have good news and what I
> think might be bad news.
> 
> Good - Using the resolv.conf options values that you have (no rotate), I
> was able to log into other member servers fairly quickly.  A "getent
> user" took a little longer, but was acceptable.
> Bad - Running the "time host..." command that you used returns only 2
> sections, QUESTION and ANSWER.  There is no AUTHORITY or ADDITIONAL
> section.  I don't know how essential that is.
> 
> _*Client resolv.conf
> *_The client is LMDE4 and Samba is 4.13.4 from Louis' repo.
> [I get consistent values from resolvconf by editing
> /etc/resolvconf/resolv.conf.d/base to get the values shown below in
> /etc/resolv.conf.]
> **_**_
> 
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.0.7
> nameserver 192.168.0.8
> search workgroup.realm.tld
> options timeout:2
> options attempts:1
> 
> _*Both DC's on the network*_
> Trying "_ldap._tcp.workgroup.realm.tld"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48104
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;_ldap._tcp.workgroup.realm.tld.	IN SRV
> 
> ;; ANSWER SECTION:
> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
> dc1.workgroup.realm.tld.
> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
> dc2.workgroup.realm.tld.
> 
> Received 158 bytes from*192.168.0.7*#53 in 6 ms
> 
> real	0m0.025s
> user	0m0.010s
> sys	0m0.010s
> 
> *_Ethernet cable unplugged from DC1_*
> Trying "_ldap._tcp.workgroup.realm.tld"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;_ldap._tcp.workgroup.realm.tld.	IN SRV
> 
> ;; ANSWER SECTION:
> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
> dc1.workgroup.realm.tld.
> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
> dc2.workgroup.realm.tld.
> 
> Received 158 bytes from*192.168.0.8*#53 in 8 ms
> 
> real	0m1.032s
> user	0m0.020s
> sys	0m0.005s
> 
> So, failover appears to be acceptably working now, but I can't explain
> the lack of two sections in the first "time host..." command results.
> 
> Dale
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list