[Samba] Domain member cannot authenticate when first domain controller is down

Dale samba at txschroeder.family
Fri Mar 5 17:04:13 UTC 2021


On 3/5/21 2:04 AM, L.P.H. van Belle via samba wrote:
>>> So, failover appears to be acceptably working now, but I can't explain
>>> the lack of two sections in the first "time host..." command results.
> Can you post your full bind9 config? Maybe you're still missing something here.
>
> This is my current config as example
> // named.conf.options
> options {
>          directory "/var/cache/bind";
>          dnssec-validation auto;
>          listen-on port 53 { 192.168.0.1; 127.0.0.1; };
>          listen-on-v6 { ::1; };
>          version "0.0.7";
>
>          tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>          auth-nxdomain yes;
>          notify no;
>          empty-zones-enable no;
>          minimal-responses yes;
>
>          max-cache-size 100m;
>          allow-query { 192.168.0.0/24; 127.0.0.1/32; };
>          allow-query-cache { 192.168.0.0/24; 127.0.0.1/32; };
>          allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>          allow-transfer {
>              none;
>          };
> };
>
> Greetz,
>
> Louis
Here you go, Louis.  I noticed a few differences from yours, but it 
should be very close to the Samba wiki, from which it is derived.

Thanks for the help.
Dale

_*named.conf.options*_

// Managing acls
acl internals { 127.0.0.0/8; 192.168.0.0/24; };

options {
	directory "/var/cache/bind";
	version "";
	masterfile-format text;
	notify no;
	empty-zones-enable no;
	auth-nxdomain yes;
	allow-transfer { none; };

	dnssec-validation no;
	//dnssec-enable no; (obsolete)
	//dnssec-lookaside no; (obsolete)

	// If you only use IPv4
	listen-on-v6 { none; };

	// Listen on these IP numbers
	listen-on port 53 { 192.168.0.8; 127.0.0.1; };

	// Added Per Debian buster Bind9
	// Due to : resolver: info: resolver priming query complete messages in the logs
	// See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
	minimal-responses yes;

	// Add any subnets or hosts you want to allow to use this DNS server
	allow-query { "internals"; };
	allow-query-cache { "internals"; };

	// Add any subnets or hosts you want to allow to use recursive queries
	recursion yes;
	allow-recursion { "internals"; };

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	include "/etc/bind/named.conf.fwd";

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================

	//https://wiki.samba.org/index.php/Dns-backend_bind
	// DNS dynamic updates via Kerberos (optional, but recommended)
	// ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
	// or AFTER upgrading your dns from internal to bind9_dlz
	// Before Samba 4.9.0
	// tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
	// From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
	tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

};

_*named.conf.local*_
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the Samba dlopen (Bind DLZ) module
include "/var/lib/samba/bind-dns/named.conf";

>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
>> Sent: Friday, 5 March 2021 5:29
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Domain member cannot authenticate when first domain
>> controller is down
>>
>>
>>
>> On 3/4/21 1:46 PM, Rowland penny via samba wrote:
>>> On 04/03/2021 17:39, Dale via samba wrote:
>>>> I'm very open to suggestions.
>>>>
>>> OK, I tested this on my small domain, from an rpi running 4.13.4. I
>>> did not change anything except for resolv.conf, which I changed to this:
>>>
>>> # wait 2 seconds : default 5 seconds
>>> options timeout:2
>>> # make 1 attempt before trying next nameserver : default 2
>>> options attempts:1
>>> # round robin nameservers
>>> #options rotate
>>> search samdom.example.com
>>> nameserver 192.168.0.8
>>> nameserver 192.168.0.6
>>>
>>> I commented 'rotate' because it round robins nameservers, something I
>>> didn't want to happen.
>>>
>>> Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is
>>> dc4.samdom.example.com
>>>
>>> Ran this command on the rpi:
>>>
>>> time host -v -t SRV _ldap._tcp.samdom.example.com.
>>>
>>> And got this output:
>>>
>>> Trying "_ldap._tcp.samdom.example.com"
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
>>>
>>> ;; QUESTION SECTION:
>>> ;_ldap._tcp.samdom.example.com.    IN    SRV
>>>
>>> ;; ANSWER SECTION:
>>> _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389
>>> dc4.samdom.example.com.
>>> _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389
>>> dc01.samdom.example.com.
>>>
>>> ;; AUTHORITY SECTION:
>>> samdom.example.com.    900    IN    NS    dc4.samdom.example.com.
>>> samdom.example.com.    900    IN    NS    dc01.samdom.example.com.
>>>
>>> ;; ADDITIONAL SECTION:
>>> dc4.samdom.example.com.    900    IN    A    192.168.0.6
>>> dc01.samdom.example.com. 900    IN    A    192.168.0.8
>>>
>>> Received 192 bytes from 192.168.0.8#53 in 78 ms
>>>
>>> real    0m0.153s
>>> user    0m0.038s
>>> sys        0m0.038s
>>>
>>> So far, so good.
>>>
>>> I then turned off bind9 on dc01 and ran the command again, this time
>>> the output was:
>>>
>>> Trying "_ldap._tcp.samdom.example.com"
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;_ldap._tcp.samdom.example.com.    IN    SRV
>>>
>>> ;; ANSWER SECTION:
>>> _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389
>>> dc4.samdom.example.com.
>>> _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389
>>> dc01.samdom.example.com.
>>>
>>> Received 132 bytes from 192.168.0.6#53 in 6 ms
>>>
>>> real    0m1.074s
>>> user    0m0.031s
>>> sys      0m0.041s
>>>
>>> As you can see, this time dc4 replied and fairly quickly.
>>>
>>> I think you may have missing or incorrect records for DC2, I will try
>>> and come up with something to check your records.
>>>
>>> Rowland
>> Running the same commands that you did, I have good news and what I
>> think might be bad news.
>>
>> Good - Using the resolv.conf options values that you have (no rotate), I
>> was able to log into other member servers fairly quickly.  A "getent
>> user" took a little longer, but was acceptable.
>> Bad - Running the "time host..." command that you used returns only 2
>> sections, QUESTION and ANSWER.  There is no AUTHORITY or ADDITIONAL
>> section.  I don't know how essential that is.
>>
>> _*Client resolv.conf*_
>> The client is LMDE4 and Samba is 4.13.4 from Louis' repo.
>> [I get consistent values from resolvconf by editing
>> /etc/resolvconf/resolv.conf.d/base to get the values shown below in
>> /etc/resolv.conf.]
>>
>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
>> resolvconf(8)
>> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>> nameserver 192.168.0.7
>> nameserver 192.168.0.8
>> search workgroup.realm.tld
>> options timeout:2
>> options attempts:1
>>
>> _*Both DC's on the network*_
>> Trying "_ldap._tcp.workgroup.realm.tld"
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48104
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;_ldap._tcp.workgroup.realm.tld.	IN SRV
>>
>> ;; ANSWER SECTION:
>> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
>> dc1.workgroup.realm.tld.
>> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
>> dc2.workgroup.realm.tld.
>>
>> Received 158 bytes from 192.168.0.7#53 in 6 ms
>>
>> real	0m0.025s
>> user	0m0.010s
>> sys	0m0.010s
>>
>> _*Ethernet cable unplugged from DC1*_
>> Trying "_ldap._tcp.workgroup.realm.tld"
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;_ldap._tcp.workgroup.realm.tld.	IN SRV
>>
>> ;; ANSWER SECTION:
>> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
>> dc1.workgroup.realm.tld.
>> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
>> dc2.workgroup.realm.tld.
>>
>> Received 158 bytes from 192.168.0.8#53 in 8 ms
>>
>> real	0m1.032s
>> user	0m0.020s
>> sys	0m0.005s
>>
>> So, failover appears to be acceptably working now, but I can't explain
>> the lack of two sections in the first "time host..." command results.
>>
>> Dale
>>
>>
>
>
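Editor's note with an added example (not part of the thread, and not Samba or ISC code). Two things in the exchange above can be checked offline. First, the resolv.conf tuning: with glibc's stub resolver, a silent first nameserver costs one `timeout` before the next nameserver is tried, and the total time before the resolver gives up is roughly timeout x attempts x number of nameservers (the glibc defaults are 5 seconds and 2 attempts, so two dead DCs cost about 20 seconds per lookup, versus 4 seconds with `timeout:2 attempts:1`). Second, the missing AUTHORITY and ADDITIONAL sections: BIND documents `minimal-responses yes`, which Dale's named.conf.options sets, as adding records to those sections only when the protocol requires them (delegations, negative answers), so a positive SRV answer comes back with only QUESTION and ANSWER, exactly as shown; the client only needs the SRV targets. The script below parses resolv.conf text for the first estimate and parses a DNS reply in wire format for the second. The reply is constructed inline to mirror the thread's output (zone workgroup.realm.tld, DCs dc1 and dc2 are taken from the thread; all function names are the editor's); the failover estimate ignores glibc's per-server timeout scaling.

```python
"""Added example: offline checks for AD DC SRV discovery failover.
Not from the thread; constructed sample data, assumed function names."""
import struct

SRV_TYPE = 33
CLASS_IN = 1


def resolv_failover_budget(text):
    """Parse resolv.conf text; estimate next-server and give-up delays (seconds)."""
    timeout, attempts, nameservers = 5, 2, []   # glibc defaults, resolv.conf(5)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, value = opt.partition(":")
                if key == "timeout":
                    timeout = int(value)
                elif key == "attempts":
                    attempts = int(value)
    return {
        "nameservers": nameservers,
        "first_failover_seconds": timeout,      # silent first server: one timeout
        "give_up_seconds": timeout * attempts * len(nameservers),  # approximation
    }


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                 # RFC 1035 compression pointer
            if end is None:
                end = off + 2                       # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_sample_reply(zone, dcs):
    """Constructed reply: aa set, one SRV per DC, empty AUTHORITY/ADDITIONAL."""
    header = struct.pack("!HHHHHH", 0x0BF8, 0x8580, 1, len(dcs), 0, 0)  # qr aa rd ra
    question = _encode_name("_ldap._tcp." + zone) + struct.pack("!HH", SRV_TYPE, CLASS_IN)
    answers = b""
    for dc in dcs:
        rdata = struct.pack("!HHH", 0, 100, 389) + _encode_name(dc + "." + zone)
        answers += struct.pack("!H", 0xC00C)        # owner = pointer to QNAME at offset 12
        answers += struct.pack("!HHIH", SRV_TYPE, CLASS_IN, 900, len(rdata)) + rdata
    return header + question + answers


def parse_srv_response(msg):
    """Return the aa flag, per-section counts and SRV records from a wire reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    srv = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            srv.append((prio, weight, port, target, ttl))
        off += rdlen
    return {"aa": bool(flags & 0x0400), "answer": an, "authority": ns,
            "additional": ar, "srv": srv}


def missing_dcs(expected_hosts, parsed):
    """DC short names expected in the SRV answer but not advertised by the server."""
    advertised = {t.split(".")[0] for _, _, _, t, _ in parsed["srv"]}
    return sorted(set(expected_hosts) - advertised)


if __name__ == "__main__":
    reply = parse_srv_response(build_sample_reply("workgroup.realm.tld", ["dc1", "dc2"]))
    print(reply, missing_dcs(["dc1", "dc2"], reply))
    print(resolv_failover_budget("nameserver 192.168.0.7\nnameserver 192.168.0.8\n"
                                 "options timeout:2\noptions attempts:1\n"))
```

To use the parser against a live DC, capture one reply (for example with `dig +noall` piped through `xxd -r` or from a packet capture) and feed the raw bytes to `parse_srv_response`; comparing `missing_dcs` output per DC is the quick way to confirm that every DC advertises every other DC, which is the record check Rowland proposed.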