[Samba] Domain member cannot authenticate when first domain controller is down
L.P.H. van Belle
belle at bazuin.nl
Mon Mar 8 11:25:21 UTC 2021
Yeah, we don't have too many differences in the settings.
But I would remove the text file forwarders in bind.
Not that I'm using that, but the link below shows the picture.
https://www.interfacett.com/blogs/how-to-configure-a-dns-stub-zone-in-windows-server/
Greetz,
Louis
From: Dale [mailto:samba at txschroeder.family]
Sent: Friday 5 March 2021 18:04
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
On 3/5/21 2:04 AM, L.P.H. van Belle via samba wrote:
So, failover appears to be acceptably working now, but I can't explain
the lack of two sections in the first "time host..." command results.
Can you post your full bind9 config? Maybe you're still missing something here.
This is my current config as an example:
// named.conf.options
options {
directory "/var/cache/bind";
dnssec-validation auto;
listen-on port 53 { 192.168.0.1; 127.0.0.1; };
listen-on-v6 { ::1; };
version "0.0.7";
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
auth-nxdomain yes;
notify no;
empty-zones-enable no;
minimal-responses yes;
max-cache-size 100m;
allow-query { 192.168.0.0/24; 127.0.0.1/32; };
allow-query-cache { 192.168.0.0/24; 127.0.0.1/32; };
allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
allow-transfer {
none;
};
};
Greetz,
Louis
Here you go, Louis. I noticed a few differences from yours, but it should be very close to the Samba wiki, from which it is derived.
Thanks for the help.
Dale
named.conf.options
// Managing acls
acl internals { 127.0.0.0/8; 192.168.0.0/24; };
options {
directory "/var/cache/bind";
version "";
masterfile-format text;
notify no;
empty-zones-enable no;
auth-nxdomain yes;
allow-transfer { none; };
dnssec-validation no;
//dnssec-enable no; (obsolete)
//dnssec-lookaside no; (obsolete)
// If you only use IPv4
listen-on-v6 { none; };
// Listen on these IP numbers
listen-on port 53 { 192.168.0.8; 127.0.0.1; };
// Added Per Debian buster Bind9
// Due to : resolver: info: resolver priming query complete messages in the logs
// See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
minimal-responses yes;
// Add any subnets or hosts you want to allow to use this DNS server
allow-query { "internals"; };
allow-query-cache { "internals"; };
// Add any subnets or hosts you want to allow to use recursive queries
recursion yes;
allow-recursion { "internals"; };
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
include "/etc/bind/named.conf.fwd";
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
// ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
// or AFTER upgrading your dns from internal to bind9_dlz
// Before Samba 4.9.0
// tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
// From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// adding the Samba dlopen (Bind DLZ) module
include "/var/lib/samba/bind-dns/named.conf";
-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
Sent: Friday 5 March 2021 5:29
To: samba at lists.samba.org
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
On 3/4/21 1:46 PM, Rowland penny via samba wrote:
On 04/03/2021 17:39, Dale via samba wrote:
I'm very open to suggestions.
OK, I tested this on my small domain, from an rpi running 4.13.4. I
did not change anything except for resolv.conf, which I changed to this:
# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
# round robin nameservers
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6
I commented 'rotate' because it round robins nameservers, something I
didn't want to happen.
Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is
dc4.samdom.example.com
Ran this command on the rpi:
time host -v -t SRV _ldap._tcp.samdom.example.com.
And got this output:
Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com. IN SRV
;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389
dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389
dc01.samdom.example.com.
;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc4.samdom.example.com.
samdom.example.com. 900 IN NS dc01.samdom.example.com.
;; ADDITIONAL SECTION:
dc4.samdom.example.com. 900 IN A 192.168.0.6
dc01.samdom.example.com. 900 IN A 192.168.0.8
Received 192 bytes from 192.168.0.8#53 in 78 ms
real 0m0.153s
user 0m0.038s
sys 0m0.038s
So far, so good.
I then turned off bind9 on dc01 and ran the command again, this time
the output was:
Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com. IN SRV
;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389
dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389
dc01.samdom.example.com.
Received 132 bytes from 192.168.0.6#53 in 6 ms
real 0m1.074s
user 0m0.031s
sys 0m0.041s
As you can see, this time dc4 replied and fairly quickly.
I think you may have missing or incorrect records for DC2, I will try
and come up with something to check your records.
Rowland
Running the same commands that you did, I have good news and what I
think might be bad news.
Good - Using the resolv.conf options values that you have (no rotate), I
was able to log into other member servers fairly quickly. A "getent
user" took a little longer, but was acceptable.
Bad - Running the "time host..." command that you used returns only 2
sections, QUESTION and ANSWER. There is no AUTHORITY or ADDITIONAL
section. I don't know how essential that is.
Client resolv.conf
The client is LMDE4 and Samba is 4.13.4 from Louis' repo.
[I get consistent values from resolvconf by editing
/etc/resolvconf/resolv.conf.d/base to get the values shown below in
/etc/resolv.conf.]
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.7
nameserver 192.168.0.8
search workgroup.realm.tld
options timeout:2
options attempts:1
Both DCs on the network
Trying "_ldap._tcp.workgroup.realm.tld"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48104
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.workgroup.realm.tld. IN SRV
;; ANSWER SECTION:
_ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389
dc1.workgroup.realm.tld.
_ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389
dc2.workgroup.realm.tld.
Received 158 bytes from 192.168.0.7#53 in 6 ms
real 0m0.025s
user 0m0.010s
sys 0m0.010s
Ethernet cable unplugged from DC1
Trying "_ldap._tcp.workgroup.realm.tld"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.workgroup.realm.tld. IN SRV
;; ANSWER SECTION:
_ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389
dc1.workgroup.realm.tld.
_ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389
dc2.workgroup.realm.tld.
Received 158 bytes from 192.168.0.8#53 in 8 ms
real 0m1.032s
user 0m0.020s
sys 0m0.005s
So, failover appears to be acceptably working now, but I can't explain
the lack of two sections in the first "time host..." command results.
Dale
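The fail-over test Rowland and Dale ran above (an SRV lookup for _ldap._tcp with both DCs up, then again with one DC gone, on a client whose resolv.conf has timeout/attempts tuned) can be checked mechanically instead of by eye. The following is an added example, not code from this thread or from Samba. It parses the client's resolv.conf and two captured `host -v -t SRV` outputs, reports whether the second nameserver answered, whether the SRV set stayed complete, how much latency the fail-over added, and whether the AUTHORITY/ADDITIONAL sections Dale noticed missing are present. The sample captures are constructed from Rowland's output in the thread (the second one kept in the mail-wrapped two-line form so the parser has to re-join it); `failover_delay_estimate` is a simplified model of the glibc resolver described in resolv.conf(5) and ignores its per-attempt back-off.

```python
"""Added example: check evidence from a Samba DC fail-over DNS test."""
import re
from dataclasses import dataclass, field

_STATUS_RE = re.compile(r"status:\s*(\w+)")
_FLAGS_RE = re.compile(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL):\s*(\d+)")
_SRV_RE = re.compile(r"\sIN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)")
_WRAPPED_RE = re.compile(r"\sIN\s+SRV\s+\d+\s+\d+\s+\d+\s*$")  # target on next line
_FROM_RE = re.compile(r"Received \d+ bytes from (\S+?)#\d+")
_REAL_RE = re.compile(r"^real\s+(\d+)m([\d.]+)s")


@dataclass
class HostResult:
    status: str = "UNKNOWN"
    answered_by: str = ""                     # nameserver that actually replied
    srv_targets: list = field(default_factory=list)
    sections: dict = field(default_factory=dict)   # counts from the flags line
    real_seconds: float = 0.0                 # wall-clock from `time`


def _unwrap(lines):
    """Re-join SRV records that a mail client wrapped onto two lines."""
    out, i = [], 0
    while i < len(lines):
        line = lines[i].rstrip()
        if _WRAPPED_RE.search(line) and i + 1 < len(lines):
            line = line + " " + lines[i + 1].strip()
            i += 1
        out.append(line)
        i += 1
    return out


def parse_host_output(text):
    """Extract status, section counts, SRV targets, responder and timing."""
    res = HostResult()
    for line in _unwrap(text.splitlines()):
        if m := _STATUS_RE.search(line):
            res.status = m.group(1)
        if line.startswith(";; flags:"):
            res.sections = {k: int(v) for k, v in _FLAGS_RE.findall(line)}
        if m := _SRV_RE.search(line):
            res.srv_targets.append(m.group(2))
        if m := _FROM_RE.search(line):
            res.answered_by = m.group(1)
        if m := _REAL_RE.match(line):
            res.real_seconds = int(m.group(1)) * 60 + float(m.group(2))
    return res


def parse_resolv_conf(text):
    """Return (nameservers, options) with glibc's documented defaults filled in."""
    nameservers, options = [], {"timeout": 5, "attempts": 2, "rotate": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#options rotate' is ignored
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            nameservers.append(rest[0])
        elif key == "options":
            for opt in rest:
                if opt == "rotate":
                    options["rotate"] = True
                elif ":" in opt:
                    name, val = opt.split(":", 1)
                    if name in ("timeout", "attempts") and val.isdigit():
                        options[name] = int(val)
    return nameservers, options


def failover_delay_estimate(nameservers, options, dead):
    """Seconds a query waits before a live server answers, assuming each dead
    server ahead of it costs one `timeout` (simplified resolv.conf(5) model;
    the glibc back-off on later attempts is ignored).  None if all are dead."""
    dead_ahead = 0
    for ns in nameservers:
        if ns not in dead:
            return options["timeout"] * dead_ahead
        dead_ahead += 1
    return None


def failover_report(before, after):
    """Compare the 'both DCs up' capture with the 'one DC down' capture."""
    return {
        "both_noerror": before.status == "NOERROR" and after.status == "NOERROR",
        "srv_set_unchanged": sorted(before.srv_targets) == sorted(after.srv_targets),
        "switched_nameserver": before.answered_by != after.answered_by,
        "lost_authority_additional": after.sections.get("AUTHORITY", 0) == 0
        and after.sections.get("ADDITIONAL", 0) == 0,
        "added_seconds": round(after.real_seconds - before.real_seconds, 3),
    }


# Constructed samples, taken from Rowland's two runs in the thread.
RESOLV_CONF = """options timeout:2
options attempts:1
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6
"""
BEFORE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc01.samdom.example.com.
;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc4.samdom.example.com.
samdom.example.com. 900 IN NS dc01.samdom.example.com.
;; ADDITIONAL SECTION:
dc4.samdom.example.com. 900 IN A 192.168.0.6
dc01.samdom.example.com. 900 IN A 192.168.0.8
Received 192 bytes from 192.168.0.8#53 in 78 ms
real 0m0.153s
"""
AFTER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389
dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389
dc01.samdom.example.com.
Received 132 bytes from 192.168.0.6#53 in 6 ms
real 0m1.074s
"""

if __name__ == "__main__":
    ns, opts = parse_resolv_conf(RESOLV_CONF)
    print("worst-case wait with first DC dead:", failover_delay_estimate(ns, opts, {ns[0]}), "s")
    print(failover_report(parse_host_output(BEFORE), parse_host_output(AFTER)))
```

On real captures, feed the script the output of `time host -v -t SRV _ldap._tcp.<realm>.` taken before and after the DC is stopped. A report with `switched_nameserver` true and `srv_set_unchanged` true is the fail-over working; `lost_authority_additional` true only tells you the second DC answered with minimal-responses style output (the ANSWER section is what the client needs), and `added_seconds` should stay close to the resolv.conf timeout rather than the 5-second default.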