[Samba] Domain member cannot authenticate when first domain controller is down

L.P.H. van Belle belle at bazuin.nl
Mon Mar 8 11:25:21 UTC 2021


Yeah, we don't have too many differences in the settings.

But I would remove the text file forwarders in bind.

Not that I'm using that, but the link below shows the picture.
https://www.interfacett.com/blogs/how-to-configure-a-dns-stub-zone-in-windows-server/


Greetz,

Louis


From: Dale [mailto:samba at txschroeder.family]
Sent: Friday 5 March 2021 18:04
To: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down


 

On 3/5/21 2:04 AM, L.P.H. van Belle via samba wrote:

So, failover appears to be acceptably working now, but I can't explain
the lack of two sections in the first "time host..." command results.

Can you post your full bind9 config? Maybe you're still missing something here.

This is my current config as an example:

// named.conf.options
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        listen-on port 53 { 192.168.0.1; 127.0.0.1; };
        listen-on-v6 { ::1; };
        version "0.0.7";

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        auth-nxdomain yes;
        notify no;
        empty-zones-enable no;
        minimal-responses yes;

        max-cache-size 100m;
        allow-query { 192.168.0.0/24; 127.0.0.1/32; };
        allow-query-cache { 192.168.0.0/24; 127.0.0.1/32; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        allow-transfer {
            none;
        };
};

 

Greetz, 

 

Louis

Here you go, Louis.  I noticed a few differences from yours, but it should be very close to the Samba wiki, from which it is derived.

Thanks for the help.
Dale

named.conf.options

// Managing acls
acl internals { 127.0.0.0/8; 192.168.0.0/24; };

options {
   directory "/var/cache/bind";
   version "";
   masterfile-format text;
   notify no;
   empty-zones-enable no;
   auth-nxdomain yes;
   allow-transfer { none; };

   dnssec-validation no;
   //dnssec-enable no; (obsolete)
   //dnssec-lookaside no; (obsolete)

   // If you only use IPv4
   listen-on-v6 { none; };

   // Listen on these IP numbers
   listen-on port 53 { 192.168.0.8; 127.0.0.1; };

   // Added Per Debian buster Bind9
   // Due to : resolver: info: resolver priming query complete messages in the logs
   // See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
   minimal-responses yes;

   // Add any subnets or hosts you want to allow to use this DNS server
   allow-query { "internals"; };
   allow-query-cache { "internals"; };

   // Add any subnets or hosts you want to allow to use recursive queries
   recursion yes;
   allow-recursion { "internals"; };

   // If there is a firewall between you and nameservers you want
   // to talk to, you may need to fix the firewall to allow multiple
   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

   // If your ISP provided one or more IP addresses for stable
   // nameservers, you probably want to use them as forwarders.
   // Uncomment the following block, and insert the addresses replacing
   // the all-0's placeholder.

   // forwarders {
   //    0.0.0.0;
   // };

   include "/etc/bind/named.conf.fwd";

   //========================================================================
   // If BIND logs error messages about the root key being expired,
   // you will need to update your keys.  See https://www.isc.org/bind-keys
   //========================================================================

   // https://wiki.samba.org/index.php/Dns-backend_bind
   // DNS dynamic updates via Kerberos (optional, but recommended)
   // ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
   // or AFTER upgrading your dns from internal to bind9_dlz
   // Before Samba 4.9.0
   // tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
   // From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
   tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

};

named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the Samba dlopen (Bind DLZ) module
include "/var/lib/samba/bind-dns/named.conf";

 

 

 

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
Sent: Friday 5 March 2021 5:29
To: samba at lists.samba.org
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down

 

 

 

On 3/4/21 1:46 PM, Rowland penny via samba wrote:
On 04/03/2021 17:39, Dale via samba wrote:

I'm very open to suggestions.

OK, I tested this on my small domain, from an rpi running 4.13.4. I
did not change anything except for resolv.conf, which I changed to this:

# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
# round robin nameservers
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6

I commented 'rotate' because it round robins nameservers, something I
didn't want to happen.

Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is
dc4.samdom.example.com

Ran this command on the rpi:

time host -v -t SRV _ldap._tcp.samdom.example.com.

And got this output:

Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.

;; AUTHORITY SECTION:
samdom.example.com.    900    IN    NS    dc4.samdom.example.com.
samdom.example.com.    900    IN    NS    dc01.samdom.example.com.

;; ADDITIONAL SECTION:
dc4.samdom.example.com.    900    IN    A    192.168.0.6
dc01.samdom.example.com. 900    IN    A    192.168.0.8

Received 192 bytes from 192.168.0.8#53 in 78 ms

real    0m0.153s
user    0m0.038s
sys     0m0.038s

So far, so good.

 

I then turned off bind9 on dc01 and ran the command again, this time
the output was:

Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.

Received 132 bytes from 192.168.0.6#53 in 6 ms

real    0m1.074s
user    0m0.031s
sys     0m0.041s

As you can see, this time dc4 replied and fairly quickly.

I think you may have missing or incorrect records for DC2, I will try
and come up with something to check your records.

Rowland

 

Running the same commands that you did, I have good news and what I
think might be bad news.

Good - Using the resolv.conf options values that you have (no rotate), I
was able to log into other member servers fairly quickly.  A "getent
user" took a little longer, but was acceptable.
Bad - Running the "time host..." command that you used returns only 2
sections, QUESTION and ANSWER.  There is no AUTHORITY or ADDITIONAL
section.  I don't know how essential that is.

Client resolv.conf
The client is LMDE4 and Samba is 4.13.4 from Louis' repo.
[I get consistent values from resolvconf by editing
/etc/resolvconf/resolv.conf.d/base to get the values shown below in
/etc/resolv.conf.]

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.7
nameserver 192.168.0.8
search workgroup.realm.tld
options timeout:2
options attempts:1

Both DCs on the network
Trying "_ldap._tcp.workgroup.realm.tld"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48104
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.workgroup.realm.tld.   IN SRV

;; ANSWER SECTION:
_ldap._tcp.workgroup.realm.tld.   900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
_ldap._tcp.workgroup.realm.tld.   900 IN SRV 0 100 389 dc2.workgroup.realm.tld.

Received 158 bytes from 192.168.0.7#53 in 6 ms

real   0m0.025s
user   0m0.010s
sys    0m0.010s

Ethernet cable unplugged from DC1
Trying "_ldap._tcp.workgroup.realm.tld"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.workgroup.realm.tld.   IN SRV

;; ANSWER SECTION:
_ldap._tcp.workgroup.realm.tld.   900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
_ldap._tcp.workgroup.realm.tld.   900 IN SRV 0 100 389 dc2.workgroup.realm.tld.

Received 158 bytes from 192.168.0.8#53 in 8 ms

real   0m1.032s
user   0m0.020s
sys    0m0.005s

So, failover appears to be acceptably working now, but I can't explain
the lack of two sections in the first "time host..." command results.

 

Dale
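Editor's note on the open question in the thread: BIND's `minimal-responses yes`, which both posted named.conf.options files set, makes named leave the AUTHORITY and ADDITIONAL sections out of a response unless they are required, so an answer that carries only QUESTION and ANSWER is the documented behaviour of such a server and does not by itself point to a record problem. What does matter for failover is that every DC serves the same `_ldap._tcp` SRV set, which is the check Rowland said he would come up with. The Python script below is an added example, not code from the thread or from Samba: it runs `host -v -t SRV _ldap._tcp.<realm>. <dc-ip>` against each DC in turn (assuming the `host` tool from the bind9 utilities is installed), parses the verbose output, and reports per DC which SRV targets are missing compared with the expected set, which targets lack glue in the ADDITIONAL section, whether the answer was minimal, and which server actually answered. The two embedded sample outputs are constructed: the first is modelled on the full answer Rowland pasted, the second is an invented minimal answer from a DC whose zone copy lacks the dc2 record, to show the failure mode he suspected.

```python
"""Added example (not Samba's code): ask each DC directly for the _ldap._tcp
SRV record, parse the `host -v` output and compare what the DCs serve."""
import re
import subprocess
import sys

HEADER_RE = re.compile(r"^;; flags: (?P<flags>[^;]*); QUERY: (?P<q>\d+), ANSWER: (?P<an>\d+),"
                       r" AUTHORITY: (?P<ns>\d+), ADDITIONAL: (?P<ar>\d+)")
SRV_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
                    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$")
A_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+A\s+(?P<addr>\S+)$")
RECV_RE = re.compile(r"^Received \d+ bytes from (?P<server>[^#\s]+)#\d+")


def parse_host_output(text):
    """Return header flags and counts, the section names present, the SRV
    targets answered, glue A records and the address of the answering server."""
    p = {"flags": [], "counts": {}, "sections": [], "srv": [], "glue": {}, "server": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            p["flags"] = m.group("flags").split()
            p["counts"] = {"QUERY": int(m.group("q")), "ANSWER": int(m.group("an")),
                           "AUTHORITY": int(m.group("ns")), "ADDITIONAL": int(m.group("ar"))}
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]
            p["sections"].append(section)
        elif m := RECV_RE.match(line):
            p["server"] = m.group("server")
        elif section == "ANSWER" and (m := SRV_RE.match(line)):
            p["srv"].append((int(m.group("prio")), int(m.group("weight")),
                             int(m.group("port")), m.group("target").rstrip(".").lower()))
        elif section == "ADDITIONAL" and (m := A_RE.match(line)):
            p["glue"][m.group("name").rstrip(".").lower()] = m.group("addr")
    return p


def check_dc_answers(outputs_by_server, expected_dcs=None):
    """outputs_by_server maps each queried DC address to its `host -v` output;
    expected_dcs is the set of SRV targets every DC must serve (default: the
    union of everything seen). A 'minimal' answer has no AUTHORITY/ADDITIONAL
    records, which is what BIND sends when minimal-responses is yes."""
    parsed = {s: parse_host_output(t) for s, t in outputs_by_server.items()}
    targets = {s: {t for (_, _, _, t) in p["srv"]} for s, p in parsed.items()}
    expected = ({d.rstrip(".").lower() for d in expected_dcs} if expected_dcs
                else set().union(*targets.values()))
    return {s: {"answered_by": p["server"],
                "missing_srv": expected - targets[s],
                "missing_glue": targets[s] - set(p["glue"]),
                "minimal": p["counts"].get("AUTHORITY", 0) == 0
                and p["counts"].get("ADDITIONAL", 0) == 0}
            for s, p in parsed.items()}


# Constructed sample modelled on the full answer pasted in the thread
# (dc01 at 192.168.0.8 answering with AUTHORITY and ADDITIONAL sections).
SAMPLE_FULL = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.

;; AUTHORITY SECTION:
samdom.example.com.    900    IN    NS    dc4.samdom.example.com.
samdom.example.com.    900    IN    NS    dc01.samdom.example.com.

;; ADDITIONAL SECTION:
dc4.samdom.example.com.    900    IN    A    192.168.0.6
dc01.samdom.example.com. 900    IN    A    192.168.0.8

Received 192 bytes from 192.168.0.8#53 in 78 ms
"""

# Constructed (invented) sample: a minimal answer from a DC whose copy of the
# zone lacks the dc2 SRV record, the fault Rowland suspected.
SAMPLE_MISSING_DC2 = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
_ldap._tcp.workgroup.realm.tld.   900 IN SRV 0 100 389 dc1.workgroup.realm.tld.

Received 98 bytes from 192.168.0.7#53 in 8 ms
"""


def main(argv):
    """Usage: check_srv.py REALM DC_IP [DC_IP ...] (runs `host` against each DC)."""
    if len(argv) < 3:
        print(main.__doc__)
        return 2
    name = f"_ldap._tcp.{argv[1]}."
    outputs = {ip: subprocess.run(["host", "-v", "-t", "SRV", name, ip],
                                  capture_output=True, text=True).stdout for ip in argv[2:]}
    for server, finding in check_dc_answers(outputs).items():
        print(server, finding)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_srv.py workgroup.realm.tld 192.168.0.7 192.168.0.8` from the member server; a non-empty `missing_srv` for one DC means that DC's zone copy is out of step with its peer, which is exactly the condition under which a client that fails over to it cannot locate the other DC. An `answered_by` that differs from the address queried means the query was not answered by that DC at all.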

 

 
