[Samba] Domain member cannot authenticate when first domain controller is down

Jake Black jblack at xes-inc.com
Mon Mar 8 15:20:03 UTC 2021 

This thread is already pretty long and so I'm not sure if this has been looked at yet, but my linux clients would experience this same issue unless I made sure to replicate idmappings on a new DC after it was joined: 

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings 

Jake 


From: "Jason Keltz" <jas at eecs.yorku.ca> 
To: "Dale" <samba at txschroeder.family> 
Cc: samba at lists.samba.org 
Sent: Wednesday, March 3, 2021 10:14:07 AM 
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down 

Hi Dale/Josh, 

I had opened a ticket about this issue back in December (at least I 
think this is similar): 

https://bugzilla.samba.org/show_bug.cgi?id=14597 

I consider failover to be very important. Unfortunately, the Samba 
developers haven't had time to work on it. I've had a few users email 
me over the course of the last months stating similar problems. Maybe 
you or anyone else who has the problem might add a similar "me too" to 
the bug so that the information is all available when the developers do 
have time to work on it, and we can all benefit. 

I suppose there's still a benefit to having multiple DC for load 
balancing. However, yes, when the DC goes out, in my experience, 
there's definately trouble. 

Jason. 

On 3/3/2021 10:25 AM, Dale via samba wrote: 
> Josh, I don't have the answer to your question, but if you ever figure 
> it out, I would like to know the answer, too. 
> 
> The 2nd DC that I built has been of very little use. While building, 
> it passed all the tests in the wiki. After building, I found some DNS 
> entries that were not created during the join. Rowland kindly helped 
> me add and/or edit the affected entries, and I hoped for better 
> results. However, it was not to be. If the 1st DC is removed from 
> the network, any kind of login or getent is interminably long or times 
> out. So, while I easily see the theoretical value of having multiple 
> DC's, I'm having trouble seeing the actual, practical benefit of 
> having them. There is no instant failover, and often times, there is 
> complete failure of necessary AD functions. While it's certainly 
> possible the problem could be me, I cannot troubleshoot what the 
> problem is. 
> 
> Dale 
> 
> 
> On 3/1/21 6:25 PM, Josh T via samba wrote: 
>> Further fiddling with this has shown something strange. If I enter my 
>> username and password in an attempt to authenticate a domain user, it 
>> will take 60+ seconds for it to fail to log in. However, during said 
>> 60+ seconds, if I log in via SSH as a non-domain user, then the 
>> domain user login succeeds. What could cause that? 
>> 
>> 
>> ________________________________ 
>> From: Roy Eastwood <spindles7 at gmail.com> 
>> Sent: Saturday, February 27, 2021 1:27 AM 
>> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org 
>> <samba at lists.samba.org> 
>> Subject: Re: [Samba] Domain member cannot authenticate when first 
>> domain controller is down 
>> 
>> 
>> 
>> On 27 February 2021 03:35 Josh T wrote: 
>>> //Problem: 
>>> I am unable to authenticate a domain user on a Samba domain member 
>>> while the 
>>> first Samba directory controller DC1 is powered off and the second 
>>> Samba 
>>> directory controller DC2 is powered on. 
>>> 
>>> While DC1 is powered on, I can log in as a domain user with no 
>>> problems. While 
>>> DC1 is powered off, attempting to log in usually results in waiting 60+ 
>> seconds 
>>> followed by a login failure message. If I had already logged in 
>>> prior to 
>> powering 
>>> off DC1, then I can see the same long delay and authentication 
>>> failures when 
>>> entering my sudo password. Intermittently I can sometimes manage to 
>>> log in 
>>> while DC1 is powered off, but there is still the 60+ second delay; I 
>>> haven't 
>> been 
>>> able to link this intermittent behavior to any of my own 
>>> troubleshooting 
>> actions. 
>>> In any case, a 60+ second delay is undesirable. 
>>> 
>>> //Environment description: 
>>> The first Samba domain controller DC1 was created following these 
>>> instructions 
>>> on the Samba wiki: 
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_ 
>>> 
>>> Domain_Controller 
>>> It was provisioned using the command "samba-tool domain provision 
>>> --use- 
>>> rfc2307 --interactive". 
>>> The BIND9_DLZ DNS backend was selected during provisioning. 
>>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command. 
>>> 
>>> The second Samba domain controller DC2 was created following these 
>>> instructions on the Samba wiki: 
>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active 
>>> 
>>> _Directory 
>>> It was joined using the command "samba-tool domain join 
>>> my.domain.tld --dns- 
>>> backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'". 
>> The above is missing the letters "DC" in the command line. This may 
>> be the 
>> issue. 
>> 
>> HTH 
>> 
>> Roy 
>> 
>> 
>> 
>> 
> 
>

More information about the samba mailing list