[Samba] Domain member cannot authenticate when first domain controller is down
Jake Black
jblack at xes-inc.com
Mon Mar 8 15:20:03 UTC 2021
This thread is already pretty long and so I'm not sure if this has been looked at yet, but my linux clients would experience this same issue unless I made sure to replicate idmappings on a new DC after it was joined:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
Jake
From: "Jason Keltz" <jas at eecs.yorku.ca>
To: "Dale" <samba at txschroeder.family>
Cc: samba at lists.samba.org
Sent: Wednesday, March 3, 2021 10:14:07 AM
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
Hi Dale/Josh,
I had opened a ticket about this issue back in December (at least I
think this is similar):
https://bugzilla.samba.org/show_bug.cgi?id=14597
I consider failover to be very important. Unfortunately, the Samba
developers haven't had time to work on it. I've had a few users email
me over the course of the last months stating similar problems. Maybe
you or anyone else who has the problem might add a similar "me too" to
the bug so that the information is all available when the developers do
have time to work on it, and we can all benefit.
I suppose there's still a benefit to having multiple DC for load
balancing. However, yes, when the DC goes out, in my experience,
there's definately trouble.
Jason.
On 3/3/2021 10:25 AM, Dale via samba wrote:
> Josh, I don't have the answer to your question, but if you ever figure
> it out, I would like to know the answer, too.
>
> The 2nd DC that I built has been of very little use. While building,
> it passed all the tests in the wiki. After building, I found some DNS
> entries that were not created during the join. Rowland kindly helped
> me add and/or edit the affected entries, and I hoped for better
> results. However, it was not to be. If the 1st DC is removed from
> the network, any kind of login or getent is interminably long or times
> out. So, while I easily see the theoretical value of having multiple
> DC's, I'm having trouble seeing the actual, practical benefit of
> having them. There is no instant failover, and often times, there is
> complete failure of necessary AD functions. While it's certainly
> possible the problem could be me, I cannot troubleshoot what the
> problem is.
>
> Dale
>
>
> On 3/1/21 6:25 PM, Josh T via samba wrote:
>> Further fiddling with this has shown something strange. If I enter my
>> username and password in an attempt to authenticate a domain user, it
>> will take 60+ seconds for it to fail to log in. However, during said
>> 60+ seconds, if I log in via SSH as a non-domain user, then the
>> domain user login succeeds. What could cause that?
>>
>>
>> ________________________________
>> From: Roy Eastwood <spindles7 at gmail.com>
>> Sent: Saturday, February 27, 2021 1:27 AM
>> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org
>> <samba at lists.samba.org>
>> Subject: Re: [Samba] Domain member cannot authenticate when first
>> domain controller is down
>>
>>
>>
>> On 27 February 2021 03:35 Josh T wrote:
>>> //Problem:
>>> I am unable to authenticate a domain user on a Samba domain member
>>> while the
>>> first Samba directory controller DC1 is powered off and the second
>>> Samba
>>> directory controller DC2 is powered on.
>>>
>>> While DC1 is powered on, I can log in as a domain user with no
>>> problems. While
>>> DC1 is powered off, attempting to log in usually results in waiting 60+
>> seconds
>>> followed by a login failure message. If I had already logged in
>>> prior to
>> powering
>>> off DC1, then I can see the same long delay and authentication
>>> failures when
>>> entering my sudo password. Intermittently I can sometimes manage to
>>> log in
>>> while DC1 is powered off, but there is still the 60+ second delay; I
>>> haven't
>> been
>>> able to link this intermittent behavior to any of my own
>>> troubleshooting
>> actions.
>>> In any case, a 60+ second delay is undesirable.
>>>
>>> //Environment description:
>>> The first Samba domain controller DC1 was created following these
>>> instructions
>>> on the Samba wiki:
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_
>>>
>>> Domain_Controller
>>> It was provisioned using the command "samba-tool domain provision
>>> --use-
>>> rfc2307 --interactive".
>>> The BIND9_DLZ DNS backend was selected during provisioning.
>>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>>>
>>> The second Samba domain controller DC2 was created following these
>>> instructions on the Samba wiki:
>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active
>>>
>>> _Directory
>>> It was joined using the command "samba-tool domain join
>>> my.domain.tld --dns-
>>> backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
>> The above is missing the letters "DC" in the command line. This may
>> be the
>> issue.
>>
>> HTH
>>
>> Roy
>>
>>
>>
>>
>
>
More information about the samba
mailing list