[Samba] Domain member cannot authenticate when first domain controller is down

Dale samba at txschroeder.family
Tue Mar 9 03:42:38 UTC 2021


Jake,

I can't speak for the others in this thread, but I can vouch that I did 
do the replication.

Thanks,
Dale

On 3/8/21 9:20 AM, Jake Black via samba wrote:
> This thread is already pretty long and so I'm not sure if this has been looked at yet, but my Linux clients would experience this same issue unless I made sure to replicate idmappings on a new DC after it was joined:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
>
> Jake
>
>
> From: "Jason Keltz" <jas at eecs.yorku.ca>
> To: "Dale" <samba at txschroeder.family>
> Cc: samba at lists.samba.org
> Sent: Wednesday, March 3, 2021 10:14:07 AM
> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>
> Hi Dale/Josh,
>
> I had opened a ticket about this issue back in December (at least I
> think this is similar):
>
> https://bugzilla.samba.org/show_bug.cgi?id=14597
>
> I consider failover to be very important. Unfortunately, the Samba
> developers haven't had time to work on it. I've had a few users email
> me over the course of the last months stating similar problems. Maybe
> you or anyone else who has the problem might add a similar "me too" to
> the bug so that the information is all available when the developers do
> have time to work on it, and we can all benefit.
>
> I suppose there's still a benefit to having multiple DC for load
> balancing. However, yes, when the DC goes out, in my experience,
> there's definitely trouble.
>
> Jason.
>
> On 3/3/2021 10:25 AM, Dale via samba wrote:
>> Josh, I don't have the answer to your question, but if you ever figure
>> it out, I would like to know the answer, too.
>>
>> The 2nd DC that I built has been of very little use. While building,
>> it passed all the tests in the wiki. After building, I found some DNS
>> entries that were not created during the join. Rowland kindly helped
>> me add and/or edit the affected entries, and I hoped for better
>> results. However, it was not to be. If the 1st DC is removed from
>> the network, any kind of login or getent is interminably long or times
>> out. So, while I easily see the theoretical value of having multiple
>> DC's, I'm having trouble seeing the actual, practical benefit of
>> having them. There is no instant failover, and often times, there is
>> complete failure of necessary AD functions. While it's certainly
>> possible the problem could be me, I cannot troubleshoot what the
>> problem is.
>>
>> Dale
>>
>>
>> On 3/1/21 6:25 PM, Josh T via samba wrote:
>>> Further fiddling with this has shown something strange. If I enter my
>>> username and password in an attempt to authenticate a domain user, it
>>> will take 60+ seconds for it to fail to log in. However, during said
>>> 60+ seconds, if I log in via SSH as a non-domain user, then the
>>> domain user login succeeds. What could cause that?
>>>
>>>
>>> ________________________________
>>> From: Roy Eastwood <spindles7 at gmail.com>
>>> Sent: Saturday, February 27, 2021 1:27 AM
>>> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org
>>> <samba at lists.samba.org>
>>> Subject: Re: [Samba] Domain member cannot authenticate when first
>>> domain controller is down
>>>
>>>
>>>
>>> On 27 February 2021 03:35 Josh T wrote:
>>>> //Problem:
>>>> I am unable to authenticate a domain user on a Samba domain member
>>>> while the first Samba directory controller DC1 is powered off and the
>>>> second Samba directory controller DC2 is powered on.
>>>>
>>>> While DC1 is powered on, I can log in as a domain user with no
>>>> problems. While DC1 is powered off, attempting to log in usually
>>>> results in waiting 60+ seconds followed by a login failure message.
>>>> If I had already logged in prior to powering off DC1, then I can see
>>>> the same long delay and authentication failures when entering my sudo
>>>> password. Intermittently I can sometimes manage to log in while DC1
>>>> is powered off, but there is still the 60+ second delay; I haven't
>>>> been able to link this intermittent behavior to any of my own
>>>> troubleshooting actions.
>>>> In any case, a 60+ second delay is undesirable.
>>>>
>>>> //Environment description:
>>>> The first Samba domain controller DC1 was created following these
>>>> instructions on the Samba wiki:
>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>>> It was provisioned using the command "samba-tool domain provision
>>>> --use-rfc2307 --interactive".
>>>> The BIND9_DLZ DNS backend was selected during provisioning.
>>>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>>>>
>>>> The second Samba domain controller DC2 was created following these
>>>> instructions on the Samba wiki:
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>>> It was joined using the command "samba-tool domain join
>>>> my.domain.tld --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
>>> The above is missing the letters "DC" in the command line. This may
>>> be the
>>> issue.
>>>
>>> HTH
>>>
>>> Roy
>>>
>>>
>>>
>>>
>>
