[Samba] Samba 4 AD member loose membership after DC reboot (SOLVED)

Frank frank at si.ct.upc.edu
Fri Apr 22 07:50:11 UTC 2022


Hi everybody,

just in case someone has a similar issue, maybe this can help.

The problem was the DNS configuration and the way the DNS resolver works on Ubuntu 20.04.

The way the DNS resolver uses its DNS servers is often misunderstood. It's 
supposed that when the first DNS server goes offline, the resolver uses the next one on the 
DNS list. But how long does this change take?
And when the first DNS server comes back online, is it used again as the first 
DNS server to look up?

Well, in Ubuntu 20.04, which uses netplan by default, DNS resolution 
works in a dynamic way, and as expected. So, when the first DNS server in the 
list goes offline, within a few seconds the second one (if there is any) takes 
its place, and remains as the first, even if the previous first DNS server comes 
back online. You can see this with the "resolvectl status" command.

In my case, the first DNS server in the list was the DC, as expected, but the 
next two were global DNS servers that were unable to resolve AD queries.

So when the DC went offline, maybe just for a reboot, members took the second 
DNS server and set it as their first DNS server, even when the DC came back online. We 
thought that when the first DNS server in the list was up again it would be the 
first one used again, but that is not how it works.
That made members unable to work with the AD, unable to find any DC. 
Only a reboot of the member, or a "netplan apply", made the DC the first 
DNS server used again.

Solution: set up ONLY DCs as DNS servers on domain members. Perhaps it sounds 
obvious, but it has been a nightmare for us.

Best regards.


Francesc Bassas Serramià
Serveis Informàtics Campus Terrassa
C/ Colom 2
08222 Terrassa (Barcelona)
Phone: 93.73.98630
https://serveis.terrassa.upc.edu/sict

On 1/4/2022 at 14:00, samba-request at lists.samba.org wrote:
> Subject:
> Re: [Samba] Samba 4 AD member loose membership after DC reboot
> From:
> Rowland Penny <rpenny at samba.org>
> Date:
> 31/3/2022, 15:56
>
> To:
> samba at lists.samba.org
>
>
> On Thu, 2022-03-31 at 14:29 +0200, Frank via samba wrote:
>> Hi Rowland,
>>
>> thanks for your quick response.
>>
>> Here it is a member smb.conf:
>>
>> # Global parameters
>> [global]
>>           workgroup = UPC-CT
>>           realm = UPC-CT.UPC.EDU
>>           netbios name = RADI
>>           netbios aliases = RADI.UPC.ES RADI.UPC.EDU
> You cannot use netbios aliases on a Unix domain member, use a CNAME
> instead.
>
>>           security = ADS
>>
>>           log level = 5
>>           username map = /var/lib/samba/user.map
>>
>>           winbind enum users = yes
>>           winbind enum groups = yes
> Remove the above two lines when you are sure everything is working
> correctly, they should not be used in production.
>
>>           winbind nss info = rfc2307
>>           winbind use default domain = Yes
>>           winbind refresh tickets = yes
>>           winbind offline logon = yes
>>           winbind cache time = 60
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 100-499
>> idmap config UPC-CT:backend = ad
>> idmap config UPC-CT:schema_mode = rfc2307
>> idmap config UPC-CT:range = 500-999999
>> idmap config UPC-CT:unix_nss_info = yes
> Was this an upgrade from an NT4-style domain?
> Even if it was, your '*' range is clobbering local system users.
>
> Rowland
>
>
>
>
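Added example, not code from the thread or from the Samba project: a small POSIX sh check that a domain member's resolver only lists DC addresses, by parsing "resolvectl status" the way Frank describes above. The sample output and the DC address 192.0.2.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Flag any DNS server on a domain member that is not a DC. Every address in
# the "Current DNS Server" and "DNS Servers" entries of "resolvectl status"
# is compared against an allow-list of DC addresses.

# Constructed sample (not from the post) of what an affected Ubuntu 20.04
# member shows after its DC rebooted: the resolver switched to a public
# DNS server and kept it as the first one.
SAMPLE_RESOLVECTL='Link 2 (ens3)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 8.8.8.8
         DNS Servers: 192.0.2.10
                      8.8.8.8
                      8.8.4.4
          DNS Domain: upc-ct.upc.edu'

# Print every configured or in-use DNS server address, one per line.
# "DNS Servers:" may list addresses on its own line or on indented
# continuation lines that carry only an address (NF == 1), IPv6 included.
dns_servers_from_status() {
    printf '%s\n' "$1" | awk '
        /Current DNS Server:/ { sub(/.*Current DNS Server:[ \t]*/, ""); print; next }
        /DNS Servers:/ { sub(/.*DNS Servers:[ \t]*/, "")
                         for (i = 1; i <= NF; i++) print $i
                         inlist = 1; next }
        inlist && NF == 1 { print $1; next }
        { inlist = 0 }
    ' | sort -u
}

# Report each DNS server not in the DC allow-list ($2, space-separated).
# Returns 0 when all servers are DCs, 1 when a non-DC server is present.
check_member_dns() {
    status="$1"; dcs=" $2 "; bad=0
    for ip in $(dns_servers_from_status "$status"); do
        case "$dcs" in
            *" $ip "*) ;;
            *) echo "non-DC DNS server configured: $ip"; bad=1 ;;
        esac
    done
    return $bad
}

# On a live member, run against the real resolver state, e.g.:
#   check_member_dns "$(resolvectl status)" "192.0.2.10"
check_member_dns "$SAMPLE_RESOLVECTL" "192.0.2.10"
```

Running it from cron or a monitoring check catches a member that has silently drifted to a public resolver before logons start failing.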