Ole Traupe
2015-Dec-18 14:23 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 18.12.2015 at 14:56, Rowland penny wrote:
> On 18/12/15 12:07, Ole Traupe wrote:
>> On 18.12.2015 at 12:30, Rowland penny wrote:
>>> On 18/12/15 11:19, Ole Traupe wrote:
>>>> Hi Rowland,
>>>>
>>>> I am very thankful that you take the time and test all this!
>>>
>>> No problem.
>>>
>>>> Before I go and check if this is the same with my setup and possibly the problem, could you perhaps try a logon to a member server while the 1st DC is unavailable?
>>>
>>> Ah, slight problem there, as I said, this is just a couple of test DCs and there are no test domain members, you will have to bear with me whilst I create one.
>>
>> I would be very grateful, and I guess many others too.
>>
>> I heard from many sides that you should really only use bind9 in case you plan a more complicated setup. Until now I thought that having 2 DCs wasn't considered as such.
>
> Hi Ole, would you like to know how to set up bind9? Or to put it another way, you cannot login via ssh to a domain member if the first DC goes down when you are using the internal dns server. If you use bind9, you can login, although there is a bit of a lag.
>
> Rowland

Hi Rowland,

yes, I would like to know how to migrate. But before that: are you 100% sure that this is the problem? Before having tested it?

How much lag?

Ole
Rowland penny
2015-Dec-18 14:42 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 18/12/15 14:23, Ole Traupe wrote:
> On 18.12.2015 at 14:56, Rowland penny wrote:
>> On 18/12/15 12:07, Ole Traupe wrote:
>>> On 18.12.2015 at 12:30, Rowland penny wrote:
>>>> On 18/12/15 11:19, Ole Traupe wrote:
>>>>> Hi Rowland,
>>>>>
>>>>> I am very thankful that you take the time and test all this!
>>>>
>>>> No problem.
>>>>
>>>>> Before I go and check if this is the same with my setup and possibly the problem, could you perhaps try a logon to a member server while the 1st DC is unavailable?
>>>>
>>>> Ah, slight problem there, as I said, this is just a couple of test DCs and there are no test domain members, you will have to bear with me whilst I create one.
>>>
>>> I would be very grateful, and I guess many others too.
>>>
>>> I heard from many sides that you should really only use bind9 in case you plan a more complicated setup. Until now I thought that having 2 DCs wasn't considered as such.
>>
>> Hi Ole, would you like to know how to set up bind9? Or to put it another way, you cannot login via ssh to a domain member if the first DC goes down when you are using the internal dns server. If you use bind9, you can login, although there is a bit of a lag.
>>
>> Rowland
>
> Hi Rowland,
>
> yes, I would like to know how to migrate. But before that: are you 100% sure that this is the problem? Before having tested it?
>
> How much lag?
>
> Ole

Hi Ole, all I can say is that I have two DCs running in VMs, they use the internal dns server. I have joined a samba domain member (again running in a VM) to the domain. If I turn off the first DC I created, I cannot log into the domain member via ssh, but if I have both DCs running, I can. There is another problem: after I restart the first DC, I still cannot login, I had to restart Samba on all three machines before I could log into the domain member again.

With my domain that uses Bind9, I turned off the first DC and attempted to log into a domain member via ssh; after a few seconds (approx 5) it logged me in. I then exited again, restarted the first DC and tried to log in again; this time there was no lag and I logged in straight away.

Can I suggest that you do what I did, create your own small test domain in VMs using Bind9.

Rowland
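The test Rowland describes (ssh login to a member fails as soon as the first DC is off) is easier to reason about if you can see what each nameserver configured on the member actually returns for the AD DC locator record. The script below is an added example, not code from this thread or from the Samba project: using only the Python standard library, it reads the nameservers from /etc/resolv.conf, sends an SRV query for `_ldap._tcp.dc._msdcs.<realm>` to each one separately with a short timeout (the system stub resolver would fail over silently and hide which server answered), and lists which DCs every nameserver still advertises. The realm `samdom.example.com`, the DC hostnames `dc1`/`dc2` and the addresses `10.0.0.1`/`10.0.0.2` are placeholders, and `build_srv_response` exists only so the parser can be exercised offline on a constructed reply.

```python
#!/usr/bin/env python3
"""Ask each nameserver on a domain member, one at a time, which DCs it
advertises in the AD DC locator SRV record.  Standard library only.
REALM, the DC hostnames and the demo addresses are assumptions."""
import socket
import struct

REALM = "samdom.example.com"            # assumption: your AD DNS domain
SRV_NAME = f"_ldap._tcp.dc._msdcs.{REALM}"
QTYPE_SRV = 33

def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    """Single-question SRV query, RD=1 (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, 1)

def build_srv_response(name, records, txid=0x1234) -> bytes:
    """Constructed reply (QR/RD/RA set, rcode 0), used only so the parser
    can be exercised offline; a real DC's answer is parsed the same way."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, 1)
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        # 0xC00C: compression pointer back to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, QTYPE_SRV, 1, 600, len(rdata)) + rdata
    return msg

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_srv_response(msg: bytes):
    """Return [(priority, weight, port, target), ...] from the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):                                  # skip question(s)
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return records

def nameservers(resolv_conf_text: str):
    """Addresses from 'nameserver' lines, in the order the resolver uses them."""
    return [p[1] for p in (l.split() for l in resolv_conf_text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]

def query_each(servers, name=SRV_NAME, timeout=2.0):
    """Query every nameserver separately; the value is either the record list
    or the exception (timeout, refused, non-zero rcode) that occurred."""
    results = {}
    for ns in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_srv_query(name), (ns, 53))
                data, _ = s.recvfrom(4096)
                results[ns] = parse_srv_response(data)
            except (OSError, ValueError) as exc:
                results[ns] = exc
    return results

def discovered_dcs(results):
    """Sorted DC hostnames advertised by at least one answering nameserver."""
    hosts = set()
    for answer in results.values():
        if isinstance(answer, list):
            hosts.update(target for _, _, _, target in answer)
    return sorted(hosts)

if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:
        servers = nameservers(f.read())
    results = query_each(servers)
    for ns, answer in results.items():
        if isinstance(answer, list):
            print(f"{ns}: " + ", ".join(f"{t}:{p}" for _, _, p, t in answer))
        else:
            print(f"{ns}: no usable answer ({answer!r})")
    print("DCs reachable through at least one nameserver:", discovered_dcs(results))
```

Run it on the member with both DCs up, then again with the first DC powered off. If /etc/resolv.conf on the member only lists the first DC, or the second DC does not answer for the `_msdcs` records, the member has no way to locate a KDC or LDAP server whichever DNS backend the DCs run, so that is worth ruling out on the member itself before attributing the failure to the internal DNS server and migrating to BIND9.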
Ole Traupe
2015-Dec-18 15:27 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 18.12.2015 at 15:42, Rowland penny wrote:
> On 18/12/15 14:23, Ole Traupe wrote:
>> On 18.12.2015 at 14:56, Rowland penny wrote:
>>> On 18/12/15 12:07, Ole Traupe wrote:
>>>> On 18.12.2015 at 12:30, Rowland penny wrote:
>>>>> On 18/12/15 11:19, Ole Traupe wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I am very thankful that you take the time and test all this!
>>>>>
>>>>> No problem.
>>>>>
>>>>>> Before I go and check if this is the same with my setup and possibly the problem, could you perhaps try a logon to a member server while the 1st DC is unavailable?
>>>>>
>>>>> Ah, slight problem there, as I said, this is just a couple of test DCs and there are no test domain members, you will have to bear with me whilst I create one.
>>>>
>>>> I would be very grateful, and I guess many others too.
>>>>
>>>> I heard from many sides that you should really only use bind9 in case you plan a more complicated setup. Until now I thought that having 2 DCs wasn't considered as such.
>>>
>>> Hi Ole, would you like to know how to set up bind9? Or to put it another way, you cannot login via ssh to a domain member if the first DC goes down when you are using the internal dns server. If you use bind9, you can login, although there is a bit of a lag.
>>>
>>> Rowland
>>
>> Hi Rowland,
>>
>> yes, I would like to know how to migrate. But before that: are you 100% sure that this is the problem? Before having tested it?
>>
>> How much lag?
>>
>> Ole
>
> Hi Ole, all I can say is that I have two DCs running in VMs, they use the internal dns server. I have joined a samba domain member (again running in a VM) to the domain. If I turn off the first DC I created, I cannot log into the domain member via ssh, but if I have both DCs running, I can.

Ok, that is enough confirmation for me. Thank you very much, I highly appreciate this.

> There is another problem: after I restart the first DC, I still cannot login, I had to restart Samba on all three machines before I could log into the domain member again.

Strange, but that is different here. Do you use a different Samba version, possibly 4.3.x? I still have 4.2.5.

> With my domain that uses Bind9, I turned off the first DC and attempted to log into a domain member via ssh; after a few seconds (approx 5) it logged me in. I then exited again, restarted the first DC and tried to log in again; this time there was no lag and I logged in straight away.

This sounds promising and as expected: a short timeout due to the (preferred?) DNS server being offline.

> Can I suggest that you do what I did, create your own small test domain in VMs using Bind9.

Yes, that is a good idea. However, from what I had read before, much of it on the Samba wiki, I was expecting Samba4 to just work with multiple DCs. I still wonder why no one ever seems to have tested or questioned that (publicly). And I don't feel that I have to question something myself that is broadly recommended: use the internal DNS unless you really have to do otherwise (even by the developers, it seems). In addition, bind9 working with multiple DCs does not necessarily mean that internal DNS won't.

I would also like to state that I am a part-time admin and I can't test something for a year or so (like others) before I go into production. With Samba 4 I was rather happy to find something that won't require so much work (although it feels different now, partially due to me being more or less a newbie to unix-based systems, I guess). In any case, I would like to avoid any more unnecessary effort due to missing or misleading information (what I tried was never expected to work; and some of us have invested a lot of time to find out). That is why I asked so explicitly for your (or others') experience on that matter.

Also, it might have been that I am doing something else wrong, which might have interfered with my own experience being diagnostic of Samba internal DNS. Now I can finally stop thinking about internal DNS and what I might or might not have misconfigured.

So, how can I migrate my DNS from internal to bind with hopefully not so much effort (as opposed to creating a bunch of new DCs)? In particular: how can I avoid carrying over any misconfigurations to my new DNS?

I would be very happy about any suggestions.

Ole

> Rowland