Ole Traupe
2015-Dec-18  15:27 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 18.12.2015 at 15:42 Rowland penny wrote:
> On 18/12/15 14:23, Ole Traupe wrote:
>> On 18.12.2015 at 14:56 Rowland penny wrote:
>>> On 18/12/15 12:07, Ole Traupe wrote:
>>>> On 18.12.2015 at 12:30 Rowland penny wrote:
>>>>> On 18/12/15 11:19, Ole Traupe wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I am very thankful, that you take the time and test all this!
>>>>>
>>>>> No problem.
>>>>>
>>>>>> Before I go and check if this is the same with my setup and
>>>>>> possibly the problem, could you perhaps try a logon to a member
>>>>>> server, while the 1st DC is unavailable?
>>>>>
>>>>> Ah, slight problem there, as I said, this is just a couple of test
>>>>> DCs and there are no test domain members, you will have to bear
>>>>> with me whilst I create one.
>>>>
>>>> I would be very grateful, and I guess many others too.
>>>>
>>>> I heard from many sides that you should really only use bind9 in
>>>> case you plan a more complicated setup. Until now I thought that
>>>> having 2 DCs wasn't considered as such.
>>>
>>> Hi Ole, Would you like to know how to set up bind9 ? or to put it
>>> another way, you cannot login via ssh to a domain member if the
>>> first DC goes down when you are using the internal dns server. If
>>> you use bind9, you can login, although there is a bit of a lag.
>>>
>>> Rowland
>>
>> Hi Rowland,
>>
>> yes, I would like to know how to migrate. But before that: are you
>> 100% sure that this is the problem? Before having tested it?
>>
>> How much lag?
>>
>> Ole
>
> Hi Ole, all I can say is that I have two DCs running in VMs, they use
> the internal dns server. I have joined a samba domain member (again
> running in a VM) to the domain. If I turn off the first DC I created,
> I cannot log into the domain member via ssh, but if I have both DCs
> running, I can.

Ok, that is enough confirmation for me. Thank you very much, I highly
appreciate this.

> There is another problem, after I restart the first DC, I still cannot
> login, I had to restart Samba on all three machines before I could log
> into the domain member again.

Strange, but that is different here. Do you use a different Samba
version, possibly 4.3.x? I still have 4.2.5.

> With my domain that uses Bind9, I turned off the first DC and
> attempted to log into a domain member via ssh, after a few seconds
> (approx 5) it logged me in, I then exited again, restarted the first
> DC again and tried to log in again, this time there was no lag and I
> logged in straight away.

This sounds promising and as expected: a short timeout due to the
(preferred?) DNS server being offline.

> Can I suggest that you do what I did, create your own small test
> domain in VMs using Bind9

Yes, that is a good idea. However, from what I had read before, much of
it on the Samba wiki, I was expecting Samba4 to just work with multiple
DCs. I still wonder why no one ever seems to have tested or questioned
that (publicly). And I don't feel that I have to question something
myself that is broadly recommended: use the internal DNS unless you
really have to do otherwise (even by the developers, it seems). In
addition, bind9 working with multiple DC's does not necessarily mean
that internal DNS won't.

I also feel the need to state that I am a part-time admin and I can't
test something for a year or so (like others) before I go into
production. With Samba 4 I was rather happy to find something that
won't require so much work (although it feels differently now,
partially due to me being more or less a newbie to unix-based systems,
I guess).

In any way, I would like to avoid any more unnecessary effort due to
missing or misleading information (what I tried was never expected to
work; and some of us have invested a lot of time to find out). That is
why I asked so explicitly for your (or others') experience on that
matter. Also, it might have been, that I am doing something else wrong,
which might have interfered with my own experience being diagnostic of
Samba internal DNS.

--

Now I can finally stop thinking about internal DNS anymore and what
might or might not have been misconfigured.

So, how can I migrate my DNS from internal to bind with hopefully not
so much effort (as to create a bunch of new DCs)? In particular: how
can I avoid carrying over any mis-configurations to my new DNS?

I would be very happy about any suggestions.

Ole

> Rowland
Rowland penny
2015-Dec-18  16:04 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 18/12/15 15:27, Ole Traupe wrote:
> On 18.12.2015 at 15:42 Rowland penny wrote:
>> Hi Ole, all I can say is that I have two DCs running in VMs, they use
>> the internal dns server. I have joined a samba domain member (again
>> running in a VM) to the domain. If I turn off the first DC I created,
>> I cannot log into the domain member via ssh, but if I have both DCs
>> running, I can.
>
> Ok, that is enough confirmation for me. Thank you very much, I highly
> appreciate this.
>
>> There is another problem, after I restart the first DC, I still
>> cannot login, I had to restart Samba on all three machines before I
>> could log into the domain member again.
>
> Strange, but that is different here. Do you use a different Samba
> version, possibly 4.3.x? I still have 4.2.5.

This is with 4.1.17 from wheezy backports, though as far as I know the
dns server part of Samba hasn't changed much since.

>> With my domain that uses Bind9, I turned off the first DC and
>> attempted to log into a domain member via ssh, after a few seconds
>> (approx 5) it logged me in, I then exited again, restarted the first
>> DC again and tried to log in again, this time there was no lag and I
>> logged in straight away.
>
> This sounds promising and as expected: a short timeout due to the
> (preferred?) DNS server being offline.
>
>> Can I suggest that you do what I did, create your own small test
>> domain in VMs using Bind9
>
> Yes, that is a good idea. However, from what I had read before, much
> of it on the Samba wiki, I was expecting Samba4 to just work with
> multiple DCs. I still wonder why no one ever seems to have tested or
> questioned that (publicly). And I don't feel that I have to question
> something myself that is broadly recommended: use the internal DNS
> unless you really have to do otherwise (even by the developers, it
> seems). In addition, bind9 working with multiple DC's does not
> necessarily mean that internal DNS won't.

I am going to discuss this with Marc and the rest of the team, like
you, I am surprised that nobody has raised this before. I have always
used Samba with Bind9, so was unaware of this possible problem, it only
came to a head for me when you mentioned it. I then found I only had
one NS record in the SOA and this led to where we are now.

> I also feel the need to state that I am a part-time admin and I can't
> test something for a year or so (like others) before I go into
> production. With Samba 4 I was rather happy to find something that
> won't require so much work (although it feels differently now,
> partially due to me being more or less a newbie to unix-based
> systems, I guess).

It doesn't need much looking after, once you have got it up and
running :-)

Rowland

> In any way, I would like to avoid any more unnecessary effort due to
> missing or misleading information (what I tried was never expected to
> work; and some of us have invested a lot of time to find out). That is
> why I asked so explicitly for your (or others') experience on that
> matter. Also, it might have been, that I am doing something else
> wrong, which might have interfered with my own experience being
> diagnostic of Samba internal DNS.
>
> --
>
> Now I can finally stop thinking about internal DNS anymore and what
> might or might not have been misconfigured.
>
> So, how can I migrate my DNS from internal to bind with hopefully not
> so much effort (as to create a bunch of new DCs)? In particular: how
> can I avoid carrying over any mis-configurations to my new DNS?
>
> I would be very happy about any suggestions.
>
> Ole
>
>> Rowland
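Rowland's finding above, that only one NS record was published for the zone, is the kind of condition an admin with two DCs wants to check for before a DC outage reveals it. The following script is an added example and not code from this thread or from the Samba project: it parses a constructed dig-style NS answer and a constructed resolv.conf from a domain member, and reports any DC that is not published as an NS for the AD zone and any member that has no second DC to fall back to. The zone name `samdom.example.com`, the DC names and addresses are assumptions for the example.

```python
"""Check that every AD DC is published as an NS record for the AD zone,
and that a domain member's resolver lists more than one DC.

Added example, not part of the mailing-list thread or of Samba itself.
"""

import re

# Constructed sample: what `dig +noall +answer NS samdom.example.com`
# could print for a zone where only the first DC registered an NS record.
SAMPLE_NS_ANSWER = """\
samdom.example.com.   900   IN   NS   dc1.samdom.example.com.
"""

# Constructed sample: a domain member's resolv.conf pointing at one DC only.
SAMPLE_RESOLV_CONF = """\
search samdom.example.com
nameserver 192.168.1.1
"""

# Constructed: the DCs the admin believes exist, with their addresses.
EXPECTED_DCS = {
    "dc1.samdom.example.com": "192.168.1.1",
    "dc2.samdom.example.com": "192.168.1.2",
}

# Zone-file style record: <owner> <ttl> IN NS <target>
NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$", re.IGNORECASE)


def parse_ns_records(answer_text):
    """Return the set of NS target hostnames (lower-case, no trailing dot)."""
    targets = set()
    for line in answer_text.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            targets.add(m.group(2).rstrip(".").lower())
    return targets


def missing_ns_records(answer_text, expected_dcs):
    """Sorted list of DCs that are not published as NS for the zone."""
    published = parse_ns_records(answer_text)
    return sorted(dc for dc in expected_dcs if dc.lower() not in published)


def parse_nameservers(resolv_text):
    """Return the nameserver addresses listed in a resolv.conf, in order."""
    servers = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolver_has_fallback(resolv_text, expected_dcs):
    """True if the member lists at least two DC addresses as nameservers."""
    listed = set(parse_nameservers(resolv_text))
    dc_addrs = set(expected_dcs.values())
    return len(listed & dc_addrs) >= 2


def report(answer_text, resolv_text, expected_dcs):
    """Collect human-readable findings; an empty list means both checks pass."""
    findings = []
    for dc in missing_ns_records(answer_text, expected_dcs):
        findings.append(
            f"no NS record for {dc}: resolvers will not treat it as "
            f"authoritative for the zone")
    if not resolver_has_fallback(resolv_text, expected_dcs):
        findings.append(
            "resolv.conf lists fewer than two DCs: no DNS fallback when "
            "the first DC is down")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_NS_ANSWER, SAMPLE_RESOLV_CONF, EXPECTED_DCS):
        print("WARNING:", finding)
```

On a real domain the two inputs would come from `dig +noall +answer NS <zone>` against each DC in turn and from `/etc/resolv.conf` on each member; running the query against every DC separately also shows whether the DCs disagree about the zone contents.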
Ole Traupe
2015-Dec-22  10:44 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>> Can I suggest that you do what I did, create your own small test
>>> domain in VMs using Bind9
>>
>> Yes, that is a good idea. However, from what I had read before, much
>> of it on the Samba wiki, I was expecting Samba4 to just work with
>> multiple DCs. I still wonder why no one ever seems to have tested or
>> questioned that (publicly). And I don't feel that I have to question
>> something myself that is broadly recommended: use the internal DNS
>> unless you really have to do otherwise (even by the developers, it
>> seems). In addition, bind9 working with multiple DC's does not
>> necessarily mean that internal DNS won't.
>
> I am going to discuss this with Marc and the rest of the team, like
> you, I am surprised that nobody has raised this before. I have always
> used Samba with Bind9, so was unaware of this possible problem, it
> only came to a head for me when you mentioned it. I then found I only
> had one NS record in the SOA and this led to where we are now.

Hi Rowland,

Again: thanks a lot for your support.

Merry Christmas and good holidays to the list!

Ole

>> I also feel the need to state that I am a part-time admin and I can't
>> test something for a year or so (like others) before I go into
>> production. With Samba 4 I was rather happy to find something that
>> won't require so much work (although it feels differently now,
>> partially due to me being more or less a newbie to unix-based
>> systems, I guess).
>
> It doesn't need much looking after, once you have got it up and
> running :-)
>
> Rowland