samba - Feb 2020 - Failover DC did not work when Main DC failed

On 01/02/2020 15:10, Rowland penny via samba wrote:
> Not really, all Samba AD DC's are global catalogs ;-)
Ah, OK... so we don't need to worry about that then?

-- 

Paul Littlefield

Telephone: 07801 125705
Email: info at paully.co.uk
Wiki: http://wiki.indie-it.com/wiki/Special:AllPages
LinkedIn: https://www.linkedin.com/in/paullittlefield

Paul Littlefield is environmentally responsible. Please consider the environment
before printing this email. This email and any attachment is intended for the
named addressee only, or person authorised to receive it on their behalf. The
content should be treated as confidential and the recipient may not disclose
this message or any attachment to anyone else without authorisation. If this
transmission is received in error please notify the sender immediately and
delete this message from your email system. All electronic transmissions to and
from me are recorded and may be monitored. Finally, the recipient should check
this email and any attachments for viruses. Paul Littlefield accepts no
liability for any damage caused by any virus transmitted by this email.

Ubuntu 18.04.3 LTS (x86_64)

Tmesis is a linguistic phenomenon in which a word or phrase is separated into
two parts, with other words interrupting between them... well,
abso-blooming-lutely.

Unless it's _not_ a global catalog.  Check your SRV records again, there
should be corresponding "_gc" records (similar to "_ldap")
for each DC.

So, based upon the link/graphic I posted earlier:
* either your 2nd DC isn't being returned as a part of DNS lookups
* or that 2nd DC isn't responding to queries for authentication
* or the client isn't storing/retrieving the 2nd DC's availability for
future lookups
** could be related to DNS? storage via registry-equivalents? no idea here,
but putting it as "client side"

FWIW, I checked my file server (winbind, not sssd):
* checked the logonserver (which DC it was authenticating against)
* stopped samba on that DC
* checked logonserver again -- and it had switched to a different one.  So
4.10 Louis winbind works (for me).

Kris Lou
klou at themusiclink.net


On Sat, Feb 1, 2020 at 8:23 AM Paul Littlefield via samba <
samba at lists.samba.org> wrote:
> On 01/02/2020 15:10, Rowland penny via samba wrote:
> > Not really, all Samba AD DC's are global catalogs ;-)
>
> Ah, OK... so we don't need to worry about that then?
>
> --
>
> Paul Littlefield
>
> Telephone: 07801 125705
> Email: info at paully.co.uk
> Wiki: http://wiki.indie-it.com/wiki/Special:AllPages
> LinkedIn: https://www.linkedin.com/in/paullittlefield
>
> Paul Littlefield is environmentally responsible. Please consider the
> environment before printing this email. This email and any attachment is
> intended for the named addressee only, or person authorised to receive it
> on their behalf. The content should be treated as confidential and the
> recipient may not disclose this message or any attachment to anyone else
> without authorisation. If this transmission is received in error please
> notify the sender immediately and delete this message from your email
> system. All electronic transmissions to and from me are recorded and may be
> monitored. Finally, the recipient should check this email and any
> attachments for viruses. Paul Littlefield accepts no liability for any
> damage caused by any virus transmitted by this email.
>
> Ubuntu 18.04.3 LTS (x86_64)
>
> Tmesis is a linguistic phenomenon in which a word or phrase is separated
> into two parts, with other words interrupting between them... well,
> abso-blooming-lutely.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 03/02/2020 07:15, Kris Lou via samba wrote:
> Unless it's_not_  a global catalog.  Check your SRV records again,
there
> should be corresponding "_gc" records (similar to
"_ldap") for each DC.
> 
> So, based upon the link/graphic I posted earlier:
> * either your 2nd DC isn't being returned as a part of DNS lookups
> * or that 2nd DC isn't responding to queries for authentication
> * or the client isn't storing/retrieving the 2nd DC's availability
for
> future lookups
> ** could be related to DNS? storage via registry-equivalents? no idea here,
> but putting it as "client side"
> 
> FWIW, I checked my file server (winbind, not sssd):
> * checked the logonserver (which DC it was authenticating against)
> * stopped samba on that DC
> * checked logonserver again -- and it had switched to a different one.  So
> 4.10 Louis winbind works (for me).
> 
> Kris Lou
> klou at themusiclink.net

Thanks Kris for your helpful and full information (yay).

I shall check, test and debug!

Regards,

-- 

Paul Littlefield

On 03/02/2020 07:15, Kris Lou via samba wrote:
> * checked the logonserver (which DC it was authenticating against)
Do you have command line for doing this?

-- 

Paul Littlefield

Telephone: 07801 125705
Email: info at paully.co.uk
Wiki: http://wiki.indie-it.com/wiki/Special:AllPages
LinkedIn: https://www.linkedin.com/in/paullittlefield

Paul Littlefield is environmentally responsible. Please consider the environment
before printing this email. This email and any attachment is intended for the
named addressee only, or person authorised to receive it on their behalf. The
content should be treated as confidential and the recipient may not disclose
this message or any attachment to anyone else without authorisation. If this
transmission is received in error please notify the sender immediately and
delete this message from your email system. All electronic transmissions to and
from me are recorded and may be monitored. Finally, the recipient should check
this email and any attachments for viruses. Paul Littlefield accepts no
liability for any damage caused by any virus transmitted by this email.

Ubuntu 18.04.3 LTS (x86_64)

Tmesis is a linguistic phenomenon in which a word or phrase is separated into
two parts, with other words interrupting between them... well,
abso-blooming-lutely.

Hello Kris,


On 03/02/2020 07:15, Kris Lou via samba wrote:
> Unless it's_not_  a global catalog.  Check your SRV records again,
there
> should be corresponding "_gc" records (similar to
"_ldap") for each DC.
Checked and both DCs pass all tests:-

host -t SRV _ldap._tcp.mydomain.com.
host -t SRV _gc._tcp.mydomain.com.
host -t SRV _kerberos._udp.mydomain.com.
host -t A dc3.mydomain.com.
host -t A dc4.mydomain.com.

e.g. (for _gc)

root at dc3.mydomain.com ~ $ (screen) host -t SRV _gc._tcp.mydomain.com.
_gc._tcp.mydomain.com has SRV record 0 100 3268 dc3.mydomain.com.
_gc._tcp.mydomain.com has SRV record 0 100 3268 dc4.mydomain.com.

> So, based upon the link/graphic I posted earlier:
> * either your 2nd DC isn't being returned as a part of DNS lookups
For the Windows desktops and the QNAP server, they have the IP addresses for
both DCs in their respective DNS settings.

For a Windows desktop tested this morning, the command nslookup defaults to DC3
at 192.168.0.218 but when that was "down" DNS queries timed out.

> * or that 2nd DC isn't responding to queries for authentication
Both DCs have this as their Kerberos configuration (/etc/krb5.conf):-

[libdefaults]
         default_realm = MYDOMAIN.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

If I run this command, authentication works:-

smbclient //dc4/netlogon -U jbloggs

> * or the client isn't storing/retrieving the 2nd DC's availability
for
> future lookups
If it's in Windows network settings or a QNAP's resolver file, where
else should it be?!

> ** could be related to DNS? storage via registry-equivalents? no idea here,
> but putting it as "client side"
I am happy to accept any suggestions here. There is no point in having multiple
DNS servers for Windows or another DC joined for failover if none of it works as
it is supposed to.

> FWIW, I checked my file server (winbind, not sssd):
> * checked the logonserver (which DC it was authenticating against)
> * stopped samba on that DC
> * checked logonserver again -- and it had switched to a different one.  So
> 4.10 Louis winbind works (for me).
Winbind is definitely running on both DCs and I followed the Wiki instructions
to the letter.

Both DCs are talking to one another for replication and I can authenticate
(manually using kinit) on each DC but when one virtual machine fails to boot
then problems happen.

Thanks.

Paul