Josh T
2021-Feb-27 03:34 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
//Problem:
I am unable to authenticate a domain user on a Samba domain member while the
first Samba directory controller DC1 is powered off and the second Samba
directory controller DC2 is powered on.
While DC1 is powered on, I can log in as a domain user with no problems. While
DC1 is powered off, attempting to log in usually results in waiting 60+ seconds
followed by a login failure message. If I had already logged in prior to
powering off DC1, then I can see the same long delay and authentication failures
when entering my sudo password. Intermittently I can sometimes manage to log in
while DC1 is powered off, but there is still the 60+ second delay; I haven't
been able to link this intermittent behavior to any of my own troubleshooting
actions. In any case, a 60+ second delay is undesirable.
//Environment description:
The first Samba domain controller DC1 was created following these instructions
on the Samba wiki:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
It was provisioned using the command "samba-tool domain provision
--use-rfc2307 --interactive".
The BIND9_DLZ DNS backend was selected during provisioning.
Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
The second Samba domain controller DC2 was created following these instructions
on the Samba wiki:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
It was joined using the command "samba-tool domain join my.domain.tld
--dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
Samba version 4.11.6-Ubuntu was installed on DC2 using the apt command.
The Samba domain members were created following these instructions on the Samba
wiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
They were joined using the command "net ads join".
Samba version 4.11.6-Ubuntu was installed on the members using the apt command.
All machines are virtual machines on the same subnet. There are a total of two
Ubuntu Server 20.04.2 LTS Samba domain controllers, four Ubuntu Server 20.04.2
LTS Samba domain member servers, one Windows Server 2012R2 domain member, and
one (non-domain member) Pfsense server on the network; this is the entirety of
the network.
//List of configuration files whose contents are provided below
Domain Controller DC1
/etc/samba/smb.conf
/etc/krb5.conf
/etc/resolv.conf
/etc/hosts
/etc/bind/named.conf.options
Domain Controller DC2
/etc/samba/smb.conf
/etc/krb5.conf
/etc/resolv.conf
/etc/hosts
/etc/bind/named.conf.options
Domain Member
/etc/samba/smb.conf
/etc/krb5.conf
/etc/resolv.conf
/etc/hosts
//Configuration file contents
//============================================================//
// Domain Controller DC1: /etc/samba/smb.conf
//============================================================//
[global]
netbios name = DC1
workgroup = DOMAIN
realm = MY.DOMAIN.TLD
log file = /var/log/samba/log.%m
max log size = 1000
logging = files syslog at 1
panic action = /usr/share/samba/panic-action %d
server role = active directory domain controller
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template shell = /bin/bash
template homedir = /home/%D/%U
idmap_ldb:use rfc2307 = yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
time server = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/my.domain.tld/scripts
read only = No
//============================================================//
// Domain Controller DC1: /etc/krb5.conf
//============================================================//
[libdefaults]
default_realm = MY.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
//============================================================//
// Domain Controller DC1: /etc/resolv.conf
//============================================================//
nameserver <DC1 IP Address>
nameserver <DC2 IP Address>
search my.domain.tld
//============================================================//
// Domain Controller DC1: /etc/hosts
//============================================================//
127.0.0.1 localhost
<DC1 IP address> dc1.my.domain.tld dc1
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
//============================================================//
// Domain Controller DC1: /etc/bind/named.conf.options
//============================================================//
acl "internal_addresses" { 127.0.0.0/8; <My IP address block>; };
acl "admin_addresses" { <DC1 IP address>; <DC2 IP address>; };
options {
directory "/var/cache/bind";
forwarders { <Pfsense router/firewall IP address>; };
dnssec-validation no;
version none;
notify no;
empty-zones-enable no;
auth-nxdomain yes;
listen-on-v6 { none; };
listen-on port 53 { <DC1 IP address>; 127.0.0.1; };
minimal-responses yes;
allow-query { "internal_addresses"; };
allow-query-cache { "internal_addresses"; };
recursion yes;
allow-recursion { "internal_addresses"; };
allow-transfer { "admin_addresses"; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
logging {
channel hd_security {
file "/var/log/named/named.security" versions 3 size 5m;
print-time yes;
print-severity yes;
print-category yes;
};
category security { hd_security; };
};
//============================================================//
// Domain Controller DC2: /etc/samba/smb.conf
//============================================================//
[global]
netbios name = DC2
workgroup = DOMAIN
realm = MY.DOMAIN.TLD
log file = /var/log/samba/log.%m
max log size = 1000
logging = files syslog at 1
panic action = /usr/share/samba/panic-action %d
log level = 2
server role = active directory domain controller
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template shell = /bin/bash
template homedir = /home/%D/%U
idmap_ldb:use rfc2307 = yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
time server = yes
name resolve order = wins bcast
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/my.domain.tld/scripts
read only = No
//============================================================//
// Domain Controller DC2: /etc/krb5.conf
//============================================================//
[libdefaults]
default_realm = MY.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
//============================================================//
// Domain Controller DC2: /etc/resolv.conf
//============================================================//
nameserver <DC2 IP address>
nameserver <DC1 IP address>
search my.domain.tld
//============================================================//
// Domain Controller DC2: /etc/hosts
//============================================================//
127.0.0.1 localhost
<DC2 IP address> dc2.my.domain.tld dc2
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
//============================================================//
// Domain Controller DC2: /etc/bind/named.conf.options
//============================================================//
acl "internal_addresses" { 127.0.0.0/8; <My IP address block>; };
acl "admin_addresses" { <DC1 IP address>; <DC2 IP address>; };
options {
directory "/var/cache/bind";
forwarders { <IP address of pfsense router/firewall>; };
dnssec-validation no;
version none;
notify no;
empty-zones-enable no;
auth-nxdomain yes;
listen-on-v6 { none; };
listen-on port 53 { <DC2 IP address>; 127.0.0.1; };
minimal-responses yes;
allow-query { "internal_addresses"; };
allow-query-cache { "internal_addresses"; };
recursion yes;
allow-recursion { "internal_addresses"; };
allow-transfer { "admin_addresses"; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
logging {
channel hd_security {
file "/var/log/named/named.security" versions 3 size 5m;
print-time yes;
print-severity yes;
print-category yes;
};
category security { hd_security; };
};
//============================================================//
// Domain Member: /etc/samba/smb.conf
//============================================================//
[global]
workgroup = DOMAIN
realm = MY.DOMAIN.TLD
log file = /var/log/samba/log.%m
max log size = 1000
logging = files syslog at 1
panic action = /usr/share/samba/panic-action %d
security = ads
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
vfs objects = acl_xattr
map acl inherit = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-19999
idmap config DOMAIN : unix_nss_info = yes
idmap config DOMAIN : unix_primary_group = yes
idmap config DOMAIN : schema_mode = rfc2307
template shell = /bin/false
template homedir = /home/%D/%U
//============================================================//
// Domain Member: /etc/krb5.conf
//============================================================//
[libdefaults]
default_realm = MY.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
//============================================================//
// Domain Member: /etc/resolv.conf
//============================================================//
nameserver <DC1 IP address>
nameserver <DC2 IP address>
search my.domain.tld
//============================================================//
// Domain Member: /etc/hosts
//============================================================//
127.0.0.1 localhost
<Member IP address> member.my.domain.tld member
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
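A check a member administrator could run for the situation described above (an added example, not from this thread or from the Samba project): it reads the realm's LDAP and Kerberos SRV records with host, reports any expected DC that is not advertised, and probes each advertised DC on its port with a short timeout, so a DC that is missing from DNS or listed but unreachable shows up before a login sits through the timeout. It assumes the thread's placeholder realm my.domain.tld and DC names dc1/dc2, and that host (bind9-host/dnsutils) and nc are installed on the member.

```shell
#!/bin/sh
# Constructed check (not from the thread): confirm that every DC the member
# expects is advertised in the realm's LDAP and Kerberos SRV records and
# answers on those ports. A DC missing from DNS, or listed but unreachable,
# is what turns a domain login into a long timeout. Assumes the thread's
# placeholder realm/DC names and that "host" and "nc" are installed.
REALM="${REALM:-my.domain.tld}"
EXPECTED_DCS="${EXPECTED_DCS:-dc1.my.domain.tld dc2.my.domain.tld}"

# Print unique target hosts (last field, trailing dot removed) from lines like:
#   _ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# Print each host named in $1 (space-separated) that does not appear on stdin.
missing_hosts() {
    found=$(cat)
    for h in $1; do
        printf '%s\n' "$found" | grep -qxF "$h" || echo "$h"
    done
}

# Succeed only if $1 accepts a TCP connection on port $2 within 3 seconds.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

check_realm() {
    rc=0
    for svc in _ldap._tcp _kerberos._tcp; do
        case $svc in _kerberos*) port=88 ;; *) port=389 ;; esac
        targets=$(host -t SRV "$svc.$REALM" | srv_targets)
        for m in $(printf '%s\n' "$targets" | missing_hosts "$EXPECTED_DCS"); do
            echo "FAIL $svc.$REALM does not advertise $m"; rc=1
        done
        for dc in $targets; do
            if port_open "$dc" "$port"; then
                echo "ok   $svc -> $dc:$port"
            else
                echo "FAIL $svc -> $dc:$port unreachable; logins wait for the timeout"; rc=1
            fi
        done
    done
    return $rc
}

# Run the live check only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then check_realm; fi
```

Run it as `sh dccheck.sh --run` on the member while DC1 is off; a FAIL line for dc2 on either service points at DNS or the DC, while an ok line for dc2 means the member can reach it and the delay lies elsewhere.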
Roy Eastwood
2021-Feb-27 08:27 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 27 February 2021 03:35 Josh T wrote:
> //Problem:
> I am unable to authenticate a domain user on a Samba domain member while the
> first Samba directory controller DC1 is powered off and the second Samba
> directory controller DC2 is powered on.
>
> While DC1 is powered on, I can log in as a domain user with no problems. While
> DC1 is powered off, attempting to log in usually results in waiting 60+ seconds
> followed by a login failure message. If I had already logged in prior to powering
> off DC1, then I can see the same long delay and authentication failures when
> entering my sudo password. Intermittently I can sometimes manage to log in
> while DC1 is powered off, but there is still the 60+ second delay; I haven't been
> able to link this intermittent behavior to any of my own troubleshooting actions.
> In any case, a 60+ second delay is undesirable.
>
> //Environment description:
> The first Samba domain controller DC1 was created following these instructions
> on the Samba wiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> It was provisioned using the command "samba-tool domain provision
> --use-rfc2307 --interactive".
> The BIND9_DLZ DNS backend was selected during provisioning.
> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>
> The second Samba domain controller DC2 was created following these
> instructions on the Samba wiki:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> It was joined using the command "samba-tool domain join my.domain.tld
> --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".

The above is missing the letters "DC" in the command line. This may be the issue.

HTH
Roy
Josh T
2021-Mar-02 00:25 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
Further fiddling with this has shown something strange. If I enter my username
and password in an attempt to authenticate a domain user, it will take 60+
seconds for it to fail to log in. However, during said 60+ seconds, if I log in
via SSH as a non-domain user, then the domain user login succeeds. What could
cause that?

________________________________
From: Roy Eastwood <spindles7 at gmail.com>
Sent: Saturday, February 27, 2021 1:27 AM
To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down

On 27 February 2021 03:35 Josh T wrote:
> //Problem:
> I am unable to authenticate a domain user on a Samba domain member while the
> first Samba directory controller DC1 is powered off and the second Samba
> directory controller DC2 is powered on.
>
> While DC1 is powered on, I can log in as a domain user with no problems. While
> DC1 is powered off, attempting to log in usually results in waiting 60+ seconds
> followed by a login failure message. If I had already logged in prior to powering
> off DC1, then I can see the same long delay and authentication failures when
> entering my sudo password. Intermittently I can sometimes manage to log in
> while DC1 is powered off, but there is still the 60+ second delay; I haven't been
> able to link this intermittent behavior to any of my own troubleshooting actions.
> In any case, a 60+ second delay is undesirable.
>
> //Environment description:
> The first Samba domain controller DC1 was created following these instructions
> on the Samba wiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> It was provisioned using the command "samba-tool domain provision
> --use-rfc2307 --interactive".
> The BIND9_DLZ DNS backend was selected during provisioning.
> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>
> The second Samba domain controller DC2 was created following these
> instructions on the Samba wiki:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> It was joined using the command "samba-tool domain join my.domain.tld
> --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".

The above is missing the letters "DC" in the command line. This may be the issue.

HTH
Roy