L.P.H. van Belle
2021-Mar-03 15:58 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
Check the following.

dig ns $(hostname -d)

You should see all the AD-DC servers, if not add the NS record of the missing ones, then when that's done,
try these settings and test what works best for you, add in /etc/resolv.conf

options timeout:3
options attempts:2
options rotate

(see: man resolv.conf what these do)

in smb.conf..
Try setting:

cache directory = /var/cache/samba
(do check if the folder exists.)

These parts would be the first ones I would look into.

I hope this can help you.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
> Sent: Wednesday 3 March 2021 16:25
> To: Josh T; Roy Eastwood; samba at lists.samba.org
> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>
> Josh, I don't have the answer to your question, but if you ever figure it out, I would like to know the answer, too.
>
> The 2nd DC that I built has been of very little use. While building, it passed all the tests in the wiki. After building, I found some DNS entries that were not created during the join. Rowland kindly helped me add and/or edit the affected entries, and I hoped for better results. However, it was not to be. If the 1st DC is removed from the network, any kind of login or getent is interminably long or times out. So, while I easily see the theoretical value of having multiple DC's, I'm having trouble seeing the actual, practical benefit of having them. There is no instant failover, and often times, there is complete failure of necessary AD functions. While it's certainly possible the problem could be me, I cannot troubleshoot what the problem is.
>
> Dale
>
>
> On 3/1/21 6:25 PM, Josh T via samba wrote:
> > Further fiddling with this has shown something strange. If I enter my username and password in an attempt to authenticate a domain user, it will take 60+ seconds for it to fail to log in. However, during said 60+ seconds, if I log in via SSH as a non-domain user, then the domain user login succeeds. What could cause that?
> >
> > ________________________________
> > From: Roy Eastwood <spindles7 at gmail.com>
> > Sent: Saturday, February 27, 2021 1:27 AM
> > To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
> > Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
> >
> > On 27 February 2021 03:35 Josh T wrote:
> > > //Problem:
> > > I am unable to authenticate a domain user on a Samba domain member while the first Samba directory controller DC1 is powered off and the second Samba directory controller DC2 is powered on.
> > >
> > > While DC1 is powered on, I can log in as a domain user with no problems. While DC1 is powered off, attempting to log in usually results in waiting 60+ seconds followed by a login failure message. If I had already logged in prior to powering off DC1, then I can see the same long delay and authentication failures when entering my sudo password. Intermittently I can sometimes manage to log in while DC1 is powered off, but there is still the 60+ second delay; I haven't been able to link this intermittent behavior to any of my own troubleshooting actions. In any case, a 60+ second delay is undesirable.
> > >
> > > //Environment description:
> > > The first Samba domain controller DC1 was created following these instructions on the Samba wiki:
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > > It was provisioned using the command "samba-tool domain provision --use-rfc2307 --interactive".
> > > The BIND9_DLZ DNS backend was selected during provisioning.
> > > Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
> > >
> > > The second Samba domain controller DC2 was created following these instructions on the Samba wiki:
> > > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > > It was joined using the command "samba-tool domain join my.domain.tld --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
> > The above is missing the letters "DC" in the command line. This may be the issue.
> >
> > HTH
> >
> > Roy
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Dale
2021-Mar-03 19:08 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 3/3/21 9:58 AM, L.P.H. van Belle via samba wrote:
> Check the following.
>
> dig ns $(hostname -d)
> You should see all the AD-DC servers, if not add the NS record of the missing ones, then when that's done.
>
> try these settings and test what works best for you, add in /etc/resolv.conf
>
> options timeout:3
> options attempts:2
> options rotate
>
> (see: man resolv.conf what these do)
>
> in smb.conf..
> Try setting:
>
> cache directory = /var/cache/samba
> (do check if the folder exists.)
>
> these parts would be the first ones I would look into.
>
> I hope this can help you.
>
> Greetz,
>
> Louis

_@ Louis_
The dig command returns the correct results, and the cache directory setting already matches what you had suggested. I will experiment with the resolv.conf options that you mentioned.

_@ Jason_
I have requested a bugzilla account in order to add a "me too" to your bug report. If what I'm experiencing is not identical, it is most certainly similar.

_@ Kris_
I'll need some direction for this - <KL> "Also, are the _kerberos SRV records correct for DC2?" Where/How do I find this, and what _are_ the expected values?

Thanks to all for the suggestions.

Dale

>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
>> Sent: Wednesday 3 March 2021 16:25
>> To: Josh T; Roy Eastwood; samba at lists.samba.org
>> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>>
>> Josh, I don't have the answer to your question, but if you ever figure it out, I would like to know the answer, too.
>>
>> The 2nd DC that I built has been of very little use. While building, it passed all the tests in the wiki. After building, I found some DNS entries that were not created during the join. Rowland kindly helped me add and/or edit the affected entries, and I hoped for better results. However, it was not to be. If the 1st DC is removed from the network, any kind of login or getent is interminably long or times out. So, while I easily see the theoretical value of having multiple DC's, I'm having trouble seeing the actual, practical benefit of having them. There is no instant failover, and often times, there is complete failure of necessary AD functions. While it's certainly possible the problem could be me, I cannot troubleshoot what the problem is.
>>
>> Dale
>>
>>
>> On 3/1/21 6:25 PM, Josh T via samba wrote:
>>> Further fiddling with this has shown something strange. If I enter my username and password in an attempt to authenticate a domain user, it will take 60+ seconds for it to fail to log in. However, during said 60+ seconds, if I log in via SSH as a non-domain user, then the domain user login succeeds. What could cause that?
>>>
>>> ________________________________
>>> From: Roy Eastwood <spindles7 at gmail.com>
>>> Sent: Saturday, February 27, 2021 1:27 AM
>>> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
>>> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>>>
>>> On 27 February 2021 03:35 Josh T wrote:
>>>> //Problem:
>>>> I am unable to authenticate a domain user on a Samba domain member while the first Samba directory controller DC1 is powered off and the second Samba directory controller DC2 is powered on.
>>>>
>>>> While DC1 is powered on, I can log in as a domain user with no problems. While DC1 is powered off, attempting to log in usually results in waiting 60+ seconds followed by a login failure message. If I had already logged in prior to powering off DC1, then I can see the same long delay and authentication failures when entering my sudo password. Intermittently I can sometimes manage to log in while DC1 is powered off, but there is still the 60+ second delay; I haven't been able to link this intermittent behavior to any of my own troubleshooting actions. In any case, a 60+ second delay is undesirable.
>>>>
>>>> //Environment description:
>>>> The first Samba domain controller DC1 was created following these instructions on the Samba wiki:
>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>>> It was provisioned using the command "samba-tool domain provision --use-rfc2307 --interactive".
>>>> The BIND9_DLZ DNS backend was selected during provisioning.
>>>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>>>>
>>>> The second Samba domain controller DC2 was created following these instructions on the Samba wiki:
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>>> It was joined using the command "samba-tool domain join my.domain.tld --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
>>> The above is missing the letters "DC" in the command line. This may be the issue.
>>>
>>> HTH
>>>
>>> Roy
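Louis's `dig ns $(hostname -d)` check and Dale's question about the `_kerberos` SRV records for DC2 come down to the same test: is every DC present in the records a domain member uses to locate a DC? The script below is an added example, not code from the thread or from Samba; it assumes the domain my.domain.tld from Josh's join command and placeholder DC host names dc1 and dc2, and reports any DC absent from the NS and SRV answers (a DC missing there is one the member cannot fail over to).

```shell
#!/bin/sh
# Added example (not from the thread): report AD DCs missing from the DNS
# records a Samba domain member relies on. DOMAIN and EXPECTED_DCS are assumed
# placeholders; my.domain.tld is the name used in Josh's join command.
DOMAIN="${DOMAIN:-my.domain.tld}"
EXPECTED_DCS="${EXPECTED_DCS:-dc1 dc2}"

# dc_missing_from RECORDS EXPECTED
# RECORDS is the text of a `dig +short` answer: NS lines look like
# "dc1.my.domain.tld.", SRV lines like "0 100 88 dc1.my.domain.tld.".
# Prints each host in EXPECTED that does not appear; returns 1 if any is missing.
dc_missing_from() {
    records="$1"; expected="$2"; rc=0
    for dc in $expected; do
        if ! printf '%s\n' "$records" | awk -v want="$dc.$DOMAIN" '
            { t = tolower($NF); sub(/\.$/, "", t) }   # target = last field, no trailing dot
            t == tolower(want) { found = 1 }
            END { exit !found }'; then
            echo "$dc"; rc=1
        fi
    done
    return $rc
}

# check_record TYPE NAME: query live DNS and print which DCs the answer lacks.
check_record() {
    type="$1"; name="$2"
    if missing="$(dc_missing_from "$(dig +short "$type" "$name")" "$EXPECTED_DCS")"; then
        echo "OK      $type $name"
    else
        echo "MISSING $type $name: $missing"
    fi
}

# Live queries run only with --live, so the checks above can be exercised offline.
if [ "${1:-}" = "--live" ]; then
    check_record ns  "$DOMAIN"
    check_record srv "_ldap._tcp.$DOMAIN"
    check_record srv "_kerberos._tcp.$DOMAIN"
    check_record srv "_kerberos._udp.$DOMAIN"
    check_record srv "_ldap._tcp.dc._msdcs.$DOMAIN"
fi
```

Run it as `sh check-dcs.sh --live` on the domain member; a MISSING line for DC2 means the record must be added before the member can reach DC2 when DC1 is off.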