Dale
2021-Mar-03 19:08 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 3/3/21 9:58 AM, L.P.H. van Belle via samba wrote:
> Check the following.
>
> dig ns $(hostname -d)
> You should see all the AD-DC servers, if not add the NS record of the missing ones, then when that's done.
>
> try these settings and test what works best for you, add in /etc/resolv.conf
>
> options timeout:3
> options attempts:2
> options rotate
>
> (see : man resolv.conf what these do)
>
> in smb.conf..
> Try setting :
>
> cache directory = /var/cache/samba
> (do check if the folder exists. )
>
> these parts would be the first ones i would look into.
>
> I hope this can help you.
>
> Greetz,
>
> Louis

@ Louis

The dig command returns the correct results, and the cache directory setting already matches what you had suggested.

I will experiment with the resolv.conf options that you mentioned.

@ Jason

I have requested a bugzilla account in order to add a "me too" to your bug report. If what I'm experiencing is not identical, it is most certainly similar.

@ Kris

I'll need some direction for this -

<KL> "Also, are the _kerberos SRV records correct for DC2?"

Where/How do I find this, and what _are_ the expected values?

Thanks to all for the suggestions.

Dale

>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
>> Sent: Wednesday, 3 March 2021 16:25
>> To: Josh T; Roy Eastwood; samba at lists.samba.org
>> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>>
>> Josh, I don't have the answer to your question, but if you ever figure it out, I would like to know the answer, too.
>>
>> The 2nd DC that I built has been of very little use. While building, it passed all the tests in the wiki. After building, I found some DNS entries that were not created during the join. Rowland kindly helped me add and/or edit the affected entries, and I hoped for better results. However, it was not to be. If the 1st DC is removed from the network, any kind of login or getent is interminably long or times out. So, while I easily see the theoretical value of having multiple DC's, I'm having trouble seeing the actual, practical benefit of having them. There is no instant failover, and often times, there is complete failure of necessary AD functions. While it's certainly possible the problem could be me, I cannot troubleshoot what the problem is.
>>
>> Dale
>>
>> On 3/1/21 6:25 PM, Josh T via samba wrote:
>>> Further fiddling with this has shown something strange. If I enter my username and password in an attempt to authenticate a domain user, it will take 60+ seconds for it to fail to log in. However, during said 60+ seconds, if I log in via SSH as a non-domain user, then the domain user login succeeds. What could cause that?
>>>
>>> ________________________________
>>> From: Roy Eastwood <spindles7 at gmail.com>
>>> Sent: Saturday, February 27, 2021 1:27 AM
>>> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
>>> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>>>
>>> On 27 February 2021 03:35 Josh T wrote:
>>>> //Problem:
>>>> I am unable to authenticate a domain user on a Samba domain member while the first Samba directory controller DC1 is powered off and the second Samba directory controller DC2 is powered on.
>>>>
>>>> While DC1 is powered on, I can log in as a domain user with no problems. While DC1 is powered off, attempting to log in usually results in waiting 60+ seconds followed by a login failure message. If I had already logged in prior to powering off DC1, then I can see the same long delay and authentication failures when entering my sudo password. Intermittently I can sometimes manage to log in while DC1 is powered off, but there is still the 60+ second delay; I haven't been able to link this intermittent behavior to any of my own troubleshooting actions. In any case, a 60+ second delay is undesirable.
>>>>
>>>> //Environment description:
>>>> The first Samba domain controller DC1 was created following these instructions on the Samba wiki:
>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>>> It was provisioned using the command "samba-tool domain provision --use-rfc2307 --interactive".
>>>> The BIND9_DLZ DNS backend was selected during provisioning.
>>>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>>>>
>>>> The second Samba domain controller DC2 was created following these instructions on the Samba wiki:
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>>> It was joined using the command "samba-tool domain join my.domain.tld --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
>>> The above is missing the letters "DC" in the command line. This may be the issue.
>>>
>>> HTH
>>>
>>> Roy
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Kris Lou
2021-Mar-03 20:42 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
Domain member krb.conf (mostly stolen from Jason's ticket above, but you get the point. : https://bugzilla.samba.org/show_bug.cgi?id=14597)

[libdefaults]
    default_realm = AD.SAMDOM
    dns_lookup_realm = false
    dns_lookup_kdc = false      <----------------------
    rdns = false
    forwardable = true
    renew_lifetime = 7d

[realms]                        <---------------
    AD.SAMDOM = {
        kdc = ip.add.re.ss1:88
        kdc = ip.add.re.ss2:88
    }

When we tested this a while ago (same issues, with ... sssd, so take with a grain of salt), the above was supposed to specify the KDC instead of relying on DNS. I hope the syntax is right, I haven't checked the man pages in a while.

Also, Verifying kerberos SRV records: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS

They should exist for each DC.

Kris Lou
klou at themusiclink.net

On Wed, Mar 3, 2021 at 11:08 AM Dale <samba at txschroeder.family> wrote:
> On 3/3/21 9:58 AM, L.P.H. van Belle via samba wrote:
>> Check the following.
>>
>> dig ns $(hostname -d)
>> You should see all the AD-DC servers, if not add the NS record of the missing ones, then when that's done.
>>
>> try these settings and test what works best for you, add in /etc/resolv.conf
>>
>> options timeout:3
>> options attempts:2
>> options rotate
>>
>> (see : man resolv.conf what these do)
>>
>> in smb.conf..
>> Try setting :
>>
>> cache directory = /var/cache/samba
>> (do check if the folder exists. )
>>
>> these parts would be the first ones i would look into.
>>
>> I hope this can help you.
>>
>> Greetz,
>>
>> Louis
>
> *@ Louis*
>
> The dig command returns the correct results, and the cache directory setting already matches what you had suggested.
>
> I will experiment with the resolv.conf options that you mentioned.
>
> *@ Jason*
>
> I have requested a bugzilla account in order to add a "me too" to your bug report. If what I'm experiencing is not identical, it is most certainly similar.
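Dale asks where the _kerberos SRV records live and what they should contain, and Kris notes they must exist for each DC. The following POSIX shell script is an added example, not code from anyone in this thread or from the Samba project: it lists the SRV names an AD client queries and reports which expected DC is missing from a `dig +short SRV` answer. The realm and DC hostnames are placeholder assumptions (override REALM and EXPECTED_DCS in the environment).

```shell
#!/bin/sh
# Added example: verify that every DC is advertised in the Kerberos/LDAP
# SRV records that domain members use to locate a KDC. Realm and DC names
# below are placeholders, not values from the thread.
REALM="${REALM:-samdom.example.com}"
EXPECTED_DCS="${EXPECTED_DCS:-dc1.samdom.example.com dc2.samdom.example.com}"

# SRV names queried by AD clients; a Samba provision/join creates one
# record per DC under each name, e.g. "0 100 88 dc1.samdom.example.com."
# (priority 0, weight 100, port 88 for Kerberos, 389 for LDAP).
srv_names() {
  for n in _kerberos._tcp _kerberos._udp _ldap._tcp \
           _kerberos._tcp.dc._msdcs _ldap._tcp.dc._msdcs; do
    echo "$n.$REALM"
  done
}

# missing_dcs NAME ANSWER: ANSWER is the text printed by
# "dig +short SRV NAME" (lines of "prio weight port target.").
# Prints one line per expected DC that has no record; exit 1 if any.
missing_dcs() {
  name=$1; answer=$2; rc=0
  for dc in $EXPECTED_DCS; do
    if ! printf '%s\n' "$answer" | awk -v t="$dc" '
          { sub(/\.$/, "", $4); if ($4 == t) found = 1 }
          END { exit (found ? 0 : 1) }'; then
      echo "$name: no SRV record for $dc"
      rc=1
    fi
  done
  return $rc
}

# Live check against the resolvers in /etc/resolv.conf (needs dig).
check_live() {
  for n in $(srv_names); do
    missing_dcs "$n" "$(dig +short SRV "$n")"
  done
}

# Constructed sample answers: the second one lacks DC2, the failure mode
# Dale describes (records not created during the join).
SAMPLE_OK='0 100 88 dc1.samdom.example.com.
0 100 88 dc2.samdom.example.com.'
SAMPLE_BAD='0 100 88 dc1.samdom.example.com.'

# Uncomment on a domain member to run against real DNS:
# check_live
```

Run it from a domain member so it uses the same resolvers that winbind and the Kerberos library use; a DC absent from these records will never be tried when the first DC is down, however many `kdc` lines krb5.conf lists.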
Josh T
2021-Mar-03 23:16 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
I saw a reasonable improvement from including this line at the top of resolv.conf:

options rotate timeout:1

I can now consistently log in to domain members. There is still a ~20 second delay, but I can live with this. Are there any downsides to setting the timeout so low? I haven't experimented with other timeouts yet.

As per Louis's suggestion, I ran "dig ns $(hostname -d)", and it does show all AD-DC servers. I also verified that the directory "/var/cache/samba" exists. I can see that the smb.conf option "cache directory" is already set to this value using "testparm -v".

Regards,
Josh

________________________________
From: Dale <samba at txschroeder.family>
Sent: Wednesday, March 3, 2021 12:08 PM
To: samba at lists.samba.org <samba at lists.samba.org>; Jason Keltz <jas at eecs.yorku.ca>; Josh T <c3h4ohcooh3 at hotmail.com>; Kris Lou <klou at themusiclink.net>
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down

> On 3/3/21 9:58 AM, L.P.H. van Belle via samba wrote:
>> Check the following.
>>
>> dig ns $(hostname -d)
>> You should see all the AD-DC servers, if not add the NS record of the missing ones, then when that's done.
>>
>> try these settings and test what works best for you, add in /etc/resolv.conf
>>
>> options timeout:3
>> options attempts:2
>> options rotate
>>
>> (see : man resolv.conf what these do)
>>
>> in smb.conf..
>> Try setting :
>>
>> cache directory = /var/cache/samba
>> (do check if the folder exists. )
>>
>> these parts would be the first ones i would look into.
>>
>> I hope this can help you.
>>
>> Greetz,
>>
>> Louis
>
> @ Louis
>
> The dig command returns the correct results, and the cache directory setting already matches what you had suggested.
>
> I will experiment with the resolv.conf options that you mentioned.
>
> @ Jason
>
> I have requested a bugzilla account in order to add a "me too" to your bug report. If what I'm experiencing is not identical, it is most certainly similar.
>
> @ Kris
>
> I'll need some direction for this -
>
> <KL> "Also, are the _kerberos SRV records correct for DC2?"