Dale
2021-Mar-04 17:39 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 3/4/21 11:03 AM, Rowland penny via samba wrote:
> On 04/03/2021 16:49, Dale via samba wrote:
>>
>> A little more complicated than that, but not by much.
>>
>> 1. Before Louis' (and Jason's) suggestions, either long lag time
>> before authentication or a timeout.
>
> Understood, but was there anything in the logs on DC2 ?

There were no errors in the BIND logs. In the samba logs that had entries for today, there were no errors listed on the client from which I connected. DC2 only had errors related to being unable to find DC1 on port 135. These errors were during the time that DC1 was down, so the reason for them is obvious.

>> 2. After Louis' suggestions, either long lag time before
>> authentication or a timeout, but with a huge correlating increase in
>> the number of SRV queries on DC2.
>
> If there wasn't anything in the logs on DC2 before adding Louis's, but
> there is afterwards, then this would suggest that Louis's suggestions
> are working.

I'm in total agreement.

>> 3. After trying krb5.conf suggestions, no authentication at all.
>> 4. Revert the krb5.conf suggestions, but still no authentication.
>
> I am a bit doubtful about the krb5.conf modifications, I have never
> used them, but they seem to be valid, so who knows ?

I certainly don't.

>> It certainly looks like DC2, but it passes every test that the wiki
>> has, plus every additional one that you and Louis gave me to try
>> while troubleshooting various issues.
>
> Perhaps we have missed something ?

I'm very open to suggestions.

Dale

> Rowland
Rowland penny
2021-Mar-04 19:46 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 04/03/2021 17:39, Dale via samba wrote:
>
> I'm very open to suggestions.
>

OK, I tested this on my small domain, from an rpi running 4.13.4. I did not change anything except for resolv.conf, which I changed to this:

# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
# round robin nameservers
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6

I commented 'rotate' because it round robins nameservers, something I didn't want to happen. Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is dc4.samdom.example.com

Ran this command on the rpi:

time host -v -t SRV _ldap._tcp.samdom.example.com.

And got this output:

Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.

;; AUTHORITY SECTION:
samdom.example.com.    900    IN    NS    dc4.samdom.example.com.
samdom.example.com.    900    IN    NS    dc01.samdom.example.com.

;; ADDITIONAL SECTION:
dc4.samdom.example.com.    900    IN    A    192.168.0.6
dc01.samdom.example.com.   900    IN    A    192.168.0.8

Received 192 bytes from 192.168.0.8#53 in 78 ms

real    0m0.153s
user    0m0.038s
sys     0m0.038s

So far, so good. I then turned off bind9 on dc01 and ran the command again, this time the output was:

Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.

Received 132 bytes from 192.168.0.6#53 in 6 ms

real    0m1.074s
user    0m0.031s
sys     0m0.041s

As you can see, this time dc4 replied and fairly quickly. I think you may have missing or incorrect records for DC2, I will try and come up with something to check your records.

Rowland
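The check Rowland describes above (resolver failover settings in resolv.conf, then confirming that each DC's SRV records and glue come back from `host -v -t SRV`) can be scripted so a domain member can be audited offline against captured output. The following is an added example, not code from this thread or from the Samba project: the sample resolv.conf and `host` outputs are constructed from what Rowland posted, `failover_delay()` uses a deliberately simplified reading of the glibc resolver(5) timing rules, and the function names and the `expected_dcs` list are this example's own.

```python
"""Audit a domain member's DNS failover setup from resolv.conf and `host -v -t SRV` output.

Added example for the Samba list thread above; not part of Samba. The sample
inputs are constructed from the config and output Rowland posted.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    timeout: int = 5        # glibc default (RES_TIMEOUT), per resolv.conf(5)
    attempts: int = 2       # glibc default (RES_DFLRETRY)
    rotate: bool = False    # 'options rotate' round-robins the nameserver list


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the subset of resolv.conf that matters for DC failover."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and blanks
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key == "search":
            conf.search = args
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                if name == "timeout":
                    conf.timeout = int(value)
                elif name == "attempts":
                    conf.attempts = int(value)
                elif name == "rotate":
                    conf.rotate = True
    return conf


def failover_delay(conf: ResolvConf) -> int:
    """Seconds a lookup stalls when the first listed nameserver never answers.

    Simplified model (assumption, not glibc's exact retry schedule): with a second
    nameserver present the resolver waits `timeout` before trying it; with only one
    nameserver every attempt must time out before the lookup fails.
    """
    if len(conf.nameservers) > 1:
        return conf.timeout
    return conf.timeout * conf.attempts


SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
SRV_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")
A_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_host_srv(output: str):
    """Return ({srv_target: (priority, weight, port)}, {host: ip}) from `host -v -t SRV` output.

    Only the ANSWER section feeds the SRV map and only the ADDITIONAL section feeds
    the glue map, so an answer with 'ADDITIONAL: 0' yields an empty glue map.
    """
    srv, glue, section = {}, {}, None
    for line in output.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "ANSWER" and (m := SRV_RE.match(line)):
            srv[m.group(5)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
        elif section == "ADDITIONAL" and (m := A_RE.match(line)):
            glue[m.group(1)] = m.group(2)
    return srv, glue


def check_srv(output: str, expected_dcs) -> dict:
    """Report DCs missing from the SRV answer and SRV targets that came without an A record."""
    srv, glue = parse_host_srv(output)
    return {
        "missing_srv": sorted(set(expected_dcs) - set(srv)),
        "no_glue": sorted(t for t in srv if t not in glue),
    }


# Constructed sample inputs, taken from the config and output posted in the thread.
SAMPLE_RESOLV_CONF = """\
# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6
"""

HOST_OUTPUT_BOTH_UP = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV
;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc01.samdom.example.com.
;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc4.samdom.example.com.
;; ADDITIONAL SECTION:
dc4.samdom.example.com. 900 IN A 192.168.0.6
dc01.samdom.example.com. 900 IN A 192.168.0.8
Received 192 bytes from 192.168.0.8#53 in 78 ms
"""

HOST_OUTPUT_DC01_DOWN = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV
;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc01.samdom.example.com.
Received 132 bytes from 192.168.0.6#53 in 6 ms
"""

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print(f"nameservers={conf.nameservers} timeout={conf.timeout}s attempts={conf.attempts}")
    print(f"stall if first nameserver is dead: ~{failover_delay(conf)}s")
    dcs = ["dc01.samdom.example.com", "dc4.samdom.example.com"]
    print("both up:   ", check_srv(HOST_OUTPUT_BOTH_UP, dcs))
    print("dc01 down: ", check_srv(HOST_OUTPUT_DC01_DOWN, dcs))
```

Run it against real captures by replacing the sample strings with the contents of `/etc/resolv.conf` and the output of `host -v -t SRV _ldap._tcp.<domain>.` taken once per nameserver (`host` accepts the server address as a final argument). An entry under `no_glue` means the answering DC handed back the SRV target without its A record, so the client has to issue a second lookup for that name, which is exactly the kind of gap that shows up as extra query load and slow or failed authentication when one DC is offline.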