Jake Black
2021-Mar-08 15:20 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
This thread is already pretty long and so I'm not sure if this has been looked at yet, but my linux clients would experience this same issue unless I made sure to replicate idmappings on a new DC after it was joined:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

Jake

From: "Jason Keltz" <jas at eecs.yorku.ca>
To: "Dale" <samba at txschroeder.family>
Cc: samba at lists.samba.org
Sent: Wednesday, March 3, 2021 10:14:07 AM
Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down

Hi Dale/Josh,

I had opened a ticket about this issue back in December (at least I think this is similar):

https://bugzilla.samba.org/show_bug.cgi?id=14597

I consider failover to be very important. Unfortunately, the Samba developers haven't had time to work on it. I've had a few users email me over the course of the last months stating similar problems. Maybe you or anyone else who has the problem might add a similar "me too" to the bug so that the information is all available when the developers do have time to work on it, and we can all benefit.

I suppose there's still a benefit to having multiple DC for load balancing. However, yes, when the DC goes out, in my experience, there's definitely trouble.

Jason.

On 3/3/2021 10:25 AM, Dale via samba wrote:
> Josh, I don't have the answer to your question, but if you ever figure it out, I would like to know the answer, too.
>
> The 2nd DC that I built has been of very little use. While building, it passed all the tests in the wiki. After building, I found some DNS entries that were not created during the join. Rowland kindly helped me add and/or edit the affected entries, and I hoped for better results. However, it was not to be. If the 1st DC is removed from the network, any kind of login or getent is interminably long or times out. So, while I easily see the theoretical value of having multiple DC's, I'm having trouble seeing the actual, practical benefit of having them. There is no instant failover, and often times, there is complete failure of necessary AD functions. While it's certainly possible the problem could be me, I cannot troubleshoot what the problem is.
>
> Dale
>
> On 3/1/21 6:25 PM, Josh T via samba wrote:
>> Further fiddling with this has shown something strange. If I enter my username and password in an attempt to authenticate a domain user, it will take 60+ seconds for it to fail to log in. However, during said 60+ seconds, if I log in via SSH as a non-domain user, then the domain user login succeeds. What could cause that?
>>
>> ________________________________
>> From: Roy Eastwood <spindles7 at gmail.com>
>> Sent: Saturday, February 27, 2021 1:27 AM
>> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
>> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>>
>> On 27 February 2021 03:35 Josh T wrote:
>>> //Problem:
>>> I am unable to authenticate a domain user on a Samba domain member while the first Samba directory controller DC1 is powered off and the second Samba directory controller DC2 is powered on.
>>>
>>> While DC1 is powered on, I can log in as a domain user with no problems. While DC1 is powered off, attempting to log in usually results in waiting 60+ seconds followed by a login failure message. If I had already logged in prior to powering off DC1, then I can see the same long delay and authentication failures when entering my sudo password. Intermittently I can sometimes manage to log in while DC1 is powered off, but there is still the 60+ second delay; I haven't been able to link this intermittent behavior to any of my own troubleshooting actions. In any case, a 60+ second delay is undesirable.
>>>
>>> //Environment description:
>>> The first Samba domain controller DC1 was created following these instructions on the Samba wiki:
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>> It was provisioned using the command "samba-tool domain provision --use-rfc2307 --interactive".
>>> The BIND9_DLZ DNS backend was selected during provisioning.
>>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>>>
>>> The second Samba domain controller DC2 was created following these instructions on the Samba wiki:
>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>> It was joined using the command "samba-tool domain join my.domain.tld --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
>> The above is missing the letters "DC" in the command line. This may be the issue.
>>
>> HTH
>>
>> Roy
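Jake's point about replicating the ID mappings rests on the fact that idmap.ldb is a local database on each DC: a newly joined DC does not receive DC1's SID-to-xidNumber table through directory replication, and the wiki section he links has the administrator copy it across by hand. What follows is an added example, not code from this thread or from the Samba project, that checks whether two DCs agree by diffing LDIF dumps of their idmap.ldb. The two dumps are constructed for the example; the `ldbsearch` invocation named in the docstring is an assumption about how a practitioner would produce real ones, and the SIDs and numbers are invented.

```python
"""Compare the SID -> xidNumber mappings of two Samba DCs' idmap.ldb dumps.

Added example, not Samba project code. Assumed input: LDIF as printed by
    ldbsearch -H /var/lib/samba/private/idmap.ldb objectClass=sidMap
run on each DC; the two texts are then passed to compare_idmaps().
"""
import re

# Constructed sample dump from DC1 (the provisioning DC). Attribute names are
# those of Samba's idmap.ldb; the SIDs and numbers here are invented.
DC1_IDMAP = """\
# record 1
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000002

# returned 3 records
"""

# Constructed dump from DC2, joined without copying idmap.ldb: it allocated
# its own numbers, so the built-in groups came out swapped and a different
# user received 3000002.
DC2_IDMAP = """\
dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-1106
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1106
type: ID_TYPE_UID
xidNumber: 3000002
"""


def parse_idmap_ldif(text):
    """Return {sid: (xidNumber, type)} for every sidMap record in an LDIF dump.

    Skips '#' comment lines and joins LDIF continuation lines (leading space).
    Base64 ('::') values are not decoded; ldbsearch prints SIDs as strings.
    """
    mappings = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs, last = {}, None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            if line.startswith(" ") and last:  # continuation of previous value
                attrs[last] += line[1:]
                continue
            key, _, value = line.partition(":")
            last = key.strip().lower()
            attrs[last] = value.strip()
        if attrs.get("objectclass") != "sidMap" or "objectsid" not in attrs:
            continue
        mappings[attrs["objectsid"]] = (int(attrs["xidnumber"]), attrs.get("type", "?"))
    return mappings


def compare_idmaps(dc1, dc2):
    """Find every way the two mapping tables disagree."""
    shared = set(dc1) & set(dc2)
    # Same SID, different UID/GID: ownership of that SID's files changes
    # depending on which DC answered the lookup.
    conflicting = sorted((sid, dc1[sid][0], dc2[sid][0])
                         for sid in shared if dc1[sid][0] != dc2[sid][0])
    # Same UID/GID handed to different SIDs: one numeric ID on disk now
    # names two different principals.
    by_xid1 = {xid: sid for sid, (xid, _) in dc1.items()}
    by_xid2 = {xid: sid for sid, (xid, _) in dc2.items()}
    collisions = sorted((xid, by_xid1[xid], by_xid2[xid])
                        for xid in set(by_xid1) & set(by_xid2)
                        if by_xid1[xid] != by_xid2[xid])
    return {
        "conflicting": conflicting,
        "only_in_dc1": sorted(set(dc1) - set(dc2)),  # informational only
        "only_in_dc2": sorted(set(dc2) - set(dc1)),
        "xid_collisions": collisions,
    }


def is_consistent(result):
    """True when both DCs hand out the same ID for every SID they both know."""
    return not (result["conflicting"] or result["xid_collisions"])


if __name__ == "__main__":
    result = compare_idmaps(parse_idmap_ldif(DC1_IDMAP), parse_idmap_ldif(DC2_IDMAP))
    for sid, a, b in result["conflicting"]:
        print(f"CONFLICT  {sid}: DC1 xid={a}  DC2 xid={b}")
    for xid, a, b in result["xid_collisions"]:
        print(f"COLLISION xid {xid}: DC1 -> {a}  DC2 -> {b}")
    print("consistent" if is_consistent(result)
          else "idmap.ldb differs; copy it from DC1 as the wiki page describes")
```

SIDs that only one DC has mapped are reported but not treated as inconsistent, since the other DC simply has not allocated a number for them yet; the conflicts and collisions are the cases that make file ownership depend on which DC answered.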
Dale
2021-Mar-09 03:42 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
Jake, I can't speak for the others in this thread, but I can vouch that I did do the replication.

Thanks,
Dale

On 3/8/21 9:20 AM, Jake Black via samba wrote:
> This thread is already pretty long and so I'm not sure if this has been looked at yet, but my linux clients would experience this same issue unless I made sure to replicate idmappings on a new DC after it was joined:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
>
> Jake
>
> From: "Jason Keltz" <jas at eecs.yorku.ca>
> To: "Dale" <samba at txschroeder.family>
> Cc: samba at lists.samba.org
> Sent: Wednesday, March 3, 2021 10:14:07 AM
> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>
> Hi Dale/Josh,
>
> I had opened a ticket about this issue back in December (at least I think this is similar):
>
> https://bugzilla.samba.org/show_bug.cgi?id=14597
>
> I consider failover to be very important. Unfortunately, the Samba developers haven't had time to work on it. I've had a few users email me over the course of the last months stating similar problems. Maybe you or anyone else who has the problem might add a similar "me too" to the bug so that the information is all available when the developers do have time to work on it, and we can all benefit.
>
> I suppose there's still a benefit to having multiple DC for load balancing. However, yes, when the DC goes out, in my experience, there's definitely trouble.
>
> Jason.
>
> On 3/3/2021 10:25 AM, Dale via samba wrote:
>> Josh, I don't have the answer to your question, but if you ever figure it out, I would like to know the answer, too.
>>
>> The 2nd DC that I built has been of very little use. While building, it passed all the tests in the wiki. After building, I found some DNS entries that were not created during the join. Rowland kindly helped me add and/or edit the affected entries, and I hoped for better results. However, it was not to be. If the 1st DC is removed from the network, any kind of login or getent is interminably long or times out. So, while I easily see the theoretical value of having multiple DC's, I'm having trouble seeing the actual, practical benefit of having them. There is no instant failover, and often times, there is complete failure of necessary AD functions. While it's certainly possible the problem could be me, I cannot troubleshoot what the problem is.
>>
>> Dale
>>
>> On 3/1/21 6:25 PM, Josh T via samba wrote:
>>> Further fiddling with this has shown something strange. If I enter my username and password in an attempt to authenticate a domain user, it will take 60+ seconds for it to fail to log in. However, during said 60+ seconds, if I log in via SSH as a non-domain user, then the domain user login succeeds. What could cause that?
>>>
>>> ________________________________
>>> From: Roy Eastwood <spindles7 at gmail.com>
>>> Sent: Saturday, February 27, 2021 1:27 AM
>>> To: 'Josh T' <c3h4ohcooh3 at hotmail.com>; samba at lists.samba.org <samba at lists.samba.org>
>>> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>>>
>>> On 27 February 2021 03:35 Josh T wrote:
>>>> //Problem:
>>>> I am unable to authenticate a domain user on a Samba domain member while the first Samba directory controller DC1 is powered off and the second Samba directory controller DC2 is powered on.
>>>>
>>>> While DC1 is powered on, I can log in as a domain user with no problems. While DC1 is powered off, attempting to log in usually results in waiting 60+ seconds followed by a login failure message. If I had already logged in prior to powering off DC1, then I can see the same long delay and authentication failures when entering my sudo password. Intermittently I can sometimes manage to log in while DC1 is powered off, but there is still the 60+ second delay; I haven't been able to link this intermittent behavior to any of my own troubleshooting actions. In any case, a 60+ second delay is undesirable.
>>>>
>>>> //Environment description:
>>>> The first Samba domain controller DC1 was created following these instructions on the Samba wiki:
>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>>> It was provisioned using the command "samba-tool domain provision --use-rfc2307 --interactive".
>>>> The BIND9_DLZ DNS backend was selected during provisioning.
>>>> Samba version 4.11.6-Ubuntu was installed on DC1 using the apt command.
>>>>
>>>> The second Samba domain controller DC2 was created following these instructions on the Samba wiki:
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>>> It was joined using the command "samba-tool domain join my.domain.tld --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes'".
>>> The above is missing the letters "DC" in the command line. This may be the issue.
>>>
>>> HTH
>>>
>>> Roy