Frank
2022-Apr-22 07:50 UTC
[Samba] Samba 4 AD member loses membership after DC reboot (SOLVED)
Hi everybody,

just in case someone has a similar issue, maybe this can help.

The problem was the DNS configuration and the way the DNS resolver works on Ubuntu 20.04.

The way the DNS resolver uses DNS servers is often confused. It is supposed that when the first DNS server goes offline, the resolver uses the next one on the list. But how long does this change take? And when the first DNS server comes back online, is it used again as the first DNS server for lookups?

Well, on Ubuntu 20.04, which uses netplan by default, DNS resolution works in a dynamic way, and as expected. So, when the first DNS server in the list goes offline, within a few seconds the second one (if there is any) takes its place, and it remains the first, even if the previous first DNS server comes back online. You can see this with the "resolvectl status" command.

In my case, the first DNS server in the list was the DC, as expected, but the next two were global DNS servers that were unable to resolve AD queries.

So when the DC went offline, maybe just for a reboot, members took the second DNS server and set it as their first one, even when the DC came back online. We thought that when the first DNS server in the list was up again it would be used again as the first one, but that is not how it works. That made members unable to work with the AD, unable to find any DC. Just a reboot of the member, or a "netplan apply", made the DC the first DNS server used again.

Solution: set up ONLY DCs as DNS servers on domain members. Perhaps it sounds obvious, but it has been a nightmare for us.

Best regards.


Francesc Bassas Serramià
Serveis Informàtics Campus Terrassa
C/ Colom 2
08222 Terrassa (Barcelona)
Phone: 93.73.98630
https://serveis.terrassa.upc.edu/sict

On 1/4/2022 at 14:00, samba-request at lists.samba.org wrote:
> Subject:
> Re: [Samba] Samba 4 AD member loses membership after DC reboot
> From:
> Rowland Penny <rpenny at samba.org>
> Date:
> 31/3/2022, 15:56
>
> To:
> samba at lists.samba.org
>
>
> On Thu, 2022-03-31 at 14:29 +0200, Frank via samba wrote:
>> Hi Rowland,
>>
>> thanks for your quick response.
>>
>> Here it is a member smb.conf:
>>
>> # Global parameters
>> [global]
>>         workgroup = UPC-CT
>>         realm = UPC-CT.UPC.EDU
>>         netbios name = RADI
>>         netbios aliases = RADI.UPC.ES RADI.UPC.EDU
> You cannot use netbios aliases on a Unix domain member, use a CNAME
> instead.
>
>>         security = ADS
>>
>>         log level = 5
>>         username map = /var/lib/samba/user.map
>>
>>         winbind enum users = yes
>>         winbind enum groups = yes
> Remove the above two lines when you are sure everything is working
> correctly, they should not be used in production.
>
>>         winbind nss info = rfc2307
>>         winbind use default domain = Yes
>>         winbind refresh tickets = yes
>>         winbind offline logon = yes
>>         winbind cache time = 60
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 100-499
>>         idmap config UPC-CT:backend = ad
>>         idmap config UPC-CT:schema_mode = rfc2307
>>         idmap config UPC-CT:range = 500-999999
>>         idmap config UPC-CT:unix_nss_info = yes
> Was this an upgrade from an NT4-style domain?
> Even if it was, your '*' range is clobbering local system users.
>
> Rowland
>
>
>
--
This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.
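An added check for the situation Frank describes (not code from the thread or from Samba): it parses the output of "resolvectl status" on a domain member and flags any configured or currently used resolver that is not a DC, so the "second resolver stuck as first" state is visible without reading the output by hand. The addresses and the domain below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): audit "resolvectl status" output on a
# Samba domain member and flag any configured or currently used DNS server that
# is not a DC. Addresses and the domain below are constructed placeholders.
# Constructed sample modelled on Frank's situation: DC listed first, two public
# resolvers after it, and systemd-resolved has switched to one of them.
SAMPLE_BAD='Link 2 (ens3)
      Current Scopes: DNS
DefaultRoute setting: yes
 Current DNS Server: 203.0.113.53
        DNS Servers: 192.0.2.10
                     203.0.113.53
                     198.51.100.53
         DNS Domain: ad.example.com'

# Constructed sample of the fixed configuration: only DCs are listed.
SAMPLE_GOOD='Link 2 (ens3)
      Current Scopes: DNS
DefaultRoute setting: yes
 Current DNS Server: 192.0.2.10
        DNS Servers: 192.0.2.10
                     192.0.2.11
         DNS Domain: ad.example.com'

# non_dc_servers OUTPUT "DC1 DC2 ...": print each address in the "DNS Servers:"
# list that is not one of the given DCs (one per line; nothing when clean).
# Continuation lines of the list hold only an address (IPv4 or IPv6).
non_dc_servers() {
    printf '%s\n' "$1" | awk -v dcs="$2" '
        BEGIN { n = split(dcs, a, " "); for (i = 1; i <= n; i++) dc[a[i]] = 1 }
        /DNS Servers:/ { inlist = 1; sub(/.*DNS Servers:[ \t]*/, "")
                         if ($0 != "" && !($0 in dc)) print; next }
        inlist && /^[ \t]+[0-9A-Fa-f:.%]+[ \t]*$/ { gsub(/[ \t]/, "")
                         if (!($0 in dc)) print; next }
        { inlist = 0 }'
}

# current_dns_server OUTPUT: print the server systemd-resolved is querying now.
current_dns_server() {
    printf '%s\n' "$1" | awk '/Current DNS Server:/ { sub(/.*Current DNS Server:[ \t]*/, ""); print; exit }'
}

# check_member_dns OUTPUT "DC1 DC2 ...": succeed only when every listed server and
# the current one are DCs; otherwise print what is wrong and fail.
check_member_dns() {
    bad=$(non_dc_servers "$1" "$2"); cur=$(current_dns_server "$1"); rc=0
    [ -n "$bad" ] && { echo "non-DC resolvers configured:" $bad; rc=1; }
    case " $2 " in *" $cur "*) ;; *) echo "current DNS server $cur is not a DC"; rc=1 ;; esac
    return $rc
}
```

On a real member, run it as `check_member_dns "$(resolvectl status)" "192.0.2.10 192.0.2.11"` with your own DC addresses; a non-zero exit means the member can end up querying a resolver that cannot answer AD queries.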
Matthias Kühne | Ellerhold AG
2022-Apr-22 08:01 UTC
[Samba] Samba 4 AD member loses membership after DC reboot (SOLVED)
Hello Frank,

you could join a 2nd DC as a replica and never reboot all of them at the same time.

See here: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Best regards,
Matthias Kühne.

On 22.04.22 at 09:50, Frank via samba wrote:
> Hi everybody,
>
> just in case someone has a similar issue, maybe this can help.
>
> The problem was the DNS configuration and the way the DNS resolver works on Ubuntu
> 20.04.
> [...]
>
> Solution: set up ONLY DCs as DNS servers on domain members. Perhaps it sounds
> obvious, but it has been a nightmare for us.
> [...]

--
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99
Web: www.ellerhold.de
Twitter: www.twitter.com/Ellerhold_AG
Youtube: www.youtube.com/user/ellerholdgruppe

Dresden District Court / HRB 23769
Board of Directors: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

---
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/