It now happened for the second time: out of the blue, I could not log in from Windows machines or authenticate using smbclient, while Kerberos/nslcd were still working fine, after setting a password.

The cause is that the password change didn't reach both AD DCs, but only one. The other one still had the old value, as could be seen by samba-tool ldapcmp. Restarting the DCs and waiting for a couple of seconds brings them back to sync and Windows logons work as they used to.

samba-tool drs showrepl does not show any failure, beyond: Warning: No NC replicated for Connection!

Any idea what I should do next time to obtain valuable output for debugging?

Kind regards,
 - lars.
Hello Lars,

On 11.03.2015 at 18:01, Lars Hanke wrote:
> It now happened for the second time: out of the blue, I could not log in
> from Windows machines or authenticate using smbclient, while
> Kerberos/nslcd were still working fine, after setting a password.
>
> The cause is that the password change didn't reach both AD DCs, but only
> one. The other one still had the old value, as could be seen by
> samba-tool ldapcmp. Restarting the DCs and waiting for a couple of
> seconds brings them back to sync and Windows logons work as they used to.
>
> samba-tool drs showrepl does not show any failure, beyond: Warning: No
> NC replicated for Connection!

This warning you can ignore.

> Any idea what I should do next time to obtain valuable output for
> debugging?

* What Samba version are you running?
* How many DCs?
* Can you force this problem to appear?

Just an idea: AD problems are often caused by DNS problems, and we got the keyword "DNS islanding" in another thread at the moment: Which DNS do your DCs use as primary? Their own or a different one? See http://retrohack.com/a-word-or-two-about-dns-islanding/

Regards,
Marc
Hi Marc,

>> The cause is that the password change didn't reach both AD DCs, but only
>> one. The other one still had the old value, as could be seen by
>> samba-tool ldapcmp. Restarting the DCs and waiting for a couple of
>> seconds brings them back to sync and Windows logons work as they used to.
>> Any idea what I should do next time to obtain valuable output for
>> debugging?
>
> * What Samba version are you running?

The DCs are 4.1.17-Debian.

> * How many DCs?

Just two.

> * Can you force this problem to appear?

Need some more investigation here - I did not find any way to reproduce it under arbitrary conditions.

> Just an idea: AD problems are often caused by DNS problems, and we got
> the keyword "DNS islanding" in another thread at the moment: Which DNS
> do your DCs use as primary? Their own or a different one? See
> http://retrohack.com/a-word-or-two-about-dns-islanding/

As I understood Linux resolving, there is no static primary-secondary concept for DNS. So I'll try to remove the self-dependence altogether and see if it enhances the situation.

Regards,
 - lars.
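The two checks the thread relies on by hand (reading `samba-tool drs showrepl` for failures while ignoring the benign "No NC replicated for Connection!" warning, and comparing an account's password state on both DCs the way `samba-tool ldapcmp` does) can be turned into something a monitor runs after every password change. The script below is an added example written for this thread; it is not code from the Samba project or from either poster. It assumes the showrepl output and the per-DC `ldbsearch` LDIF dumps have been captured to text; the samples embedded here are constructed, with made-up GUIDs, timestamps and the account name `lars`.

```python
"""Parse captured `samba-tool drs showrepl` text for replication failures and
compare a user's pwdLastSet between two DCs.  Added example, not Samba code.
All sample data below is constructed for the demonstration."""
import re

# Constructed showrepl capture: one healthy inbound link, one failing one,
# and the KCC warning the thread says can be ignored.  Real output uses tabs.
SAMPLE_SHOWREPL = (
    "Default-First-Site-Name\\DC1\n"
    "DSA Options: 0x00000001\n"
    "\n"
    "==== INBOUND NEIGHBORS ====\n"
    "\n"
    "DC=example,DC=com\n"
    "\tDefault-First-Site-Name\\DC2 via RPC\n"
    "\t\tDSA object GUID: 00000000-0000-0000-0000-000000000001\n"
    "\t\tLast attempt @ Wed Mar 11 18:01:00 2015 CET was successful\n"
    "\t\t0 consecutive failure(s).\n"
    "\t\tLast success @ Wed Mar 11 18:01:00 2015 CET\n"
    "\n"
    "CN=Configuration,DC=example,DC=com\n"
    "\tDefault-First-Site-Name\\DC2 via RPC\n"
    "\t\tDSA object GUID: 00000000-0000-0000-0000-000000000001\n"
    "\t\tLast attempt @ Wed Mar 11 18:01:00 2015 CET failed, result 1722\n"
    "\t\t3 consecutive failure(s).\n"
    "\t\tLast success @ Wed Mar 11 12:00:00 2015 CET\n"
    "\n"
    "==== KCC CONNECTION OBJECTS ====\n"
    "\n"
    "Warning: No NC replicated for Connection!\n"
)

# Constructed LDIF as `ldbsearch -H ldap://<dc> ... '(sAMAccountName=lars)'
# pwdLastSet` prints it; the two DCs disagree, as in the thread.
SAMPLE_DC1 = "dn: CN=lars,CN=Users,DC=example,DC=com\npwdLastSet: 130706784600000000\n"
SAMPLE_DC2 = "dn: CN=lars,CN=Users,DC=example,DC=com\npwdLastSet: 130700000000000000\n"

SECTION_RE = re.compile(r"^==== (\w+) NEIGHBORS ====")
FAIL_RE = re.compile(r"^\s*(\d+) consecutive failure\(s\)\.")
BENIGN_WARNING = "Warning: No NC replicated for Connection!"


def parse_showrepl(text):
    """Return one dict per (direction, partition, neighbour) link, with the
    consecutive-failure count showrepl reports for it."""
    links = []
    direction = partition = neighbour = None
    for line in text.splitlines():
        if line.startswith("===="):
            m = SECTION_RE.match(line)
            direction = m.group(1) if m else None  # leave non-neighbour sections
            continue
        if direction is None or not line.strip():
            continue
        if not line.startswith("\t"):
            partition = line.strip()          # naming context, e.g. DC=example,DC=com
        elif not line.startswith("\t\t"):
            neighbour = line.strip()          # replication partner, e.g. ...\DC2 via RPC
        else:
            m = FAIL_RE.match(line)
            if m:
                links.append({"direction": direction, "partition": partition,
                              "neighbour": neighbour, "failures": int(m.group(1))})
    return links


def failing_links(text):
    """Links with at least one consecutive failure; these, not the KCC
    warning, are what to look at when a change does not reach a DC."""
    return [l for l in parse_showrepl(text) if l["failures"] > 0]


def is_benign_warning(line):
    return line.strip() == BENIGN_WARNING


def ldif_attr(text, attr):
    """First value of `attr` in an LDIF dump, or None if absent."""
    m = re.search(r"^%s: (.+)$" % re.escape(attr), text, re.M)
    return m.group(1).strip() if m else None


def pwd_in_sync(ldif_a, ldif_b, attr="pwdLastSet"):
    """True when both DCs report the same pwdLastSet for the account."""
    a, b = ldif_attr(ldif_a, attr), ldif_attr(ldif_b, attr)
    return a is not None and a == b


if __name__ == "__main__":
    for link in failing_links(SAMPLE_SHOWREPL):
        print("replication failing:", link)
    print("pwdLastSet in sync:", pwd_in_sync(SAMPLE_DC1, SAMPLE_DC2))
```

A mismatch in `pwdLastSet` for a few seconds right after a change is ordinary replication latency; the condition from the thread is a mismatch that persists across several polls while `showrepl` still reports zero failures, which is why the comparison is worth running separately rather than trusting the failure counters alone.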