Ole Traupe
2015-Dec-17 12:50 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 11.12.2015 at 15:31, L.P.H. van Belle wrote:
> Commented in between.
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>> Sent: Friday, 11 December 2015 14:59
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>
>> Hi folks,
>>
>> a) thank you all for your help, I highly appreciate your time and effort,
>> and I am sure I can resolve this issue very soon!
>> b) I have to delay this until early next week, as I have to attend to
>> other matters for now.
>>
>> All I can say, Louis, is that I won't set up a new DC to resolve this -
>> at least not for now. This seems to be another problem of Samba4 not
>> being able to deal with multiple DCs properly. And this has to be able
>> to be resolved on an otherwise working domain without changing its
>> architecture or other more drastic measures. This is my point of view at
>> the moment. Your suggestion reminds me a bit of some typical forum
>> replies to "Reinstall the OS" in case of any problems that can't be
>> solved in an instant.
> [L.P.H. van Belle]
> I don't think this is another problem of Samba4, but this is a problem which started in the beginning of your install, at least that's what I suspect based on all your info on the list.
> I suspect that, when you "installed" the new DC with the old name/IP,

Yes, maybe, but why/how?

> you forgot somewhere to remove old entries in AD and/or DNS.

Not that I know of. This is pure speculation. My domain is not that large and I can go through all DNS records in 5 min. There wasn't anything left pointing to the demoted DC.

> And this is why I suggested it, normally I don't suggest something like this, but I do think that if you set up clean you will have a better running server with less problems, but what you choose is all up to you.
> Do what you think is best for you.

I am still considering this as a last resort.

>
>> If necessary, I will just create the missing DNS entries of my 2nd DC by
>> hand. Although I would prefer a working script supplied by a
>> professional (which I am not). At least I would like to know which DNS
>> entries for my 2nd DC are essential for logins to work. I wouldn't very
>> much like to try this out. However, I am aware that your time is as
>> limited as mine (if not even more so), and you are in no obligation in
>> any way.
> [L.P.H. van Belle]
>
>> ). At least I would like to know which DNS
>> entries for my 2nd DC are essential for logins to work.
> And what you ask here is already answered a few times imo.

Where? Point me to it, please!

>
> Again, you're quicker with a clean install, and you learn more from it.
> And with clean, I don't mean dropping your AD, just add a new "DC Join" to hold the AD data so you can remove the faulty server and then you can install that server again, but now as it should.
> AND when you join a DC your login problem is fixed also. ;-)

I somehow doubt that. Still it seems that no one here has an idea of why log-on from member servers isn't working properly (for me). However, in the meantime I have created all the necessary DNS records. This can't be the issue anymore.

>
>
>> Besides, I didn't forget to delete anything. I used the script from the
>> wiki to get rid of old records pertaining to my former 1st DC after I
>> had created the records of my *new* 1st DC. I checked the results:
>> everything related to my former first DC was gone. Also I
>> documented/discussed this process here on the list. And nobody pointed
>> me to things I forgot or was leaving out. I know that use of this script
>> was totally "on my own risk". But the results were as they should have
>> been, at least as far as I am able to tell.
> [L.P.H. van Belle]
> Which script? Can anyone point that one out for me, I can't find it.
> I only know about
> https://bugzilla.samba.org/show_bug.cgi?id=10595

It is this one: https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content

>
>> That said, I will go through your responses and get back to you with
>> results.
>>
>> Best, have a good weekend!
>> Ole
> [L.P.H. van Belle]
> Thank you, and have a very good weekend also, I hope your problem is fixed soon.

Thanks, me too.

Ole

>
>>
>> On 11.12.2015 at 13:33, mathias dufresne wrote:
>>> Thank you Rowland for noticing that.
>>>
>>> Here it is:
>>> ------------------------------------------------------------------
>>> #!/usr/bin/awk -f
>>>
>>> BEGIN {
>>>     ad_zone = "YOUR.DOMAIN.TLD"
>>>     msdcs_zone = "_msdcs." ad_zone
>>>     dns_server = "YOUR-DC"
>>> }
>>> {
>>>     # each "UPDATE SECTION:" header is followed by one record line:
>>>     # name TTL class type rdata...
>>>     if ($0 ~ /UPDATE SECTION:/) {
>>>         getline
>>>         print NF, $0
>>>         if ($4 == "A") {
>>>             # records under _msdcs live in their own zone
>>>             if ($1 ~ /_msdcs/) {
>>>                 zone = msdcs_zone
>>>             } else {
>>>                 zone = ad_zone
>>>             }
>>>             # strip the zone suffix: samba-tool wants the name relative to the zone
>>>             record = $1
>>>             regexp = "." zone "."
>>>             sub(regexp, "", record)
>>>             # add the record to the zone selected above
>>>             cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes"
>>>             #cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " " $2
>>>             print cmd
>>>             cmd | getline
>>>             close(cmd)
>>>         }
>>>         if ($4 == "SRV") {
>>>             if ($1 ~ /_msdcs/) {
>>>                 zone = msdcs_zone
>>>             } else {
>>>                 zone = ad_zone
>>>             }
>>>             record = $1
>>>             regexp = "." zone "."
>>>             sub(regexp, "", record)
>>>             # nsupdate prints "priority weight port target" ($5 $6 $7 $8);
>>>             # samba-tool expects "target port priority weight"
>>>             cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
>>>             #cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' " $2
>>>             print cmd
>>>             cmd | getline
>>>             close(cmd)
>>>         }
>>>     }
>>> }
>>> ------------------------------------------------------------------
>>>
>>> This script does not take into account missing NS records as
>>> samba_dnsupdate does not try to create them.
>>>
>>>
>>> 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>>
>>>> On 11/12/15 10:29, mathias dufresne wrote:
>>>>
>>>>> Hi Ole,
>>>>>
>>>>> Using internal DNS, samba_dnsupdate does not work correctly, at least not
>>>>> every time.
>>>>>
>>>>> Someone modified this samba_dnsupdate tool, commenting out this line:
>>>>> os.unlink(tmpfile)
>>>>> which should be line 413.
>>>>>
>>>>> Doing that he was able to get the files generated by samba_dnsupdate to use
>>>>> them as argument of the nsupdate command (without -g switch and with "allow
>>>>> dns updates = nonsecure" in smb.conf).
>>>>>
>>>>> I was not able to make that process work here but I did not try hard. As
>>>>> this process was sent directly to me I share it.
>>>>>
>>>>> The process I use to generate all DNS records is to run samba_dnsupdate
>>>>> --all-names --verbose and send the output of that command to the attached awk
>>>>> script.
>>>>> The awk script gets information from samba_dnsupdate for each record and
>>>>> launches samba-tool to create the DNS record. This script is not clever: it
>>>>> tries to create all mentioned DNS records, generating warnings when a record
>>>>> already exists.
>>>>>
>>>>> You will have to modify this awk script as the BEGIN section contains fake
>>>>> information related to the AD domain:
>>>>>
>>>>> BEGIN {
>>>>>     ad_zone = "YOUR.DOMAIN.TLD"
>>>>>     msdcs_zone = "_msdcs." ad_zone
>>>>>     dns_server = "YOUR-DC"
>>>>> }
>>>>>
>>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
>>>>> configuration.
>>>>>
>>>>> The awk script uses Kerberos authentication when running samba-tool so you
>>>>> will need to generate a Kerberos ticket for some AD admin before:
>>>>> 1°) kinit administrator
>>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
>>>>>
>>>>> As it is not an issue to try to create an entry which already exists you can
>>>>> run that script on each DC to assure you all entries are correctly
>>>>> created on all DCs.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> mathias dufresne
>>>>>
>>>>>
>>>> There is a flaw with your script!
>>>>
>>>> This mailing list strips off attachments, you are going to have to paste
>>>> it into the post. :-)
>>>>
>>>> Rowland
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>
>
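The record-generation procedure mathias describes in the quoted message above (feed `samba_dnsupdate --verbose` output to a script that emits `samba-tool dns add` commands), as an added Python example that is not the thread's awk script: it parses the same 'UPDATE SECTION:' lines, picks the `_msdcs` or the AD zone per record rather than one zone for everything, and skips owner names outside the domain. The zone and server names are placeholders and the sample input is constructed.

```python
"""Convert the 'UPDATE SECTION:' blocks printed by samba_dnsupdate --verbose
(the input the thread's awk script parses) into samba-tool dns add commands.
Added example, not the thread's script; zone/host names are placeholders."""
import shlex
AD_ZONE = "your.domain.tld"  # placeholder: the AD DNS domain
DNS_SERVER = "your-dc"       # placeholder: DC whose DNS server gets the records

# Constructed sample: one A record in _msdcs, one SRV record in the AD zone.
SAMPLE = """\
;; UPDATE SECTION:
dc2._msdcs.your.domain.tld. 900 IN A 10.0.0.2

;; UPDATE SECTION:
_ldap._tcp.your.domain.tld. 900 IN SRV 0 100 389 dc2.your.domain.tld.
"""

def parse_updates(text, ad_zone=AD_ZONE):
    """Return (zone, relative_name, rtype, rdata) per A/SRV record after a marker."""
    msdcs_zone = "_msdcs." + ad_zone
    lines = text.splitlines()
    records = []
    for i, line in enumerate(lines):
        if "UPDATE SECTION:" not in line or i + 1 >= len(lines):
            continue
        f = lines[i + 1].split()  # name TTL class type rdata...
        need = 8 if len(f) > 3 and f[3] == "SRV" else 5
        if len(f) < need or f[3] not in ("A", "SRV"):
            continue
        name = f[0].rstrip(".")
        # Names under _msdcs.<domain> belong to that separate zone; the rest to the AD zone.
        if name.endswith("." + msdcs_zone):
            zone = msdcs_zone
        elif name == ad_zone or name.endswith("." + ad_zone):
            zone = ad_zone
        else:
            continue  # foreign name: nothing samba-tool could add here
        # samba-tool wants the name relative to the zone ('@' for the apex).
        relative = "@" if name == zone else name[: -(len(zone) + 1)]
        if f[3] == "A":
            rdata = f[4]
        else:  # nsupdate prints 'prio weight port target';
            prio, weight, port, target = f[4:8]  # samba-tool wants
            rdata = f"{target} {port} {prio} {weight}"  # 'target port prio weight'
        records.append((zone, relative, f[3], rdata))
    return records

def samba_tool_cmds(records, dns_server=DNS_SERVER):
    # Kerberos auth, so run kinit for an AD admin first (as in the thread).
    return ["samba-tool dns add %s %s %s %s %s --kerberos=yes"
            % (dns_server, zone, rel, rtype, shlex.quote(rdata))
            for zone, rel, rtype, rdata in records]
```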
Rowland penny
2015-Dec-17 13:32 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17/12/15 12:50, Ole Traupe wrote:
>
> I somehow doubt that. Still it seems that no one here has an idea of
> why log-on from member servers isn't working properly (for me).
> However, in the meantime I have created all the necessary DNS records.
> This can't be the issue anymore.
>
>

If you are sure that you now have all the DNS records for both DCs in AD, then I would agree that this is probably not the issue (there is just the 0.1% chance you are still missing something).

Can your domain members find the DCs?
Do your domain members have a FQDN?
Are they joined to the domain?
What have you got in smb.conf on the domain members?

You may have posted all or some of this before, but let's start again.

Rowland
Ole Traupe
2015-Dec-17 13:54 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland, thank you, but before we do that:

- what now with the 'gc' record? 2nd DC yes or no?
- if you say that the internal DNS is not compatible with a multi-DC setting, then we can stop here, no?

Ole

On 17.12.2015 at 14:32, Rowland penny wrote:
> On 17/12/15 12:50, Ole Traupe wrote:
>>
>> I somehow doubt that. Still it seems that no one here has an idea of
>> why log-on from member servers isn't working properly (for me).
>> However, in the meantime I have created all the necessary DNS
>> records. This can't be the issue anymore.
>>
>>
>
> If you are sure that you now have all the DNS records for both DCs in
> AD, then I would agree that this is probably not the issue (there is
> just the 0.1% chance you are still missing something).
>
> Can your domain members find the DCs?
> Do your domain members have a FQDN?
> Are they joined to the domain?
> What have you got in smb.conf on the domain members?
>
> You may have posted all or some of this before, but let's start again.
>
> Rowland
>
Ole Traupe
2015-Dec-17 14:46 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17.12.2015 at 14:32, Rowland penny wrote:
> On 17/12/15 12:50, Ole Traupe wrote:
>>
>> I somehow doubt that. Still it seems that no one here has an idea of
>> why log-on from member servers isn't working properly (for me).
>> However, in the meantime I have created all the necessary DNS
>> records. This can't be the issue anymore.
>>
>>
>
> If you are sure that you now have all the DNS records for both DCs in
> AD, then I would agree that this is probably not the issue (there is
> just the 0.1% chance you are still missing something).
>
> Can your domain members find the DCs?
> Do your domain members have a FQDN?
> Are they joined to the domain?
> What have you got in smb.conf on the domain members?
>
> You may have posted all or some of this before, but let's start again.
>
> Rowland
>

Ok, there were still records missing (according to "samba_dnsupdate --verbose"). I added them manually, and now I get "No DNS updates needed" on both my DCs.

Still/again: "kinit" takes more than a minute on member servers, and login via ssh is impossible now (times out eventually).

Some questions:

- what about that corrupted record I mentioned earlier, how can I get rid of it?
- why does "samba_dnsupdate --verbose" on DC1 check records only against 1 instance (record from DC1), while the same command issued on DC2 checks records against both existing instances (records from DC1 and DC2)?
- why does the DNS update fail in the first place? Will I have the same problem again with the next DC I set up?
- why do I still have the login problems?

Ole