Ervin Hegedüs
2017-Nov-13 14:31 UTC
[Samba] [airween@gmail.com: DC's are still unavailable when PDC halted]
Hi folks,

sorry for the re-post, I need some help to solve this problem.

Since my previous e-mail, we made a set-up: there is a Clear Pass device (Aruba), which controls the network access for users. Between the CP and these two DC's there is a load balancer.

But, when we stopped the DC1, which was set up first, and the DC2 works continuously, then the authentication of users is stopped for a few minutes. Without LB, there is the same situation.

Looks like the DC2 (which had joined later to the domain) needs DC1.

But now, here is the original e-mail:

I've completely re-installed my DC's and Linux member. I've followed the docs step-by-step on Samba's wiki page, everything works well.

Here is what I see on my member:

# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
192.168.255.98 open-client.wificloud.local open-client

# cat /etc/resolv.conf
options timeout:1
options attempts:2
options rotate
search wificloud.local
nameserver 192.168.255.99
nameserver 192.168.255.100

first check:

# time wbinfo --ping-dc
checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded

real 0m0.017s
user 0m0.012s
sys 0m0.000s

right, seems like it works; shut down the DC above (open-ldap), and check again:

# time wbinfo --ping-dc
checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" failed
wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)

real 1m4.560s
user 0m0.008s
sys 0m0.004s

# time wbinfo --ping-dc
hecking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" succeeded

real 0m40.595s
user 0m0.008s
sys 0m0.008s

okay, it works after some sleeping...

open-ldap brought up, open-ldap2 shut down, check again:

# time wbinfo --ping-dc
checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" failed
wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)

real 0m16.309s
user 0m0.004s
sys 0m0.008s

# time wbinfo --ping-dc
checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded

real 0m1.260s
user 0m0.008s
sys 0m0.004s

well done - it works, but after the DC stops, there is too much timeout. How can I decrease it?

Thanks,

a.
Hegedüs Ervin
2017-Nov-14 10:07 UTC
[Samba] [airween@gmail.com: DC's are still unavailable when PDC halted]
Hello,

I've increased the loglevel to get some info on the client. When I turned off the DC, I got these lines in the log:

[2017/11/14 10:10:25.398269, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"
[2017/11/14 10:10:26.438916, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/11/14 10:10:26.439488, 5] ../source3/winbindd/winbindd_cm.c:1113(cm_prepare_connection)
  connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]
[2017/11/14 10:10:26.439747, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=96)
[2017/11/14 10:10:26.439965, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/11/14 10:10:26.440268, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178 at please_ignore
[2017/11/14 10:10:26.440393, 3] ../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
  cli_session_setup_spnego: using target hostname not SPNEGO principal
[2017/11/14 10:10:26.440496, 3] ../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
  cli_session_setup_spnego: guessed server principal=cifs/open-ldap2.wificloud.local at WIFICLOUD.LOCAL
[2017/11/14 10:10:26.683320, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/11/14 10:10:26.689164, 1] ../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host open-ldap2.wificloud.local!
[2017/11/14 10:10:26.689801, 3] ../source3/rpc_client/cli_pipe.c:1926(rpc_pipe_bind_step_one_done)
  rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.690068, 1] ../source3/rpc_client/cli_pipe.c:3311(cli_rpc_pipe_open_schannel_with_creds)
  cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.690203, 3] ../source3/winbindd/winbindd_cm.c:3405(cm_connect_netlogon_transport)
  Could not open schannel'ed NETLOGON pipe. Error was NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691016, 3] ../source3/winbindd/winbindd_dual_srv.c:758(_wbint_PingDc)
  could not open handle to NETLOGON pipe: NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691185, 4] ../source3/winbindd/winbindd_dual.c:1396(child_handler)
  Finished processing child request 56

So, it looks like the first message contains the preferred server list, and at the first place is the halted server:

  get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"

but the client connects to open-ldap2:

  connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]

and then comes the error message:

  rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED

... But I don't know why. Until those lines come to the log, the wbinfo timed out, and after a minute it gives:

  wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)

And the next request, it works... Why? What am I missing?

Thanks,

a.

On Mon, Nov 13, 2017 at 03:31:16PM +0100, Ervin Hegedüs wrote:
> Hi folks,
>
> sorry for the re-post, I need some help to solve this problem.
>
> Since my previous e-mail, we made a set-up: there is a Clear Pass
> device (Aruba), which controls the network access for users.
>
> Between the CP and these two DC's there is a load balancer.
>
> But, when we stopped the DC1, which was set up first, and the DC2
> works continuously, then the authentication of users is stopped
> for a few minutes. Without LB, there is the same situation.
>
> Looks like the DC2 (which had joined later to the domain) needs
> DC1.
>
> But now, here is the original e-mail:
>
> I've completely re-installed my DC's and Linux member. I've
> followed the docs step-by-step on Samba's wiki page, everything
> works well.
>
> Here is what I see on my member
>
> # cat /etc/hosts
> 127.0.0.1 localhost localhost.localdomain
>
> 192.168.255.98 open-client.wificloud.local open-client
>
>
> # cat /etc/resolv.conf
> options timeout:1
> options attempts:2
> options rotate
> search wificloud.local
> nameserver 192.168.255.99
> nameserver 192.168.255.100
>
> first check:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded
>
> real 0m0.017s
> user 0m0.012s
> sys 0m0.000s
>
> right, seems like it works; shut down the DC above
> (open-ldap), and check again:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" failed
> wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)
>
> real 1m4.560s
> user 0m0.008s
> sys 0m0.004s
> # time wbinfo --ping-dc
> hecking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" succeeded
>
> real 0m40.595s
> user 0m0.008s
> sys 0m0.008s
>
> okay, it works after some sleeping...
> open-ldap brought up,
> open-ldap2 shut down, check again:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" failed
> wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)
>
> real 0m16.309s
> user 0m0.004s
> sys 0m0.008s
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded
>
> real 0m1.260s
> user 0m0.008s
> sys 0m0.004s
>
> well done - it works, but after the DC stops, there is too much
> timeout. How can I decrease it?
>
> Thanks,
>
> a.
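The log analysis in the second message (preferred DC list, the DC actually contacted, the NETLOGON bind status) is the kind of thing worth pulling out of a winbindd log automatically when measuring DC failover on a member server. The script below is an added example written for this thread; it is not code from the thread or from the Samba project. It assumes Samba's usual two-line log layout (a `[timestamp, level] file:line(function)` header followed by an indented message line), and the sample log it parses is constructed from the lines quoted above, so it runs offline without a domain.

```python
import re
from datetime import datetime

# Samba log header: "[YYYY/MM/DD HH:MM:SS.ffffff,  L] ../path/file.c:NNN(function)" (assumed layout)
HEADER_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*'
    r'(?P<src>[^()\s]+)\((?P<func>[^)]+)\)\s*(?P<msg>.*)$'
)
# Message patterns taken from the winbindd/rpc_client lines quoted in the thread
PREFERRED_RE = re.compile(r'preferred server list: "([^"]*)"')
CONNECT_RE = re.compile(r'connecting to (\S+) from ')
BIND_RE = re.compile(r'host (\S+) bind request returned (NT_STATUS_\w+)')
PING_RE = re.compile(r'could not open handle to NETLOGON pipe: (NT_STATUS_\w+)')

# Constructed sample, modelled on the log excerpt posted above (not a captured file).
SAMPLE_LOG = """\
[2017/11/14 10:10:25.398269,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"
[2017/11/14 10:10:26.439488,  5] ../source3/winbindd/winbindd_cm.c:1113(cm_prepare_connection)
  connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]
[2017/11/14 10:10:26.689164,  1] ../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host open-ldap2.wificloud.local!
[2017/11/14 10:10:26.689801,  3] ../source3/rpc_client/cli_pipe.c:1926(rpc_pipe_bind_step_one_done)
  rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691016,  3] ../source3/winbindd/winbindd_dual_srv.c:758(_wbint_PingDc)
  could not open handle to NETLOGON pipe: NT_STATUS_NETWORK_ACCESS_DENIED
"""


def parse(text):
    """Split a Samba log into events; message lines are folded into the preceding header."""
    events = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m["level"]),
                "func": m["func"],
                "msg": m["msg"].strip(),
            }
            events.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return events


def analyze(text):
    """Extract the DC selection and NETLOGON outcome from one wbinfo --ping-dc attempt."""
    events = parse(text)
    result = {"preferred": [], "attempted": [], "bind_failures": [],
              "final_status": None, "skipped": [], "elapsed_s": 0.0}
    for ev in events:
        msg = ev["msg"]
        m = PREFERRED_RE.search(msg)
        if m:
            result["preferred"] = [h.strip() for h in m.group(1).split(",") if h.strip()]
            continue
        m = CONNECT_RE.search(msg)
        if m:
            result["attempted"].append(m.group(1))
            continue
        m = BIND_RE.search(msg)
        if m:
            result["bind_failures"].append((m.group(1), m.group(2)))
            continue
        m = PING_RE.search(msg)
        if m:
            result["final_status"] = m.group(1)
    if events:
        result["elapsed_s"] = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
    # DCs listed ahead of the first DC actually contacted were never reached in this attempt
    if result["preferred"] and result["attempted"]:
        first = result["attempted"][0]
        for host in result["preferred"]:
            if host in (first, "*"):
                break
            if host not in result["skipped"]:
                result["skipped"].append(host)
    return result


def report(result):
    """Render the analysis as plain text (one line per finding)."""
    lines = [
        "preferred DC list: " + ", ".join(result["preferred"]),
        "listed ahead but never contacted: " + (", ".join(result["skipped"]) or "none"),
        "contacted: " + (", ".join(result["attempted"]) or "none"),
    ]
    for host, status in result["bind_failures"]:
        lines.append("NETLOGON bind failure: %s -> %s" % (host, status))
    lines.append("final PingDc status: %s" % (result["final_status"] or "ok"))
    lines.append("elapsed between first and last line: %.3f s" % result["elapsed_s"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Run against a real `log.winbindd` at log level 3 or higher, the "listed ahead but never contacted" line and the elapsed time together show how much of a failed `wbinfo --ping-dc` was spent on DCs that never answered versus on the bind that was actually refused.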