Stefan G. Weichinger
2017-Dec-28 13:53 UTC
[Samba] 2nd samba DC: NT_STATUS_NO_LOGON_SERVERS
I added a 2nd DC (ADC2) to a samba-ADS today.
debian-9.3, samba-4.6.11 from Louis
followed
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
replication works as far as I see
-
We wanted to test services after turning off the first DC, and running
ADC2 and a DM file-server only.
DC1/backup: 10.0.0.224
ADC2: 10.0.0.230
We then get NT_STATUS_NO_LOGON_SERVERS
On the DM server "main" we get:
# nmblookup ARBEITSGRUPPE#1c
added interface em1 ip=10.0.0.221 bcast=10.0.0.255 netmask=255.255.255.0
10.0.0.224 ARBEITSGRUPPE<1c>
10.0.0.230 ARBEITSGRUPPE<1c>
# nmblookup ARBEITSGRUPPE#1b
added interface em1 ip=10.0.0.221 bcast=10.0.0.255 netmask=255.255.255.0
10.0.0.224 ARBEITSGRUPPE<1b>
-
adc2:~# samba-tool testparm
Press enter to see a dump of your service definitions
# Global parameters
[global]
netbios name = ADC2
realm = ARBEITSGRUPPE.HIDDEN.AT
workgroup = ARBEITSGRUPPE
dns forwarder = 10.0.0.254
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/arbeitsgruppe.hidden.at/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-
main # cat /etc/resolv.conf
# Generated by net-scripts for interface eth0
search arbeitsgruppe.hidden.at
nameserver 10.0.0.230
nameserver 10.0.0.224
-
root at adc2:~# systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled;
vendor preset: enabled)
Active: active (running) since Thu 2017-12-28 14:43:39 CET; 8min ago
Docs: man:samba(8)
man:samba(7)
man:smb.conf(5)
Main PID: 1000 (samba)
Status: "smbd: ready to serve connections..."
Tasks: 22 (limit: 4915)
CGroup: /system.slice/samba-ad-dc.service
├─1000 /usr/sbin/samba
├─1001 /usr/sbin/samba
├─1002 /usr/sbin/samba
├─1003 /usr/sbin/smbd -D --option=server role
check:inhibit=yes --foreground
├─1004 /usr/sbin/samba
├─1005 /usr/sbin/samba
├─1006 /usr/sbin/samba
├─1007 /usr/sbin/samba
├─1008 /usr/sbin/samba
├─1009 /usr/sbin/samba
├─1010 /usr/sbin/samba
├─1011 /usr/sbin/samba
├─1012 /usr/sbin/samba
├─1013 /usr/sbin/samba
├─1014 /usr/sbin/samba
├─1015 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
├─1018 /usr/sbin/smbd -D --option=server role
check:inhibit=yes --foreground
├─1019 /usr/sbin/smbd -D --option=server role
check:inhibit=yes --foreground
├─1021 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
├─1022 /usr/sbin/smbd -D --option=server role
check:inhibit=yes --foreground
├─1047 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
└─1048 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
What do I miss here? Had to install "dnsutils" to make dns_update work
... I set up krb5.conf, nsswitch.conf ...
Hai Stephan,
You also need this in smb.conf:
# enable offline logins
winbind offline logon = yes
I did also test my logins with one DC turned off.
And login on the DM is no problem, or on my PCs, no problem.
I did not test the AD logins, that's because these have only Linux logins for
maintenance.
And that always works.
In a 2 DC setup, set up your nameservers first to the LAN IP of the server
itself.
Resolv.conf example in a 2 DC setup when both servers are ALREADY in the AD.
When the second DC isn't in the AD yet, switch the servers in resolv.conf.
Reboot and then switch them back as shown below and test again.
# Sample DC1.
search arbeitsgruppe.hidden.at
# DC1
nameserver 192.168.0.1
# DC2
nameserver 192.168.0.2
# Internet Fallback (optional)
#nameserver 8.8.8.8
# Sample DC2.
search arbeitsgruppe.hidden.at
# DC2
nameserver 192.168.0.2
# DC1
nameserver 192.168.0.1
# Internet Fallback (optional)
#nameserver 8.8.8.8
And you know, Samba AD DC does not run NMBD.
For the member resolv.conf which server goes first is up to you, but I suggest you
also lower the timeout.
These are good; adjust to your needs if you want a bit quicker logins when a DC
is off/down.
# options to add in resolv.conf
# timeout, default 30 sec.
options timeout:3
# attempts defaults to 5.
options attempts:2
# Rotate between the name servers.
options rotate
Greetz,
Louis
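As an added example (not code from the thread or from Samba), here is a small POSIX sh audit that checks a resolv.conf against the advice above: a DC's own LAN IP listed first, a second nameserver as fallback, and a lowered resolver timeout. It assumes awk and mktemp are available and that the file path and the host's own IP are passed as arguments; the two sample files are constructed inline using the 192.168.0.x addresses from the samples above.

```shell
#!/bin/sh
# Audit a resolv.conf against the 2 DC advice in this thread (added example,
# not part of the original mail). Assumes the file path and the host's own
# LAN IP are passed as arguments.

# Print the nameserver IPs in file $1, in order, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print how many nameserver lines file $1 has (always a bare integer).
resolv_nameserver_count() {
    awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$1"
}

# Print the value of "options <name>:<value>" in file $1 for name $2 (empty
# when absent); for flag options such as "rotate" print the name itself.
resolv_option() {
    awk -v want="$2" '$1 == "options" {
        for (i = 2; i <= NF; i++) {
            n = split($i, kv, ":")
            if (kv[1] == want) print (n > 1 ? kv[2] : kv[1])
        }
    }' "$1"
}

# Print the names of failed checks for file $1 and own IP $2, space separated.
# An empty line means every check passed. Checks: own IP first, at least two
# nameservers, and a resolver timeout of 5s or less instead of the 30s default.
resolv_failures() {
    fails=""
    if [ "$(resolv_nameservers "$1" | head -n 1)" != "$2" ]; then
        fails="$fails self-first"
    fi
    if [ "$(resolv_nameserver_count "$1")" -lt 2 ]; then
        fails="$fails fallback"
    fi
    t=$(resolv_option "$1" timeout)
    if [ -z "$t" ] || [ "$t" -gt 5 ]; then
        fails="$fails timeout"
    fi
    echo "${fails# }"
}

# Constructed sample for DC1 (192.168.0.1): other DC first, default timeouts.
WEAK=$(mktemp)
printf 'search arbeitsgruppe.hidden.at\nnameserver 192.168.0.2\nnameserver 192.168.0.1\n' > "$WEAK"
# Constructed sample for the same DC after applying the advice above.
FIXED=$(mktemp)
printf 'search arbeitsgruppe.hidden.at\nnameserver 192.168.0.1\nnameserver 192.168.0.2\noptions timeout:3\noptions attempts:2\n' > "$FIXED"

echo "weak:  $(resolv_failures "$WEAK" 192.168.0.1)"   # weak:  self-first timeout
echo "fixed: $(resolv_failures "$FIXED" 192.168.0.1)"  # fixed: (nothing)
```

Run it against a member server's resolv.conf with any DC IP to see which of the ordering and timeout points still apply there.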
Stefan G. Weichinger
2017-Dec-28 15:07 UTC
[Samba] 2nd samba DC: NT_STATUS_NO_LOGON_SERVERS
On 2017-12-28 at 15:55, L.P.H. van Belle via samba wrote:
> Hai Stephan,
>
> You also need this in smb.conf:
>
> # enable offline logins
> winbind offline logon = yes

On which server(s)? The DCs? The DM?

> I did also test my logins with one DC turned off.
> And login on the DM is no problem, or on my PCs, no problem.
>
> I did not test the AD logins, that's because these have only Linux logins for maintenance.
> And that always works.

We have logins via ADC2 working for 15 mins now. I have set up sysvol-rsync (works), but the ADC2 logs failing access to the ADC1. Seems as if the GPOs point to ADC1 somehow?

> In a 2 DC setup, set up your nameservers first to the LAN IP of the server itself.
> Resolv.conf example in a 2 DC setup when both servers are ALREADY in the AD.
> When the second DC isn't in the AD yet, switch the servers in resolv.conf.
> Reboot and then switch them back as shown below and test again.
>
> # Sample DC1.
> search arbeitsgruppe.hidden.at
> # DC1
> nameserver 192.168.0.1
> # DC2
> nameserver 192.168.0.2
> # Internet Fallback (optional)
> #nameserver 8.8.8.8
>
> # Sample DC2.
> search arbeitsgruppe.hidden.at
> # DC2
> nameserver 192.168.0.2
> # DC1
> nameserver 192.168.0.1
> # Internet Fallback (optional)
> #nameserver 8.8.8.8
>
> And you know, Samba AD DC does not run NMBD.

I think we have that quite this way already, will check later.

> For the member resolv.conf which server goes first is up to you, but I suggest you also lower the timeout.
> These are good; adjust to your needs if you want a bit quicker logins when a DC is off/down.
> # options to add in resolv.conf
> # timeout, default 30 sec.
> options timeout:3
> # attempts defaults to 5.
> options attempts:2
> # Rotate between the name servers.
> options rotate

ok