Dale
2021-Mar-04 16:49 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 3/4/21 10:29 AM, Rowland penny via samba wrote:
> On 04/03/2021 15:48, Dale via samba wrote:
>> Unfortunately, after making the resolv.conf and krb5.conf changes,
>> things actually became worse. All connection attempts timed out,
>> even after reverting krb5.conf back to the way it was. For
>> completeness, I disabled pam_winbind.conf to make sure that a cached
>> login was not interfering.
>>
>> The strange thing is that I can see all sorts of successful SRV query
>> results in the BIND query logs of DC2. The "options rotate" in
>> resolv.conf has had a significant effect. Counting the SRV queries
>> in old BIND log files (query.log.x) shows only a handful of SRV
>> queries per log file. Since adding the rotate option, SRV queries
>> are in the 1000's per log file. So, it's doing something, but not
>> failover in any form or fashion.
>>
>
> Trying to understand this, without any of Louis's suggestions in
> place, then if DC1 disappears, authentication stops and there is
> nothing in the logs on DC2. With Louis's suggestions and if DC1
> disappears, authentication still stops, but you get log messages on DC2.
>
> Is the above true ? If it is, it is pointing at a problem on DC2.
>
> Rowland

A little more complicated than that, but not by much.

1. Before Louis' (and Jason's) suggestions, either long lag time before authentication or a timeout.
2. After Louis' suggestions, either long lag time before authentication or a timeout, but with a huge correlating increase in the number of SRV queries on DC2.
3. After trying krb5.conf suggestions, no authentication at all.
4. Revert the krb5.conf suggestions, but still no authentication.

It certainly looks like DC2, but it passes every test that the wiki has, plus every additional one that you and Louis gave me to try while troubleshooting various issues.

Dale
Rowland penny
2021-Mar-04 17:03 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 04/03/2021 16:49, Dale via samba wrote:
>
> A little more complicated than that, but not by much.
>
> 1. Before Louis' (and Jason's) suggestions, either long lag time
> before authentication or a timeout.

Understood, but was there anything in the logs on DC2 ?

> 2. After Louis' suggestions, either long lag time before
> authentication or a timeout, but with a huge correlating increase in
> the number of SRV queries on DC2.

If there wasn't anything in the logs on DC2 before adding Louis's, but there is afterwards, then this would suggest that Louis's suggestions are working.

>
> 3. After trying krb5.conf suggestions, no authentication at all.
> 4. Revert the krb5.conf suggestions, but still no authentication.

I am a bit doubtful about the krb5.conf modifications, I have never used them, but they seem to be valid, so who knows ?

>
> It certainly looks like DC2, but it passes every test that the wiki
> has, plus every additional one that you and Louis gave me to try while
> troubleshooting various issues.

Perhaps we have missed something ?

Rowland