samba - Mar 2021 - Domain member cannot authenticate when first domain controller is down

On 04/03/2021 17:39, Dale via samba wrote:
>
> I'm very open to suggestions.
>
OK, I tested this on my small domain, from an rpi running 4.13.4. I did 
not change anything except for resolv.conf, which I changed to this:

# wait 2 seconds : default 5 seconds
options timeout:2
# make 1 attempt before trying next nameserver : default 2
options attempts:1
# round robin nameservers
#options rotate
search samdom.example.com
nameserver 192.168.0.8
nameserver 192.168.0.6

I commented 'rotate' because it round robins nameservers, something I 
didn't want to happen.

Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is 
dc4.samdom.example.com

Ran this command on the rpi:

time host -v -t SRV _ldap._tcp.samdom.example.com.

And got this output:

Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.??? IN??? SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389 
dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389 
dc01.samdom.example.com.

;; AUTHORITY SECTION:
samdom.example.com.??? 900??? IN??? NS??? dc4.samdom.example.com.
samdom.example.com.??? 900??? IN??? NS??? dc01.samdom.example.com.

;; ADDITIONAL SECTION:
dc4.samdom.example.com.??? 900??? IN??? A??? 192.168.0.6
dc01.samdom.example.com. 900??? IN??? A??? 192.168.0.8

Received 192 bytes from 192.168.0.8#53 in 78 ms

real??? 0m0.153s
user??? 0m0.038s
sys??? ??? 0m0.038s

So far, so good.

I then turned off bind9 on dc01 and ran the command again, this time the 
output was:

Trying "_ldap._tcp.samdom.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.??? IN??? SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389 
dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389 
dc01.samdom.example.com.

Received 132 bytes from 192.168.0.6#53 in 6 ms

real??? 0m1.074s
user??? 0m0.031s
sys? ??? 0m0.041s

As you can see, this time dc4 replied and fairly quickly.

I think you may have missing or incorrect records for DC2, I will try 
and come up with something to check your records.

Rowland

On 3/4/21 1:46 PM, Rowland penny via samba wrote:
> On 04/03/2021 17:39, Dale via samba wrote:
>>
>> I'm very open to suggestions.
>>
>
> OK, I tested this on my small domain, from an rpi running 4.13.4. I 
> did not change anything except for resolv.conf, which I changed to this:
>
> # wait 2 seconds : default 5 seconds
> options timeout:2
> # make 1 attempt before trying next nameserver : default 2
> options attempts:1
> # round robin nameservers
> #options rotate
> search samdom.example.com
> nameserver 192.168.0.8
> nameserver 192.168.0.6
>
> I commented 'rotate' because it round robins nameservers, something
I
> didn't want to happen.
>
> Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is 
> dc4.samdom.example.com
>
> Ran this command on the rpi:
>
> time host -v -t SRV _ldap._tcp.samdom.example.com.
>
> And got this output:
>
> Trying "_ldap._tcp.samdom.example.com"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.samdom.example.com.??? IN??? SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389 
> dc4.samdom.example.com.
> _ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389 
> dc01.samdom.example.com.
>
> ;; AUTHORITY SECTION:
> samdom.example.com.??? 900??? IN??? NS??? dc4.samdom.example.com.
> samdom.example.com.??? 900??? IN??? NS??? dc01.samdom.example.com.
>
> ;; ADDITIONAL SECTION:
> dc4.samdom.example.com.??? 900??? IN??? A??? 192.168.0.6
> dc01.samdom.example.com. 900??? IN??? A??? 192.168.0.8
>
> Received 192 bytes from 192.168.0.8#53 in 78 ms
>
> real??? 0m0.153s
> user??? 0m0.038s
> sys??? ??? 0m0.038s
>
> So far, so good.
>
> I then turned off bind9 on dc01 and ran the command again, this time 
> the output was:
>
> Trying "_ldap._tcp.samdom.example.com"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.samdom.example.com.??? IN??? SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389 
> dc4.samdom.example.com.
> _ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389 
> dc01.samdom.example.com.
>
> Received 132 bytes from 192.168.0.6#53 in 6 ms
>
> real??? 0m1.074s
> user??? 0m0.031s
> sys? ??? 0m0.041s
>
> As you can see, this time dc4 replied and fairly quickly.
>
> I think you may have missing or incorrect records for DC2, I will try 
> and come up with something to check your records.
>
> Rowland
Running the same commands that you did, I have good news and what I 
think might be bad news.

Good - Using the resolv.conf options values that you have (no rotate), I 
was able to log into other member servers fairly quickly.? A "getent 
user" took a little longer, but was acceptable.
Bad - Running the "time host..." command that you used returns only 2 
sections, QUESTION and ANSWER.? There is no AUTHORITY or ADDITIONAL 
section.? I don't know how essential that is.

_*Client resolv.conf
*_The client is LMDE4 and Samba is 4.13.4 from Louis' repo.
[I get consistent values from resolvconf by editing 
/etc/resolvconf/resolv.conf.d/base to get the values shown below in 
/etc/resolv.conf.]
**_**_

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.7
nameserver 192.168.0.8
search workgroup.realm.tld
options timeout:2
options attempts:1

_*Both DC's on the network*_
Trying "_ldap._tcp.workgroup.realm.tld"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48104
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.workgroup.realm.tld.	IN SRV

;; ANSWER SECTION:
_ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
_ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389 dc2.workgroup.realm.tld.

Received 158 bytes from*192.168.0.7*#53 in 6 ms

real	0m0.025s
user	0m0.010s
sys	0m0.010s

*_Ethernet cable unplugged from DC1_*
Trying "_ldap._tcp.workgroup.realm.tld"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.workgroup.realm.tld.	IN SRV

;; ANSWER SECTION:
_ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
_ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389 dc2.workgroup.realm.tld.

Received 158 bytes from*192.168.0.8*#53 in 8 ms

real	0m1.032s
user	0m0.020s
sys	0m0.005s

So, failover appears to be acceptably working now, but I can't explain 
the lack of two sections in the first "time host..." command results.

Dale

>> So, failover appears to be acceptably working now, but I can't
explain
>> the lack of two sections in the first "time host..." command
results.
Can you post your fulll bind9 config? Maybe your still missing something here. 

This is my current config as example
// named.conf.options
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        listen-on port 53 { 192.168.0.1; 127.0.0.1; };
        listen-on-v6 { ::1; };
        version "0.0.7";

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        auth-nxdomain yes
        notify no;
        empty-zones-enable no;
        minimal-responses yes;

        max-cache-size 100m;
        allow-query { 192.168.0.0/24; 127.0.0.1/32; };
        allow-query-cache { 192.168.0.0/24; 127.0.0.1/32; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        allow-transfer {
            none;
        };
};

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Dale via samba
> Verzonden: vrijdag 5 maart 2021 5:29
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Domain member cannot authenticate when first domain
> controller is down
> 
> 
> 
> On 3/4/21 1:46 PM, Rowland penny via samba wrote:
> > On 04/03/2021 17:39, Dale via samba wrote:
> >>
> >> I'm very open to suggestions.
> >>
> >
> > OK, I tested this on my small domain, from an rpi running 4.13.4. I
> > did not change anything except for resolv.conf, which I changed to
this:
> >
> > # wait 2 seconds : default 5 seconds
> > options timeout:2
> > # make 1 attempt before trying next nameserver : default 2
> > options attempts:1
> > # round robin nameservers
> > #options rotate
> > search samdom.example.com
> > nameserver 192.168.0.8
> > nameserver 192.168.0.6
> >
> > I commented 'rotate' because it round robins nameservers,
something I
> > didn't want to happen.
> >
> > Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is
> > dc4.samdom.example.com
> >
> > Ran this command on the rpi:
> >
> > time host -v -t SRV _ldap._tcp.samdom.example.com.
> >
> > And got this output:
> >
> > Trying "_ldap._tcp.samdom.example.com"
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL:
2
> >
> > ;; QUESTION SECTION:
> > ;_ldap._tcp.samdom.example.com.??? IN??? SRV
> >
> > ;; ANSWER SECTION:
> > _ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389
> > dc4.samdom.example.com.
> > _ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389
> > dc01.samdom.example.com.
> >
> > ;; AUTHORITY SECTION:
> > samdom.example.com.??? 900??? IN??? NS??? dc4.samdom.example.com.
> > samdom.example.com.??? 900??? IN??? NS??? dc01.samdom.example.com.
> >
> > ;; ADDITIONAL SECTION:
> > dc4.samdom.example.com.??? 900??? IN??? A??? 192.168.0.6
> > dc01.samdom.example.com. 900??? IN??? A??? 192.168.0.8
> >
> > Received 192 bytes from 192.168.0.8#53 in 78 ms
> >
> > real??? 0m0.153s
> > user??? 0m0.038s
> > sys??? ??? 0m0.038s
> >
> > So far, so good.
> >
> > I then turned off bind9 on dc01 and ran the command again, this time
> > the output was:
> >
> > Trying "_ldap._tcp.samdom.example.com"
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL:
0
> >
> > ;; QUESTION SECTION:
> > ;_ldap._tcp.samdom.example.com.??? IN??? SRV
> >
> > ;; ANSWER SECTION:
> > _ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389
> > dc4.samdom.example.com.
> > _ldap._tcp.samdom.example.com. 900 IN??? SRV??? 0 100 389
> > dc01.samdom.example.com.
> >
> > Received 132 bytes from 192.168.0.6#53 in 6 ms
> >
> > real??? 0m1.074s
> > user??? 0m0.031s
> > sys? ??? 0m0.041s
> >
> > As you can see, this time dc4 replied and fairly quickly.
> >
> > I think you may have missing or incorrect records for DC2, I will try
> > and come up with something to check your records.
> >
> > Rowland
> 
> Running the same commands that you did, I have good news and what I
> think might be bad news.
> 
> Good - Using the resolv.conf options values that you have (no rotate), I
> was able to log into other member servers fairly quickly.? A "getent
> user" took a little longer, but was acceptable.
> Bad - Running the "time host..." command that you used returns
only 2
> sections, QUESTION and ANSWER.? There is no AUTHORITY or ADDITIONAL
> section.? I don't know how essential that is.
> 
> _*Client resolv.conf
> *_The client is LMDE4 and Samba is 4.13.4 from Louis' repo.
> [I get consistent values from resolvconf by editing
> /etc/resolvconf/resolv.conf.d/base to get the values shown below in
> /etc/resolv.conf.]
> **_**_
> 
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.0.7
> nameserver 192.168.0.8
> search workgroup.realm.tld
> options timeout:2
> options attempts:1
> 
> _*Both DC's on the network*_
> Trying "_ldap._tcp.workgroup.realm.tld"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48104
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;_ldap._tcp.workgroup.realm.tld.	IN SRV
> 
> ;; ANSWER SECTION:
> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
> dc1.workgroup.realm.tld.
> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
> dc2.workgroup.realm.tld.
> 
> Received 158 bytes from*192.168.0.7*#53 in 6 ms
> 
> real	0m0.025s
> user	0m0.010s
> sys	0m0.010s
> 
> *_Ethernet cable unplugged from DC1_*
> Trying "_ldap._tcp.workgroup.realm.tld"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;_ldap._tcp.workgroup.realm.tld.	IN SRV
> 
> ;; ANSWER SECTION:
> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
> dc1.workgroup.realm.tld.
> _ldap._tcp.workgroup.realm.tld.	900 IN SRV 0 100 389
> dc2.workgroup.realm.tld.
> 
> Received 158 bytes from*192.168.0.8*#53 in 8 ms
> 
> real	0m1.032s
> user	0m0.020s
> sys	0m0.005s
> 
> So, failover appears to be acceptably working now, but I can't explain
> the lack of two sections in the first "time host..." command
results.
> 
> Dale
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba