L.P.H. van Belle
2021-Mar-05 08:04 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
>> So, failover appears to be acceptably working now, but I can't explain
>> the lack of two sections in the first "time host..." command results.

Can you post your full bind9 config? Maybe you're still missing something here.

This is my current config as example

// named.conf.options
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        listen-on port 53 { 192.168.0.1; 127.0.0.1; };
        listen-on-v6 { ::1; };
        version "0.0.7";

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        auth-nxdomain yes;
        notify no;
        empty-zones-enable no;
        minimal-responses yes;

        max-cache-size 100m;
        allow-query { 192.168.0.0/24; 127.0.0.1/32; };
        allow-query-cache { 192.168.0.0/24; 127.0.0.1/32; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        allow-transfer {
            none;
        };
};

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
> Sent: Friday, 5 March 2021 5:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member cannot authenticate when first domain
> controller is down
>
> On 3/4/21 1:46 PM, Rowland penny via samba wrote:
> > On 04/03/2021 17:39, Dale via samba wrote:
> >>
> >> I'm very open to suggestions.
> >>
> >
> > OK, I tested this on my small domain, from an rpi running 4.13.4. I
> > did not change anything except for resolv.conf, which I changed to this:
> >
> > # wait 2 seconds : default 5 seconds
> > options timeout:2
> > # make 1 attempt before trying next nameserver : default 2
> > options attempts:1
> > # round robin nameservers
> > #options rotate
> > search samdom.example.com
> > nameserver 192.168.0.8
> > nameserver 192.168.0.6
> >
> > I commented 'rotate' because it round robins nameservers, something I
> > didn't want to happen.
> >
> > Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is
> > dc4.samdom.example.com
> >
> > Ran this command on the rpi:
> >
> > time host -v -t SRV _ldap._tcp.samdom.example.com.
> >
> > And got this output:
> >
> > Trying "_ldap._tcp.samdom.example.com"
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;_ldap._tcp.samdom.example.com.    IN    SRV
> >
> > ;; ANSWER SECTION:
> > _ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc4.samdom.example.com.
> > _ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc01.samdom.example.com.
> >
> > ;; AUTHORITY SECTION:
> > samdom.example.com.    900    IN    NS    dc4.samdom.example.com.
> > samdom.example.com.    900    IN    NS    dc01.samdom.example.com.
> >
> > ;; ADDITIONAL SECTION:
> > dc4.samdom.example.com.    900    IN    A    192.168.0.6
> > dc01.samdom.example.com.   900    IN    A    192.168.0.8
> >
> > Received 192 bytes from 192.168.0.8#53 in 78 ms
> >
> > real    0m0.153s
> > user    0m0.038s
> > sys     0m0.038s
> >
> > So far, so good.
> >
> > I then turned off bind9 on dc01 and ran the command again, this time
> > the output was:
> >
> > Trying "_ldap._tcp.samdom.example.com"
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;_ldap._tcp.samdom.example.com.    IN    SRV
> >
> > ;; ANSWER SECTION:
> > _ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc4.samdom.example.com.
> > _ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc01.samdom.example.com.
> >
> > Received 132 bytes from 192.168.0.6#53 in 6 ms
> >
> > real    0m1.074s
> > user    0m0.031s
> > sys     0m0.041s
> >
> > As you can see, this time dc4 replied and fairly quickly.
> >
> > I think you may have missing or incorrect records for DC2, I will try
> > and come up with something to check your records.
> >
> > Rowland
>
> Running the same commands that you did, I have good news and what I
> think might be bad news.
>
> Good - Using the resolv.conf options values that you have (no rotate), I
> was able to log into other member servers fairly quickly. A "getent
> user" took a little longer, but was acceptable.
> Bad - Running the "time host..." command that you used returns only 2
> sections, QUESTION and ANSWER. There is no AUTHORITY or ADDITIONAL
> section. I don't know how essential that is.
>
> Client resolv.conf
> The client is LMDE4 and Samba is 4.13.4 from Louis' repo.
> [I get consistent values from resolvconf by editing
> /etc/resolvconf/resolv.conf.d/base to get the values shown below in
> /etc/resolv.conf.]
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.0.7
> nameserver 192.168.0.8
> search workgroup.realm.tld
> options timeout:2
> options attempts:1
>
> Both DC's on the network
> Trying "_ldap._tcp.workgroup.realm.tld"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48104
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.workgroup.realm.tld.    IN    SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
> _ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc2.workgroup.realm.tld.
>
> Received 158 bytes from 192.168.0.7#53 in 6 ms
>
> real    0m0.025s
> user    0m0.010s
> sys     0m0.010s
>
> Ethernet cable unplugged from DC1
> Trying "_ldap._tcp.workgroup.realm.tld"
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.workgroup.realm.tld.    IN    SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
> _ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc2.workgroup.realm.tld.
>
> Received 158 bytes from 192.168.0.8#53 in 8 ms
>
> real    0m1.032s
> user    0m0.020s
> sys     0m0.005s
>
> So, failover appears to be acceptably working now, but I can't explain
> the lack of two sections in the first "time host..." command results.
>
> Dale
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
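Rowland's test above sends one SRV query through the stub resolver, so which DC answers depends on resolv.conf ordering and timeouts. The script below is an added example for this thread, not code from Samba or from any of the posters: it asks every nameserver listed in /etc/resolv.conf directly, one at a time, for several AD SRV names (not only _ldap._tcp), and reports any server that is silent or leaves a DC out of its answer, which is the "missing or incorrect records for DC2" case Rowland refers to. On the two-section output Dale asks about: both configs posted in this thread set `minimal-responses yes;`, which tells BIND to omit the AUTHORITY and ADDITIONAL sections whenever they are not required, so their absence is expected and the ANSWER section is the part to check. The domain, DC names, the SRV name list and the embedded sample answer are assumptions or constructed for the self-check; the live check needs dig installed.

```shell
#!/bin/sh
# check_dc_srv.sh: query each nameserver from /etc/resolv.conf directly, one at
# a time, for the AD SRV records and report which DCs each server returns.
# Added example for this thread, not code from Samba or from the posters.

# SRV names a domain member resolves to find a DC (assumed set, adjust as needed).
SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _ldap._tcp.dc._msdcs"

# Constructed sample in `host -v` format, modelled on the thread's output, used
# by the self-check below; it is not a capture from a real domain.
SAMPLE_ANSWER=';; QUESTION SECTION:
;_ldap._tcp.samdom.example.com.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 dc4.samdom.example.com.
_ldap._tcp.samdom.example.com. 900 IN SRV 0 100 389 DC01.samdom.example.com.'

# Parse SRV answer records out of `host -v` or `dig` output on stdin.
# Prints "<target> <port> <priority> <weight>", lowercased, sorted by target;
# comment lines (";") and the question line are skipped.
parse_srv() {
  awk '$0 !~ /^;/ && $3 == "IN" && $4 == "SRV" { print $8, $7, $5, $6 }' \
    | tr 'A-Z' 'a-z' | sort
}

# $1: space-separated expected DC FQDNs (with trailing dot); stdin: parse_srv
# output. Prints each expected DC that has no SRV record in the answer.
missing_targets() {
  found=$(awk '{ print $1 }')
  for dc in $1; do
    dc=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
    printf '%s\n' "$found" | grep -qxF -- "$dc" || printf '%s\n' "$dc"
  done
}

# Ask one nameserver for one SRV name with a short timeout, so a dead DC fails
# fast instead of stalling the loop (same idea as "options timeout:2 attempts:1").
query_srv() {  # $1 = nameserver IP, $2 = SRV owner name
  dig +time=2 +tries=1 +noall +answer -t SRV "$2" "@$1" 2>/dev/null
}

# $1 = AD DNS domain, remaining args = every DC FQDN that should be advertised.
# Returns 1 if any nameserver is silent or omits a DC from any SRV name.
check_all() {
  domain=$1; shift
  expected="$*"
  rc=0
  for ns in $(awk '/^nameserver/ { print $2 }' /etc/resolv.conf); do
    for name in $SRV_NAMES; do
      answer=$(query_srv "$ns" "$name.$domain." | parse_srv)
      if [ -z "$answer" ]; then
        echo "$ns: no answer for $name.$domain (server down or record missing)"
        rc=1
        continue
      fi
      for m in $(printf '%s\n' "$answer" | missing_targets "$expected"); do
        echo "$ns: $name.$domain lacks an SRV record for $m"
        rc=1
      done
    done
  done
  return $rc
}

# Usage: sh check_dc_srv.sh samdom.example.com dc01.samdom.example.com. dc4.samdom.example.com.
if [ $# -ge 2 ]; then
  check_all "$@"
fi
```

Run it once with both DCs up and once with the first DC unplugged: a DC that is down should show up as "no answer" only for its own address, while every surviving server should still return all DCs for every SRV name. A DC missing from a live server's answer means the DNS records, not the resolver order, need fixing.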
Dale
2021-Mar-05 17:04 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 3/5/21 2:04 AM, L.P.H. van Belle via samba wrote:
>>> So, failover appears to be acceptably working now, but I can't explain
>>> the lack of two sections in the first "time host..." command results.
> Can you post your full bind9 config? Maybe you're still missing something here.
>
> This is my current config as example
> // named.conf.options
> options {
>         directory "/var/cache/bind";
>         dnssec-validation auto;
>         listen-on port 53 { 192.168.0.1; 127.0.0.1; };
>         listen-on-v6 { ::1; };
>         version "0.0.7";
>
>         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>         auth-nxdomain yes;
>         notify no;
>         empty-zones-enable no;
>         minimal-responses yes;
>
>         max-cache-size 100m;
>         allow-query { 192.168.0.0/24; 127.0.0.1/32; };
>         allow-query-cache { 192.168.0.0/24; 127.0.0.1/32; };
>         allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>         allow-transfer {
>             none;
>         };
> };
>
> Greetz,
>
> Louis

Here you go, Louis. I noticed a few differences from yours, but it should be
very close to the Samba wiki, from which it is derived. Thanks for the help.
Dale

named.conf.options

// Managing acls
acl internals {
   127.0.0.0/8;
   192.168.0.0/24;
};

options {
   directory "/var/cache/bind";
   version "";
   masterfile-format text;
   notify no;
   empty-zones-enable no;
   auth-nxdomain yes;
   allow-transfer { none; };

   dnssec-validation no;
   //dnssec-enable no; (obsolete)
   //dnssec-lookaside no; (obsolete)

   // If you only use IPv4
   listen-on-v6 { none; };

   // Listen on these IP numbers
   listen-on port 53 { 192.168.0.8; 127.0.0.1; };

   // Added Per Debian buster Bind9
   // Due to : resolver: info: resolver priming query complete messages in the logs
   // See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
   minimal-responses yes;

   // Add any subnets or hosts you want to allow to use this DNS server
   allow-query { "internals"; };
   allow-query-cache { "internals"; };

   // Add any subnets or hosts you want to allow to use recursive queries
   recursion yes;
   allow-recursion { "internals"; };

   // If there is a firewall between you and nameservers you want
   // to talk to, you may need to fix the firewall to allow multiple
   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

   // If your ISP provided one or more IP addresses for stable
   // nameservers, you probably want to use them as forwarders.
   // Uncomment the following block, and insert the addresses replacing
   // the all-0's placeholder.

   // forwarders {
   //    0.0.0.0;
   // };

   include "/etc/bind/named.conf.fwd";

   //=======================================================================
   // If BIND logs error messages about the root key being expired,
   // you will need to update your keys.  See https://www.isc.org/bind-keys
   //=======================================================================

   // https://wiki.samba.org/index.php/Dns-backend_bind
   // DNS dynamic updates via Kerberos (optional, but recommended)
   // ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
   // or AFTER upgrading your dns from internal to bind9_dlz
   // Before Samba 4.9.0
   // tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
   // From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
   tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the Samba dlopen (Bind DLZ) module
include "/var/lib/samba/bind-dns/named.conf";
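Both named.conf.options files posted in this thread agree on the settings that matter on a DC: allow-transfer is none (no AXFR of the AD zone, which lists every DC and service), allow-query and allow-recursion are limited to the LAN rather than "any", and tkey-gssapi-keytab points at the bind-dns keytab that Samba 4.9.0 and later use for Kerberos-authenticated dynamic updates. The script below is an added example, not code from Samba, ISC or the posters: it folds a named.conf.options file onto one line with comments removed and prints one warning for each of those three settings that is missing or weak. The two embedded configs are constructed samples (the hardened one mirrors the thread's settings); the matching assumes the ordinary `statement { value; };` layout and is not a full BIND parser, so keep running named-checkconf for syntax.

```shell
#!/bin/sh
# audit_named_options.sh: flag the settings in a BIND9 named.conf.options that
# matter on a Samba AD DC (zone transfers, open recursion, GSS-TSIG keytab).
# Added example for this thread, not code from Samba, ISC or the posters.

# Constructed sample configs for the self-check below (not from any real host).
# WEAK_CONF has the three problems the audit looks for; HARDENED_CONF mirrors
# the settings in the configs posted in the thread.
WEAK_CONF='options {
  directory "/var/cache/bind";
  allow-transfer { any; };
  recursion yes;
  allow-recursion { any; };
  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};'

HARDENED_CONF='acl internals { 127.0.0.0/8; 192.168.0.0/24; };
options {
  directory "/var/cache/bind";
  allow-transfer { none; };
  recursion yes;
  allow-recursion { "internals"; };
  // Before Samba 4.9.0
  // tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};'

# Drop // and # comments and fold the file onto one line with single spaces, so
# a block split over several lines ("allow-transfer {\n none;\n };") can be
# matched as the string "allow-transfer { none; };".
normalize_conf() {
  sed -e 's|//.*$||' -e 's|#.*$||' | tr '\n\t' '  ' | tr -s ' '
}

# Read named.conf.options on stdin; print one WARN line per finding, nothing
# when clean. Assumes the usual "statement { value; };" layout.
audit_named_options() {
  conf=$(normalize_conf)

  # 1. Zone transfers: anything but none lets a client download the whole AD
  #    zone, every DC and service record included.
  case "$conf" in
    *"allow-transfer { none; }"*) ;;
    *"allow-transfer"*) echo "WARN allow-transfer is not { none; }" ;;
    *) echo "WARN allow-transfer not set; add allow-transfer { none; };" ;;
  esac

  # 2. Recursion: a DC that recurses for "any" is an open resolver; limit it to
  #    internal subnets (an ACL such as "internals") or turn recursion off.
  case "$conf" in
    *"recursion no;"*) ;;
    *"allow-recursion { any; }"*) echo "WARN allow-recursion { any; } makes this DC an open resolver" ;;
    *"allow-recursion"*) ;;
    *) echo "WARN allow-recursion not set; restrict recursion to internal subnets" ;;
  esac

  # 3. GSS-TSIG keytab: needed for Kerberos-authenticated dynamic updates; the
  #    file moved from private/ to bind-dns/ in Samba 4.9.0.
  case "$conf" in
    *'tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"'*)
      echo "WARN tkey-gssapi-keytab uses the pre-4.9.0 path; Samba 4.9.0+ uses /var/lib/samba/bind-dns/dns.keytab" ;;
    *"tkey-gssapi-keytab"*) ;;
    *) echo "WARN tkey-gssapi-keytab not set; Kerberos dynamic DNS updates will not work" ;;
  esac
}

# Usage: sh audit_named_options.sh /etc/bind/named.conf.options
if [ $# -ge 1 ]; then
  audit_named_options < "$1"
fi
```

Comment stripping is what makes the keytab check meaningful: the wiki-derived file keeps the old private/dns.keytab line commented out, and only the uncommented line should count.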
L.P.H. van Belle
2021-Mar-08 11:25 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
Yeah, we don't have too many differences in the settings, but I would remove
the text file forwarders in bind. Not that I'm using that, but the link below
shows the picture.

https://www.interfacett.com/blogs/how-to-configure-a-dns-stub-zone-in-windows-server/

Greetz,

Louis

> From: Dale [mailto:samba at txschroeder.family]
> Sent: Friday, 5 March 2021 18:04
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Domain member cannot authenticate when first domain controller is down
>
> On 3/5/21 2:04 AM, L.P.H. van Belle via samba wrote:
> > Can you post your full bind9 config? Maybe you're still missing something here.
>
> Here you go, Louis. I noticed a few differences from yours, but it should be
> very close to the Samba wiki, from which it is derived. Thanks for the help.
>
> Dale