Dale
2021-Mar-05 17:04 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 3/5/21 2:04 AM, L.P.H. van Belle via samba wrote:
>>> So, failover appears to be acceptably working now, but I can't explain
>>> the lack of two sections in the first "time host..." command results.
> Can you post your full bind9 config? Maybe you're still missing something here.
>
> This is my current config as example
>
> // named.conf.options
> options {
>     directory "/var/cache/bind";
>     dnssec-validation auto;
>     listen-on port 53 { 192.168.0.1; 127.0.0.1; };
>     listen-on-v6 { ::1; };
>     version "0.0.7";
>
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>     auth-nxdomain yes;
>     notify no;
>     empty-zones-enable no;
>     minimal-responses yes;
>
>     max-cache-size 100m;
>     allow-query { 192.168.0.0/24; 127.0.0.1/32; };
>     allow-query-cache { 192.168.0.0/24; 127.0.0.1/32; };
>     allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>     allow-transfer {
>         none;
>     };
> };
>
> Greetz,
>
> Louis

Here you go, Louis. I noticed a few differences from yours, but it should be very close to the Samba wiki, from which it is derived.

Thanks for the help.

Dale

named.conf.options

// Managing acls
acl internals {
    127.0.0.0/8;
    192.168.0.0/24;
};

options {
    directory "/var/cache/bind";
    version "";
    masterfile-format text;
    notify no;
    empty-zones-enable no;
    auth-nxdomain yes;
    allow-transfer { none; };
    dnssec-validation no;
    //dnssec-enable no; (obsolete)
    //dnssec-lookaside no; (obsolete)

    // If you only use IPv4
    listen-on-v6 { none; };

    // Listen on these IP numbers
    listen-on port 53 { 192.168.0.8; 127.0.0.1; };

    // Added Per Debian buster Bind9
    // Due to : resolver: info: resolver priming query complete messages in the logs
    // See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
    minimal-responses yes;

    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { "internals"; };
    allow-query-cache { "internals"; };

    // Add any subnets or hosts you want to allow to use recursive queries
    recursion yes;
    allow-recursion { "internals"; };

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    // forwarders {
    //     0.0.0.0;
    // };
    include "/etc/bind/named.conf.fwd";

    //=======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //=======================================================================

    // https://wiki.samba.org/index.php/Dns-backend_bind
    // DNS dynamic updates via Kerberos (optional, but recommended)
    // ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
    // or AFTER upgrading your dns from internal to bind9_dlz
    // Before Samba 4.9.0
    // tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    // From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the Samba dlopen (Bind DLZ) module
include "/var/lib/samba/bind-dns/named.conf";

>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dale via samba
>> Sent: Friday, 5 March 2021 5:29
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Domain member cannot authenticate when first domain
>> controller is down
>>
>> On 3/4/21 1:46 PM, Rowland penny via samba wrote:
>>> On 04/03/2021 17:39, Dale via samba wrote:
>>>> I'm very open to suggestions.
>>>>
>>> OK, I tested this on my small domain, from an rpi running 4.13.4. I
>>> did not change anything except for resolv.conf, which I changed to this:
>>>
>>> # wait 2 seconds : default 5 seconds
>>> options timeout:2
>>> # make 1 attempt before trying next nameserver : default 2
>>> options attempts:1
>>> # round robin nameservers
>>> #options rotate
>>> search samdom.example.com
>>> nameserver 192.168.0.8
>>> nameserver 192.168.0.6
>>>
>>> I commented 'rotate' because it round robins nameservers, something I
>>> didn't want to happen.
>>>
>>> Also 192.168.0.8 is dc01.samdom.example.com and 192.168.0.6 is
>>> dc4.samdom.example.com
>>>
>>> Ran this command on the rpi:
>>>
>>> time host -v -t SRV _ldap._tcp.samdom.example.com.
>>>
>>> And got this output:
>>>
>>> Trying "_ldap._tcp.samdom.example.com"
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53889
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
>>>
>>> ;; QUESTION SECTION:
>>> ;_ldap._tcp.samdom.example.com.    IN    SRV
>>>
>>> ;; ANSWER SECTION:
>>> _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
>>> _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.
>>>
>>> ;; AUTHORITY SECTION:
>>> samdom.example.com.    900    IN    NS    dc4.samdom.example.com.
>>> samdom.example.com.    900    IN    NS    dc01.samdom.example.com.
>>>
>>> ;; ADDITIONAL SECTION:
>>> dc4.samdom.example.com.    900    IN    A    192.168.0.6
>>> dc01.samdom.example.com.   900    IN    A    192.168.0.8
>>>
>>> Received 192 bytes from 192.168.0.8#53 in 78 ms
>>>
>>> real    0m0.153s
>>> user    0m0.038s
>>> sys     0m0.038s
>>>
>>> So far, so good.
>>>
>>> I then turned off bind9 on dc01 and ran the command again, this time
>>> the output was:
>>>
>>> Trying "_ldap._tcp.samdom.example.com"
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63152
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;_ldap._tcp.samdom.example.com.    IN    SRV
>>>
>>> ;; ANSWER SECTION:
>>> _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc4.samdom.example.com.
>>> _ldap._tcp.samdom.example.com. 900 IN    SRV    0 100 389 dc01.samdom.example.com.
>>>
>>> Received 132 bytes from 192.168.0.6#53 in 6 ms
>>>
>>> real    0m1.074s
>>> user    0m0.031s
>>> sys     0m0.041s
>>>
>>> As you can see, this time dc4 replied and fairly quickly.
>>>
>>> I think you may have missing or incorrect records for DC2, I will try
>>> and come up with something to check your records.
>>>
>>> Rowland
>> Running the same commands that you did, I have good news and what I
>> think might be bad news.
>>
>> Good - Using the resolv.conf options values that you have (no rotate), I
>> was able to log into other member servers fairly quickly. A "getent
>> user" took a little longer, but was acceptable.
>> Bad - Running the "time host..." command that you used returns only 2
>> sections, QUESTION and ANSWER. There is no AUTHORITY or ADDITIONAL
>> section. I don't know how essential that is.
>>
>> Client resolv.conf
>> The client is LMDE4 and Samba is 4.13.4 from Louis' repo.
>> [I get consistent values from resolvconf by editing
>> /etc/resolvconf/resolv.conf.d/base to get the values shown below in
>> /etc/resolv.conf.]
>>
>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>> nameserver 192.168.0.7
>> nameserver 192.168.0.8
>> search workgroup.realm.tld
>> options timeout:2
>> options attempts:1
>>
>> Both DCs on the network
>> Trying "_ldap._tcp.workgroup.realm.tld"
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48104
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;_ldap._tcp.workgroup.realm.tld. IN SRV
>>
>> ;; ANSWER SECTION:
>> _ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
>> _ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc2.workgroup.realm.tld.
>>
>> Received 158 bytes from 192.168.0.7#53 in 6 ms
>>
>> real 0m0.025s
>> user 0m0.010s
>> sys 0m0.010s
>>
>> Ethernet cable unplugged from DC1
>> Trying "_ldap._tcp.workgroup.realm.tld"
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;_ldap._tcp.workgroup.realm.tld. IN SRV
>>
>> ;; ANSWER SECTION:
>> _ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
>> _ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc2.workgroup.realm.tld.
>>
>> Received 158 bytes from 192.168.0.8#53 in 8 ms
>>
>> real 0m1.032s
>> user 0m0.020s
>> sys 0m0.005s
>>
>> So, failover appears to be acceptably working now, but I can't explain
>> the lack of two sections in the first "time host..." command results.
>>
>> Dale
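An added example, not part of the thread: it parses the `host -v -t SRV` output exchanged above and checks that every DC the domain should advertise is still present in the answer and which nameserver actually replied, which is the check a member server's authentication failover depends on. The sample output is constructed in the shape quoted above with the thread's placeholder names; `parse_host_output` and `check_failover` are names chosen here.

```python
import re

# Constructed sample in the shape of the `host -v -t SRV` output quoted in the thread;
# names and addresses are placeholders, not captured from a real domain.
SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10495
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
_ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc1.workgroup.realm.tld.
_ldap._tcp.workgroup.realm.tld. 900 IN SRV 0 100 389 dc2.workgroup.realm.tld.

Received 158 bytes from 192.168.0.8#53 in 8 ms
"""
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$")
COUNT_RE = re.compile(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)")
RECV_RE = re.compile(r"Received \d+ bytes from (\S+)#\d+ in (\d+) ms")

def parse_host_output(text):
    # Section counts come from the flags line; SRV targets from the ANSWER section,
    # which ends at the first line that is not an SRV record (blank or next section).
    targets, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        m = SRV_RE.match(line.strip()) if in_answer else None
        if m:
            targets.append((m.group(2).rstrip(".").lower(), int(m.group(1))))
        else:
            in_answer = False
    recv = RECV_RE.search(text)
    return {
        "status": re.search(r"status: (\w+)", text).group(1),
        "counts": {k: int(v) for k, v in COUNT_RE.findall(text)},
        "targets": targets,            # (host, port) in answer order
        "responder": recv.group(1),    # server that actually replied, e.g. the surviving DC
        "millis": int(recv.group(2)),
    }

def check_failover(answer, expected_dcs):
    # Empty list means the reply is clean and every expected DC is still advertised.
    findings = []
    if answer["status"] != "NOERROR":
        findings.append("status " + answer["status"])
    if answer["counts"].get("ANSWER") != len(answer["targets"]):
        findings.append("ANSWER count does not match the SRV records parsed")
    seen = {host for host, _ in answer["targets"]}
    missing = sorted(d.lower() for d in expected_dcs if d.lower() not in seen)
    if missing:
        findings.append("DCs absent from SRV answer: " + ", ".join(missing))
    return findings
```

Feed it the real output of the `time host -v -t SRV` command from each client, with the DC list the domain should have, to confirm a reply still lists every DC once one of them is down.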
Rowland penny
2021-Mar-05 19:24 UTC
[Samba] Domain member cannot authenticate when first domain controller is down
On 05/03/2021 17:04, Dale via samba wrote:
> Here you go, Louis. I noticed a few differences from yours, but it
> should be very close to the Samba wiki, from which it is derived.
>
> Thanks for the help.

You don't actually need these, they are default settings:

    allow-query-cache { "internals"; };
    recursion yes;

I would remove this, I have never used it and it seems to have something to do with master to slave setups. All Samba DC dns servers are masters, there are no slaves.

    masterfile-format text;

I would add these:

    dnssec-enable no;
    dnssec-lookaside no;

Finally, what is in this:

    include "/etc/bind/named.conf.fwd";

Rowland