Rowland Penny
2022-Jul-18 10:22 UTC
[Samba] Error adding second DC over slow connection: The specified I/O operation on %hs was not completed before the time-out period expired.')
On Mon, 2022-07-18 at 10:55 +0200, Lorenzo Milesi via samba wrote:
> I'm trying to add a second remote DC over a VPN (and possibly a not-
> so-fast connection), but it fails with the following message:
> ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout}
> The specified I/O operation on %hs was not completed before the time-
> out period expired.')
>
> I've seen the NT_STATUS_NO_LOGON_SERVERS but I cannot figure out
> why... kinit works on the second server.
>
>
> Debug info on the FIRST SERVER:
> Config collected --- 2022-07-18-10:02 -----------
>
> Hostname: dc-lan
> DNS Domain: wdc.domain.it
> Realm: WDC.DOMAIN.IT
> FQDN: dc-lan.wdc.domain.it
> ipaddress: 192.168.1.206
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.1.206 dc-lan.wdc.domain.it dc-lan
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver 127.0.0.1
> nameserver 192.168.1.1

Your nameservers are incorrect, you do not use '127.0.0.1', you should
be using '192.168.1.206' and the second nameserver is really useless,
if something goes wrong with Samba, you certainly do not want it asking
something else.

> search wdc.domain.it
>
> -----------
>
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server: 127.0.0.1
> Address: 127.0.0.1#53

That is an artefact of using '127.0.0.1' as the first nameserver.

>
> _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-lan.wdc.domain.it.
>
> -----------
>
>
> -----------
>
>
> Debug info on the SECOND server:
> Config collected --- 2022-07-18-10:00 -----------
>
> Hostname: dc-contabo
> DNS Domain: wdc.domain.it
> Realm: WDC.DOMAIN.IT
> FQDN: dc-contabo.wdc.domain.it
> ipaddress: 75.119.1.2 192.168.8.1 10.8.0.1 10.9.0.2
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.8.1 dc-contabo.wdc.domain.it dc-contabo
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> search wdc.domain.it
> nameserver 192.168.1.206
> nameserver 192.168.8.1
> nameserver 1.0.0.1
>
> -----------
>
> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
> sample output:
> Server: 192.168.1.206
> Address: 192.168.1.206#53
>
> _kerberos._tcp.wdc.domain.it service = 0 100 88 dc-lan.wdc.domain.it.
>
> -----------
>
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = WDC.DOMAIN.IT
> dns_lookup_kdc = false
> dns_lookup_realm = false
> [realms]
> WDC.DOMAIN.IT = {
> kdc = 192.168.8.1
> kdc = 192.168.1.206
> }
>

You got it right on the first DC, just copy the krb5.conf from the
first DC to the second DC.

Rowland
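An added example, not part of the thread and not Samba's own tooling: a small POSIX shell check that applies the resolv.conf rule Rowland gives above (a DC's first and only nameserver should be the DC's own LAN address, never 127.0.0.1 and never an outside resolver). The function name check_dc_resolv and the sample files it is run against are assumptions; the samples reproduce the first DC's resolv.conf as quoted in the thread and a corrected version.

```shell
#!/bin/sh
# Added example (not from the thread, not part of Samba): check an AD DC's
# /etc/resolv.conf against the rule given above.
#
# Usage: check_dc_resolv <dc-ip> <path-to-resolv.conf>
# Exit status 0 = file follows the rule, 1 = one or more findings, printed
# one per line on stdout.
check_dc_resolv() {
    dc_ip=$1
    file=$2
    rc=0
    # Collect nameserver entries in file order; comments and other keys
    # (search, options) are ignored.
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")
    if [ -z "$servers" ]; then
        echo "no nameserver entries found"
        return 1
    fi
    first=$(printf '%s\n' "$servers" | head -n 1)
    if [ "$first" != "$dc_ip" ]; then
        echo "first nameserver is $first, expected the DC's own address $dc_ip"
        rc=1
    fi
    for s in $servers; do
        case $s in
            127.*|::1)
                echo "loopback nameserver $s: use the DC's LAN address instead"
                rc=1 ;;
            "$dc_ip")
                ;;
            *)
                echo "extra nameserver $s: remove it, the DC must not fall back to another resolver"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (assumption: the first is the first DC's file as
# quoted in the thread, the second is the corrected version).
sample_dir=$(mktemp -d)
cat > "$sample_dir/as-posted.conf" <<'EOF'
nameserver 127.0.0.1
nameserver 192.168.1.1
search wdc.domain.it
EOF
cat > "$sample_dir/fixed.conf" <<'EOF'
search wdc.domain.it
nameserver 192.168.1.206
EOF

for f in as-posted.conf fixed.conf; do
    echo "== $f"
    if check_dc_resolv 192.168.1.206 "$sample_dir/$f"; then
        echo "OK"
    else
        echo "FAIL"
    fi
done
rm -rf "$sample_dir"
```

Run it on a real DC as `check_dc_resolv <dc-ip> /etc/resolv.conf`; the DC's address is the one Samba's internal DNS (or BIND9_DLZ) listens on, the same one in the DC's own A record.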
Lorenzo Milesi
2022-Jul-18 11:16 UTC
[Samba] Error adding second DC over slow connection: The specified I/O operation on %hs was not completed before the time-out period expired.')
Thanks for the feedback

>> Checking file: /etc/resolv.conf
>>
>> nameserver 127.0.0.1
>> nameserver 192.168.1.1
>
> Your nameservers are incorrect, you do not use '127.0.0.1', you should
> be using '192.168.1.206' and the second nameserver is really useless,
> if something goes wrong with Samba, you certainly do not want it asking
> something else.

Ok, I fixed the resolv on the first server, which now uses 192.168.1.206.

>> Kerberos SRV _kerberos._tcp.wdc.domain.it record(s) verified ok,
>> sample output:
>> Server: 127.0.0.1
>> Address: 127.0.0.1#53
>
> That is an artefact of using '127.0.0.1' as the first nameserver.

Fixed, now the nslookup kerberos lookup returns 192.168.1.206 on both servers.

>> [libdefaults]
>> default_realm = WDC.DOMAIN.IT
>> dns_lookup_kdc = false
>> dns_lookup_realm = false
>> [realms]
>> WDC.DOMAIN.IT = {
>> kdc = 192.168.8.1
>> kdc = 192.168.1.206
>> }
>>
>
> You got it right on the first DC, just copy the krb5.conf from the
> first DC to the second DC.

I've always been using this "solution" for the second DC, as I found it on a guide from tranquilit. I changed it to resemble the one on the first server.
Unfortunately, the JOIN command behaves exactly like before.
It hangs for some time after

NTLMSSP Sign/Seal - Initialising with flags:

then fails:

ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')

I ran the join command more than once, and on one occasion it went further but failed later:

Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for Administrator@WDC.DOMAIN.IT will expire in 35996 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
added interface eth1 ip=192.168.8.1 bcast=192.168.8.255 netmask=255.255.255.0
DSDB Transaction [rollback] at [Mon, 18 Jul 2022 12:49:56.096943 CEST] duration [60569073]
{"timestamp": "2022-07-18T12:49:56.097191+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "c07e8353-5017-46ac-a510-438aa57db0d9", "duration": 60569073}}
Join failed - cleaning up
ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: ldb_wait from (null) with LDB_WAIT_ALL: Time limit exceeded (3)

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
Corso Martiri della Liberazione 114 - 23900 Lecco - ITALY - Tel +39 0341 220 205 - info.it at yetopen.com
4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA - Phone +1 919-817-8106 - info.us at yetopen.com
Think green - Don't print this email unless necessary

-------- Legislative Decree 196/2003 and GDPR 679/2016 --------
Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.