Rodrigo Antunes
2024-Oct-18 15:00 UTC
[Samba] net ads extremely slow when dns server configured in resolv.conf
Hi,

First of all, my problem is a lot similar to this:
https://lists.samba.org/archive/samba/2017-February/206248.html

I have a freeradius server (10.1.0.13) that authenticates wifi users against AD (10.1.0.3). 10.1.0.13 is domain joined and has 10.1.0.3 as its DNS server.

The problem:
When 10.1.0.3 has no internet connection, users most of the time can't authenticate. When it has, everything works as it should.

The "fix":
If I use no DNS servers at all and put a fixed entry (10.1.0.3 mydomain.com) in 10.1.0.13's /etc/hosts everything works as it should. Although this solves the main problem, this creates other unrelated problems, so the freeradius server needs to work with the right DNS server configured.

When the problem happens all the domain related commands (wbinfo, net ads, nltm_auth) are extremely slow and sometimes succeed and sometimes don't. I have run 'net ads info' in debug and found this:

--
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5

(hangs for a lot of time)

gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit
kerberos_kinit_password: as MYFRSERVER$@MYDOMAIN.COM using [MEMORY:net_ads] as ccache and config [/var/run/samba/smb_krb5/krb5.conf.ADM]

(then tries again)

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
--

But I have noticed that the same messages appear when everything is working, except that there are no hangs.

Any ideas?

Samba Version 4.2.10-Debian
Rowland Penny
2024-Oct-18 15:13 UTC
[Samba] net ads extremely slow when dns server configured in resolv.conf
On Fri, 18 Oct 2024 15:00:38 +0000 (UTC) Rodrigo Antunes via samba <samba at lists.samba.org> wrote:

> Hi,
>
> First of all, my problem is a lot similar to this:
> https://lists.samba.org/archive/samba/2017-February/206248.html
>
> I have a freeradius server (10.1.0.13) that authenticates wifi users
> against AD (10.1.0.3). 10.1.0.13 is domain joined and has 10.1.0.3 as
> its DNS server.
>
> The problem:
> When 10.1.0.3 has no internet connection, users most of the time
> can't authenticate. When it has, everything works as it should.
>
> The "fix":
> If I use no DNS servers at all and put a fixed entry (10.1.0.3
> mydomain.com) in 10.1.0.13's /etc/hosts everything works as it
> should. Although this solves the main problem, this creates other
> unrelated problems, so the freeradius server needs to work with the
> right DNS server configured.
>
> When the problem happens all the domain related commands (wbinfo, net
> ads, nltm_auth) are extremely slow and sometimes succeed and
> sometimes don't. I have run 'net ads info' in debug and found this:
>
> --
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
>
> (hangs for a lot of time)
>
> gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were
> supplied, or the credentials were unavailable or inaccessible.:
> unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may
> retry after a kinit. Failed to start GENSEC client mech gse_krb5:
> NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit request:
> NT_STATUS_INTERNAL_ERROR ads_sasl_spnego_gensec_bind(KRB5) failed
> with: An internal error occurred., calling kinit
> kerberos_kinit_password: as MYFRSERVER$@MYDOMAIN.COM using
> [MEMORY:net_ads] as ccache and config
> [/var/run/samba/smb_krb5/krb5.conf.ADM]
>
> (then tries again)
>
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> --
>
> But I have noticed that the same messages appear when everything is
> working, except that there are no hangs.
>
> Any ideas?
>
> Samba Version 4.2.10-Debian

Please tell me that is a typo before we go anywhere, tell me that you are not still using Samba 4.2.10 and presumably Debian Jessie.

Rowland