2nd samba DC: NT_STATUS_NO_LOGON_SERVERS

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:[hidden email]] Namens
> Stefan G. Weichinger via samba
> Verzonden: donderdag 28 december 2017 14:54
> Aan: samba
> Onderwerp: [Samba] 2nd samba DC: NT_STATUS_NO_LOGON_SERVERS
>
>
> I added a 2nd DC (ADC2) to a samba-ADS today.
>
> debian-9.3, samba-4.6.11 from Louis
>
> followed
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Exis
> ting_Active_Directory
>
> replication works afai see
>
> -
>
> We wanted to test services after turning off the first DC, and running
> ADC2 and a DM file-server only.
>
> DC1/backup: 10.0.0.224
> ADC2: 10.0.0.230
>
> We then get NT_STATUS_NO_LOGON_SERVERS
>
> On the DM server "main" we get:
>
> # nmblookup ARBEITSGRUPPE#1c
> added interface em1 ip=10.0.0.221 bcast=10.0.0.255
> netmask=255.255.255.0
>
> 10.0.0.224 ARBEITSGRUPPE<1c>
> 10.0.0.230 ARBEITSGRUPPE<1c>
>
> # nmblookup ARBEITSGRUPPE#1b
> added interface em1 ip=10.0.0.221 bcast=10.0.0.255
> netmask=255.255.255.0
> 10.0.0.224 ARBEITSGRUPPE<1b>
>
> -
>
> adc2:~# samba-tool  testparm
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> netbios name = ADC2
> realm = ARBEITSGRUPPE.HIDDEN.AT
> workgroup = ARBEITSGRUPPE
> dns forwarder = 10.0.0.254
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/arbeitsgruppe.hidden.at/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> -
>
> main # cat /etc/resolv.conf
> # Generated by net-scripts for interface eth0
> search arbeitsgruppe.hidden.at
> nameserver 10.0.0.230
> nameserver 10.0.0.224
>
> -
> root@adc2:~# systemctl status samba-ad-dc.service
> ??? samba-ad-dc.service - Samba AD Daemon
>    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled;
> vendor preset: enabled)
>    Active: active (running) since Thu 2017-12-28 14:43:39
> CET; 8min ago
>      Docs: man:samba(8)
>            man:samba(7)
>            man:smb.conf(5)
>  Main PID: 1000 (samba)
>    Status: "smbd: ready to serve connections..."
>     Tasks: 22 (limit: 4915)
>    CGroup: /system.slice/samba-ad-dc.service
>            ??????1000 /usr/sbin/samba
>            ??????1001 /usr/sbin/samba
>            ??????1002 /usr/sbin/samba
>            ??????1003 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ??????1004 /usr/sbin/samba
>            ??????1005 /usr/sbin/samba
>            ??????1006 /usr/sbin/samba
>            ??????1007 /usr/sbin/samba
>            ??????1008 /usr/sbin/samba
>            ??????1009 /usr/sbin/samba
>            ??????1010 /usr/sbin/samba
>            ??????1011 /usr/sbin/samba
>            ??????1012 /usr/sbin/samba
>            ??????1013 /usr/sbin/samba
>            ??????1014 /usr/sbin/samba
>            ??????1015 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ??????1018 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ??????1019 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ??????1021 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ??????1022 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ??????1047 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ??????1048 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>
>
> What do I miss here? Had to install "dnsutils" to make dns_update work
> ... I set up krb5.conf, nsswitch.conf ...
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>

> In a 2 DC setup, setup your nameservers first to the LAN ip of the server itself.
> Resolv.conf example in a 2 DC setup when both servers are ALREADY in the AD.
> When the second DC isnt in the AD jet, switch the servers in resolv.conf
> Reboot and then switch them base as shown below and test again.
>
> # Sample DC1.
> search arbeitsgruppe.hidden.at
> # DC1
> nameserver 192.168.0.1
> # DC2
> nameserver 192.168.0.2
> # Internet Fallback (optional)
> #nameserver 8.8.8.8
>
> # Sample DC2.
> search arbeitsgruppe.hidden.at
> # DC2
> nameserver 192.168.0.2
> # DC1
> nameserver 192.168.0.1
> # Internet Fallback (optional)
> #nameserver 8.8.8.8
>
> And you know, samba AD DC, does not run NMBD.

> Am 2017-12-28 um 15:55 schrieb L.P.H. van Belle via samba:
>> Hai Stephan,
>>
>> You need also this in smb.conf
>>
>>     # enable offline logins
>>     winbind offline logon = yes
>
> On which server(s)? The DCs? the DM?
>
>> I did also test my logins with one DC turned off.
>> And login on the DM is no problem or my pcs, no problem.
>>
>> I did not test the AD logins thats because these have only linux logins for maintainance.
>> And that always works.
>
> We have logins via ADC2 working for 15 mins now.
>
> I have set up sysvol-rsync (works), but the ADC2 logs failing access to
> the ADC1. Seems as if the GPOs point to ADC1 somehow?