2nd samba DC: NT_STATUS_NO_LOGON_SERVERS


Samba - General mailing list

I added a 2nd DC (ADC2) to a samba-ADS today.

debian-9.3, samba-4.6.11 from Louis

followed
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

replication works afai see

-

We wanted to test services after turning off the first DC, and running
ADC2 and a DM file-server only.

DC1/backup: 10.0.0.224
ADC2: 10.0.0.230

We then get NT_STATUS_NO_LOGON_SERVERS

On the DM server "main" we get:

# nmblookup ARBEITSGRUPPE#1c
added interface em1 ip=10.0.0.221 bcast=10.0.0.255 netmask=255.255.255.0

10.0.0.224 ARBEITSGRUPPE<1c>
10.0.0.230 ARBEITSGRUPPE<1c>

# nmblookup ARBEITSGRUPPE#1b
added interface em1 ip=10.0.0.221 bcast=10.0.0.255 netmask=255.255.255.0
10.0.0.224 ARBEITSGRUPPE<1b>

-

adc2:~# samba-tool  testparm
Press enter to see a dump of your service definitions

# Global parameters
[global]
        netbios name = ADC2
        realm = ARBEITSGRUPPE.HIDDEN.AT
        workgroup = ARBEITSGRUPPE
        dns forwarder = 10.0.0.254
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/arbeitsgruppe.hidden.at/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

-

main # cat /etc/resolv.conf
# Generated by net-scripts for interface eth0
search arbeitsgruppe.hidden.at
nameserver 10.0.0.230
nameserver 10.0.0.224

-
root@adc2:~# systemctl status samba-ad-dc.service
● samba-ad-dc.service - Samba AD Daemon
   Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-12-28 14:43:39 CET; 8min ago
     Docs: man:samba(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1000 (samba)
   Status: "smbd: ready to serve connections..."
    Tasks: 22 (limit: 4915)
   CGroup: /system.slice/samba-ad-dc.service
           ├─1000 /usr/sbin/samba
           ├─1001 /usr/sbin/samba
           ├─1002 /usr/sbin/samba
           ├─1003 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1004 /usr/sbin/samba
           ├─1005 /usr/sbin/samba
           ├─1006 /usr/sbin/samba
           ├─1007 /usr/sbin/samba
           ├─1008 /usr/sbin/samba
           ├─1009 /usr/sbin/samba
           ├─1010 /usr/sbin/samba
           ├─1011 /usr/sbin/samba
           ├─1012 /usr/sbin/samba
           ├─1013 /usr/sbin/samba
           ├─1014 /usr/sbin/samba
           ├─1015 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─1018 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1019 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1021 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─1022 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─1047 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           └─1048 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground


What do I miss here? Had to install "dnsutils" to make dns_update work
... I set up krb5.conf, nsswitch.conf ...





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: 2nd samba DC: NT_STATUS_NO_LOGON_SERVERS

Hai Stephan,

You need also this in smb.conf

    # enable offline logins
    winbind offline logon = yes

I did also test my logins with one DC turned off.
And login on the DM is no problem or my PCs, no problem.

I did not test the AD logins, that's because these have only Linux logins for maintenance.
And that always works.

In a 2 DC setup, set up your nameservers first to the LAN IP of the server itself.
Resolv.conf example in a 2 DC setup when both servers are ALREADY in the AD.
When the second DC isn't in the AD yet, switch the servers in resolv.conf.
Reboot and then switch them back as shown below and test again.

# Sample DC1.
search arbeitsgruppe.hidden.at
# DC1
nameserver 192.168.0.1
# DC2
nameserver 192.168.0.2
# Internet Fallback (optional)
#nameserver 8.8.8.8

# Sample DC2.
search arbeitsgruppe.hidden.at
# DC2
nameserver 192.168.0.2
# DC1
nameserver 192.168.0.1
# Internet Fallback (optional)
#nameserver 8.8.8.8

And you know, samba AD DC, does not run NMBD.

For the member resolv.conf, which server goes first is up to you, but I suggest you also lower the timeout.
These are good; adjust to your needs if you want a bit quicker logins when a DC is off/down.
# options to add in resolv.conf
# timeout, default 30 sec.
options timeout:3
# attempts defaults to 5.
options attempts:2
# Rotate between the name servers.
options rotate



Greetz,

Louis
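
Added example (not part of the original thread and not Samba code): a small shell check that applies the resolv.conf advice above to a file. The function name check_resolv and its arguments are made up for this example; the demo input is the member file quoted in the first message.

```shell
#!/bin/sh
# Added example: lint a resolv.conf against the advice in this thread.
# Usage: check_resolv FILE ROLE DC_A DC_B   (hypothetical helper)
#   ROLE=dc      DC_A is this DC's own LAN IP, DC_B is the other DC
#   ROLE=member  DC_A and DC_B are the two DCs; their order is not checked
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_resolv() {
    awk -v role="$2" -v a="$3" -v b="$4" '
        BEGIN { bad = 0; n = 0 }
        /^[ \t]*[#;]/ { next }              # commented-out lines are inactive
        $1 == "nameserver" { ns[++n] = $2; seen[$2] = 1 }
        $1 == "options" {                   # e.g. "options timeout:3 rotate"
            for (i = 2; i <= NF; i++) { split($i, kv, ":"); opt[kv[1]] = 1 }
        }
        END {
            # Both DCs must be reachable as resolvers, or one DC going
            # down leaves the host without AD DNS.
            if (!(a in seen)) { print "nameserver " a " is not listed"; bad = 1 }
            if (!(b in seen)) { print "nameserver " b " is not listed"; bad = 1 }
            # On a DC the first entry should be the server itself.
            if (role == "dc" && n > 0 && ns[1] != a) {
                print "first nameserver is " ns[1] ", expected own IP " a
                bad = 1
            }
            # On a member, look for the three suggested resolver options.
            if (role == "member") {
                m = split("timeout attempts rotate", want, " ")
                for (i = 1; i <= m; i++)
                    if (!(want[i] in opt)) {
                        print "option " want[i] " is not set"; bad = 1
                    }
            }
            exit bad
        }' "$1"
}

# Demo on the member file from the first message (copied from the thread).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# Generated by net-scripts for interface eth0
search arbeitsgruppe.hidden.at
nameserver 10.0.0.230
nameserver 10.0.0.224
EOF
check_resolv "$demo_file" member 10.0.0.224 10.0.0.230 || true
rm -f "$demo_file"
```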



Re: 2nd samba DC: NT_STATUS_NO_LOGON_SERVERS

On 2017-12-28 at 15:55, L.P.H. van Belle via samba wrote:
> Hai Stephan,
>
> You need also this in smb.conf
>
>     # enable offline logins
>     winbind offline logon = yes

On which server(s)? The DCs? the DM?

> I did also test my logins with one DC turned off.
> And login on the DM is no problem or my PCs, no problem.
>
> I did not test the AD logins, that's because these have only Linux logins for maintenance.
> And that always works.

We have logins via ADC2 working for 15 mins now.

I have set up sysvol-rsync (works), but the ADC2 logs failing access to
the ADC1. Seems as if the GPOs point to ADC1 somehow?


> In a 2 DC setup, set up your nameservers first to the LAN IP of the server itself.
> Resolv.conf example in a 2 DC setup when both servers are ALREADY in the AD.
> When the second DC isn't in the AD yet, switch the servers in resolv.conf.
> Reboot and then switch them back as shown below and test again.
>
> # Sample DC1.
> search arbeitsgruppe.hidden.at
> # DC1
> nameserver 192.168.0.1
> # DC2
> nameserver 192.168.0.2
> # Internet Fallback (optional)
> #nameserver 8.8.8.8
>
> # Sample DC2.
> search arbeitsgruppe.hidden.at
> # DC2
> nameserver 192.168.0.2
> # DC1
> nameserver 192.168.0.1
> # Internet Fallback (optional)
> #nameserver 8.8.8.8
>
> And you know, samba AD DC, does not run NMBD.

I think we have that quite this way already, will check later.

> For the member resolv.conf, which server goes first is up to you, but I suggest you also lower the timeout.
> These are good; adjust to your needs if you want a bit quicker logins when a DC is off/down.
> # options to add in resolv.conf
> # timeout, default 30 sec.
> options timeout:3
> # attempts defaults to 5.
> options attempts:2
> # Rotate between the name servers.
> options rotate

ok


Re: 2nd samba DC: NT_STATUS_NO_LOGON_SERVERS

On 2017-12-28 at 16:07, Stefan G. Weichinger via samba wrote:

> On 2017-12-28 at 15:55, L.P.H. van Belle via samba wrote:
>> Hai Stephan,
>>
>> You need also this in smb.conf
>>
>>     # enable offline logins
>>     winbind offline logon = yes
>
> On which server(s)? The DCs? the DM?
>
>> I did also test my logins with one DC turned off.
>> And login on the DM is no problem or my PCs, no problem.
>>
>> I did not test the AD logins, that's because these have only Linux logins for maintenance.
>> And that always works.
>
> We have logins via ADC2 working for 15 mins now.
>
> I have set up sysvol-rsync (works), but the ADC2 logs failing access to
> the ADC1. Seems as if the GPOs point to ADC1 somehow?

If ADC2 is down (service ad-dc stopped) we see lines like this on ADC2:

Dez 28 18:44:01 adc2 samba[1743]:   Failed to connect host 10.0.0.224
(b0ca200f-4015-48e5-aa9e-2d85768ce6c2._msdcs.arbeitsgruppe.hidden.at) on
port 135 - NT_STATUS_CONNECTION_REFUSED.

... but GPOs get delivered now correctly (from the rsynced $SYSVOL on ADC2).

So we may ignore that as a "warning" somehow.

For now I am happy with today's progress.
thanks.
