DC's are unavailable when PDC halted


Samba - General mailing list
Hi folks,

there are two Samba4 DC servers. The first one is the "PDC", and
after I finished setting that up, I joined the second one.

There is a Linux client, where I configured the samba, and joined
it to domain as member. Now I see these:

# net ads status -U administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: OPEN-CLIENT
instanceType: 4
whenCreated: 20171108075440.0Z
...
distinguishedName:
CN=OPEN-CLIENT,CN=Computers,DC=core,DC=mydomain,DC=hu
-------------- Security Descriptor (revision: 1, type: 0x8c17)
owner SID: S-1-5-21-1111351423-2542600865-3078305116-512
group SID: S-1-5-21-1111351423-2542600865-3078305116-512
------- (system) ACL (revision: 4, size: 120, number of ACEs: 2)
------- ACE (type: 0x07, flags: 0x5a, size: 0x38, mask: 0x20, object flags: 0x3)
access SID:  S-1-1-0
...

(a long output...)

# wbinfo --ping-dc
checking the NETLOGON for domain[CORE] dc connection to "open-ldap2.core.mydomain.hu" succeeded

(note that open-ldap2 is the second server).

When I halted open-ldap (which is the primary DC), all of the
commands above timed out.

If I halted open-ldap2, then wbinfo timed out, but "net
ads status" shows the message above.


What am I missing? The reason why I configured two DCs is that
if one of them is kicked, the AD stays available continuously.


Thanks,


a.



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: DC's are unavailable when PDC halted

Samba - General mailing list
On Wed, 8 Nov 2017 09:24:30 +0100
Ervin Hegedüs via samba <[hidden email]> wrote:

> Hi folks,
>
> there are two Samba4 DC server. The first one is the "PDC", and
> after I finished to set up that, I've joined the second one.

I am a bit confused here, from reading this post, you seem to have
called the two DCs 'open-ldap' & 'open-ldap2' and you refer to the
first one as the 'PDC', yet I think you are talking about an AD domain.
Is this the case ?
If so, you have just won the prize for the most confusing post to the
Samba mailing list ;-)

I think you need to post the following files from all three machines:

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
smb.conf

Rowland


Re: DC's are unavailable when PDC halted

Samba - General mailing list
Hi Rowland,

On Wed, Nov 08, 2017 at 09:45:48AM +0000, Rowland Penny wrote:

> On Wed, 8 Nov 2017 09:24:30 +0100
> Ervin Hegedüs via samba <[hidden email]> wrote:
>
> > Hi folks,
> >
> > there are two Samba4 DC server. The first one is the "PDC", and
> > after I finished to set up that, I've joined the second one.
>
> I am a bit confused here, from reading this post, you seem to have
> called the two DCs 'open-ldap' & 'open-ldap2' and you refer to the
> first one as the 'PDC', yet I think you are talking about an AD domain.

open-ldap and open-ldap2 are just the naming convention...
these were installed because we started to build a directory
infrastructure, and started with OpenLDAP. The cluster had worked
as well, but wasn't enough. We kept the names - never mind.

> Is this the case ?

Probably :)
I'm not an expert in AD; I've used Samba3 in standalone mode as
a DC. The last Windows environment where I used a Windows domain was
about Win2008... I'm really sorry for the confusion...

> If so, you have just won the prize for the most confusing post to the
> Samba mailing list ;-)

oh, I'm pleased to read it! :)

> I think you need to post the following files from all three machines:
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> smb.conf

========
open-ldap:

--------
/etc/hostname
open-ldap.core.mydomain.hu

--------
/etc/hosts
127.0.0.1 localhost

#10.10.20.202 open-ldap.core.mydomain.hu
#10.10.20.204 open-ldap2.core.mydomain.hu

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

--------
/etc/resolv.conf
search core.mydomain.hu
nameserver 127.0.0.1
nameserver 10.10.10.1

--------
/etc/krb5.conf
[libdefaults]
        default_realm = CORE.MYDOMAIN.HU
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        CORE.MYDOMAIN.HU = {
            kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
            kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
            admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
            admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
        }


--------
/etc/samba/smb.conf
# Global parameters
[global]
        netbios name = OPEN-LDAP
        realm = CORE.MYDOMAIN.HU
        workgroup = CORE
        dns forwarder = 10.10.10.1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        #tls enabled  = yes
        #tls keyfile  = tls/key.pem
        #tls certfile = tls/cert.pem
        #tls cafile   = tls/ca.pem  # if not required, set empty
        log level = 3 passdb:5 auth:5 tdb:5 ldb:5
        #ldap debug level = -1
        ntlm auth = yes
        lanman auth = yes
        client ntlmv2 auth = yes

        # server services = -dns
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

[netlogon]
        path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

========
open-ldap2:

--------
/etc/hostname
open-ldap2

--------
/etc/hosts
127.0.0.1 localhost

10.10.20.204 open-ldap2.core.mydomain.hu
10.10.20.202 open-ldap.core.mydomain.hu

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

--------
/etc/resolv.conf
search core.mydomain.hu
nameserver 127.0.0.1
nameserver 10.10.10.1

--------
/etc/krb5.conf
[libdefaults]
        default_realm = CORE.MYDOMAIN.HU
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        CORE.MYDOMAIN.HU = {
            kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
            kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
            admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
            admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
        }


--------
/etc/samba/smb.conf
# Global parameters
[global]
        netbios name = OPEN-LDAP2
        realm = CORE.MYDOMAIN.HU
        workgroup = CORE
        dns forwarder = 10.10.10.1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ntlm auth = yes
        lanman auth = yes
        client ntlmv2 auth = yes
        log level = 3 passdb:5 auth:5 tdb:5 ldb:5

        #server runs = -dns
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

[netlogon]
        path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

========
client:

--------
/etc/hostname
open-client

--------
/etc/hosts
127.0.0.1 localhost

10.10.20.205 open-client.core.mydomain.hu open-client


::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

--------
/etc/resolv.conf
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204

--------
/etc/krb5.conf
[libdefaults]
        default_realm = CORE.MYDOMAIN.HU

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

--------
/etc/samba/smb.conf

[global]

   workgroup = CORE
   security = ads
   realm = CORE.MYDOMAIN.HU
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   username map = /etc/samba/user.map

   dns proxy = no

   log file = /var/log/samba/log.%m
   max log size = 1000

   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes
   map to guest = bad user

   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no

   read only = yes

   create mask = 0700

   directory mask = 0700

   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no



Sorry again for the confusing post.



a.


Re: DC's are unavailable when PDC halted

Samba - General mailing list

See inline comments:

On Wed, 8 Nov 2017 11:18:10 +0100
Ervin Hegedüs <[hidden email]> wrote:

 
> ========
> open-ldap:
>
> --------
> /etc/hostname
> open-ldap.core.mydomain.hu

This should just be the short hostname not the fqdn

>
> --------
> /etc/hosts
> 127.0.0.1 localhost
>
> #10.10.20.202 open-ldap.core.mydomain.hu

Uncomment the above line

> #10.10.20.204 open-ldap2.core.mydomain.hu
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 127.0.0.1
> nameserver 10.10.10.1

You would be better using the DCs ipaddress rather than '127.0.0.1'.
You should also remove '10.10.0.1' it doesn't seem to be a DC.

>
> --------
> /etc/krb5.conf
> [libdefaults]
> default_realm = CORE.MYDOMAIN.HU
> dns_lookup_realm = false
> dns_lookup_kdc = true
>

You don't need the rest of the krb5.conf

> [realms]
> CORE.MYDOMAIN.HU = {
>    kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
>    kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
>    admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
>    admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
> }
>
>
> --------
> /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = OPEN-LDAP
> realm = CORE.MYDOMAIN.HU
> workgroup = CORE
> dns forwarder = 10.10.10.1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> ntlm auth = yes
> lanman auth = yes
> client ntlmv2 auth = yes

I would investigate upgrading security on the clients, rather than
turning it down on the DC
 
>
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

The above line contains all the defaults, so you can remove it.

>
> [netlogon]
> path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> ========
> open-ldap2:
>
> --------
> /etc/hostname
> open-ldap2
>
> --------
> /etc/hosts
> 127.0.0.1 localhost
>
> 10.10.20.204 open-ldap2.core.mydomain.hu
> 10.10.20.202 open-ldap.core.mydomain.hu

Remove the above line, the other DC should be found by DNS

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 127.0.0.1
> nameserver 10.10.10.1

As the other DC, but use this DCs ipaddress

>
> --------
> /etc/krb5.conf
> [libdefaults]
> default_realm = CORE.MYDOMAIN.HU
> dns_lookup_realm = false
> dns_lookup_kdc = true
>

As the other DC, you don't need the rest of krb5.conf

> [realms]
> CORE.MYDOMAIN.HU = {
>    kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
>    kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
>    admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU
>    admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU
> }
>
>
> --------
> /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = OPEN-LDAP2
> realm = CORE.MYDOMAIN.HU
> workgroup = CORE
> dns forwarder = 10.10.10.1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> ntlm auth = yes
> lanman auth = yes
> client ntlmv2 auth = yes
> log level = 3 passdb:5 auth:5 tdb:5 ldb:5
>
> #server runs = -dns
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns, s3fs

As the other DC, you don't need the above line

>
> [netlogon]
> path = /var/lib/samba/sysvol/core.mydomain.hu/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> ========
> client:
>
> --------
> /etc/hostname
> open-client
>
> --------
> /etc/hosts
> 127.0.0.1 localhost
>
> 10.10.20.205 open-client.core.mydomain.hu open-client
>
>
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> --------
> /etc/resolv.conf
> search core.mydomain.hu
> nameserver 10.10.20.202
> nameserver 10.10.20.204
>
> --------
> /etc/krb5.conf

The krb5.conf only needs to match the ones on the DCs, so you don't
need all of the following.

> [libdefaults]
> default_realm = CORE.MYDOMAIN.HU
>
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> ATHENA.MIT.EDU = {
> kdc = kerberos.mit.edu
> kdc = kerberos-1.mit.edu
> kdc = kerberos-2.mit.edu:88
> admin_server = kerberos.mit.edu
> default_domain = mit.edu
> }
> ZONE.MIT.EDU = {
> kdc = casio.mit.edu
> kdc = seiko.mit.edu
> admin_server = casio.mit.edu
> }
> CSAIL.MIT.EDU = {
> admin_server = kerberos.csail.mit.edu
> default_domain = csail.mit.edu
> }
> IHTFP.ORG = {
> kdc = kerberos.ihtfp.org
> admin_server = kerberos.ihtfp.org
> }
> 1TS.ORG = {
> kdc = kerberos.1ts.org
> admin_server = kerberos.1ts.org
> }
> ANDREW.CMU.EDU = {
> admin_server = kerberos.andrew.cmu.edu
> default_domain = andrew.cmu.edu
> }
>         CS.CMU.EDU = {
>                 kdc = kerberos-1.srv.cs.cmu.edu
>                 kdc = kerberos-2.srv.cs.cmu.edu
>                 kdc = kerberos-3.srv.cs.cmu.edu
>                 admin_server = kerberos.cs.cmu.edu
>         }
> DEMENTIA.ORG = {
> kdc = kerberos.dementix.org
> kdc = kerberos2.dementix.org
> admin_server = kerberos.dementix.org
> }
> stanford.edu = {
> kdc = krb5auth1.stanford.edu
> kdc = krb5auth2.stanford.edu
> kdc = krb5auth3.stanford.edu
> master_kdc = krb5auth1.stanford.edu
> admin_server = krb5-admin.stanford.edu
> default_domain = stanford.edu
> }
>         UTORONTO.CA = {
>                 kdc = kerberos1.utoronto.ca
>                 kdc = kerberos2.utoronto.ca
>                 kdc = kerberos3.utoronto.ca
>                 admin_server = kerberos1.utoronto.ca
>                 default_domain = utoronto.ca
> }
>
> [domain_realm]
> .mit.edu = ATHENA.MIT.EDU
> mit.edu = ATHENA.MIT.EDU
> .media.mit.edu = MEDIA-LAB.MIT.EDU
> media.mit.edu = MEDIA-LAB.MIT.EDU
> .csail.mit.edu = CSAIL.MIT.EDU
> csail.mit.edu = CSAIL.MIT.EDU
> .whoi.edu = ATHENA.MIT.EDU
> whoi.edu = ATHENA.MIT.EDU
> .stanford.edu = stanford.edu
> .slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
>
> --------
> /etc/samba/smb.conf
>
> [global]
>
>    workgroup = CORE
>    security = ads
>    realm = CORE.MYDOMAIN.HU
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999

Are you using sssd ?
If not, good, but you need to READ all of this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and probably this:

https://wiki.samba.org/index.php/Idmap_config_rid

You are trying to put EVERYTHING into the '*' domain, this is wrong.


>    username map = /etc/samba/user.map
>
>    dns proxy = no
>
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>
>    server role = standalone server

Oh no it's not, it is a Unix domain member, remove the above line.

>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = yes

You CANNOT have a user in /etc/passwd and in AD with the same username,
so you cannot have the above line.

>
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>
>    pam password change = yes
>    map to guest = bad user
>
>    usershare allow guests = yes
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    read only = yes
>    create mask = 0700
>    directory mask = 0700
>    valid users = %S
>
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    guest ok = no
>    read only = yes
>    create mask = 0700
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
>
You would be better setting the permissions from windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

>
> Sorry again for the confusing post.

No problem, just don't refer to your first DC as a 'PDC' again, it just
confuses things, every DC is equal ;-)

Rowland
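
Rowland's point that the second DC "should be found by DNS" (with
dns_lookup_kdc = true doing the same job for Kerberos) is the crux of
the original question, so here is an added worked model of DC
discovery. It is example code written for this page, not anything from
the thread or from Samba. It models the _ldap._tcp.dc._msdcs SRV set
the two DCs would publish (records constructed here, using the
hostnames and addresses from the thread), applies the RFC 2782
selection order, and contrasts a client whose resolv.conf lists both
DCs with a device pinned to one "primary" name, which is the failure
the captive portal in this thread runs into. ZONE_SRV, DC_ADDR,
locate_dc and pinned_dc are all this example's own assumptions; the
LDAP ping a real client sends to each candidate is simulated by a
membership test.

```python
"""Added example (not from the thread): how an AD client is supposed to find
a domain controller, via DNS SRV records rather than a fixed 'primary'."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data for the thread's domain: the SRV set a Samba DC
# publishes under _ldap._tcp.dc._msdcs.core.mydomain.hu, one entry per DC.
ZONE_SRV = [
    SrvRecord(0, 100, 389, "open-ldap.core.mydomain.hu"),
    SrvRecord(0, 100, 389, "open-ldap2.core.mydomain.hu"),
]
# Constructed: which DC answers on which address (the IPs from the thread).
DC_ADDR = {
    "open-ldap.core.mydomain.hu": "10.10.20.202",
    "open-ldap2.core.mydomain.hu": "10.10.20.204",
}


def order_srv(records, rng=random):
    """RFC 2782 target selection: lowest priority first; within a priority,
    a weighted random draw so equal-weight DCs share the load."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def resolve_srv(nameservers, down):
    """Model the client's resolver: each DC serves the AD zone, so the SRV
    lookup succeeds as long as one configured nameserver is a DC that is up."""
    live = {ip for host, ip in DC_ADDR.items() if host not in down}
    if any(ns in live for ns in nameservers):
        return list(ZONE_SRV)
    return []  # every nameserver unreachable: the client cannot even look up


def locate_dc(nameservers, down, seed=0):
    """Return the DC a client with these resolv.conf nameservers ends up on
    while the hosts in `down` are halted, or None if it finds nothing."""
    rng = random.Random(seed)  # deterministic so the worked run is repeatable
    for rec in order_srv(resolve_srv(nameservers, down), rng):
        if rec.target not in down:  # the LDAP ping of the candidate, simulated
            return rec.target
    return None


def pinned_dc(primary, down):
    """Contrast: a device configured with one fixed DC name (the thread's
    captive portal) has nothing to fall back on when that host is halted."""
    return None if primary in down else primary


if __name__ == "__main__":
    both = ["10.10.20.202", "10.10.20.204"]   # the open-client resolv.conf
    halted = {"open-ldap.core.mydomain.hu"}
    print("both DCs up  :", locate_dc(both, set()))
    print("open-ldap down, two nameservers:", locate_dc(both, halted))
    print("open-ldap down, one nameserver :", locate_dc(["10.10.20.202"], halted))
    print("pinned device, open-ldap down  :", pinned_dc("open-ldap.core.mydomain.hu", halted))
```

The third call is the case to watch: a client whose only nameserver is
the halted DC never gets as far as the SRV lookup, so listing every DC
in resolv.conf (as the open-client does) matters as much as publishing
the records.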



Re: DC's are unavailable when PDC halted

Samba - General mailing list
Hi Rowland,

many thanks for your help,

On Wed, Nov 08, 2017 at 11:00:59AM +0000, Rowland Penny wrote:
>
> On Wed, 8 Nov 2017 11:18:10 +0100
> Ervin Hegedüs <[hidden email]> wrote:
>
>  
> > ========
> > open-ldap:
...

> > --------
> > /etc/resolv.conf
> > search core.mydomain.hu
> > nameserver 127.0.0.1
> > nameserver 10.10.10.1
>
> You would be better using the DCs ipaddress rather than '127.0.0.1'.
> You should also remove '10.10.0.1' it doesn't seem to be a DC.

yes, that's the forwarder (see in smb.conf). Most documents
note that you should keep it in resolv.conf.
 

> > --------
> > /etc/samba/smb.conf
> > # Global parameters
> > [global]
> > netbios name = OPEN-LDAP
> > realm = CORE.MYDOMAIN.HU
> > workgroup = CORE
> > dns forwarder = 10.10.10.1
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> >
> > log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > ntlm auth = yes
> > lanman auth = yes
> > client ntlmv2 auth = yes
>
> I would investigate upgrading security on the clients, rather than
> turning it down on the DC

I'm sorry, what exactly do you mean?
 
> >
> > server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbind, ntp_signd, kcc, dnsupdate, dns, s3fs
>
> The above line contains all the defaults, so you can remove it.

ok, I just forgot to remove it, I was just testing it... now I've
removed it.
 
> > ========
> > open-ldap2:
> >
...

everything is done,

> > ========
> > client:
> >
> > --------
> > /etc/krb5.conf
>
> The krb5.conf only needs to match the ones on the DCs, so you don't
> need all of the following.

does it mean that the krb5.conf should be empty?
 

> > --------
> > /etc/samba/smb.conf
> >
> > [global]
> >
> >    workgroup = CORE
> >    security = ads
> >    realm = CORE.MYDOMAIN.HU
> >    idmap config * : backend = tdb
> >    idmap config * : range = 3000-7999
>
> Are you using sssd ?
no,

> If not, good, but you need to READ all of this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I've followed this page (maybe I forgot something - I'll review it
again)
 
> and probably this:
>
> https://wiki.samba.org/index.php/Idmap_config_rid

I'm afraid I don't need that :)
 
> You are trying to put EVERYTHING into the '*' domain, this is wrong.

right,
 
> >    syslog = 0
> >    panic action = /usr/share/samba/panic-action %d
> >
> >    server role = standalone server
>
> Oh no it's not, it is a Unix domain member, remove the above line.

ok, removed,
 
> >    passdb backend = tdbsam
> >    obey pam restrictions = yes
> >    unix password sync = yes
>
> You CANNOT have a user in /etc/passwd and in AD with the same username,
> so you cannot have the above line.

this condition is met - line removed,
 

> > [homes]
> >    comment = Home Directories
> >    browseable = no
> >    read only = yes
> >    create mask = 0700
> >    directory mask = 0700
> >    valid users = %S
> >
> > [printers]
> >    comment = All Printers
> >    browseable = no
> >    path = /var/spool/samba
> >    printable = yes
> >    guest ok = no
> >    read only = yes
> >    create mask = 0700
> >
> > [print$]
> >    comment = Printer Drivers
> >    path = /var/lib/samba/printers
> >    browseable = yes
> >    read only = yes
> >    guest ok = no
> >
> You would be better setting the permissions from windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I don't want to build the fileserver, I just need the user
management - these blocks stayed from the previous install.
 
> > Sorry again for the confusing post.
>
> No problem, just don't refer to your first DC as a 'PDC' again, it just
> confuses things, every DC is equal ;-)

yes, in the meantime I've discussed it with a Windows engineer; he said
that there aren't primary and backup roles.


Thanks again, I'll review the client config, and check it again.


Just one thing remains: what do you mean here:

> I would investigate upgrading security on the clients, rather
> than turning it down on the DC

and is an empty krb5.conf file enough on the client?


Regards,

a.

   


Re: DC's are unavailable when PDC halted

Samba - General mailing list

See inline comments, extraneous lines removed from post:

On Wed, 8 Nov 2017 12:43:16 +0100
Ervin Hegedüs <[hidden email]> wrote:

> > You would be better using the DCs ipaddress rather than '127.0.0.1'.
> > You should also remove '10.10.0.1' it doesn't seem to be a DC.
>
> yes, that's the forwarder (see in smb.conf). Most documents
> note that you should keep it in resolv.conf.

And most documents get it wrong. The DC is a DNS server and your
clients should use it as their nameserver. Your DC should forward
anything unknown to the nameserver that is set in the DCs smb.conf if
using the internal DNS server, or if in the named conf files if using
Bind9

>  
> > > --------
> > > /etc/samba/smb.conf
> > > # Global parameters
> > > [global]
> > > netbios name = OPEN-LDAP
> > > realm = CORE.MYDOMAIN.HU
> > > workgroup = CORE
> > > dns forwarder = 10.10.10.1
> > > server role = active directory domain controller
> > > idmap_ldb:use rfc2307 = yes
> > >
> > > log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > > ntlm auth = yes
> > > lanman auth = yes
> > > client ntlmv2 auth = yes
> >
> > I would investigate upgrading security on the clients, rather than
> > turning it down on the DC
>
> I'm sorry, what exactly do you mean?

You have set 'ntlm auth = yes' in the smb.conf, this means your clients
can use NTLMv1, this is insecure, you would be better off removing this
line and then make your clients use NTLMv2 (at least) by default.

>
> > > ========
> > > client:
> > >
> > > --------
> > > /etc/krb5.conf
> >
> > The krb5.conf only needs to match the ones on the DCs, so you don't
> > need all of the following.
>
> does it mean that the krb5.conf should be empty?

No, the /etc/krb5.conf on all the machines needs to be only this:

[libdefaults]
  default_realm = CORE.MYDOMAIN.HU
  dns_lookup_realm = false
  dns_lookup_kdc = true

>
> > If not, good, but you need to READ all of this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> I've followed this page (may be I forgot something - I review it
> again)
>  
> > and probably this:
> >
> > https://wiki.samba.org/index.php/Idmap_config_rid
>
> I'm afraid I don't need that :)

Yes you do :)

winbind needs to map your windows users & groups to Unix IDs in the
'CORE' domain, not the '*' domain. The '*' domain is reserved for the
well known SIDs and anything outside the 'CORE' domain.
 
>
> I don't want to build the fileserver, I just need the user
> management - these blocks stayed from the previous install.

Then why have the Unix domain member ???

>  
> > > Sorry again for the confusing post.
> >
> > No problem, just don't refer to your first DC as a 'PDC' again, it
> > just confuses things, every DC is equal ;-)
>
> yes, in meantime I've discussed with a Windows engineer, he said
> that there aren't primary and backup roles.
>

There were Primary and Backup roles, but this was with NT4-style domains

> Just one thing remains: what do you mean here:
>
> > I would investigate upgrading security on the clients, rather
> > than turning it down on the DC
>
> and is an empty krb5.conf file enough on the client?

Hopefully I have answered these questions above.

Rowland
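
Rowland's two reviews boil down to a handful of checks on smb.conf and
krb5.conf. The following linter, added here as an example and not part
of the thread or of Samba, parses both files and reports those
findings: 'ntlm auth = yes' and 'lanman auth = yes' on a DC, 'server
role = standalone server' next to 'security = ads', 'unix password
sync' on a domain member, an idmap config for '*' with no block for the
CORE domain, a krb5.conf missing 'dns_lookup_kdc = true' or carrying
hard-coded kdc entries, and a realm mismatch between the two files.
The sample configs are constructed from the excerpts posted in the
thread; the finding codes, the rid ranges in the corrected sample, and
the simplified parameter-name normalisation are this example's own
assumptions, not Samba's.

```python
"""Added example (not from the thread): lint smb.conf / krb5.conf for the
misconfigurations raised in the review above."""
import re


def parse_ini(text):
    """Parse Samba/krb5-style config into {section: [(key, value), ...]}.
    Only lines starting with '#' or ';' are comments (Samba semantics); the
    '{' / '}' realm blocks of krb5.conf are flattened into their section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Simplified normalisation (assumption): lower-case and collapse
            # spaces, so 'idmap config * : backend' -> 'idmap config *:backend'
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split()).lower())
            if value.strip() != "{":            # skip 'REALM = {' openers
                sections[current].append((key, value.strip()))
    return sections


def last(pairs, key):
    """Samba honours the last occurrence of a repeated parameter."""
    return next((v for k, v in reversed(pairs) if k == key), "").lower()


def lint_smb(smb):
    g, found = smb.get("global", []), []
    if last(g, "ntlm auth") == "yes":
        found.append("NTLMV1_ENABLED: 'ntlm auth = yes' lets clients authenticate with NTLMv1")
    if last(g, "lanman auth") == "yes":
        found.append("LANMAN_ENABLED: 'lanman auth = yes' accepts the even weaker LM response")
    if last(g, "security") == "ads":                # this host is a domain member
        role = last(g, "server role")
        if role and role != "member server":
            found.append(f"ROLE_MISMATCH: 'security = ads' but 'server role = {role}'; remove the role line")
        if last(g, "unix password sync") == "yes":
            found.append("UNIX_PASSWORD_SYNC: domain users live in AD, not /etc/passwd; drop this")
        wg, keys = last(g, "workgroup"), [k for k, _ in g]
        if any(k.startswith("idmap config *:") for k in keys) and not any(
                k.startswith(f"idmap config {wg}:") for k in keys):
            found.append(f"IDMAP_STAR_ONLY: no 'idmap config {wg.upper()}' block, so domain users fall into the '*' catch-all")
    return found


def lint_krb5(krb5):
    found = []
    if last(krb5.get("libdefaults", []), "dns_lookup_kdc") != "true":
        found.append("KRB5_NO_DNS_KDC: 'dns_lookup_kdc = true' is needed to find KDCs via AD DNS SRV records")
    if any(k == "kdc" for k, _ in krb5.get("realms", [])):
        found.append("KRB5_STATIC_KDC: hard-coded 'kdc =' lines pin the client to named hosts; DNS lookup is enough")
    return found


def audit(smb_text, krb5_text):
    """Full report: list of 'CODE: explanation' strings, empty when clean."""
    smb, krb5 = parse_ini(smb_text), parse_ini(krb5_text)
    found = lint_smb(smb) + lint_krb5(krb5)
    realm = last(smb.get("global", []), "realm")
    if realm and realm != last(krb5.get("libdefaults", []), "default_realm"):
        found.append(f"REALM_MISMATCH: smb.conf realm {realm.upper()} differs from krb5 default_realm")
    return found


def audit_codes(smb_text, krb5_text):
    return [f.split(":", 1)[0] for f in audit(smb_text, krb5_text)]


# Constructed samples, cut down from the excerpts posted in the thread.
CLIENT_SMB = """[global]
   workgroup = CORE
   security = ads
   realm = CORE.MYDOMAIN.HU
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   server role = standalone server
   unix password sync = yes
"""
CLIENT_KRB5 = """[libdefaults]
        default_realm = CORE.MYDOMAIN.HU
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
        CORE.MYDOMAIN.HU = {
            kdc = OPEN-LDAP.CORE.MYDOMAIN.HU
            kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU
        }
"""
DC_SMB = """[global]
        netbios name = OPEN-LDAP
        realm = CORE.MYDOMAIN.HU
        workgroup = CORE
        server role = active directory domain controller
        ntlm auth = yes
        lanman auth = yes
"""
MINIMAL_KRB5 = "[libdefaults]\n default_realm = CORE.MYDOMAIN.HU\n dns_lookup_realm = false\n dns_lookup_kdc = true\n"
# Corrected member config; the rid backend and its ranges are this example's choice.
FIXED_SMB = """[global]
   workgroup = CORE
   security = ads
   realm = CORE.MYDOMAIN.HU
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CORE : backend = rid
   idmap config CORE : range = 10000-999999
"""

if __name__ == "__main__":
    for name, smb, krb in [("client", CLIENT_SMB, CLIENT_KRB5),
                           ("dc", DC_SMB, MINIMAL_KRB5), ("fixed", FIXED_SMB, MINIMAL_KRB5)]:
        print(name, audit(smb, krb) or ["clean"])
```

Run against the posted client config it reports the role, password
sync and idmap findings plus the static KDC list; against the DC config
it reports the two NTLM settings; the corrected member config with the
four-line krb5.conf comes back clean.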




Re: DC's are unavailable when PDC halted

Samba - General mailing list
Hi Rowland,

On Wed, Nov 08, 2017 at 12:12:20PM +0000, Rowland Penny wrote:

> On Wed, 8 Nov 2017 12:43:16 +0100
> Ervin Hegedüs <[hidden email]> wrote:
>
> > > You would be better using the DCs ipaddress rather than '127.0.0.1'.
> > > You should also remove '10.10.0.1' it doesn't seem to be a DC.
> >
> > yes, that's the forwarder (see in smb.conf). Most documents
> > note that you should keep it in resolv.conf.
>
> And most documents get it wrong. The DC is a DNS server and your
> clients should use it as their nameserver. Your DC should forward
> anything unknown to the nameserver that is set in the DCs smb.conf if
> using the internal DNS server, or if in the named conf files if using
> Bind9

right, I've removed it, now all DCs use only themselves as
nameserver.

> > > > /etc/samba/smb.conf
> > > > # Global parameters
> > > > [global]
> > > > netbios name = OPEN-LDAP
> > > > realm = CORE.MYDOMAIN.HU
> > > > workgroup = CORE
> > > > dns forwarder = 10.10.10.1
> > > > server role = active directory domain controller
> > > > idmap_ldb:use rfc2307 = yes
> > > >
> > > > log level = 3 passdb:5 auth:5 tdb:5 ldb:5
> > > > ntlm auth = yes
> > > > lanman auth = yes
> > > > client ntlmv2 auth = yes
> > >
> > > I would investigate upgrading security on the clients, rather than
> > > turning it down on the DC
> >
> > I'm sorry, what exactly do you mean?
>
> You have set 'ntlm auth = yes' in the smb.conf, this means your clients
> can use NTLMv1, this is insecure, you would be better off removing this
> line and then make your clients use NTLMv2 (at least) by default.

well, this line needs some clarification - see below
 

> > > > ========
> > > > client:
> > > >
> > > > --------
> > > > /etc/krb5.conf
> > >
> > > The krb5.conf only needs to match the ones on the DCs, so you don't
> > > need all of the following.
> >
> > does it mean that the krb5.conf should be empty?
>
> No, the /etc/krb5.conf on all the machines needs to be only this:
>
> [libdefaults]
>   default_realm = CORE.MYDOMAIN.HU
>   dns_lookup_realm = false
>   dns_lookup_kdc = true

right,
 
> > > and probably this:
> > >
> > > https://wiki.samba.org/index.php/Idmap_config_rid
> >
> > I'm afraid I don't need that :)
>
> Yes you do :)

no, I don't :)
 
> winbind needs to map your windows users & groups to Unix IDs in the
> 'CORE' domain, not the '*' domain. The '*' domain is reserved for the
> well known SIDs and anything outside the 'CORE' domain.

there will _not_ be any Linux users - see below :)
 
> >
> > I don't want to build the fileserver, I just need the user
> > management - these blocks stayed from the previous install.
>
> Then why have the Unix domain member ???

so, the directory service is needed because we have a captive portal
to authenticate users for several services - e.g. network access,
network groups. But only for these. There will _not_ be any file
sharing.

The current device (Aruba) can authenticate only if

  ntlm auth = yes

is turned on (but I'll check it again, maybe NTLMv2 is
enough).

We configured the CP to use this AD. We joined the devices to
the domain and set up both DCs. Then when I turned off the "first"
DC (which isn't the PDC :), I just installed and configured it
first), the auth service stopped working. The device doesn't
use the backup server (in the device config we see "Backup
device" - I'm sorry).

So, I asked the provider for a "client" machine, which is Linux
(I prefer Linux), and this is the open-client.

Now I'd like to test the redundant operation of both DCs, and that's
why I don't need any Linux users, user mapping, or any other
specific things. There will be thousands of users; everyone has a
login and a password, connects to WiFi/eth LAN with 802.1x, and
uses the network.

> Hopefully I have answered these questions above.

yes, thank you for all of your help again.


I left the domain (from the client) and re-joined, but now I got
this message:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- CORE
Joined 'OPEN-CLIENT' to dns domain 'core.mydomain.hu'
DNS Update for open-client.core.mydomain.hu failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

# wbinfo --ping-dc
checking the NETLOGON for domain[CORE] dc connection to "open-ldap.core.mydomain.hu" succeeded

# ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
NT_STATUS_OK: Success (0x0)
# ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
NT_STATUS_OK: Success (0x0)

# ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
# ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE --target-hostname=open-ldap2.core.mydomain.hu
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

so, looks like it works.

# net ads status

gives a very long output.

And wbinfo gives only open-ldap as DC:

# wbinfo --dsgetdcname=CORE
open-ldap.core.mydomain.hu
\\10.10.20.202
1
37241698-63dd-40d5-805b-d83f4a35223a
core.mydomain.hu
core.mydomain.hu
0xe00013fd
Default-First-Site-Name
Default-First-Site-Name

# wbinfo --getdcname=CORE
OPEN-LDAP

# wbinfo -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication succeeded

# wbinfo -a abc_airween%WRONGPASS
plaintext password authentication failed
Could not authenticate user abc_airween%WRONGPASS with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user abc_airween with challenge/response


At this point I made open-ldap (the first server) unreachable,
and the result of the command above:

# time wbinfo -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication failed
Could not authenticate user abc_airween with challenge/response

real 1m2.640s
user 0m0.012s
sys 0m0.000s

it waits 1 minute, and then I get the message.

When I turned off open-ldap2, and open-ldap works, then
wbinfo -a returns success, but only after 30 seconds.



So, it looks like something is still wrong - maybe I'm using wbinfo
the wrong way?


What should I do so that the auth method works as well when a DC
is kicked out?



a.



Re: DC's are unavailable when PDC halted

Samba - General mailing list
On 2017-11-08 at 13:12, Rowland Penny via samba wrote:

> And most documents get it wrong. The DC is a DNS server and your
> clients should use it as their nameserver. Your DC should forward
> anything unknown to the nameserver that is set in the DC's smb.conf if
> using the internal DNS server, or in the named conf files if using
> Bind9

additional question here as I also prepare to deploy a 2nd DC at one site:

right now I tell the clients to use these as DNSs (via DHCP):

samba-DC, DNS on router to internet, one DNS upstream (just in case,
maybe stupid)

with additional DCs I assume I would have to list the DCs as well as
DNSs, to make sure DNS (in terms of AD *and* "normal" DNS) still works
in case the first DC is unreachable?

Stefan


Re: DC's are unavailable when PDC halted

Samba - General mailing list

Hi Stefan,

What happens on the DC itself: the DNS client queries (resolving)
go through /etc/resolv.conf and use those settings,
for example, ping www.google.nl from the DC command line.

The PCs in the LAN use the DC's DNS but NOT the /etc/resolv.conf of the DC.
That uses the DNS server settings: the internal Samba DNS uses the forwarder setting in smb.conf,
or bind9_dlz + Samba uses the forwarder setting in bind.


Now that you know this, for DC1:
/etc/resolv.conf
search ADDC.domain.TLD externaldomain.tld
nameserver IP_OF_DC1   (not localhost/127.0.0.1)
nameserver IP_of_your_gateway
nameserver IP_of_anyother_dns

Now adding a second DC.

DC1 changes a bit:
/etc/resolv.conf
search ADDC.domain.TLD externaldomain.tld
nameserver IP_OF_DC1
nameserver IP_OF_DC2
nameserver IP_of_anyother_dns

DC2:
/etc/resolv.conf
search ADDC.domain.TLD externaldomain.tld
nameserver IP_OF_DC2
nameserver IP_OF_DC1
nameserver IP_of_anyother_dns

And set your client PCs' DNS to the DCs.

This results in:
1) if DC1 is down, DC2 is used.
2) if DC2 is down, DC1 is used.
3) if both DCs are down, the DC still has internet, the clients do not.
But without any DC your network is in serious trouble anyway.

The DC still has internet due to nameserver IP_of_anyother_dns,
and you need that when you're in trouble.


Greetz,

Louis




Re: DC's are unavailable when PDC halted

Samba - General mailing list
On 2017-11-08 at 15:03, L.P.H. van Belle via samba wrote:
>
> Hai Stefan,
>
> What happens on the DC itself.
> The dns `CLIENT queries` (resolving) goes through /etc/resolv.conf
> And uses these settings.
> for example, ping www.google.nl from the DC commandline.
>
> The PC in the lan use the DC DNS but NOT  /etc/resolv.conf of the DC.

Sure, I know.

> That uses the DNS Server settings, internal samba, used the forward setting in smb.conf
> Or bind9_dlz + samba, used the forward setting in bind.
>
>
> Now you know this. (DC1)
> /etc/resolv.conf
> search ADDC.domain.TLD externaldomain.tld
> nameserver IP_OF_DC1 and not localhost/127.0.0.1
> Nameserver IP_of_your_gateway
> Nameserver IP_of_anyother_dns.
>
> Now adding a second DC.
>
> DC1 changes a bit.
> /etc/resolv.conf
> search ADDC.domain.TLD externaldomain.tld
> nameserver IP_OF_DC1
> nameserver IP_OF_DC2
> Nameserver IP_of_anyother_dns.
>
> DC2.
> /etc/resolv.conf
> search ADDC.domain.TLD externaldomain.tld
> nameserver IP_OF_DC2
> nameserver IP_OF_DC1
> Nameserver IP_of_anyother_dns.
>
> And set you client PC's DNS to the DC.s
>
> Results in.
> 1) if DC1 is down, DC2 is used.
> 2) if DC2 is down, DC1 is used.
> 3) If both DC's are down, the DC still has internet, clients not.
> But without any DC, your network is in serious problem..

that's why I push adding a 2nd ... and the admin there understands ...

> The DC still has internet due to Nameserver IP_of_anyother_dns.
> And you need that when your in trouble.

very helpful, thanks!
I think I would have come up with a similar setup, but now I can use
this as *howto* or template ;-)

Stefan




Re: DC's are unavailable when PDC halted

Samba - General mailing list
On Wed, 8 Nov 2017 14:33:28 +0100
Ervin Hegedüs <[hidden email]> wrote:

> The current device (Aruba) can authenticate only if the
>
>   ntlm auth = yes
>
> had turned on (but I'll check it again, may be the ntlmv2 is
> enough).

All I can do is advise you: NTLMv1 is easily crackable, so if you can
use a stronger authentication method, then I suggest you use it.

If you are only using the Unix domain member for authentication, you
might as well remove it and use one or both of the DCs instead.
 
 

>
> I left the domain (from client), and re-join again, but now I got
> this message:
>
> # net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- CORE
> Joined 'OPEN-CLIENT' to dns domain 'core.mydomain.hu'
> DNS Update for open-client.core.mydomain.hu failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> # wbinfo --ping-dc
> checking the NETLOGON for domain[CORE] dc connection to
> "open-ldap.core.mydomain.hu" succeeded
>
> # ntlm_auth --username=abc_airween --password=GOODPASS --domain=CORE
> --target-hostname=open-ldap2.core.mydomain.hu NT_STATUS_OK: Success
> (0x0) # ntlm_auth --username=abc_airween --password=GOODPASS
> --domain=CORE --target-hostname=open-ldap.core.mydomain.hu
> NT_STATUS_OK: Success (0x0)
>
> # ntlm_auth --username=abc_airween --password=WRONGPASS --domain=CORE
> --target-hostname=open-ldap.core.mydomain.hu
> NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) # ntlm_auth
> --username=abc_airween --password=WRONGPASS # --domain=CORE
> --target-hostname=open-ldap2.core.mydomain.hu
> NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
>
> so, looks like it works.
>
> # net ads status
>
> gives a very long output.
>
> And wbinfo gives only open-ldap as DC:
>
> # wbinfo --dsgetdcname=CORE
> open-ldap.core.mydomain.hu
> \\10.10.20.202
> 1
> 37241698-63dd-40d5-805b-d83f4a35223a
> core.mydomain.hu
> core.mydomain.hu
> 0xe00013fd
> Default-First-Site-Name
> Default-First-Site-Name
>
> # wbinfo --getdcname=CORE
> OPEN-LDAP
>
> # wbinfo -a abc_airween%GOODPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%GOODPASS with plaintext
> password challenge/response password authentication succeeded
>
> # wbinfo -a abc_airween%WRONGPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%WRONGPASS with plaintext
> password challenge/response password authentication failed
> wbcAuthenticateUserEx(CORE\abc_airween): error code was
> NT_STATUS_WRONG_PASSWORD (0xc000006a) error message was: Wrong
> Password Could not authenticate user abc_airween with
> challenge/response
>
>
> At this point I made open-ldap (the first server) as
> unattainable, and the result of the command above:
>
> # time wbinfo -a abc_airween%GOODPASS
> plaintext password authentication failed
> Could not authenticate user abc_airween%GOODPASS with plaintext
> password challenge/response password authentication failed
> Could not authenticate user abc_airween with challenge/response
>
> real 1m2.640s
> user 0m0.012s
> sys 0m0.000s
>
> it waits 1 minute, and then I got the message.
>
> When I turned off the open-ldap2, and open-ldap works, then the
> wbinfo -a returns with succeed, but only after 30 seconds.


OK, the problem here is not that you have turned off the first DC, it
is that the client keeps trying to connect to it for 30 seconds.

You need to add:

'timeout:1 attempts:2 rotate'

to /etc/resolv.conf

Rowland


>
>
> So, looks like something is still wrong - may be I'm using wbinfo
> as wrong way?
>
>
> What should I do that the auth method works as well, when a DC
> kicked out?
>
>
>
> a.
>
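The NTLMv1 point above is the security-relevant one for the captive-portal setup: `ntlm auth = yes` on a DC re-enables NTLMv1 for every client, not only for the RADIUS/MSCHAPv2 path that 802.1x needs. The following is an added example (not code from the thread or from the Samba project) that parses the [global] section of an smb.conf and reports what each `ntlm auth` value permits, with the weak setting from the thread beside the narrower one. The value names are Samba's own (see "ntlm auth" in `man smb.conf`); the smb.conf texts are constructed samples, and whether a given Samba release accepts `mschapv2-and-ntlmv2-only` has to be checked against that release's manual.

```python
"""Classify the `ntlm auth` setting in a Samba DC's smb.conf.

Added example, not from the thread or from Samba.  Parses [global] and
reports what the configured value permits, so the weakest setting that
still serves 802.1x/MSCHAPv2 can be picked.  Sample configs below are
constructed for this example.
"""
from typing import Dict

SMB_CONF_WEAK = """\
[global]
    workgroup = CORE
    realm = CORE.MYDOMAIN.HU
    server role = active directory domain controller
    ntlm auth = yes
"""

SMB_CONF_HARDENED = """\
[global]
    workgroup = CORE
    realm = CORE.MYDOMAIN.HU
    server role = active directory domain controller
    # NTLMv1-style responses only for callers that declare MSCHAPv2
    # (ntlm_auth on the RADIUS server); plain NTLMv1 logons stay refused.
    ntlm auth = mschapv2-and-ntlmv2-only
"""

# value -> (canonical name, NTLMv1 allowed for any client, MSCHAPv2 via ntlm_auth works)
NTLM_AUTH_VALUES = {
    "yes": ("ntlmv1-permitted", True, True),
    "ntlmv1-permitted": ("ntlmv1-permitted", True, True),
    "no": ("ntlmv2-only", False, False),
    "ntlmv2-only": ("ntlmv2-only", False, False),
    "mschapv2-and-ntlmv2-only": ("mschapv2-and-ntlmv2-only", False, True),
    "disabled": ("disabled", False, False),
}


def parse_global(text: str) -> Dict[str, str]:
    """Return [global] parameters, keys lower-cased with whitespace squeezed."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def classify_ntlm_auth(text: str, needs_mschapv2: bool) -> Dict[str, object]:
    """Describe what the configured `ntlm auth` allows and what to change."""
    raw = parse_global(text).get("ntlm auth", "ntlmv2-only").lower()  # default since Samba 4.5
    canonical, v1_for_all, mschapv2_ok = NTLM_AUTH_VALUES.get(raw, (raw, None, None))
    if v1_for_all is None:
        advice = f"unknown value {raw!r}: check man smb.conf"
    elif v1_for_all:
        advice = ("use mschapv2-and-ntlmv2-only (if this Samba supports it) so only "
                  "declared MSCHAPv2 callers get NTLMv1-style responses"
                  if needs_mschapv2 else "set ntlmv2-only: NTLMv1 is not needed")
    elif needs_mschapv2 and not mschapv2_ok:
        advice = "MSCHAPv2 via ntlm_auth will fail: use mschapv2-and-ntlmv2-only"
    else:
        advice = "ok"
    return {"value": canonical, "ntlmv1_for_all_clients": v1_for_all,
            "mschapv2_via_ntlm_auth": mschapv2_ok, "recommendation": advice}


if __name__ == "__main__":
    for label, conf in (("weak", SMB_CONF_WEAK), ("hardened", SMB_CONF_HARDENED)):
        print(label, classify_ntlm_auth(conf, needs_mschapv2=True))
```

Run it against the DC's real smb.conf by reading the file into `classify_ntlm_auth`; `needs_mschapv2` is True when a RADIUS server authenticates PEAP/MSCHAPv2 users through ntlm_auth, which is the case an 802.1x captive portal usually creates.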



Re: DC's are unavailable when PDC halted

Samba - General mailing list
On Wed, Nov 08, 2017 at 03:21:28PM +0000, Rowland Penny wrote:

> On Wed, 8 Nov 2017 14:33:28 +0100
> Ervin Hegedüs <[hidden email]> wrote:
>
> > The current device (Aruba) can authenticate only if the
> >
> >   ntlm auth = yes
> >
> > had turned on (but I'll check it again, may be the ntlmv2 is
> > enough).
>
> All I can do is advise you, NTLMv1 is easily crackable, so, if you can
> use a stronger authentication method, then I suggest you use it.

yes, thanks - I'll check whether the CP will still work when I drop
ntlm auth from the config.

> If you are only using the Unix domain member for authentication, you
> might as well remove it and use one or both of the DCs instead.

this Unix domain member test (with Linux) is just a "test". The
final box will be an Aruba cluster. That's also a Linux box, but we
don't know what runs inside it.
 

> > real 1m2.640s
> > user 0m0.012s
> > sys 0m0.000s
> >
> > it waits 1 minute, and then I got the message.
> >
> > When I turned off the open-ldap2, and open-ldap works, then the
> > wbinfo -a returns with succeed, but only after 30 seconds.
>
>
> OK, the problem here is not that you have turned off the first DC, it
> is that the client keeps trying to connect to it for 30 seconds.
>
> You need to add:
>
> 'timeout:1 attempts:2 rotate'
>
> to /etc/resolv.conf

# cat /etc/resolv.conf
options timeout:1
options attempts:2
options rotate
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204

# wbinfo --ntlmv2 -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication failed
wbcAuthenticateUserEx(CORE\abc_airween): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user abc_airween with challenge/response


but I wrote the lines above, and after about 2-3 minutes, now it
works:

# wbinfo --ntlmv2 -a abc_airween%GOODPASS
plaintext password authentication failed
Could not authenticate user abc_airween%GOODPASS with plaintext password
challenge/response password authentication succeeded


I'm not sure that _this_ is the solution. I've never read that
these DNS settings are required.

How can I check that the Samba4 DNS service works correctly?

The regular checks (host -t A some.domain.com, etc...) work.

I've set up both DCs for the _ldap._tcp.core.mydomain.hu SRV,
_kerberos._udp SRV, and core.mydomain.hu A records. Now the
client gets both DCs for all DNS requests. Is that correct?


Thanks again,


a.
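The resolv.conf shown in this message, together with Rowland's `timeout:1 attempts:2 rotate` advice, is what a practitioner would want to verify on every domain member. The following is an added example (not code from the thread or from Samba) that parses a resolv.conf, audits it against the points made in the thread (the DCs listed first and at least two of them, no loopback, a short timeout and `rotate`), and estimates how long one lookup stalls when a DC is down. The DC addresses are the ones shown in the thread; the delay figure is a simplified model of glibc's retry loop (each attempt walks the nameserver list and waits `timeout` seconds on every server that does not answer) and is an estimate, not a measurement.

```python
"""Audit /etc/resolv.conf on an AD domain member for DC failover.

Added example, not from the thread or from Samba.  The two sample
files below are constructed; the addresses are the DC IPs from the
thread.  The delay model is a simplification of glibc's res_send loop.
"""
from dataclasses import dataclass, field
from typing import List, Set

DC_ADDRESSES = {"10.10.20.202", "10.10.20.204"}

RESOLV_CONF_DEFAULT = """\
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204
"""

RESOLV_CONF_TUNED = """\
options timeout:1
options attempts:2
options rotate
search core.mydomain.hu
nameserver 10.10.20.202
nameserver 10.10.20.204
"""


@dataclass
class ResolvConf:
    nameservers: List[str] = field(default_factory=list)
    search: List[str] = field(default_factory=list)
    timeout: int = 5    # glibc default (RES_TIMEOUT)
    attempts: int = 2   # glibc default (RES_DFLRETRY)
    rotate: bool = False


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the subset of resolv.conf(5) that matters for failover."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key in ("search", "domain"):
            conf.search = args
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                if name == "timeout" and value.isdigit():
                    conf.timeout = int(value)
                elif name == "attempts" and value.isdigit():
                    conf.attempts = int(value)
                elif name == "rotate":
                    conf.rotate = True
    return conf


def worst_case_lookup_delay(conf: ResolvConf, dead: Set[str]) -> int:
    """Seconds one lookup stalls when the servers in `dead` never answer.

    Each attempt walks the list in order and waits `timeout` on every
    unresponsive server.  With `rotate` the starting server changes from
    query to query, so the worst case is unchanged but only about half
    the queries hit it.
    """
    delay = 0
    for _ in range(conf.attempts):
        for ns in conf.nameservers:
            if ns in dead:
                delay += conf.timeout
            else:
                return delay
    return delay  # all dead: attempts * len(nameservers) * timeout


def audit_resolv_conf(text: str, dc_addresses: Set[str]) -> List[str]:
    """Return findings; an empty list means the file follows the thread's advice."""
    conf = parse_resolv_conf(text)
    findings = []
    dcs_listed = [ns for ns in conf.nameservers if ns in dc_addresses]
    if not dcs_listed:
        findings.append("no DC listed as a nameserver")
    elif conf.nameservers[0] not in dc_addresses:
        findings.append(f"first nameserver {conf.nameservers[0]} is not a DC")
    if len(dcs_listed) < 2:
        findings.append("fewer than two DCs listed: no DNS failover")
    if any(ns.startswith("127.") or ns == "::1" for ns in conf.nameservers):
        findings.append("loopback nameserver: use the DC's LAN address instead")
    if conf.timeout >= 5:
        findings.append(f"timeout:{conf.timeout}: each lookup waits {conf.timeout}s per dead DC")
    if not conf.rotate:
        findings.append("rotate not set: every query starts at the first nameserver")
    return findings


if __name__ == "__main__":
    for label, text in (("default", RESOLV_CONF_DEFAULT), ("tuned", RESOLV_CONF_TUNED)):
        conf = parse_resolv_conf(text)
        print(label, audit_resolv_conf(text, DC_ADDRESSES),
              "first DC down ->", worst_case_lookup_delay(conf, {"10.10.20.202"}), "s")
```

The estimate only covers the libc resolver; winbind and Kerberos each do several lookups and have their own connection timeouts, which is why the thread saw 30 to 60 second stalls rather than a single 5 second one.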




Re: DC's are unavailable when PDC halted

Samba - General mailing list
Hi,


On Wed, Nov 08, 2017 at 03:21:28PM +0000, Rowland Penny wrote:

> On Wed, 8 Nov 2017 14:33:28 +0100
> Ervin Hegedüs <[hidden email]> wrote:
>
> > When I turned off the open-ldap2, and open-ldap works, then the
> > wbinfo -a returns with succeed, but only after 30 seconds.
>
>
> OK, the problem here is not that you have turned off the first DC, it
> is that the client keeps trying to connect to it for 30 seconds.
>
> You need to add:
>
> 'timeout:1 attempts:2 rotate'
>
> to /etc/resolv.conf

okay, maybe I've found something interesting: the DCs have 2
network interfaces (eth0: 192.168.100.n/26, eth1: 10.10.20.m/25).

We planned that eth0 and that network would be used.

But I've added the other network's addresses to DNS too.

Perhaps this was my mistake, because I removed the 10.10.20.x
addresses from DNS (from the domain, and from the DCs' A records), and now
I can turn off either DC (while the other works, of course), and the client
can authenticate!

But. :)

After some minutes, the 10.10.20.x address came back into DNS...
and I didn't set it up...

# host -t A core.mydomain.hu
core.mydomain.hu has address 192.168.255.100
core.mydomain.hu has address 192.168.255.99

(after a few minutes...)

# host -t A core.mydomain.hu
core.mydomain.hu has address 192.168.255.100
core.mydomain.hu has address 10.10.20.202
core.mydomain.hu has address 192.168.255.99


How can I prevent this record from appearing in the zone?

I can delete that with samba-tool:

# samba-tool dns delete open-ldap.core.mydomain.hu core.mydomain.hu core.mydomain.hu A 10.10.20.202  -[hidden email]
Password for [[hidden email]]:
Record deleted successfully
# host -t A core.mydomain.hu
core.mydomain.hu has address 192.168.255.100
core.mydomain.hu has address 192.168.255.99


but it comes back again after some minutes...


Thanks,


a.



Re: DC's are unavailable when PDC halted

Samba - General mailing list
On Wed, 8 Nov 2017 17:20:09 +0100
Ervin Hegedüs <[hidden email]> wrote:

> Hi,
>
>
> On Wed, Nov 08, 2017 at 03:21:28PM +0000, Rowland Penny wrote:
> > On Wed, 8 Nov 2017 14:33:28 +0100
> > Ervin Hegedüs <[hidden email]> wrote:
> >
> > > When I turned off the open-ldap2, and open-ldap works, then the
> > > wbinfo -a returns with succeed, but only after 30 seconds.
> >
> >
> > OK, the problem here is not that you have turned off the first DC,
> > it is that the client keeps trying to connect to it for 30 seconds.
> >
> > You need to add:
> >
> > 'timeout:1 attempts:2 rotate'
> >
> > to /etc/resolv.conf
>
> okay, may be I've found something interest: the DC's have 2
> network interfaces (eth0: 192.168.100.n/26, eth1: 10.10.20.m/25).
>
> We planned, that the eth0 and that network will be used.
>
> But I've added the another network addresses to DNS too.
>
> Perhaps this was my mistake, because I've removed the 10.10.20.x
> addresses from DNS (from domain, and from DC's A record), and now I
> turned off any DC (till another works, of course), and client can
> authenticate!
>
> But. :)
>
> After some minutes, the 10.10.20.x address gone back to DNS...
> and I didn't set it up...
>
> # host -t A core.mydomain.hu
> core.mydomain.hu has address 192.168.255.100
> core.mydomain.hu has address 192.168.255.99
>
> (takes few minutes...)
>
> # host -t A core.mydomain.hu
> core.mydomain.hu has address 192.168.255.100
> core.mydomain.hu has address 10.10.20.202
> core.mydomain.hu has address 192.168.255.99
>
>
> How can I prevent that this record appears in zone?
>
> I can delete that with samba-tool:
>
> # samba-tool dns delete open-ldap.core.mydomain.hu core.mydomain.hu
> core.mydomain.hu A 10.10.20.202  -[hidden email]
> Password for [[hidden email]]: Record deleted
> successfully # host -t A core.mydomain.hu
> core.mydomain.hu has address 192.168.255.100
> core.mydomain.hu has address 192.168.255.99
>
>
> but it comes again after some minutes...
>
>
> Thanks,
>
>
> a.
>

Something must be putting it back, do you have a DHCP client running on
the machine?

I have thought of something else, are both of your DCs authoritative
for the DNS domain?

Rowland


Re: DC's are unavailable when PDC halted

Samba - General mailing list
Hi Rowland,

On Wed, Nov 08, 2017 at 04:27:22PM +0000, Rowland Penny via samba wrote:

> On Wed, 8 Nov 2017 17:20:09 +0100
> Ervin Hegedüs <[hidden email]> wrote:
>
> >
> > but it comes again after some minutes...
> >
> >
>
> Something must be putting it back, do you have a dhcp client running on
> the machine ?

no, all interfaces configured statically,
 
> I have thought of something else, are both of your DCs Authoritative
> for the dns domain ?

they know about themselves that they are :).

Now I've removed the 10.10.20.x addresses from everywhere
(resolv.conf, hosts), I'll check it soon.

But your resolv.conf options are still required for the failover
mode to work.


a.
