[airween@gmail.com: DC's are still unavailable when PDC halted]

Samba - General mailing list
Hi folks,

sorry for the re-post, I need some help to solve this problem.

Since my previous e-mail, we made a set-up: there is a Clear Pass
device (Aruba), which controls the network access for users.

Between the CP and these two DC's there is a load balancer.

But, when we stopped the DC1, which was set up first, and the DC2
works continuously, then the authentication of users is stopped
for a few minutes. Without LB, there is the same situation.

Looks like the DC2 (which had joined later to the domain) needs
DC1.

But now, here is the original e-mail:



I've completely re-installed my DC's and Linux member. I've
followed the docs step-by-step on Samba's wiki page, everything
works as well.

Here is what I see on my member:

# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain

192.168.255.98 open-client.wificloud.local open-client


# cat /etc/resolv.conf
options timeout:1
options attempts:2
options rotate
search wificloud.local
nameserver 192.168.255.99
nameserver 192.168.255.100

first check:

# time wbinfo --ping-dc
checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded

real 0m0.017s
user 0m0.012s
sys 0m0.000s

right, seems like it works, shut down the DC above
(open-ldap), and check again:

# time wbinfo --ping-dc
checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" failed
wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)

real 1m4.560s
user 0m0.008s
sys 0m0.004s
# time wbinfo --ping-dc
hecking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" succeeded

real 0m40.595s
user 0m0.008s
sys 0m0.008s

okay, it works after some sleeping... open-ldap brought up,
open-ldap2 shut down, check again:

# time wbinfo --ping-dc
checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" failed
wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)

real 0m16.309s
user 0m0.004s
sys 0m0.008s
# time wbinfo --ping-dc
checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded

real 0m1.260s
user 0m0.008s
sys 0m0.004s

well done - it works, but after the DC stops, there is too much
timeout. How can I decrease it?



Thanks,



a.



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [airween@gmail.com: DC's are still unavailable when PDC halted]

Hello,

I've increased the log level to get some info on the client.

When I turned off the DC, I've got these lines in the log:

[2017/11/14 10:10:25.398269,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"
[2017/11/14 10:10:26.438916,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/11/14 10:10:26.439488,  5] ../source3/winbindd/winbindd_cm.c:1113(cm_prepare_connection)
  connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]
[2017/11/14 10:10:26.439747,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=96)
[2017/11/14 10:10:26.439965,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/11/14 10:10:26.440268,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/11/14 10:10:26.440393,  3] ../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
  cli_session_setup_spnego: using target hostname not SPNEGO principal
[2017/11/14 10:10:26.440496,  3] ../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
  cli_session_setup_spnego: guessed server principal=cifs/[hidden email]
[2017/11/14 10:10:26.683320,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/11/14 10:10:26.689164,  1] ../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host open-ldap2.wificloud.local!
[2017/11/14 10:10:26.689801,  3] ../source3/rpc_client/cli_pipe.c:1926(rpc_pipe_bind_step_one_done)
  rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.690068,  1] ../source3/rpc_client/cli_pipe.c:3311(cli_rpc_pipe_open_schannel_with_creds)
  cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.690203,  3] ../source3/winbindd/winbindd_cm.c:3405(cm_connect_netlogon_transport)
  Could not open schannel'ed NETLOGON pipe. Error was NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691016,  3] ../source3/winbindd/winbindd_dual_srv.c:758(_wbint_PingDc)
  could not open handle to NETLOGON pipe: NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691185,  4] ../source3/winbindd/winbindd_dual.c:1396(child_handler)
  Finished processing child request 56

So, it looks like the first message contains the preferred
server list, and in the first place is the halted server.

get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"

but the client connects to open-ldap2:

connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]

and then comes the error message:

rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
...

But I don't know why. Till those lines come to the log, the
wbinfo timed out, and after a minute it gives:

wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)

And the next request, it works... Why? What am I missing?


Thanks,


a.



On Mon, Nov 13, 2017 at 03:31:16PM +0100, Ervin Hegedüs wrote:

> Hi folks,
>
> sorry for the re-post, I need some help to solve this problem.
>
> Since my previous e-mail, we made a set-up: there is a Clear Pass
> device (Aruba), which controls the network access for users.
>
> Between the CP and these two DC's there is a load balancer.
>
> But, when we stopped the DC1, which was set up first, and the DC2
> works continuously, then the authentication of users is stopped
> for a few minutes. Without LB, there is the same situation.
>
> Looks like the DC2 (which had joined later to the domain) needs
> DC1.
>
> But now, here is the original e-mail:
>
>
>
> I've completely re-installed my DC's and Linux member. I've
> followed the docs step-by-step on Samba's wiki page, everything
> works as well.
>
> Here is what I see on my member:
>
> # cat /etc/hosts
> 127.0.0.1 localhost localhost.localdomain
>
> 192.168.255.98 open-client.wificloud.local open-client
>
>
> # cat /etc/resolv.conf
> options timeout:1
> options attempts:2
> options rotate
> search wificloud.local
> nameserver 192.168.255.99
> nameserver 192.168.255.100
>
> first check:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded
>
> real 0m0.017s
> user 0m0.012s
> sys 0m0.000s
>
> right, seems like it works, shut down the DC above
> (open-ldap), and check again:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" failed
> wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)
>
> real 1m4.560s
> user 0m0.008s
> sys 0m0.004s
> # time wbinfo --ping-dc
> hecking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" succeeded
>
> real 0m40.595s
> user 0m0.008s
> sys 0m0.008s
>
> okay, it works after some sleeping... open-ldap brought up,
> open-ldap2 shut down, check again:
>
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" failed
> wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)
>
> real 0m16.309s
> user 0m0.004s
> sys 0m0.008s
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded
>
> real 0m1.260s
> user 0m0.008s
> sys 0m0.004s
>
> well done - it works, but after the DC stops, there is too much
> timeout. How can I decrease it?
>
>
>
> Thanks,
>
>
>
> a.
>
>
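
A small parser for the winbindd log excerpt in the second message, added here as an example (not code from the poster or the Samba project): it puts the preferred-DC list, the connection target and the bind failure on one timeline so the order of events can be read off with timings. The function names are made up for this example, and the entry layout (a bracketed header line followed by indented message lines) is inferred from the lines quoted in the thread.

```python
import re
from datetime import datetime

# Entries copied from the log in the post above (a subset, unmodified).
SAMPLE = '''\
[2017/11/14 10:10:25.398269,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"
[2017/11/14 10:10:26.439488,  5] ../source3/winbindd/winbindd_cm.c:1113(cm_prepare_connection)
  connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]
[2017/11/14 10:10:26.689801,  3] ../source3/rpc_client/cli_pipe.c:1926(rpc_pipe_bind_step_one_done)
  rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691016,  3] ../source3/winbindd/winbindd_dual_srv.c:758(_wbint_PingDc)
  could not open handle to NETLOGON pipe: NT_STATUS_NETWORK_ACCESS_DENIED
'''

ENTRY = re.compile(r'^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\] '
                   r'\S+:\d+\((\w+)\)\n((?:  .*\n?)*)', re.M)
EVENTS = [
    ('preferred', re.compile(r'preferred server list: "([^"]*)"')),
    ('connect', re.compile(r'connecting to (\S+) from ')),
    ('bind_fail', re.compile(r'rpc_pipe_bind: host (\S+) bind request returned (NT_STATUS_\w+)')),
]

def parse_entries(text):
    """Yield (timestamp, level, function, message) for each log entry."""
    for ts, level, func, body in ENTRY.findall(text):
        msg = ' '.join(line.strip() for line in body.splitlines())
        yield datetime.strptime(ts, '%Y/%m/%d %H:%M:%S.%f'), int(level), func, msg

def dc_timeline(text):
    """Return [(seconds_since_first_event, kind, details)] for DC selection events."""
    out, t0 = [], None
    for ts, _level, _func, msg in parse_entries(text):
        for kind, rx in EVENTS:
            m = rx.search(msg)
            if m:
                t0 = t0 or ts
                out.append((round((ts - t0).total_seconds(), 3), kind, m.groups()))
    return out

def preferred_dcs(timeline):
    """De-duplicated preferred DC names in list order, without the '*' wildcard."""
    raw = next((d[0] for _t, kind, d in timeline if kind == 'preferred'), '')
    return list(dict.fromkeys(n.strip() for n in raw.split(',') if n.strip() not in ('', '*')))

if __name__ == '__main__':
    events = dc_timeline(SAMPLE)
    print('preferred order:', preferred_dcs(events))
    print(*events, sep='\n')
```

Running the same functions over the full winbindd log for a failover window shows how long each step between the preferred-list lookup and the failed bind took.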
