Re: [Samba] [airween@xxxxxxxxx: DC's are still unavailable when PDC halted]




Hello,

I've increased the loglevel to get some info on client.

When I turned off the DC, I got these lines in the log:

[2017/11/14 10:10:25.398269,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"
[2017/11/14 10:10:26.438916,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/11/14 10:10:26.439488,  5] ../source3/winbindd/winbindd_cm.c:1113(cm_prepare_connection)
  connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]
[2017/11/14 10:10:26.439747,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=96)
[2017/11/14 10:10:26.439965,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/11/14 10:10:26.440268,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/11/14 10:10:26.440393,  3] ../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
  cli_session_setup_spnego: using target hostname not SPNEGO principal
[2017/11/14 10:10:26.440496,  3] ../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
  cli_session_setup_spnego: guessed server principal=cifs/open-ldap2.wificloud.local@WIFICLOUD.LOCAL
[2017/11/14 10:10:26.683320,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/11/14 10:10:26.689164,  1] ../source3/rpc_client/cli_pipe.c:421(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:421: Bind NACK received from host open-ldap2.wificloud.local!
[2017/11/14 10:10:26.689801,  3] ../source3/rpc_client/cli_pipe.c:1926(rpc_pipe_bind_step_one_done)
  rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.690068,  1] ../source3/rpc_client/cli_pipe.c:3311(cli_rpc_pipe_open_schannel_with_creds)
  cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.690203,  3] ../source3/winbindd/winbindd_cm.c:3405(cm_connect_netlogon_transport)
  Could not open schannel'ed NETLOGON pipe. Error was NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691016,  3] ../source3/winbindd/winbindd_dual_srv.c:758(_wbint_PingDc)
  could not open handle to NETLOGON pipe: NT_STATUS_NETWORK_ACCESS_DENIED
[2017/11/14 10:10:26.691185,  4] ../source3/winbindd/winbindd_dual.c:1396(child_handler)
  Finished processing child request 56

So, it looks like the first message contains the preferred
server list, and in the first place is the halted server.

get_dc_list: preferred server list: "open-ldap.wificloud.local, open-ldap.wificloud.local, open-ldap2.wificloud.local, *"

but the client connects to open-ldap2:

connecting to open-ldap2.wificloud.local from OPEN-CLIENT with kerberos principal [OPEN-CLIENT$@WIFICLOUD.LOCAL] and realm [wificloud.local]

and then comes the error message:

rpc_pipe_bind: host open-ldap2.wificloud.local bind request returned NT_STATUS_NETWORK_ACCESS_DENIED
...

But I don't know why. Till those lines come to the log, the
wbinfo timed out, and after a minute it gives:

wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)

And the next request, it works... Why? What am I missing?


Thanks,


a.



On Mon, Nov 13, 2017 at 03:31:16PM +0100, Ervin Hegedüs wrote:
> Hi folks,
> 
> sorry for the re-post, I need some help to solve this problem.
> 
> Since my previous e-mail, we made a set-up: there is a Clear Pass
> device (Aruba), which controls the network access for users.
> 
> Between the CP and these two DCs there is a load balancer.
> 
> But when we stopped DC1, which was set up first, while DC2
> kept working continuously, the authentication of users stopped
> for a few minutes. Without the LB, there is the same situation.
> 
> It looks like DC2 (which joined the domain later) needs
> DC1.
> 
> But now, here is the original e-mail:
> 
> 
> 
> I've completely re-installed my DCs and Linux member. I've
> followed the docs step-by-step on Samba's wiki page, everything
> works as well.
> 
> Here is what I see on my member
> 
> # cat /etc/hosts
> 127.0.0.1	localhost localhost.localdomain
> 
> 192.168.255.98	open-client.wificloud.local	open-client
> 
> 
> # cat /etc/resolv.conf 
> options timeout:1
> options attempts:2
> options rotate
> search wificloud.local
> nameserver 192.168.255.99
> nameserver 192.168.255.100
> 
> first check:
> 
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded
> 
> real	0m0.017s
> user	0m0.012s
> sys	0m0.000s
> 
> right, seems like it works, shut down the DC above
> (open-ldap), and check again:
> 
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" failed
> wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)
> 
> real	1m4.560s
> user	0m0.008s
> sys	0m0.004s
> # time wbinfo --ping-dc
> hecking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" succeeded
> 
> real	0m40.595s
> user	0m0.008s
> sys	0m0.008s
> 
> okay, it works after some sleeping... open-ldap brought up,
> open-ldap2 shut down, check again:
> 
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap2.wificloud.local" failed
> wbcPingDc2(WIFICLOUD): error code was NT_STATUS_NETWORK_ACCESS_DENIED (0xc00000ca)
> 
> real	0m16.309s
> user	0m0.004s
> sys	0m0.008s
> # time wbinfo --ping-dc
> checking the NETLOGON for domain[WIFICLOUD] dc connection to "open-ldap.wificloud.local" succeeded
> 
> real	0m1.260s
> user	0m0.008s
> sys	0m0.004s
> 
> well done - it works, but after the DC stops, there is too much
> timeout. How can I decrease it?
> 
> 
> 
> Thanks,
> 
> 
> 
> a.
> 
> 
