It happened again. When it happens, it happens at exactly the top of the hour. Same symptoms and results as below.
On Jun 11, 2013, at 12:08 AM, "Kristofer Pettijohn" <[email protected]> wrote:

>> I would need logs and network traces to investigate this further.
>>
>> Could it be a Kerberos ticket expiring?
>>
>> Does it still happen if you upgrade a test member server to 3.6 or 4.0
>> (so we can narrow down the issue)?
>
> I have logs (debug 16 from the client) and a network trace. If you would
> like me to send them somewhere, let me know where you would like them.
>
>
> Received an alert that RADIUS authentication fails (NTLM).
>
> Logged into the RADIUS server via ssh (which uses winbind for auth) and received this
> error: Domain Controller unreachable, using cached credentials instead.
> Network resources may be unavailable
>
> Ran "net ads info":
>
> [root@durad1 ~]# net ads info
> LDAP server: 10.9.10.81
> LDAP server name: brsad.ad.bigrocksports.com
> Realm: AD.BIGROCKSPORTS.COM
> Bind Path: dc=AD,dc=BIGROCKSPORTS,dc=COM
> LDAP port: 389
> Server time: Tue, 11 Jun 2013 00:42:44 EDT
> KDC server: 10.9.10.81
> Server time offset: 0
>
> Ran "net ads lookup":
>
> [root@durad1 ~]# net ads lookup
> Information for Domain Controller: 10.9.10.81
>
> Response Type: LOGON_SAM_LOGON_RESPONSE_EX
> GUID: 61b8eb21-20b7-459b-8d7e-224ea1fa85d5
> Flags:
>
> Is a PDC: yes
> Is a GC of the forest: yes
> Is an LDAP server: yes
> Supports DS: yes
> Is running a KDC: yes
> Is running time services: yes
> Is the closest DC: yes
> Is writable: yes
> Has a hardware clock: yes
> Is a non-domain NC serviced by LDAP server: no
> Is NT6 DC that has some secrets: no
> Is NT6 DC that has all secrets: no
> Forest: ad.bigrocksports.com
> Domain: ad.bigrocksports.com
> Domain Controller: brsad.ad.bigrocksports.com
> Pre-Win2k Domain: BRS
> Pre-Win2k Hostname: BRSAD
> Server Site Name : Default-First-Site-Name
> Client Site Name : Default-First-Site-Name
> NT Version: 5
> LMNT Token: ffff
> LM20 Token: ffff
>
> Tried a winbind ping:
>
> [root@durad1 ~]# wbinfo -p
> Ping to winbindd succeeded
>
> id <username> fails with "No such user".
>
> kinit [email protected] works.
>
> The email server authenticates against LDAP, and that is working without an
> issue.
>
> Restarted winbind on the RADIUS server; this did not change the failed results.
>
> ntlm_auth fails:
>
> [root@durad1 ~]# /usr/bin/ntlm_auth --request-nt-key
> --domain=AD.BIGROCKSPORTS.COM --username=kpettijohn --password=<password>
> NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
>
> Attempted to leave and re-join the domain:
>
> [root@durad1 samba]# net ads join -U Administrator
> Enter Administrator's password:
> Failed to join domain: failed to lookup DC info for domain
> 'AD.BIGROCKSPORTS.COM' over rpc: The connection was refused
>
> Restarted the Samba DC on 10.9.10.81 (brsad.ad.bigrocksports.com), and the machine can
> now join and ntlm_auth works.
>
>

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
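The diagnostic chain in the message above (wbinfo ping, net ads info, ntlm_auth) is easy to script so that it runs from cron every few minutes and timestamps each result, which lets an "exactly at the top of the hour" failure be lined up with the clock instead of being caught by hand. The script below is an added example, not code from the thread or from the Samba project. It goes a little beyond the poster's chain by also checking the machine trust secret (wbinfo -t) and the DC clock offset, since Kerberos rejects tickets once skew exceeds its 300-second default. REALM, TESTUSER and TESTPASS are placeholders; the script assumes the standard Samba client tools wbinfo, net and ntlm_auth, including a winbind build that provides wbinfo --ping-dc.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): winbind/AD health probe.
# Runs the poster's checks in order, stops at the first failure, and prefixes
# every line with a timestamp so failures can be correlated with the hour.
# Placeholders below are assumptions; set them from the environment.

REALM="${REALM:-AD.EXAMPLE.COM}"     # assumed realm; replace with your own
TESTUSER="${TESTUSER:-svc_probe}"    # assumed low-privilege probe account
TESTPASS="${TESTPASS:-}"             # supply via environment, never hard-code
MAX_SKEW=300                         # Kerberos default clock-skew tolerance (s)

# Read `net ads info` output on stdin, pull the "Server time offset:" value
# and print ok:<n>, skew:<n> or unknown. Pure text processing, testable offline.
check_time_offset() {
    offset=$(awk -F': *' '/^Server time offset:/ { print $2; exit }')
    case "$offset" in
        ''|*[!0-9-]*) echo "unknown"; return 1 ;;
    esac
    abs=${offset#-}
    if [ "$abs" -gt "$MAX_SKEW" ]; then
        echo "skew:$offset"; return 1
    fi
    echo "ok:$offset"; return 0
}

# Reduce an ntlm_auth result line to a token naming the next step:
#   ok               - DC answered and accepted the credentials
#   no_logon_servers - winbind has no usable DC (the poster's case); check the
#                      DC first, then `net ads testjoin`
#   logon_failure    - DC reachable, credentials rejected
#   locked_out       - account lockout, stop probing before making it worse
classify_ntlm_auth() {
    case "$1" in
        NT_STATUS_OK*)                 echo "ok" ;;
        NT_STATUS_NO_LOGON_SERVERS*)   echo "no_logon_servers" ;;
        NT_STATUS_LOGON_FAILURE*)      echo "logon_failure" ;;
        NT_STATUS_ACCOUNT_LOCKED_OUT*) echo "locked_out" ;;
        *)                             echo "unexpected" ;;
    esac
}

# Live chain. Each step fails fast; the timestamp is what you grep for later.
run_checks() {
    ts=$(date '+%Y-%m-%dT%H:%M:%S%z')
    for tool in wbinfo net ntlm_auth; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$ts skip: $tool not installed"; return 2; }
    done
    wbinfo -p >/dev/null 2>&1        || { echo "$ts FAIL: winbindd not answering"; return 1; }
    wbinfo --ping-dc >/dev/null 2>&1 || { echo "$ts FAIL: winbindd cannot reach its DC"; return 1; }
    wbinfo -t >/dev/null 2>&1        || { echo "$ts FAIL: machine trust secret check failed"; return 1; }
    info=$(net ads info 2>&1)        || { echo "$ts FAIL: net ads info: $info"; return 1; }
    skew=$(printf '%s\n' "$info" | check_time_offset) || { echo "$ts FAIL: clock $skew"; return 1; }
    if [ -n "$TESTPASS" ]; then
        # --password lands in the process list; use a throwaway probe account.
        out=$(ntlm_auth --request-nt-key --domain="$REALM" \
                        --username="$TESTUSER" --password="$TESTPASS" 2>&1)
        res=$(classify_ntlm_auth "$out")
        case "$res" in
            ok) ;;
            *)  echo "$ts FAIL: ntlm_auth $res ($out)"; return 1 ;;
        esac
    fi
    echo "$ts OK: winbindd, DC, trust secret, clock ($skew) and ntlm_auth pass"
}

# Invoke as `sh probe.sh run` from cron, e.g. every 5 minutes; no argument
# just defines the functions so they can be sourced.
case "${1:-}" in
    run) run_checks ;;
esac
```

Log the output to a file and look at which step first fails at the hour boundary: a winbindd ping that still succeeds while ping-dc fails points at the DC or the network rather than at the local winbind, which matches the poster's observation that only restarting the DC cleared it.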
