mathias dufresne
2015-Dec-11 10:29 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hi Ole,

Using internal DNS, samba_dnsupdate does not work correctly, at least not every time.

Someone modified this samba_dnsupdate tool commenting this line:
os.unlink(tmpfile)
which should be line 413.

Doing that he was able to get the files generated by samba_dnsupdate and use them as argument of the nsupdate command (without the -g switch and with "allow dns updates = nonsecure" in smb.conf).

I was not able to make that process work here but I did not try hard. As this process was sent directly to me I share it.

The process I use to generate all DNS records is to run samba_dnsupdate --all-names --verbose and send the output of that command to the attached awk script.
The awk script gets information from samba_dnsupdate for each record and launches samba-tool to create the DNS record. This script is not clever: it tries to create all mentioned DNS records, generating warnings when a record already exists.

You will have to modify this awk script as the BEGIN section contains fake information related to the AD domain:

BEGIN {
    ad_zone = "YOUR.DOMAIN.TLD"
    msdcs_zone = "_msdcs." ad_zone
    dns_server = "YOUR-DC"
}

You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain configuration.

The awk script uses kerberos authentication when running samba-tool so you will need to generate a kerberos ticket for some AD admin before:
1°) kinit administrator
2°) samba_dnsupdate | awk -f dnsupdate.awk

As it is not an issue to try to create an entry which already exists you can run that script on each DC to make sure all entries are correctly created on all DCs.

Best regards,

mathias dufresne

2015-12-10 17:07 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> Hmm..
>
> >>>> Could this have to do with...
> >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
> >>>> DNS entries via this script on the wiki?
> >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC
> >>>> (with the same IP address)?
>
> This can be a problem yes, depending on the order of what and how you did
> it. I think you forgot to remove the "old" entry in the AD (with the user tool).
>
> I suggest you try the following; why? It saves time and then you're sure
> things are going OK.
>
> And remember BACKUPS! sysvol, things like that.
> (This is why my DCs are only DCs.)
>
> A) Install a new DC (any hardware, this is a temporary server).
> B) Check if all needed DNS records are available on the new DC.
> C) Don't use the same IP or hostname!
>
> Check, check, check, see previous e-mails for checkups and the DNS updates.
>
> If it's all OK, then,
> D) transfer the FSMO roles to this DC and check again.
> E) If OK, remove the wrong server.
> F) Check and remove remaining entries from the DNS AND OU=Computers in the
> RSAT user tool.
> G) Install a new DC again, on the "DC" hardware.
> If you're sure, now you can use the original hostname and IP.
> H) Transfer the FSMO roles back to this DC and check again.
>
> This should be about 30min-120min work and you end up with a good DNS and
> AD database.
>
> If you use virtuals, this is about 20 min work (for me, but I've scripted
> my installs). I've done this now about 4-5 times, works very well for me.
> Very important is that "old" entries are gone before you join the new one.
>
> But again, above is a suggestion, I think you save time by doing a new
> correct install.
>
> And a tip: don't use any IP anywhere for accessing server services.
> For example,
> ntp1.domain.tld CNAME DC1.domain.tld
> ntp2.domain.tld CNAME DC2.domain.tld
> ns1.domain.tld CNAME DC1.domain.tld
> ns2.domain.tld CNAME DC2.domain.tld
> ldap1.domain.tld CNAME DC1.domain.tld
> ldap2.domain.tld CNAME DC2.domain.tld
>
> Now for an easy switch, also add
> ntp.domain.tld CNAME ntp1.domain.tld
> ldap.domain.tld CNAME ldap1.domain.tld
>
> So if you set your server to ntp.domain.tld and you remove the server,
> just change the CNAME, wait out the TTL, and you're done.
> I do the same with my LDAP and proxy and web servers.
> If I need to maintain them, I change the CNAME, down the servers,
> do my work, up them again, and change it back when done.
> Keeps my users happy.. I do down servers etc. during work time..
> nobody notices it. :-)
> And a setup like above makes you very flexible to move things around;
> if you split up a server into 2 different servers (with services), I only
> change CNAMEs for the services.
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> > Sent: Thursday, 10 December 2015 16:14
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Authentication to Secondary Domain Controller
> > initially fails when PDC is offline
> >
> > On 10.12.2015 at 15:49, Rowland penny wrote:
> > > On 10/12/15 14:40, Ole Traupe wrote:
> > >>
> > >>>> However, my 2nd DC is not that new, I restarted it many times, just
> > >>>> again (samba service). No DNS records are created anywhere.
> > >>>>
> > >>>> If I go through the DNS console, in each and every container there
> > >>>> is some entry for the 1st DC, but none for the 2nd (except on the
> > >>>> top levels: FQDN and _msdcs.FQDN).
> > >>>>
> > >>>> Could this have to do with...
> > >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
> > >>>> DNS entries via this script on the wiki?
> > >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC
> > >>>> (with the same IP address)?
> > >>>>
> > >>> Possibly, but can you try this on your second DC, run
> > >>> 'samba_dnsupdate --verbose'
> > >>>
> > >>> Rowland
> > >>>
> > >>
> > >> Doesn't look too good to me:
> > >>
> > >> [root at DC2 me]# samba_dnsupdate --verbose
> > >> IPs: ['IP_of_2nd_DC']
> > >> Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as
> > >> DC2.my.domain.tld.
> > >> Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld. > > >> Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC > > >> Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > > >> 389 as _ldap._tcp.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 as > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV _kerberos._tcp.my.domain.tld > > >> DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > > >> _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Looking for DNS entry SRV _kerberos._udp.my.domain.tld > > >> DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. 
against SRV > > >> _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > > >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV > > >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > > >> Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld > > >> DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld. > > >> Checking 0 100 464 DC1.my.domain.tld. against SRV > > >> _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 > > >> Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld > > >> DC2.my.domain.tld 464 > > >> Looking for DNS entry SRV _kpasswd._udp.my.domain.tld > > >> DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld. > > >> Checking 0 100 464 DC1.my.domain.tld. against SRV > > >> _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 > > >> Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld > > >> DC2.my.domain.tld 464 > > >> Looking for DNS entry CNAME > > >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld > > >> DC2.my.domain.tld as > > >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld. > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 389 as > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. 
against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 as > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 88 as > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Looking for DNS entry SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 as > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as > > >> gc._msdcs.my.domain.tld. 
> > >> Failed to find matching DNS entry A gc._msdcs.my.domain.tld > > IP_of_2nd_DC > > >> Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld > > >> 3268 as _gc._tcp.my.domain.tld. > > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > > >> _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 > > >> Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld. > > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > > >> Looking for DNS entry SRV > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 3268 as > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. > > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Failed to find matching DNS entry SRV > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 as > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. > > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as > > >> DomainDnsZones.my.domain.tld. 
> > >> Failed to find matching DNS entry A DomainDnsZones.my.domain.tld > > >> IP_of_2nd_DC > > >> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld > > >> DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 as > > >> > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 > > >> Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as > > >> ForestDnsZones.my.domain.tld. > > >> Failed to find matching DNS entry A ForestDnsZones.my.domain.tld > > >> IP_of_2nd_DC > > >> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld > > >> DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 as > > >> > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. 
against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 > > >> Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> my.domain.tld. 900 IN A IP_of_2nd_DC > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > > >> 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 > > >> DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld. > > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kerberos._tcp.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 > > DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kerberos._udp.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 > > DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._tcp.dc._msdcs.my.domain.tld. 
900 IN SRV 0 100 88 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld > > >> DC2.my.domain.tld 464 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kpasswd._udp.my.domain.tld > > >> DC2.my.domain.tld 464 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 > > >> 100 389 DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN > > >> SRV 0 100 88 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > > 900 > > >> IN SRV 0 100 88 DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> gc._msdcs.my.domain.tld. 900 IN A IP_of_2nd_DC > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld > > >> 3268 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 3268 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 > > >> 100 3268 DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. > > >> 900 IN SRV 0 100 3268 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 > > >> DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. > > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> ForestDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 > > >> DC2.my.domain.tld. 
> > >>
> > >> ; TSIG error with server: tsig verify failure
> > >> update failed: FORMERR
> > >> Failed nsupdate: 2
> > >> Calling nsupdate for SRV
> > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld
> > >> 389 (add)
> > >> Outgoing update query:
> > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> > >> ;; UPDATE SECTION:
> > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
> > >>
> > >> ; TSIG error with server: tsig verify failure
> > >> update failed: FORMERR
> > >> Failed nsupdate: 2
> > >> Failed update of 24 entries
> > >>
> > >
> > > There is a known problem, even though the updates print '; TSIG error
> > > with server: tsig verify failure', it still works. Try running 'host
> > > -t SRV _kerberos._udp.my.domain.tld.' again.
> > >
> > > Rowland
> >
> > Nope, still one record.
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2015-Dec-11 11:07 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 11/12/15 10:29, mathias dufresne wrote:
> Hi Ole,
>
> Using internal DNS, samba_dnsupdate does not work correctly, at least not
> every time.
>
> Someone modified this samba_dnsupdate tool commenting this line:
> os.unlink(tmpfile)
> which should be line 413.
>
> Doing that he was able to get the files generated by samba_dnsupdate and use
> them as argument of the nsupdate command (without the -g switch and with
> "allow dns updates = nonsecure" in smb.conf).
>
> I was not able to make that process work here but I did not try hard. As
> this process was sent directly to me I share it.
>
> The process I use to generate all DNS records is to run samba_dnsupdate
> --all-names --verbose and send the output of that command to the attached
> awk script.
> The awk script gets information from samba_dnsupdate for each record and
> launches samba-tool to create the DNS record. This script is not clever: it
> tries to create all mentioned DNS records, generating warnings when a record
> already exists.
>
> You will have to modify this awk script as the BEGIN section contains fake
> information related to the AD domain:
>
> BEGIN {
>     ad_zone = "YOUR.DOMAIN.TLD"
>     msdcs_zone = "_msdcs." ad_zone
>     dns_server = "YOUR-DC"
> }
>
> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
> configuration.
>
> The awk script uses kerberos authentication when running samba-tool so you
> will need to generate a kerberos ticket for some AD admin before:
> 1°) kinit administrator
> 2°) samba_dnsupdate | awk -f dnsupdate.awk
>
> As it is not an issue to try to create an entry which already exists you can
> run that script on each DC to make sure all entries are correctly created
> on all DCs.
>
> Best regards,
>
> mathias dufresne
>

There is a flaw with your script!

This mailing list strips off attachments, you are going to have to paste
it into the post. :-)

Rowland
mathias dufresne
2015-Dec-11 12:33 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Thank you Rowland for noticing that. Here it is:

------------------------------------------------------------------
#!/usr/bin/awk -f
# Reads the output of "samba_dnsupdate --all-names --verbose" and, for every
# record nsupdate tried to add, creates it with samba-tool instead.
# Run it on the DC with a valid Kerberos ticket (kinit administrator).
BEGIN {
    ad_zone = "YOUR.DOMAIN.TLD"
    msdcs_zone = "_msdcs." ad_zone
    dns_server = "YOUR-DC"
}

# Zone a fully qualified record name belongs to (_msdcs is its own zone).
function zone_of(fqdn) {
    return (fqdn ~ /_msdcs\./) ? msdcs_zone : ad_zone
}

# Name relative to its zone: "DC2.my.domain.tld." -> "DC2"; the zone apex -> "@".
function relative_name(fqdn, zone,    name, suffix) {
    name = fqdn
    sub(/\.$/, "", name)                       # drop the trailing dot
    if (tolower(name) == tolower(zone))
        return "@"
    suffix = substr(name, length(name) - length(zone))
    if (tolower(suffix) == "." tolower(zone))
        return substr(name, 1, length(name) - length(zone) - 1)
    return name                                # not in this zone; samba-tool will complain
}

function add_record(zone, name, type, data,    cmd) {
    cmd = "samba-tool dns add " dns_server " " zone " " name " " type " '" data "' --kerberos=yes"
    print cmd
    system(cmd)                                # warns if the record already exists, which is fine
}

# nsupdate's debug output prints the record right below "UPDATE SECTION:":
#   <fqdn>. <ttl> IN A <ip>
#   <fqdn>. <ttl> IN SRV <priority> <weight> <port> <target>.
/UPDATE SECTION:/ {
    if ((getline) <= 0)
        next
    zone = zone_of($1)
    name = relative_name($1, zone)
    if ($4 == "A") {
        add_record(zone, name, "A", $5)
    } else if ($4 == "SRV") {
        sub(/\.$/, "", $8)                     # samba-tool wants "target port priority weight"
        add_record(zone, name, "SRV", $8 " " $7 " " $5 " " $6)
    }
}
------------------------------------------------------------------

This script does not take into account missing NS records as samba_dnsupdate does not try to create them.

2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:
> On 11/12/15 10:29, mathias dufresne wrote:
>
>> Hi Ole,
>>
>> Using internal DNS, samba_dnsupdate does not work correctly, at least not
>> every time.
>>
>> Someone modified this samba_dnsupdate tool commenting this line:
>> os.unlink(tmpfile)
>> which should be line 413.
>>
>> Doing that he was able to get the files generated by samba_dnsupdate and use
>> them as argument of the nsupdate command (without the -g switch and with
>> "allow dns updates = nonsecure" in smb.conf).
>>
>> I was not able to make that process work here but I did not try hard. As
>> this process was sent directly to me I share it.
>>
>> The process I use to generate all DNS records is to run samba_dnsupdate
>> --all-names --verbose and send the output of that command to the attached
>> awk script.
>> The awk script gets information from samba_dnsupdate for each record and
>> launches samba-tool to create the DNS record. This script is not clever: it
>> tries to create all mentioned DNS records, generating warnings when a record
>> already exists.
>>
>> You will have to modify this awk script as the BEGIN section contains fake
>> information related to the AD domain:
>>
>> BEGIN {
>>     ad_zone = "YOUR.DOMAIN.TLD"
>>     msdcs_zone = "_msdcs." ad_zone
>>     dns_server = "YOUR-DC"
>> }
>>
>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
>> configuration.
>>
>> The awk script uses kerberos authentication when running samba-tool so you
>> will need to generate a kerberos ticket for some AD admin before:
>> 1°) kinit administrator
>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
>>
>> As it is not an issue to try to create an entry which already exists you can
>> run that script on each DC to make sure all entries are correctly created
>> on all DCs.
>>
>> Best regards,
>>
>> mathias dufresne
>>
>>
> There is a flaw with your script!
>
> This mailing list strips off attachments, you are going to have to paste
> it into the post. :-)
>
> Rowland
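The same job as the awk script above, done in Python as an added example; it is not part of this thread and not Samba's own code. It parses the "Calling nsupdate for <type> <name> <data> (add|delete)" lines that samba_dnsupdate --verbose prints (the lines visible in Ole's output), so it works both with and without --all-names, and emits the matching samba-tool dns add/delete command lines instead of running them, so they can be reviewed first. It also handles the two cases the awk script gets wrong: a record at the zone apex (the A record for my.domain.tld must be created as "@"), and records under _msdcs, which a Samba provision keeps in a separate zone. Assumptions: DOMAIN is the my.domain.tld from the thread, DNS_SERVER "dc1" is made up, SAMPLE is a hand-written excerpt in the thread's output format rather than a real capture, and priority 0 / weight 100 are the SRV values samba_dnsupdate itself used in that output.

```python
"""Turn the records samba_dnsupdate wanted to push via nsupdate into
samba-tool dns add/delete command lines.

Added example for this thread (not Samba code, not the awk script above).
Nothing here contacts a DC; it prints commands for review.
"""
import re
import shlex
import sys

DOMAIN = "my.domain.tld"   # AD DNS domain used in the thread
DNS_SERVER = "dc1"         # assumption: DC whose DNS the records go to
PRIORITY, WEIGHT = 0, 100  # SRV values samba_dnsupdate used ("0 100 389 ...")

# samba_dnsupdate --verbose prints one of these per record it hands to nsupdate;
# the "Looking for", "Checking", "Failed to find" and TSIG lines are ignored.
CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+)(.*) \((add|delete)\)$")

# Constructed excerpt in the format seen in the thread (not a real capture).
SAMPLE = """\
IPs: ['192.0.2.12']
Looking for DNS entry A my.domain.tld 192.0.2.12 as my.domain.tld.
Failed to find matching DNS entry A my.domain.tld 192.0.2.12
Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Calling nsupdate for A my.domain.tld 192.0.2.12 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; UPDATE SECTION:
my.domain.tld. 900 IN A 192.0.2.12

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 (add)
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 (add)
Calling nsupdate for A gc._msdcs.my.domain.tld 192.0.2.12 (add)
Calling nsupdate for A DomainDnsZones.my.domain.tld 192.0.2.12 (add)
Calling nsupdate for CNAME d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld DC2.my.domain.tld (add)
Failed update of 6 entries
"""


def split_zone(fqdn, domain=DOMAIN):
    """Map an FQDN to (zone, name relative to that zone); the apex becomes '@'.

    _msdcs.<domain> is its own zone in a Samba provision, so it is tried
    first. DomainDnsZones/ForestDnsZones are plain names inside <domain>.
    """
    name = fqdn.rstrip(".")
    low = name.lower()
    for zone in ("_msdcs." + domain.lower(), domain.lower()):
        if low == zone:
            return zone, "@"
        if low.endswith("." + zone):
            return zone, name[: -len(zone) - 1]
    raise ValueError("%s is not inside %s" % (fqdn, domain))


def parse_calls(verbose_output):
    """Return [(op, rtype, fqdn, [data fields])] for every nsupdate call."""
    calls = []
    for line in verbose_output.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            rtype, fqdn, rest, op = m.groups()
            calls.append((op, rtype, fqdn, rest.split()))
    return calls


def build_commands(verbose_output, server=DNS_SERVER, domain=DOMAIN):
    """One samba-tool command line per record samba_dnsupdate tried to push."""
    cmds = []
    for op, rtype, fqdn, fields in parse_calls(verbose_output):
        zone, name = split_zone(fqdn, domain)
        if rtype in ("A", "AAAA", "CNAME", "NS"):
            data = fields[0]
        elif rtype == "SRV":
            # samba-tool takes SRV data as one argument: "target port priority weight"
            target, port = fields
            data = "%s %s %d %d" % (target, port, PRIORITY, WEIGHT)
        else:
            continue  # unknown type: leave it for a human
        argv = ["samba-tool", "dns", op, server, zone, name, rtype, data,
                "--kerberos=yes"]  # same auth switch the awk script uses
        cmds.append(" ".join(shlex.quote(a) for a in argv))
    return cmds


if __name__ == "__main__":
    # Usage: samba_dnsupdate --all-names --verbose | python3 dnsfix.py > fix.sh
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(build_commands(text)))
```

Run it on a DC after kinit, review fix.sh, then execute it; samba-tool prints a warning for records that already exist, which is harmless, exactly as with the awk script. The --kerberos=yes switch is the one the thread's Samba version accepts; recent samba-tool releases spell it --use-kerberos=required.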