mathias dufresne
2015-Dec-11 12:33 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Thank you Rowland to noticed that. Here it is: ------------------------------------------------------------------ #!/usr/bin/awk BEGIN { ad_zone = "YOUR.DOMAIN.TLD" msdcs_zone = "_msdcs." ad_zone dns_server = "YOUR-DC" } { if ($0 ~ /UPDATE SECTION:/) { getline print NF, $0 if ($4 == "A") { if($1 ~ /_msdcs/) { zone = msdcs_zone } else { zone = ad_zone } record = $1 regexp = "." zone "." sub(regexp, "", record) cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " A " $5 " --kerberos=yes" #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " A " $5 " " $2 print cmd cmd | getline close(cmd) } if ($4 == "SRV") { if($1 ~ /_msdcs/) { zone = msdcs_zone } else { zone = ad_zone } record = $1 regexp = "." zone "." sub(regexp, "", record) cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " SRV \'" $8 " " $7 " " $5 " " $6 "\' --kerberos=yes" #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " SRV \'" $8 " " $7 " " $5 " " $6 "\' " $2 print cmd cmd | getline close(cmd) } } } ------------------------------------------------------------------ This script does not take in account missing NS records as samba_dnsupdate does not try to create them. 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:> On 11/12/15 10:29, mathias dufresne wrote: > >> Hi Ole, >> >> Using internal DNS samba_dnsupdate does not work correctly, at least not >> every time. >> >> Someone modified this samba_dnsupdate tool commenting this line: >> os.unlink(tmpfile) >> which should line 413. >> >> Doing that he was able to get files generated by samba_dnsupdate to use >> them as argument of nsupdate command (without -g switch and with "allow >> dns >> updates = nonsecure" in smb.conf). >> >> I was not able to make that process work here but I did not tried hard. As >> this process was sent directly to me I share it. >> >> The process I use to generate all DNS records is to run samba_dnsupdate >> --all-names --verbose and send output of that command to attached awk >> script. >> The awk script get information from samba_dnsupdate for each record and >> launch samba-tool to create DNS record. This script is not clever: it >> tries >> to create all mentioned DNS record, generating warnings when record >> already >> exists. >> >> You will have to modify this awk script as the BEGIN section contains fake >> information related to AD domain: >> >> BEGIN { >> ad_zone = "YOUR.DOMAIN.TLD" >> msdcs_zone = "_msdcs." ad_zone >> dns_server = "YOUR-DC" >> } >> >> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain >> configuration. >> >> The awk script uses kerberos authentication when running samba-tool so you >> will need to generate a kerberos ticket for some AD admin before: >> 1°) kinit administrator >> 2°) samba_dnsupdate | awk -f dnsupdate.awk >> >> As it is not an issue to try create an entry which already exists you can >> run it that script on each DC to assure you all entries are correctly >> created on all DC. >> >> Best regards, >> >> mathias dufresne >> >> >> > There is a flaw with your script! > > > > > > This mailing list strips off attachments, you are going to have to paste > it into post. :-) > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Ole Traupe
2015-Dec-11 13:59 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hi folks, a) thank you all for your help, I highly appreciate you time and effort, and I am sure I can resolve this issue very soon! b) I have to delay this until early next week, as I have to attend to other matters for now. All I can say, Louis, is that I won't set up a new DC to resolve this - at least not for now. This seems to be another problem of Samba4 not being able to deal with multiple DCs properly. And this has to be able to be resolved on an otherwise working domain without changing its architecture or other more drastic measures. This is my point of view at the moment. Your suggestion reminds me a bit of some typical forum replies to "Reinstall the OS" in case of any problems that can't be solved in an instant. If necessary, I will just create the missing DNS entries of my 2nd DC by hand. Although I would prefer a working script supplied by a professional (which I am not). At least I would like to know which DNS entries for my 2nd DC are essential for logins to work. I wouldn't very much like to try this out. However, I am aware that your time is as limited as mine (of not even more so), and you are in no obligation in any way. Besides, I didn't forget do delete anything. I used the script from the wiki to get rid of old records pertaining to my former 1st DC after I had created the records of my *new* 1st DC. I checked the results: everything related to my former first DC was gone. Also I documented/discussed this process here on the list. And nobody pointed me to things I forgot or was leaving out. I know that use of this script was totally "on my own risk". But the results were as they should have been, at least as far I am able to tell. That said, I will go through your responses and get back to you with results. Best, have a good weekend! Ole Am 11.12.2015 um 13:33 schrieb mathias dufresne:> Thank you Rowland to noticed that. > > Here it is: > ------------------------------------------------------------------ > #!/usr/bin/awk > > BEGIN { > ad_zone = "YOUR.DOMAIN.TLD" > msdcs_zone = "_msdcs." ad_zone > dns_server = "YOUR-DC" > } > { > if ($0 ~ /UPDATE SECTION:/) { > getline > print NF, $0 > if ($4 == "A") { > if($1 ~ /_msdcs/) { > zone = msdcs_zone > } else { > zone = ad_zone > } > record = $1 > regexp = "." zone "." > sub(regexp, "", record) > cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " A > " $5 " --kerberos=yes" > #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " A > " $5 " " $2 > print cmd > cmd | getline > close(cmd) > } > if ($4 == "SRV") { > if($1 ~ /_msdcs/) { > zone = msdcs_zone > } else { > zone = ad_zone > } > record = $1 > regexp = "." zone "." > sub(regexp, "", record) > cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " > SRV \'" $8 " " $7 " " $5 " " $6 "\' --kerberos=yes" > #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " > SRV \'" $8 " " $7 " " $5 " " $6 "\' " $2 > print cmd > cmd | getline > close(cmd) > } > } > } > ------------------------------------------------------------------ > > This script does not take in account missing NS records as samba_dnsupdate > does not try to create them. > > > 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>: > >> On 11/12/15 10:29, mathias dufresne wrote: >> >>> Hi Ole, >>> >>> Using internal DNS samba_dnsupdate does not work correctly, at least not >>> every time. >>> >>> Someone modified this samba_dnsupdate tool commenting this line: >>> os.unlink(tmpfile) >>> which should line 413. >>> >>> Doing that he was able to get files generated by samba_dnsupdate to use >>> them as argument of nsupdate command (without -g switch and with "allow >>> dns >>> updates = nonsecure" in smb.conf). >>> >>> I was not able to make that process work here but I did not tried hard. As >>> this process was sent directly to me I share it. >>> >>> The process I use to generate all DNS records is to run samba_dnsupdate >>> --all-names --verbose and send output of that command to attached awk >>> script. >>> The awk script get information from samba_dnsupdate for each record and >>> launch samba-tool to create DNS record. This script is not clever: it >>> tries >>> to create all mentioned DNS record, generating warnings when record >>> already >>> exists. >>> >>> You will have to modify this awk script as the BEGIN section contains fake >>> information related to AD domain: >>> >>> BEGIN { >>> ad_zone = "YOUR.DOMAIN.TLD" >>> msdcs_zone = "_msdcs." ad_zone >>> dns_server = "YOUR-DC" >>> } >>> >>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain >>> configuration. >>> >>> The awk script uses kerberos authentication when running samba-tool so you >>> will need to generate a kerberos ticket for some AD admin before: >>> 1°) kinit administrator >>> 2°) samba_dnsupdate | awk -f dnsupdate.awk >>> >>> As it is not an issue to try create an entry which already exists you can >>> run it that script on each DC to assure you all entries are correctly >>> created on all DC. >>> >>> Best regards, >>> >>> mathias dufresne >>> >>> >>> >> There is a flaw with your script! >> >> >> >> >> >> This mailing list strips off attachments, you are going to have to paste >> it into post. :-) >> >> Rowland >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
Rowland penny
2015-Dec-11 14:24 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 11/12/15 13:59, Ole Traupe wrote:> Hi folks, > > a) thank you all for your help, I highly appreciate you time and > effort, and I am sure I can resolve this issue very soon! > b) I have to delay this until early next week, as I have to attend to > other matters for now. > > All I can say, Louis, is that I won't set up a new DC to resolve this > - at least not for now. This seems to be another problem of Samba4 not > being able to deal with multiple DCs properly. And this has to be able > to be resolved on an otherwise working domain without changing its > architecture or other more drastic measures. This is my point of view > at the moment. Your suggestion reminds me a bit of some typical forum > replies to "Reinstall the OS" in case of any problems that can't be > solved in an instant. > > If necessary, I will just create the missing DNS entries of my 2nd DC > by hand. Although I would prefer a working script supplied by a > professional (which I am not). At least I would like to know which DNS > entries for my 2nd DC are essential for logins to work. I wouldn't > very much like to try this out. However, I am aware that your time is > as limited as mine (of not even more so), and you are in no obligation > in any way. > > Besides, I didn't forget do delete anything. I used the script from > the wiki to get rid of old records pertaining to my former 1st DC > after I had created the records of my *new* 1st DC. I checked the > results: everything related to my former first DC was gone. Also I > documented/discussed this process here on the list. And nobody pointed > me to things I forgot or was leaving out. I know that use of this > script was totally "on my own risk". But the results were as they > should have been, at least as far I am able to tell. > > That said, I will go through your responses and get back to you with > results. > > Best, have a good weekend! > Ole > >Ole, when you provision a domain, all the required records are created, but when you join another DC, most of the dns records are not created until the samba deamon is started and samba_dnsupdate is run automatically, see 'dns_update_list' for what is added (this is in /usr/share/samba/setup & /var/lib/samba/private on debian) If you want to add the missing NS records, add these lines to 'dns_update_list' : # RW DNS servers ${IF_RWDNS_DOMAIN}A ${DNSDOMAIN} $IP ${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME} # RW DNS servers ${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME} You should be aware that even if you add these lines, they will not do you any good at the moment if you use the internal dns server. There is a problem, it looks like the records do not get added when samba_dnsupdate is first run, but they are. What you could do is this, copy the 'dns_update_list', replace all the variables with your info (${DNSDOMAIN} etc), then use this to check what you are missing and then add what isn't there. Rowland
L.P.H. van Belle
2015-Dec-11 14:31 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Commented inbetween.> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe > Verzonden: vrijdag 11 december 2015 14:59 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller > initially fails when PDC is offline > > Hi folks, > > a) thank you all for your help, I highly appreciate you time and effort, > and I am sure I can resolve this issue very soon! > b) I have to delay this until early next week, as I have to attend to > other matters for now. > > All I can say, Louis, is that I won't set up a new DC to resolve this - > at least not for now. This seems to be another problem of Samba4 not > being able to deal with multiple DCs properly. And this has to be able > to be resolved on an otherwise working domain without changing its > architecture or other more drastic measures. This is my point of view at > the moment. Your suggestion reminds me a bit of some typical forum > replies to "Reinstall the OS" in case of any problems that can't be > solved in an instant.[L.P.H. van Belle] I dont think this is another problem of samba4, but this is a problem which started in the begining of your install, at least thats what i suppect based on all your info on the list. I suspect that, then you "installed" the new DC with the old name/ip. You forgot somewhere to remove old entries in AD and/or DNS. And this is why i suggested it, normaly i dont suggest something like this, but i do think that if you setup clean you wil have a better running server with less problems , but what you choose is all up to you. Do what you thinks is best for you.> > If necessary, I will just create the missing DNS entries of my 2nd DC by > hand. Although I would prefer a working script supplied by a > professional (which I am not). At least I would like to know which DNS > entries for my 2nd DC are essential for logins to work. I wouldn't very > much like to try this out. However, I am aware that your time is as > limited as mine (of not even more so), and you are in no obligation in > any way.[L.P.H. van Belle]>). At least I would like to know which DNS > entries for my 2nd DC are essential for logins to work.And what you ask here is already answered few times imo. Again, your quicker with a clean install, and you learn more from it. And with clean, i dont mean dropping your AD, just add new "DC Join" to hold the AD data so you can remove the faulty server and then you can install that server again, but now as it should. AND when you join a DC your login problem is fixed also. ;-)> Besides, I didn't forget do delete anything. I used the script from the > wiki to get rid of old records pertaining to my former 1st DC after I > had created the records of my *new* 1st DC. I checked the results: > everything related to my former first DC was gone. Also I > documented/discussed this process here on the list. And nobody pointed > me to things I forgot or was leaving out. I know that use of this script > was totally "on my own risk". But the results were as they should have > been, at least as far I am able to tell.[L.P.H. van Belle][L.P.H. van Belle] which script ? can anyone point that one for me, cant find it. I only know about https://bugzilla.samba.org/show_bug.cgi?id=10595> > That said, I will go through your responses and get back to you with > results. > > Best, have a good weekend! > Ole[L.P.H. van Belle] Thank you, and have a very good weekend also, i hope your problem is fixed soon.> > > Am 11.12.2015 um 13:33 schrieb mathias dufresne: > > Thank you Rowland to noticed that. > > > > Here it is: > > ------------------------------------------------------------------ > > #!/usr/bin/awk > > > > BEGIN { > > ad_zone = "YOUR.DOMAIN.TLD" > > msdcs_zone = "_msdcs." ad_zone > > dns_server = "YOUR-DC" > > } > > { > > if ($0 ~ /UPDATE SECTION:/) { > > getline > > print NF, $0 > > if ($4 == "A") { > > if($1 ~ /_msdcs/) { > > zone = msdcs_zone > > } else { > > zone = ad_zone > > } > > record = $1 > > regexp = "." zone "." > > sub(regexp, "", record) > > cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record > " A > > " $5 " --kerberos=yes" > > #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record > " A > > " $5 " " $2 > > print cmd > > cmd | getline > > close(cmd) > > } > > if ($4 == "SRV") { > > if($1 ~ /_msdcs/) { > > zone = msdcs_zone > > } else { > > zone = ad_zone > > } > > record = $1 > > regexp = "." zone "." > > sub(regexp, "", record) > > cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record > " > > SRV \'" $8 " " $7 " " $5 " " $6 "\' --kerberos=yes" > > #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record > " > > SRV \'" $8 " " $7 " " $5 " " $6 "\' " $2 > > print cmd > > cmd | getline > > close(cmd) > > } > > } > > } > > ------------------------------------------------------------------ > > > > This script does not take in account missing NS records as > samba_dnsupdate > > does not try to create them. > > > > > > 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>: > > > >> On 11/12/15 10:29, mathias dufresne wrote: > >> > >>> Hi Ole, > >>> > >>> Using internal DNS samba_dnsupdate does not work correctly, at least > not > >>> every time. > >>> > >>> Someone modified this samba_dnsupdate tool commenting this line: > >>> os.unlink(tmpfile) > >>> which should line 413. > >>> > >>> Doing that he was able to get files generated by samba_dnsupdate to > use > >>> them as argument of nsupdate command (without -g switch and with > "allow > >>> dns > >>> updates = nonsecure" in smb.conf). > >>> > >>> I was not able to make that process work here but I did not tried > hard. As > >>> this process was sent directly to me I share it. > >>> > >>> The process I use to generate all DNS records is to run > samba_dnsupdate > >>> --all-names --verbose and send output of that command to attached awk > >>> script. > >>> The awk script get information from samba_dnsupdate for each record > and > >>> launch samba-tool to create DNS record. This script is not clever: it > >>> tries > >>> to create all mentioned DNS record, generating warnings when record > >>> already > >>> exists. > >>> > >>> You will have to modify this awk script as the BEGIN section contains > fake > >>> information related to AD domain: > >>> > >>> BEGIN { > >>> ad_zone = "YOUR.DOMAIN.TLD" > >>> msdcs_zone = "_msdcs." ad_zone > >>> dns_server = "YOUR-DC" > >>> } > >>> > >>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain > >>> configuration. > >>> > >>> The awk script uses kerberos authentication when running samba-tool so > you > >>> will need to generate a kerberos ticket for some AD admin before: > >>> 1°) kinit administrator > >>> 2°) samba_dnsupdate | awk -f dnsupdate.awk > >>> > >>> As it is not an issue to try create an entry which already exists you > can > >>> run it that script on each DC to assure you all entries are correctly > >>> created on all DC. > >>> > >>> Best regards, > >>> > >>> mathias dufresne > >>> > >>> > >>> > >> There is a flaw with your script! > >> > >> > >> > >> > >> > >> This mailing list strips off attachments, you are going to have to > paste > >> it into post. :-) > >> > >> Rowland > >> > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > >> > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Ole Traupe
2015-Dec-17 12:50 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Am 11.12.2015 um 15:31 schrieb L.P.H. van Belle:> Commented inbetween. > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe >> Verzonden: vrijdag 11 december 2015 14:59 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller >> initially fails when PDC is offline >> >> Hi folks, >> >> a) thank you all for your help, I highly appreciate you time and effort, >> and I am sure I can resolve this issue very soon! >> b) I have to delay this until early next week, as I have to attend to >> other matters for now. >> >> All I can say, Louis, is that I won't set up a new DC to resolve this - >> at least not for now. This seems to be another problem of Samba4 not >> being able to deal with multiple DCs properly. And this has to be able >> to be resolved on an otherwise working domain without changing its >> architecture or other more drastic measures. This is my point of view at >> the moment. Your suggestion reminds me a bit of some typical forum >> replies to "Reinstall the OS" in case of any problems that can't be >> solved in an instant. > [L.P.H. van Belle] > I dont think this is another problem of samba4, but this is a problem which started in the begining of your install, at least thats what i suppect based on all your info on the list. > I suspect that, then you "installed" the new DC with the old name/ip.Yes, maybe, but why/how?> You forgot somewhere to remove old entries in AD and/or DNS.Not that I know of. This is pure speculation. My domain is not that large and I can go through all DNS records in 5 min. There wasn't anything left pointing to the demoted DC.> And this is why i suggested it, normaly i dont suggest something like this, but i do think that if you setup clean you wil have a better running server with less problems , but what you choose is all up to you. > Do what you thinks is best for you.I am still considering this as a last resort.> >> If necessary, I will just create the missing DNS entries of my 2nd DC by >> hand. Although I would prefer a working script supplied by a >> professional (which I am not). At least I would like to know which DNS >> entries for my 2nd DC are essential for logins to work. I wouldn't very >> much like to try this out. However, I am aware that your time is as >> limited as mine (of not even more so), and you are in no obligation in >> any way. > [L.P.H. van Belle] > >> ). At least I would like to know which DNS >> entries for my 2nd DC are essential for logins to work. > And what you ask here is already answered few times imo.Where? Point me to it, please!> > Again, your quicker with a clean install, and you learn more from it. > And with clean, i dont mean dropping your AD, just add new "DC Join" to hold the AD data so you can remove the faulty server and then you can install that server again, but now as it should. > AND when you join a DC your login problem is fixed also. ;-)I somehow doubt that. Still it seems that no one here has an idea of why log-on from member servers isn't working properly (for me). However, in the meantime I have created all the necessary DNS records. This can't be the issue anymore.> > >> Besides, I didn't forget do delete anything. I used the script from the >> wiki to get rid of old records pertaining to my former 1st DC after I >> had created the records of my *new* 1st DC. I checked the results: >> everything related to my former first DC was gone. Also I >> documented/discussed this process here on the list. And nobody pointed >> me to things I forgot or was leaving out. I know that use of this script >> was totally "on my own risk". But the results were as they should have >> been, at least as far I am able to tell.[L.P.H. van Belle] > [L.P.H. van Belle] which script ? can anyone point that one for me, cant find it. I only know about > https://bugzilla.samba.org/show_bug.cgi?id=10595It is this one: https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content> >> That said, I will go through your responses and get back to you with >> results. >> >> Best, have a good weekend! >> Ole > [L.P.H. van Belle] > Thank you, and have a very good weekend also, i hope your problem is fixed soon.Thanks, me too. Ole> >> >> Am 11.12.2015 um 13:33 schrieb mathias dufresne: >>> Thank you Rowland to noticed that. >>> >>> Here it is: >>> ------------------------------------------------------------------ >>> #!/usr/bin/awk >>> >>> BEGIN { >>> ad_zone = "YOUR.DOMAIN.TLD" >>> msdcs_zone = "_msdcs." ad_zone >>> dns_server = "YOUR-DC" >>> } >>> { >>> if ($0 ~ /UPDATE SECTION:/) { >>> getline >>> print NF, $0 >>> if ($4 == "A") { >>> if($1 ~ /_msdcs/) { >>> zone = msdcs_zone >>> } else { >>> zone = ad_zone >>> } >>> record = $1 >>> regexp = "." zone "." >>> sub(regexp, "", record) >>> cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record >> " A >>> " $5 " --kerberos=yes" >>> #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record >> " A >>> " $5 " " $2 >>> print cmd >>> cmd | getline >>> close(cmd) >>> } >>> if ($4 == "SRV") { >>> if($1 ~ /_msdcs/) { >>> zone = msdcs_zone >>> } else { >>> zone = ad_zone >>> } >>> record = $1 >>> regexp = "." zone "." >>> sub(regexp, "", record) >>> cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record >> " >>> SRV \'" $8 " " $7 " " $5 " " $6 "\' --kerberos=yes" >>> #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record >> " >>> SRV \'" $8 " " $7 " " $5 " " $6 "\' " $2 >>> print cmd >>> cmd | getline >>> close(cmd) >>> } >>> } >>> } >>> ------------------------------------------------------------------ >>> >>> This script does not take in account missing NS records as >> samba_dnsupdate >>> does not try to create them. >>> >>> >>> 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>: >>> >>>> On 11/12/15 10:29, mathias dufresne wrote: >>>> >>>>> Hi Ole, >>>>> >>>>> Using internal DNS samba_dnsupdate does not work correctly, at least >> not >>>>> every time. >>>>> >>>>> Someone modified this samba_dnsupdate tool commenting this line: >>>>> os.unlink(tmpfile) >>>>> which should line 413. >>>>> >>>>> Doing that he was able to get files generated by samba_dnsupdate to >> use >>>>> them as argument of nsupdate command (without -g switch and with >> "allow >>>>> dns >>>>> updates = nonsecure" in smb.conf). >>>>> >>>>> I was not able to make that process work here but I did not tried >> hard. As >>>>> this process was sent directly to me I share it. >>>>> >>>>> The process I use to generate all DNS records is to run >> samba_dnsupdate >>>>> --all-names --verbose and send output of that command to attached awk >>>>> script. >>>>> The awk script get information from samba_dnsupdate for each record >> and >>>>> launch samba-tool to create DNS record. This script is not clever: it >>>>> tries >>>>> to create all mentioned DNS record, generating warnings when record >>>>> already >>>>> exists. >>>>> >>>>> You will have to modify this awk script as the BEGIN section contains >> fake >>>>> information related to AD domain: >>>>> >>>>> BEGIN { >>>>> ad_zone = "YOUR.DOMAIN.TLD" >>>>> msdcs_zone = "_msdcs." ad_zone >>>>> dns_server = "YOUR-DC" >>>>> } >>>>> >>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain >>>>> configuration. >>>>> >>>>> The awk script uses kerberos authentication when running samba-tool so >> you >>>>> will need to generate a kerberos ticket for some AD admin before: >>>>> 1°) kinit administrator >>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk >>>>> >>>>> As it is not an issue to try create an entry which already exists you >> can >>>>> run it that script on each DC to assure you all entries are correctly >>>>> created on all DC. >>>>> >>>>> Best regards, >>>>> >>>>> mathias dufresne >>>>> >>>>> >>>>> >>>> There is a flaw with your script! >>>> >>>> >>>> >>>> >>>> >>>> This mailing list strips off attachments, you are going to have to >> paste >>>> it into post. :-) >>>> >>>> Rowland >>>> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > >
L.P.H. van Belle
2015-Dec-17 13:22 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Commented inbetween.> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe > Verzonden: donderdag 17 december 2015 13:51 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller > initially fails when PDC is offline > > > > Am 11.12.2015 um 15:31 schrieb L.P.H. van Belle: > > Commented inbetween. > > > >> -----Oorspronkelijk bericht----- > >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe > >> Verzonden: vrijdag 11 december 2015 14:59 > >> Aan: samba at lists.samba.org > >> Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller > >> initially fails when PDC is offline > >> > >> Hi folks, > >> > >> a) thank you all for your help, I highly appreciate you time and > effort, > >> and I am sure I can resolve this issue very soon! > >> b) I have to delay this until early next week, as I have to attend to > >> other matters for now. > >> > >> All I can say, Louis, is that I won't set up a new DC to resolve this - > >> at least not for now. This seems to be another problem of Samba4 not > >> being able to deal with multiple DCs properly. And this has to be able > >> to be resolved on an otherwise working domain without changing its > >> architecture or other more drastic measures. This is my point of view > at > >> the moment. Your suggestion reminds me a bit of some typical forum > >> replies to "Reinstall the OS" in case of any problems that can't be > >> solved in an instant. > > [L.P.H. van Belle] > > I dont think this is another problem of samba4, but this is a problem > which started in the begining of your install, at least thats what i > suppect based on all your info on the list. > > I suspect that, then you "installed" the new DC with the old name/ip. > > Yes, maybe, but why/how?[L.P.H. van Belle] I could answere that i would, but i dont know how you exactly installed. I'v scripted my installs, so it always the same. I have no problems with my config, or on all my servers. So one fix fixes all in my case.> > > You forgot somewhere to remove old entries in AD and/or DNS. > > Not that I know of. This is pure speculation. My domain is not that > large and I can go through all DNS records in 5 min. There wasn't > anything left pointing to the demoted DC. > > > And this is why i suggested it, normaly i dont suggest something like > this, but i do think that if you setup clean you wil have a better running > server with less problems , but what you choose is all up to you. > > Do what you thinks is best for you. > > I am still considering this as a last resort.[L.P.H. van Belle] from a learning point this is always good. fist installs are always hard, i've tested my setup/configs for about 6-8 month before production, and i screwed also things up, so i reinstalled and learned also the hard way. And thankfully there is the samba list, which helped me a lot.> > > > >> If necessary, I will just create the missing DNS entries of my 2nd DC > by > >> hand. Although I would prefer a working script supplied by a > >> professional (which I am not). At least I would like to know which DNS > >> entries for my 2nd DC are essential for logins to work. I wouldn't very > >> much like to try this out. However, I am aware that your time is as > >> limited as mine (of not even more so), and you are in no obligation in > >> any way. > > [L.P.H. van Belle] > > > >> ). At least I would like to know which DNS > >> entries for my 2nd DC are essential for logins to work. > > And what you ask here is already answered few times imo. > > Where? Point me to it, please!Uhh, somehere in the emails of 10-dec, see whats in the samba_dnsupdate --verbose that are the needed dns records. [L.P.H. van Belle] in the AD and dns, open the user managment tool ( the AD user manager ) klik on view, enable advanced.. now klik through the complete ad and find old entries. Dont forget the "computers" OU and do the same in the DNS manager. also, make sure you DNS zone (SOA) record contains the PRIMARY DC. Above can be done also with ldapsearch.> > > > > Again, your quicker with a clean install, and you learn more from it. > > And with clean, i dont mean dropping your AD, just add new "DC Join" to > hold the AD data so you can remove the faulty server and then you can > install that server again, but now as it should. > > AND when you join a DC your login problem is fixed also. ;-) > > I somehow doubt that. Still it seems that no one here has an idea of why > log-on from member servers isn't working properly (for me). However, in > the meantime I have created all the necessary DNS records. This can't be > the issue anymore.[L.P.H. van Belle] a delay for the login when one dns is done is normal, it needs to timeout first. when you type : dig a internal.domain.tld you should see 2 responses, and the results are your 2 DC's.> > > > > > >> Besides, I didn't forget do delete anything. I used the script from the > >> wiki to get rid of old records pertaining to my former 1st DC after I > >> had created the records of my *new* 1st DC. I checked the results: > >> everything related to my former first DC was gone. Also I > >> documented/discussed this process here on the list. And nobody pointed > >> me to things I forgot or was leaving out. I know that use of this > script > >> was totally "on my own risk". But the results were as they should have > >> been, at least as far I am able to tell.[L.P.H. van Belle] > > [L.P.H. van Belle] which script ? can anyone point that one for me, cant > find it. I only know about > > https://bugzilla.samba.org/show_bug.cgi?id=10595 > > It is this one: > https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede- > 9f97-0e1cc4d577f3#content > > > > >> That said, I will go through your responses and get back to you with > >> results. > >> > >> Best, have a good weekend! > >> Ole > > [L.P.H. van Belle] > > Thank you, and have a very good weekend also, i hope your problem is > fixed soon. > > Thanks, me too. > > Ole > > > > >> > >> Am 11.12.2015 um 13:33 schrieb mathias dufresne: > >>> Thank you Rowland to noticed that. > >>> > >>> Here it is: > >>> ------------------------------------------------------------------ > >>> #!/usr/bin/awk > >>> > >>> BEGIN { > >>> ad_zone = "YOUR.DOMAIN.TLD" > >>> msdcs_zone = "_msdcs." ad_zone > >>> dns_server = "YOUR-DC" > >>> } > >>> { > >>> if ($0 ~ /UPDATE SECTION:/) { > >>> getline > >>> print NF, $0 > >>> if ($4 == "A") { > >>> if($1 ~ /_msdcs/) { > >>> zone = msdcs_zone > >>> } else { > >>> zone = ad_zone > >>> } > >>> record = $1 > >>> regexp = "." zone "." > >>> sub(regexp, "", record) > >>> cmd = "samba-tool dns add " dns_server " " msdcs_zone " " > record > >> " A > >>> " $5 " --kerberos=yes" > >>> #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " > record > >> " A > >>> " $5 " " $2 > >>> print cmd > >>> cmd | getline > >>> close(cmd) > >>> } > >>> if ($4 == "SRV") { > >>> if($1 ~ /_msdcs/) { > >>> zone = msdcs_zone > >>> } else { > >>> zone = ad_zone > >>> } > >>> record = $1 > >>> regexp = "." zone "." > >>> sub(regexp, "", record) > >>> cmd = "samba-tool dns add " dns_server " " msdcs_zone " " > record > >> " > >>> SRV \'" $8 " " $7 " " $5 " " $6 "\' --kerberos=yes" > >>> #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " > record > >> " > >>> SRV \'" $8 " " $7 " " $5 " " $6 "\' " $2 > >>> print cmd > >>> cmd | getline > >>> close(cmd) > >>> } > >>> } > >>> } > >>> ------------------------------------------------------------------ > >>> > >>> This script does not take in account missing NS records as > >> samba_dnsupdate > >>> does not try to create them. > >>> > >>> > >>> 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>: > >>> > >>>> On 11/12/15 10:29, mathias dufresne wrote: > >>>> > >>>>> Hi Ole, > >>>>> > >>>>> Using internal DNS samba_dnsupdate does not work correctly, at least > >> not > >>>>> every time. > >>>>> > >>>>> Someone modified this samba_dnsupdate tool commenting this line: > >>>>> os.unlink(tmpfile) > >>>>> which should line 413. > >>>>> > >>>>> Doing that he was able to get files generated by samba_dnsupdate to > >> use > >>>>> them as argument of nsupdate command (without -g switch and with > >> "allow > >>>>> dns > >>>>> updates = nonsecure" in smb.conf). > >>>>> > >>>>> I was not able to make that process work here but I did not tried > >> hard. As > >>>>> this process was sent directly to me I share it. > >>>>> > >>>>> The process I use to generate all DNS records is to run > >> samba_dnsupdate > >>>>> --all-names --verbose and send output of that command to attached > awk > >>>>> script. > >>>>> The awk script get information from samba_dnsupdate for each record > >> and > >>>>> launch samba-tool to create DNS record. This script is not clever: > it > >>>>> tries > >>>>> to create all mentioned DNS record, generating warnings when record > >>>>> already > >>>>> exists. > >>>>> > >>>>> You will have to modify this awk script as the BEGIN section > contains > >> fake > >>>>> information related to AD domain: > >>>>> > >>>>> BEGIN { > >>>>> ad_zone = "YOUR.DOMAIN.TLD" > >>>>> msdcs_zone = "_msdcs." ad_zone > >>>>> dns_server = "YOUR-DC" > >>>>> } > >>>>> > >>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain > >>>>> configuration. > >>>>> > >>>>> The awk script uses kerberos authentication when running samba-tool > so > >> you > >>>>> will need to generate a kerberos ticket for some AD admin before: > >>>>> 1°) kinit administrator > >>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk > >>>>> > >>>>> As it is not an issue to try create an entry which already exists > you > >> can > >>>>> run it that script on each DC to assure you all entries are > correctly > >>>>> created on all DC. > >>>>> > >>>>> Best regards, > >>>>> > >>>>> mathias dufresne > >>>>> > >>>>> > >>>>> > >>>> There is a flaw with your script! > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> This mailing list strips off attachments, you are going to have to > >> paste > >>>> it into post. :-) > >>>> > >>>> Rowland > >>>> > >>>> > >>>> -- > >>>> To unsubscribe from this list go to the following URL and read the > >>>> instructions: https://lists.samba.org/mailman/options/samba > >>>> > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Apparently Analagous Threads
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- missing dns records? _ldaps._tcp ?
- missing dns records? _ldaps._tcp ?
- missing dns records? _ldaps._tcp ?