Hello,

sorry to ask this many questions, but I want to know why things happen the way they do and if perhaps something is wrong.

Our new, shiny domain created by classicupgrade consists of 4 (four) domain controllers.

dc1 was the first, which was created by classicupgrade. Then I added dc2, dchks and dcirm using

    samba-tool domain join iww.lan DC -U "IWW\Administrator" --dns-backend=SAMBA_INTERNAL

dc1 and dc2 have created SRV DNS records:

    # host -t SRV _ldap._tcp.dc._msdcs.iww.lan
    _ldap._tcp.dc._msdcs.iww.lan has SRV record 0 100 389 dc1.iww.lan.
    _ldap._tcp.dc._msdcs.iww.lan has SRV record 0 100 389 dc2.iww.lan.

    # host -t SRV _kerberos._tcp.dc._msdcs.iww.lan
    _kerberos._tcp.dc._msdcs.iww.lan has SRV record 0 100 88 dc1.iww.lan.
    _kerberos._tcp.dc._msdcs.iww.lan has SRV record 0 100 88 dc2.iww.lan.

But dcirm and dchks didn't create SRV records. However, they did create DNS A records and they are listed as Domain Controllers in the AD Tree. samba-tool drs showrepl shows no errors.

All DCs are running Debian or Devuan with Louis' Samba 4.7.8 packages. All of them are running in an LXC container.

The difference is that dcirm and dchks are located at remote locations which are connected through VPN connections with reduced bandwidth.

It is my understanding that those records are important for a client to find a DC, so if for some reason dc1 and dc2 would fail, clients wouldn't be able to locate a DC, although the other two DCs are still available - am I correct?

If so, how can the correct SRV records be added?

Kind Regards,

Henry

On Tue, 24 Jul 2018 15:00:27 +0200 Henry Jensen via samba <samba at lists.samba.org> wrote:

> Hello,
>
> sorry to ask this many questions, but I want to know why things happen
> the way they do and if perhaps something is wrong.
>
> Our new, shiny domain created by classicupgrade consists of 4 (four)
> domain controllers.
>
> dc1 was the first, which was created by classicupgrade. Then I added
> dc2, dchks and dcirm using
>
> samba-tool domain join iww.lan DC -U "IWW\Administrator"
> --dns-backend=SAMBA_INTERNAL
>
> dc1 and dc2 have created SRV DNS records:
>
> # host -t SRV _ldap._tcp.dc._msdcs.iww.lan
> _ldap._tcp.dc._msdcs.iww.lan has SRV record 0 100 389 dc1.iww.lan.
> _ldap._tcp.dc._msdcs.iww.lan has SRV record 0 100 389 dc2.iww.lan.
>
> # host -t SRV _kerberos._tcp.dc._msdcs.iww.lan
> _kerberos._tcp.dc._msdcs.iww.lan has SRV record 0 100 88 dc1.iww.lan.
> _kerberos._tcp.dc._msdcs.iww.lan has SRV record 0 100 88 dc2.iww.lan.
>
> But dcirm and dchks didn't create SRV records. However, they did
> create DNS A records and they are listed as Domain Controllers in the
> AD Tree. samba-tool drs showrepl shows no errors.
>
> All DCs are running Debian or Devuan with Louis' Samba 4.7.8 packages.
> All of them are running in an LXC container.
>
> The difference is that dcirm and dchks are located
> at remote locations which are connected through VPN connections with
> reduced bandwidth.
>
> It is my understanding that those records are important for a client
> to find a DC, so if for some reason dc1 and dc2 would fail, clients
> wouldn't be able to locate a DC, although the other two DCs are still
> available - am I correct?
>
> If so, how can the correct SRV records be added?
>
> Kind Regards,
>
> Henry

Try restarting the DCs without the records; this should create the missing records. If not, check syslog.

Rowland

On Tue, 24 Jul 2018 14:15:04 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 24 Jul 2018 15:00:27 +0200
> > dc1 and dc2 have created SRV DNS records:
> >
> > # host -t SRV _ldap._tcp.dc._msdcs.iww.lan
> > _ldap._tcp.dc._msdcs.iww.lan has SRV record 0 100 389 dc1.iww.lan.
> > _ldap._tcp.dc._msdcs.iww.lan has SRV record 0 100 389 dc2.iww.lan.
> >
> > # host -t SRV _kerberos._tcp.dc._msdcs.iww.lan
> > _kerberos._tcp.dc._msdcs.iww.lan has SRV record 0 100 88 dc1.iww.lan.
> > _kerberos._tcp.dc._msdcs.iww.lan has SRV record 0 100 88 dc2.iww.lan.
> >
> > But dcirm and dchks didn't create SRV records. However, they did
> > create DNS A records and they are listed as Domain Controllers in the
> > AD Tree. samba-tool drs showrepl shows no errors.
>
> Try restarting the DC's without the records, this should create the
> missing records, if not, check syslog.

Thank you for that hint. OK, the log says:

    samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
    [2018/07/24 14:32:17.590559, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
    ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 26

So I dug further and found a mail from you from October 2017, suggesting to run samba_dnsupdate [0]

So, I ran /usr/sbin/samba_dnsupdate (using DNS) which fails. Running

    /usr/sbin/samba_dnsupdate --use-samba-tool

succeeded and the missing SRV entries are created.

So I added

    dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

to my smb.conf now.

But as the original OP I am curious ;) and want to know why. You explained that this is a Kerberos problem. And then Andrew wrote

> This should be fixed in Samba 4.7 finally.

[1]

Erm, I am using Samba 4.7.8, either it didn't get fixed after all or I did something wrong.

Note: the line

    samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.

is still there.

Kind regards,

Henry

[0] https://lists.samba.org/archive/samba/2017-October/211723.html
[1] https://lists.samba.org/archive/samba/2017-October/211740.html
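
An added example, not part of the original thread: a POSIX shell check that reports which expected DCs are absent as targets in `host -t SRV` output, run here against the _ldap output quoted in the first message. The FQDNs dchks.iww.lan and dcirm.iww.lan, the function names and the variable names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find domain controllers with no SRV record.

# srv_targets: read `host -t SRV <name>` output on stdin and print the
# target host of each SRV record, lower-cased, without the trailing dot.
# Lines that are not SRV answers (e.g. NXDOMAIN messages) are ignored.
srv_targets() {
    awk '/ has SRV record / { t = tolower($NF); sub(/\.$/, "", t); print t }' |
        sort -u
}

# missing_dcs OUTPUT DC...: print every expected DC FQDN that does not
# appear as an SRV target in OUTPUT. Exit status is 1 if any is missing.
# The body runs in a subshell so its variables stay local.
missing_dcs() (
    output=$1
    shift
    targets=$(printf '%s\n' "$output" | srv_targets)
    rc=0
    for dc in "$@"; do
        want=$(printf '%s' "$dc" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$targets" | grep -qxF "$want"; then
            printf '%s\n' "$dc"
            rc=1
        fi
    done
    exit "$rc"
)

# `host` output as posted in the thread, before the missing records existed.
SAMPLE_LDAP='_ldap._tcp.dc._msdcs.iww.lan has SRV record 0 100 389 dc1.iww.lan.
_ldap._tcp.dc._msdcs.iww.lan has SRV record 0 100 389 dc2.iww.lan.'

# Expected DCs; the FQDNs of dchks and dcirm are assumed from the domain name.
DCS="dc1.iww.lan dc2.iww.lan dchks.iww.lan dcirm.iww.lan"

echo "DCs without an _ldap SRV record:"
missing_dcs "$SAMPLE_LDAP" $DCS || true

# Live use (needs a resolver that serves the AD zone):
#   for n in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs; do
#       missing_dcs "$(host -t SRV "$n.iww.lan")" $DCS
#   done
```

A non-zero exit status from missing_dcs makes the check usable from cron or a monitoring probe after every DC join.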