Norbert Hanke
2023-Mar-13 20:58 UTC
[Samba] Duplicate PDC SRV records in DNS and can't delete the wrong one with samba-tool
Hi,

I transferred FSMO roles from my DC2 to my DC1, and that looks ok from samba-tool point of view:

# samba-tool fsmo show
ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld

But in DNS I now have 2 SRV entries for the PDC role:

# host -t SRV _ldap._tcp.pdc._msdcs.ad.mydomain.tld dc1.ad.mydomain.tld
Using domain server:
Name: dc1.ad.mydomain.tld
Address: 10.88.1.8#53
Aliases:

_ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc2.ad.mydomain.tld.
_ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc1.ad.mydomain.tld.

samba-tool also sees 2 records:

# samba-tool dns query dc1.ad.mydomain.tld _msdcs.ad.mydomain.tld _tcp.pdc SRV
Using binding ncacn_ip_tcp:dc1.ad.mydomain.tld[,sign]
resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
  Name=, Records=0, Children=0
  Name=_ldap, Records=2, Children=0
    SRV: dc2.ad.mydomain.tld. (389, 0, 100) (flags=f0, serial=458, ttl=900)
    SRV: dc1.ad.mydomain.tld. (389, 0, 100) (flags=f0, serial=458, ttl=900)

That is wrong: the record with dc2 should not exist, and I would expect it to get deleted and the one with dc1 created while transferring the fsmo role.

I tried to manually delete the wrong record but that does not work:

# samba-tool dns delete dc1.ad.mydomain.tld _msdcs.ad.mydomain.tld _tcp.pdc SRV 'dc2.ad.mydomain.tld 389 0 100'
Using binding ncacn_ip_tcp:dc1.ad.mydomain.tld[,sign]
resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
ERROR: Record does not exist; record could not be deleted. zone[_msdcs.ad.mydomain.tld] name[_tcp.pdc]
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1223, in run
    dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,

Is this a bug, or am I doing something wrong? Any help is appreciated.

Deleting that record using the Windows MMC DNS snap-in works.

Regards,
Norbert
Rowland Penny
2023-Mar-13 21:31 UTC
[Samba] Duplicate PDC SRV records in DNS and can't delete the wrong one with samba-tool
On 13/03/2023 20:58, Norbert Hanke via samba wrote:
> Hi,
>
> I transferred FSMO roles from my DC2 to my DC1, and that looks ok from samba-tool point of view:
>
> # samba-tool fsmo show
> ldb_wrap open of secrets.ldb
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
>
> But in DNS I now have 2 SRV entries for the PDC role:
>
> # host -t SRV _ldap._tcp.pdc._msdcs.ad.mydomain.tld dc1.ad.mydomain.tld
> Using domain server:
> Name: dc1.ad.mydomain.tld
> Address: 10.88.1.8#53
> Aliases:
>
> _ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc2.ad.mydomain.tld.
> _ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc1.ad.mydomain.tld.
>
> samba-tool also sees 2 records:
>
> # samba-tool dns query dc1.ad.mydomain.tld _msdcs.ad.mydomain.tld _tcp.pdc SRV
> Using binding ncacn_ip_tcp:dc1.ad.mydomain.tld[,sign]
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
>   Name=, Records=0, Children=0
>   Name=_ldap, Records=2, Children=0
>     SRV: dc2.ad.mydomain.tld. (389, 0, 100) (flags=f0, serial=458, ttl=900)
>     SRV: dc1.ad.mydomain.tld. (389, 0, 100) (flags=f0, serial=458, ttl=900)
>
> That is wrong: the record with dc2 should not exist and I would expect it gets deleted and the one with dc1 created while transferring the fsmo role.

You can expect as much as you like, but there is no code to remove the dns record. ;-)

> I tried to manually delete the wrong record but that does not work:
>
> # samba-tool dns delete dc1.ad.mydomain.tld _msdcs.ad.mydomain.tld _tcp.pdc SRV 'dc2.ad.mydomain.tld 389 0 100'

Wrong name, it is _ldap._tcp.pdc

> Using binding ncacn_ip_tcp:dc1.ad.mydomain.tld[,sign]
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
> ERROR: Record does not exist; record could not be deleted. zone[_msdcs.ad.mydomain.tld] name[_tcp.pdc]
>   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1223, in run
>     dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
>
> Is this a bug, or am I doing something wrong? Any help is appreciated.

Yes, it is a bug (a known bug). No, you are not doing anything wrong (other than using the wrong name when trying to delete the incorrect record).

Rowland
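The check the two messages describe, as an added example that is not part of the thread or of Samba: it compares the PDC emulator reported by `samba-tool fsmo show` with the targets of the `_ldap._tcp.pdc._msdcs` SRV records and prints the `samba-tool dns delete` command for each stale one, using the record name `_ldap._tcp.pdc` that the reply points out. The domain, DC names and record data are taken from the thread; the sample outputs are constructed, and nothing is run against a real DC.

```shell
#!/bin/sh
# Added example, not from the thread: compare the PDC emulator reported by
# `samba-tool fsmo show` with the targets of _ldap._tcp.pdc._msdcs SRV records
# and print the samba-tool command that removes each stale one. The name inside
# the _msdcs zone is _ldap._tcp.pdc (not _tcp.pdc), as the reply points out.
# Sample outputs below are constructed to match the thread; nothing is executed
# against a real DC.

pdc_owner_from_fsmo() {
    # $1: `samba-tool fsmo show` output. Prints the DC short name (lower case)
    # from the PdcEmulationMasterRole owner DN, e.g. "dc1".
    printf '%s\n' "$1" | awk -F'CN=' '/PdcEmulationMasterRole/ {
        sub(/,.*/, "", $3); print tolower($3) }'
}

srv_records_from_host() {
    # $1: `host -t SRV` output, which prints "priority weight port target".
    # Emits one record per line as "target port priority weight", the order
    # samba-tool dns uses for SRV record data.
    printf '%s\n' "$1" | awk '/has SRV record/ {
        t = $NF; sub(/\.$/, "", t); print t, $(NF-1), $(NF-3), $(NF-2) }'
}

stale_pdc_srv() {
    # $1: fsmo output, $2: host output. Prints every SRV record whose target
    # is not the current PDC emulator.
    owner=$(pdc_owner_from_fsmo "$1")
    srv_records_from_host "$2" | while read -r target rest; do
        [ "${target%%.*}" = "$owner" ] || printf '%s %s\n' "$target" "$rest"
    done
}

delete_command() {
    # $1: DNS server, $2: AD domain, $3: "target port priority weight"
    printf "samba-tool dns delete %s _msdcs.%s _ldap._tcp.pdc SRV '%s'\n" \
        "$1" "$2" "$3"
}

# Constructed sample data (shortened to the lines the functions need).
FSMO_SAMPLE='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld'
HOST_SAMPLE='_ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc2.ad.mydomain.tld.
_ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc1.ad.mydomain.tld.'

stale_pdc_srv "$FSMO_SAMPLE" "$HOST_SAMPLE" | while read -r rec; do
    delete_command dc1.ad.mydomain.tld ad.mydomain.tld "$rec"
done
```

Feed it the live outputs of the two commands and review the printed delete command before running it, since removing the wrong SRV record would break PDC location for the domain.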