Rowland Penny
2015-Dec-02 10:57 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 02/12/15 10:31, mj wrote:
>> I can find on the internet multiple instances of 'every DC running dns
>> should have a SOA record', but I cannot find any concrete examples of an
>> ldif that shows this. Does each DC have a separate SOA record in AD, or
>> is there just one SOA record and the DC just claims to be the SOA, or is
>> there just one SOA record with an NS record for each DC. Samba would
>> seem to be the latter, but I am struggling with adding the NS record for
>> a new DC during the join, I think what happens is that the NS record
>> does get added, but is wiped out when replication kicks in. It is very
>> easy to add the NS record after the join with samba-tool.
>>
>> Rowland
>>
> Hi,
>
> I remember vaguely that someone once told me that MS DCs always
> announce themselves as the soa if asked. If they always reply that,
> perhaps there is no need for it to actually be in the database (so it
> would perhaps not show up in an ldif)
>
> MJ
>

This is what I think happens and if this is the case, then samba itself
will have to do this, but I have added an NS record for the 2nd DC to the
SOA record with samba-tool and if I use nslookup I get this:

nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.5
Address:        192.168.0.5#53

samdom.example.com
        origin = dc1.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

If I then exit from nslookup and swap the nameservers in /etc/resolv.conf
and rerun nslookup, I get this:

nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc2.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

Which, to me, says that both DCs are authoritative for the domain. If this
is correct, I just need to find a way of adding the NS record during the
join.

Rowland
mathias dufresne
2015-Dec-02 11:59 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland,

What did you request as DNS? Samba + Bind + DLZ ?
If yes, the fact that your two DNS servers are replying "I am SOA" is a
feature from Bind9 or from the DLZ patch.

That's important as a standard Samba AD designed without Bind is using the
LDAP defined entry for SOA. Asking the five Samba DCs I have here who's SOA,
they all replied the same server, the one declared in the SOA LDAP entry.
Of course all DCs are declared as NS in that zone.

That behavior is the same for the SAMBA.DOMAIN.TLD zone and for the
_msdcs.SAMBA.DOMAIN.TLD zone.

And where the SOA is, is important, as samba_dnsupdate is using, sometimes,
that SOA to guess where to push changes. I'm absolutely sure of that because
I started to interest myself in SOA after samba_dnsupdate complained about my
SOA which was not pointing to the right server.

2015-12-02 11:57 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 02/12/15 10:31, mj wrote:
>
>>> I can find on the internet multiple instances of 'every DC running dns
>>> should have a SOA record', but I cannot find any concrete examples of an
>>> ldif that shows this. Does each DC have a separate SOA record in AD, or
>>> is there just one SOA record and the DC just claims to be the SOA, or is
>>> there just one SOA record with an NS record for each DC. Samba would
>>> seem to be the latter, but I am struggling with adding the NS record for
>>> a new DC during the join, I think what happens is that the NS record
>>> does get added, but is wiped out when replication kicks in. It is very
>>> easy to add the NS record after the join with samba-tool.
>>>
>>> Rowland
>>>
>> Hi,
>>
>> I remember vaguely that someone once told me that MS DCs always announce
>> themselves as the soa if asked. If they always reply that, perhaps there is
>> no need for it to actually be in the database (so it would perhaps not show
>> up in an ldif)
>>
>> MJ
>>
> This is what I think happens and if this is the case, then samba itself
> will have to do this, but I have added an NS record for the 2nd DC to the
> SOA record with samba-tool and if I use nslookup I get this:
>
> nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.5
> Address:        192.168.0.5#53
>
> samdom.example.com
>         origin = dc1.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 101
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
>
> If I then exit from nslookup and swap the nameservers in /etc/resolv.conf
> and rerun nslookup, I get this:
>
> nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.6
> Address:        192.168.0.6#53
>
> samdom.example.com
>         origin = dc2.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 101
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
>
> Which, to me, says that both DCs are authoritative for the domain. If this
> is correct, I just need to find a way of adding the NS record during the
> join.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Dec-02 12:24 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 02/12/15 11:59, mathias dufresne wrote:
> Rowland,
>
> What did you request as DNS? Samba + Bind + DLZ ?
> If yes, the fact that your two DNS servers are replying "I am SOA" is a
> feature from Bind9 or from the DLZ patch.

Yes, I use bind9 with the dlz backend.

> That's important as a standard Samba AD designed without Bind is using the
> LDAP defined entry for SOA. Asking the five Samba DCs I have here who's SOA,
> they all replied the same server, the one declared in the SOA LDAP entry.
> Of course all DCs are declared as NS in that zone.

Not sure if this is a bind9 feature. Does your SOA record have the NS
records for all the DCs? If not, then the first DC will be the only
authoritative server.

> That behavior is the same for the SAMBA.DOMAIN.TLD zone and for the
> _msdcs.SAMBA.DOMAIN.TLD zone.
>
> And where the SOA is, is important, as samba_dnsupdate is using, sometimes,
> that SOA to guess where to push changes. I'm absolutely sure of that because
> I started to interest myself in SOA after samba_dnsupdate complained about my
> SOA which was not pointing to the right server.
>
>
> 2015-12-02 11:57 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 02/12/15 10:31, mj wrote:
>>
>>>> I can find on the internet multiple instances of 'every DC running dns
>>>> should have a SOA record', but I cannot find any concrete examples of an
>>>> ldif that shows this. Does each DC have a separate SOA record in AD, or
>>>> is there just one SOA record and the DC just claims to be the SOA, or is
>>>> there just one SOA record with an NS record for each DC. Samba would
>>>> seem to be the latter, but I am struggling with adding the NS record for
>>>> a new DC during the join, I think what happens is that the NS record
>>>> does get added, but is wiped out when replication kicks in. It is very
>>>> easy to add the NS record after the join with samba-tool.
>>>>
>>>> Rowland
>>>>
>>> Hi,
>>>
>>> I remember vaguely that someone once told me that MS DCs always announce
>>> themselves as the soa if asked. If they always reply that, perhaps there is
>>> no need for it to actually be in the database (so it would perhaps not show
>>> up in an ldif)
>>>
>>> MJ
>>>
>> This is what I think happens and if this is the case, then samba itself
>> will have to do this, but I have added an NS record for the 2nd DC to the
>> SOA record with samba-tool and if I use nslookup I get this:
>>
>> nslookup
>> > set querytype=soa
>> > samdom.example.com
>> Server:         192.168.0.5
>> Address:        192.168.0.5#53
>>
>> samdom.example.com
>>         origin = dc1.samdom.example.com
>>         mail addr = hostmaster.samdom.example.com
>>         serial = 101
>>         refresh = 900
>>         retry = 600
>>         expire = 86400
>>         minimum = 3600
>>
>> If I then exit from nslookup and swap the nameservers in /etc/resolv.conf
>> and rerun nslookup, I get this:
>>
>> nslookup
>> > set querytype=soa
>> > samdom.example.com
>> Server:         192.168.0.6
>> Address:        192.168.0.6#53
>>
>> samdom.example.com
>>         origin = dc2.samdom.example.com
>>         mail addr = hostmaster.samdom.example.com
>>         serial = 101
>>         refresh = 900
>>         retry = 600
>>         expire = 86400
>>         minimum = 3600
>>
>> Which, to me, says that both DCs are authoritative for the domain. If this
>> is correct, I just need to find a way of adding the NS record during the
>> join.
>>
>> Rowland
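The thread turns on two checks an administrator would want to automate: whether every DC that answers an SOA query for the zone is actually listed as an NS for it (Rowland's missing NS record for the second DC), and whether clients have a second nameserver to fall back to when the first DC is offline (the resolv.conf swap Rowland did by hand). The script below is an added example, not code from the thread's authors or from the Samba project; it parses nslookup-style SOA output and a resolv.conf collected per DC and reports the gaps. The answer text, the NS list and the resolv.conf content are constructed samples modelled on the output quoted above; the function names are the example's own.

```python
"""Consistency checks for SOA/NS answers from several Samba AD DCs.

Added example (not Samba project code). In practice the SOA answers would
come from `nslookup -query=soa samdom.example.com <dc-ip>` run against
each DC, and the NS list from `samba-tool dns query`; here they are
constructed inline so the script runs offline.
"""
import re

# Constructed SOA answers, values copied from the nslookup output in the thread.
DC_ANSWERS = {
    "192.168.0.5": """Server:\t\t192.168.0.5
Address:\t192.168.0.5#53

samdom.example.com
\torigin = dc1.samdom.example.com
\tmail addr = hostmaster.samdom.example.com
\tserial = 101
\trefresh = 900
\tretry = 600
\texpire = 86400
\tminimum = 3600
""",
    "192.168.0.6": """Server:\t\t192.168.0.6
Address:\t192.168.0.6#53

samdom.example.com
\torigin = dc2.samdom.example.com
\tmail addr = hostmaster.samdom.example.com
\tserial = 101
\trefresh = 900
\tretry = 600
\texpire = 86400
\tminimum = 3600
""",
}

# Constructed NS set: only the first DC is listed, the state Rowland describes
# before adding the second DC's NS record with samba-tool.
NS_RECORDS = ["dc1.samdom.example.com"]

# Constructed client resolv.conf pointing at a single DC.
RESOLV_CONF = "search samdom.example.com\nnameserver 192.168.0.5\n"

SOA_FIELD = re.compile(
    r"^\s*(origin|mail addr|serial|refresh|retry|expire|minimum)\s*=\s*(\S+)", re.M
)


def parse_soa(text):
    """Extract the SOA fields and the answering server from nslookup output."""
    fields = dict(SOA_FIELD.findall(text))
    for key in ("serial", "refresh", "retry", "expire", "minimum"):
        if key in fields:
            fields[key] = int(fields[key])
    server = re.search(r"^Server:\s*(\S+)", text, re.M)
    fields["server"] = server.group(1) if server else None
    return fields


def check_dns_authority(answers, ns_records):
    """Return findings; an empty list means every SOA origin has an NS record
    and all DCs agree on the zone serial (i.e. replication has converged)."""
    findings = []
    ns = {n.rstrip(".").lower() for n in ns_records}
    serials = set()
    for ip, text in answers.items():
        soa = parse_soa(text)
        origin = soa.get("origin", "").rstrip(".").lower()
        if not origin:
            findings.append(f"{ip}: no SOA answer")
            continue
        if origin not in ns:
            findings.append(f"{ip}: answers SOA origin {origin} but {origin} has no NS record")
        serials.add(soa["serial"])
    if len(serials) > 1:
        findings.append(f"zone serial differs between DCs: {sorted(serials)}")
    return findings


def dcs_missing_from_resolv(resolv_text, dc_ips):
    """List DC addresses a client cannot fall back to because they are not
    nameserver entries in its resolv.conf (why a client stalls when one DC is down)."""
    listed = set(re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M))
    return [ip for ip in dc_ips if ip not in listed]


if __name__ == "__main__":
    for f in check_dns_authority(DC_ANSWERS, NS_RECORDS):
        print("DNS:", f)
    for ip in dcs_missing_from_resolv(RESOLV_CONF, DC_ANSWERS):
        print("client has no fallback to", ip)
```

Run as-is it flags dc2 as answering SOA without an NS record and reports that the client has no fallback to 192.168.0.6; after the second NS record is added and the client's resolv.conf lists both DCs, both checks return empty.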