L.P.H. van Belle
2015-Dec-10 10:44 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hai,

Ah, ok, well, yeah, I was missing the NS on the SOA.

This is imo a bug, I don't know if this is by design for samba, so maybe a samba dev can answer this since every joined DC should have an NS record on the SOA as far as I know, but that's my opinion and I can be wrong here.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 10 December 2015 10:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> On 10/12/15 09:23, L.P.H. van Belle wrote:
> > I was wondering why because in a full windows domain, every DC has an NS
> > record.
> >
>
> When you join a DC, the basic info is added to AD and then when the
> samba daemon is started, samba_dnsupdate is run, this uses the file
> dns_update_list to add (if required) various dns records. Guess what dns
> records are not in that file?
>
> However, even if you add the missing NS records to the SOA records, if
> you use the internal dns server, you will still only have one NS, this
> appears to be your first DC. I am beginning to think that if you have
> more than one DC, you should forget the internal DNS server and use
> BIND_DLZ instead.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2015-Dec-10 10:54 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 10:44, L.P.H. van Belle wrote:
> Hai,
>
> Ah, ok, well, yeah, I was missing the NS on the SOA.
>
> This is imo a bug, I don't know if this is by design for samba,
> so maybe a samba dev can answer this since every joined DC should have an NS record on the SOA as far as I know, but that's my opinion and I can be wrong here.
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Thursday 10 December 2015 10:41
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>
>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>> I was wondering why because in a full windows domain, every DC has an NS
>> record.
>>>
>> When you join a DC, the basic info is added to AD and then when the
>> samba daemon is started, samba_dnsupdate is run, this uses the file
>> dns_update_list to add (if required) various dns records. Guess what dns
>> records are not in that file?
>>
>> However, even if you add the missing NS records to the SOA records, if
>> you use the internal dns server, you will still only have one NS, this
>> appears to be your first DC. I am beginning to think that if you have
>> more than one DC, you should forget the internal DNS server and use
>> BIND_DLZ instead.
>>
>> Rowland
>

When I can figure how to get into the new GitHub setup, I will be proposing a patch for this, it just needs three lines adding to dns_update_list.

Rowland
Rowland penny
2015-Dec-10 11:55 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 10:54, Rowland penny wrote:
> On 10/12/15 10:44, L.P.H. van Belle wrote:
>> Hai,
>>
>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>
>> This is imo a bug, I don't know if this is by design for samba,
>> so maybe a samba dev can answer this since every joined DC should
>> have an NS record on the SOA as far as I know, but that's my opinion
>> and I can be wrong here.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>> Sent: Thursday 10 December 2015 10:41
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>> initially fails when PDC is offline
>>>
>>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>>> I was wondering why because in a full windows domain, every DC has
>>>> an NS
>>> record.
>>>>
>>> When you join a DC, the basic info is added to AD and then when the
>>> samba daemon is started, samba_dnsupdate is run, this uses the file
>>> dns_update_list to add (if required) various dns records. Guess what
>>> dns
>>> records are not in that file?
>>>
>>> However, even if you add the missing NS records to the SOA records, if
>>> you use the internal dns server, you will still only have one NS, this
>>> appears to be your first DC. I am beginning to think that if you have
>>> more than one DC, you should forget the internal DNS server and use
>>> BIND_DLZ instead.
>>>
>>> Rowland
>>
>>
>
> When I can figure how to get into the new GitHub setup, I will be
> proposing a patch for this, it just needs three lines adding to
> dns_update_list.
>
> Rowland
>

If anybody is interested, these are the results of my testing. First, here are the results of adding an NS record to the dns domain SOA record for the second DC on a domain using the internal dns server:

root@testdc1:~# dig SOA +multiline home.lan

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.                      IN SOA

;; ANSWER SECTION:
home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
                                1          ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 28 msec
;; SERVER: 192.168.0.241#53(192.168.0.241)
;; WHEN: Thu Dec 10 11:35:46 GMT 2015
;; MSG SIZE  rcvd: 81

root@testdc2:~# dig SOA +multiline home.lan

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.                      IN SOA

;; ANSWER SECTION:
home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
                                1          ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 56 msec
;; SERVER: 192.168.0.240#53(192.168.0.240)
;; WHEN: Thu Dec 10 11:36:14 GMT 2015
;; MSG SIZE  rcvd: 81

As you can see, even though each DC is using the other DC as its nameserver in /etc/resolv.conf, they both return the same info. Now compare that with the info from a domain that uses bind9 as the dns server:

root@dc1:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc1.samdom.example.com.
samdom.example.com.     900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 7 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Thu Dec 10 11:41:22 GMT 2015
;; MSG SIZE  rcvd: 162

root@dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc1.samdom.example.com.
samdom.example.com.     900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Dec 10 11:41:29 GMT 2015
;; MSG SIZE  rcvd: 162

You get a lot more info and each DC is shown as being authoritative for the dns domain. Now, I am no expert when it comes to dns, but using bind9 looks a better idea to me :-)

Rowland
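As an added example (not code from this thread or from Samba), here is a POSIX shell check for the problem the thread is about: it compares the NS records a zone actually returns against the list of DCs that should be authoritative, so a DC that the zone does not list (as happens with the internal DNS server above) is reported before the first DC goes offline. The embedded sample answers are constructed to mirror the two domains in the dig output above; the DC and zone names are taken from it.

```shell
#!/bin/sh
# Check that every DC has an NS record in the AD DNS zone.
# Added example; not part of the thread or of Samba.

# Constructed samples of what `dig +short NS <zone> @<dc>` would return for
# the two setups in the thread: the internal-DNS zone lists only the first
# DC, the BIND9 zone lists both.
SAMPLE_NS_INTERNAL='testdc1.home.lan.'
SAMPLE_NS_BIND='dc1.samdom.example.com.
dc2.samdom.example.com.'

# missing_ns "<dig +short NS output>" dc1.fqdn dc2.fqdn ...
# Prints the DCs that have no NS record (space separated) and returns
# exit status 1 if any are missing, 0 if the zone lists every DC.
missing_ns() {
    ns_out=$1
    shift
    missing=''
    for dc in "$@"; do
        # dig prints names with a trailing dot; match whole lines, ignoring case
        if ! printf '%s\n' "$ns_out" | grep -qixF "$dc."; then
            missing="$missing $dc"
        fi
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# Live use against a real zone (needs dig and the network; not run here):
#   missing_ns "$(dig +short NS home.lan @192.168.0.240)" \
#       testdc1.home.lan testdc2.home.lan
# Querying each DC in turn catches the case where only one of them answers
# with the full NS set.
```

Run the live form once per DC: with the internal DNS server both answers should list only the first DC, which is exactly what the check flags.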