Ole Traupe
2016-Jan-07  10:48 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Please don't post any sensitive information - even if I forget sanitizing it.

This is probably the reason behind it: Our corporate DNS servers hold info about our machines. This works together with DHCP. By registering the machines I simply prevent any IP conflicts. My domain DNS has nothing to do with it. In my domain members (Win clients and Linux servers) only my DCs are set as DNS servers and these members don't use DHCP.

Within my subnet, I get exactly the same as Rowland reported below.

Ole

On 07.01.2016 at 10:28, L.P.H. van Belle wrote:
> Yes, that's exactly what Ole must test.
>
> And optionally the result of:
> dig A internal.domain.tld @IP_DC1
> dig A internal.domain.tld @IP_DC2
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Thursday, 7 January 2016 10:20
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>
>> On 07/01/16 08:45, L.P.H. van Belle wrote:
>>> Hai Ole,
>>>
>>> What does this give you as output?
>>> host bpn.tu-berlin.de
>>>
>>> I assume your dnsdomain name is the same as your REALM_NAME?
>>>
>>> For me it shows the 2 IP addresses of my DCs.
>>> And my MX record.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>> Hi Louis and Ole, Just for interest I ran 'host bpn.tu-berlin.de' in a
>> terminal, all I get back is:
>>
>> bpn.tu-berlin.de mail is handled by 100 mail.tu-berlin.de.
>>
>> No NS records
>>
>> Yet when I search on my dns/kerberos domain:
>>
>> host samdom.example.com
>> samdom.example.com has address 192.168.0.6
>> samdom.example.com has address 192.168.0.5
>>
>> Rowland
Rowland penny
2016-Jan-07  10:58 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 07/01/16 10:48, Ole Traupe wrote:
> Please don't post any sensitive information - even if I forget
> sanitizing it.
>
> This is probably the reason behind it: Our corporate DNS servers hold
> info about our machines. This works together with DHCP. By registering
> the machines I simply prevent any IP conflicts. My domain DNS has
> nothing to do with it. In my domain members (Win clients and Linux
> servers) only my DCs are set as DNS servers and these members don't
> use DHCP.
>
> Within my subnet, I get exactly the same as Rowland reported below.
>
> Ole

This is one of the reasons that you shouldn't use your corporate domain name for your AD domain name, if you do, your domain members are locatable from the internet.

The domain name in question is *not* sensitive info, if it was, you wouldn't get any email :-)

Rowland
Ole Traupe
2016-Jan-07  11:00 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Guys, as much as I like troubleshooting (I admit it), we all have already spent way too much time on this. I strongly feel we should wrap it up here.

This issue either is due to my faulty configuration, or there is a general problem with the internal DNS of Samba (seems to me; also Rowland's interpretation, if I am right).

So, as I already created a problem in my DNS (an invisible faulty record I cannot delete anymore), I would like to take this opportunity of a clean (DNS) slate by switching to bind9 - maybe with your help, Rowland? Ideally without starting completely from scratch.

In addition, I recommend updating the wiki like this:

- Currently it seems that with Samba's internal DNS fail-over safety cannot reliably be achieved.
- Therefore it is strongly suggested to use bind9 in any setup that is intended to go in production sooner or later.
- At the moment, Samba's internal DNS must be seen as a quick and convenient solution for *testing* purposes only.

Ole

On 07.01.2016 at 11:48, Ole Traupe wrote:
> Please don't post any sensitive information - even if I forget
> sanitizing it.
>
> This is probably the reason behind it: Our corporate DNS servers hold
> info about our machines. This works together with DHCP. By registering
> the machines I simply prevent any IP conflicts. My domain DNS has
> nothing to do with it. In my domain members (Win clients and Linux
> servers) only my DCs are set as DNS servers and these members don't
> use DHCP.
>
> Within my subnet, I get exactly the same as Rowland reported below.
>
> Ole
>
>
> On 07.01.2016 at 10:28, L.P.H. van Belle wrote:
>> Yes, that's exactly what Ole must test.
>>
>> And optionally the result of:
>> dig A internal.domain.tld @IP_DC1
>> dig A internal.domain.tld @IP_DC2
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>> Sent: Thursday, 7 January 2016 10:20
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>> initially fails when PDC is offline
>>>
>>> On 07/01/16 08:45, L.P.H. van Belle wrote:
>>>> Hai Ole,
>>>>
>>>> What does this give you as output?
>>>> host bpn.tu-berlin.de
>>>>
>>>> I assume your dnsdomain name is the same as your REALM_NAME?
>>>>
>>>> For me it shows the 2 IP addresses of my DCs.
>>>> And my MX record.
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>> Hi Louis and Ole, Just for interest I ran 'host bpn.tu-berlin.de' in a
>>> terminal, all I get back is:
>>>
>>> bpn.tu-berlin.de mail is handled by 100 mail.tu-berlin.de.
>>>
>>> No NS records
>>>
>>> Yet when I search on my dns/kerberos domain:
>>>
>>> host samdom.example.com
>>> samdom.example.com has address 192.168.0.6
>>> samdom.example.com has address 192.168.0.5
>>>
>>> Rowland
Ole Traupe
2016-Jan-07  11:19 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 07.01.2016 at 11:58, Rowland penny wrote:
> On 07/01/16 10:48, Ole Traupe wrote:
>> Please don't post any sensitive information - even if I forget
>> sanitizing it.
>>
>> This is probably the reason behind it: Our corporate DNS servers hold
>> info about our machines. This works together with DHCP. By
>> registering the machines I simply prevent any IP conflicts. My domain
>> DNS has nothing to do with it. In my domain members (Win clients and
>> Linux servers) only my DCs are set as DNS servers and these members
>> don't use DHCP.
>>
>> Within my subnet, I get exactly the same as Rowland reported below.
>>
>> Ole
>
> This is one of the reasons that you shouldn't use your corporate
> domain name for your AD domain name, if you do, your domain members
> are locatable from the internet.

In theory. Actually, most of them aren't.

> The domain name in question is *not* sensitive info, if it was, you
> wouldn't get any email :-)

My mail address is *not* ole.traupe@*bpn*.tu-berlin.de.

> Rowland
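
The per-DC lookup suggested earlier in the thread (`host` / `dig A` against each DC), written as a repeatable check. This is an added example, not part of any post in the thread; the function names `missing_dc_addrs` and `check_dns_server` are hypothetical, and the sample answers are constructed from the `host` output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Sample answers, constructed from the `host` output quoted in the thread.
SAMPLE_BOTH='samdom.example.com has address 192.168.0.6
samdom.example.com has address 192.168.0.5'
SAMPLE_MX_ONLY='bpn.tu-berlin.de mail is handled by 100 mail.tu-berlin.de.'

# missing_dc_addrs HOST_OUTPUT IP...
# Prints every expected DC address that has no "has address" line in the
# given `host` output. Returns 1 if at least one address is missing.
missing_dc_addrs() {
    output=$1
    shift
    rc=0
    for ip in "$@"; do
        # Compare the whole field so 192.168.0.5 does not match 192.168.0.50.
        if ! printf '%s\n' "$output" | awk -v ip="$ip" \
            '$2 == "has" && $3 == "address" && $4 == ip { found = 1 }
             END { exit !found }'
        then
            echo "$ip"
            rc=1
        fi
    done
    return "$rc"
}

# check_dns_server DOMAIN DNS_SERVER IP...
# Live variant: asks one specific DNS server (one DC) for the domain's A records.
check_dns_server() {
    domain=$1
    server=$2
    shift 2
    missing_dc_addrs "$(host -t A "$domain" "$server" 2>&1)" "$@"
}

# Offline demo over the two constructed answers.
for sample in "$SAMPLE_BOTH" "$SAMPLE_MX_ONLY"; do
    if missing=$(missing_dc_addrs "$sample" 192.168.0.5 192.168.0.6); then
        echo "OK: every DC address is in the answer"
    else
        echo "MISSING from answer:" $missing
    fi
done
```

Run `check_dns_server` once per DC, passing that DC's address as the server and all DC addresses as the expected list, and repeat it with the first DC offline to see what the remaining DC actually answers.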