2016-02-10 14:37 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 10/02/16 11:12, mathias dufresne wrote:
>
>> Hi all,
>>
>> Using 4.3.4 + Bind DLZ @ Centos 7.
>>
>> Regarding AD sites, I have several questions:
>>
>> 1° Is it possible with Samba4 to rename Default-First-Site-Name?
>
> Depends on what you mean, if you mean can it be changed, then the answer
> is yes. If you mean can it be changed with samba-tool, then no.

OK. I tried once and I had to reinstall the whole domain. I was using RPM manually created with patch for demote dead servers. Rpmbuild never complained about that patch but samba-tool did not get the option to demote dead servers. Perhaps the patch I got wasn't the right one, perhaps that patch would have broken part of this packaged samba...
Of course the issue can come from me, but as I used RSAT to rename the site, I can't see how I could make a mistake...

>> 2° samba-tool sites create <name>
>> does not link new site to DEFAULTIPSITELINK, is it the correct behaviour?
>
> Probably not.

OK

>> 3° When a DC is not in Default-First-Site-Name, no DNS records related to
>> that DC should exist in Default-First-Site-Name related DNS records. Is
>> that true?
>> ex: _ldap._tcp.Default-First-Site-Name._sites.samba.domain.tld should not
>> exist.
>
> Again probably not.

According to your next reply, I take your reply as a "yes, that's true. A DC should be referenced only in the site it belongs to."
Once more, my question was not clear, sorry about that.

>> 4° When a DC is moved from one site to another site, all DNS records
>> related to old site should be automatically removed?
>
> Yes

OK

>> 5° If 4° is true, what triggers the change in DNS configuration? Is it a
>> samba restart which will run samba_dnsupdate which would perform that
>> creation of DNS records and deletion of the old ones or samba_dnsupdate (or
>> equivalent) is run without the need of a restart/reboot?
>
> I don't think there is anything to do this at present. The main problem
> (as I see it) is that when you provision a domain, all the records are
> created for you, but when you join another DC, they are not. You have to
> start/restart samba and this then adds various dns records including the
> site ones.

OK. So no trigger.
samba_dnsupdate should solve the issue as a restart of samba service or restarting samba is really needed?

> Rowland
>
>> For other questions I still have tests to perform.
>>
>> Thanks and regards,
>>
>> mathias dufresne
>
> --

Thank you for your help : )

On 10/02/16 14:07, mathias dufresne wrote:

> 2016-02-10 14:37 GMT+01:00 Rowland penny <rpenny at samba.org>:
>
>> On 10/02/16 11:12, mathias dufresne wrote:
>>
>>> Hi all,
>>>
>>> Using 4.3.4 + Bind DLZ @ Centos 7.
>>>
>>> Regarding AD sites, I have several questions:
>>>
>>> 1° Is it possible with Samba4 to rename Default-First-Site-Name?
>>
>> Depends on what you mean, if you mean can it be changed, then the
>> answer is yes. If you mean can it be changed with samba-tool, then no.
>
> OK. I tried once and I had to reinstall the whole domain. I was using
> RPM manually created with patch for demote dead servers. Rpmbuild
> never complained about that patch but samba-tool did not get the
> option to demote dead servers. Perhaps the patch I got wasn't the
> right one, perhaps that patch would have broken part of this packaged
> samba...
> Of course the issue can come from me, but as I used RSAT to rename the
> site, I can't see how I could make a mistake...
>
>>> 2° samba-tool sites create <name>
>>> does not link new site to DEFAULTIPSITELINK, is it the correct
>>> behaviour?
>>
>> Probably not.
>
> OK
>
>>> 3° When a DC is not in Default-First-Site-Name, no DNS records
>>> related to that DC should exist in Default-First-Site-Name related
>>> DNS records. Is that true?
>>> ex: _ldap._tcp.Default-First-Site-Name._sites.samba.domain.tld
>>> should not exist.
>>
>> Again probably not.
>
> According to your next reply, I take your reply as a "yes, that's
> true. A DC should be referenced only in the site it belongs to."
>
> Once more, my question was not clear, sorry about that.
>
>>> 4° When a DC is moved from one site to another site, all DNS
>>> records related to old site should be automatically removed?
>>
>> Yes
>
> OK
>
>>> 5° If 4° is true, what triggers the change in DNS configuration?
>>> Is it a samba restart which will run samba_dnsupdate which would
>>> perform that creation of DNS records and deletion of the old ones
>>> or samba_dnsupdate (or equivalent) is run without the need of a
>>> restart/reboot?
>>
>> I don't think there is anything to do this at present. The main
>> problem (as I see it) is that when you provision a domain, all the
>> records are created for you, but when you join another DC, they
>> are not. You have to start/restart samba and this then adds
>> various dns records including the site ones.
>
> OK. So no trigger.
>
> samba_dnsupdate should solve the issue as a restart of samba service
> or restarting samba is really needed?

I have been reading the 'samba-tool sites' code and it appears that it creates new sites in 'CN=NEWSITE,CN=Sites,DC=samdom,DC=example,DC=com'.

I think it should be creating it in 'CN=NEWSITE,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

I think it should also add a 'siteList' attribute containing 'CN=NEWSITE,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com' to 'CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

Rowland

My answer below.

2016-02-10 15:38 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 10/02/16 14:07, mathias dufresne wrote:
>
>> 2016-02-10 14:37 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>
>>> On 10/02/16 11:12, mathias dufresne wrote:
>>>
>>>> Hi all,
>>>>
>>>> Using 4.3.4 + Bind DLZ @ Centos 7.
>>>>
>>>> Regarding AD sites, I have several questions:
>>>>
>>>> 1° Is it possible with Samba4 to rename Default-First-Site-Name?
>>>
>>> Depends on what you mean, if you mean can it be changed, then the
>>> answer is yes. If you mean can it be changed with samba-tool, then no.
>>
>> OK. I tried once and I had to reinstall the whole domain. I was using RPM
>> manually created with patch for demote dead servers. Rpmbuild never
>> complained about that patch but samba-tool did not get the option to demote
>> dead servers. Perhaps the patch I got wasn't the right one, perhaps that
>> patch would have broken part of this packaged samba...
>> Of course the issue can come from me, but as I used RSAT to rename the
>> site, I can't see how I could make a mistake...
>>
>>>> 2° samba-tool sites create <name>
>>>> does not link new site to DEFAULTIPSITELINK, is it the correct
>>>> behaviour?
>>>
>>> Probably not.
>>
>> OK
>>
>>>> 3° When a DC is not in Default-First-Site-Name, no DNS records
>>>> related to that DC should exist in Default-First-Site-Name related
>>>> DNS records. Is that true?
>>>> ex: _ldap._tcp.Default-First-Site-Name._sites.samba.domain.tld
>>>> should not exist.
>>>
>>> Again probably not.
>>
>> According to your next reply, I take your reply as a "yes, that's true. A
>> DC should be referenced only in the site it belongs to."
>>
>> Once more, my question was not clear, sorry about that.
>>
>>>> 4° When a DC is moved from one site to another site, all DNS
>>>> records related to old site should be automatically removed?
>>>
>>> Yes
>>
>> OK
>>
>>>> 5° If 4° is true, what triggers the change in DNS configuration?
>>>> Is it a samba restart which will run samba_dnsupdate which would
>>>> perform that creation of DNS records and deletion of the old ones
>>>> or samba_dnsupdate (or equivalent) is run without the need of a
>>>> restart/reboot?
>>>
>>> I don't think there is anything to do this at present. The main
>>> problem (as I see it) is that when you provision a domain, all the
>>> records are created for you, but when you join another DC, they
>>> are not. You have to start/restart samba and this then adds
>>> various dns records including the site ones.
>>
>> OK. So no trigger.
>>
>> samba_dnsupdate should solve the issue as a restart of samba service or
>> restarting samba is really needed?
>
> I have been reading the 'samba-tool sites' code and it appears that it
> creates new sites in 'CN=NEWSITE,CN=Sites,DC=samdom,DC=example,DC=com'.
>
> I think it should be creating it in
> 'CN=NEWSITE,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

I did look into both domains I have here at work, one is 4.3.4 and the other one is 4.4.0rc2. There is no CN=Sites,DC=samdom,DC=example,DC=com but only CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com.

Of course there is also no CN=NEWSITE,CN=Sites,DC=samdom,DC=example,DC=com and only CN=NEWSITE,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com is present.

Which version of Samba were you looking into?

> I think it should also add a 'siteList' attribute containing
> 'CN=NEWSITE,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com' to
> 'CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

That's very interesting information. For now and as I'm starting to be pushed by time, I would rely on RSAT to change that. That's the only thing I spotted as missing with 4.4.0 and site management (because 4.4.0 comes with improvement of site management, thanks to devs ;)

> Rowland
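
Added example, not part of the thread and not Samba code: a small check for the two conditions discussed above, namely site objects created outside CN=Sites,CN=Configuration and sites that no site link lists in 'siteList'. It assumes LDIF text shaped like ldbsearch output; the sample data and the function names are constructed for illustration.

```python
import re

# Constructed sample shaped like ldbsearch LDIF output for the Sites container.
# Long values are folded: a continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectClass: site

dn: CN=NEWSITE,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
objectClass: site

dn: CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configurati
 on,DC=samdom,DC=example,DC=com
objectClass: siteLink
siteList: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=exa
 mple,DC=com
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF record."""
    unfolded = re.sub(r"\n ", "", text)  # undo LDIF line folding
    records = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # comment lines such as "# record 1"
            attr, value = line.split(": ", 1)
            if attr.endswith(":"):
                continue  # base64 values ("attr:: ...") are ignored here
            rec.setdefault(attr.lower(), []).append(value)
        if rec:
            records.append(rec)
    return records

def unlinked_sites(records):
    """DNs of site objects that appear in no siteLink's siteList."""
    linked = {dn.lower() for r in records
              if "siteLink" in r.get("objectclass", [])
              for dn in r.get("sitelist", [])}
    return [r["dn"][0] for r in records
            if "site" in r.get("objectclass", [])
            and r["dn"][0].lower() not in linked]

def wrong_container(records):
    """DNs of site objects not directly under CN=Sites,CN=Configuration."""
    ok = re.compile(r"(?i)^CN=[^,]+,CN=Sites,CN=Configuration,DC=")
    return [r["dn"][0] for r in records
            if "site" in r.get("objectclass", []) and not ok.match(r["dn"][0])]
```

On the constructed sample, NEWSITE is reported as unlinked because DEFAULTIPSITELINK lists only Default-First-Site-Name.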