On Wed, 19 Oct 2016 16:55:40 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 19 Oct 2016 17:45:18 +0200
> Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>
> > Hi Rowland,
> >
> > On 18.10.2016 at 12:30, Rowland Penny via samba wrote:
> > > Yes it should exist and it should be added for you when Samba is
> > > started (on later versions) by samba_dnsupdate.
> >
> > have you tried recently whether the records are added when
> > samba_dnsupdate runs?
> >
> > The BZ is still open:
> > https://bugzilla.samba.org/show_bug.cgi?id=10928#c4
> > And according to my last comment, it still failed last February.
> >
> >
> > Regards,
> > Marc
>
> Hi Marc, it has been some time since I tested it, but from memory it
> went something like this:
>
> There is an existing, working DC.
> You join another DC to the existing DC
> Before starting Samba, make /etc/resolv.conf point to itself as the
> nameserver
> start Samba
> samba_dnsupdate runs and adds the missing records
>
> Let me try it again and get back to you.
>
> Rowland
>
>
OK, I am back ;-)
You are correct, it doesn't work out of the box, but I have worked out
why (no fix yet) and a workaround.
The why:
DNS records can only be changed by the owner or something that has
permission to change them. When samba_dnsupdate runs, it gets this ticket
cache:
root@samtest2:~# klist /tmp/tmpierjtB
Ticket cache: FILE:/tmp/tmpierjtB
Default principal: SAMTEST2$@EXAMPLE.DOM

Valid starting       Expires              Service principal
19/10/16 20:13:22    20/10/16 06:13:22    krbtgt/EXAMPLE.DOM@EXAMPLE.DOM
19/10/16 20:13:22    20/10/16 06:13:22    DNS/samtest1.example.dom@EXAMPLE.DOM
Big problem: it is trying to update records for samtest2 with the SPN
for samtest1; this will not work.
Workaround:
Turn off samba on the first DC, then restart samba on the second DC.
There is a gotcha, however: I had to force replication with 'samba-tool
drs replicate' (after I restarted samba on the first DC).
Rowland
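A quick check for the mismatch described above, added here as an example and not part of the thread or of Samba: it parses klist output (a constructed sample modelled on the one in the mail, plus a matching one) and reports whether every DNS/ service ticket in the cache belongs to the host named in the default principal.

```shell
#!/bin/sh
# Constructed klist output (not a real cache): the failing case from the mail,
# where the DNS/ ticket is for samtest1 while the machine account is SAMTEST2$.
KLIST_BAD='Ticket cache: FILE:/tmp/tmpierjtB
Default principal: SAMTEST2$@EXAMPLE.DOM

Valid starting       Expires              Service principal
19/10/16 20:13:22    20/10/16 06:13:22    krbtgt/EXAMPLE.DOM@EXAMPLE.DOM
19/10/16 20:13:22    20/10/16 06:13:22    DNS/samtest1.example.dom@EXAMPLE.DOM'

# Constructed good case: the DNS/ ticket names the local DC.
KLIST_GOOD='Ticket cache: FILE:/tmp/tmpXXXXXX
Default principal: SAMTEST2$@EXAMPLE.DOM

Valid starting       Expires              Service principal
19/10/16 20:13:22    20/10/16 06:13:22    krbtgt/EXAMPLE.DOM@EXAMPLE.DOM
19/10/16 20:13:22    20/10/16 06:13:22    DNS/samtest2.example.dom@EXAMPLE.DOM'

# Short host name of the machine account in "Default principal:"
# (SAMTEST2$@EXAMPLE.DOM -> samtest2).
klist_default_host() {
    printf '%s\n' "$1" | awk -F': ' '/^Default principal:/ {
        sub(/\$@.*/, "", $2); print tolower($2) }'
}

# Short host of every DNS/<fqdn>@REALM service ticket, one per line.
klist_dns_spn_hosts() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^DNS\//) { sub(/^DNS\//, "", $i); sub(/[.@].*/, "", $i);
                             print tolower($i) } }'
}

# Exit status 0 when every DNS/ ticket is for this host, 1 on a mismatch
# (the situation samba_dnsupdate ran into in the mail).
dns_ticket_matches_self() {
    self=$(klist_default_host "$1")
    for h in $(klist_dns_spn_hosts "$1"); do
        [ "$h" = "$self" ] || return 1
    done
    return 0
}

# Usage on a live system (ticket cache path is whatever samba_dnsupdate used):
#   dns_ticket_matches_self "$(klist /tmp/tmpierjtB)" || echo "DNS SPN mismatch"
```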