All,

I configured two DCs (Samba version 4.5.5) replicating ad.corp.com in two sites (https://wiki.samba.org/index.php/Active_Directory_Sites), following the 'DNS configuration on Domain Controllers' section from this wiki: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

If I configure nameserver DC1 to be the first resolver for DC2, samba_dnsupdate --verbose --all-names fails with 'tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.'

The failure makes sense because each DC has keys only for itself in dns.keytab, as shown by 'klist -k /usr/local/samba/private/dns.keytab'. It makes no sense functionally for one DC to update another's DNS directly.

Seems to me the failure from 'samba_dnsupdate --verbose --all-names' can be ignored when another DC's nameserver is listed first. Unless I'm missing something?

-Mike
On Mon, 6 Mar 2017 16:30:48 +0000 (UTC) Mircea Husz via samba <samba at lists.samba.org> wrote:

> All,
>
> I configured two DCs (Samba version 4.5.5) replicating ad.corp.com in two sites (https://wiki.samba.org/index.php/Active_Directory_Sites), following the 'DNS configuration on Domain Controllers' section from this wiki: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> If I configure nameserver DC1 to be the first resolver for DC2, samba_dnsupdate --verbose --all-names fails with 'tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.'
>
> The failure makes sense because each DC has keys only for itself in dns.keytab, as shown by 'klist -k /usr/local/samba/private/dns.keytab'. It makes no sense functionally for one DC to update another's DNS directly.
>
> Seems to me the failure from 'samba_dnsupdate --verbose --all-names' can be ignored when another DC's nameserver is listed first. Unless I'm missing something?
>
> -Mike

This is all down to the mythical 'islanding' problem. I personally think that each DC should use its own IP address as the first nameserver in /etc/resolv.conf and another DC as the second.

Rowland
That's straightforward enough. Thank you Rowland.

-Mike

On Monday, March 6, 2017 11:05 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 6 Mar 2017 16:30:48 +0000 (UTC) Mircea Husz via samba <samba at lists.samba.org> wrote:
>
> > All,
> >
> > I configured two DCs (Samba version 4.5.5) replicating ad.corp.com in two sites (https://wiki.samba.org/index.php/Active_Directory_Sites), following the 'DNS configuration on Domain Controllers' section from this wiki: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> >
> > If I configure nameserver DC1 to be the first resolver for DC2, samba_dnsupdate --verbose --all-names fails with 'tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.'
> >
> > The failure makes sense because each DC has keys only for itself in dns.keytab, as shown by 'klist -k /usr/local/samba/private/dns.keytab'. It makes no sense functionally for one DC to update another's DNS directly.
> >
> > Seems to me the failure from 'samba_dnsupdate --verbose --all-names' can be ignored when another DC's nameserver is listed first. Unless I'm missing something?
> >
> > -Mike
>
> This is all down to the mythical 'islanding' problem. I personally think that each DC should use its own IP address as the first nameserver in /etc/resolv.conf and another DC as the second.
>
> Rowland
On Mon, 2017-03-06 at 16:59 +0000, Rowland Penny via samba wrote:

> On Mon, 6 Mar 2017 16:30:48 +0000 (UTC) Mircea Husz via samba <samba at lists.samba.org> wrote:
>
> > All,
> >
> > I configured two DCs (Samba version 4.5.5) replicating ad.corp.com in two sites (https://wiki.samba.org/index.php/Active_Directory_Sites), following the 'DNS configuration on Domain Controllers' section from this wiki: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> >
> > If I configure nameserver DC1 to be the first resolver for DC2, samba_dnsupdate --verbose --all-names fails with 'tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.'
> >
> > The failure makes sense because each DC has keys only for itself in dns.keytab, as shown by 'klist -k /usr/local/samba/private/dns.keytab'. It makes no sense functionally for one DC to update another's DNS directly.
> >
> > Seems to me the failure from 'samba_dnsupdate --verbose --all-names' can be ignored when another DC's nameserver is listed first. Unless I'm missing something?
> >
> > -Mike
>
> This is all down to the mythical 'islanding' problem. I personally think that each DC should use its own IP address as the first nameserver in /etc/resolv.conf and another DC as the second.

This can have some other impacts, if a DNS run hasn't happened by the time we first start up. I've got some patches to force the first DNS entries to be created during the domain join. I hope that will help a lot here, but this remains a problematic area.

There is also an issue with a patch that went into 4.5 to help us with resolv_wrapper that makes the real-world use more fragile, because it requires that the DC we point to first already have the NS records (and our local IP won't have those yet).

Using it the other way around (remote first, then local) seems to avoid some of that.

I'm really sorry we have got this far into Samba as an AD DC without this stuff 'just working', and I hope to have improved patches in master soon.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
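The thread leaves the operator with two defensible resolver layouts (own address first, as Rowland recommends, or a remote DC first, which Andrew notes sidesteps the 4.5 NS-record dependency) and one thing to inspect by hand, the DNS/ principals in dns.keytab. The script below is an added example, not code from the thread or from the Samba project: it classifies a resolv.conf-style file against the addresses the DC owns and flags the layouts that are bad under either opinion (own address missing, or a single nameserver with no fallback), and it checks a saved 'klist -k' listing for the DNS/<fqdn>@REALM principal the way Mike did interactively. All file contents, host names and the 10.0.x.y addresses in the demo section are constructed for the example; on a real DC you would pass /etc/resolv.conf and the output of 'hostname -I' and 'klist -k /usr/local/samba/private/dns.keytab' instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a Samba DC's
# resolver order and its dns.keytab principals.
#
# check_resolver_order FILE IP...
#   Classifies the 'nameserver' order in FILE relative to the IPs this DC
#   owns and prints exactly one word:
#     local-first   own IP is first and another server follows (Rowland's layout)
#     remote-first  another server is first, own IP is listed later (Andrew's)
#     no-local      own IP is not listed at all; every lookup/update goes to a peer
#     single        fewer than two nameservers, so no fallback if one DC is down
#
# keytab_has_dns_principal FILE FQDN REALM
#   Returns 0 if a saved 'klist -k' listing in FILE names DNS/FQDN@REALM,
#   1 otherwise. Works with both the MIT and the Heimdal column layouts,
#   since the principal is a whitespace-delimited token in either.

check_resolver_order() {
    resolv=$1
    shift
    # nameserver entries in file order; comments and other directives are ignored
    servers=$(awk '$1 == "nameserver" { print $2 }' "$resolv")
    count=0
    localpos=0
    for s in $servers; do
        count=$((count + 1))
        if [ "$localpos" -eq 0 ]; then
            for ip in "$@"; do
                [ "$s" = "$ip" ] && localpos=$count
            done
        fi
    done
    if [ "$count" -lt 2 ]; then
        echo single
    elif [ "$localpos" -eq 1 ]; then
        echo local-first
    elif [ "$localpos" -gt 1 ]; then
        echo remote-first
    else
        echo no-local
    fi
}

keytab_has_dns_principal() {
    # escape the dots so 'dc2.ad.corp.com' cannot match 'dc2xadxcorpxcom'
    esc=$(printf '%s' "$2@$3" | sed 's/[.]/\\./g')
    grep -Eq "[[:space:]]DNS/$esc([[:space:]]|\$)" "$1"
}

# --- constructed demo inputs; addresses and listings are made up for the example ---
demo=$(mktemp -d)
cat > "$demo/resolv.dc1-first" <<'EOF'
# DC2 pointing at DC1 first, the layout from the original post
search ad.corp.com
nameserver 10.0.1.10
nameserver 10.0.2.10
EOF
cat > "$demo/resolv.self-first" <<'EOF'
# DC2 pointing at itself first, the layout Rowland suggests
search ad.corp.com
nameserver 10.0.2.10
nameserver 10.0.1.10
EOF
cat > "$demo/resolv.lonely" <<'EOF'
nameserver 10.0.2.10
EOF
# a 'klist -k' listing in MIT layout, as DC2's own dns.keytab might show it
cat > "$demo/klist.dc2" <<'EOF'
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.ad.corp.com@AD.CORP.COM
EOF

DC2_IP=10.0.2.10   # constructed: the address DC2 owns in the demo
for f in "$demo"/resolv.*; do
    printf '%-20s %s\n' "$(basename "$f"):" "$(check_resolver_order "$f" "$DC2_IP")"
done
for host in dc2.ad.corp.com dc1.ad.corp.com; do
    if keytab_has_dns_principal "$demo/klist.dc2" "$host" AD.CORP.COM; then
        echo "dns.keytab lists DNS/$host@AD.CORP.COM"
    else
        echo "dns.keytab does not list DNS/$host@AD.CORP.COM"
    fi
done
rm -rf "$demo"
```

The demo prints 'remote-first' for the layout in Mike's post, 'local-first' for Rowland's, and 'single' for the one-nameserver file; the keytab check confirms DC2's listing holds only its own DNS/ principal, which is the situation Mike described from 'klist -k'. Whichever ordering you settle on, the cases worth a monitoring alert are 'no-local' and 'single', since both leave the DC dependent on a peer that may itself be pointing back at you when the 'islanding' scenario Rowland mentions occurs.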