Hi!
I have a question about the order in the DCs' /etc/resolv.conf. My configuration:

DC01:
/etc/resolv.conf

IP DC02
IP DC01

DC02
/etc/resolv.conf

IP DC01
IP DC02

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers

---

However, this setting causes the error:

samba_dnsupdate --verbose --all-names

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 28 entries

---

If you change to

DC01
IP DC01
IP DC02

DC02
IP DC02
IP DC01

Problem does not exist.

What would be the correct one?

Regards;
I think the right configuration is:

DC01:
/etc/resolv.conf

IP DC01
IP DC02

DC02
/etc/resolv.conf

IP DC01
IP DC02

10.04.2018 17:13, Carlos via samba:

dns island problem, it is wrong:

> If you change to
> DC01
> IP DC01
> IP DC02
>
> DC02
> IP DC02
> IP DC01
>
> Problem does not exist.
>
> What would be the correct one?
>
>
> Regards;
>

Best regards,
Valery
On Tue, 10 Apr 2018 10:13:05 -0300
Carlos via samba <samba at lists.samba.org> wrote:

> Hi!
> I have a question about order in dcs is /etc/resolv.conf , my
> configuration:
>
> DC01:
> /etc/resolv.conf
>
> IP DC02
> IP DC01
>
> DC02
> /etc/resolv.conf
>
> IP DC01
> IP DC02
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers
>
> ---
>
>
> However this setting causes the error:
>
>
> samba_dnsupdate --verbose --all-names
>
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed nsupdate: 1
> Failed update of 28 entries

If the first IP in /etc/resolv.conf isn't the DC's own, samba_dnsupdate
will connect to the other DC and use its Kerberos key and,
surprise, surprise, it doesn't work. The wiki page was written to
prevent 'islanding', the only problem with that is, you don't get
'islanding' on an AD DC.

>
> If you change to
> DC01
> IP DC01
> IP DC02
>
> DC02
> IP DC02
> IP DC01
>
> Problem does not exist.
>

And there is the proof ;-)

> What would be the correct one?

The second one, I will amend the wiki page.

Rowland
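The check implied by the reply above, as an added example that is not part of the original thread: a shell function that reports whether the first nameserver in a resolv.conf-style file is one of the DC's own addresses. The IPs (192.0.2.10 for DC01, 192.0.2.11 for DC02), the search domain, the function names and the separate "loopback" result are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are constructed
# placeholders: DC01 = 192.0.2.10, DC02 = 192.0.2.11.

# Print the first "nameserver" address in a resolv.conf-style file.
# Commented-out entries ("# nameserver ...") are skipped because their
# first field is not the literal word "nameserver".
first_nameserver() {
    awk '$1 == "nameserver" && NF >= 2 { print $2; exit }' "$1"
}

# classify_resolv FILE OWN_IP...  ->  own | other | loopback | none
# "other" is the ordering reported as failing in the thread.
classify_resolv() {
    file=$1; shift
    first=$(first_nameserver "$file")
    if [ -z "$first" ]; then echo none; return 0; fi
    case $first in
        # Loopback is reported separately (a choice made for this example).
        127.*|::1) echo loopback; return 0 ;;
    esac
    for ip in "$@"; do
        if [ "$ip" = "$first" ]; then echo own; return 0; fi
    done
    echo other
}

# Write the two DC01 orderings discussed in the thread into directory $1.
make_samples() {
    printf '%s\n' '# partner DC first' 'search samdom.example.com' \
        'nameserver 192.0.2.11' 'nameserver 192.0.2.10' > "$1/dc01_partner_first"
    printf '%s\n' '# own IP first' 'search samdom.example.com' \
        'nameserver 192.0.2.10' 'nameserver 192.0.2.11' > "$1/dc01_own_first"
}

# Demo on the constructed samples, evaluated from DC01's point of view.
dir=$(mktemp -d)
make_samples "$dir"
for f in dc01_partner_first dc01_own_first; do
    printf '%s: %s\n' "$f" "$(classify_resolv "$dir/$f" 192.0.2.10)"
done
rm -rf "$dir"
# On a real DC: classify_resolv /etc/resolv.conf $(hostname -I)
```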
On 4/10/2018 9:32 AM, Rowland Penny via samba wrote:

> On Tue, 10 Apr 2018 10:13:05 -0300
> Carlos via samba <samba at lists.samba.org> wrote:
>
>> Hi!
>> I have a question about order in dcs is /etc/resolv.conf , my
>> configuration:
>>
>> DC01:
>> /etc/resolv.conf
>>
>> IP DC02
>> IP DC01
>>
>> DC02
>> /etc/resolv.conf
>>
>> IP DC01
>> IP DC02
>>
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers
>>
>> ---
>>
>>
>> However this setting causes the error:
>>
>>
>> samba_dnsupdate --verbose --all-names
>>
>> dns_tkey_negotiategss: TKEY is unacceptable
>> Failed nsupdate: 1
>> Failed update of 28 entries
> If the first IP in /etc/resolv.conf isn't the DCs own, samba_dnsupdate
> will connect to the other DC and use its kerberos key and,
> surprise,surprise, it doesn't work. The wiki page was written to
> prevent 'islanding', the only problem with that is, you don't get
> 'islanding' on an AD DC.
>
>> If you change to
>> DC01
>> IP DC01
>> IP DC02
>>
>> DC02
>> IP DC02
>> IP DC01
>>
>> Problem does not exist.
>>
> And there is the proof ;-)
>
>> What would be the correct one?
> The second one, I will amend the wiki page.
>
> Rowland
>
>
>

If I may add. I have only experienced this as an issue when using bind. The internal DNS doesn't seem to exhibit this issue with the resolv order.

--
-- James
Hello! Rowland Penny via samba
  On that day it was said...

> If the first IP in /etc/resolv.conf isn't the DCs own, samba_dnsupdate
> will connect to the other DC and use its kerberos key and,
> surprise,surprise, it doesn't work. The wiki page was written to
> prevent 'islanding', the only problem with that is, you don't get
> 'islanding' on an AD DC.

...what do you mean by 'islanding'?

Apart from the join phase, why not put localhost (e.g. 127.0.0.1) as first DNS in DC?

Thanks.

--
dott. Marco Gaiarin   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)