On Thu, 02 Aug 2018 06:25:16 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Wed, 2018-08-01 at 14:18 -0400, Jeff Dickens via samba wrote:
> > Hi. I'm running Sernet Samba 4.7 on Ubuntu 16.
> >
> > I noticed that when my first DC went away, I had problems. The SOA
> > record for the domain still points at that first DC.
> >
> > I found, in this entry from 2014 (
> > https://lists.samba.org/archive/samba/2014-August/184301.html) that
> > "Windows AD servers actually 'lie' about the SOA record, and always
> > say that it points to themselves. So in a native microsoft AD
> > network, regardless of what the SOA actually is in the database, a
> > DC always returns itself as SOA."
> >
> > So how should this be handled now? Do I need to manually keep
> > track of which DC I want to reference with the SOA record, or is
> > there a better way?
>
> Samba 4.7 has the patch to do overstamp, are you sure the SOA on the
> second DC isn't pointing at itself?
>
> Thanks,
>
> Andrew Bartlett
>
Pardon ??

dc3 pointing to itself:

root@dc3:~# host -t soa samdom.example.com
samdom.example.com has SOA record dc3.samdom.example.com. hostmaster.samdom.example.com. 2329 900 600 86400 3600

dc4 pointing to itself:

root@dc4:~# host -t soa samdom.example.com
samdom.example.com has SOA record dc4.samdom.example.com. hostmaster.samdom.example.com. 2329 900 600 86400 3600

On a Unix client:

rowland@devstation:~$ dig SOA samdom.example.com

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> SOA samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47647
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com. IN SOA

;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA dc3.samdom.example.com. hostmaster.samdom.example.com. 2329 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc3.samdom.example.com.
samdom.example.com. 900 IN NS dc4.samdom.example.com.

;; ADDITIONAL SECTION:
dc3.samdom.example.com. 900 IN A 192.168.0.7
dc4.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 6 msec
;; SERVER: 192.168.0.7#53(192.168.0.7)
;; WHEN: Wed Aug 01 19:27:48 BST 2018
;; MSG SIZE rcvd: 162

Change nameserver in /etc/resolv.conf

rowland@devstation:~$ dig SOA samdom.example.com

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> SOA samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41276
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com. IN SOA

;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA dc4.samdom.example.com. hostmaster.samdom.example.com. 2329 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc4.samdom.example.com.
samdom.example.com. 900 IN NS dc3.samdom.example.com.

;; ADDITIONAL SECTION:
dc3.samdom.example.com. 900 IN A 192.168.0.7
dc4.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 3 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Wed Aug 01 19:33:35 BST 2018
;; MSG SIZE rcvd: 162

I think something isn't configured correctly or samba_dnsupdate hasn't
run correctly.
Rowland
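
Added example, not part of the message above and not Samba code: a Python check over saved `dig SOA` output that confirms each DC names itself as SOA MNAME, by matching the MNAME's A record from the ADDITIONAL section against the SERVER address that answered. The sample text is trimmed from the two dig outputs in the message with the mail's line wrap undone; the function names are hypothetical.

```python
import re

# Trimmed from the two dig outputs in the message (mail line wrap undone).
# Only the SOA MNAME and the answering server differ between the two captures.
TEMPLATE = """\
;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA {mname} hostmaster.samdom.example.com. 2329 900 600 86400 3600
;; ADDITIONAL SECTION:
dc3.samdom.example.com. 900 IN A 192.168.0.7
dc4.samdom.example.com. 900 IN A 192.168.0.6
;; SERVER: {ip}#53({ip})
"""
DIG_DC3 = TEMPLATE.format(mname="dc3.samdom.example.com.", ip="192.168.0.7")
DIG_DC4 = TEMPLATE.format(mname="dc4.samdom.example.com.", ip="192.168.0.6")

# Record lines start with the owner name; the ';'-prefixed question line
# has no TTL field, so it never matches these patterns.
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+\S+\s+(\d+)", re.M)
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)", re.M)
SERVER_RE = re.compile(r"^;; SERVER: ([0-9a-fA-F.:]+)#\d+", re.M)

def parse_dig(text):
    """Extract SOA MNAME, answering server and A records from dig output."""
    soa, server = SOA_RE.search(text), SERVER_RE.search(text)
    if not soa or not server:
        raise ValueError("dig output has no SOA answer or no SERVER line")
    glue = {name.lower(): addr for name, addr in A_RE.findall(text)}
    return {"mname": soa.group(2).lower(), "serial": int(soa.group(3)),
            "server": server.group(1), "glue": glue}

def check_overstamp(outputs):
    """Return one finding per DC whose SOA MNAME is not the DC that answered."""
    findings = []
    for p in map(parse_dig, outputs):
        mname_ip = p["glue"].get(p["mname"])
        if mname_ip is None:
            findings.append(f"{p['server']}: no A record for MNAME {p['mname']}")
        elif mname_ip != p["server"]:
            findings.append(f"{p['server']}: SOA MNAME {p['mname']} "
                            f"resolves to {mname_ip}, not the answering DC")
    return findings

if __name__ == "__main__":
    for line in check_overstamp([DIG_DC3, DIG_DC4]) or ["every DC returns itself as SOA"]:
        print(line)
```

To use it on a live domain, save the output of `dig SOA <domain> @<dc-address>` for each DC and pass the texts to `check_overstamp`.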