Julien Ropé
2018-Oct-22 05:57 UTC
[Samba] AD RODC not being used because of missing DNS entries?
Hi,

We have encountered these timeout issues with Samba 4.7 as an RODC too. We created a ticket about it here: https://bugzilla.samba.org/show_bug.cgi?id=13502

One thing is that even after the timeouts got resolved, I still get a weird behaviour with two entries that keep trying to update themselves when I run "samba_dnsupdate". The call succeeds, but the entries are actually NOT updated.

Here is what I'm seeing:

> # samba_dnsupdate --verbose
> IPs: ['192.168.57.3']
> Looking for DNS entry A sambarodc.mondomaine.lan 192.168.57.3 as sambarodc.mondomaine.lan.
> Looking for DNS entry CNAME 7648bfe6-0ad3-4924-b055-d229546e0284._msdcs.mondomaine.lan sambarodc.mondomaine.lan as 7648bfe6-0ad3-4924-b055-d229546e0284._msdcs.mondomaine.lan.
> Looking for DNS entry SRV _ldap._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 389 as _ldap._tcp.Secondary._sites.mondomaine.lan.
> Checking 0 100 389 sambarodc.mondomaine.lan. against SRV _ldap._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 389
> Looking for DNS entry SRV _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 389 as _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan.
> Checking 0 100 389 sambarodc.mondomaine.lan. against SRV _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 389
> Looking for DNS entry SRV _kerberos._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 88 as _kerberos._tcp.Secondary._sites.mondomaine.lan.
> Checking 0 100 88 sambarodc.mondomaine.lan. against SRV _kerberos._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 88
> Looking for DNS entry SRV _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 88 as _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan.
> Checking 0 100 88 sambarodc.mondomaine.lan. against SRV _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 88
> Looking for DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268 as _gc._tcp.Secondary._sites.mondomaine.lan.
> The DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268, queried as _gc._tcp.Secondary._sites.mondomaine.lan. does not exist
> need update: SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268
> Looking for DNS entry SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268 as _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan.
> The DNS entry SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268, queried as _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan. does not exist
> need update: SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268
> 2 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/sambarwdc.mondomaine.lan as SAMBARODC$
> update (rodc): SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268
> update (rodc): SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268
>
> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)
>
> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)

Is it something you can see on your environment too?

Note that on my environment, the failed updates got resolved by themselves, as if the timeout was hiding the fact that the update finally succeeded. Now on other systems, updates had to be done manually as you did... We're still trying to understand what's different between the two.

On 20/10/2018 at 21:59, tomict via samba wrote:
>>> BTW how did you make this tree view?
>> I have lots of time, so I typed it ;-)
>
> Thanks for your time! :-)
>
>
>>> There seem to be two problems with my RODC DC2:
>>> 1) DNS records were not generated when joining the domain. This is
>>> perhaps caused by some kind of timeout problem.
>> Not sure about this, but you could be correct.
>
> I can live with that. I only needed to input 4 entries manually (although I made that a challenge as well, see below)
>
>
>>> 2) manual addition of the "_msdcs" records
>>> resulted in a wrong path (see below)
>> The 'wrong path' is because you gave it the wrong path ;-)
> Aaaagh! @#!%@%!
>
>
>> If you run 'samba-tool dns zonelist 127.0.0.1 -U Administrator' it will
>> show your DNS zones, one of which should start with '_msdcs'.
>> So, your commands:
> <....>
>> Should have been:
>> samba-tool dns add DC1 _msdcs.ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
>> samba-tool dns add DC1 _msdcs.ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'
>> Delete the wrong entries.
>> Rowland
>
> Thanks for pointing that out. _msdcs is a zone! I did not realize that when I got the entries from the file /var/lib/samba/dns_update_list. The records are in place now.
>
> I suppose the DNS entries in the other locations are not necessary for domain control on my RODC? I will know next week if DC2 starts being used.
>
> To make my RODC ready for duty should DC1 fail I added, using the Windows DNS manager:
> 1) an NS record pointing to my RODC (DC2) as name server in the AD.
> 2) an A record in ad.example.nl with blank hostname ('same as parent folder') pointing to the IP address of DC2
> And I will preload user and computer accounts.
>
> @Rowland: thank you very much for the help, much appreciated!
>
>
> regards,
>
> Tom
>

-- 
Message sent using OBM, Free Communication by Linagora
tomict
2018-Nov-07 22:22 UTC
[Samba] AD RODC not being used because of missing DNS entries?
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Monday, 22 October, 2018 07:57:23
> Subject: Re: [Samba] AD RODC not being used because of missing DNS entries?

> Hi,
>
<snip>
>
> One thing is that even after the timeouts got resolved, I still get a
> weird behaviour with two entries that keep trying to update themselves
> when I run "samba_dnsupdate". The call succeeds, but the entries are
> actually NOT updated.
>
> Here is what I'm seeing:
<snip>
>> 2 DNS updates and 0 DNS deletes needed
>> Successfully obtained Kerberos ticket to DNS/sambarwdc.mondomaine.lan as
>> SAMBARODC$
>> update (rodc): SRV _gc._tcp.Secondary._sites.mondomaine.lan
>> sambarodc.mondomaine.lan 3268
>> update (rodc): SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan
>> sambarodc.mondomaine.lan 3268
>>
>> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
>> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)
>>
>> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
>> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)
>
>
> Is it something you can see on your environment too?
>

Hi,

Sorry for replying too late, I did not notice until now that there was a follow-up to the mail conversation.

Yes, I had the same issue of two DNS records on the RODC trying to update, apparently with success, but not really. I resolved this, like you, by manually updating the records on the RWDC (which then got replicated to the RODC). Of course the RODC controller cannot write new records other than by replication because it is literally "read only". Maybe there is something wrong with the RODC join process because I would expect the DNS records to be created at that time.

The error that caused the two not-updating records was in my case my first try at inserting the records by hand on the RWDC. I was looking at the file /var/lib/samba/private/dns_update_list for the records to update and did not notice that there are two different zones involved. It seemed as if the entries were present, so the update efforts seemed unnecessary, but in fact the records were not present at all.

The command I used first:

# samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

is syntactically correct, but it inserts a wrong entry in the wrong zone.

It should be done, as in my second try after Rowland pointed it out to me, like this:

# samba-tool dns add DC1 _msdcs.ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'

Notice the different zone "_msdcs.ad.example.nl". I had the same problem with the _ldap entry.

The first (wrong) command created a wrong entry that confused everything, and me in particular.
I don't think that (or know if) this has anything to do with your problem, but it did solve mine.

regards,
Tom
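The two pitfalls in this thread are the "need update" lines that samba_dnsupdate keeps printing on the RODC, and the fact that a record whose name sits under `_msdcs.<domain>` has to be added to the separate `_msdcs` zone, not the domain zone, even though the domain-zone command is accepted without error. The script below is an added example written for this page, not code from the thread or from the Samba project: it parses the "need update:" lines of a `samba_dnsupdate --verbose` run, works out the zone each record belongs to, and prints the matching `samba-tool dns add` command to run against the RWDC (the RODC cannot write them itself). It assumes the only zones are the domain zone and its `_msdcs` child zone, as in the thread; confirm the actual zone list with `samba-tool dns zonelist` before trusting it elsewhere. The sample output, the RWDC name `sambarwdc` and the helper names are constructed for the example.

```python
"""Derive `samba-tool dns add` commands for records that samba_dnsupdate
reports as missing, placing each record in the correct zone.

Added example, not part of the mailing-list thread or of Samba itself.
Assumption: the directory holds exactly two zones, <domain> and
_msdcs.<domain> (the split the thread shows).
"""
import re
import shlex

# Constructed sample: the interesting lines of a `samba_dnsupdate --verbose` run.
# The two SRV lines mirror the thread; the A line is added to show non-SRV handling.
SAMPLE_VERBOSE_OUTPUT = """\
Looking for DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268 as _gc._tcp.Secondary._sites.mondomaine.lan.
The DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268, queried as _gc._tcp.Secondary._sites.mondomaine.lan. does not exist
need update: SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268
need update: SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268
need update: A sambarodc.mondomaine.lan 192.168.57.3
3 DNS updates and 0 DNS deletes needed
"""

NEED_UPDATE = re.compile(r"^need update: (?P<rtype>\S+) (?P<name>\S+) (?P<rest>.+)$")


def zone_for(name, domain):
    """Return the zone a record name belongs to.

    Anything at or below _msdcs.<domain> lives in the separate _msdcs zone
    Samba creates next to the domain zone; everything else lives in the
    domain zone. Adding an _msdcs name to the domain zone is accepted by
    samba-tool but produces a record that no client query ever hits.
    """
    name = name.rstrip(".")
    msdcs = f"_msdcs.{domain}"
    if name == msdcs or name.endswith("." + msdcs):
        return msdcs
    if name == domain or name.endswith("." + domain):
        return domain
    raise ValueError(f"{name} is not inside {domain}")


def zone_matches(zone, name, domain):
    """True if `zone` is the zone `name` should be added to (a pre-flight check)."""
    return zone_for(name, domain) == zone


def parse_need_update(output):
    """Yield (rtype, name, data_tokens) for each 'need update:' line."""
    for line in output.splitlines():
        m = NEED_UPDATE.match(line.strip())
        if m:
            yield m["rtype"], m["name"].rstrip("."), m["rest"].split()


def samba_tool_add(rwdc, domain, rtype, name, data, priority=0, weight=100):
    """Build one `samba-tool dns add` command.

    samba_dnsupdate prints SRV data as '<target> <port>'; samba-tool wants
    '<target> <port> <priority> <weight>', the order used in the thread.
    """
    zone = zone_for(name, domain)
    if rtype == "SRV":
        target, port = data
        rdata = f"{target} {port} {priority} {weight}"
    elif rtype in ("A", "AAAA", "CNAME"):
        (rdata,) = data
    else:
        raise ValueError(f"unsupported record type {rtype}")
    return " ".join(["samba-tool", "dns", "add", rwdc, zone, name, rtype, shlex.quote(rdata)])


def commands_for(output, rwdc, domain):
    """All commands needed for the 'need update:' lines in `output`."""
    return [samba_tool_add(rwdc, domain, t, n, d) for t, n, d in parse_need_update(output)]


if __name__ == "__main__":
    # Dry run: print the commands, then run them on the RWDC after review.
    for cmd in commands_for(SAMPLE_VERBOSE_OUTPUT, "sambarwdc", "mondomaine.lan"):
        print(cmd)
```

The commands are only printed, never executed, so the output can be reviewed before anything is written to the directory; `zone_matches` is the check that would have caught the first command in this thread, which named the domain zone for a `._msdcs.` record.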
Rowland Penny
2018-Nov-08 08:36 UTC
[Samba] AD RODC not being used because of missing DNS entries?
On Wed, 7 Nov 2018 23:22:09 +0100 (CET)
tomict via samba <samba at lists.samba.org> wrote:

> Hi,
>
> Sorry for replying too late, I did not notice until now that there
> was a follow-up to the mail conversation.
>
> Yes, I had the same issue of two DNS records on the RODC trying to
> update, apparently with success, but not really. I resolved this,
> like you, by manually updating the records on the RWDC (which then
> got replicated to the RODC). Of course the RODC controller cannot
> write new records other than by replication because it is literally
> "read only". Maybe there is something wrong with the RODC join
> process because I would expect the DNS records to be created at that
> time.
>

When you provision a new domain, all the DNS records for the DC are created, but when you join another DC, only a few records for the new DC are created. The missing records are created by samba_dnsupdate; this works on a RWDC, but, as you cannot write to a RODC, it seems to fail.

Rowland
Julien Ropé
2018-Nov-12 13:59 UTC
[Samba] AD RODC not being used because of missing DNS entries?
----- Original Message -----
>
> Hi,
>
> Sorry for replying too late, I did not notice until now that there was a follow-up to the mail conversation.
>

Thank you for taking the time to answer - I appreciate it.

> [SNIP]
> The command I used first:
>
> # samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'
>
> is syntactically correct, but it inserts a wrong entry in the wrong zone.
>
> It should be done, as in my second try after Rowland pointed it out to me, like this:
>
> # samba-tool dns add DC1 _msdcs.ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
>
> Notice the different zone "_msdcs.ad.example.nl". I had the same problem with the _ldap entry.
>
> The first (wrong) command created a wrong entry that confused everything, and me in particular.
> I don't think that (or know if) this has anything to do with your problem, but it did solve mine.

Yes, it helps: it probably explains some of the confusion while troubleshooting. Again, thanks for your time.

At this point, I have to say that my client is reverting his deployment of Samba as a RODC - this issue on one side, and the authentication limitation on the other (see another thread about password updates on RODC), make them cautious. The release notes seem to show that this feature is ready, but now it seems there are still some roadblocks for end users in production environments.

Is there any assessment of missing features and/or blocking bugs for Samba as an RODC (apart from the two already mentioned)? Any roadmap related to it?
I found the following TODO related to the RODC feature, but I don't think it's up to date?
https://wiki.samba.org/index.php/Samba4/DRS_TODO_List#Support_RODC

I'd like to collect as many details as possible to clarify expectations with users, and maybe help close the gap by contributing documentation and/or code where possible.

Regards,
Julien

-- 
Message sent using OBM, Free Communication by Linagora