L.P.H. van Belle
2019-Aug-02 12:08 UTC
[Samba] winbind seems to hang when the DC goes down instead of switching to the other available DC
Hai Marco,

Yes, best is to use the "localhost" dns setup as caching/forwarder only.
All you need for the forwarding is:

zone "your.dnsdomain.tld" {
    type forward;
    forwarders { IP_DC1; IP_DC2; };
};

zone "168.192.in-addr.arpa" {
    type forward;
    forwarders { IP_DC1; IP_DC2; };
};

If you think it's still too slow, remove
> options attempts:2
Or set
> options attempts:1

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Friday 2 August 2019 12:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind seems to hang when the DC goes down instead of switching to the other available DC
>
> Hello! L.P.H. van Belle via samba
> On that day it was said...
>
> > Verify if all DC's are also available as NS record in the DNS on the zones.
> > Startup the DNS tool.
> > Go to your primary dnszone ( and repeat for all other zones )
> > Do you see all your DC's as NS record in the zone, then it's ok, if not..
>
> Do you mean the 'domain' zone and the '_msdcs.' zone? Yes, both have
> all the DCs listed.
>
> > You can also try these settings in resolv.conf
> > options edns0
> > options timeout:1
> > options attempts:2
>
> Added. I'll do some more tests when back from holiday.
>
> Anyway, the first resolver listed is 'localhost' (that is, indeed, the
> main DNS resolver); the local/main resolver has the AD domain as a
> subzone, with correct resolver defined.
>
> Better to have a 'forward zone' defined?
>
> --
> dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
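Added example, not part of the original thread: a first-order estimate of how the `timeout` and `attempts` options discussed above change the wait before the stub resolver moves past dead name servers. It assumes the defaults and caps documented in resolv.conf(5) and a constant per-try wait (real resolvers may scale it); the 192.0.2.x addresses are constructed stand-ins for IP_DC1 and IP_DC2.

```python
# Defaults and caps as documented in resolv.conf(5) for the glibc stub resolver.
DEFAULT_TIMEOUT, MAX_TIMEOUT = 5, 30
DEFAULT_ATTEMPTS, MAX_ATTEMPTS = 2, 5
MAXNS = 3  # nameserver lines after the third are ignored

# Constructed samples: 192.0.2.10 / 192.0.2.11 stand in for IP_DC1 / IP_DC2.
SERVERS = "nameserver 127.0.0.1\nnameserver 192.0.2.10\nnameserver 192.0.2.11\n"
UNTUNED = "search internal.domain.tld\n" + SERVERS
TUNED = UNTUNED + "options edns0\noptions timeout:1\noptions attempts:2\n"


def parse_resolv_conf(text):
    """Return the nameservers, timeout and attempts the resolver would use."""
    cfg = {"nameservers": [], "timeout": DEFAULT_TIMEOUT, "attempts": DEFAULT_ATTEMPTS}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or line.startswith(("#", ";")):
            continue  # blank, malformed or comment line
        if fields[0] == "nameserver" and len(cfg["nameservers"]) < MAXNS:
            cfg["nameservers"].append(fields[1])
        elif fields[0] == "options":  # separate options lines accumulate
            for opt in fields[1:]:
                name, _, value = opt.partition(":")
                if name == "timeout" and value.isdigit():
                    cfg["timeout"] = min(int(value), MAX_TIMEOUT)
                elif name == "attempts" and value.isdigit():
                    cfg["attempts"] = min(int(value), MAX_ATTEMPTS)
    return cfg


def failover_delay(cfg, dead):
    """Seconds spent waiting on dead servers before a live one is asked (None if all dead)."""
    waited = 0
    for server in cfg["nameservers"]:
        if server not in dead:
            return waited
        waited += cfg["timeout"]
    return None


def give_up_delay(cfg):
    """Seconds until the lookup fails when no listed server answers."""
    return cfg["timeout"] * cfg["attempts"] * len(cfg["nameservers"])


if __name__ == "__main__":
    dead = {"127.0.0.1", "192.0.2.10"}  # local resolver and first DC both down
    for label, text in (("untuned", UNTUNED), ("tuned", TUNED)):
        cfg = parse_resolv_conf(text)
        print(label, failover_delay(cfg, dead), give_up_delay(cfg))
```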
Marco Gaiarin
2019-Aug-02 13:27 UTC
Hello! L.P.H. van Belle via samba
On that day it was said...

> Yes, best is to use the "localhost" dns setup as caching/forwarder only.

Ok.

> All you need is for the forwarding is :

But, sorry, what advantage do I have in using a 'forward zone' instead of using 'normal' dns zone handling (eg, supposing as suggested the AD zone is in a subzone, using correctly glue records in the main zone)?

If I use normal dns zone handling, I set the NS glue record only in one place (the parent zone file), and at least until I do 'the right thing' (eg, I can resolve the parent zone), I'm OK.

While, if I set a forward zone like:

> zone "your.dnsdomain.tld" {
>     type forward;
>     forwarders { IP_DC1; IP_DC2; };
> };

I can limit access to, eg, the local site NS/DC and not use the round robin algorithm. Also effectively, if I set as above, local bind *TRIES* the listed forwarders and then falls back to normal resolution, while if I set instead:

zone "your.dnsdomain.tld" {
    type forward;
    forwarders { IP_DC1; IP_DC2; };
    forward only;
};

I effectively limit the forwarding only to the listed forwarders.

So, it seems to me that adding a forward zone pointing to the site-local NS/DC servers *WITHOUT* 'forward only' simulates Windows behaviour more closely (eg, try NS in the local site, then try other/outer).

Right?

While I'm here, is there some way to tackle 'roundrobin/handoff' parameters between the servers listed in forwarders {}, more or less like what you suggest for /etc/resolv.conf?

Thanks.

--
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
L.P.H. van Belle
2019-Aug-02 15:17 UTC
Hai marco,

Well, this is a hard one to answer for me.
I'll give it a try. ;-)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Friday 2 August 2019 15:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind seems to hang when the DC goes down instead of switching to the other available DC
>
> Hello! L.P.H. van Belle via samba
> On that day it was said...
>
> > Yes, best is to use the "localhost" dns setup as caching/forwarder only.
>
> Ok.
>
> > All you need is for the forwarding is :
>
> But, sorry, what advantage do I have in using a 'forward zone' instead of
> using 'normal' dns zone handling (eg, supposing as suggested the AD
> zone is in a subzone, using correctly glue records in the main zone)?
>
> If I use normal dns zone handling, I set the NS glue record
> only in one place (the parent zone file), and at least until I do 'the
> right thing' (eg, I can resolve the parent zone), I'm OK.

Yes, that will work but done wrong, you might create a circular reference.
Using glue or not, this depends also on how you set up your resolving.
But still, nothing wrong in using glue records.
There are more ways to Rome than one.. ;-)

> While, if I set a forward zone like:
>
> > zone "your.dnsdomain.tld" {
> >     type forward;
> >     forwarders { IP_DC1; IP_DC2; };
> > };
>
> I can limit access to, eg, the local site NS/DC and not use the round
> robin algorithm. Also effectively, if I set as above, local bind *TRIES* the listed
> forwarders and then falls back to normal resolution, while if I set
> instead:
>
> zone "your.dnsdomain.tld" {
>     type forward;
>     forwarders { IP_DC1; IP_DC2; };
>     forward only;
> };
>
> I effectively limit the forwarding only to the listed forwarders.
>
> So, it seems to me that adding a forward zone pointing to the site-local
> NS/DC servers *WITHOUT* 'forward only' simulates Windows behaviour more
> closely (eg, try NS in the local site, then try other/outer).
>
> Right?

Yes, .. And No, because again, it depends on how you set up your dns resolving.

For example, I have 3 servers using split dns setups, in caching and/or forwarding setups.

One of these has

zone "your.dnsdomain.tld" {
    type forward;
    forwarders { IP_DC1; IP_DC2; };
};

And one has

zone "your.dnsdomain.tld" {
    type forward;
    forwarders { IP_DC1; IP_DC2; };
    forward only;
};

And depending on the use, resolv.conf has my preferred search order.
(NOTE that normally the primary.sambadnsdomain.tld is always first for your programs)
(hostname -f or hostname -d will give problems with samba.)

search internal.domain.tld domain.tld    < used on my webserver
Or
search internal.domain.tld    < used on my member servers
Or
search domain.tld internal.domain.tld    < used on my mailrelay.

With
nameserver 127.0.0.1
And/or
nameserver internet_dns1
nameserver internet_dns2
And/or
nameserver 127.0.0.1
nameserver IP_DC1
nameserver IP_DC2

All of the above makes sure, at least for me, that the resolving goes where it should go to: LAN DNS or internet DNS, because of certificates or DNS CAA records, SPF, DMARC, DKIM, things like that.

I don't have a "normal" network. :-(

And adding a forwarder, as shown, was for me the quickest and simplest solution to get everything running. My setup might not be the best setup for you, I just think for others using a forwarder like this is less prone to errors for beginners.

> While I'm here, is there some way to tackle 'roundrobin/handoff'
> parameters between the servers listed in forwarders {}, more or less like what
> you suggest for /etc/resolv.conf?

Round robin in resolv.conf is
options rotate:X

But I don't use Round Robin here. Where needed I've set timeout and attempts but most is default.

Think you're looking for this.
http://www.zytrax.com/books/dns/ch7/queries.html#rrset-order

So far, I hope it helps you a bit.

Have a good weekend..

Greetz,

Louis
Marco Gaiarin
2019-Aug-27 16:31 UTC
Hello! L.P.H. van Belle via samba
On that day it was said...

> Well, this is a hard one to answer for me.
> I'll give it a try. ;-)

....out of my work hours, on my last workday. ;-)
Sorry for the late answer.

> Yes, that will work but done wrong, you might create a circular reference.
> Using glue or not, this depends also on how you setup your resolving.
> But still, nothing wrong in using glue records.

Ok. I know perfectly the 'pains and pleasures' of DNS... ;-)

> Yes, .. And No, because again, it depends on how you setup your dns resolving.

No, I'm speaking strictly of 'member servers'; clearly I also have some servers not in the domain, which have a different DNS setup.

For DM, a forward zone like this:

// for a SITEA DM server
zone "your.dnsdomain.tld" {
    type forward;
    forwarders { IP_DC1_SITEA; IP_DC2_SITEA; };
    // NO 'forward only;' !!!
};

seems pretty good to me: the DM 'prefers' the DC in its site but, because there's no 'forward only;', is still able to resolve from another DC (if, clearly, there's one alive and the dns is correctly configured ;).

> > While I'm here, is there some way to tackle 'roundrobin/handoff'
> > parameters between the servers listed in forwarders {}, more or less like what
> > you suggest for /etc/resolv.conf?
> Think you're looking for this.
> http://www.zytrax.com/books/dns/ch7/queries.html#rrset-order

Yes, but it seems related to zone data, not to forwarders. But I've found:

https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_05.htm

(look at 'Forwarder Selection' at the bottom); seems that 'round-robin' is builtin by Bind 8.2.3... goood...

--
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)