Hello everyone,

I'm trying to add a second DC to a Samba 4 AD: they both have multiple NICs and for this reason I cannot find a way to make it work.
They communicate through a VPN and both have one of the bound interfaces set to the same IP address, 172.20.0.1, which doesn't allow me to route to the correct DC, and that is only part of the problem.

Here is the configuration:
* DC1.domain.local
  IP NIC1: 172.16.0.2
  IP NIC2: 172.20.0.1
  IP VPN:  172.19.1.173

* DC2.domain.local
  IP NIC1: 192.168.0.1
  IP NIC2: 172.20.0.1
  IP VPN:  172.19.1.174

Before joining DC2 to the AD, I set the entries for DC1 using its VPN IP both in /etc/hosts:
172.19.1.173 DC1 DC1.domain.local
and in /etc/resolv.conf:
search domain.local
domain domain.local
nameserver 172.19.1.173

Then I try:
$ kinit administrator

but it hangs and fails, because it tries to contact DC1 through IP 172.16.0.2, not the VPN IP I set in /etc/hosts.

I could set up on DC2 a route to the remote IP 172.16.0.2 through the VPN, but what about the second IP 172.20.0.1, which is also used on DC2?
It seems that different operations (kinit and maybe replication after I join the domain) end up querying DNS without using the entries in /etc/hosts: how am I supposed to manage a situation like this in Samba?
Should all the IPs of DC1 be reachable from DC2, and vice versa? If so, I'm forced to change the IP address of NIC2 on DC1 or DC2 to avoid the clash.

I tried to bypass the problem by setting the nameserver on DC2 to a local DNS proxy (dnsmasq) which resolves `DC1.domain.local` and `domain.local` to the VPN IP of DC1 and forwards all other DNS queries to the local Samba (after the join). And I did the same on DC1.
In this way "kinit" works and the join completes successfully, but I wonder if this is the right way to do it.

The command:
$ samba_dnsupdate --verbose

gives me, understandably, errors of this kind:
---
Looking for DNS entry A DC2.domain.local 172.20.0.1 as DC2.domain.local.
Lookup of DC2.domain.local. succeeded, but we failed to find a matching DNS entry for A DC2.domain.local 172.20.0.1
Lookup of domain.local. succeeded, but we failed to find a matching DNS entry for A domain.local 172.20.0.1
---
Can I ignore them?

Also, replication now works only one way, from DC1 to DC2. The replication from DC2 to DC1 gives me the error:
DsReplicaSync failed - drsException: DsReplicaSync failed WERR_BADFILE

I don't know if it has anything to do with the problems shown above.

Can you suggest to me the best way to manage such a situation?

Thank you and kind regards,
Stefano
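As an added illustration (not from this thread and not Samba's code), the script below models the two hosts described in the post and classifies, from each DC's point of view, every address the other DC would publish in DNS: owned locally (the 172.20.0.1 clash), in one of the viewer's own LANs, unroutable, or reachable through the tunnel. It also derives the dnsmasq `host-record` lines that the proxy workaround in the post needs, and shows what adding a tunnel route for 172.16.0.0/16 would and would not fix. Two assumptions are built in: that the DC publishes every bound address (which the samba_dnsupdate output above suggests for 172.20.0.1), and the routing tables themselves (prefix lengths, the tunnel prefix 172.19.1.0/24), which the post does not give.

```python
"""Classify a peer DC's DNS-published addresses from one DC's point of view.

Added example (not from the thread or from Samba). Hosts are built from the
addresses in the post; the routing tables are an assumption, since the post
does not give them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Host:
    """One DC: the addresses bound on its NICs and the prefixes it can reach."""
    name: str
    addresses: List[str]      # assumption: every bound address is what samba_dnsupdate publishes
    routes: Dict[str, str]    # prefix -> "connected" (directly attached LAN) or "vpn" (via the tunnel)


def route_for(viewer: Host, ip: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match against the viewer's table; None when there is no route."""
    best: Optional[tuple] = None
    for prefix, kind in viewer.routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, kind)
    return None if best is None else best[1]


def classify(viewer: Host, peer: Host) -> Dict[str, str]:
    """For each address the peer publishes, say what happens if the viewer tries to use it.

    bound-locally    the viewer owns that address itself, so traffic never leaves the box
    overlapping-lan  the address sits in one of the viewer's own LANs, so it is ARPed for
                     locally instead of being sent through the tunnel
    no-route         the viewer has no path to it at all
    vpn              reached through the tunnel: the only kind worth publishing to the peer
    """
    local = {ipaddress.ip_address(a) for a in viewer.addresses}
    verdicts: Dict[str, str] = {}
    for addr in peer.addresses:
        ip = ipaddress.ip_address(addr)
        if ip in local:
            verdicts[addr] = "bound-locally"
            continue
        kind = route_for(viewer, ip)
        if kind is None:
            verdicts[addr] = "no-route"
        elif kind == "connected":
            verdicts[addr] = "overlapping-lan"
        else:
            verdicts[addr] = "vpn"
    return verdicts


def usable_addresses(viewer: Host, peer: Host) -> List[str]:
    """Peer addresses the viewer can actually reach through the tunnel."""
    return sorted(a for a, v in classify(viewer, peer).items() if v == "vpn")


def dnsmasq_overrides(viewer: Host, peer: Host, domain: str = "domain.local") -> List[str]:
    """host-record lines a dnsmasq proxy on the viewer would need to pin the peer's name."""
    return [f"host-record={peer.name}.{domain},{a}" for a in usable_addresses(viewer, peer)]


def with_vpn_route(host: Host, prefix: str) -> Host:
    """Copy of host with one more prefix routed through the tunnel."""
    return Host(host.name, list(host.addresses), {**host.routes, prefix: "vpn"})


# Constructed from the post; prefix lengths and the tunnel prefix are assumptions.
DC1 = Host("DC1", ["172.16.0.2", "172.20.0.1", "172.19.1.173"],
           {"172.16.0.0/16": "connected", "172.20.0.0/16": "connected", "172.19.1.0/24": "vpn"})
DC2 = Host("DC2", ["192.168.0.1", "172.20.0.1", "172.19.1.174"],
           {"192.168.0.0/24": "connected", "172.20.0.0/16": "connected", "172.19.1.0/24": "vpn"})

if __name__ == "__main__":
    for viewer, peer in ((DC2, DC1), (DC1, DC2)):
        print(f"{viewer.name} looking at the A records {peer.name} would publish:")
        for addr, verdict in classify(viewer, peer).items():
            print(f"  {addr:<14} {verdict}")
        for line in dnsmasq_overrides(viewer, peer):
            print("  dnsmasq:", line)
    # A tunnel route for DC1's first LAN fixes 172.16.0.2 but cannot fix the 172.20.0.1 clash.
    print(classify(with_vpn_route(DC2, "172.16.0.0/16"), DC1))
```

The point the output makes is the one the thread circles around: of the three addresses each DC publishes, only the tunnel address is usable by the other DC, and the shared 172.20.0.1 is unusable no matter what routes are added, because the viewer owns it itself.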
On 19/10/2020 12:40, Stefano Vargiu via samba wrote:
> Hello everyone,
>
> I'm trying to add a second DC to a Samba 4 AD: they both have multiple NICs
> and for this reason cannot find a way to make it work.
> They communicate through VPN and both have one of the bound interfaces set
> to the same IP address, 172.20.0.1, which doesn't allow me to route to the
> correct DC, and that is only part of the problem.
>
> Here is the configuration:
> * DC1.domain.local
> IP NIC1: 172.16.0.2
> IP NIC2: 172.20.0.1
> IP VPN: 172.19.1.173
>
> * DC2.domain.local
> IP NIC1: 192.168.0.1
> IP NIC2: 172.20.0.1
> IP VPN: 172.19.1.174
>
I don't think you really understand DNS and AD =-O

You cannot have two computers with the same IP (how would DNS differentiate between them). Each DC is authoritative for the DNS domain; this is called multi-master and means that each DC is the DNS master. Each DC should use itself as its first nameserver, and /etc/hosts is only used by the DC itself. You seem to be trying to use what are called multi-homed devices, and this doesn't work very well (if at all) with AD. You shouldn't be trying to point the VPN at your DCs; the VPN should just use the DCs for authentication.

I think you need to explain just what you are trying to achieve and how you are doing it now.

Rowland
Thank you for the quick reply, Rowland.

> I don't think you really understand dns and AD =-O

Evidently not ;)
I thought this was a common situation and it seemed to me it made sense.

This is what I want to achieve:
* I have a branch with DC1.domain.local, which provides file services to a couple of local networks (172.16.0.0/16 and 172.20.0.0/16)
* some time later I want to join a second DC located in a second branch which provides file services to a couple of local networks (in the 2nd branch, obviously), one of which happens to have the same addressing as one local network in the 1st branch (172.20.0.0/16)
* to let DC1 and DC2 communicate I set up a VPN

Now probably comes my lack of understanding of how it really works, but I simply would like DC2 to contact DC1 and join the AD domain while continuing to serve its local networks.
Conceptually I imagine PCs in the 1st branch can query the domain server DC1 with its local IPs 172.16.0.2 and 172.20.0.2, while the remote DC2 in the 2nd branch could contact DC1 only through its VPN address 172.19.1.173 and not try to contact it through its other IPs.
Because PCs in the 1st branch only need to contact DC1 and not DC2, I thought this configuration should work if only DC1 and DC2 are forced to contact each other with their VPN IPs.

> You cannot have two computers with the same IP

They happen to have the same private IP in two different branches: nothing prevented me from doing that before deciding to join them to the same AD domain.

> Each DC should use itself as its first nameserver and /etc/hosts is only
> used by the DC itself

I agree, that's what I did after the join (before the join the nameserver for DC2 was the VPN IP of DC1)

> You shouldn't be trying to point VPN at your DC's, VPN should just use
> the DC's for authentication.

I couldn't bind Samba to the VPN's tun interface (it didn't work, if that's what you are referring to), but with NAT rules I redirect connections from the VPN to another interface: at that point it seemed to start working well, apart from the replication from DC2 to DC1. But again, I'm not sure if it's going to work in the long run, and judging from your answer probably not.

Thank you
Stefano

On Mon 19 Oct 2020 at 14:08 Rowland penny via samba <samba at lists.samba.org> wrote:
I'll add some additional information I didn't give in my previous email, specifically how I tried to force DC1 and DC2 to contact each other only with their VPN IPs. I did so using dnsmasq as a DNS proxy.

# DC1 configuration
IP NIC1: 172.16.0.2
IP NIC2: 172.20.0.1
IP VPN:  172.19.1.173

---
/etc/resolv.conf:
search domain.local
domain domain.local
nameserver 172.19.1.173
---

I configured dnsmasq to listen on the VPN interface 172.19.1.173 (while Samba listens on all other interfaces, 172.16.0.1, 172.20.0.1 and lo 127.0.0.1)

---
/etc/dnsmasq.conf:
listen-address=172.19.1.173
# dnsmasq's DNS forwarder: Samba is listening on 127.0.0.1
server=127.0.0.1
host-record=DC2.domain.local,172.19.1.174
host-record=domain.local,127.0.0.1
---

In this way, any DNS lookup of DC2.domain.local from DC1 gives me the VPN IP of DC2:
$ dig +short DC2.domain.local
172.19.1.174
---

All other DNS queries are forwarded by dnsmasq to 127.0.0.1, where Samba's DNS server is listening.

Same configuration on DC2, with dnsmasq resolving DC1.domain.local to 172.19.1.173.
I'm not sure if domain.local on DC2 should resolve to 127.0.0.1 or to 172.19.1.173: considering they are multi-master, for symmetry it may be better to use 127.0.0.1, even if in my first attempts I used the VPN IP of DC1.

> DC is authoritative for the dns domain, this is called multi-master and
> means that each DC is the dns master

I know that. Maybe I didn't explain well what I was trying to achieve, but I already knew most of the information you gave me. The most important thing I didn't know was that multi-homed is strongly discouraged.

Is such a configuration with a DNS proxy going to work? As I said, with it I was able to make kinit and the join work. Replication from DC2 to DC1 works, but doesn't work from DC1 to DC2. Should I keep trying, or is it a lost cause?
Nico Kadel-Garcia
2020-Oct-21 09:51 UTC
[Samba] Samba AD with multiple DC and multiple NICs
On Mon, Oct 19, 2020 at 7:42 AM Stefano Vargiu via samba <samba at lists.samba.org> wrote:
>
> Hello everyone,
>
> I'm trying to add a second DC to a Samba 4 AD: they both have multiple NICs
> and for this reason cannot find a way to make it work.
> They communicate through VPN and both have one of the bound interfaces set
> to the same IP address, 172.20.0.1, which doesn't allow me to route to the
> correct DC, and that is only part of the problem.

Why are you doing this? It seems both confusing and unnecessary; as distinct hosts inside of your VPN they should have distinct IP addresses.

> Here is the configuration:
> * DC1.domain.local
> IP NIC1: 172.16.0.2
> IP NIC2: 172.20.0.1
> IP VPN: 172.19.1.173
>
> * DC2.domain.local
> IP NIC1: 192.168.0.1
> IP NIC2: 172.20.0.1
> IP VPN: 172.19.1.174
> It seems both confusing and unnecessary, as
> distinct hosts inside of your VPN they should have distinct IP
> addresses.

In fact they have distinct IPs on the VPN interface: the same IP is on another interface. The two DCs both have the same private IP on one interface and reside on two different (isolated at the time) sites.

On Wed 21 Oct 2020 at 11:51 Nico Kadel-Garcia <nkadel at gmail.com> wrote: