> we point them to somedom.contoso.com which is then
> resolved to both and the client can pick

I want to avoid Round-Robin DNS.

> You cannot use CTDB with AD DCs

You can.

/etc/ctdb/nodes

  192.168.30.11
  192.168.30.12

/etc/ctdb/public_addresses

  192.168.30.10/24 ens18

/etc/ctdb/events/legacy/20.samba-ad.script

  #!/usr/bin/env bash

  # CTDB "monitor" event: report this node healthy only while the local
  # Samba AD DC answers an anonymous rootDSE query (base scope, empty DN).
  # When this fails, CTDB marks the node unhealthy and moves the public
  # (floating) address to another node.
  function monitor_ldap() {
      if ldbsearch -H ldap://127.0.0.1 -s base -b "" vendorName 2>/dev/null | grep -qi samba; then
          return 0
      else
          echo "ldbsearch received no info"
          return 1
      fi
  }

  case "$1" in
      monitor)
          monitor_ldap || exit 1
      ;;
  esac

  exit 0

I used to use keepalived for this kind of setup, but ctdb is a neat solution, so I switched.

When I change /etc/ctdb/public_addresses

  from 192.168.30.10/24 ens18
  to   192.168.60.10/24 ens18

the replication does not break, because x.x.60.0 is not the internal DNS zone.

This setup allows me to upgrade and reboot each DC without downtime, because ctdb checks for Samba and moves the floating IP.
On 23/11/2020 16:50, Sven Wick via samba wrote:

>> You cannot use CTDB with AD DCs
> You can.

OK, I will change that to 'Do not use CTDB with Samba AD DCs'.

A cluster is where all the same data is stored on multiple computers, but they act as if they were just one computer, which, funnily enough, is what Samba AD DCs do, so you are wrapping something that acts like one computer inside something that acts like one computer. That is a very simplistic view of clusters, but I am sure you get my drift, so I cannot recommend using CTDB with Samba AD DCs.

> This setup allows me to upgrade, reboot
> each DC without downtime because
> ctdb checks for samba and moves the floating IP.

Your DCs really should have fixed IPs. I cannot recommend anyone using your method.

Rowland
> Your DC's really should have fixed IP's

Well, they have. But there are still projects which cannot use multiple DNS names, e.g.

- https://gitlab.com/gitlab-org/gitlab/-/issues/139
- https://github.com/go-gitea/gitea/issues/6898

So I use an additional floating IP.

> I cannot recommend anyone using your method

Why not? Even if AD replication is quite robust concerning multi-master, this setup enforces that manual changes are done only on one DC, not on separate DCs.
> Sven Wick via samba <samba at lists.samba.org> wrote on 23.11.2020 17:50:
> /etc/ctdb/public_addresses
>
> from 192.168.30.10/24 ens18
> to 192.168.60.10/24 ens18
>
> the replication does not break
> because x.x.60.0 is not the internal DNS Zone

I take that back. It still breaks.

samba-tool dns query dc2.test.test-local.de test.test-local.de @ ALL -U administrator
Password for [TEST\administrator]:
  Name=, Records=6, Children=0
    SOA: serial=2, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.test.test-local.de., email=hostmaster.test.test-local.de. (flags=600000f0, serial=110, ttl=3600)
    NS: dc1.test.test-local.de. (flags=600000f0, serial=110, ttl=900)
    NS: dc2.test.test-local.de. (flags=600000f0, serial=110, ttl=900)
    A: 192.168.30.11 (flags=600000f0, serial=110, ttl=900)
    A: 192.168.30.12 (flags=600000f0, serial=110, ttl=900)
    A: 192.168.60.10 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=dc1, Records=2, Children=0
    A: 192.168.30.11 (flags=f0, serial=110, ttl=900)
    A: 192.168.60.10 (flags=f0, serial=110, ttl=900)
  Name=DC2, Records=2, Children=0
    A: 192.168.30.12 (flags=f0, serial=110, ttl=900)
    A: 192.168.60.10 (flags=f0, serial=110, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=snover, Records=1, Children=0
    A: 192.168.30.126 (flags=f0, serial=110, ttl=1200)
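The zone dump above is the whole story of the failure: the CTDB public address 192.168.60.10 has been registered as an A record under the zone apex and under both dc1 and DC2, so whichever DC currently holds the floating IP, clients resolving either DC name may get an address that belongs to the other. The following is an added example, not code from the thread or from Samba: a small parser for the `samba-tool dns query ... @ ALL` text format, fed the output Sven posted, plus a check that flags any address shared between two DC host records. The function and variable names are mine.

```python
"""Parse `samba-tool dns query <server> <zone> @ ALL` output and flag A records
that a floating address has leaked into. Added example, not Samba code."""

# Output as posted in the thread (not constructed), indentation normalised.
SAMPLE = """\
Name=, Records=6, Children=0
  SOA: serial=2, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.test.test-local.de., email=hostmaster.test.test-local.de. (flags=600000f0, serial=110, ttl=3600)
  NS: dc1.test.test-local.de. (flags=600000f0, serial=110, ttl=900)
  NS: dc2.test.test-local.de. (flags=600000f0, serial=110, ttl=900)
  A: 192.168.30.11 (flags=600000f0, serial=110, ttl=900)
  A: 192.168.30.12 (flags=600000f0, serial=110, ttl=900)
  A: 192.168.60.10 (flags=600000f0, serial=110, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=1
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=dc1, Records=2, Children=0
  A: 192.168.30.11 (flags=f0, serial=110, ttl=900)
  A: 192.168.60.10 (flags=f0, serial=110, ttl=900)
Name=DC2, Records=2, Children=0
  A: 192.168.30.12 (flags=f0, serial=110, ttl=900)
  A: 192.168.60.10 (flags=f0, serial=110, ttl=900)
Name=DomainDnsZones, Records=0, Children=2
Name=ForestDnsZones, Records=0, Children=2
Name=snover, Records=1, Children=0
  A: 192.168.30.126 (flags=f0, serial=110, ttl=1200)
"""


def a_records(query_output):
    """Return {name: [ipv4, ...]} for every name in the dump.

    samba-tool prints the zone apex as an empty name ("Name=,"); it is
    returned here as "@". Names without A records map to an empty list.
    """
    records = {}
    current = None
    for raw in query_output.splitlines():
        line = raw.strip()
        if line.startswith("Name="):
            name = line[len("Name="):].split(",", 1)[0]
            current = name or "@"
            records.setdefault(current, [])
        elif line.startswith("A: ") and current is not None:
            # "A: 192.168.60.10 (flags=f0, serial=110, ttl=900)"
            records[current].append(line.split()[1])
    return records


def names_with_address(query_output, address):
    """Names whose A records include `address` (sorted for stable output)."""
    return sorted(name for name, ips in a_records(query_output).items()
                  if address in ips)


def shared_addresses(query_output, hosts):
    """Addresses present in the A records of more than one of `hosts`.

    A DC host record should resolve only to that DC. An address that shows
    up under two DC names is exactly the symptom in the thread. Names are
    compared case-insensitively because samba-tool printed "dc1" and "DC2".
    """
    recs = {name.lower(): ips for name, ips in a_records(query_output).items()}
    owners = {}
    for host in hosts:
        for ip in recs.get(host.lower(), []):
            owners.setdefault(ip, set()).add(host.lower())
    return sorted(ip for ip, who in owners.items() if len(who) > 1)


if __name__ == "__main__":
    floating = "192.168.60.10"  # the CTDB public address from the thread
    print("names carrying", floating, "->", names_with_address(SAMPLE, floating))
    print("addresses shared by dc1 and dc2 ->", shared_addresses(SAMPLE, ["dc1", "dc2"]))
```

Run against a live dump (pipe `samba-tool dns query` into it instead of SAMPLE) after every failover: if `shared_addresses` is non-empty for your DC names, the floating address has been picked up by dynamic DNS registration and the "separate network, so it cannot interfere" assumption no longer holds.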