L.P.H. van Belle
2022-Apr-22 08:28 UTC
[Samba] Samba 4 AD member loose membership after DC reboot (SOLVED)
netbios aliases = RADI.UPC.ES RADI.UPC.EDU   <<< this is so wrong..

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou#computer-names

quote :
Names can contain a period (.). But the name can't start with a period.
The use of non-DNS names with periods is allowed in Microsoft Windows NT.
Periods should not be used in Microsoft Windows 2000 or later versions of Windows

Do not use . in NETBIOS names. *( and aliases)

and read :
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou#dns-host-names

Greetz,

Louis

> -----Original message-----
> From: samba On behalf of Frank via samba
> Sent: Friday 22 April 2022 9:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4 AD member loose membership after DC
> reboot (SOLVED)
>
> Hi everybody,
>
> just in case someone has a similar issue, maybe this can help.
>
> Problem was DNS configuration and the way dns resolver works on ubuntu
> 20.04
>
> Often the way dns resolver uses dns servers has been confused. It's
> supposed when the first dns gets offline, resolver uses next one on the
> dns list. But, how long does it take this change?
> And, when the first dns gets online again, is it used again as the first
> dns to look up?
>
> Well, in ubuntu 20.04, which uses netplan by default, dns resolution
> works in a dynamic way, and as it is expected. So, when first dns in
> list goes offline, in a few seconds the second one (if there is any) takes
> its place, and remains as the first, even if the previous first dns goes
> online again. You can see this with "resolvectl status" command.
>
> In my case, the first dns in the list was the DC, as expected, but the
> next two ones were global dns that were unable to resolve AD queries.
>
> So when DC went offline, maybe just a reboot, members took the second
> dns, and set it as their first dns, even when DC went online again. We
> thought that when first dns in the list were up again it would be the
> first one used again, but it is not how it works.
> That made members unable to work with the AD, unable to find any DC.
> Just a reboot of the member, or a "netplan apply" made the DC the first
> dns used again.
>
> Solution: set up ONLY DCs as dns in domain members. Perhaps it sounds
> obvious, but it has been a nightmare for us.
>
> Best regards.
>
>
> Francesc Bassas Serramià
> Serveis Informàtics Campus Terrassa
> C/ Colom 2
> 08222 Terrassa (Barcelona)
> Phone : 93.73.98630
> https://serveis.terrassa.upc.edu/sict
>
> On 1/4/2022 at 14:00, samba-request at lists.samba.org wrote:
> > Subject:
> > Re: [Samba] Samba 4 AD member loose membership after DC reboot
> > From:
> > Rowland Penny <rpenny at samba.org>
> > Date:
> > 31/3/2022, 15:56
> >
> > To:
> > samba at lists.samba.org
> >
> >
> > On Thu, 2022-03-31 at 14:29 +0200, Frank via samba wrote:
> >> Hi Rowland,
> >>
> >> thanks for your quick response.
> >>
> >> Here is a member smb.conf:
> >>
> >> # Global parameters
> >> [global]
> >>     workgroup = UPC-CT
> >>     realm = UPC-CT.UPC.EDU
> >>     netbios name = RADI
> >>     netbios aliases = RADI.UPC.ES RADI.UPC.EDU
> > You cannot use netbios aliases on a Unix domain member, use a CNAME
> > instead.
> >
> >>     security = ADS
> >>
> >>     log level = 5
> >>     username map = /var/lib/samba/user.map
> >>
> >>     winbind enum users = yes
> >>     winbind enum groups = yes
> > Remove the above two lines when you are sure everything is working
> > correctly, they should not be used in production.
> >
> >>     winbind nss info = rfc2307
> >>     winbind use default domain = Yes
> >>     winbind refresh tickets = yes
> >>     winbind offline logon = yes
> >>     winbind cache time = 60
> >>
> >>     idmap config * : backend = tdb
> >>     idmap config * : range = 100-499
> >>     idmap config UPC-CT:backend = ad
> >>     idmap config UPC-CT:schema_mode = rfc2307
> >>     idmap config UPC-CT:range = 500-999999
> >>     idmap config UPC-CT:unix_nss_info = yes
> > Was this an upgrade from an NT4-style domain ?
> > Even if it was, your '*' range is clobbering local system users.
> >
> > Rowland
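An added example, not part of any message in this thread: one way to check a domain member for the condition Frank describes is to parse the output of `resolvectl status` and flag every DNS server, configured or currently in use, that is not a DC. The sample output is constructed, the addresses are documentation ranges, and the function names are hypothetical.

```python
import re

# Constructed `resolvectl status` output (systemd 245 layout, Ubuntu 20.04).
# Documentation addresses; 192.0.2.10 stands in for the DC (assumption).
SAMPLE = """\
Global
       LLMNR setting: no

Link 2 (ens3)
  Current DNS Server: 198.51.100.53
         DNS Servers: 192.0.2.10
                      198.51.100.53
                      203.0.113.53
          DNS Domain: ad.example.test
"""

# "Key: value" line. The colon must be followed by whitespace or end of line,
# so IPv6 continuation lines such as "fd00::1" are not mistaken for keys.
KEY_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z .]*):(?:\s+(.*))?$")

def parse_resolvectl(text):
    """Return {scope: {"current": str or None, "servers": [str, ...]}}."""
    scopes, scope, key = {}, None, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not line.strip():
            key = None
        elif m:
            key, value = m.group(1), (m.group(2) or "")
            if scope and key == "Current DNS Server":
                scopes[scope]["current"] = value.strip()
            elif scope and key == "DNS Servers":
                scopes[scope]["servers"] += value.split()
        elif line[0].isspace():
            if scope and key == "DNS Servers":  # older layout: one per line
                scopes[scope]["servers"] += line.split()
        else:  # unindented, no colon: "Global" or "Link N (ifname)"
            scope, key = line.strip(), None
            scopes[scope] = {"current": None, "servers": []}
    return scopes

def non_dc_findings(text, dcs):
    """Flag every DNS server, configured or in use, that is not a DC."""
    findings = []
    for scope, cfg in parse_resolvectl(text).items():
        findings += [f"{scope}: configured server {s} is not a DC"
                     for s in cfg["servers"] if s not in dcs]
        if cfg["current"] and cfg["current"] not in dcs:
            findings.append(f"{scope}: in use now: {cfg['current']} (not a DC)")
    return findings
```

On the sample, `non_dc_findings(SAMPLE, {"192.0.2.10"})` reports the two public resolvers as configured and one of them as the server currently in use, which is the state the members were left in after the DC reboot.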
Rowland Penny
2022-Apr-22 10:40 UTC
[Samba] Samba 4 AD member loose membership after DC reboot (SOLVED)
On Fri, 2022-04-22 at 10:28 +0200, L.P.H. van Belle via samba wrote:
> netbios aliases = RADI.UPC.ES RADI.UPC.EDU   <<< this is so wrong..
>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou#computer-names
>
> quote :
> Names can contain a period (.). But the name can't start with a
> period.
> The use of non-DNS names with periods is allowed in Microsoft Windows
> NT.
> Periods should not be used in Microsoft Windows 2000 or later
> versions of Windows
>
> Do not use . in NETBIOS names. *( and aliases)

Never mind the fact that you require SMBv1 for netbios aliases. Use
CNAMEs instead.

Rowland
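An added example, not part of any message in this thread: the review points raised in the replies (netbios aliases, periods in NetBIOS names, the two `winbind enum` lines, the `*` idmap range) expressed as a small check over the `[global]` section. The function names are hypothetical, and `local_id_ceiling=999` is an assumption about where local account IDs end, not a value from the thread.

```python
import re

# Parameters copied from the member smb.conf quoted in the thread, trimmed to
# the ones the replies comment on.
POSTED = """\
[global]
    workgroup = UPC-CT
    netbios name = RADI
    netbios aliases = RADI.UPC.ES RADI.UPC.EDU
    winbind enum users = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config * : range = 100-499
    idmap config UPC-CT:backend = ad
    idmap config UPC-CT:range = 500-999999
"""

def parse_global(text):
    """Return [global] parameters; names lower-cased with whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, _, value = line.partition("=")
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def review(text, local_id_ceiling=999):
    """local_id_ceiling (assumption): highest ID reserved for local accounts."""
    p, notes = parse_global(text), []
    if "netbiosaliases" in p:
        notes.append("netbios aliases set: use DNS CNAME records instead")
    names = (p.get("netbiosname", "") + " " + p.get("netbiosaliases", "")).split()
    notes += [f"NetBIOS name contains a period: {n}" for n in names if "." in n]
    for name in ("winbind enum users", "winbind enum groups"):
        if p.get(name.replace(" ", ""), "no").lower() in ("yes", "true", "1"):
            notes.append(f"{name} enabled: not for production use")
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", p.get("idmapconfig*:range", ""))
    if m and int(m.group(1)) <= local_id_ceiling:
        notes.append(f"idmap '*' range starts at {m.group(1)}, inside local IDs")
    return notes
```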