Shkaruba Andrey
2024-Jun-10 11:56 UTC
[Samba] Samba 4.19.6 dns record pdc not automatic updated
Good afternoon. Several errors were detected in Samba 4.19.6 in Samba AD DC mode when working with DNS. The DNS record _ldap._tcp.pdc._msdcs.domain.loc (where domain.loc is the domain FQDN) is not updated when the FSMO roles are migrated. If DNS records are forcibly recreated, the record _ldap._tcp.pdc._msdcs.domain.loc is created a second time.

Steps to reproduce:

Checking DNS records

    # samba-tool dns query localhost _msdcs.domain.loc _tcp.pdc SRV -P
      Name=, Records=0, Children=0
      Name=_ldap, Records=1, Children=0
        SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)

Checking FSMO roles

    # samba-tool fsmo show
    SchemaMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc

Let's say we are migrating the FSMO roles to dc02:

    # samba-tool fsmo transfer --role=all -U administrator

After performing the operation, we get:

    # samba-tool fsmo show
    SchemaMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
    ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc

Checking DNS records

    # samba-tool dns query localhost _msdcs.domain.loc _tcp.pdc SRV -P
      Name=, Records=0, Children=0
      Name=_ldap, Records=1, Children=0
        SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)

The DNS record has not changed. This error means that operations which should be performed on the domain controller holding the PDC role will be requested by clients or trusted servers from the wrong domain controller. And if the DC01 domain controller is deleted, then the domain will be left without any PDC record in DNS at all, which will lead to problems when servicing the domain using the RSAT utilities; domain trusts will not work...

If we perform the operation on dc02 to force the creation of DNS records for a domain controller, a new record _ldap._tcp.pdc._msdcs.domain.loc will be created a second time.

Steps to reproduce:

    # samba_dnsupdate --verbose --all-names

Checking DNS records

    # samba-tool dns query localhost _msdcs.domain.loc _tcp.pdc SRV -P
      Name=, Records=0, Children=0
      Name=_ldap, Records=2, Children=0
        SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)
        SRV: dc02.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)

If you delete the record for dc01, then the domain will work fine. In Samba version 4.19.4 the specified problem does not exist or does not appear. Perhaps this problem is due to the fact that when a new domain controller is added, SRV records are not created for it.

___
Andrey
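A consistency check for the situation described in this post, added here as an example and not part of the original message or of Samba: it parses the output of `samba-tool fsmo show` and of the `_tcp.pdc` SRV query and reports when the `_ldap._tcp.pdc._msdcs` record is missing, stale or duplicated relative to the current PDC emulator. The two sample outputs below are constructed after the post, not captured from a live DC; the `domain.loc` name and `dc01`/`dc02` hostnames are taken from the post.

```python
import re

# Constructed sample outputs, modelled on the post (not captured from a live DC).
FSMO_SHOW = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
"""

# State after samba_dnsupdate on dc02: both DCs advertised as PDC.
DNS_QUERY = """\
  Name=, Records=0, Children=0
  Name=_ldap, Records=2, Children=0
    SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)
    SRV: dc02.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)
"""


def pdc_emulator_host(fsmo_output, domain):
    """Return the FQDN of the DC named as PdcEmulationMasterRole owner."""
    m = re.search(r"^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=([^,]+),",
                  fsmo_output, re.M)
    if not m:
        raise ValueError("PdcEmulationMasterRole owner not found in fsmo output")
    return f"{m.group(1).lower()}.{domain}"


def pdc_srv_targets(dns_output):
    """Return the SRV targets listed by the _tcp.pdc query, normalised."""
    targets = re.findall(r"^\s*SRV:\s+(\S+)\s", dns_output, re.M)
    return [t.rstrip(".").lower() for t in targets]


def check_pdc_record(fsmo_output, dns_output, domain):
    """Return a list of problems; an empty list means the record is consistent."""
    expected = pdc_emulator_host(fsmo_output, domain)
    targets = pdc_srv_targets(dns_output)
    problems = []
    if len(targets) != 1:
        problems.append(f"expected exactly one _ldap._tcp.pdc SRV record, "
                        f"found {len(targets)}: {targets}")
    if expected not in targets:
        problems.append(f"no SRV record points at PDC emulator {expected}")
    stale = [t for t in targets if t != expected]
    if stale:
        problems.append(f"stale SRV target(s) not holding the PDC role: {stale}")
    return problems


if __name__ == "__main__":
    for p in check_pdc_record(FSMO_SHOW, DNS_QUERY, "domain.loc"):
        print("PROBLEM:", p)
```

On a real DC the two strings would be replaced by the output of the two `samba-tool` commands shown in the post; a non-empty result after an FSMO transfer is the condition this post reports.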