samba - Jan 2025 - R: R: R: R: samba remote site client authentication and network browsing problem

Hi Rowland, below, the servers and the remote client dns configuration

Server's dns configuration:
DC-1:
 - themself
 - DC-2

DC-2
 - themself
 - DC-1

RODC-1
 - DC-1
 - DC-2
 - themself

REMOTE-CLIENT
 - directly point as dns to the RODC-1 ip
 - nltest /dsgetdc:domain_name report RODC-1 as logon server


DNS SRV RECORDS:
The ad srv records uses default configuration


Enrico Manzini




-----Messaggio originale-----
Da: samba <samba-bounces at lists.samba.org> Per conto di Rowland Penny
via samba
Inviato: gioved? 2 gennaio 2025 12:52
A: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Oggetto: Re: [Samba] R: R: R: samba remote site client authentication and
network browsing problem

On Thu, 2 Jan 2025 08:25:56 +0000
Manzini Enrico <emanzini at zensistemi.com> wrote:
> Hi Rowland
> 
> I try some several test and: 
> - tried fsmo transfer from the rwdc used as replication partner to the 
> secondary dc, no luck, problem persist
> - tried join with no replication partner specification, no luck, 
> problem persist Also during the join procedure the rodc anyway find a 
> domain controller to use as a replication partner (it say "find dc 
> dc_name", and after the join procedure, we could find it as ntds rodc 
> connection object in active directory sites and services)
> 
> Also:
> - servers dns correctly configured
Are the Dcs (this includes the RODC) using themselves as their nameserver ?
> - client dns correctly configured
Are the clients (at the RODC site) using the RODC as their nameserver ?
> - client logon server correctly connected
> 	The nltest command report the correct rodc server
> 
> But the problem explained above persist
> 
If everything is correct and Windows works as expected, but Samba doesn't,
then it sounds like you have found a bug, so please file a bug report, but get
as much info as possible (level 10 logs, network traces etc.).

One last thing you could check, Samba uses the same 'priority' and
'weight' for all SRV records ('0' & '100'), what
does Windows use ?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Fri, 3 Jan 2025 08:29:59 +0000
Manzini Enrico <emanzini at zensistemi.com> wrote:
> Hi Rowland, below, the servers and the remote client dns configuration
> 
> Server's dns configuration:
> DC-1:
>  - themself
>  - DC-2
> 
> DC-2
>  - themself
>  - DC-1
> 
> RODC-1
>  - DC-1
>  - DC-2
>  - themself
> 
In my opinion, all Samba AD DCs should only have themselves as their
nameserver, if something goes wrong, can you really rely on what it
returns if it is coming from another DC ?

When we come to your RODC, well it is looks to me that your clients are
asking the RODC for domain records and the RODC is going 'hang on, I
will ask DNS and, when it is online, DC-1 returns the info and the RODC
passes it to the client. When DC-1 is offline (which probably means
that DC-2 is as well), the client asks for a domain record, the RODC
asks DC-1 for the data, only it cannot find DC-1, so it waits for about
30 seconds and then tries DC-2, waits for about 30 seconds and then
finally tries itself and you 'may' get an answer if that record has
replicated.

Please fix your DNS.

Rowland

PS: Please do not CC me