[Samba] Duplicate PDC SRV records in DNS and can't delete the wrong one with samba-tool

Rowland Penny rpenny at samba.org
Mon Mar 13 21:31:00 UTC 2023



On 13/03/2023 20:58, Norbert Hanke via samba wrote:
> Hi,
> 
> I transferred FSMO roles from my DC2 to my DC1, and that looks ok from
> samba-tool's point of view:
> 
> # samba-tool fsmo show
> ldb_wrap open of secrets.ldb
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
> 
> 
> But in DNS I now have 2 SRV entries for the PDC role:
> 
> # host -t SRV _ldap._tcp.pdc._msdcs.ad.mydomain.tld dc1.ad.mydomain.tld
> Using domain server:
> Name: dc1.ad.mydomain.tld
> Address: 10.88.1.8#53
> Aliases:
> 
> _ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc2.ad.mydomain.tld.
> _ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc1.ad.mydomain.tld.
> 
> 
> samba-tool also sees 2 records:
> 
> # samba-tool dns query dc1.ad.mydomain.tld _msdcs.ad.mydomain.tld _tcp.pdc SRV
> Using binding ncacn_ip_tcp:dc1.ad.mydomain.tld[,sign]
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
>    Name=, Records=0, Children=0
>    Name=_ldap, Records=2, Children=0
>      SRV: dc2.ad.mydomain.tld. (389, 0, 100) (flags=f0, serial=458, ttl=900)
>      SRV: dc1.ad.mydomain.tld. (389, 0, 100) (flags=f0, serial=458, ttl=900)
> 
> 
> That is wrong: the record with dc2 should not exist, and I would expect
> it to be deleted and the one with dc1 created while transferring the FSMO
> role.

You can expect as much as you like, but there is no code to remove the 
DNS record. ;-)

> 
> I tried to manually delete the wrong record but that does not work:
> 
> # samba-tool dns delete dc1.ad.mydomain.tld _msdcs.ad.mydomain.tld _tcp.pdc SRV 'dc2.ad.mydomain.tld 389 0 100'

Wrong name, it is _ldap._tcp.pdc

> Using binding ncacn_ip_tcp:dc1.ad.mydomain.tld[,sign]
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name dc1.ad.mydomain.tld<0x20>
> ERROR: Record does not exist; record could not be deleted. zone[_msdcs.ad.mydomain.tld] name[_tcp.pdc]
>    File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1223, in run
> dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
> 
> Is this a bug, or am I doing something wrong? Any help is appreciated.

Yes, it's a bug (a known bug). No, you are not doing anything wrong 
(other than using the wrong name when trying to delete the incorrect 
record).

Rowland
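A consistency check for the situation in this thread, added here as an example (it is not from the original message or from Samba itself): it parses the PdcEmulationMasterRole line from `samba-tool fsmo show` and the `host -t SRV` answers (both embedded as constructed samples in the shape of the output quoted above), reports any `_ldap._tcp.pdc` SRV target that is not the current PDC emulator, and prints the `samba-tool dns delete` command with the correct record name `_ldap._tcp.pdc` rather than `_tcp.pdc`. The domain, DC names and record data are the placeholder values from the thread.

```shell
#!/bin/sh
# Stale PDC SRV check: compare the PDC emulator FSMO owner against the
# _ldap._tcp.pdc SRV targets and emit the correct delete command.

# Constructed sample: the PdcEmulationMasterRole line from `samba-tool fsmo show`
FSMO_OUT='PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld'

# Constructed sample: answers from `host -t SRV _ldap._tcp.pdc._msdcs.ad.mydomain.tld`
SRV_OUT='_ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc2.ad.mydomain.tld.
_ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389 dc1.ad.mydomain.tld.'

DNS_DOMAIN=ad.mydomain.tld

# pdc_emulator_host: take the DC name (CN=DC1) out of the NTDS Settings DN
# and return its lowercase FQDN, e.g. dc1.ad.mydomain.tld
pdc_emulator_host() {
    printf '%s\n' "$1" \
        | sed -n 's/.*CN=NTDS Settings,CN=\([^,]*\),CN=Servers.*/\1/p' \
        | tr '[:upper:]' '[:lower:]' | sed "s/\$/.$DNS_DOMAIN/"
}

# stale_pdc_srv_targets: print every SRV target that is not the PDC emulator
# $1 = `host -t SRV` output, $2 = expected PDC FQDN
stale_pdc_srv_targets() {
    printf '%s\n' "$1" | awk -v pdc="$2" '
        /has SRV record/ {
            t = $NF; sub(/\.$/, "", t)        # strip the trailing dot
            if (tolower(t) != pdc) print t
        }'
}

# delete_cmd: samba-tool invocation removing one stale record. The record name
# is _ldap._tcp.pdc relative to the _msdcs zone, not _tcp.pdc as in the thread.
# $1 = server to contact, $2 = stale target; data format is 'target port prio weight'
delete_cmd() {
    printf "samba-tool dns delete %s _msdcs.%s _ldap._tcp.pdc SRV '%s 389 0 100'\n" \
        "$1" "$DNS_DOMAIN" "$2"
}

# check_pdc_srv: one delete command per stale target, nothing if DNS is consistent
check_pdc_srv() {
    pdc=$(pdc_emulator_host "$FSMO_OUT")
    stale_pdc_srv_targets "$SRV_OUT" "$pdc" | while read -r target; do
        delete_cmd "$pdc" "$target"
    done
}

check_pdc_srv
```

On a live domain, replace the two constructed samples with the real command output before trusting the printed command.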


