Single samba AD DC is working OK - BUT after joining a 2nd (or 3rd) *samba* AD DC to the domain really UGLY mess is seen!
Günter Kukkukk
linux at kukkukk.com
Thu Apr 3 22:18:50 MDT 2014
Hi folks,
for some time now I have been doing the following "FRESH after build/install sequence":
(all DCs run the *same* build - atm git master from today)
1.) provision the 1st samba AD DC (using the DLZ module)
2.) join a 2nd samba DC to the same AD DC domain (internal DNS)
3.) join a 3rd samba DC to the same AD DC domain (again DLZ)
Only steps 1.) and 2.) are needed - and the DNS stuff used is *not* important!
So here I only talk about the 2nd (or 3rd) _JOINED_ DC - the first AD DC
is running pretty well.
The 2nd and/or 3rd DC is joined as usual with
- samba-tool domain join addlz.kukkukk.com DC -Uadministrator --realm=addlz.kukkukk.com --server=192.168.200.70
- samba-tool domain join addlz.kukkukk.com DC -Uadministrator --realm=addlz.kukkukk.com --server=192.168.200.70 --dns-backend=BIND9_DLZ
Please note that I used "--server=192.168.200.70" to specify the already running 1st samba DC!
(so settings in /etc/resolv.conf should play no role here)
The above join commands succeed!
BUT the really UGLY mess is seen when such a joined DC is started now:
When using the internal DNS:
============================
[2014/04/04 04:29:07.193831, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: ldb_wrap open of secrets.ldb
[2014/04/04 04:29:07.289746, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH <======== !!!!!
[2014/04/04 04:29:07.326814, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
[2014/04/04 04:29:07.356786, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
[2014/04/04 04:29:07.385024, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
[2014/04/04 04:29:07.412631, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
.... and so on
When using the DLZ dns module:
==============================
/usr/local/samba/sbin/samba_dnsupdate: ldb_wrap open of secrets.ldb
[2014/04/04 04:06:28.292859, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable <======= !!!!
[2014/04/04 04:06:28.311655, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2014/04/04 04:06:28.329245, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2014/04/04 04:06:28.344908, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2014/04/04 04:06:28.361414, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
.... and so on
Also the 1st (formerly working) samba AD DC now is very *unhappy* with this:
============================================================================
[2014/04/04 04:29:52.402360, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
dns child failed to find name '7f9072a7-93a7-4da2-a658-8194b35d77a9._msdcs.addlz.kukkukk.com' of type A <== NTDS-GUID
[2014/04/04 04:29:52.407264, 3] ../libcli/nbt/lmhosts.c:185(resolve_lmhosts_file_as_sockaddr)
resolve_lmhosts: Attempting lmhosts lookup for name 1d24438c-bcfa-4712-8277-31e93ae53280._msdcs.addlz.kukkukk.com<0x20>
[2014/04/04 04:29:52.421317, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
dns child failed to find name '1d24438c-bcfa-4712-8277-31e93ae53280._msdcs.addlz.kukkukk.com' of type A <== NTDS-GUID
The 2 joined DCs were not able to at least put the NTDS-GUID into DNS!
internal (/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names) is NOT working!
So *all* AD DCs are now running inside a loop!
(I partially fixed this by starting the 1st and 2nd DC about 3 to 10 times - suddenly it got working!???)
Unfortunately this is *not* just my problem alone - many AD DC users have been noticing THE
*side-effects* for a long time now:
DRS replication is not working at all - and/or after some days even samba dies ...
My question:
How is this expected to work - *after* a join of a 2nd AD DC?
Do other developers also test "these initial steps"?
How is
/usr/local/samba/sbin/samba_dnsupdate
expected to work - it calls external tools.
Cheers, Günter
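As an added example (not part of the original post), a small triage script for the three symptoms quoted above: it scans Samba log lines for the `samba_dnsupdate` NOTAUTH and TKEY failures and for the unresolved `<NTDS-GUID>._msdcs.<domain>` lookups, and reports which DC GUIDs never made it into DNS. The sample log text is built from the excerpts in the post; the category names and the `triage()` function are this script's own.

```python
"""Triage samba_dnsupdate / _msdcs DNS failures from Samba log lines."""
import re
from collections import Counter

# Constructed sample: lines taken from the log excerpts quoted in the post.
SAMPLE_LOG = """\
[2014/04/04 04:29:07.289746, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
[2014/04/04 04:29:07.326814, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
[2014/04/04 04:06:28.292859, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2014/04/04 04:29:52.402360, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
  dns child failed to find name '7f9072a7-93a7-4da2-a658-8194b35d77a9._msdcs.addlz.kukkukk.com' of type A
[2014/04/04 04:29:52.421317, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
  dns child failed to find name '1d24438c-bcfa-4712-8277-31e93ae53280._msdcs.addlz.kukkukk.com' of type A
"""

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

# Category names are this script's own, not Samba's.
PATTERNS = {
    # RCODE 9 (NOTAUTH, RFC 2136): the server asked is not authoritative for the zone.
    "dns_update_notauth": re.compile(r"samba_dnsupdate: update failed: NOTAUTH"),
    # TKEY (RFC 2930) / GSS-TSIG (RFC 3645) key negotiation refused by the DNS server.
    "gss_tsig_tkey_rejected": re.compile(r"dns_tkey_negotiategss: TKEY is unacceptable"),
    # The <NTDS-GUID>._msdcs.<domain> record a DC registers for itself cannot be resolved.
    "missing_msdcs_guid": re.compile(
        r"dns child failed to find name '(" + GUID + r")\._msdcs\.([^']+)' of type A"),
}


def triage(log_text):
    """Count each failure category and collect the NTDS GUIDs missing per domain."""
    counts = Counter()
    missing = {}
    for line in log_text.splitlines():
        for category, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            counts[category] += 1
            if category == "missing_msdcs_guid":
                missing.setdefault(m.group(2), set()).add(m.group(1))
    return {
        "counts": dict(counts),
        "missing_guids": {dom: sorted(guids) for dom, guids in missing.items()},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```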