Single samba AD DC is working OK - BUT after joining a 2nd (or 3rd) *samba* AD DC to the domain really UGLY mess is seen!
Günter Kukkukk
linux at kukkukk.com
Fri Apr 4 00:14:46 MDT 2014
On 04.04.2014 06:18, Günter Kukkukk wrote:
> Hi folks,
>
> for some time now I do the following "FRESH after build/install sequence":
> (all DCs run the *same* build - atm git master from today)
>
> 1.) provision the 1st samba AD DC (using the DLZ module)
> 2.) join a 2nd samba DC to the same AD DC domain (internal DNS)
> 3.) join a 3rd samba DC to the same AD DC domain (again DLZ)
>
> Only steps 1.) and 2.) are needed - and the used DNS stuff is *not* important!
>
> So here I only talk about the 2nd (or 3rd) _JOINED_ DC - the first AD DC
> is running pretty well.
>
> The 2nd and/or 3rd DC is joined as usual with
> - samba-tool domain join addlz.kukkukk.com DC -Uadministrator --realm=addlz.kukkukk.com --server=192.168.200.70
> - samba-tool domain join addlz.kukkukk.com DC -Uadministrator --realm=addlz.kukkukk.com --server=192.168.200.70 --dns-backend=BIND9_DLZ
>
> Please note that I used "--server=192.168.200.70" to specify the already running 1st samba DC!
> (so settings in /etc/resolv.conf should play no role here)
>
> The above join commands succeed!
>
> BUT the really UGLY mess is seen when such a joined DC is starting now:
>
> When using the internal DNS:
> ============================
> [2014/04/04 04:29:07.193831, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: ldb_wrap open of secrets.ldb
> [2014/04/04 04:29:07.289746, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH <======== !!!!!
> [2014/04/04 04:29:07.326814, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> [2014/04/04 04:29:07.356786, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> [2014/04/04 04:29:07.385024, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> [2014/04/04 04:29:07.412631, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> .... and so on
>
> When using the DLZ dns module:
> ==============================
> /usr/local/samba/sbin/samba_dnsupdate: ldb_wrap open of secrets.ldb
> [2014/04/04 04:06:28.292859, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable <======= !!!!
> [2014/04/04 04:06:28.311655, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
> [2014/04/04 04:06:28.329245, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
> [2014/04/04 04:06:28.344908, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
> [2014/04/04 04:06:28.361414, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
> .... and so on
>
> Also the 1st (formerly working) samba AD DC now is very *unhappy* with this:
> ============================================================================
> [2014/04/04 04:29:52.402360, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
> dns child failed to find name '7f9072a7-93a7-4da2-a658-8194b35d77a9._msdcs.addlz.kukkukk.com' of type A <== NTDS-GUID
> [2014/04/04 04:29:52.407264, 3] ../libcli/nbt/lmhosts.c:185(resolve_lmhosts_file_as_sockaddr)
> resolve_lmhosts: Attempting lmhosts lookup for name 1d24438c-bcfa-4712-8277-31e93ae53280._msdcs.addlz.kukkukk.com<0x20>
> [2014/04/04 04:29:52.421317, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
> dns child failed to find name '1d24438c-bcfa-4712-8277-31e93ae53280._msdcs.addlz.kukkukk.com' of type A <== NTDS-GUID
>
> The 2 joined DCs were not able to at least put the NTDS-GUID into DNS!
> internal (/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names) is NOT working!
>
> So *all* AD DCs are now running inside a loop!
>
> (I partially fixed this by starting the 1st and 2nd DC about 3 to 10 times - suddenly
> it got working !???)
>
> Unfortunately this is *not* just my alone problem - many AD DC users notice THE
> *side-effects* for a long time now:
> DRS replication is not working at all - and/or after some days even samba dies ...
>
> My question:
> How is this expected to work - *after* a join of a 2nd AD DC?
> Do other developers also test "these initial steps" ?
>
> How is
> /usr/local/samba/sbin/samba_dnsupdate
> expected to work - it calls external tools.
>
> Cheers, Günter
>
sorry, just an addition.
could some kind soul please explain in *which* cases and for *what* reasons
./source4/libcli/resolve/dns_ex.c
is called?
It's executing an async child to "query" *basic* DNS resolving stuff, and returning e.g.:
Addrs = 2a02:8109:8f40:107c:20c:29ff:fe3b:8649@0/li4771-131,192.168.200.70@0/li4771-131
with a port (here "@0") that is always "zero", which seems to be wrong.
I know I should contact all sources - but probably some kind soul can explain this behavior. :-)
Cheers, Günter
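The two failure signatures quoted in this thread (samba_dnsupdate reporting NOTAUTH or "TKEY is unacceptable" on the joined DC, and the first DC failing to resolve `<NTDS-GUID>._msdcs.<domain>`) can be picked out of a Samba log mechanically, which is useful for spotting a broken DC join before DRS replication starts failing. This is an added example, not code from the thread or from Samba; the log lines are constructed from the excerpts above and the header/message pairing follows Samba's default log layout.

```python
import re
from collections import Counter

# Constructed sample modelled on the log excerpts in the thread (header line, then message).
SAMPLE_LOG = """\
[2014/04/04 04:29:07.289746, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
[2014/04/04 04:06:28.292859, 0] ../lib/util/util_runcmd.c:320(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
[2014/04/04 04:29:52.402360, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
  dns child failed to find name '7f9072a7-93a7-4da2-a658-8194b35d77a9._msdcs.addlz.kukkukk.com' of type A
[2014/04/04 04:29:52.421317, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
  dns child failed to find name '1d24438c-bcfa-4712-8277-31e93ae53280._msdcs.addlz.kukkukk.com' of type A
[2014/04/04 04:29:53.100000, 3] ../source4/libcli/resolve/dns_ex.c:492(pipe_handler)
  dns child failed to find name '1d24438c-bcfa-4712-8277-31e93ae53280._msdcs.addlz.kukkukk.com' of type A
"""

HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<src>\S+)$")
DNSUPDATE_RE = re.compile(
    r"samba_dnsupdate: (?:update failed: (?P<rcode>\w+)|dns_tkey_negotiategss: (?P<reason>.+))$")
MSDCS_RE = re.compile(r"dns child failed to find name '(?P<name>[0-9a-f-]{36}\._msdcs\.[^']+)'")

def analyze(log_text):
    """Pair each header with the message line after it and count the two failure
    classes from the thread: samba_dnsupdate errors and unresolvable NTDS-GUID names."""
    dnsupdate_failures = Counter()   # reason -> occurrences
    missing_msdcs = Counter()        # <GUID>._msdcs.<domain> -> failed lookups
    header = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        if header is None:           # message with no preceding header: skip it
            continue
        m = DNSUPDATE_RE.search(line)
        if m:
            dnsupdate_failures[m.group("rcode") or m.group("reason")] += 1
        m = MSDCS_RE.search(line)
        if m:
            missing_msdcs[m.group("name")] += 1
        header = None
    return {"dnsupdate_failures": dict(dnsupdate_failures),
            "missing_msdcs": dict(missing_msdcs)}

def dns_registration_broken(summary):
    """True when the log shows the thread's symptom: the joined DC cannot update DNS
    and/or the other DCs cannot resolve an NTDS-GUID record."""
    return bool(summary["dnsupdate_failures"]) or bool(summary["missing_msdcs"])
```

Run it over `log.samba` of each DC after a join; a non-empty `missing_msdcs` on the first DC together with `dnsupdate_failures` on the joined one is exactly the situation the thread describes, and is worth alerting on before replication silently stalls.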