New tests for DNS behaviour for new DCs (was: Re: Aw: [PATCH] Improve krb5 KDC tests, kdc behaviour)

Andrew Bartlett abartlet at samba.org
Fri Jan 30 12:03:40 MST 2015


On Fri, 2015-01-30 at 11:18 +0100, support at remsnet.de wrote:
> Andrew,
> 
> May you and garmin add KDC ldap forest srv dns checks, that
> explicitly run after a join as a DC has been done, please?
> 
> Sample from latest sernet 4.1.x samba :
> 
> 
> Server ldap/ADHRST.ADS.SOFTWAREENERGIE.EU at ADS.SOFTWAREENERGIE.EU is
> not registered with our KDC:  Miscellaneous failure (see text): Server
> (ldap/ADHRST at ADS.SOFTWAREENERGIE.EU) unknown
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
> NT_STATUS_INVALID_PARAMETER
> 
> 
> A join as DC should
> 
> - add dns A entries
> - add dns srv forest entries
> - add ldap srv register itself
> - add IN NS entries, register itself as NS
> 
> All these missing things affect VPN based AD stability.

These all seem reasonable things, but I'm not sure how this connects to
the tests I'm writing here, except that you suggest extra tests should
be written.  

Our test suite is fully open source, and I would suggest that adding
such checks on the startup of the vampire_dc or promoted_dc environment,
or as part of a unit test that joins the domain, establishes DNS and
leaves again would be very worthwhile.   Patches are most welcome, do
let me know if you need some assistance in creating them.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
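
Added example, not part of the original message and not code from Samba's test suite: a sketch of the post-join DNS check discussed above, comparing a zone snapshot against the records a newly joined DC is expected to own. The record list (a subset of the standard AD locator names), the host names, the addresses and all function names are assumptions made for illustration.

```python
# Added example: names, addresses and the record list are constructed assumptions.
SRV_PORTS = {"_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389,
             "_kerberos._tcp": 88, "_kerberos._tcp.dc._msdcs": 88}

def _norm(name):
    """DNS names compare case-insensitively; treat every name as absolute."""
    return name.strip().lower().rstrip(".") + "."

def _key(name, rtype, rdata):
    """Comparable form of one record; SRV priority and weight are ignored."""
    rtype = rtype.upper()
    if rtype == "SRV":
        port, target = rdata.split()[-2:]
        rdata = f"{int(port)} {_norm(target)}"
    elif rtype == "NS":
        rdata = _norm(rdata)
    return (_norm(name), rtype, rdata.strip())

def expected_dc_records(dc_host, domain, ip, forest=None, is_gc=True):
    """(name, type, rdata) records a DC should own after joining `domain`."""
    fqdn = _norm(f"{dc_host}.{domain}")
    recs = [(fqdn, "A", ip), (_norm(domain), "NS", fqdn)]
    recs += [(f"{label}.{domain}", "SRV", f"0 100 {port} {fqdn}")
             for label, port in SRV_PORTS.items()]
    if is_gc:  # forest-wide global catalog locator
        recs.append((f"_gc._tcp.{forest or domain}", "SRV", f"0 100 3268 {fqdn}"))
    return recs

def missing_dc_records(zone, dc_host, domain, ip, **kw):
    """Expected records for this DC that are absent from the zone snapshot."""
    have = {_key(*rec) for rec in zone}
    return [rec for rec in expected_dc_records(dc_host, domain, ip, **kw)
            if _key(*rec) not in have]

# Constructed snapshot: dc1 is fully registered; dc2 joined but only its
# A record and one Kerberos SRV record made it into the zone.
ZONE = expected_dc_records("dc1", "samdom.example.com", "10.0.0.1")
ZONE += [("DC2.samdom.example.com", "a", "10.0.0.2"),
         ("_kerberos._tcp.samdom.example.com.", "SRV",
          "0 100 88 dc2.SAMDOM.example.com")]

if __name__ == "__main__":
    for rec in missing_dc_records(ZONE, "dc2", "samdom.example.com", "10.0.0.2"):
        print("MISSING", *rec)
```

In a real test the `zone` list would come from querying the DNS server after the join rather than from a constructed snapshot.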



