Aw: Re: Re: DNS server no in sync with database?

support at remsnet.de support at remsnet.de
Sun Mar 1 04:30:38 MST 2015



> Sent: Saturday, 28 February 2015 at 21:13
> From: "Andrew Bartlett" <abartlet at samba.org>
> To: support at remsnet.de
> Cc: "Amitay Isaacs" <amitay at gmail.com>, "Samba Technical" <samba-technical at lists.samba.org>
> Subject: Re: Aw: Re: DNS server no in sync with database?
>
> On Thu, 2015-02-26 at 07:34 +0100, support at remsnet.de wrote:
> > Hello Amitay  & Andrew  and others
> > 
> > This "feature" .. DB not in sync .. exists when the DC has been running for a while ... The same can be found with DLZ DB usage.
> > 
> > I ask again for  that :
> > 
> > - DNS IN NS records auto-generated in CN=MicrosoftDNS,CN=System,DC=samba,DC=example,DC=com while deploying a DC or joining as a DC
> 
> Yes, we seem to be missing NS records from the dns_update_list.  This
> also impacts on changing a hostname with renamedc, because even with my
> new samba_dnsupdate script to use samba-tool (bypassing the chicken and
> egg issue), we do not fix up the NS record.

Ugly, bad BUG stuff.

I am not a coder, but:
  - a possible way to solve this is to fork a subprocess
   - use e.g. IPCS
   - control the update over that
   - close the forked subprocess when done.

.. there are many ways on Linux to get a clean hold over an "atomic state" - the kernel and Linux offer a lot of things for process intercommunication.


> 
> > - DNS for our OWN DNS entries gets VALIDATED after a join as DC (or a re-join with the same SID)
> 
> We actually do that every time samba_dnsupdate runs.  The issue is:
> with the internal dns server nobody looks at the output (because of the
> noise from nsupdate and our broken server-side crypto), and there is a
> bug that in 'standard' process mode, we don't get the status result from
> running the script.  
> 

Such a bug is ugly; see the above comment.

> Ideally, samba_dnsupdate would never fail, and doing so would be a clear
> sign of poor health in this area. 
> 
> I agree it could potentially be run during the join, where failure would
> be more likely to be noticed. 

The truth is: samba_dnsupdate sometimes fails due to being out of sync, and if so, the AD itself and the AD domain fall down.

> 
> > - DCs automatically added as IN NS for the zone
> 

Are you really, really sure?

I am not, not with the latest Samba 4.1.x or 4.2RC5 either:
- after a freshly set up master DC and then joining a freshly set up second DC,
 and letting this run for e.g. 12h, the second DC's DNS entries are GONE without admin actions.
 

> This is already done.
> 
> > - DCs automatically added as LDAP SRV for the zone
> 
> This is already done, as far as I can tell.
> 

NO, it isn't all the time. Should I prove it on a real installation?

> > - a diff of the DB for "IN A", IN SRV and missing LDAP SRV on joining DCs is heavily CRITICAL
> >   and should cause an ERROR to the admin user saying the join failed, with details.
> >   A kind of verification code is required here to make sure.
> > - a samba-tool option, e.g. "samba-tool validateDC", should be created that checks and force-corrects any kind of CORE DNS entry issues, as disaster recovery.
> 

> This is in the logs, but as above, little attention is paid to it. 
>

M$ ADS verifies the ADS all the time; Samba4 should do the same.
 
> This is fundamentally what samba_dnsupdate does each time it runs.  You
> can run it manually as well for that reason. 

I can clearly prove that samba_dnsupdate doesn't do this the right way all the time.

I can let you log in to freshly installed latest Samba4 DCs and check it out yourself,

 and DC & domain will fall down within less than 12h without *any* admin actions
 while using multiple DCs in different class-C IP subnets.

If there is interest in my showing you, ping me by PM.

> 
> I hope this helps!
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> 
> 
> 

Regards, Horst
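The thread above asks for a check that every DC holds its core DNS records (an A record, an NS record for the zone, and an _ldap._tcp SRV record) and errors out when one is missing. The following is an added example of such a check; it is not code from this post, from Andrew Bartlett, or from the Samba project, and it does not use Samba's own dns_update_list. The zone dump is constructed here in the shape of `dig` / AXFR output; in practice you would feed it the real zone (for example from `samba-tool dns query` or a zone transfer). Zone name, DC names and addresses are assumptions for illustration.

```python
"""Check that every DC in a list has the core DNS records a Samba AD zone
needs: an A record, an NS record for the zone, and an _ldap._tcp SRV record.

Added example, not part of the Samba project.  The zone dump below is
constructed in the shape of `dig -t any` / AXFR output; a real check would
read the live zone (e.g. `samba-tool dns query` or a zone transfer).
"""
import re
from collections import defaultdict

ZONE = "samba.example.com"  # assumed zone name

# Constructed zone dump: dc2 still has its A record but has lost its NS and
# _ldap._tcp SRV records, the failure mode discussed in the thread.
ZONE_DUMP = """\
samba.example.com.          3600 IN SOA  dc1.samba.example.com. hostmaster.samba.example.com. 1 900 600 86400 3600
samba.example.com.          900  IN NS   dc1.samba.example.com.
dc1.samba.example.com.      900  IN A    192.0.2.10
dc2.samba.example.com.      900  IN A    198.51.100.10
_ldap._tcp.samba.example.com. 900 IN SRV 0 100 389 dc1.samba.example.com.
_ldap._tcp.dc._msdcs.samba.example.com. 900 IN SRV 0 100 389 dc1.samba.example.com.
"""

# owner  ttl  IN  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(text):
    """Return {(owner, rtype): set(rdata)}; owners lower-cased, trailing dot kept."""
    records = defaultdict(set)
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # blank lines, comments and continuation lines are ignored
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3).strip()
        records[(owner, rtype)].add(rdata)
    return records


def srv_targets(rdatas):
    """SRV rdata is 'priority weight port target'; return the set of targets."""
    return {r.split()[3].lower() for r in rdatas if len(r.split()) == 4}


def missing_core_records(zone, dcs, records):
    """Return [(dc, what), ...] for every core record a DC is missing.

    Checks, per DC: an A record for <dc>.<zone>, that <dc>.<zone> is one of the
    zone's NS targets, and that it is a target of _ldap._tcp.<zone> SRV.
    """
    zone_fqdn = zone.lower().rstrip(".") + "."
    ns_targets = {r.lower() for r in records.get((zone_fqdn, "NS"), set())}
    ldap_targets = srv_targets(records.get(("_ldap._tcp." + zone_fqdn, "SRV"), set()))
    missing = []
    for dc in dcs:
        fqdn = f"{dc}.{zone_fqdn}".lower()
        if not records.get((fqdn, "A")):
            missing.append((dc, "A"))
        if fqdn not in ns_targets:
            missing.append((dc, "NS"))
        if fqdn not in ldap_targets:
            missing.append((dc, "_ldap._tcp SRV"))
    return missing


if __name__ == "__main__":
    problems = missing_core_records(ZONE, ["dc1", "dc2"], parse_zone(ZONE_DUMP))
    for dc, what in problems:
        print(f"ERROR: {dc} has no {what} record in {ZONE}")
    # Non-zero exit so a join or cron wrapper notices, as the thread asks for.
    raise SystemExit(1 if problems else 0)
```

Run against the constructed dump, it reports dc2 as missing its NS and _ldap._tcp SRV records and exits 1; against a healthy zone it exits 0. Wrapping it around a join, or running it periodically, turns the "nobody looks at the output" problem into a hard failure that an admin sees.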