[Samba] Missing DNS entry after "domain join"

mathias dufresne infractory at gmail.com
Wed Oct 14 09:52:55 UTC 2015


Hi all,

I kept only samba-technical as now it seems to me this issue is purely a
regression.

Today I've installed another domain compiling Samba 4.3.0 (without any
patch) using the following configure command:
./configure --enable-fhs --prefix=/usr --sysconfdir=/etc \
  --localstatedir=/var

This was performed on Centos7. Additional installed packages to be able to
run the compilation were:
  yum install --assumeyes gcc attr libacl-devel libblkid-devel \
    gnutls-devel readline-devel python-devel gdb pkgconfig \
    krb5-workstation zlib-devel setroubleshoot-server libaio-devel \
    setroubleshoot-plugins policycoreutils-python \
    libsemanage-python perl-ExtUtils-MakeMaker perl-Parse-Yapp \
    perl-Test-Base popt-devel libxml2-devel libattr-devel \
    keyutils-libs-devel cups-devel bind-utils libxslt \
    docbook-style-xsl openldap-devel autoconf
  yum install --assumeyes redhat-lsb-core pycrypto pam-devel xfsprogs-devel \
    e2fsprogs-devel

On first DC (named m707):
samba-tool domain provision --use-rfc2307 --server-role='domain controller' \
  --realm=SAMBA.DOMAIN.TLD --domain=SAMBA.DOMAIN --adminpass="1SuperPass"

On the second DC (named m708):
samba-tool domain join SAMBA.DOMAIN.TLD DC -Uadministrator \
  --realm=SAMBA.DOMAIN.TLD --domain-critical-only --password="1SuperPass"

Adding the second into the samba.domain.tld domain was successful:
---------------------------------------------
Finding a writeable DC for domain 'SAMBA.DOMAIN.TLD'
Found DC m707.samba.domain.tld
workgroup is SAMBA.DOMAIN
realm is samba.domain.tld
checking sAMAccountName
Adding CN=M708,OU=Domain Controllers,DC=samba,DC=domain,DC=tld
Adding
CN=M708,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Adding CN=NTDS
Settings,CN=M708,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Adding SPNs to CN=M708,OU=Domain Controllers,DC=samba,DC=domain,DC=tld
Setting account password for M708$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at
/var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=samba,DC=domain,DC=tld
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samba,DC=domain,DC=tld]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samba,DC=domain,DC=tld]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samba,DC=domain,DC=tld]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=samba,DC=domain,DC=tld]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samba,DC=domain,DC=tld] objects[402/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=samba,DC=domain,DC=tld] objects[804/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=samba,DC=domain,DC=tld] objects[1206/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=samba,DC=domain,DC=tld] objects[1608/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=samba,DC=domain,DC=tld] objects[1614/1614]
linked_values[28/0]
Partition[DC=samba,DC=domain,DC=tld] objects[97/97] linked_values[23/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
Partition[DC=DomainDnsZones,DC=samba,DC=domain,DC=tld] objects[40/40]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=samba,DC=domain,DC=tld
Partition[DC=ForestDnsZones,DC=samba,DC=domain,DC=tld] objects[18/18]
linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain SAMBA.DOMAIN (SID S-1-5-21-606025217-964174945-510058985) as
a DC
------------------------------------------------

Both DC are using the same /etc/resolv.conf:
cat /etc/resolv.conf
search samba.domain.tld
nameserver 10.156.248.238

Where 10.156.248.238 is the IP of m707, the DC where domain provision was
performed.

Missing entries:
* Only one DC is declared for samba.domain.tld:
------------------------------------------------
dig samba.domain.tld

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> samba.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37892
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;samba.domain.tld.              IN      A

;; ANSWER SECTION:
*samba.domain.tld.       900     IN      A       10.156.248.238*

;; Query time: 0 msec
;; SERVER: 10.156.248.238#53(10.156.248.238)
;; WHEN: mer. oct. 14 11:33:54 CEST 2015
;; MSG SIZE  rcvd: 50
------------------------------------------------

* No record for joined DC:
------------------------------------------------
 dig m708.samba.domain.tld

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> m708.samba.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61911
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;m708.samba.domain.tld.         IN      A

;; Query time: 0 msec
;; SERVER: 10.156.248.238#53(10.156.248.238)
;; WHEN: mer. oct. 14 11:35:29 CEST 2015
;; MSG SIZE  rcvd: 50
------------------------------------------------

No "ANSWER SECTION" for that record.

* No objectGUID CNAME for joined DC:
------------------------------------------------
# ldbsearch -H $sam '(invocationId=*)' --cross-ncs objectguid | grep ^dn: -A1
dn: CN=NTDS Settings,CN=*M708*
,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
objectGUID: *5d04faa2-a4e6-4b36-b3dd-91a02b282444*
--
dn: CN=NTDS
Settings,CN=M707,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
objectGUID: d1339867-6135-47c5-8d65-15825c851985
#  host -t CNAME 5d04faa2-a4e6-4b36-b3dd-91a02b282444._msdcs.samba.domain.tld
*Host 5d04faa2-a4e6-4b36-b3dd-91a02b282444._msdcs.samba.domain.tld not
found: 3(NXDOMAIN)*
#  host -t CNAME d1339867-6135-47c5-8d65-15825c851985._msdcs.samba.domain.tld
d1339867-6135-47c5-8d65-15825c851985._msdcs.samba.domain.tld is an alias
for m707.samba.domain.tld.
m707:~/initial_setup#
------------------------------------------------

As this compilation was performed using almost no option and absolutely no
patch, I'm wondering why all these DNS records are missing.

As these records are missing we can expect all associated SRV records are
also missing.
Examples:
m708:~# host -t SRV _ldap._tcp.samba.domain.tld
_ldap._tcp.samba.domain.tld has SRV record 0 100 389 m707.samba.domain.tld.
m708:~# host -t SRV _ldap._tcp.dc._msdcs.samba.domain.tld
_ldap._tcp.dc._msdcs.samba.domain.tld has SRV record 0 100 389
m707.samba.domain.tld.

Here we can see there is only one record for each of these SRV names.

As the DC choice is made according to the records declared in DNS, it seems
only the DC on which the domain provision was performed can be used by
(Windows, at least) clients.

I'm about to install another domain using Sernet packages in version 4.2, as
I do believe these issues were not present with that version, which is why I
started to speak about a regression.

Dear Samba team, what can we do in such a case? Did I miss some argument in
my ./configure to produce a Samba version which is able to create these
records automatically?

Best regards,

mathias


2015-10-13 15:19 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hi all,
>
> First I apologize for posting on both mailing lists, but it seems it could be
> a question for those close enough to the code.
>
> I'm using Samba 4.3.0 on Centos 7. This version was compiled automatically
> when building RPMs, to do that I used a spec file from Sernet 4.1.x version.
>
> With these packages I set up an AD domain controller which seems well
> configured.
> When joining a second DC (let's call it DC2) to that domain, no DNS entry is
> created for DC2.domain.tld, whereas until now this entry was always created.
> Another missing entry is related to objectGUID CNAME record of the new
> joined Domain Controller as shown in the following link:
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>
> Perhaps I'm wrong but I thought this missing entry was solved months ago
> and I also thought this issue was not present when using Samba 4.2.3 from
> Sernet package.
>
> Both domain controllers have the default smb.conf generated by samba-tool
> command (one with provision, one with join).
>
> I could of course give more information about how I compiled this version
> - I would certainly need help to run the right command to extract the right
> information - if needed.
>
> The question: any idea why these entries are missing? Are there some
> patches to have them created automatically?
>
> I have a script to perform the commands shown in the previous link to create
> the missing DNS record regarding objectGUID, and I'd like to be able to remove
> that script rather than upgrading it to also create the standard DNS entry
> when a new DC is added : )
>
> In advance, thank you for your help!
>
> Best regards,
>
> mathias
>

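As an added example (not from the original post and not Samba's own code), here is a small Python checker for the records the thread inspects after a DC join: the DC's A record, the objectGUID CNAME under _msdcs, the _ldap._tcp SRV records, and the realm's A record. The lookup function is injectable so the check runs offline against a constructed zone that mirrors what the thread observed; the zone data, the _kerberos._tcp check and the `zone_lookup` helper are assumptions for the example.

```python
"""Report which DNS records a Samba AD DC is missing after 'domain join'."""
from typing import Callable, List, Optional, Tuple

# (name, rrtype) -> list of rdata strings; [] when the name does not exist.
Lookup = Callable[[str, str], List[str]]


def missing_records(realm: str, dc_host: str, object_guid: str,
                    lookup: Lookup, dc_ip: Optional[str] = None
                    ) -> List[Tuple[str, str]]:
    """Return the (name, type) pairs that a healthy DC join should have created
    but that the resolver does not return for this DC."""
    fqdn = f"{dc_host}.{realm}."

    def has_target(rr: List[str]) -> bool:
        # SRV rdata is "prio weight port target."; only the target matters here.
        return any(r.split()[-1] == fqdn for r in rr)

    checks = [
        (fqdn, "A", lambda rr: len(rr) > 0),
        (f"{object_guid}._msdcs.{realm}.", "CNAME", lambda rr: fqdn in rr),
        (f"_ldap._tcp.{realm}.", "SRV", has_target),
        (f"_ldap._tcp.dc._msdcs.{realm}.", "SRV", has_target),
        (f"_kerberos._tcp.{realm}.", "SRV", has_target),  # assumed standard record
    ]
    if dc_ip:  # every DC's address should be among the realm's A records
        checks.append((f"{realm}.", "A", lambda rr: dc_ip in rr))
    missing = []
    for name, rtype, ok in checks:
        try:
            rr = lookup(name, rtype)
        except LookupError:
            rr = []
        if not ok(rr):
            missing.append((name, rtype))
    return missing


# Constructed zone: only the provisioning DC (m707) is present, as in the thread.
CONSTRUCTED_ZONE = {
    ("samba.domain.tld.", "A"): ["10.156.248.238"],
    ("m707.samba.domain.tld.", "A"): ["10.156.248.238"],
    ("d1339867-6135-47c5-8d65-15825c851985._msdcs.samba.domain.tld.", "CNAME"):
        ["m707.samba.domain.tld."],
    ("_ldap._tcp.samba.domain.tld.", "SRV"): ["0 100 389 m707.samba.domain.tld."],
    ("_ldap._tcp.dc._msdcs.samba.domain.tld.", "SRV"): ["0 100 389 m707.samba.domain.tld."],
    ("_kerberos._tcp.samba.domain.tld.", "SRV"): ["0 100 88 m707.samba.domain.tld."],
}


def zone_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a resolver; replace with dnspython for a live check."""
    return CONSTRUCTED_ZONE.get((name, rtype), [])
```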
