Incorrect SRV records for internal DNS

David Mansfield samba at dm.cobite.com
Wed Feb 24 16:28:13 UTC 2016 

Hi,

I have a small domain running Samba 4.3.5 with 3 DC in 2 sites (there 
have been other DC in the past which were removed).

We are not using Bind, but are using the "internal" dns. The domain was 
initially set up with samba 4.0.1 and has been updated several times 
since then.

There are many SRV records that are "magically" maintained when DC are 
added or removed, or moved to differenc sites and we are seeing some 
inconsistencies in a few areas that I don't understand:

1) There are entries returned by the server for a query that don't show 
in the DNS management console, for example, none of the 
_kerberos._tcp.mysite1._sites.mydomain.com records show in the tool for 
one of my sites, but they do show in response a query. (Note: records DO 
show up in the tool for one of the other sites, and they also show up in 
the tool for the non-site-specific case).

2) There are entries that are "stale" in the tool and in the query 
response, belonging to removed DC, or belonging to DC that were moved 
from one site to another (these are site specific queries in this case).

Also, I'm unsure about the role of samba_dnsupdate, which seems to fail 
for various reasons. Is this the cause of these issues?  Does 
samba_dnsupdate play a role when internal DNS is used?  It has been 
failing because:

1) it seems to reference deleted DC
2) it seems to reference non-existent SOA records 
(_ldap._tcp.pdc._msdcs.mydomain.com)
3) it cannot find certain GSS credentials (again, it's looking for a key 
for a non-existent DC, DNS/volcano.mydomain.com at MYDOMAIN.COM: no such 
entry found in hdb)

These failures are not all at the same time.  #1 was present yesterday 
before the update to 4.3.5 (from 4.1.12).  #2 is present today until I 
fudge the resolv.conf on the system (this one could be an issue with our 
resolver cache). #3 is present after resolv.conf  has been fudged in 
response to #2.

My best guess is that the failure of samba_dnsupdate due to vestigal 
remains of dead DC is my root cause, but I don't know how to proceed. 
Any suggestions?

-- 
Thanks,
David Mansfield
Cobite, INC.

More information about the samba-technical mailing list