[PATCH][WIP] Create DC DNS entries at domain join

Stefan Metzmacher metze at samba.org
Fri Feb 24 09:18:50 UTC 2017


Am 24.02.2017 um 09:57 schrieb Andrew Bartlett:
> On Fri, 2017-02-24 at 08:59 +0100, Stefan Metzmacher wrote:
>> Hi Andrew,
>>
>>> Just as with the domain member join, the DC join really should create
>>> the essential DNS entries at join time.
>>>
>>> This should make it easier for folks to get DNS working and fully
>>> replicated, by ensuring the entry isn't written to the local DC (that
>>> nobody else knows how to contact).
>>>
>>> The attached patch does exactly that, in this case using the dnsrpc
>>> protocol.
>>>
>>> I chose the dnsserver RPC protocol because:
>>>  - I don't want to race with the replication of the machine account to
>>>    the KDC (which might not be the server I'm joining).  Instead we will
>>>    change the owner over LDAP
>>>  - Direct LDAP or DsAddEntry injection wouldn't update the sequence
>>>    number
>>>  - shelling to nsupdate isn't reliable
>>>  - We still don't have great bindings for secure DNS updates in python
>>>
>>> I need to finish the owner change part, and write the dns_update_cache,
>>> but we do successfully create the DNS records and re-sync the database.
>>> This should make Samba DCs a little more reliable from the moment they
>>> start.
>>>
>>> Comment welcome.
>>
>> I typically just use the following after "samba-tool domain join":
>> samba_dnsupdate --use-samba-tool --rpc-server-ip=<ip>
>> Can't we just call that at the end of the join?
> 
> That is essentially what I'm doing, just avoiding the double-exec and
> forcing an incremental replication so everyone is sync'ed up.

Why is the double-exec a problem? It will also
fill dns_update_cache correctly.
We could also run this before replicating the dns partitions
and avoid the double replication.

metze
