[PATCH][WIP] Create DC DNS entries at domain join

Andrew Bartlett abartlet at samba.org
Fri Feb 24 19:34:32 UTC 2017


On Fri, 2017-02-24 at 10:18 +0100, Stefan Metzmacher wrote:
> Am 24.02.2017 um 09:57 schrieb Andrew Bartlett:
> > On Fri, 2017-02-24 at 08:59 +0100, Stefan Metzmacher wrote:
> > > Hi Andrew,
> > > 
> > > > Just as with the domain member join, the DC join really should
> > > > create the essential DNS entries at join time.
> > > > 
> > > > This should make it easier for folks to get DNS working and fully
> > > > replicated, by ensuring the entry isn't written to the local DC
> > > > (that nobody else knows how to contact).
> > > > 
> > > > The attached patch does exactly that, in this case using the
> > > > dnsrpc protocol.
> > > > 
> > > > I chose the dnsserver RPC protocol because:
> > > >  - I don't want to race with the replication of the machine
> > > >    account to the KDC (which might not be the server I'm joining).
> > > >    Instead we will change the owner over LDAP
> > > >  - Direct LDAP or DsAddEntry injection wouldn't update the
> > > >    sequence number
> > > >  - shelling to nsupdate isn't reliable
> > > >  - We still don't have great bindings for secure DNS updates in
> > > >    python
> > > > 
> > > > I need to finish the owner change part, and write the
> > > > dns_update_cache, but we do successfully create the DNS records
> > > > and re-sync the database.  This should make Samba DCs a little
> > > > more reliable from the moment they start.
> > > > 
> > > > Comment welcome.
> > > 
> > > I typically just use the following after "samba-tool domain join":
> > > samba_dnsupdate --use-samba-tool --rpc-server-ip=<ip>
> > > Can't we just call that at the end of the join?
> > 
> > That is essentially what I'm doing, just avoiding the double-exec
> > and forcing an incremental replication so everyone is sync'ed up.
> 
> Why is the double-exec a problem? It will also
> fill dns_update_cache correctly.

Mostly due to the loss in error fidelity and general ugliness.  I
certainly do want it to fill in the dns_update_cache.

If it is desirable to re-use samba_dnsupdate, I'll re-work that to
first call the DNS RPC code in the way this does (for what will then be
a mis-named --use-samba-tool case), and then make samba_dnsupdate a
re-usable module.

I took the first step in that direction by moving the helper routines
for building the objects required for samba-tool dns out of the
command-line tool.

In terms of join.py, I may not go the whole hog (and I'll describe the
reasons in that case), but I'll certainly make more of this common.

> We could also run this before replicating the dns partitions
> and avoid the double replication.

Good point.  I'm doing this at the end because I wanted there to be a
very good chance that replication has been successful before I start
updating DNS, for consistency with existing behaviour and to avoid
changing DNS for the (too often in the real world) failure-to-join
cases.

I'm doing it just before the DsReplicaUpdateRefs as that is the first
place we use the DNS name.

Finally, thank you for your comments.  I don't send enough early-stage
patches here for comment and it is useful to get some additional ideas
and thoughts.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba