[PATCH][WIP] Create DC DNS entries at domain join

Andrew Bartlett abartlet at samba.org
Fri Feb 24 19:41:19 UTC 2017


On Sat, 2017-02-25 at 08:34 +1300, Andrew Bartlett wrote:
> On Fri, 2017-02-24 at 10:18 +0100, Stefan Metzmacher wrote:
> > Am 24.02.2017 um 09:57 schrieb Andrew Bartlett:
> > > On Fri, 2017-02-24 at 08:59 +0100, Stefan Metzmacher wrote:
> > > > Hi Andrew,
> > > > 
> > > > > Just as with the domain member join, the DC join really should
> > > > > create the essential DNS entries at join time.
> > > > > 
> > > > > This should make it easier for folks to get DNS working and fully
> > > > > replicated, by ensuring the entry isn't written to the local DC
> > > > > (that nobody else knows how to contact).
> > > > > 
> > > > > The attached patch does exactly that, in this case using the
> > > > > dnsrpc protocol.
> > > > > 
> > > > > I chose the dnsserver RPC protocol because:
> > > > >  - I don't want to race with the replication of the machine
> > > > >    account to the KDC (which might not be the server I'm joining).
> > > > >    Instead we will change the owner over LDAP
> > > > >  - Direct LDAP or DsAddEntry injection wouldn't update the
> > > > >    sequence number
> > > > >  - shelling to nsupdate isn't reliable
> > > > >  - We still don't have great bindings for secure DNS updates in
> > > > >    python
> > > > > 
> > > > > I need to finish the owner change part, and write the
> > > > > dns_update_cache, but we do successfully create the DNS records and
> > > > > re-sync the database.  This should make Samba DCs a little more
> > > > > reliable from the moment they start.
> > > > > 
> > > > > Comments welcome.
> > > > 
> > > > I typically just use the following after "samba-tool domain join":
> > > > samba_dnsupdate --use-samba-tool --rpc-server-ip=<ip>
> > > > Can't we just call that at the end of the join?
> > > 
> > > That is essentially what I'm doing, just avoiding the double-exec and
> > > forcing an incremental replication so everyone is sync'ed up.
> > 
> > Why is the double-exec a problem? It will also
> > fill dns_update_cache correctly.
> 
> Mostly due to the loss in error fidelity and general ugliness.  I
> certainly do want it to fill in the dns_update_cache.
> 
> If it is desirable to re-use samba_dnsupdate, I'll re-work that to
> first call the DNS RPC code in the way this does (for what will then be
> a mis-named --use-samba-tool case), and then make samba_dnsupdate a
> re-usable module.
> 
> I took the first step in that direction by moving the helper routines
> for building the objects required for samba-tool dns out of the
> command-line tool.  
> 
> In terms of join.py, I may not go the whole hog (and I'll describe the
> reasons in that case) but I'll certainly make more of this common.

While it certainly could be fixed, one extra wrinkle is that the
--use-samba-tool case forces kerberos off with '-k no' (because it is run
in the Kerberos failure case by samba_dnsupdate), but what I put into the
join.py for every invocation should be fully using Kerberos, not NTLM.

> > We could also run this before replicating the dns partitions
> > and avoid the double replication.
> 
> Good point.  I'm doing this at the end because I wanted there to be a
> very good chance that replication has been successful before I start
> updating DNS, for consistency with existing behaviour and to avoid
> changing DNS for the (too often in the real world) failure-to-join
> cases.
> 
> I'm doing it just before the DsReplicaUpdateRefs as that is the first
> place we use the DNS name.
> 
> Finally, thank you for your comments.  I don't send enough early-stage
> patches here for comment and it is useful to get some additional ideas
> and thoughts.
> 
> Thanks,
> 
> Andrew Bartlett
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
