Site coverage DNS update on RODC

Denis Cardon dcardon at tranquil.it
Fri Aug 3 17:48:34 UTC 2018


Hi Rowland,

On 08/03/2018 at 06:57 PM, Rowland Penny via samba-technical wrote:
 > On Fri, 3 Aug 2018 17:55:27 +0200
 > Kévin Guérineau via samba-technical <samba-technical at lists.samba.org>
 > wrote:
 >
 >> Hi everyone,
 >>
 >> I have been working with Denis at Tranquil IT, testing with our client
 >> the new site coverage coming with 4.9rc2. I have some issues with
 >> samba_dnsupdate on an RODC, and I would need some help here to see if
 >> there is a bug or the issue resides between the keyboard and the
 >> chair. Aside from the error messages below, samba_dnsupdate does not
 >> properly create the _gc fields (with Samba, every RWDC is a GC, so I
 >> guess it is the same case for an RODC).
 >>
 >> I have added more specific notes written inline in the
 >> samba_dnsupdate --verbose output below. I can file a bugzilla entry
 >> if you find it suitable.
 >>
 >> Thanks,
 >>
 >> Kevin Guérineau
 >>
 >> [root at srvrodc.env.tranq private]# samba_dnsupdate   --verbose
 >> IPs: ['192.168.1.130']
 >> 8 DNS updates and 0 DNS deletes needed
 >> Successfully obtained Kerberos ticket to DNS/srvads.env.tranquil.it
 >> as SRVRODC$
 >> update (nsupdate): A srvrodc.env.tranquil.it 192.168.1.130
 >> Calling nsupdate for A srvrodc.env.tranquil.it 192.168.1.130 (add)
 >> Successfully obtained Kerberos ticket to DNS/srvads.env.tranquil.it
 >> as SRVRODC$
 >> Outgoing update query:
 >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
 >> ;; UPDATE SECTION:
 >> srvrodc.env.tranquil.it. 900    IN      A 192.168.1.130
 >>
 >> ####### note: during provisioning, the srvrodc A entry is created,
 >> but SRVRODC$ does not have an RW ACE on that entry, so the update fails.
 >> ####### note: during samba_dnsupdate on SRVRODC, if the DNS A entry for
 >> itself has a wrong IP address, samba_dnsupdate creates a new entry
 >> rather than updating the existing one (it should delete the wrong one).
 >>
 >> update (rodc): CNAME
 >> 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it
 >> srvrodc.env.tranquil.it
 >> Calling netlogon RODC update for CNAME
 >> 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it
 >> srvrodc.env.tranquil.it
 >>
 >> ####### note: samba_dnsupdate tries to update even though the entry
 >> is already correct. Is this expected behavior?
 >>
 >> update (rodc): SRV _ldap._tcp.Site2._sites.env.tranquil.it
 >> srvrodc.env.tranquil.it 389
 >> Calling netlogon RODC update for SRV
 >> _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389
 >> Error setting DNS entry of type 22: SRV
 >> _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389:
 >> (3221225653, '{Device Timeout} The specified I/O operation on %hs was
 >> not completed before the time-out period expired.')
 >>
 >> ####### note: we are not sure why it fails here; if the entry is
 >> deleted, it is properly re-created, but we still get the same error
 >> message.
 >>
 >> update (rodc): SRV _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it
 >> srvrodc.env.tranquil.it 389
 >> Calling netlogon RODC update for SRV
 >> _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it
 >> srvrodc.env.tranquil.it 389
 >> update (rodc): SRV _kerberos._tcp.Site2._sites.env.tranquil.it
 >> srvrodc.env.tranquil.it 88
 >> Calling netlogon RODC update for SRV
 >> _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88
 >> Error setting DNS entry of type 34: SRV
 >> _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it
 >> 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs
 >> was not completed before the time-out period expired.')
 >>
 >> ####### (same as above) note: we are not sure why it fails here; if
 >> the entry is deleted, it is properly re-created, but we get the same
 >> error message.
 >>
 >> update (rodc): SRV
 >> _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it
 >> srvrodc.env.tranquil.it 88 Calling netlogon RODC update for SRV
 >> _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it
 >> srvrodc.env.tranquil.it 88
 >> update (rodc): SRV _gc._tcp.Site2._sites.env.tranquil.it
 >> srvrodc.env.tranquil.it 3268
 >>
 >> ####### note: we don't have any error message, but the entry is not
 >> created.
 >>
 >> update (rodc): SRV _ldap._tcp.Site2._sites.gc._msdcs.env.tranquil.it
 >> srvrodc.env.tranquil.it 3268
 >>
 >> ####### (same as above) note: we don't have any error message, but
 >> the entry is not created.
 >>
 >> Failed update of 2 entries
 >>
 >> ####### note: it says that two entries failed, which is the case,
 >> but the ones it reports as failed are not the ones that really failed.
 >>
 >
 > From my understanding, a RODC is just that, it is read only and doesn't
 > have the entire AD objects, it doesn't have the users for one thing,
 > these are cached when the user connects.

Just for clarification, an RODC does have user information, it just does
have the right to sync any password hash by default, unless the user
belongs to the necessary RODC replication group and has had his password
hashes already replicated.

 > So if you are trying to carry
 > out the DNS updates on the RODC, then they should always fail, they
 > should be passed to a RWDC.

Sorry, but the answer is off-topic. samba_dnsupdate 4.9rc2 on an RODC
forwards DNS updates to a RWDC. Kevin is asking about specific behaviour
issues when samba_dnsupdate on the RODC tries to update entries on the
RWDC; he is not trying to update the local database...


Denis

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
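As an added example (not code from this thread or from Samba), the following Python builds the set of DNS records a site-covering RODC should own, matching the update list in the verbose output above, and diffs it against a snapshot of what the RWDC's zone actually serves, so an administrator can see which records are really missing or stale instead of relying on the final "Failed update of N entries" count. The hostnames, addresses and GUID are constructed sample values.

```python
# Added example (not Samba code); names and addresses below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    rtype: str   # "A", "CNAME" or "SRV"
    name: str    # owner name, without trailing dot
    data: str    # A: address, CNAME: target, SRV: "target port"


def expected_rodc_records(host, ip, guid, site, domain):
    """Records an RODC covering `site` should own on the RWDC (the same list
    samba_dnsupdate --verbose walks through above)."""
    msdcs = f"_msdcs.{domain}"
    return {
        Record("A", host, ip),
        Record("CNAME", f"{guid}.{msdcs}", host),
        Record("SRV", f"_ldap._tcp.{site}._sites.{domain}", f"{host} 389"),
        Record("SRV", f"_ldap._tcp.{site}._sites.dc.{msdcs}", f"{host} 389"),
        Record("SRV", f"_kerberos._tcp.{site}._sites.{domain}", f"{host} 88"),
        Record("SRV", f"_kerberos._tcp.{site}._sites.dc.{msdcs}", f"{host} 88"),
        Record("SRV", f"_gc._tcp.{site}._sites.{domain}", f"{host} 3268"),
        Record("SRV", f"_ldap._tcp.{site}._sites.gc.{msdcs}", f"{host} 3268"),
    }


def audit(expected, actual):
    """Return (missing, stale): expected records the zone lacks, and zone
    records with an expected type and owner but different data, such as the
    RODC's own A record still carrying an old address."""
    missing = expected - actual
    owners = {(r.rtype, r.name) for r in expected}
    stale = {r for r in actual - expected if (r.rtype, r.name) in owners}
    return sorted(missing, key=str), sorted(stale, key=str)


def sample_snapshot(host, guid, site, domain):
    """Constructed zone contents after a run like the one in the thread:
    the A record kept an old address and both _gc entries never appeared."""
    msdcs = f"_msdcs.{domain}"
    return {
        Record("A", host, "192.0.2.99"),
        Record("CNAME", f"{guid}.{msdcs}", host),
        Record("SRV", f"_ldap._tcp.{site}._sites.{domain}", f"{host} 389"),
        Record("SRV", f"_ldap._tcp.{site}._sites.dc.{msdcs}", f"{host} 389"),
        Record("SRV", f"_kerberos._tcp.{site}._sites.{domain}", f"{host} 88"),
        Record("SRV", f"_kerberos._tcp.{site}._sites.dc.{msdcs}", f"{host} 88"),
    }
```

In practice the snapshot would be filled from queries against the RWDC (for example with samba-tool dns query or dig) rather than constructed inline.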
