Site coverage DNS update on RODC
Rowland Penny
rpenny at samba.org
Fri Aug 3 18:28:03 UTC 2018
On Fri, 3 Aug 2018 19:48:34 +0200
Denis Cardon <dcardon at tranquil.it> wrote:
> Hi Rowland,
>
> > On 08/03/2018 at 06:57 PM, Rowland Penny via samba-technical wrote:
> > On Fri, 3 Aug 2018 17:55:27 +0200
> > Kévin Guérineau via samba-technical
> > <samba-technical at lists.samba.org> wrote:
> >
> >> Hi everyone,
> >>
> >> I have been working with Denis at Tranquil IT testing with our
> >> client on the new site coverage coming with 4.9rc2. I have some
> >> issues with samba_dnsupdate on RODC, and I would need some help
> >> here to see if there is a bug or the issue resides between the
> >> keyboard and the chair. Aside from the error messages below,
> >> samba_dnsupdate does not properly create the _gc fields (with
> >> Samba, every RWDC is a GC, so I guess it is the same case for
> >> RODC).
> >>
> >> I have added more specific notes written inline in the
> >> samba_dnsupdate --verbose output below. I can file a bugzilla
> >> entry if you find it suitable.
> >>
> >> Thanks,
> >>
> >> Kevin Guérineau
> >>
> >> [root at srvrodc.env.tranq private]# samba_dnsupdate --verbose
> >> IPs: ['192.168.1.130']
> >> 8 DNS updates and 0 DNS deletes needed
> >> Successfully obtained Kerberos ticket to
> >> DNS/srvads.env.tranquil.it as SRVRODC$
> >> update (nsupdate): A srvrodc.env.tranquil.it 192.168.1.130
> >> Calling nsupdate for A srvrodc.env.tranquil.it 192.168.1.130 (add)
> >> Successfully obtained Kerberos ticket to
> >> DNS/srvads.env.tranquil.it as SRVRODC$
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> srvrodc.env.tranquil.it. 900 IN A 192.168.1.130
> >>
> >> ####### note : during provisioning, the srvrodc A entry is
> >> created, but SRVRODC$ does not have the RW ACE to that entry, so
> >> the update fails
> >> ####### note : during samba_dnsupdate on SRVRODC, if the DNS A
> >> entry for itself has a wrong IP address, samba_dnsupdate creates
> >> a new entry rather than updating the existing one (it should
> >> delete the wrong one)
> >>
> >> update (rodc): CNAME
> >> 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it
> >> srvrodc.env.tranquil.it
> >> Calling netlogon RODC update for CNAME
> >> 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it
> >> srvrodc.env.tranquil.it
> >>
> >> ####### note : samba_dnsupdate tries to update even though the
> >> entry is already correct. Is this expected behaviour?
> >>
> >> update (rodc): SRV _ldap._tcp.Site2._sites.env.tranquil.it
> >> srvrodc.env.tranquil.it 389
> >> Calling netlogon RODC update for SRV
> >> _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it
> >> 389
> >> Error setting DNS entry of type 22: SRV
> >> _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it
> >> 389: (3221225653, '{Device Timeout} The specified I/O operation
> >> on %hs was not completed before the time-out period expired.')
> >>
> >> ####### note : we are not sure why it fails here, if the entry is
> >> deleted, it is properly re-created, but we still get the same
> >> error message
> >>
> >> update (rodc): SRV
> >> _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it
> >> srvrodc.env.tranquil.it 389
> >> Calling netlogon RODC update for SRV
> >> _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it
> >> srvrodc.env.tranquil.it 389
> >> update (rodc): SRV _kerberos._tcp.Site2._sites.env.tranquil.it
> >> srvrodc.env.tranquil.it 88
> >> Calling netlogon RODC update for SRV
> >> _kerberos._tcp.Site2._sites.env.tranquil.it
> >> srvrodc.env.tranquil.it 88
> >> Error setting DNS entry of type 34: SRV
> >> _kerberos._tcp.Site2._sites.env.tranquil.it
> >> srvrodc.env.tranquil.it 88: (3221225653, '{Device Timeout} The
> >> specified I/O operation on %hs was not completed before the
> >> time-out period expired.')
> >>
> >> ####### (same as above) note : we are not sure why it fails here,
> >> if the entry is deleted, it is properly re-created, but we get
> >> the same error message
> >>
> >> update (rodc): SRV
> >> _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it
> >> srvrodc.env.tranquil.it 88
> >> Calling netlogon RODC update for SRV
> >> _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it
> >> srvrodc.env.tranquil.it 88
> >> update (rodc): SRV _gc._tcp.Site2._sites.env.tranquil.it
> >> srvrodc.env.tranquil.it 3268
> >>
> >> ####### note : we don't have any error message, but the entry is
> >> not created.
> >>
> >> update (rodc): SRV
> >> _ldap._tcp.Site2._sites.gc._msdcs.env.tranquil.it
> >> srvrodc.env.tranquil.it 3268
> >>
> >> ####### (same as above) note : we don't have any error message,
> >> but the entry is not created
> >>
> >> Failed update of 2 entries
> >>
> >> ####### note : it says that two entries failed, which is the
> >> case, but the ones reported as failed are not the ones that
> >> really failed
> >>
> >
> > From my understanding, an RODC is just that: it is read-only and
> > doesn't have the entire set of AD objects. It doesn't have the
> > users, for one thing; these are cached when the user connects.
>
> Just for clarification, the RODC does have user information, it just
> does not have the right to sync any password hash by default, unless
> the user belongs to the necessary RODC replication group and has had
> his password hashes already replicated.
Sorry that was my misunderstanding.
>
> > So if you are trying to carry out the DNS updates on the RODC,
> > then they should always fail; they should be passed to an RWDC.
>
> Sorry, but the answer is off-topic. samba_dnsupdate 4.9rc2 on an RODC
> forwards DNS updates to an RWDC. Kevin is asking about specific
> behaviour issues when samba_dnsupdate on the RODC is trying to update
> entries on the RWDC; he is not trying to update the local database...
No, it's not off-topic, it is just that I am not used to how Samba
deals with an RODC, but samba_dnsupdate is notorious for not working.
Have you tried adding '--use-samba-tool' to the command?
Rowland
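Added editorial example, not code from the thread or from the Samba project: Kevin's notes point out that the "Failed update of N entries" summary cannot be trusted to name the records that actually failed, and that the two _gc records are skipped with no error at all. The script below reads a captured `samba_dnsupdate --verbose` transcript, pairs each "update (...)" line with its "Calling ..." and "Error setting DNS entry" lines, and reports three things separately: records that raised an NTSTATUS error, records that were listed but never attempted (the silent _gc case), and the NTSTATUS values in hex so they can be looked up. The sample transcript is constructed from the output quoted above (hostnames, record names and the NTSTATUS value 3221225653 are from the post; blank lines and the Kerberos ticket messages are dropped for brevity). The line patterns are assumed from that one transcript and may need adjusting for other Samba versions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, abridged from the samba_dnsupdate --verbose output
# quoted in the thread; not a live capture.
SAMPLE_OUTPUT = """\
IPs: ['192.168.1.130']
8 DNS updates and 0 DNS deletes needed
update (nsupdate): A srvrodc.env.tranquil.it 192.168.1.130
Calling nsupdate for A srvrodc.env.tranquil.it 192.168.1.130 (add)
update (rodc): CNAME 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it srvrodc.env.tranquil.it
Calling netlogon RODC update for CNAME 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it srvrodc.env.tranquil.it
update (rodc): SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389
Calling netlogon RODC update for SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389
Error setting DNS entry of type 22: SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
update (rodc): SRV _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 389
Calling netlogon RODC update for SRV _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 389
update (rodc): SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88
Calling netlogon RODC update for SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88
Error setting DNS entry of type 34: SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
update (rodc): SRV _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 88
Calling netlogon RODC update for SRV _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 88
update (rodc): SRV _gc._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 3268
update (rodc): SRV _ldap._tcp.Site2._sites.gc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 3268
Failed update of 2 entries
"""

# Line patterns, assumed from the transcript above (not a documented format).
UPDATE_RE = re.compile(r"^update \((?P<via>nsupdate|rodc)\): (?P<rtype>\S+) (?P<name>\S+)")
CALLING_RE = re.compile(r"^Calling (?:nsupdate for|netlogon RODC update for) (?P<rtype>\S+) (?P<name>\S+)")
ERROR_RE = re.compile(r"^Error setting DNS entry of type \d+: (?P<rtype>\S+) (?P<name>\S+).*?\((?P<code>\d+), '(?P<msg>.*)'\)\s*$")
FAILED_RE = re.compile(r"^Failed update of (?P<n>\d+) entries")


@dataclass
class Update:
    via: str            # "nsupdate" (sent to the DNS server) or "rodc" (via netlogon)
    rtype: str          # A, CNAME, SRV, ...
    name: str           # owner name of the record
    attempted: bool = False            # a "Calling ..." line was seen for it
    error: Optional[tuple] = None      # (ntstatus as int, message) if it errored


def ntstatus_hex(code: int) -> str:
    """samba_dnsupdate prints NTSTATUS as decimal; render it the usual 0xC... way."""
    return "0x%08X" % code


def parse_updates(text: str):
    """Group the verbose transcript into per-record Update objects."""
    updates, current, reported_failed = [], None, None
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            current = Update(m["via"], m["rtype"], m["name"])
            updates.append(current)
            continue
        m = CALLING_RE.match(line)
        if m and current and (m["rtype"], m["name"]) == (current.rtype, current.name):
            current.attempted = True
            continue
        m = ERROR_RE.match(line)
        if m and current and (m["rtype"], m["name"]) == (current.rtype, current.name):
            current.error = (int(m["code"]), m["msg"])
            continue
        m = FAILED_RE.match(line)
        if m:
            reported_failed = int(m["n"])
    return updates, reported_failed


def audit(text: str) -> dict:
    """Separate records that errored from records that were never attempted."""
    updates, reported_failed = parse_updates(text)
    return {
        "reported_failed": reported_failed,
        "errored": [u.name for u in updates if u.error],
        "silent": [u.name for u in updates if not u.attempted and not u.error],
        "ntstatus": sorted({ntstatus_hex(u.error[0]) for u in updates if u.error}),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    print("tool reported failed:", result["reported_failed"])
    print("records with an NTSTATUS error:", result["errored"])
    print("records listed but never attempted:", result["silent"])
    print("NTSTATUS codes seen:", result["ntstatus"])
```

On the transcript from the thread the script lists the two site-specific _ldap and _kerberos SRV records as the ones that errored with 0xC00000B5 (the hex form of 3221225653), and the two _gc records as listed but never attempted, which is the discrepancy Kevin describes between the summary count and the records that actually failed. Feed it a fresh transcript with `audit(open(path).read())` and then check each name in both lists against the RWDC with a DNS query rather than trusting the summary line.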