Site coverage DNS update on RODC

Rowland Penny rpenny at samba.org
Fri Aug 3 18:28:03 UTC 2018


On Fri, 3 Aug 2018 19:48:34 +0200
Denis Cardon <dcardon at tranquil.it> wrote:

> Hi Rowland,
> 
> Le 08/03/2018 à 06:57 PM, Rowland Penny via samba-technical a écrit :
>  > On Fri, 3 Aug 2018 17:55:27 +0200
>  > Kévin Guérineau via samba-technical
>  > <samba-technical at lists.samba.org> wrote:
>  >
>  >> Hi everyone,
>  >>
>  >> I have been working with Denis at Tranquil IT testing with our
>  >> client on the new site coverage coming with 4.9rc2. I have some
>  >> issues with samba_dnsupdate on RODC, and I would need some help
>  >> here to see if there is a bug or the issue resides in between the
>  >> keyboard and the chair. Aside from the error messages below,
>  >> samba_dnsupdate does not properly create the _gc fields (with
>  >> Samba, every RWDC is a GC, so I guess it is the same case for
>  >> RODC).
>  >>
>  >> I have added more specific notes written inline in the
>  >> samba_dnsupdate --verbose output below. I can file a bugzilla
>  >> entry if you find it suitable.
>  >>
>  >> Thanks,
>  >>
>  >> Kevin Guérineau
>  >>
>  >> [root at srvrodc.env.tranq private]# samba_dnsupdate   --verbose
>  >> IPs: ['192.168.1.130']
>  >> 8 DNS updates and 0 DNS deletes needed
>  >> Successfully obtained Kerberos ticket to
>  >> DNS/srvads.env.tranquil.it as SRVRODC$
>  >> update (nsupdate): A srvrodc.env.tranquil.it 192.168.1.130
>  >> Calling nsupdate for A srvrodc.env.tranquil.it 192.168.1.130 (add)
>  >> Successfully obtained Kerberos ticket to
>  >> DNS/srvads.env.tranquil.it as SRVRODC$
>  >> Outgoing update query:
>  >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>  >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>  >> ;; UPDATE SECTION:
>  >> srvrodc.env.tranquil.it. 900    IN      A 192.168.1.130
>  >>
>  >> ####### note : during provisioning, the srvrodc A entry is
>  >> created but SRVRODC$ does not have the RW ACE to that entry, so the
>  >> update fails
>  >> ####### note : during samba_dnsupdate on SRVRODC, if the DNS A
>  >> entry for itself has a wrong IP address, samba_dnsupdate creates a
>  >> new entry rather than updating the existing one (it should delete
>  >> the wrong one)
>  >>
>  >> update (rodc): CNAME
>  >> 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it
>  >> srvrodc.env.tranquil.it
>  >> Calling netlogon RODC update for CNAME
>  >> 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it
>  >> srvrodc.env.tranquil.it
>  >>
>  >> ####### note : samba_dnsupdate tries to update even though the
>  >> entry is already correct. Is it an expected behavior?
>  >>
>  >> update (rodc): SRV _ldap._tcp.Site2._sites.env.tranquil.it
>  >> srvrodc.env.tranquil.it 389
>  >> Calling netlogon RODC update for SRV
>  >> _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it
>  >> 389 Error setting DNS entry of type 22: SRV
>  >> _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it
>  >> 389: (3221225653, '{Device Timeout} The specified I/O operation
>  >> on %hs was not completed before the time-out period expired.')
>  >>
>  >> ####### note : we are not sure why it fails here, if the entry is
>  >> deleted, it is properly re-created, but we still get the same
>  >> error message
>  >>
>  >> update (rodc): SRV
>  >> _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it
>  >> srvrodc.env.tranquil.it 389 Calling netlogon RODC update for SRV
>  >> _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it
>  >> srvrodc.env.tranquil.it 389
>  >> update (rodc): SRV _kerberos._tcp.Site2._sites.env.tranquil.it
>  >> srvrodc.env.tranquil.it 88
>  >> Calling netlogon RODC update for SRV
>  >> _kerberos._tcp.Site2._sites.env.tranquil.it
>  >> srvrodc.env.tranquil.it 88 Error setting DNS entry of type 34: SRV
>  >> _kerberos._tcp.Site2._sites.env.tranquil.it
>  >> srvrodc.env.tranquil.it 88: (3221225653, '{Device Timeout} The
>  >> specified I/O operation on %hs was not completed before the
>  >> time-out period expired.')
>  >>
>  >> ####### (same as above) note : we are not sure why it fails here,
>  >> if the entry is deleted, it is properly re-created, but we get
>  >> the same error message
>  >>
>  >> update (rodc): SRV
>  >> _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it
>  >> srvrodc.env.tranquil.it 88 Calling netlogon RODC update for SRV
>  >> _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it
>  >> srvrodc.env.tranquil.it 88
>  >> update (rodc): SRV _gc._tcp.Site2._sites.env.tranquil.it
>  >> srvrodc.env.tranquil.it 3268
>  >>
>  >> ####### note : we don't have any error message, but the entry is
>  >> not created.
>  >>
>  >> update (rodc): SRV
>  >> _ldap._tcp.Site2._sites.gc._msdcs.env.tranquil.it
>  >> srvrodc.env.tranquil.it 3268
>  >>
>  >> #######  (same as above) note : we don't have any error message,
>  >> but the entry is not created
>  >>
>  >> Failed update of 2 entries
>  >>
>  >> ####### note : it says that two entries fail, which is the
>  >> case, but the ones it reports as failed are not the ones that
>  >> really failed
>  >>
>  >
>  > From my understanding, a RODC is just that, it is read only and
>  > doesn't have the entire AD objects, it doesn't have the users for
>  > one thing, these are cached when the user connects.
> 
> Just for clarification, RODC does have user information, it just does
> not have the right to sync any password hash by default, unless the user
> belongs to the necessary RODC replication group and has had his password
> hashes already replicated.

Sorry that was my misunderstanding.

> 
>  > So if you are trying to carry
>  > out the DNS updates on the RODC, then they should always fail, they
>  > should be passed to a RWDC.
> 
> sorry but the answer is off-topic. samba_dnsupdate 4.9rc2 on RODC
> forwards DNS updates to a RWDC. Kevin is asking about specific behavior
> issues when samba_dnsupdate on RODC is trying to update entries on
> the RWDC, he is not trying to update the local database...

No, it's not off-topic, it is just that I am not used to how Samba deals
with a RODC, but samba_dnsupdate is notorious for not working, have you
tried adding '--use-samba-tool' to the command?

Rowland
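The thread's core complaint is that the `--verbose` transcript and the final "Failed update of 2 entries" summary disagree: two SRV records error out explicitly, two `_gc` records are listed as updates but never reach a "Calling ..." line, and the summary counts only two. The script below is an added example, not Samba's code and not something the posters ran; it parses a transcript in the shape quoted above (the sample is a constructed, unwrapped copy of Kévin's output with the long error text shortened), derives the eight records that run lists for a site-covering DC (A, the GUID CNAME under `_msdcs`, and the six `Site2._sites` SRV records), and reports which records errored, which were planned but silently never sent, and which were never planned at all. The A-record ACL failure described in the first inline note leaves no error line in the transcript, so this audit cannot see it; that is a limit of the log, not of the parser.

```python
import re
from typing import Dict, List, Set, Tuple

# A DNS record as samba_dnsupdate names it: (record type, owner name).
Record = Tuple[str, str]

# Line shapes taken from the samba_dnsupdate --verbose transcript quoted in the thread.
UPDATE_RE = re.compile(r"^update \((?P<via>\w+)\): (?P<rtype>\w+) (?P<name>\S+)")
CALLING_RE = re.compile(
    r"^Calling (?:nsupdate for|netlogon RODC update for) (?P<rtype>\w+) (?P<name>\S+)")
ERROR_RE = re.compile(r"^Error setting DNS entry of type \d+: (?P<rtype>\w+) (?P<name>\S+)")
NEEDED_RE = re.compile(r"^(?P<n>\d+) DNS updates and")
FAILED_RE = re.compile(r"^Failed update of (?P<n>\d+) entr")


def expected_site_records(host: str, domain: str, site: str, dc_guid: str) -> Set[Record]:
    """The eight records the quoted run tries to register for a site-covering DC."""
    msdcs = f"_msdcs.{domain}"
    return {
        ("A", host),
        ("CNAME", f"{dc_guid}.{msdcs}"),
        ("SRV", f"_ldap._tcp.{site}._sites.{domain}"),
        ("SRV", f"_ldap._tcp.{site}._sites.dc.{msdcs}"),
        ("SRV", f"_kerberos._tcp.{site}._sites.{domain}"),
        ("SRV", f"_kerberos._tcp.{site}._sites.dc.{msdcs}"),
        ("SRV", f"_gc._tcp.{site}._sites.{domain}"),
        ("SRV", f"_ldap._tcp.{site}._sites.gc.{msdcs}"),
    }


def parse_verbose(text: str) -> Dict[str, object]:
    """Collect, per record, whether it was planned, actually sent, or errored."""
    planned: List[Record] = []
    sent: Set[Record] = set()
    errored: Set[Record] = set()
    needed = reported_failed = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := UPDATE_RE.match(line):
            planned.append((m["rtype"], m["name"]))
        elif m := CALLING_RE.match(line):
            sent.add((m["rtype"], m["name"]))
        elif m := ERROR_RE.match(line):
            errored.add((m["rtype"], m["name"]))
        elif m := NEEDED_RE.match(line):
            needed = int(m["n"])
        elif m := FAILED_RE.match(line):
            reported_failed = int(m["n"])
    return {"planned": planned, "sent": sent, "errored": errored,
            "needed": needed, "reported_failed": reported_failed}


def audit(text: str, expected: Set[Record]) -> Dict[str, object]:
    """Compare what the run claims in its summary with what its own lines show."""
    p = parse_verbose(text)
    planned = set(p["planned"])
    # Planned, but no "Calling ..." line and no error line: silently dropped.
    silent = sorted(r for r in planned if r not in p["sent"] and r not in p["errored"])
    return {
        "errored": sorted(p["errored"]),
        "silently_skipped": silent,
        "never_planned": sorted(expected - planned),
        "needed": p["needed"],
        "reported_failed": p["reported_failed"],
        "actual_failed": len(p["errored"]) + len(silent),
    }


# Constructed sample: the thread's transcript with wrapped lines rejoined and
# the NTSTATUS error text shortened. Names and GUID are the ones quoted above.
SAMPLE_OUTPUT = """\
IPs: ['192.168.1.130']
8 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/srvads.env.tranquil.it as SRVRODC$
update (nsupdate): A srvrodc.env.tranquil.it 192.168.1.130
Calling nsupdate for A srvrodc.env.tranquil.it 192.168.1.130 (add)
update (rodc): CNAME 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it srvrodc.env.tranquil.it
Calling netlogon RODC update for CNAME 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it srvrodc.env.tranquil.it
update (rodc): SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389
Calling netlogon RODC update for SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389
Error setting DNS entry of type 22: SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389: (3221225653, '{Device Timeout} ...')
update (rodc): SRV _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 389
Calling netlogon RODC update for SRV _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 389
update (rodc): SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88
Calling netlogon RODC update for SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88
Error setting DNS entry of type 34: SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88: (3221225653, '{Device Timeout} ...')
update (rodc): SRV _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 88
Calling netlogon RODC update for SRV _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 88
update (rodc): SRV _gc._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 3268
update (rodc): SRV _ldap._tcp.Site2._sites.gc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 3268
Failed update of 2 entries
"""

if __name__ == "__main__":
    expected = expected_site_records("srvrodc.env.tranquil.it", "env.tranquil.it",
                                     "Site2", "1a3cc061-4804-4983-950a-b2a3a0d29fa4")
    for key, value in audit(SAMPLE_OUTPUT, expected).items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports `reported_failed: 2` against `actual_failed: 4`, with the two `_gc` SRV records under `silently_skipped`, which is exactly the discrepancy the inline notes describe. Feeding it a real transcript (after rejoining wrapped lines) gives an operator a record-by-record list to check on the RWDC with `samba-tool dns query` or `dig`, rather than trusting the summary count.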
