[Samba] adjust SOA record

mourik jan heupink - merit heupink at merit.unu.edu
Fri Aug 22 06:20:24 MDT 2014


Hi,

I learned something on the topic of SOA today, straight from SerNet 
support, that I would like to share.

Windows AD servers actually 'lie' about the SOA record, and always say 
that it points to themselves. So in a native Microsoft AD network, 
regardless of what the SOA actually is in the database, a DC always 
returns itself as SOA.

Samba does not do this, and returns what is actually in the DNS 
database. So in a samba domain, each DC should have listed himself 
(herself?) in the SOA record.

The bit I don't yet understand is how this works with replication, 
because if DNS data is replicated, the SOA would have to be excluded 
from the replication. I have to check that out a little bit more.

But just wanted to share this bit of knowledge with the list.

Mourik Jan

On 08/18/2014 10:35 AM, mourik jan heupink - merit wrote:
> Hi Achim,
>
> Yes, that did it. Thanks!
>
> But a broader question: is it common practice to set each dc's SOA to
> itself, to have complete 'independence', and thus failover..?
>
> MJ
>
>
> On 08/16/2014 08:39 PM, Achim Gottinger wrote:
>> Am 16.08.2014 20:30, schrieb mourik jan heupink - merit:
>>> No one..? Or am I asking something that is obvious to everybody except
>>> myself..?
>>>
>>> On 08/13/2014 07:21 PM, mourik jan heupink - merit wrote:
>>>> Hi,
>>>>
>>>> We have outdated SOA information in our samba DNS. We used to have a
>>>> DC1, and it is no more, however it's listed in our SOA records on both
>>>> remaining DC's. I think this is not correct.
>>>>
>>>> I am under the impression that in order to get full failover support,
>>>> all DC's need to have listed themselves as SOA. This is also what
>>>> Google tells me:
>>>>
>>>> http://serverfault.com/questions/285021/in-a-2-dc-environment-should-both-dcs-host-ad-integrated-primary-zones-to-ensur
>>>>
>>>> So, I would like to change the SOA, but the Microsoft MMC DNS tools
>>>> don't let me do that, I'm getting
>>>> "The start of authority (SOA) record cannot be updated. The record does
>>>> not exist."
>>>>
>>>> I'm not sure what the correct 4.1.7 samba-tool line should be:
>>>>
>>>>>  samba-tool dns update <server> <zone> <name>
>>>>> <A|AAAA|PTR|CNAME|NS|MX|SOA|SRV|TXT> <olddata> <newdata>
>>>>
>>>>
>>>> I'm unsure about <olddata> and <newdata>. Here is my current SOA, I
>>>> should replace <olddata> with this:
>>>>
>>>> SOA: serial=3, refresh=900, retry=600, expire=86400, minttl=0,
>>>> ns=dc1.samba.company.com., email=hostmaster.samba.company.com.
>>>> (flags=600000f0, serial=3, ttl=3600)
>>>>
>>>> Would this translate into something like:
>>>>
>>>>> samba-tool dns update dc3.samba.company.com samba.company.com
>>>>> samba.company.com SOA dc1.samba.company.com. dc3.samba.company.com.
>>>>> hostmaster.samba.company.com. 4 900 600 86400 0 -U username
>>>>
>>>> This can never be right? (and yes, I've tried it on my testserver, and
>>>> it does not work, getting "ERROR: Data requires 7 elements -
>>>> nameserver, email, serial refresh, retry, expire, minimumttl")
>>>>
>>>> Can anyone tell me what the correct magic is? (or: should I even be
>>>> updating the SOA to point to each separate DC at all?)
>>>>
>>>> Regards,
>>>> MJ
>> Hi Mourik,
>>
>> From https://lists.samba.org/archive/samba/2013-August/174946.html
>>
>> > Ah, yes. Apparently this functionality only exists in 4.1 and master,
>> > sorry.
>> > > Should you try and run with that the command syntax is
>> > >
>> > > samba-tool dns update SOA "fqdn_dns fqdn_email serial refresh retry
>> > > expire minimumttl"
>> > >
>> > > HTH,
>> > >
>> > > Kai
>>
>> So i expect in your case <olddata> translates into
>>
>> "dc1.samba.company.com. hostmaster.samba.company.com. 3 900 600 86400 0"
>>
>> and <newdata> into
>>
>> "dc3.samba.company.com. hostmaster.samba.company.com. 3 900 600 86400 0"
>>
>> including the quotation marks.
>>
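Added example, not from the thread or from Samba itself: a small POSIX shell helper that turns the SOA line printed by `samba-tool dns query` into the quoted 7-element string the `update` subcommand expects, then derives the new data with the nameserver and serial replaced. The input line is the one quoted in the thread, joined onto one line; the serial bump to 4 and the `-U username` placeholder follow the author's own attempt and are assumptions, not the thread's answer (Achim's reply kept serial 3).

```shell
#!/bin/sh
# Helpers to build the samba-tool SOA update discussed in the thread.
# Input: the SOA line printed by `samba-tool dns query <dc> <zone> <zone> SOA`,
# joined onto one line (constructed here from the thread's quoted output).

soa_field() {
    # $1 = field name, $2 = SOA line. Split on ", " and print the first
    # "name=value" hit (serial= appears twice, once in the flags part).
    printf '%s\n' "$2" | tr ', ' '\n\n' | sed -n "s/^$1=//p" | head -n 1
}

soa_update_data() {
    # Print the 7-element string samba-tool dns update expects for SOA:
    # "ns email serial refresh retry expire minttl"
    line=$1
    printf '%s %s %s %s %s %s %s\n' \
        "$(soa_field ns "$line")"     "$(soa_field email "$line")" \
        "$(soa_field serial "$line")" "$(soa_field refresh "$line")" \
        "$(soa_field retry "$line")"  "$(soa_field expire "$line")" \
        "$(soa_field minttl "$line")"
}

soa_new_data() {
    # $1 = old 7-element string, $2 = new nameserver (with trailing dot),
    # $3 = new serial. The email field and the timers are carried over.
    set -- "$2" "$3" $1
    printf '%s %s %s %s %s %s %s\n' "$1" "$4" "$2" "$6" "$7" "$8" "$9"
}

soa_update_cmd() {
    # $1 = DC to update, $2 = zone, $3 = olddata, $4 = newdata.
    # For the zone apex the record name is the zone itself; the two data
    # strings are passed quoted, as Achim's reply explains. "username"
    # is a placeholder, as in the thread (assumption).
    printf 'samba-tool dns update %s %s %s SOA "%s" "%s" -U username\n' \
        "$1" "$2" "$2" "$3" "$4"
}

# Constructed sample: the thread's query output on one line.
SOA_LINE='SOA: serial=3, refresh=900, retry=600, expire=86400, minttl=0, ns=dc1.samba.company.com., email=hostmaster.samba.company.com. (flags=600000f0, serial=3, ttl=3600)'
OLD=$(soa_update_data "$SOA_LINE")
NEW=$(soa_new_data "$OLD" dc3.samba.company.com. 4)
soa_update_cmd dc3.samba.company.com samba.company.com "$OLD" "$NEW"
```

The printed command is only built, not executed; check the two quoted strings against `samba-tool dns query` output on the target DC before running it.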

