[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

mathias dufresne infractory at gmail.com
Wed Dec 2 11:59:43 UTC 2015


Rowland,

What did you set up as DNS? Samba + Bind + DLZ?
If yes, the fact that your two DNS servers are replying "I am SOA" is a feature of
Bind9 or of the DLZ patch.

That's important, as a standard Samba AD deployed without Bind uses the
LDAP-defined entry for the SOA. Asking the five Samba DCs I have here who is SOA,
they all replied with the same server, the one declared in the SOA LDAP entry.
Of course all DCs are declared as NS in that zone.

That behavior is the same for the SAMBA.DOMAIN.TLD zone and for the
_msdcs.SAMBA.DOMAIN.TLD zone.

And where the SOA is matters, as samba_dnsupdate sometimes uses that SOA to
guess where to push changes. I'm absolutely sure of that because I started to
take an interest in the SOA after samba_dnsupdate complained about my SOA, which
was not pointing to the right server.


2015-12-02 11:57 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 02/12/15 10:31, mj wrote:
>
>> I can find on the internet multiple instances of 'every DC running DNS
>>> should have an SOA record', but I cannot find any concrete examples of an
>>> ldif that shows this. Does each DC have a separate SOA record in AD, or
>>> is there just one SOA record and the DC just claims to be the SOA, or is
>>> there just one SOA record with an NS record for each DC? Samba would
>>> seem to be the latter, but I am struggling with adding the NS record for
>>> a new DC during the join. I think what happens is that the NS record
>>> does get added, but is wiped out when replication kicks in. It is very
>>> easy to add the NS record after the join with samba-tool.
>>>
>>> Rowland
>>>
>> Hi,
>>
>> I remember vaguely that someone once told me that MS DCs always announce
>> themselves as the SOA if asked. If they always reply that, perhaps there is
>> no need for it to actually be in the database (so it would perhaps not show
>> up in an ldif).
>>
>> MJ
>>
>>
> This is what I think happens and if this is the case, then samba itself
> will have to do this, but I have added an NS record for the 2nd DC to the
> SOA record with samba-tool and if I use nslookup I get this:
>
> nslookup
> > set querytype=soa
> > samdom.example.com
> Server:        192.168.0.5
> Address:    192.168.0.5#53
>
> samdom.example.com
>     origin = dc1.samdom.example.com
>     mail addr = hostmaster.samdom.example.com
>     serial = 101
>     refresh = 900
>     retry = 600
>     expire = 86400
>     minimum = 3600
>
> If I then exit from nslookup and swap the nameservers in /etc/resolv.conf
> and rerun nslookup, I get this:
>
> nslookup
> > set querytype=soa
> > samdom.example.com
> Server:        192.168.0.6
> Address:    192.168.0.6#53
>
> samdom.example.com
>     origin = dc2.samdom.example.com
>     mail addr = hostmaster.samdom.example.com
>     serial = 101
>     refresh = 900
>     retry = 600
>     expire = 86400
>     minimum = 3600
>
> Which, to me, says that both DCs are authoritative for the domain, if this
> is correct, I just need to find a way of adding the NS record during the
> join.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
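
The thread turns on what each DC answers to an SOA query and whether every DC is listed as NS. The script below is an added example, not Samba code and not anything from the posters: it parses nslookup "querytype=soa" answers captured from each DC, tells apart the two behaviours discussed (every DC repeating one LDAP-defined origin, versus each DC naming itself), reports DCs missing from the NS set, and flags SOA origins that point at an offline DC, which matters if samba_dnsupdate pushes changes to the origin as described above. The sample answers are constructed from the output quoted in the thread, and the mapping from server IP to DC name is an assumption for the example.

```python
"""Check SOA origin and NS coverage across Samba AD DCs (added example)."""
import re
from typing import Dict, Iterable, Set, Tuple

# nslookup prints "Server:  <ip>" and, for an SOA answer, "origin = <mname>".
SERVER_RE = re.compile(r"^Server:\s+(\S+)", re.MULTILINE)
ORIGIN_RE = re.compile(r"^\s*origin\s*=\s*(\S+)", re.MULTILINE)

# Assumed mapping of the queried server IP to the DC hostname (not from the page).
DC_BY_IP = {
    "192.168.0.5": "dc1.samdom.example.com",
    "192.168.0.6": "dc2.samdom.example.com",
}

# Constructed nslookup answers, modelled on the two quoted in the thread.
ANSWER_DC1 = """\
Server:        192.168.0.5
Address:    192.168.0.5#53

samdom.example.com
    origin = dc1.samdom.example.com
    mail addr = hostmaster.samdom.example.com
    serial = 101
"""
ANSWER_DC2 = """\
Server:        192.168.0.6
Address:    192.168.0.6#53

samdom.example.com
    origin = dc2.samdom.example.com
    mail addr = hostmaster.samdom.example.com
    serial = 101
"""


def _norm(name: str) -> str:
    """Strip a trailing dot and lower-case so names compare reliably."""
    return name.rstrip(".").lower()


def parse_soa_answer(text: str) -> Tuple[str, str]:
    """Return (server_ip, soa_origin) from one nslookup SOA answer."""
    server = SERVER_RE.search(text)
    origin = ORIGIN_RE.search(text)
    if not server or not origin:
        raise ValueError("not an nslookup SOA answer")
    return server.group(1), _norm(origin.group(1))


def origins_from_answers(answers: Iterable[str]) -> Dict[str, str]:
    """Map each answering DC (by name) to the SOA origin it returned."""
    result = {}
    for text in answers:
        ip, origin = parse_soa_answer(text)
        result[DC_BY_IP.get(ip, ip)] = origin
    return result


def classify_soa(origins_by_dc: Dict[str, str]) -> str:
    """'single-origin': every DC returns the same MNAME (one SOA entry in AD).
    'self-origin': each DC names itself (what Rowland saw with two DCs).
    'mixed': anything else, worth investigating."""
    if len(set(origins_by_dc.values())) == 1:
        return "single-origin"
    if all(origin == _norm(dc) for dc, origin in origins_by_dc.items()):
        return "self-origin"
    return "mixed"


def missing_ns(dcs: Set[str], ns_records: Set[str]) -> Set[str]:
    """DCs that have no NS record in the zone (the join problem in the thread)."""
    present = {_norm(n) for n in ns_records}
    return {dc for dc in dcs if _norm(dc) not in present}


def origins_pointing_offline(origins_by_dc: Dict[str, str], offline: Set[str]) -> Set[str]:
    """SOA origins that name a DC currently offline; dynamic updates sent
    to that origin would fail even though other DCs are up."""
    down = {_norm(d) for d in offline}
    return {o for o in origins_by_dc.values() if o in down}


if __name__ == "__main__":
    origins = origins_from_answers([ANSWER_DC1, ANSWER_DC2])
    print("SOA behaviour:", classify_soa(origins))
    print("DCs missing NS:", missing_ns(set(DC_BY_IP.values()), {"dc1.samdom.example.com."}))
    print("origins naming an offline DC:",
          origins_pointing_offline(origins, {"dc1.samdom.example.com"}))
```

To run it against real DCs, capture `nslookup -querytype=soa samdom.example.com <dc-ip>` for each DC and feed the outputs to `origins_from_answers`; `missing_ns` takes the NS names returned by a `querytype=ns` query for the same zone.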

