[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland Penny rowlandpenny241155 at gmail.com
Wed Dec 2 12:24:50 UTC 2015


On 02/12/15 11:59, mathias dufresne wrote:
> Rowland,
>
> What did you request as DNS? Samba + Bind + DLZ?
> If yes, the fact that your two DNS servers are replying "I am SOA" is a
> feature of Bind9 or of the DLZ patch.

Yes, I use bind9 with the dlz backend.

>
> That's important, as a standard Samba AD designed without Bind uses the
> LDAP-defined entry for the SOA. Asking the five Samba DCs I have here who is
> SOA, they all replied with the same server, the one declared in the SOA LDAP
> entry. Of course all DCs are declared as NS in that zone.

Not sure if this is a bind9 feature. Does your SOA record have the NS
records for all the DCs? If not, then the first DC will be the only
authoritative server.

>
> That behavior is the same for the SAMBA.DOMAIN.TLD zone and for the
> _msdcs.SAMBA.DOMAIN.TLD zone.
>
> And where the SOA is is important, as samba_dnsupdate sometimes uses that
> SOA to guess where to push changes. I'm absolutely sure of that because I
> started to take an interest in the SOA after samba_dnsupdate complained about
> my SOA, which was not pointing to the right server.
>
>
> 2015-12-02 11:57 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 02/12/15 10:31, mj wrote:
>>
>>> I can find on the internet multiple instances of 'every DC running dns
>>>> should have a SOA record', but I cannot find any concrete examples of an
>>>> ldif that shows this. Does each DC have a separate SOA record in AD, or
>>>> is there just one SOA record and the DC just claims to be the SOA, or is
>>>> there just one SOA record with an NS record for each DC? Samba would
>>>> seem to be the latter, but I am struggling with adding the NS record for
>>>> a new DC during the join. I think what happens is that the NS record
>>>> does get added, but is wiped out when replication kicks in. It is very
>>>> easy to add the NS record after the join with samba-tool.
>>>>
>>>> Rowland
>>>>
>>> Hi,
>>> I remember vaguely that someone once told me that MS DCs always announce
>>> themselves as the soa if asked. If they always reply that, perhaps there is
>>> no need for it to actually be in the database (so it would perhaps not show
>>> up in an ldif)
>>>
>>> MJ
>>>
>>>
>> This is what I think happens and if this is the case, then samba itself
>> will have to do this, but I have added an NS record for the 2nd DC to the
>> SOA record with samba-tool and if I use nslookup I get this:
>>
>> nslookup
>>> set querytype=soa
>>> samdom.example.com
>> Server:        192.168.0.5
>> Address:    192.168.0.5#53
>>
>> samdom.example.com
>>      origin = dc1.samdom.example.com
>>      mail addr = hostmaster.samdom.example.com
>>      serial = 101
>>      refresh = 900
>>      retry = 600
>>      expire = 86400
>>      minimum = 3600
>>
>> If I then exit from nslookup and swap the nameservers in /etc/resolv.conf
>> and rerun nslookup, I get this:
>>
>> nslookup
>>> set querytype=soa
>>> samdom.example.com
>> Server:        192.168.0.6
>> Address:    192.168.0.6#53
>>
>> samdom.example.com
>>      origin = dc2.samdom.example.com
>>      mail addr = hostmaster.samdom.example.com
>>      serial = 101
>>      refresh = 900
>>      retry = 600
>>      expire = 86400
>>      minimum = 3600
>>
>> Which, to me, says that both DCs are authoritative for the domain. If this
>> is correct, I just need to find a way of adding the NS record during the
>> join.
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
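The nslookup sessions quoted above, done programmatically as an added example (not from this thread or from Samba): a raw SOA query is sent to a DC and the answer is parsed for the AA flag (is this server authoritative for the zone?) and the MNAME (which server claims to be primary). A constructed sample answer is included so the parser can be exercised without a DC; server addresses and the samdom.example.com names are placeholders.

```python
import socket
import struct

def encode_name(name):
    return b''.join(bytes([len(l)]) + l.encode() for l in name.strip('.').split('.')) + b'\x00'

def read_name(msg, off):
    # decode a possibly compressed name; return (name, offset just past it in the message)
    labels, end = [], None
    while (ln := msg[off]) != 0:
        if ln & 0xC0 == 0xC0:  # compression pointer: jump, but resume after the pointer
            end = off + 2 if end is None else end
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln
    return '.'.join(labels), (off + 1 if end is None else end)

def soa_query(zone, txid=0x1234):
    # header (id, RD flag, qdcount=1) followed by one question: <zone> type 6 (SOA) class 1 (IN)
    return struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0) + encode_name(zone) + struct.pack('!HH', 6, 1)

def sample_soa_response(zone, mname, serial, aa=True):
    # constructed stand-in for a DC's answer, laid out as a real server sends it (0xc00c points at the question name)
    rdata = encode_name(mname) + encode_name('hostmaster.' + zone) + struct.pack('!5I', serial, 900, 600, 86400, 3600)
    hdr = struct.pack('!HHHHHH', 0x1234, 0x8000 | (0x0400 if aa else 0), 1, 1, 0, 0)
    return hdr + soa_query(zone)[12:] + b'\xc0\x0c' + struct.pack('!HHIH', 6, 1, 3600, len(rdata)) + rdata

def parse_soa_response(msg):
    # return the AA flag plus MNAME (the server claiming to be primary) and serial of the first SOA answer
    _, flags, qd, an, _, _ = struct.unpack('!HHHHHH', msg[:12])
    res, off = {'aa': bool(flags & 0x0400), 'mname': None, 'serial': None}, 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        if rtype == 6:
            res['mname'], o = read_name(msg, off + 10)
            res['serial'] = struct.unpack('!I', msg[read_name(msg, o)[1]:][:4])[0]
            break
        off += 10 + rdlen
    return res

def query_soa(server, zone, timeout=3.0):
    # live check of one DC over UDP/53: each DC should answer with AA set and itself as MNAME
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(soa_query(zone), (server, 53))
        return parse_soa_response(s.recv(4096))
```

Run `query_soa` once per DC address and compare the results: a DC answering without AA is not authoritative for the zone, and serials that differ between DCs point at replication lag.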
