[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Thu Dec 10 11:55:55 UTC 2015


On 10/12/15 10:54, Rowland penny wrote:
> On 10/12/15 10:44, L.P.H. van Belle wrote:
>> Hai,
>>
>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>
>> This is imo a bug, I don't know if this is by design for Samba,
>> so maybe a Samba dev can answer this since every joined DC should
>> have an NS record on the SOA as far as I know, but that's my opinion
>> and I can be wrong here.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>> Sent: Thursday 10 December 2015 10:41
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>> initially fails when PDC is offline
>>>
>>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>>> I was wondering why because in a full windows domain, every DC has
>>>> an NS record.
>>>>
>>> When you join a DC, the basic info is added to AD and then when the
>>> samba daemon is started, samba_dnsupdate is run, this uses the file
>>> dns_update_list to add (if required) various dns records. Guess what
>>> dns records are not in that file?
>>>
>>> However, even if you add the missing NS records to the SOA records, if
>>> you use the internal dns server, you will still only have one NS, this
>>> appears to be your first DC. I am beginning to think that if you have
>>> more than one DC, you should forget the internal DNS server and use
>>> BIND_DLZ instead.
>>>
>>> Rowland
>>>
>>>
>>
>>
>
> When I can figure how to get into the new GitHub setup, I will be
> proposing a patch for this, it just needs three lines adding to
> dns_update_list.
>
> Rowland
>

If anybody is interested, these are the results of my testing. First here
are the results of adding an NS record to the dns domain SOA record for
the second DC on a domain using the internal dns server:

root at testdc1:~# dig SOA +multiline home.lan

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.        IN SOA

;; ANSWER SECTION:
home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
                 1          ; serial
                 900        ; refresh (15 minutes)
                 600        ; retry (10 minutes)
                 86400      ; expire (1 day)
                 3600       ; minimum (1 hour)
                 )

;; Query time: 28 msec
;; SERVER: 192.168.0.241#53(192.168.0.241)
;; WHEN: Thu Dec 10 11:35:46 GMT 2015
;; MSG SIZE  rcvd: 81

root at testdc2:~# dig SOA +multiline home.lan

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.        IN SOA

;; ANSWER SECTION:
home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
                 1          ; serial
                 900        ; refresh (15 minutes)
                 600        ; retry (10 minutes)
                 86400      ; expire (1 day)
                 3600       ; minimum (1 hour)
                 )

;; Query time: 56 msec
;; SERVER: 192.168.0.240#53(192.168.0.240)
;; WHEN: Thu Dec 10 11:36:14 GMT 2015
;; MSG SIZE  rcvd: 81

As you can see, even though each DC is using the other DC as its
nameserver in /etc/resolv.conf, they both return the same info. Now
compare that with the info from a domain that uses bind9 as the dns server:

root at dc1:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.    IN SOA

;; ANSWER SECTION:
samdom.example.com.    3600 IN    SOA dc2.samdom.example.com. 
hostmaster.samdom.example.com. (
                 101        ; serial
                 900        ; refresh (15 minutes)
                 600        ; retry (10 minutes)
                 86400      ; expire (1 day)
                 3600       ; minimum (1 hour)
                 )

;; AUTHORITY SECTION:
samdom.example.com.    900 IN NS dc1.samdom.example.com.
samdom.example.com.    900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.    900 IN A 192.168.0.5
dc2.samdom.example.com.    900 IN A 192.168.0.6

;; Query time: 7 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Thu Dec 10 11:41:22 GMT 2015
;; MSG SIZE  rcvd: 162

root at dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.    IN SOA

;; ANSWER SECTION:
samdom.example.com.    3600 IN    SOA dc1.samdom.example.com. 
hostmaster.samdom.example.com. (
                 101        ; serial
                 900        ; refresh (15 minutes)
                 600        ; retry (10 minutes)
                 86400      ; expire (1 day)
                 3600       ; minimum (1 hour)
                 )

;; AUTHORITY SECTION:
samdom.example.com.    900 IN NS dc1.samdom.example.com.
samdom.example.com.    900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.    900 IN A 192.168.0.5
dc2.samdom.example.com.    900 IN A 192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Dec 10 11:41:29 GMT 2015
;; MSG SIZE  rcvd: 162

You get a lot more info and each DC is shown as being authoritative for
the dns domain.

Now, I am no expert when it comes to dns, but using bind9 looks a better 
idea to me :-)

Rowland
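The gap the thread describes (a joined DC that never gets an NS record for the zone) is easy to check for after each join. The following POSIX shell script is an added example, not part of this thread or of Samba's own tooling: it parses `dig` output for NS records and reports which of a given list of DCs are missing from the zone's NS set. The zone, DC names and the embedded sample records are constructed from the output quoted above; `check_dc` runs the same check live against a DC of your choosing.

```shell
#!/bin/sh
# Added example: verify that every DC of an AD zone appears as an NS
# for that zone. Names and sample records below are constructed.

# Read dig output on stdin and print the NS targets it contains, one
# per line, lowercased, trailing dot removed, de-duplicated.
# Works on both ANSWER and AUTHORITY section lines; comment lines
# (starting with ';') and the multiline SOA body are ignored.
ns_from_dig() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "NS" { print tolower($5) }' \
      | sed 's/\.$//' | sort -u
}

# missing_ns DIG_OUTPUT DC_FQDN...
# Print the expected DCs that have no NS record in DIG_OUTPUT,
# space-separated on one line (empty line when none are missing).
missing_ns() {
    output=$1; shift
    found=$(printf '%s\n' "$output" | ns_from_dig)
    missing=""
    for dc in "$@"; do
        lc=$(printf '%s' "$dc" | tr 'A-Z' 'a-z' | sed 's/\.$//')
        if ! printf '%s\n' "$found" | grep -qxF "$lc"; then
            missing="$missing $lc"
        fi
    done
    printf '%s\n' "${missing# }"
}

# check_dc SERVER ZONE DC_FQDN...
# Live check: ask SERVER for the zone's NS records and fail (exit 1)
# if any listed DC is absent. Requires dig and network access.
check_dc() {
    server=$1; zone=$2; shift 2
    gap=$(missing_ns "$(dig @"$server" NS "$zone" +noall +answer +authority)" "$@")
    if [ -n "$gap" ]; then
        echo "zone $zone at $server is missing NS for: $gap" >&2
        return 1
    fi
    echo "zone $zone at $server lists all expected DCs as NS"
}

# Constructed sample modelled on the bind9 AUTHORITY section above:
# both DCs are listed as NS.
SAMPLE_BIND='samdom.example.com.    900 IN NS dc1.samdom.example.com.
samdom.example.com.    900 IN NS dc2.samdom.example.com.'

# Constructed sample modelled on the internal-DNS output above:
# an SOA answer with no NS records at all.
SAMPLE_INTERNAL=';; ANSWER SECTION:
home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
                 1          ; serial
                 3600       ; minimum (1 hour)
                 )'

# Offline demonstration on the constructed samples.
echo "bind9 sample, missing: [$(missing_ns "$SAMPLE_BIND" dc1.samdom.example.com dc2.samdom.example.com)]"
echo "internal sample, missing: [$(missing_ns "$SAMPLE_INTERNAL" testdc1.home.lan testdc2.home.lan)]"

# Live usage (uncomment and adjust): check_dc 192.168.0.5 samdom.example.com dc1.samdom.example.com dc2.samdom.example.com
```

Run it from cron or as a post-join step on each DC; a non-empty "missing" list for a DC that has finished `samba_dnsupdate` is exactly the symptom discussed in this thread and is worth alerting on, because clients that are handed only the failed DC's address in an NS referral will not authenticate while it is down.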


