[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

James lingpanda101 at gmail.com
Thu Dec 10 12:58:23 UTC 2015


On 12/10/2015 6:55 AM, Rowland penny wrote:
> On 10/12/15 10:54, Rowland penny wrote:
>> On 10/12/15 10:44, L.P.H. van Belle wrote:
>>> Hai,
>>>
>>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>>
>>> This is IMO a bug, I don't know if this is by design for Samba,
>>> so maybe a Samba dev can answer this since every joined DC should 
>>> have an NS record on the SOA as far as I know, but that's my opinion 
>>> and I can be wrong here.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>>> Sent: Thursday 10 December 2015 10:41
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>>> initially fails when PDC is offline
>>>>
>>>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>>>> I was wondering why because in a full windows domain, every DC has 
>>>>> an NS
>>>> record.
>>>>>
>>>> When you join a DC, the basic info is added to AD and then when the
>>>> samba daemon is started, samba_dnsupdate is run, this uses the file
>>>> dns_update_list to add (if required) various dns records. Guess 
>>>> what dns
>>>> records are not in that file?
>>>>
>>>> However, even if you add the missing NS records to the SOA records, if
>>>> you use the internal dns server, you will still only have one NS, this
>>>> appears to be your first DC. I am beginning to think that if you have
>>>> more than one DC, you should forget the internal DNS server and use
>>>> BIND_DLZ instead.
>>>>
>>>> Rowland
>>>>
>>>>
>>>
>>>
>>
>> When I can figure out how to get into the new GitHub setup, I will be 
>> proposing a patch for this, it just needs three lines adding to 
>> dns_update_list.
>>
>> Rowland
>>
>
> If anybody is interested, this is the results of my testing, first 
> here are the results of adding an NS record to the dns domain SOA 
> record for the second DC on a domain using the internal dns server:
>
> root at testdc1:~# dig SOA +multiline home.lan
>
> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, 
> ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;home.lan.        IN SOA
>
> ;; ANSWER SECTION:
> home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
>                 1          ; serial
>                 900        ; refresh (15 minutes)
>                 600        ; retry (10 minutes)
>                 86400      ; expire (1 day)
>                 3600       ; minimum (1 hour)
>                 )
>
> ;; Query time: 28 msec
> ;; SERVER: 192.168.0.241#53(192.168.0.241)
> ;; WHEN: Thu Dec 10 11:35:46 GMT 2015
> ;; MSG SIZE  rcvd: 81
>
> root at testdc2:~# dig SOA +multiline home.lan
>
> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, 
> ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;home.lan.        IN SOA
>
> ;; ANSWER SECTION:
> home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
>                 1          ; serial
>                 900        ; refresh (15 minutes)
>                 600        ; retry (10 minutes)
>                 86400      ; expire (1 day)
>                 3600       ; minimum (1 hour)
>                 )
>
> ;; Query time: 56 msec
> ;; SERVER: 192.168.0.240#53(192.168.0.240)
> ;; WHEN: Thu Dec 10 11:36:14 GMT 2015
> ;; MSG SIZE  rcvd: 81
>
> As you can see, even though each DC is using the other DC as its 
> nameserver in /etc/resolv.conf, they both return the same info. Now 
> compare that with the info from a domain that uses bind9 as the dns 
> server:
>
> root at dc1:~# dig SOA +multiline samdom.example.com
>
> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;samdom.example.com.    IN SOA
>
> ;; ANSWER SECTION:
> samdom.example.com.    3600 IN    SOA dc2.samdom.example.com. 
> hostmaster.samdom.example.com. (
>                 101        ; serial
>                 900        ; refresh (15 minutes)
>                 600        ; retry (10 minutes)
>                 86400      ; expire (1 day)
>                 3600       ; minimum (1 hour)
>                 )
>
> ;; AUTHORITY SECTION:
> samdom.example.com.    900 IN NS dc1.samdom.example.com.
> samdom.example.com.    900 IN NS dc2.samdom.example.com.
>
> ;; ADDITIONAL SECTION:
> dc1.samdom.example.com.    900 IN A 192.168.0.5
> dc2.samdom.example.com.    900 IN A 192.168.0.6
>
> ;; Query time: 7 msec
> ;; SERVER: 192.168.0.6#53(192.168.0.6)
> ;; WHEN: Thu Dec 10 11:41:22 GMT 2015
> ;; MSG SIZE  rcvd: 162
>
> root at dc2:~# dig SOA +multiline samdom.example.com
>
> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;samdom.example.com.    IN SOA
>
> ;; ANSWER SECTION:
> samdom.example.com.    3600 IN    SOA dc1.samdom.example.com. 
> hostmaster.samdom.example.com. (
>                 101        ; serial
>                 900        ; refresh (15 minutes)
>                 600        ; retry (10 minutes)
>                 86400      ; expire (1 day)
>                 3600       ; minimum (1 hour)
>                 )
>
> ;; AUTHORITY SECTION:
> samdom.example.com.    900 IN NS dc1.samdom.example.com.
> samdom.example.com.    900 IN NS dc2.samdom.example.com.
>
> ;; ADDITIONAL SECTION:
> dc1.samdom.example.com.    900 IN A 192.168.0.5
> dc2.samdom.example.com.    900 IN A 192.168.0.6
>
> ;; Query time: 2 msec
> ;; SERVER: 192.168.0.5#53(192.168.0.5)
> ;; WHEN: Thu Dec 10 11:41:29 GMT 2015
> ;; MSG SIZE  rcvd: 162
>
> You get a lot more info and each DC is shown as being authoritative for 
> the dns domain.
>
> Now, I am no expert when it comes to dns, but using bind9 looks a 
> better idea to me :-)
>
> Rowland
>
Rowland,

If I remember correctly, you swapped the order of the DCs in your 
resolv.conf to get these results? Can you see what happens if you were 
to leave the resolv.conf order alone and temporarily bring one of the 
DCs down?

-- 
-James
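The check the thread is circling around, whether every joined DC is actually registered as an NS for the AD DNS zone, can be scripted against the same `dig +multiline` output Rowland pasted. The script below is an added example and not code from the thread or from the Samba project: it parses the SOA primary (MNAME) and all NS records out of dig output and reports which expected DCs are missing. The two sample outputs are constructed to mirror the thread's two cases (internal DNS with only the first DC listed as NS, and BIND9 with both DCs listed); `run_dig` is a hypothetical helper for running the check live and is not exercised by the samples.

```python
"""Audit whether every AD DC appears as an NS record for the AD DNS zone.

Added example, not from the samba mailing-list thread or the Samba project.
It parses `dig +multiline` output, the same format quoted in the thread,
and flags DCs that are absent from the zone's NS set.
"""
import re
import subprocess

# Constructed sample, modelled on the thread's internal-DNS case: the first
# DC (testdc1) is the SOA primary and the only NS record in the zone.
SAMPLE_INTERNAL = """\
;; QUESTION SECTION:
;home.lan.        IN SOA

;; ANSWER SECTION:
home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
                1          ; serial
                900        ; refresh (15 minutes)
                600        ; retry (10 minutes)
                86400      ; expire (1 day)
                3600       ; minimum (1 hour)
                )

;; AUTHORITY SECTION:
home.lan.        900 IN NS testdc1.home.lan.
"""

# Constructed sample, modelled on the thread's BIND9 case: both DCs are
# listed as NS, and the SOA primary happens to be dc2.
SAMPLE_BIND = """\
;; QUESTION SECTION:
;samdom.example.com.    IN SOA

;; ANSWER SECTION:
samdom.example.com.    3600 IN    SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
                101        ; serial
                900        ; refresh (15 minutes)
                600        ; retry (10 minutes)
                86400      ; expire (1 day)
                3600       ; minimum (1 hour)
                )

;; AUTHORITY SECTION:
samdom.example.com.    900 IN NS dc1.samdom.example.com.
samdom.example.com.    900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.    900 IN A 192.168.0.5
dc2.samdom.example.com.    900 IN A 192.168.0.6
"""

# "<owner> <ttl> IN SOA <mname> ..." : capture the primary name server.
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)", re.M)
# "<owner> <ttl> IN NS <nsdname>" : capture the NS target, wherever it appears.
NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)", re.M)


def _norm(name):
    """Canonical form for comparison: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def soa_primary(dig_output):
    """Return the zone's SOA MNAME, or None if no SOA record was found."""
    m = SOA_RE.search(dig_output)
    return _norm(m.group(1)) if m else None


def zone_nameservers(dig_output):
    """Return the set of NS targets present in the dig output."""
    return {_norm(ns) for _owner, ns in NS_RE.findall(dig_output)}


def missing_nameservers(dig_output, expected_dcs):
    """DCs that should be NS for the zone but are not listed."""
    present = zone_nameservers(dig_output)
    return sorted(_norm(dc) for dc in expected_dcs if _norm(dc) not in present)


def audit_zone(dig_output, expected_dcs):
    """Summarise the zone's delegation state for the given list of DCs."""
    missing = missing_nameservers(dig_output, expected_dcs)
    return {
        "primary": soa_primary(dig_output),
        "nameservers": sorted(zone_nameservers(dig_output)),
        "missing": missing,
        "ok": not missing,
    }


def run_dig(zone, rrtype="NS", server=None):
    """Hypothetical live helper (assumption: dig is installed); not run here."""
    cmd = ["dig", rrtype, "+multiline", zone]
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, out, dcs in (
        ("internal DNS", SAMPLE_INTERNAL, ["testdc1.home.lan", "testdc2.home.lan"]),
        ("bind9", SAMPLE_BIND, ["dc1.samdom.example.com", "dc2.samdom.example.com"]),
    ):
        print(label, audit_zone(out, dcs))
```

For a live check you would run it once per DC (`run_dig(zone, server=dc_ip)`) so that each DC's view of the zone is audited, which is what James is asking Rowland to test by taking one DC down without reordering resolv.conf.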



