[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland penny
rpenny at samba.org
Thu Dec 10 13:11:21 UTC 2015
On 10/12/15 12:58, James wrote:
> On 12/10/2015 6:55 AM, Rowland penny wrote:
>> On 10/12/15 10:54, Rowland penny wrote:
>>> On 10/12/15 10:44, L.P.H. van Belle wrote:
>>>> Hai,
>>>>
>>>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>>>
>>>> This is imo a bug, I don't know if this is by design for samba,
>>>> so maybe a samba dev can answer this since every joined DC should
>>>> have a NS record on the SOA as far as I know, but that's my opinion
>>>> and I can be wrong here.
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland
>>>>> penny
>>>>> Sent: Thursday 10 December 2015 10:41
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>>>> initially fails when PDC is offline
>>>>>
>>>>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>>>>> I was wondering why because in a full windows domain, every DC
>>>>>> has an NS
>>>>> record.
>>>>>>
>>>>> When you join a DC, the basic info is added to AD and then when the
>>>>> samba daemon is started, samba_dnsupdate is run, this uses the file
>>>>> dns_update_list to add (if required) various dns records. Guess
>>>>> what dns
>>>>> records are not in that file?
>>>>>
>>>>> However, even if you add the missing NS records to the SOA
>>>>> records, if
>>>>> you use the internal dns server, you will still only have one NS,
>>>>> this
>>>>> appears to be your first DC. I am beginning to think that if you have
>>>>> more than one DC, you should forget the internal DNS server and use
>>>>> BIND_DLZ instead.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>> When I can figure how to get into the new GitHub setup, I will be
>>> proposing a patch for this, it just needs three lines adding to
>>> dns_update_list.
>>>
>>> Rowland
>>>
>>
>> If anybody is interested, these are the results of my testing. First,
>> here are the results of adding an NS record to the dns domain SOA
>> record for the second DC on a domain using the internal dns server:
>>
>> root at testdc1:~# dig SOA +multiline home.lan
>>
>> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
>> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;home.lan. IN SOA
>>
>> ;; ANSWER SECTION:
>> home.lan. 3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
>> 1 ; serial
>> 900 ; refresh (15 minutes)
>> 600 ; retry (10 minutes)
>> 86400 ; expire (1 day)
>> 3600 ; minimum (1 hour)
>> )
>>
>> ;; Query time: 28 msec
>> ;; SERVER: 192.168.0.241#53(192.168.0.241)
>> ;; WHEN: Thu Dec 10 11:35:46 GMT 2015
>> ;; MSG SIZE rcvd: 81
>>
>> root at testdc2:~# dig SOA +multiline home.lan
>>
>> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
>> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;home.lan. IN SOA
>>
>> ;; ANSWER SECTION:
>> home.lan. 3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
>> 1 ; serial
>> 900 ; refresh (15 minutes)
>> 600 ; retry (10 minutes)
>> 86400 ; expire (1 day)
>> 3600 ; minimum (1 hour)
>> )
>>
>> ;; Query time: 56 msec
>> ;; SERVER: 192.168.0.240#53(192.168.0.240)
>> ;; WHEN: Thu Dec 10 11:36:14 GMT 2015
>> ;; MSG SIZE rcvd: 81
>>
>> As you can see, even though each DC is using the other DC as its
>> nameserver in /etc/resolv.conf, they both return the same info. Now
>> compare that with the info from a domain that uses bind9 as the dns
>> server:
>>
>> root at dc1:~# dig SOA +multiline samdom.example.com
>>
>> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;samdom.example.com. IN SOA
>>
>> ;; ANSWER SECTION:
>> samdom.example.com. 3600 IN SOA dc2.samdom.example.com.
>> hostmaster.samdom.example.com. (
>> 101 ; serial
>> 900 ; refresh (15 minutes)
>> 600 ; retry (10 minutes)
>> 86400 ; expire (1 day)
>> 3600 ; minimum (1 hour)
>> )
>>
>> ;; AUTHORITY SECTION:
>> samdom.example.com. 900 IN NS dc1.samdom.example.com.
>> samdom.example.com. 900 IN NS dc2.samdom.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1.samdom.example.com. 900 IN A 192.168.0.5
>> dc2.samdom.example.com. 900 IN A 192.168.0.6
>>
>> ;; Query time: 7 msec
>> ;; SERVER: 192.168.0.6#53(192.168.0.6)
>> ;; WHEN: Thu Dec 10 11:41:22 GMT 2015
>> ;; MSG SIZE rcvd: 162
>>
>> root at dc2:~# dig SOA +multiline samdom.example.com
>>
>> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;samdom.example.com. IN SOA
>>
>> ;; ANSWER SECTION:
>> samdom.example.com. 3600 IN SOA dc1.samdom.example.com.
>> hostmaster.samdom.example.com. (
>> 101 ; serial
>> 900 ; refresh (15 minutes)
>> 600 ; retry (10 minutes)
>> 86400 ; expire (1 day)
>> 3600 ; minimum (1 hour)
>> )
>>
>> ;; AUTHORITY SECTION:
>> samdom.example.com. 900 IN NS dc1.samdom.example.com.
>> samdom.example.com. 900 IN NS dc2.samdom.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1.samdom.example.com. 900 IN A 192.168.0.5
>> dc2.samdom.example.com. 900 IN A 192.168.0.6
>>
>> ;; Query time: 2 msec
>> ;; SERVER: 192.168.0.5#53(192.168.0.5)
>> ;; WHEN: Thu Dec 10 11:41:29 GMT 2015
>> ;; MSG SIZE rcvd: 162
>>
>> You get a lot more info and each DC is shown as being authoritative
>> for the dns domain.
>>
>> Now, I am no expert when it comes to dns, but using bind9 looks a
>> better idea to me :-)
>>
>> Rowland
>>
> Rowland,
>
> If I remember correctly you swapped the order of the DCs in your
> resolv.conf to get these results? Can you see what happens if you were
> to leave the resolv.conf order alone and temporarily bring one of the
> DCs down?
>
OK, stopped samba on dc1:

root at dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7191
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com. IN SOA

;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA dc1.samdom.example.com.
hostmaster.samdom.example.com. (
101 ; serial
900 ; refresh (15 minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
3600 ; minimum (1 hour)
)

;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc2.samdom.example.com.
samdom.example.com. 900 IN NS dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Dec 10 13:05:20 GMT 2015
;; MSG SIZE rcvd: 162

Hmm, still using bind on dc1, back to dc1 and stopped bind9:

root at dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60862
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com. IN SOA

;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA dc2.samdom.example.com.
hostmaster.samdom.example.com. (
101 ; serial
900 ; refresh (15 minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
3600 ; minimum (1 hour)
)

;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc2.samdom.example.com.
samdom.example.com. 900 IN NS dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 7 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Thu Dec 10 13:06:24 GMT 2015
;; MSG SIZE rcvd: 162

It is now using itself as the NS.

Rowland
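A small check that follows from this thread (added here; it is not code from the thread or from Samba): it parses `dig SOA +multiline` replies of the shape quoted above and reports, per DC, whether the reply is authoritative, whether the SOA MNAME is one of the known DCs, and which DCs are missing from the zone's NS RRset. The two replies and the DC lists are constructed samples modelled on the ones in the messages above.

```python
import re

# Constructed samples modelled on the two kinds of reply quoted in the thread:
# the internal DNS server answers with an empty AUTHORITY section, while the
# BIND9_DLZ domain lists both DCs as NS. Records are abbreviated to what is parsed.
INTERNAL_DNS_REPLY = """\
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
home.lan. 3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
                                1 ; serial
                                )
"""
BIND_DLZ_REPLY = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; ANSWER SECTION:
samdom.example.com. 3600 IN SOA dc2.samdom.example.com.
                                hostmaster.samdom.example.com. (
                                101 ; serial
                                )
;; AUTHORITY SECTION:
samdom.example.com. 900 IN NS dc1.samdom.example.com.
samdom.example.com. 900 IN NS dc2.samdom.example.com.
"""

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)", re.M)
NS_RE = re.compile(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)", re.M)

def parse_dig(text):
    """Return (aa flag set, SOA MNAME, set of NS targets) from `dig SOA +multiline` output."""
    m = FLAGS_RE.search(text)
    authoritative = bool(m and "aa" in m.group(1).split())
    soa = SOA_RE.search(text)
    mname = soa.group(1).lower() if soa else None
    return authoritative, mname, {n.lower() for n in NS_RE.findall(text)}

def audit_reply(text, expected_dcs):
    """Findings for one DC's reply (empty list = healthy). expected_dcs: FQDNs with trailing dot."""
    authoritative, mname, ns = parse_dig(text)
    expected = {d.lower() for d in expected_dcs}
    findings = []
    if not authoritative:
        findings.append("reply is not authoritative (no aa flag)")
    if mname not in expected:
        findings.append(f"SOA MNAME {mname!r} is not one of the expected DCs")
    for dc in sorted(expected - ns):  # every joined DC should be in the NS RRset
        findings.append(f"{dc} is missing from the NS RRset")
    return findings
```

Run `audit_reply()` over the output of `dig SOA +multiline <zone>` taken against each DC in turn; an empty list for every DC means each one is authoritative and all DCs are listed as NS.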