[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Thu Dec 10 13:11:21 UTC 2015


On 10/12/15 12:58, James wrote:
> On 12/10/2015 6:55 AM, Rowland penny wrote:
>> On 10/12/15 10:54, Rowland penny wrote:
>>> On 10/12/15 10:44, L.P.H. van Belle wrote:
>>>> Hai,
>>>>
>>>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>>>
>>>> This is IMO a bug, I don't know if this is by design for samba,
>>>> so maybe a samba dev can answer this, since every joined DC should 
>>>> have an NS record on the SOA as far as I know, but that's my opinion 
>>>> and I can be wrong here.
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland 
>>>>> penny
>>>>> Sent: Thursday 10 December 2015 10:41
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>>>> initially fails when PDC is offline
>>>>>
>>>>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>>>>> I was wondering why because in a full windows domain, every DC 
>>>>>> has an NS
>>>>> record.
>>>>>>
>>>>> When you join a DC, the basic info is added to AD and then when the
>>>>> samba daemon is started, samba_dnsupdate is run; this uses the file
>>>>> dns_update_list to add (if required) various dns records. Guess 
>>>>> what dns
>>>>> records are not in that file?
>>>>>
>>>>> However, even if you add the missing NS records to the SOA 
>>>>> records, if
>>>>> you use the internal dns server, you will still only have one NS; 
>>>>> this
>>>>> appears to be your first DC. I am beginning to think that if you have
>>>>> more than one DC, you should forget the internal DNS server and use
>>>>> BIND_DLZ instead.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>> When I can figure how to get into the new GitHub setup, I will be 
>>> proposing a patch for this, it just needs three lines adding to 
>>> dns_update_list.
>>>
>>> Rowland
>>>
>>
>> If anybody is interested, these are the results of my testing. First, 
>> here are the results of adding an NS record to the dns domain SOA 
>> record for the second DC on a domain using the internal dns server:
>>
>> root at testdc1:~# dig SOA +multiline home.lan
>>
>> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
>> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, 
>> ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;home.lan.        IN SOA
>>
>> ;; ANSWER SECTION:
>> home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
>>                 1          ; serial
>>                 900        ; refresh (15 minutes)
>>                 600        ; retry (10 minutes)
>>                 86400      ; expire (1 day)
>>                 3600       ; minimum (1 hour)
>>                 )
>>
>> ;; Query time: 28 msec
>> ;; SERVER: 192.168.0.241#53(192.168.0.241)
>> ;; WHEN: Thu Dec 10 11:35:46 GMT 2015
>> ;; MSG SIZE  rcvd: 81
>>
>> root at testdc2:~# dig SOA +multiline home.lan
>>
>> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
>> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, 
>> ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;home.lan.        IN SOA
>>
>> ;; ANSWER SECTION:
>> home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
>>                 1          ; serial
>>                 900        ; refresh (15 minutes)
>>                 600        ; retry (10 minutes)
>>                 86400      ; expire (1 day)
>>                 3600       ; minimum (1 hour)
>>                 )
>>
>> ;; Query time: 56 msec
>> ;; SERVER: 192.168.0.240#53(192.168.0.240)
>> ;; WHEN: Thu Dec 10 11:36:14 GMT 2015
>> ;; MSG SIZE  rcvd: 81
>>
>> As you can see, even though each DC is using the other DC as its 
>> nameserver in /etc/resolv.conf, they both return the same info. Now 
>> compare that with the info from a domain that uses bind9 as the dns 
>> server:
>>
>> root at dc1:~# dig SOA +multiline samdom.example.com
>>
>> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;samdom.example.com.    IN SOA
>>
>> ;; ANSWER SECTION:
>> samdom.example.com.    3600 IN    SOA dc2.samdom.example.com. 
>> hostmaster.samdom.example.com. (
>>                 101        ; serial
>>                 900        ; refresh (15 minutes)
>>                 600        ; retry (10 minutes)
>>                 86400      ; expire (1 day)
>>                 3600       ; minimum (1 hour)
>>                 )
>>
>> ;; AUTHORITY SECTION:
>> samdom.example.com.    900 IN NS dc1.samdom.example.com.
>> samdom.example.com.    900 IN NS dc2.samdom.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1.samdom.example.com.    900 IN A 192.168.0.5
>> dc2.samdom.example.com.    900 IN A 192.168.0.6
>>
>> ;; Query time: 7 msec
>> ;; SERVER: 192.168.0.6#53(192.168.0.6)
>> ;; WHEN: Thu Dec 10 11:41:22 GMT 2015
>> ;; MSG SIZE  rcvd: 162
>>
>> root at dc2:~# dig SOA +multiline samdom.example.com
>>
>> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;samdom.example.com.    IN SOA
>>
>> ;; ANSWER SECTION:
>> samdom.example.com.    3600 IN    SOA dc1.samdom.example.com. 
>> hostmaster.samdom.example.com. (
>>                 101        ; serial
>>                 900        ; refresh (15 minutes)
>>                 600        ; retry (10 minutes)
>>                 86400      ; expire (1 day)
>>                 3600       ; minimum (1 hour)
>>                 )
>>
>> ;; AUTHORITY SECTION:
>> samdom.example.com.    900 IN NS dc1.samdom.example.com.
>> samdom.example.com.    900 IN NS dc2.samdom.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1.samdom.example.com.    900 IN A 192.168.0.5
>> dc2.samdom.example.com.    900 IN A 192.168.0.6
>>
>> ;; Query time: 2 msec
>> ;; SERVER: 192.168.0.5#53(192.168.0.5)
>> ;; WHEN: Thu Dec 10 11:41:29 GMT 2015
>> ;; MSG SIZE  rcvd: 162
>>
>> You get a lot more info and each DC is shown as being authoritative 
>> for the dns domain.
>>
>> Now, I am no expert when it comes to dns, but using bind9 looks a 
>> better idea to me :-)
>>
>> Rowland
>>
> Rowland,
>
>     If I remember correctly you swapped the order of the DCs in your 
> resolv.conf to get these results? Can you see what happens if you were 
> to leave the resolv.conf order alone and temporarily bring one of the 
> DCs down?
>

OK, stopped samba on dc1:

root at dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7191
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.    IN SOA

;; ANSWER SECTION:
samdom.example.com.    3600 IN    SOA dc1.samdom.example.com. 
hostmaster.samdom.example.com. (
                 101        ; serial
                 900        ; refresh (15 minutes)
                 600        ; retry (10 minutes)
                 86400      ; expire (1 day)
                 3600       ; minimum (1 hour)
                 )

;; AUTHORITY SECTION:
samdom.example.com.    900 IN NS dc2.samdom.example.com.
samdom.example.com.    900 IN NS dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.    900 IN A 192.168.0.5
dc2.samdom.example.com.    900 IN A 192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Dec 10 13:05:20 GMT 2015
;; MSG SIZE  rcvd: 162

Hmm, still using bind on dc1, back to dc1 and stopped bind9:

root at dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60862
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.    IN SOA

;; ANSWER SECTION:
samdom.example.com.    3600 IN    SOA dc2.samdom.example.com. 
hostmaster.samdom.example.com. (
                 101        ; serial
                 900        ; refresh (15 minutes)
                 600        ; retry (10 minutes)
                 86400      ; expire (1 day)
                 3600       ; minimum (1 hour)
                 )

;; AUTHORITY SECTION:
samdom.example.com.    900 IN NS dc2.samdom.example.com.
samdom.example.com.    900 IN NS dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.    900 IN A 192.168.0.5
dc2.samdom.example.com.    900 IN A 192.168.0.6

;; Query time: 7 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Thu Dec 10 13:06:24 GMT 2015
;; MSG SIZE  rcvd: 162

It is now using itself as the NS.

Rowland
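As an added example that is not code from the thread, here is the check Rowland does by eye, automated: parse captured `dig SOA +multiline` (or `dig NS`) output and report which DCs are absent from the zone's NS records. The host names are assumed and the two captures are constructed, abbreviated from the shapes shown above.

```python
# Added example, not from the thread: host names are assumed, captures constructed.

def parse_dig(text):
    """Return (soa_mname, ns_names) from `dig SOA +multiline` or `dig NS` output."""
    mname = None
    ns = set()
    for raw in text.splitlines():
        line = raw.strip()
        # dig prefixes comments, headers and the QUESTION section with ';'
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if "SOA" in parts:
            # "<zone> <ttl> IN SOA <mname> <rname> (" : mname is the primary master
            idx = parts.index("SOA")
            if idx + 1 < len(parts):
                mname = parts[idx + 1]
        elif len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            # NS lines come from ANSWER (dig NS) or AUTHORITY (dig SOA via bind9)
            ns.add(parts[4])
    return mname, ns

def missing_ns(text, expected_dcs):
    """DCs that should be name servers for the zone but are absent from the output."""
    _, ns = parse_dig(text)
    return sorted(dc for dc in expected_dcs if dc not in ns)

# Constructed capture: Samba internal DNS server, SOA only, AUTHORITY: 0
DIG_INTERNAL = """\
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
home.lan.        3600 IN    SOA testdc1.home.lan. hostmaster.home.lan. (
                1          ; serial
                )
"""

# Constructed capture: BIND_DLZ, both DCs listed in the AUTHORITY section
DIG_BIND = """\
;; ANSWER SECTION:
samdom.example.com.    3600 IN    SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
                101        ; serial
                )
;; AUTHORITY SECTION:
samdom.example.com.    900 IN NS dc1.samdom.example.com.
samdom.example.com.    900 IN NS dc2.samdom.example.com.
"""

if __name__ == "__main__":
    print("internal:", missing_ns(DIG_INTERNAL, ["testdc1.home.lan.", "testdc2.home.lan."]))
    print("bind9:", missing_ns(DIG_BIND, ["dc1.samdom.example.com.", "dc2.samdom.example.com."]))
```

Because the internal DNS server returns no AUTHORITY section for an SOA query, feed it `dig NS <zone>` output instead; the same parser then shows whether any DC beyond the first is listed as a name server.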
