[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
mathias dufresne
infractory at gmail.com
Fri Dec 11 12:33:15 UTC 2015
Thank you, Rowland, for noticing that.
Here it is:
------------------------------------------------------------------
#!/usr/bin/awk -f
# Feed this script the output of "samba_dnsupdate --all-names --verbose".
# For every record printed after an "UPDATE SECTION:" marker it runs
# samba-tool, authenticating with the ticket obtained by "kinit administrator".
BEGIN {
    # zone names exactly as samba_dnsupdate prints them (usually lower case)
    ad_zone = "YOUR.DOMAIN.TLD"
    msdcs_zone = "_msdcs." ad_zone
    dns_server = "YOUR-DC"
}
{
    if ($0 ~ /UPDATE SECTION:/) {
        # the record follows the marker: name TTL IN TYPE data...
        getline
        print NF, $0
        if ($4 == "A") {
            if ($1 ~ /_msdcs/) {
                zone = msdcs_zone
            } else {
                zone = ad_zone
            }
            # strip exactly the zone suffix; the zone apex is written as "@"
            record = $1
            regexp = "\\." zone "\\.$"
            sub(regexp, "", record)
            if (record == zone ".") {
                record = "@"
            }
            cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes"
            #cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " " $2
            print cmd
            cmd | getline
            close(cmd)
        }
        if ($4 == "SRV") {
            if ($1 ~ /_msdcs/) {
                zone = msdcs_zone
            } else {
                zone = ad_zone
            }
            record = $1
            regexp = "\\." zone "\\.$"
            sub(regexp, "", record)
            if (record == zone ".") {
                record = "@"
            }
            # samba-tool expects SRV data as 'target port priority weight'
            cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
            #cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' " $2
            print cmd
            cmd | getline
            close(cmd)
        }
    }
}
------------------------------------------------------------------
This script does not take missing NS records into account, as samba_dnsupdate
does not try to create them.
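The same procedure in Python, added here as an example and not part of the original post or of Samba: it reads the record line after each "UPDATE SECTION:" marker, picks the zone the name belongs to, maps the zone apex to "@", and builds argv lists so that record data never passes through a shell. The zone and server names are placeholders like those in the awk script, and the sample output is constructed.

```python
import subprocess

AD_ZONE = "your.domain.tld"   # placeholder for the AD zone, as in the awk script
DNS_SERVER = "your-dc"        # placeholder for the DC to update, as in the awk script


def record_to_argv(line, ad_zone=AD_ZONE, dns_server=DNS_SERVER):
    """Map one record line ("name TTL IN TYPE data...") to a samba-tool argv, or None."""
    f = line.split()
    if len(f) < 5 or f[2] != "IN":
        return None
    name, rtype = f[0].rstrip(".").lower(), f[3]
    msdcs = "_msdcs." + ad_zone
    zone = msdcs if name == msdcs or name.endswith("." + msdcs) else ad_zone
    if name == zone:
        record = "@"                      # zone apex, e.g. the domain's own A record
    elif name.endswith("." + zone):
        record = name[:-len(zone) - 1]    # strip exactly the zone suffix
    else:
        return None                       # belongs to a zone we do not manage
    if rtype == "A" and len(f) == 5:
        data = f[4]
    elif rtype == "SRV" and len(f) == 8:
        data = " ".join((f[7], f[6], f[4], f[5]))   # samba-tool order: target port priority weight
    else:
        return None                       # NS and other types are not emitted by samba_dnsupdate
    return ["samba-tool", "dns", "add", dns_server, zone, record, rtype, data, "--kerberos=yes"]


def commands_from_output(text, **kw):
    """One argv per record line that follows an 'UPDATE SECTION:' marker."""
    lines = text.splitlines()
    argvs = (record_to_argv(lines[i + 1], **kw)
             for i, line in enumerate(lines[:-1]) if "UPDATE SECTION:" in line)
    return [a for a in argvs if a]


def apply_updates(text, dry_run=True, **kw):
    """Print every command; run them as well unless dry_run (needs a Kerberos ticket)."""
    for argv in commands_from_output(text, **kw):
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=False)   # "already exists" failures are harmless


# Constructed sample in the shape the awk script parses (tabs or spaces between fields).
SAMPLE = """\
;; UPDATE SECTION:
dc1.your.domain.tld.\t900\tIN\tA\t192.0.2.10
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.your.domain.tld. 900 IN SRV 0 100 389 dc1.your.domain.tld.
"""
```

Run `apply_updates(SAMPLE)` to see the commands, and `apply_updates(output, dry_run=False)` on real samba_dnsupdate output to execute them.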
2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:
> On 11/12/15 10:29, mathias dufresne wrote:
>
>> Hi Ole,
>>
>> Using the internal DNS, samba_dnsupdate does not work correctly, at least not
>> every time.
>>
>> Someone modified this samba_dnsupdate tool by commenting out this line:
>> os.unlink(tmpfile)
>> which should be line 413.
>>
>> Doing that, he was able to keep the files generated by samba_dnsupdate and use
>> them as arguments to the nsupdate command (without the -g switch and with
>> "allow dns updates = nonsecure" in smb.conf).
>>
>> I was not able to make that process work here, but I did not try hard. As
>> this process was sent directly to me, I am sharing it.
>>
>> The process I use to generate all DNS records is to run samba_dnsupdate
>> --all-names --verbose and send the output of that command to the attached awk
>> script.
>> The awk script gets information from samba_dnsupdate for each record and
>> launches samba-tool to create the DNS record. This script is not clever: it
>> tries to create every DNS record mentioned, generating warnings when a record
>> already exists.
>>
>> You will have to modify this awk script, as the BEGIN section contains fake
>> information related to the AD domain:
>>
>> BEGIN {
>> ad_zone = "YOUR.DOMAIN.TLD"
>> msdcs_zone = "_msdcs." ad_zone
>> dns_server = "YOUR-DC"
>> }
>>
>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
>> configuration.
>>
>> The awk script uses Kerberos authentication when running samba-tool, so you
>> will need to obtain a Kerberos ticket for some AD admin beforehand:
>> 1°) kinit administrator
>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
>>
>> As it is not an issue to try to create an entry which already exists, you can
>> run that script on each DC to make sure all entries are correctly
>> created on all DCs.
>>
>> Best regards,
>>
>> mathias dufresne
>>
>>
>>
> There is a flaw with your script!
>
> This mailing list strips off attachments, you are going to have to paste
> it into post. :-)
>
> Rowland