[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Fri Dec 11 13:59:19 UTC 2015


Hi folks,

a) thank you all for your help, I highly appreciate your time and effort, 
and I am sure I can resolve this issue very soon!
b) I have to delay this until early next week, as I have to attend to 
other matters for now.

All I can say, Louis, is that I won't set up a new DC to resolve this - 
at least not for now. This seems to be another problem of Samba4 not 
being able to deal with multiple DCs properly. And this has to be able 
to be resolved on an otherwise working domain without changing its 
architecture or other more drastic measures. This is my point of view at 
the moment. Your suggestion reminds me a bit of some typical forum 
replies to "Reinstall the OS" in case of any problems that can't be 
solved in an instant.

If necessary, I will just create the missing DNS entries of my 2nd DC by 
hand. Although I would prefer a working script supplied by a 
professional (which I am not). At least I would like to know which DNS 
entries for my 2nd DC are essential for logins to work. I wouldn't very 
much like to try this out. However, I am aware that your time is as 
limited as mine (if not even more so), and you are under no obligation in 
any way.

Besides, I didn't forget to delete anything. I used the script from the 
wiki to get rid of old records pertaining to my former 1st DC after I 
had created the records of my *new* 1st DC. I checked the results: 
everything related to my former first DC was gone. Also I 
documented/discussed this process here on the list. And nobody pointed 
me to things I forgot or was leaving out. I know that use of this script 
was totally "at my own risk". But the results were as they should have 
been, at least as far as I am able to tell.

That said, I will go through your responses and get back to you with 
results.

Best, have a good weekend!
Ole


On 11.12.2015 at 13:33, mathias dufresne wrote:
> Thank you Rowland for noticing that.
>
> Here it is:
> ------------------------------------------------------------------
> #!/usr/bin/awk -f
> # Reads the nsupdate debug output printed by "samba_dnsupdate --all-names --verbose"
> # and re-creates every record listed under an UPDATE SECTION with samba-tool.
>
> BEGIN {
>    ad_zone = "YOUR.DOMAIN.TLD"
>    msdcs_zone = "_msdcs." ad_zone
>    dns_server = "YOUR-DC"
> }
> {
>    if ($0 ~ /UPDATE SECTION:/) {
>      # the record follows the section header: name ttl IN type rdata...
>      getline
>      print NF, $0
>      if ($4 == "A") {
>        # records below _msdcs live in their own zone on a Samba DC
>        if($1 ~ /_msdcs/) {
>          zone = msdcs_zone
>        } else {
>          zone = ad_zone
>        }
>        # cut the trailing ".zone." so samba-tool gets the name relative to the zone
>        record = $1
>        regexp = "\\." zone "\\.$"
>        sub(regexp, "", record)
>        cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes"
>        #cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " " $2
>        print cmd
>        cmd | getline
>        close(cmd)
>      }
>      if ($4 == "SRV") {
>        if($1 ~ /_msdcs/) {
>          zone = msdcs_zone
>        } else {
>          zone = ad_zone
>        }
>        record = $1
>        regexp = "\\." zone "\\.$"
>        sub(regexp, "", record)
>        # nsupdate prints "priority weight port target" ($5 $6 $7 $8);
>        # samba-tool wants the SRV data as "target port priority weight"
>        cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
>        #cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' " $2
>        print cmd
>        cmd | getline
>        close(cmd)
>      }
>    }
> }
> ------------------------------------------------------------------
>
> This script does not take into account missing NS records, as samba_dnsupdate
> does not try to create them.
>
>
> 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:
>
>> On 11/12/15 10:29, mathias dufresne wrote:
>>
>>> Hi Ole,
>>>
>>> Using internal DNS samba_dnsupdate does not work correctly, at least not
>>> every time.
>>>
>>> Someone modified this samba_dnsupdate tool, commenting out this line:
>>> os.unlink(tmpfile)
>>> which should be line 413.
>>>
>>> Doing that he was able to get files generated by samba_dnsupdate to use
>>> them as argument of nsupdate command (without -g switch and with "allow
>>> dns
>>> updates = nonsecure" in smb.conf).
>>>
>>> I was not able to make that process work here, but I did not try hard. As
>>> this process was sent directly to me, I share it.
>>>
>>> The process I use to generate all DNS records is to run samba_dnsupdate
>>> --all-names --verbose and send the output of that command to the attached awk
>>> script.
>>> The awk script gets information from samba_dnsupdate for each record and
>>> launches samba-tool to create the DNS record. This script is not clever: it
>>> tries to create all mentioned DNS records, generating warnings when a record
>>> already exists.
>>>
>>> You will have to modify this awk script as the BEGIN section contains fake
>>> information related to AD domain:
>>>
>>> BEGIN {
>>>     ad_zone = "YOUR.DOMAIN.TLD"
>>>     msdcs_zone = "_msdcs." ad_zone
>>>     dns_server = "YOUR-DC"
>>> }
>>>
>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
>>> configuration.
>>>
>>> The awk script uses kerberos authentication when running samba-tool so you
>>> will need to generate a kerberos ticket for some AD admin before:
>>> 1°) kinit administrator
>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
>>>
>>> As it is not an issue to try to create an entry which already exists, you can
>>> run that script on each DC to make sure all entries are correctly
>>> created on all DCs.
>>>
>>> Best regards,
>>>
>>> mathias dufresne
>>>
>>>
>>>
>> There is a flaw with your script!
>>
>>
>>
>>
>>
>> This mailing list strips off attachments, you are going to have to paste
>> it into post. :-)
>>
>> Rowland
>>
>>
>>
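The procedure mathias describes above (feed the nsupdate debug output of `samba_dnsupdate --all-names --verbose` to a script that re-creates each record with `samba-tool dns add`) as an added Python example; this is not code from the thread or from the Samba project. It assumes the record line under each `UPDATE SECTION:` header is in zone-file presentation order (`name ttl IN type rdata`), which is what nsupdate's debug output prints, and it goes a little beyond the awk script: it picks the zone by suffix instead of by substring, handles the zone apex (`@`), and builds the commands as argument lists so they can be reviewed before anything is executed. The sample output embedded below is constructed; the zone and server names are placeholders.

```python
import shlex
import subprocess
import sys

# Constructed sample of what samba_dnsupdate --verbose relays from nsupdate's
# debug output: one A record in the domain zone, one SRV record under _msdcs.
SAMPLE_OUTPUT = """\
Calling nsupdate for A dc2.ad.example.com 10.0.0.2 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; ZONE SECTION:
;ad.example.com.\t\t\tIN\tSOA
;; UPDATE SECTION:
dc2.ad.example.com.\t900\tIN\tA\t10.0.0.2

Calling nsupdate for SRV _ldap._tcp.dc._msdcs.ad.example.com dc2.ad.example.com 389 (add)
Outgoing update query:
;; ZONE SECTION:
;_msdcs.ad.example.com.\t\t\tIN\tSOA
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.ad.example.com.\t900\tIN\tSRV\t0 100 389 dc2.ad.example.com.
"""


def parse_update_records(text):
    """Return (name, type, rdata_fields) for every record under an UPDATE SECTION."""
    records = []
    in_update = False
    for line in text.splitlines():
        if "UPDATE SECTION:" in line:
            in_update = True
            continue
        # a blank line or another ";;" header ends the section
        if not line.strip() or line.startswith(";"):
            in_update = False
            continue
        if in_update:
            fields = line.split()
            # presentation format: name ttl IN type rdata...
            if len(fields) < 5 or fields[2] != "IN":
                continue
            records.append((fields[0], fields[3], fields[4:]))
    return records


def zone_for(name, ad_zone):
    """Pick the Samba zone a record belongs to and return (zone, relative_name).

    A Samba DC keeps _msdcs.<domain> as a separate zone, so the longer suffix
    is tried first; a record for the zone itself becomes "@".
    """
    fqdn = name.rstrip(".")
    for zone in ("_msdcs." + ad_zone, ad_zone):
        if fqdn.lower() == zone.lower():
            return zone, "@"
        suffix = "." + zone
        if fqdn.lower().endswith(suffix.lower()):
            return zone, fqdn[: -len(suffix)]
    raise ValueError("%s is not inside zone %s" % (name, ad_zone))


def samba_tool_args(name, rtype, rdata, ad_zone, dns_server):
    """Build the argv for one 'samba-tool dns add' call (Kerberos auth, as in the thread)."""
    zone, relative = zone_for(name, ad_zone)
    if rtype in ("A", "AAAA", "CNAME", "NS"):
        data = rdata[0]
    elif rtype == "SRV":
        # nsupdate order: priority weight port target
        # samba-tool order: target port priority weight (target passed as printed)
        priority, weight, port, target = rdata[:4]
        data = " ".join((target, port, priority, weight))
    else:
        raise ValueError("unsupported record type %s for %s" % (rtype, name))
    return ["samba-tool", "dns", "add", dns_server, zone, relative, rtype, data, "--kerberos=yes"]


def build_commands(output, ad_zone, dns_server):
    """Turn a whole samba_dnsupdate --verbose transcript into a list of argv lists."""
    return [samba_tool_args(n, t, d, ad_zone, dns_server)
            for n, t, d in parse_update_records(output)]


def run_commands(commands):
    """Run each command; 'already exists' is reported as a failure, so collect and continue."""
    failed = []
    for argv in commands:
        if subprocess.call(argv) != 0:
            failed.append(argv)
    return failed


if __name__ == "__main__":
    # Usage: samba_dnsupdate --all-names --verbose | python3 this.py AD.ZONE DC-NAME [--apply]
    # Placeholder zone/server names are used when run without arguments.
    ad_zone = sys.argv[1] if len(sys.argv) > 1 else "ad.example.com"
    dns_server = sys.argv[2] if len(sys.argv) > 2 else "dc1"
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    commands = build_commands(text, ad_zone, dns_server)
    for argv in commands:
        print(" ".join(shlex.quote(a) for a in argv))
    if "--apply" in sys.argv:
        for argv in run_commands(commands):
            print("failed (record may already exist):", " ".join(argv), file=sys.stderr)
```

Without `--apply` the script only prints the commands, which is the step worth doing first on a domain where the DNS records of one DC are already partly present: the printout shows exactly which zone and relative name each record will be written to, so a record landing in the wrong zone is visible before samba-tool touches the directory. A valid ticket for a domain admin (`kinit administrator`) is still required for the `--apply` run, exactly as in the awk version.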