[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Dec 17 13:51:20 UTC 2015


>> Where? Point me to it, please!
> Uhh, somewhere in the emails of 10-dec, see what's in the
> samba_dnsupdate --verbose output; those are the needed dns records.

Ok, thank you! Interesting: this reveals that there *should* be a "gc" 
record for the 2nd DC, although someone here said before that I should 
definitely *not* create that one.

>
>
> [L.P.H. van Belle]  in the AD and dns, open the user management tool ( the AD user manager )
> click on view, enable advanced..
> now click through the complete ad and find old entries.
> Don't forget the "computers" OU

As I said, there are and were no old entries.

>
>
> and do the same in the DNS manager.

Ditto.

> also, make sure your DNS zone (SOA) record contains the PRIMARY DC.

Of course.

>
> Above can be done also with ldapsearch.
>
>
>>> Again, you're quicker with a clean install, and you learn more from it.
>>> And with clean, I don't mean dropping your AD, just add a new "DC Join" to
>>> hold the AD data so you can remove the faulty server and then you can
>>> install that server again, but now as it should be.
>>> AND when you join a DC your login problem is fixed also.  ;-)
>> I somehow doubt that. Still it seems that no one here has an idea of why
>> log-on from member servers isn't working properly (for me). However, in
>> the meantime I have created all the necessary DNS records. This can't be
>> the issue anymore.
> [L.P.H. van Belle]
> a delay for the login when one dns is down is normal, it needs to timeout first.

How long? Like 60+ seconds in case of ssh login?

> when you type :
> dig a internal.domain.tld
> you should see 2 responses, and the results are your 2 DC's.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> a internal.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;internal.domain.tld.           IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. 
nstld.verisign-grs.com. 2015121700 1800 900 604800 86400



>
>
>>>
>>>> Besides, I didn't forget to delete anything. I used the script from the
>>>> wiki to get rid of old records pertaining to my former 1st DC after I
>>>> had created the records of my *new* 1st DC. I checked the results:
>>>> everything related to my former first DC was gone. Also I
>>>> documented/discussed this process here on the list. And nobody pointed
>>>> me to things I forgot or was leaving out. I know that use of this script
>>>> was totally "at my own risk". But the results were as they should have
>>>> been, at least as far as I am able to tell.
>>> [L.P.H. van Belle] which script ? can anyone point that one out for me, can't
>>> find it. I only know about
>>> https://bugzilla.samba.org/show_bug.cgi?id=10595
>> It is this one:
>> https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
>>
>>>> That said, I will go through your responses and get back to you with
>>>> results.
>>>>
>>>> Best, have a good weekend!
>>>> Ole
>>> [L.P.H. van Belle]
>>> Thank you, and have a very good weekend also, I hope your problem is
>>> fixed soon.
>>
>> Thanks, me too.
>>
>> Ole
>>
>>>> Am 11.12.2015 um 13:33 schrieb mathias dufresne:
>>>>> Thank you Rowland for noticing that.
>>>>>
>>>>> Here it is:
>>>>> ------------------------------------------------------------------
>>>>> #!/usr/bin/awk -f
>>>>>
>>>>> # Reads the output of "samba_dnsupdate --all-names --verbose" on stdin.
>>>>> # For the record following each "UPDATE SECTION:" it runs samba-tool to
>>>>> # create that A or SRV record. The nsupdate record lines look like
>>>>> #   name ttl IN A   address
>>>>> #   name ttl IN SRV priority weight port target
>>>>> # Edit the three values in BEGIN to match your domain.
>>>>> BEGIN {
>>>>>      ad_zone = "YOUR.DOMAIN.TLD"
>>>>>      msdcs_zone = "_msdcs." ad_zone
>>>>>      dns_server = "YOUR-DC"
>>>>> }
>>>>> {
>>>>>      if ($0 ~ /UPDATE SECTION:/) {
>>>>>        getline
>>>>>        print NF, $0
>>>>>        # choose the zone the name belongs to, then strip the zone suffix
>>>>>        # to get the relative record name ("@" for the zone apex)
>>>>>        if ($1 ~ /_msdcs/) {
>>>>>          zone = msdcs_zone
>>>>>        } else {
>>>>>          zone = ad_zone
>>>>>        }
>>>>>        record = $1
>>>>>        if (record == (zone ".")) {
>>>>>          record = "@"
>>>>>        } else {
>>>>>          sub("\\." zone "\\.$", "", record)
>>>>>        }
>>>>>        # the record goes into the zone chosen above, not always _msdcs
>>>>>        if ($4 == "A") {
>>>>>          cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes"
>>>>>          #cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " " $2
>>>>>          print cmd
>>>>>          cmd | getline
>>>>>          close(cmd)
>>>>>        }
>>>>>        if ($4 == "SRV") {
>>>>>          # samba-tool expects SRV data as 'target port priority weight'
>>>>>          cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
>>>>>          #cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' " $2
>>>>>          print cmd
>>>>>          cmd | getline
>>>>>          close(cmd)
>>>>>        }
>>>>>      }
>>>>> }
>>>>> ------------------------------------------------------------------
>>>>>
>>>>> This script does not take into account missing NS records, as
>>>>> samba_dnsupdate does not try to create them.
>>>>>
>>>>>
>>>>> 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>>>>
>>>>>> On 11/12/15 10:29, mathias dufresne wrote:
>>>>>>
>>>>>>> Hi Ole,
>>>>>>>
>>>>>>> Using the internal DNS, samba_dnsupdate does not work correctly, at least
>>>>>>> not every time.
>>>>>>>
>>>>>>> Someone modified this samba_dnsupdate tool, commenting out this line:
>>>>>>> os.unlink(tmpfile)
>>>>>>> which should be line 413.
>>>>>>>
>>>>>>> Doing that he was able to get the files generated by samba_dnsupdate to
>>>>>>> use them as argument of the nsupdate command (without the -g switch and
>>>>>>> with "allow dns updates = nonsecure" in smb.conf).
>>>>>>>
>>>>>>> I was not able to make that process work here but I did not try hard. As
>>>>>>> this process was sent directly to me I share it.
>>>>>>>
>>>>>>> The process I use to generate all DNS records is to run
>>>>>>> samba_dnsupdate --all-names --verbose and send the output of that command
>>>>>>> to the attached awk script.
>>>>>>> The awk script gets information from samba_dnsupdate for each record and
>>>>>>> launches samba-tool to create the DNS record. This script is not clever: it
>>>>>>> tries to create all mentioned DNS records, generating warnings when a record
>>>>>>> already exists.
>>>>>>>
>>>>>>> You will have to modify this awk script as the BEGIN section contains
>>>>>>> fake information related to the AD domain:
>>>>>>>
>>>>>>> BEGIN {
>>>>>>>       ad_zone = "YOUR.DOMAIN.TLD"
>>>>>>>       msdcs_zone = "_msdcs." ad_zone
>>>>>>>       dns_server = "YOUR-DC"
>>>>>>> }
>>>>>>>
>>>>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
>>>>>>> configuration.
>>>>>>>
>>>>>>> The awk script uses kerberos authentication when running samba-tool so
>>>>>>> you will need to generate a kerberos ticket for some AD admin before:
>>>>>>> 1°) kinit administrator
>>>>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
>>>>>>>
>>>>>>> As it is not an issue to try to create an entry which already exists,
>>>>>>> you can run that script on each DC to make sure all entries are
>>>>>>> correctly created on all DCs.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> mathias dufresne
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> There is a flaw with your script!
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> This mailing list strips off attachments, you are going to have to
>>>>>> paste it into the post. :-)
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>
>>
>
>
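The dig test suggested above ("you should see 2 responses, and the results are your 2 DC's") and the "SOA must contain the primary DC" advice, turned into a small offline check. This is an added example, not code from the thread or from Samba; the healthy, one-DC and SOA samples are constructed (the 10.0.0.x addresses and dc1 hostname are made up), while ROOT_DIG is the dig output quoted in the message. It separates "the AD DNS answered but a DC's A record is missing" from "the query never reached the AD DNS at all", which is what the quoted output shows: no answer, no aa flag, and only the root zone's SOA in the authority section.

```python
import re

EXPECTED_DC_IPS = {"10.0.0.11", "10.0.0.12"}       # constructed DC addresses
PDC_NAME = "dc1.internal.domain.tld"               # constructed primary DC

# Constructed: the AD DNS itself replied ('aa' set) with both DCs.
HEALTHY_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;internal.domain.tld.           IN      A

;; ANSWER SECTION:
internal.domain.tld.    900     IN      A       10.0.0.11
internal.domain.tld.    900     IN      A       10.0.0.12
"""

# Constructed: the AD DNS replied, but the second DC has no A record.
ONE_DC_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
internal.domain.tld.    900     IN      A       10.0.0.11
"""

# The output quoted in the message, SOA line wrapped exactly as in the mail:
# no answer, no 'aa', and the root zone's SOA as authority, i.e. the
# resolver asked the public root servers rather than the AD DNS.
ROOT_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;internal.domain.tld.           IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net.
nstld.verisign-grs.com. 2015121700 1800 900 604800 86400
"""

# Constructed: `dig soa internal.domain.tld` answered by the AD DNS.
SOA_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 777
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
internal.domain.tld.    3600    IN      SOA     dc1.internal.domain.tld. hostmaster.internal.domain.tld. 2015121701 900 600 86400 3600
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Return (flags, sections); sections maps a section name to records
    [owner, ttl, type, rdata_fields]. A line that does not look like
    'owner ttl IN type ...' is glued onto the previous record, which handles
    the wrapped SOA line in the quoted output."""
    flags, sections, current, last = set(), {}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current, last = m.group(1), None
            sections.setdefault(current, [])
            continue
        if line.startswith(";; flags:"):
            flags = set(line.split(";")[2].split(":", 1)[1].split())
            continue
        if not line.strip() or line.startswith(";") or current is None:
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1].isdigit() and fields[2] == "IN":
            last = [fields[0], int(fields[1]), fields[3], fields[4:]]
            sections[current].append(last)
        elif last is not None:
            last[3].extend(fields)
    return flags, sections


def check_dc_a_records(dig_text, expected_ips=EXPECTED_DC_IPS):
    """Classify a `dig a <zone>` reply for the two-DC check."""
    flags, sections = parse_dig(dig_text)
    answers = {r[3][0] for r in sections.get("ANSWER", []) if r[2] == "A"}
    root_soa = any(r[0] == "." and r[2] == "SOA" for r in sections.get("AUTHORITY", []))
    return {
        # authoritative answer and no root SOA: the AD DNS itself replied
        "answered_by_ad": "aa" in flags and not root_soa,
        "found": sorted(answers),
        "missing": sorted(expected_ips - answers),
        "unexpected": sorted(answers - expected_ips),
    }


def soa_primary(dig_text):
    """MNAME of the zone's own SOA (the server named as primary), ignoring
    the root SOA; None when no zone SOA is present."""
    _flags, sections = parse_dig(dig_text)
    for sec in ("ANSWER", "AUTHORITY"):
        for owner, _ttl, rtype, rdata in sections.get(sec, []):
            if rtype == "SOA" and owner != ".":
                return rdata[0].rstrip(".")
    return None


def soa_names_pdc(dig_text, pdc=PDC_NAME):
    """The advice in the thread: the SOA must name the current primary DC."""
    return soa_primary(dig_text) == pdc


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_DIG), ("one DC", ONE_DC_DIG),
                          ("from the message", ROOT_DIG)):
        print(label, check_dc_a_records(sample))
    print("SOA primary:", soa_primary(SOA_DIG), "-> is PDC:", soa_names_pdc(SOA_DIG))
```

When `answered_by_ad` is False the zone contents are not the problem: the member server's resolver is pointing somewhere other than the DCs, and that is where to look for the slow logins. Only when the AD DNS answers and `missing` is non-empty is a record actually absent.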