[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

L.P.H. van Belle belle at bazuin.nl
Thu Dec 17 14:45:58 UTC 2015


No GC!!
Ai.. that's a problem..

Read this, create a new GC record. 
https://support.microsoft.com/en-us/kb/313994 


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday, 17 December 2015 14:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> >> Where? Point me to it, please!
> > Uhh, somewhere in the emails of 10 Dec; see what's in the
> > samba_dnsupdate --verbose output, those are the needed DNS records.
> 
> Ok, thank you! Interesting: this reveals that there *should* be a "gc"
> record for the 2nd DC, although someone here said before that I should
> definitely *not* create that one.
> 
> >
> >
> > [L.P.H. van Belle]  in the AD and DNS, open the user management tool
> > (the AD user manager)
> > click on view, enable advanced..
> > now click through the complete AD and find old entries.
> > Don't forget the "computers" OU
> 
> As I said, there are and were no old entries.
> 
> >
> >
> > and do the same in the DNS manager.
> 
> Ditto.
> 
> > also, make sure your DNS zone (SOA) record contains the PRIMARY DC.
> 
> Of course.
> 
> >
> > Above can be done also with ldapsearch.
> >
> >
> >>> Again, you're quicker with a clean install, and you learn more from it.
> >>> And with clean, I don't mean dropping your AD, just add a new "DC Join" to
> >>> hold the AD data so you can remove the faulty server and then you can
> >>> install that server again, but now as it should be.
> >>> AND when you join a DC your login problem is fixed also.  ;-)
> >> I somehow doubt that. Still it seems that no one here has an idea of why
> >> log-on from member servers isn't working properly (for me). However, in
> >> the meantime I have created all the necessary DNS records. This can't be
> >> the issue anymore.
> > [L.P.H. van Belle]
> > a delay for the login when one DNS is down is normal, it needs to
> > time out first.
> 
> How long? Like 60+ seconds in case of ssh login?
> 
> > when you type :
> > dig a internal.domain.tld
> > you should see 2 responses, and the results are your 2 DC's.
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> a
> internal.domain.tld
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48671
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;internal.domain.tld.           IN      A
> 
> ;; AUTHORITY SECTION:
> .                       10800   IN      SOA     a.root-servers.net.
> nstld.verisign-grs.com. 2015121700 1800 900 604800 86400
> 
> 
> 
> >
> >
> >>>
> >>>> Besides, I didn't forget to delete anything. I used the script from the
> >>>> wiki to get rid of old records pertaining to my former 1st DC after I
> >>>> had created the records of my *new* 1st DC. I checked the results:
> >>>> everything related to my former first DC was gone. Also I
> >>>> documented/discussed this process here on the list. And nobody pointed
> >>>> me to things I forgot or was leaving out. I know that use of this script
> >>>> was totally "at my own risk". But the results were as they should have
> >>>> been, at least as far as I am able to tell.
> >>> [L.P.H. van Belle] Which script? Can anyone point that one out for me? I
> >>> can't find it. I only know about
> >>> https://bugzilla.samba.org/show_bug.cgi?id=10595
> >> It is this one:
> >> https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
> >>
> >>>> That said, I will go through your responses and get back to you with
> >>>> results.
> >>>>
> >>>> Best, have a good weekend!
> >>>> Ole
> >>> [L.P.H. van Belle]
> >>> Thank you, and have a very good weekend also, I hope your problem is
> >>> fixed soon.
> >>
> >> Thanks, me too.
> >>
> >> Ole
> >>
> >>>> On 11.12.2015 at 13:33, mathias dufresne wrote:
> >>>>> Thank you Rowland for noticing that.
> >>>>>
> >>>>> Here it is:
> >>>>> ------------------------------------------------------------------
> >>>>> #!/usr/bin/awk -f
> >>>>> # Reads "samba_dnsupdate --all-names --verbose" output on stdin and creates
> >>>>> # every A and SRV record it lists with "samba-tool dns add".
> >>>>> BEGIN {
> >>>>>      ad_zone = "YOUR.DOMAIN.TLD"
> >>>>>      msdcs_zone = "_msdcs." ad_zone
> >>>>>      dns_server = "YOUR-DC"
> >>>>> }
> >>>>> {
> >>>>>      if ($0 ~ /UPDATE SECTION:/) {
> >>>>>        # the record itself is on the next line: name TTL IN type rdata...
> >>>>>        getline
> >>>>>        print NF, $0
> >>>>>        if ($4 == "A" || $4 == "SRV") {
> >>>>>          # names under _msdcs belong to the separate _msdcs zone
> >>>>>          if ($1 ~ /_msdcs/) {
> >>>>>            zone = msdcs_zone
> >>>>>          } else {
> >>>>>            zone = ad_zone
> >>>>>          }
> >>>>>          # strip the zone suffix to get the relative name; "@" is the zone apex
> >>>>>          record = $1
> >>>>>          if (record == (zone ".")) {
> >>>>>            record = "@"
> >>>>>          } else {
> >>>>>            regexp = "." zone ".$"
> >>>>>            sub(regexp, "", record)
> >>>>>          }
> >>>>>          if ($4 == "A") {
> >>>>>            data = $5
> >>>>>          } else {
> >>>>>            # nsupdate lists SRV as prio weight port target;
> >>>>>            # samba-tool wants 'target port prio weight'
> >>>>>            data = "'" $8 " " $7 " " $5 " " $6 "'"
> >>>>>          }
> >>>>>          # add the record to the zone it belongs to
> >>>>>          cmd = "samba-tool dns add " dns_server " " zone " " record " " $4 " " data " --kerberos=yes"
> >>>>>          # without a Kerberos ticket, use "-U administrator" instead of --kerberos=yes
> >>>>>          print cmd
> >>>>>          cmd | getline
> >>>>>          close(cmd)
> >>>>>        }
> >>>>>      }
> >>>>> }
> >>>>> ------------------------------------------------------------------
> >>>>>
> >>>>> This script does not take into account missing NS records, as samba_dnsupdate
> >>>>> does not try to create them.
> >>>>>
> >>>>>
> >>>>> 2015-12-11 12:07 GMT+01:00 Rowland penny <rpenny at samba.org>:
> >>>>>
> >>>>>> On 11/12/15 10:29, mathias dufresne wrote:
> >>>>>>
> >>>>>>> Hi Ole,
> >>>>>>>
> >>>>>>> Using internal DNS, samba_dnsupdate does not work correctly, at least not
> >>>>>>> every time.
> >>>>>>>
> >>>>>>> Someone modified this samba_dnsupdate tool commenting this line:
> >>>>>>> os.unlink(tmpfile)
> >>>>>>> which should be line 413.
> >>>>>>>
> >>>>>>> Doing that he was able to get the files generated by samba_dnsupdate to use
> >>>>>>> them as argument of the nsupdate command (without -g switch and with "allow
> >>>>>>> dns updates = nonsecure" in smb.conf).
> >>>>>>>
> >>>>>>> I was not able to make that process work here but I did not try hard. As
> >>>>>>> this process was sent directly to me I share it.
> >>>>>>>
> >>>>>>> The process I use to generate all DNS records is to run samba_dnsupdate
> >>>>>>> --all-names --verbose and send the output of that command to the attached awk
> >>>>>>> script.
> >>>>>>> The awk script gets information from samba_dnsupdate for each record and
> >>>>>>> launches samba-tool to create the DNS record. This script is not clever: it
> >>>>>>> tries to create all mentioned DNS records, generating warnings when a record
> >>>>>>> already exists.
> >>>>>>>
> >>>>>>> You will have to modify this awk script as the BEGIN section contains fake
> >>>>>>> information related to the AD domain:
> >>>>>>>
> >>>>>>> BEGIN {
> >>>>>>>       ad_zone = "YOUR.DOMAIN.TLD"
> >>>>>>>       msdcs_zone = "_msdcs." ad_zone
> >>>>>>>       dns_server = "YOUR-DC"
> >>>>>>> }
> >>>>>>>
> >>>>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
> >>>>>>> configuration.
> >>>>>>>
> >>>>>>> The awk script uses Kerberos authentication when running samba-tool so you
> >>>>>>> will need to generate a Kerberos ticket for some AD admin before:
> >>>>>>> 1°) kinit administrator
> >>>>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
> >>>>>>>
> >>>>>>> As it is not an issue to try to create an entry which already exists you can
> >>>>>>> run that script on each DC to assure yourself all entries are correctly
> >>>>>>> created on all DCs.
> >>>>>>>
> >>>>>>> Best regards,
> >>>>>>>
> >>>>>>> mathias dufresne
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> There is a flaw with your script!
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> This mailing list strips off attachments, you are going to have to paste
> >>>>>> it into the post. :-)
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>>
> >>>
> >>
> >
> >
> 
> 
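The samba_dnsupdate-to-samba-tool translation that mathias describes, as an added Python example written for this thread (not Samba's code and not the awk script above): it parses the "UPDATE SECTION" lines, puts a name in the _msdcs zone only when it really lives under _msdcs, maps the zone apex to "@", reorders SRV data the way samba-tool wants it, and checks whether the gc records this thread found missing are among the planned adds. AD_ZONE, DNS_SERVER and the SAMPLE output are assumptions.

```python
"""Turn `samba_dnsupdate --verbose` output into `samba-tool dns add` argv lists.
Added example for this thread, not Samba's code; AD_ZONE, DNS_SERVER and SAMPLE are constructed."""

AD_ZONE = "samdom.example.com"      # assumption: your AD DNS zone
MSDCS_ZONE = "_msdcs." + AD_ZONE    # Samba keeps _msdcs as a zone of its own
DNS_SERVER = "dc1"                  # assumption: DC whose DNS receives the records

SAMPLE = """\
;; UPDATE SECTION:
samdom.example.com.\t900\tIN\tA\t10.0.0.2
;; UPDATE SECTION:
gc._msdcs.samdom.example.com.\t900\tIN\tA\t10.0.0.2
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.samdom.example.com.\t900\tIN\tSRV\t0 100 389 dc2.samdom.example.com.
;; UPDATE SECTION:
_gc._tcp.samdom.example.com.\t900\tIN\tSRV\t0 100 3268 dc2.samdom.example.com.
"""

def parse_updates(text):
    """Yield (fqdn, rtype, rdata) for the A/SRV line after each 'UPDATE SECTION:'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "UPDATE SECTION:" in line and i + 1 < len(lines):
            f = lines[i + 1].split()            # name TTL IN type rdata...
            if len(f) >= 5 and f[2] == "IN" and f[3] in ("A", "SRV"):
                yield f[0], f[3], f[4:]

def build_command(fqdn, rtype, rdata):
    """One record -> samba-tool argv, in the zone the name actually belongs to."""
    zone = MSDCS_ZONE if "._msdcs." in "." + fqdn else AD_ZONE
    suffix = "." + zone + "."
    if fqdn == zone + ".":
        name = "@"                              # zone apex (the domain's own A record)
    elif fqdn.endswith(suffix):
        name = fqdn[:-len(suffix)]              # relative name within the zone
    else:
        raise ValueError("record outside the AD zones: " + fqdn)
    # SRV: nsupdate lists prio weight port target; samba-tool wants 'target port prio weight'
    data = rdata[0] if rtype == "A" else " ".join((rdata[3], rdata[2], rdata[0], rdata[1]))
    return ["samba-tool", "dns", "add", DNS_SERVER, zone, name, rtype, data, "--kerberos=yes"]

def plan(text):
    """All samba-tool commands for one samba_dnsupdate run, in order."""
    return [build_command(*rec) for rec in parse_updates(text)]

def has_gc_records(commands):
    """True when the GC records this thread was missing (gc A and _gc._tcp SRV) are planned."""
    keys = {(c[4], c[5], c[6]) for c in commands}
    return (MSDCS_ZONE, "gc", "A") in keys and (AD_ZONE, "_gc._tcp", "SRV") in keys
```

Run plan() over the real `samba_dnsupdate --all-names --verbose` output after kinit and hand each argv to subprocess.run; has_gc_records() on the result tells you before anything is written whether the second DC's GC entries would be created.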