[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Fri Dec 18 11:19:48 UTC 2015


Hi Rowland,

I am very thankful that you take the time to test all this!

Before I go and check if this is the same with my setup and possibly the 
problem, could you perhaps try a logon to a member server, while the 1st 
DC is unavailable?

From my understanding of your post, I take it you will have the same 
problem. But then, my understanding is limited.

However, if you DO have the same problem, and my understanding is 
correct, then the internal DNS of Samba is clearly *broken* and needs 
fixing!

Also, I would like to state then that I am somewhat disappointed. I have 
spent weeks (if not months) getting my domain running as it is now, only 
to find out that I will have no good sleep with it. Sorry to be so blunt.

Ole


On 18.12.2015 at 10:44, Rowland penny wrote:
> On 17/12/15 15:37, Ole Traupe wrote:
>>
>>
>>
>>>
>>>>
>>>>
>>>>
>>>>> everything else seems to work though, although I haven't tried 
>>>>> turning the first DC off yet.
>>>>
>>>> Why? I mean, could you perhaps? Please?
>>>>
>>>
>>> Probably, but not today, will do it as soon as possible.
>>
>> I would be more than happy about that!
>>
>>
>
> OK, before I did anything else this morning, I started up my test 
> domain. Note that this domain only existed to try and find out why the 
> second DC didn't have an NS record in the SOA, and it uses the internal dns.
>
> Both of the DCs have the relevant line in the hosts file:
>
> root at testdc1:~# nano /etc/hosts
>
> 127.0.0.1       localhost
> 192.168.0.240   testdc1.home.lan        testdc1
>
> root at testdc2:~# nano /etc/hosts
>
> 127.0.0.1       localhost
> 192.168.0.241   testdc2.home.lan        testdc2
>
>
> Both of the DCs point to each other as their nameserver:
>
> root at testdc1:~# nano /etc/resolv.conf
>
> search home.lan
> nameserver 192.168.0.241
> nameserver 192.168.0.240
>
> root at testdc2:~# nano /etc/resolv.conf
>
> search home.lan
> nameserver 192.168.0.240
> nameserver 192.168.0.241
>
> If I examine the SOA record in AD I find this:
>
> dn: DC=@,DC=home.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=lan
> .....................
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x003f (63)
>         wType                    : DNS_TYPE_SOA (6)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x0000006e (110)
>         dwTtlSeconds             : 0x00000e10 (3600)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 6)
>         soa: struct dnsp_soa
>             serial                   : 0x00000001 (1)
>             refresh                  : 0x00000384 (900)
>             retry                    : 0x00000258 (600)
>             expire                   : 0x00015180 (86400)
>             minimum                  : 0x00000e10 (3600)
>             mname                    : testdc1.home.lan
>             rname                    : hostmaster.home.lan
>
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x0014 (20)
>         wType                    : DNS_TYPE_NS (2)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x0000006e (110)
>         dwTtlSeconds             : 0x00000384 (900)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 2)
>         ns                       : testdc1.home.lan
>
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x0014 (20)
>         wType                    : DNS_TYPE_NS (2)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x0000006e (110)
>         dwTtlSeconds             : 0x00000384 (900)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 2)
>         ns                       : testdc2.home.lan
>
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x0004 (4)
>         wType                    : DNS_TYPE_A (1)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x0000006e (110)
>         dwTtlSeconds             : 0x00000384 (900)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 1)
>         ipv4                     : 192.168.0.240
>
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x0004 (4)
>         wType                    : DNS_TYPE_A (1)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x0000006e (110)
>         dwTtlSeconds             : 0x00000384 (900)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 1)
>         ipv4                     : 192.168.0.241
>
> So, as you can see, both DCs have their NS & A records in the SOA.
>
> If I then run nslookup on both machines, I get this:
>
> root at testdc1:~# nslookup
> > set querytype=soa
> > home.lan
> Server:        192.168.0.241
> Address:    192.168.0.241#53
>
> home.lan
>     origin = testdc1.home.lan
>     mail addr = hostmaster.home.lan
>     serial = 1
>     refresh = 900
>     retry = 600
>     expire = 86400
>     minimum = 3600
> > exit
>
> root at testdc2:~# nslookup
> > set querytype=soa
> > home.lan
> Server:        192.168.0.240
> Address:    192.168.0.240#53
>
> home.lan
>     origin = testdc1.home.lan
>     mail addr = hostmaster.home.lan
>     serial = 1
>     refresh = 900
>     retry = 600
>     expire = 86400
>     minimum = 3600
> > exit
>
> As you can see, only the first DC is shown as the NS for the SOA. What 
> happens if we turn off the first DC?
>
> We get this:
>
> root at testdc2:~# nslookup
> > set querytype=soa
> > home.lan
> Server:        192.168.0.241
> Address:    192.168.0.241#53
>
> home.lan
>     origin = testdc1.home.lan
>     mail addr = hostmaster.home.lan
>     serial = 1
>     refresh = 900
>     retry = 600
>     expire = 86400
>     minimum = 3600
> > exit
>
> The second DC is now using itself as its nameserver, but still gives 
> the first DC as the NS.
>
> This is totally different from what is returned if you use Bind9:
>
> Similar setup, only the names & ipaddresses have changed:
>
> root at dc1:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:        192.168.0.6
> Address:    192.168.0.6#53
>
> samdom.example.com
>     origin = dc2.samdom.example.com
>     mail addr = hostmaster.samdom.example.com
>     serial = 101
>     refresh = 900
>     retry = 600
>     expire = 86400
>     minimum = 3600
> > exit
>
> root at dc2:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:        192.168.0.5
> Address:    192.168.0.5#53
>
> samdom.example.com
>     origin = dc1.samdom.example.com
>     mail addr = hostmaster.samdom.example.com
>     serial = 101
>     refresh = 900
>     retry = 600
>     expire = 86400
>     minimum = 3600
> > exit
>
> Here, each DC shows the other as being the NS, so what happens if we 
> turn off the first DC?
>
> root at dc2:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:        192.168.0.6
> Address:    192.168.0.6#53
>
> samdom.example.com
>     origin = dc2.samdom.example.com
>     mail addr = hostmaster.samdom.example.com
>     serial = 101
>     refresh = 900
>     retry = 600
>     expire = 86400
>     minimum = 3600
> > exit
>
> Now the second DC shows itself as being the NS.
>
> It seems that the internal dns server works very differently from Bind9.
>
> Conclusions? From my very limited testing, it would seem that, whilst 
> it will work if you use multiple DCs running the internal dns servers, 
> it would probably be better to use Bind9 instead.
>
> Rowland

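The comparison Rowland describes can be turned into a repeatable check. The following Python script is an added example, not code from the list post or from the Samba project: for each DC it takes the answer that DC gives to an SOA and an NS query for the zone and flags any DC that does not name itself as the SOA primary (mname) or is missing from the NS set, which is exactly the difference between the internal DNS and the BIND9 results above. The sample answers are constructed from the nslookup output and the dnsRecord dump in the post (for the BIND9 domain the NS set is assumed to contain both DCs, which the post does not show); `live_view` is a hypothetical helper that would gather the same data with `dig` and is not run here.

```python
"""Audit which host each DC advertises as the SOA primary for an AD DNS zone.

Added example, not from the samba list post or the Samba project. The sample
answers are constructed from the figures quoted in the post; for a live check
replace them with the output of
    dig @<dc> <zone> SOA +short      and      dig @<dc> <zone> NS +short
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneView:
    server: str        # DC that was queried
    soa_mname: str     # primary name server named in that DC's SOA answer
    ns: frozenset      # NS names that DC returns for the zone


def _norm(name):
    """Canonicalise a DNS name: drop the trailing dot, lower-case."""
    return name.rstrip(".").lower()


def parse_dig_short(server, soa_short, ns_short):
    """Build a ZoneView from `dig +short` output (one SOA line, N NS lines)."""
    fields = soa_short.split()
    if len(fields) != 7:        # mname rname serial refresh retry expire minimum
        raise ValueError("unexpected SOA answer: %r" % soa_short)
    return ZoneView(_norm(server), _norm(fields[0]),
                    frozenset(_norm(n) for n in ns_short.split()))


def audit(views):
    """Return findings; an empty list means every DC names itself as SOA primary
    and appears in its own NS set, i.e. the zone survives losing any one DC."""
    findings = []
    for v in views:
        if v.server not in v.ns:
            findings.append("%s: not listed in its own NS set %s"
                            % (v.server, sorted(v.ns)))
        if v.soa_mname != v.server:
            findings.append("%s: SOA mname is %s, so anything locating the "
                            "primary via the SOA is sent to another DC even "
                            "when this DC is the only one left up"
                            % (v.server, v.soa_mname))
    return findings


def live_view(server, zone):
    """Hypothetical helper: query a real DC with dig (not executed here)."""
    def dig(rtype):
        return subprocess.run(["dig", "@" + server, zone, rtype, "+short"],
                              capture_output=True, text=True, check=True).stdout
    return parse_dig_short(server, dig("SOA").strip(), dig("NS"))


# Constructed sample 1: Samba internal DNS, transcribed from the post. Both DCs
# hold NS records, but testdc2 still answers with testdc1 as the SOA mname.
INTERNAL_DNS = [
    parse_dig_short("testdc1.home.lan",
                    "testdc1.home.lan. hostmaster.home.lan. 1 900 600 86400 3600",
                    "testdc1.home.lan.\ntestdc2.home.lan.\n"),
    parse_dig_short("testdc2.home.lan",
                    "testdc1.home.lan. hostmaster.home.lan. 1 900 600 86400 3600",
                    "testdc1.home.lan.\ntestdc2.home.lan.\n"),
]

# Constructed sample 2: BIND9 DLZ back end, where each DC names itself as mname.
# The NS set is an assumption; the post only shows the SOA answers.
BIND9 = [
    parse_dig_short("dc1.samdom.example.com",
                    "dc1.samdom.example.com. hostmaster.samdom.example.com. "
                    "101 900 600 86400 3600",
                    "dc1.samdom.example.com.\ndc2.samdom.example.com.\n"),
    parse_dig_short("dc2.samdom.example.com",
                    "dc2.samdom.example.com. hostmaster.samdom.example.com. "
                    "101 900 600 86400 3600",
                    "dc1.samdom.example.com.\ndc2.samdom.example.com.\n"),
]

if __name__ == "__main__":
    for label, views in (("internal DNS", INTERNAL_DNS), ("BIND9", BIND9)):
        print("%s: %s" % (label, audit(views) or "OK"))
```

Run the live variant from a member server against every DC with the first DC powered off before trusting failover. The reason the finding matters beyond a cosmetic mismatch is that clients which locate a zone's primary through the SOA, RFC 2136 dynamic-update clients in particular, will be steered at the mname host; if that host is the one that is down, the update fails even though a perfectly good DC answered the query.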