[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

James lingpanda101 at gmail.com
Mon Dec 28 14:06:55 UTC 2015


On 12/24/2015 11:32 AM, Rowland penny wrote:
> On 24/12/15 15:32, mathias dufresne wrote:
>> And to get mentioned entries list I used:
>> "samba_dnsupdate --verbose --all-names | grep Default-First-Site-name"
>>
>> This list 8 DNS records related to Default Site.
>>
>> Next was to change Default-First... by the name of another AD Site 
>> (sed is
>> still working :p)
>>
>> I was able to create DNS entries which were missing for one of my sites.
>>
>> Next, test:
>> Back on one Windows on the network associated to that AD Site, reboot 
>> it,
>> and tcpdump on my DNS server (all requests goes through this DNS server)
>>
>> 1° Site related DNS SRV request:
>> 35752:15:24:38.907301 IP 10.156.248.244.64390 >
>> dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ *SRV?
>> _ldap._tcp.authentification._sites.dc.*_msdcs.ad.dgfip.finances.gouv.fr.
>> (88)
>> 2° Site related DNS SRV reply:
>> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain >
>> 10.156.248.244.64390: 23013 2/2/4 *SRV* 
>> *m705.ad.dgfip.finances.gouv.fr.:389
>> 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100* (291)
>>
>> 3° Then A request on one DC returned by previous request:
>> 35754-15:24:38.908731 IP 10.156.248.244.56932 >
>> dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ *A?
>> m705.ad.dgfip.finances.gouv.fr <http://m705.ad.dgfip.finances.gouv.fr>*.
>> (48)
>> 4° the reply:
>> 35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain >
>> 10.156.248.244.56932: 16037 1/2/2 *A 10.156.248.222* (135)
>>
>> Now my Windows clients receive answer when they request SRV record
>> according to the AD site they belong to.
>>
>> I must say I've also manually declared each DC as NS. As explained
>> yesterday evening I don't think this should be important (even if I 
>> say the
>> contrary few weeks ago).
>> NS record should be used only when clients use a DNS server which is 
>> not AD
>> DNS and if the declared DNS server on client do not need to ask upper 
>> level
>> for NS.
>> This is so badly described here is an example of my thought:
>> With AD Domain = samba.org
>> and Win_client -> DNS server non-AD and nothing configured on this 
>> DNS to
>> help it to find samba.org name servers
>>
>> When Win_client request DNS server about samba.org, as DNS server do not
>> know anything about samba.org, the DNS server would ask to root DNS 
>> server
>> (the one for ORG) which servers are responsible for samba.org. Here 
>> is the
>> case where NS should be used.
>>
>> And with my lack of knowledge about DNS I don't see any other case 
>> where NS
>> should be used.
>>
>>
>>
>>
>>
>
> Hi Mathias, one of the problems with your setup, is that you seem to 
> be running dns differently from what Samba (and for that matter, 
> windows) recommends, you seem to be using a dns server that is not an 
> AD DC.
>
> Normally to find a DC, you would ask the dns server that is 
> authoritative for the domain, with a Samba AD domain this is usually a 
> DC, and is identified by its SOA record, which is supposed to contain 
> the authoritative name servers.
> Now, with a Samba domain, if you use the internal dns server, you only 
> get *one*  authoritative name server even if you add the required 
> records to the domain SOA. The net result is, if the first DC in the 
> domain goes down, you don't have an authoritative name server. If you 
> use bind9 instead of the internal dns server, each DC becomes 
> authoritative for the domain after you add the required records to the 
> domain SOA.
>
> As you are using bind9 (although in a non recommended way), each of 
> your DCs will be authoritative as you have added the required records.
>
> When I get the time, I will create a bug report for this, this will 
> probably be after Christmas though.
>
> Rowland
>
>
I'm using the internal DNS and I have all the necessary SRV records for 
all my sites and DC's. They were created automatically by Samba. You 
should have the following if missing.

Forward Lookup 
Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp Forward 
Lookup Zones/Domain_Name/_msdcs/dc/_tcp

You should have a SRV record for the following.

_kerberos

and

_ldap

-- 
-James



More information about the samba mailing list