[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Mon Dec 28 14:21:24 UTC 2015


On 28/12/15 14:06, James wrote:
> On 12/24/2015 11:32 AM, Rowland penny wrote:
>> On 24/12/15 15:32, mathias dufresne wrote:
>>> And to get mentioned entries list I used:
>>> "samba_dnsupdate --verbose --all-names | grep Default-First-Site-name"
>>>
>>> This lists 8 DNS records related to the Default Site.
>>>
>>> Next was to change Default-First... by the name of another AD Site (sed is still working :p)
>>>
>>> I was able to create DNS entries which were missing for one of my sites.
>>>
>>> Next, test:
>>> Back on one Windows machine on the network associated to that AD Site, reboot it,
>>> and tcpdump on my DNS server (all requests go through this DNS server)
>>>
>>> 1° Site related DNS SRV request:
>>> 35752:15:24:38.907301 IP 10.156.248.244.64390 >
>>> dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ SRV?
>>> _ldap._tcp.authentification._sites.dc._msdcs.ad.dgfip.finances.gouv.fr. (88)
>>> 2° Site related DNS SRV reply:
>>> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain >
>>> 10.156.248.244.64390: 23013 2/2/4 SRV m705.ad.dgfip.finances.gouv.fr.:389
>>> 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100 (291)
>>>
>>> 3° Then A request on one DC returned by previous request:
>>> 35754-15:24:38.908731 IP 10.156.248.244.56932 >
>>> dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ A? m705.ad.dgfip.finances.gouv.fr. (48)
>>> 4° the reply:
>>> 35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain >
>>> 10.156.248.244.56932: 16037 1/2/2 A 10.156.248.222 (135)
>>>
>>> Now my Windows clients receive an answer when they request the SRV record
>>> according to the AD site they belong to.
>>>
>>> I must say I've also manually declared each DC as NS. As explained
>>> yesterday evening I don't think this should be important (even if I said
>>> the contrary a few weeks ago).
>>> NS records should be used only when clients use a DNS server which is
>>> not AD DNS, and if the declared DNS server on the client does not need to
>>> ask the upper level for NS.
>>> This is so badly described, here is an example of my thought:
>>> With AD Domain = samba.org
>>> and Win_client -> non-AD DNS server, with nothing configured on this DNS
>>> to help it find the samba.org name servers
>>>
>>> When Win_client asks the DNS server about samba.org, as the DNS server does
>>> not know anything about samba.org, the DNS server would ask the root DNS
>>> server (the one for ORG) which servers are responsible for samba.org.
>>> Here is the case where NS should be used.
>>>
>>> And with my lack of knowledge about DNS I don't see any other case where
>>> NS should be used.
>>>
>>
>> Hi Mathias, one of the problems with your setup is that you seem to 
>> be running dns differently from what Samba (and for that matter, 
>> windows) recommends: you seem to be using a dns server that is not an 
>> AD DC.
>>
>> Normally to find a DC, you would ask the dns server that is 
>> authoritative for the domain, with a Samba AD domain this is usually 
>> a DC, and is identified by its SOA record, which is supposed to 
>> contain the authoritative name servers.
>> Now, with a Samba domain, if you use the internal dns server, you 
>> only get *one* authoritative name server even if you add the 
>> required records to the domain SOA. The net result is, if the first 
>> DC in the domain goes down, you don't have an authoritative name 
>> server. If you use bind9 instead of the internal dns server, each DC 
>> becomes authoritative for the domain after you add the required 
>> records to the domain SOA.
>>
>> As you are using bind9 (although in a non-recommended way), each of 
>> your DCs will be authoritative as you have added the required records.
>>
>> When I get the time, I will create a bug report for this, this will 
>> probably be after Christmas though.
>>
>> Rowland
>>
>>
> I'm using the internal DNS and I have all the necessary SRV records 
> for all my sites and DCs. They were created automatically by Samba. 
> You should have the following if they are missing.
>
> Forward Lookup 
> Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp 
> Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp
>
> You should have an SRV record for the following.
>
> _kerberos
>
> and
>
> _ldap
>

Ah, I think you are missing the point here James: yes, you need all the 
SRV records etc. that you refer to, but, from my testing, if you use the 
internal dns server, you will only have one authoritative nameserver for 
the dns domain, even if you add the NS & A records to the zone SOA.
I cannot log into the second DC via ssh if I turn off the first DC, 
something that does work if I use the bind9 server.

Rowland
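As an added example (not part of this thread and not Samba's own tooling), here is a small Python check of the point discussed above: it parses `dig +short` answers for the site-specific SRV records and for the zone's NS set and reports which DCs are not advertised, so the same check can be run against each DC's DNS with the other DC switched off. The `query` and `audit` helpers are my own, and the sample dig answers are constructed, reusing the names from Mathias's capture.

```python
import subprocess

# DCs and site come from the thread; the dig answers below are CONSTRUCTED.
DOMAIN = "ad.dgfip.finances.gouv.fr"
SITE = "authentification"
DCS = ["m705." + DOMAIN, "m706." + DOMAIN]
# 'dig +short SRV' for the site record with both DCs advertised ...
SAMPLE_SRV = "0 100 389 m705.ad.dgfip.finances.gouv.fr.\n0 100 389 m706.ad.dgfip.finances.gouv.fr.\n"
# ... and 'dig +short NS' for the zone on the internal DNS server: one DC only
SAMPLE_NS = "m705.ad.dgfip.finances.gouv.fr.\n"

def site_srv_names(domain, site):
    """Names a client queries to locate a DC for its AD site (see the capture)."""
    base = f"_sites.dc._msdcs.{domain}"
    return [f"_ldap._tcp.{site}.{base}", f"_kerberos._tcp.{site}.{base}"]

def parse_srv_targets(dig_short_output):
    """'dig +short SRV' prints 'prio weight port target.' per line."""
    targets = set()
    for line in dig_short_output.splitlines():
        fields = line.split()
        if len(fields) == 4:
            targets.add(fields[3].rstrip(".").lower())
    return targets

def parse_ns_targets(dig_short_output):
    """'dig +short NS' prints one name server per line."""
    return {ln.strip().rstrip(".").lower()
            for ln in dig_short_output.splitlines() if ln.strip()}

def missing_dcs(expected_dcs, advertised):
    """DCs that should be advertised but are absent from the answer."""
    return sorted({d.lower() for d in expected_dcs} - advertised)

def query(name, rtype, server):
    """Live lookup via dig (hypothetical helper; needs dig and a reachable DC)."""
    proc = subprocess.run(["dig", "+short", "@" + server, rtype, name],
                          capture_output=True, text=True, check=False)
    return proc.stdout

def audit(domain, site, dcs, server):
    """Return {record: [missing DCs]}; run against each DC with the other off."""
    report = {n: missing_dcs(dcs, parse_srv_targets(query(n, "SRV", server)))
              for n in site_srv_names(domain, site)}
    report[domain + " NS"] = missing_dcs(dcs, parse_ns_targets(query(domain, "NS", server)))
    return report

if __name__ == "__main__":
    print("SRV missing:", missing_dcs(DCS, parse_srv_targets(SAMPLE_SRV)))
    print("NS missing:", missing_dcs(DCS, parse_ns_targets(SAMPLE_NS)))
```

With the constructed answers the SRV set is complete but the NS set reports m706 as missing, which is the single-authoritative-server situation described above.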
