[Samba] Samba 4.3.0 and DNS entries missing for DCs

Thierry Hotelier Thierry.Hotelier at supagro.fr
Thu Nov 19 14:44:40 UTC 2015


Hello,
we've just upgraded from samba 3.6.6 to samba 4.3.0. We are using INTERNAL as dns backend. We have 1 domain and 6 DCs on 5 different sites. Replication between DCs is ok as we can see with "samba-tool drs showrepl". We configured them like it is described on the wiki and used the RSAT tool "Sites and services" to add sites, subnets, links ... But for the 4 DCs not on our main site, some DNS entries are missing and it is not possible to add them with samba_dnsupdate (part of the result of the command below).
As described by other people recently we need to put "allow dns updates = nonsecure" in smb.conf in order to have dynamic DNS work.
Is it correct to think that these DCs are not used by the clients? And that adding the missing dns entries is sufficient to correct the problem?
I've slightly modified samba_dnsupdate in order to collect the commands sent to nsupdate (the temporary files are not deleted). What is the best way to add these entries? I think of either executing them on the "pdc" or trying to execute nsupdate without option -g.

Regards,
Thierry

# samba_dnsupdate --verbose
IPs: ['192.168.0.1']
Looking for DNS entry A dc-site1.samdom.example.lan 192.168.0.1 as dc-site1.samdom.example.lan.
Looking for DNS entry A samdom.example.lan 192.168.0.1 as samdom.example.lan.
Failed to find matching DNS entry A samdom.example.lan 192.168.0.1
Looking for DNS entry SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.samdom.example.lan.
Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.dc._msdcs.samdom.example.lan.
Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Looking for DNS entry SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 as _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan.
Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389

[.....]

Calling nsupdate for A samdom.example.lan 192.168.0.1 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samdom.example.lan.    900    IN    A    192.168.0.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.samdom.example.lan. 900 IN    SRV    0 100 389 dc-site1.samdom.example.lan.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.samdom.example.lan. 900 IN SRV 0 100 389 dc-site1.samdom.example.lan.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan. 900 IN    SRV 0 100 389 dc-site1.samdom.example.lan.

[.....]

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan. 900 IN SRV 0 100 389 dc-site1.samdom.example.lan.

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 24 entries
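An added example, not part of the original post and not Samba's own tooling: a small Python script that turns the "Failed to find matching DNS entry" lines from samba_dnsupdate --verbose output like the above into authenticated samba-tool dns add commands. Adding the records through samba-tool's RPC path with a domain administrator credential sidesteps the failing GSS-TSIG nsupdate ("TKEY is unacceptable") without relaxing the zone to "allow dns updates = nonsecure", which would let any host on the network write records. Assumptions made here: the verbose lines are on single lines (mail clients fold them, as in the post), the domain is samdom.example.lan, the zones are _msdcs.<domain> and <domain> as Samba provisions them, and SRV priority/weight are the 0 and 100 the "Checking" lines compare against. The sample output embedded below is constructed from the post's values.

```python
import re
import shlex

# Constructed sample in the shape samba_dnsupdate --verbose prints,
# using the names from the post, one record per line (not folded).
SAMPLE_VERBOSE = """\
IPs: ['192.168.0.1']
Looking for DNS entry A dc-site1.samdom.example.lan 192.168.0.1 as dc-site1.samdom.example.lan.
Looking for DNS entry A samdom.example.lan 192.168.0.1 as samdom.example.lan.
Failed to find matching DNS entry A samdom.example.lan 192.168.0.1
Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
Failed to find matching DNS entry SRV _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan dc-site1.samdom.example.lan 389
"""

FAILED_RE = re.compile(r"^Failed to find matching DNS entry (\S+) (.+)$")


def split_zone(fqdn, domain):
    """Return (zone, relative_name) for an FQDN.

    Samba AD provisions _msdcs.<domain> as a zone of its own, so it is
    tried before the domain zone; the zone apex is written as "@".
    """
    for zone in ("_msdcs." + domain, domain):
        if fqdn == zone:
            return zone, "@"
        if fqdn.endswith("." + zone):
            return zone, fqdn[: -len(zone) - 1]
    raise ValueError("%s is not under %s" % (fqdn, domain))


def missing_records(verbose_output, domain):
    """Parse 'Failed to find matching DNS entry' lines into
    (zone, name, rtype, data) tuples, data in samba-tool dns add format."""
    records = []
    for line in verbose_output.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        rtype, rest = m.group(1), m.group(2).split()
        zone, name = split_zone(rest[0], domain)
        if rtype in ("A", "AAAA", "CNAME"):
            data = rest[1]
        elif rtype == "SRV":
            # samba_dnsupdate prints "<target> <port>"; priority 0 and
            # weight 100 are what its "Checking 0 100 ..." lines compare.
            # samba-tool wants "target port priority weight".
            data = "%s %s 0 100" % (rest[1], rest[2])
        else:
            raise ValueError("unhandled record type %s in: %s" % (rtype, line))
        records.append((zone, name, rtype, data))
    return records


def samba_tool_commands(records, server, user="Administrator"):
    """Render one authenticated 'samba-tool dns add' per missing record.
    The target server and user are assumptions; adjust to your DC."""
    cmds = []
    for zone, name, rtype, data in records:
        cmds.append("samba-tool dns add %s %s %s %s %s -U %s" % (
            shlex.quote(server), shlex.quote(zone), shlex.quote(name),
            rtype, shlex.quote(data), shlex.quote(user)))
    return cmds


if __name__ == "__main__":
    recs = missing_records(SAMPLE_VERBOSE, "samdom.example.lan")
    for cmd in samba_tool_commands(recs, "dc-site1.samdom.example.lan"):
        print(cmd)
```

Pipe the real output through this (after unfolding any wrapped lines) and review the generated commands before running them; samba-tool dns add refuses to add a record that already exists, so nothing is overwritten silently. Afterwards re-run samba_dnsupdate --verbose on the DC and confirm it no longer reports the entries as missing.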