[Samba] Samba 4.3.0 and DNS entries missing for DCs

James lingpanda101 at gmail.com
Thu Nov 19 15:24:22 UTC 2015


On 11/19/2015 9:44 AM, Thierry Hotelier wrote:
> hello,
> we've just upgraded from samba 3.6.6 to samba 4.3.0. We are using 
> INTERNAL as dns backend. We have 1 domain and 6 DCs on 5 different 
> sites. Replication between DCs is ok as we can see with "samba-tool 
> drs showrepl". We configured them like it is described on the wiki and 
> used the RSAT tool "Sites and services" to add sites, subnets, links 
> ... But for the 4 DCs not on our main site, some DNS entries are 
> missing and it is not possible to add them with samba_dnsupdate (part 
> of the result of the command below).
> As described by other people recently we need to put "allow dns 
> updates = nonsecure" in smb.conf in order to have dynamic DNS to work.
> Is it correct to think that these DCs are not used by the clients ? 
> And that adding the dns entries missing is sufficient to correct the 
> problem ?
> I've slightly modified samba_dnsupdate in order to collect the 
> commands sent to nsupdate (the temporary files are not deleted). What 
> is the better way to add these entries ? I think of either executing 
> them on the "pdc" or trying to execute nsupdate without option -g.
>
> Regards,
> Thierry
>
> # samba_dnsupdate --verbose
> IPs: ['192.168.0.1']
> Looking for DNS entry A dc-site1.samdom.example.lan 192.168.0.1 as 
> dc-site1.samdom.example.lan.
> Looking for DNS entry A samdom.example.lan 192.168.0.1 as 
> samdom.example.lan.
> Failed to find matching DNS entry A samdom.example.lan 192.168.0.1
> Looking for DNS entry SRV _ldap._tcp.samdom.example.lan 
> dc-site1.samdom.example.lan 389 as _ldap._tcp.samdom.example.lan.
> Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV 
> _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
> Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV 
> _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
> Failed to find matching DNS entry SRV _ldap._tcp.samdom.example.lan 
> dc-site1.samdom.example.lan 389
> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan 
> dc-site1.samdom.example.lan 389 as 
> _ldap._tcp.dc._msdcs.samdom.example.lan.
> Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV 
> _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
> Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV 
> _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
> Failed to find matching DNS entry SRV 
> _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
> Looking for DNS entry SRV 
> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan 
> dc-site1.samdom.example.lan 389 as 
> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan.
> Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV 
> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan 
> dc-site1.samdom.example.lan 389
> Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV 
> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan 
> dc-site1.samdom.example.lan 389
> Failed to find matching DNS entry SRV 
> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan 
> dc-site1.samdom.example.lan 389
>
> [.....]
>
> Calling nsupdate for A samdom.example.lan 192.168.0.1 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> samdom.example.lan.    900    IN    A    192.168.0.1
>
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed nsupdate: 1
> Calling nsupdate for SRV _ldap._tcp.samdom.example.lan 
> dc-site1.samdom.example.lan 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.samdom.example.lan. 900 IN    SRV    0 100 389 
> dc-site1.samdom.example.lan.
>
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed nsupdate: 1
> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.example.lan 
> dc-site1.samdom.example.lan 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.dc._msdcs.samdom.example.lan. 900 IN SRV 0 100 389 
> dc-site1.samdom.example.lan.
>
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed nsupdate: 1
> Calling nsupdate for SRV 
> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan 
> dc-site1.samdom.example.lan 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan. 
> 900 IN    SRV 0 100 389 dc-site1.samdom.example.lan.
>
> [.....]
>
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed nsupdate: 1
> Calling nsupdate for SRV 
> _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan 
> dc-site1.samdom.example.lan 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan. 900 IN SRV 
> 0 100 389 dc-site1.samdom.example.lan.
>
> dns_tkey_negotiategss: TKEY is unacceptable
> Failed nsupdate: 1
> Failed update of 24 entries
>
>
>
> Is it correct to think that these DCs are not used by the clients?
Your clients will not be able to use any DC where SRV records are 
missing for a requested service.

> And that adding the dns entries missing is sufficient to correct the 
> problem?
It should be. You can verify by using nslookup from a client in each site.

> What is the better way to add these entries?
I would use the Windows DNS snap-in or samba-tool.



-- 
-James
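The samba-tool route James suggests can be driven straight from the failed samba_dnsupdate output: every "Calling nsupdate for ... (add)" line names the record type, the fully qualified name and the data, which is all `samba-tool dns add` needs. The script below is an added example written for this page, not code from the thread or from the Samba project. It reads `samba_dnsupdate --verbose` output on stdin and prints (does not run) the equivalent `samba-tool dns add` commands, so the records go in over Samba's authenticated DCE/RPC interface rather than through the GSS-TSIG (TKEY) dynamic update that failed. Assumptions: a Samba-provisioned domain has exactly two zones, `<domain>` and `_msdcs.<domain>`; `@` is accepted as the zone-apex name; the sample input at the bottom is constructed from the lines in the post, with the wrapped lines rejoined, and the DC name `dc-princ1` is taken from the post's output.

```shell
#!/bin/sh
# Convert the "Calling nsupdate for ... (add)" lines of a failed
# `samba_dnsupdate --verbose` run into `samba-tool dns add` commands.
# Nothing is executed: review the output, then run it on a DC as a
# domain admin (e.g. save to fix.sh and run `sh fix.sh`).
#
# Usage: samba_dnsupdate --verbose 2>&1 | sh dnsupdate2sambatool.sh samdom.example.lan dc-princ1
# With no arguments it runs on the constructed sample at the bottom.
set -eu

# Map a fully qualified record name to "<zone> <relative-name>".
# Assumption: a Samba-provisioned domain has two zones, <domain> and
# _msdcs.<domain>, and "@" is accepted for a record at the zone apex.
split_zone() {
  fqdn=$1; domain=$2
  case "$fqdn" in
    "$domain")          echo "$domain @" ;;
    "_msdcs.$domain")   echo "_msdcs.$domain @" ;;
    *"._msdcs.$domain") echo "_msdcs.$domain ${fqdn%._msdcs.$domain}" ;;
    *".$domain")        echo "$domain ${fqdn%.$domain}" ;;
    *) echo "skipping name outside $domain: $fqdn" >&2; return 1 ;;
  esac
}

# Read samba_dnsupdate output on stdin; print one samba-tool command per
# record that samba_dnsupdate tried to add. SRV priority/weight are fixed
# at 0/100, the values samba_dnsupdate itself registers for DC records.
gen_samba_tool_cmds() {
  domain=$1; server=$2
  while IFS= read -r line; do
    case "$line" in
      "Calling nsupdate for "*" (add)") ;;   # only the records that were being added
      *) continue ;;
    esac
    line=${line#"Calling nsupdate for "}
    line=${line%" (add)"}
    set -- $line                             # word-split into <type> <fqdn> <data...>
    [ $# -ge 3 ] || continue
    type=$1; fqdn=$2
    zone_rel=$(split_zone "$fqdn" "$domain") || continue
    zone=${zone_rel%% *}; rel=${zone_rel#* }
    case "$type" in
      A|AAAA) data=$3 ;;
      # samba-tool expects SRV data as "<target> <port> <priority> <weight>"
      SRV)    data="$3 $4 0 100" ;;
      *)      echo "skipping unsupported record type $type for $fqdn" >&2; continue ;;
    esac
    printf 'samba-tool dns add %s %s %s %s "%s"\n' "$server" "$zone" "$rel" "$type" "$data"
  done
}

# Constructed sample (not a real capture): the failing entries from the
# post, with the mail-wrapped lines rejoined onto single lines.
SAMPLE='Calling nsupdate for A samdom.example.lan 192.168.0.1 (add)
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Calling nsupdate for SRV _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan dc-site1.samdom.example.lan 389 (add)
Failed update of 24 entries'

if [ $# -ge 2 ]; then
  gen_samba_tool_cmds "$1" "$2"
else
  printf '%s\n' "$SAMPLE" | gen_samba_tool_cmds samdom.example.lan dc-princ1
fi
```

Run it against a real `samba_dnsupdate --verbose` capture on each DC whose records are missing, read the generated commands before executing them, and then check from a client in each site that the records resolve, for example `nslookup -type=SRV _ldap._tcp.dc._msdcs.samdom.example.lan` against that site's DC. Recent samba_dnsupdate releases also accept `--use-samba-tool`, which performs the same substitution internally; check `samba_dnsupdate --help` on your version before relying on it.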


