[Samba] Samba 4.3.0 and DNS entries missing for DCs

mathias dufresne infractory at gmail.com
Thu Nov 19 16:52:43 UTC 2015


Here is an awk script to add missing entries. In fact it adds all entries
returned by samba_dnsupdate and generates non-blocking errors when the entry
already exists.

To use it:
samba_dnsupdate --verbose --all-names | awk -f /path/to/script.awk

Don't forget to change variables in BEGIN section to suit your domain
configuration.

It seems to me samba_dnsupdate is mainly interested in the local DC. To force
creation of all entries you may have to run that command on all your DCs.

where /path/to/script.awk contains:
---------------------------------------------------------------------
#!/usr/bin/awk -f
# Reads the output of: samba_dnsupdate --verbose --all-names
# and adds every record shown in an "UPDATE SECTION:" block with
# samba-tool. Entries which already exist give a non-blocking error.

BEGIN {
  ad_zone = "YOUR.DOMAIN.TLD"
  msdcs_zone = "_msdcs." ad_zone
  dns_server = "YOUR-DC"
}

# Name relative to its zone, as samba-tool expects; "@" is the zone apex.
function relname(name, zone,    suffix) {
  suffix = "." zone "."
  if (name == zone ".")
    return "@"
  if (substr(name, length(name) - length(suffix) + 1) == suffix)
    return substr(name, 1, length(name) - length(suffix))
  return name
}

function run(cmd) {
  print cmd
  system(cmd)
}

/UPDATE SECTION:/ {
  getline                     # the record follows on the next line
  # fields: name ttl class type rdata... (nsupdate mixes tabs and spaces,
  # so test the fields rather than matching "IN A" literally)
  if (NF < 5 || $3 != "IN")
    next
  # records below _msdcs belong to the separate _msdcs zone
  zone = ($1 ~ /_msdcs/) ? msdcs_zone : ad_zone
  record = relname($1, zone)
  if ($4 == "A") {
    # rdata: address
    run("samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes")
  }
  if ($4 == "SRV") {
    # rdata: priority weight port target; samba-tool wants the SRV data
    # as 'target port priority weight'
    run("samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes")
  }
}
---------------------------------------------------------------------
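The same translation in Python, as an added example that is not part of the original post: it parses the record printed after each "UPDATE SECTION:" header of samba_dnsupdate's verbose output and builds the matching samba-tool command, handling the zone apex ("@"), the separate _msdcs zone and the SRV field order. The sample input is constructed from the records quoted in this thread; the zone and DC names are assumptions.

```python
# Constructed sample in the format of `samba_dnsupdate --verbose`, with the
# mixed tabs and spaces nsupdate prints (records taken from the thread).
SAMPLE = """\
;; UPDATE SECTION:
samdom.example.lan.\t900\tIN\tA\t192.168.0.1
dns_tkey_negotiategss: TKEY is unacceptable
;; UPDATE SECTION:
_ldap._tcp.samdom.example.lan. 900 IN\tSRV\t0 100 389 dc-site1.samdom.example.lan.
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.samdom.example.lan. 900 IN SRV 0 100 389 dc-site1.samdom.example.lan.
"""

def in_zone(fqdn, zone):
    """True if the absolute name is the apex of, or lies below, the zone."""
    return fqdn == zone + "." or fqdn.endswith("." + zone + ".")

def relative_name(fqdn, zone):
    """Name relative to the zone as samba-tool wants it; '@' for the apex."""
    if not in_zone(fqdn, zone):
        raise ValueError(f"{fqdn} is not in zone {zone}")
    return "@" if fqdn == zone + "." else fqdn[: -len("." + zone + ".")]

def update_records(text):
    """Yield the fields of the record printed after each 'UPDATE SECTION:'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == ";; UPDATE SECTION:" and i + 1 < len(lines):
            yield lines[i + 1].split()

def samba_tool_commands(text, ad_zone, dns_server):
    """Translate each A/SRV record into the equivalent `samba-tool dns add`."""
    msdcs_zone = "_msdcs." + ad_zone
    cmds = []
    for fields in update_records(text):
        if len(fields) < 5:
            continue
        name, _ttl, _cls, rtype, *rdata = fields
        # records under _msdcs belong to the separate _msdcs zone
        zone = msdcs_zone if in_zone(name, msdcs_zone) else ad_zone
        rec = relative_name(name, zone)
        if rtype == "A":
            data = rdata[0]
        elif rtype == "SRV":
            prio, weight, port, target = rdata          # nsupdate order
            data = f"'{target} {port} {prio} {weight}'"  # samba-tool order
        else:
            continue
        cmds.append(f"samba-tool dns add {dns_server} {zone} {rec} {rtype} {data} --kerberos=yes")
    return cmds
```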

2015-11-19 16:24 GMT+01:00 James <lingpanda101 at gmail.com>:

> On 11/19/2015 9:44 AM, Thierry Hotelier wrote:
>
>> hello,
>> we've just upgraded from samba 3.6.6 to samba 4.3.0. We are using
>> INTERNAL as dns backend. We have 1 domain and 6 DCs on 5 different sites.
>> Replication between DCs is ok as we can see with "samba-tool drs showrepl".
>> We configured them like it is described on the wiki and used the RSAT tool
>> "Sites and services" to add sites, subnets, links ... But for the 4 DCs not
>> on our main site, some DNS entries are missing and it is not possible to
>> add them with samba_dnsupdate (part of the result of the command below).
>> As described by other people recently we need to put "allow dns updates =
>> nonsecure" in smb.conf in order to get dynamic DNS to work.
>> Is it correct to think that these DCs are not used by the clients? And
>> that adding the dns entries missing is sufficient to correct the problem?
>> I've slightly modified samba_dnsupdate in order to collect the commands
>> sent to nsupdate (the temporary files are not deleted). What is the better
>> way to add these entries? I think of either executing them on the "pdc" or
>> trying to execute nsupdate without option -g.
>>
>> Regards,
>> Thierry
>>
>> # samba_dnsupdate --verbose
>> IPs: ['192.168.0.1']
>> Looking for DNS entry A dc-site1.samdom.example.lan 192.168.0.1 as
>> dc-site1.samdom.example.lan.
>> Looking for DNS entry A samdom.example.lan 192.168.0.1 as
>> samdom.example.lan.
>> Failed to find matching DNS entry A samdom.example.lan 192.168.0.1
>> Looking for DNS entry SRV _ldap._tcp.samdom.example.lan
>> dc-site1.samdom.example.lan 389 as _ldap._tcp.samdom.example.lan.
>> Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV
>> _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
>> Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV
>> _ldap._tcp.samdom.example.lan dc-site1.samdom.example.lan 389
>> Failed to find matching DNS entry SRV _ldap._tcp.samdom.example.lan
>> dc-site1.samdom.example.lan 389
>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samdom.example.lan
>> dc-site1.samdom.example.lan 389 as _ldap._tcp.dc._msdcs.samdom.example.lan.
>> Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV
>> _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
>> Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV
>> _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
>> Failed to find matching DNS entry SRV
>> _ldap._tcp.dc._msdcs.samdom.example.lan dc-site1.samdom.example.lan 389
>> Looking for DNS entry SRV
>> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan
>> dc-site1.samdom.example.lan 389 as
>> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan.
>> Checking 0 100 389 dc-princ1.samdom.example.lan. against SRV
>> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan
>> dc-site1.samdom.example.lan 389
>> Checking 0 100 389 dc-princ2.samdom.example.lan. against SRV
>> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan
>> dc-site1.samdom.example.lan 389
>> Failed to find matching DNS entry SRV
>> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan
>> dc-site1.samdom.example.lan 389
>>
>> [.....]
>>
>> Calling nsupdate for A samdom.example.lan 192.168.0.1 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> samdom.example.lan.    900    IN    A    192.168.0.1
>>
>> dns_tkey_negotiategss: TKEY is unacceptable
>> Failed nsupdate: 1
>> Calling nsupdate for SRV _ldap._tcp.samdom.example.lan
>> dc-site1.samdom.example.lan 389 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.samdom.example.lan. 900 IN    SRV    0 100 389
>> dc-site1.samdom.example.lan.
>>
>> dns_tkey_negotiategss: TKEY is unacceptable
>> Failed nsupdate: 1
>> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.example.lan
>> dc-site1.samdom.example.lan 389 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.dc._msdcs.samdom.example.lan. 900 IN SRV 0 100 389
>> dc-site1.samdom.example.lan.
>>
>> dns_tkey_negotiategss: TKEY is unacceptable
>> Failed nsupdate: 1
>> Calling nsupdate for SRV
>> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan
>> dc-site1.samdom.example.lan 389 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.4e70c2a8-652f-41f9-8713-385fcd661d44.domains._msdcs.samdom.example.lan.
>> 900 IN    SRV 0 100 389 dc-site1.samdom.example.lan.
>>
>> [.....]
>>
>> dns_tkey_negotiategss: TKEY is unacceptable
>> Failed nsupdate: 1
>> Calling nsupdate for SRV
>> _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan
>> dc-site1.samdom.example.lan 389 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.SITE1._sites.ForestDnsZones.samdom.example.lan. 900 IN SRV 0
>> 100 389 dc-site1.samdom.example.lan.
>>
>> dns_tkey_negotiategss: TKEY is unacceptable
>> Failed nsupdate: 1
>> Failed update of 24 entries
>>
>>
>>
> "Is it correct to think that these DCs are not used by the clients?"
> Your clients will not be able to use any DC where SRV records are missing
> for a requested service.
>
> "And that adding the dns entries missing is sufficient to correct the
> problem?"
> It should be. You can verify by using nslookup from a client in each site.
>
> "What is the better way to add these entries?"
> I would use the Windows DNS snap-in or samba-tool.
>
>
>
> --
> -James
>
>
