[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server

Rowland Penny rpenny at samba.org
Mon Aug 15 13:44:35 UTC 2016


On Sun, 14 Aug 2016 23:17:57 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:

> 
> 
> On 14/08/16 22:14, Rowland Penny via samba wrote:
> > On Sun, 14 Aug 2016 21:52:43 +0100
> > Alex Crow via samba <samba at lists.samba.org> wrote:
> >
> >>> I am fairly sure this is your problem, it should be able to find
> >>> the KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
> >>> and /etc/resolv.conf ?
> >> With the BIND server not running, and this krb5.conf:
> >>
> >> [libdefaults]
> >>         default_realm = SAMBA.IFA.NET
> >>         dns_lookup_realm = false
> >>         dns_lookup_kdc = true
> >>
> >> samba_dnsupdate cannot find the KDC. Even if I add:
> >>
> >> [realms]
> >>     SAMBA4.IFA.NET = {
> >>         kdc = 172.31.0.10
> >>     }
> >>
> > Well, I don't think you can find the KDC if the DNS server isn't
> > running; you could try changing 'dns_lookup_kdc = true' to false.
> I think I tried that, but I'm not 100% sure. I tried a lot of things
> to get back on track.
> 
> >
> >> it still complains about not finding a KDC and does not complete.
> >>
> >> Oddly, I can use the output to figure out the DNS entries I need
> >> to add, so I thought "ah, cool, I'll use samba-tool dns" to add
> >> them back in. To my great surprise, when I try to add each entry
> >> that samba_dnsupdate says is missing, samba-tool tells me it
> >> already exists!!
> > OK, try running:
> >
> > ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs
> > --show-binary
> >
> > replace nano with your favourite editor and
> > '/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.
> >
> > You should now be able to search the entire AD and see if your
> > entries do exist.
> 
> I did have a quick look with ldbedit before this last email. There were
> indeed a number of DNS nodes, but perhaps as I didn't use
> "--show-binary" I was missing something.

Just had a thought: how is /etc/resolv.conf set up?
Is it set up so that each DC uses the other first?

If it is, then this 'could' be your problem: your second DC tries to
find the KDC, so it asks DNS (via resolv.conf) for the KDC's address.
Now if the other DC is first in line and doesn't exist, the resolver
will have to time out before it tries the next nameserver, and most
probably will give up and tell you it cannot find the KDC.

Rowland
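As an added illustration of the resolv.conf ordering point above (an example script written for this page, not code from the thread or from the Samba project): it reports where a DC's own address sits in its nameserver list and how many seconds every DNS query loses on dead peers listed ahead of it. It assumes the glibc resolver default of a 5 s timeout per nameserver (overridable by an "options timeout:N" line) and that every nameserver ahead of the DC is unreachable, which is the case after the peer DC has been demoted. The addresses in the demo files are made up for the example; pass the real /etc/resolv.conf and the DC's own IP to check a live host.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): sanity-check
# /etc/resolv.conf on a Samba DC running BIND9_DLZ.  The DC should query its
# own BIND first; if a dead peer DC is listed first, every lookup (including
# the _kerberos SRV lookup that dns_lookup_kdc = true depends on) stalls for
# the resolver timeout before the next nameserver is tried.
# Assumption: glibc resolver defaults, i.e. 5 s timeout per nameserver,
# unless an "options timeout:N" line overrides it.

# Print the nameserver addresses of a resolv.conf-style file, in listed order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the 1-based position of address $2 in file $1's nameserver list,
# or 0 when it is not listed at all.
nameserver_position() {
    awk -v want="$2" '
        $1 == "nameserver" { n++; if ($2 == want) { print n; found = 1; exit } }
        END { if (!found) print 0 }' "$1"
}

# Per-nameserver timeout: the last "options timeout:N" value if present,
# otherwise the glibc default of 5 seconds (assumption stated above).
resolv_timeout() {
    t=$(awk '$1 == "options" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^timeout:/) { split($i, a, ":"); print a[2] } }' "$1" | tail -n 1)
    echo "${t:-5}"
}

# Seconds a single DNS query waits on servers listed ahead of this DC ($2)
# before it reaches the DC's own BIND; prints "not-listed" and fails when
# the DC is missing from the file entirely.
seconds_before_self() {
    pos=$(nameserver_position "$1" "$2")
    if [ "$pos" -eq 0 ]; then
        echo "not-listed"
        return 1
    fi
    t=$(resolv_timeout "$1")
    echo $(( (pos - 1) * t ))
}

# One-line verdict: 0 = this DC is first, 1 = listed but not first, 2 = absent.
check_resolv() {
    pos=$(nameserver_position "$1" "$2")
    case "$pos" in
        0) echo "BAD:  $2 is not a nameserver in $1; add it as the first entry"; return 2 ;;
        1) echo "OK:   $2 is the first nameserver in $1"; return 0 ;;
        *) echo "WARN: $2 is nameserver #$pos in $1; each query waits $(seconds_before_self "$1" "$2")s on dead peers first"; return 1 ;;
    esac
}

# Demo on constructed files (addresses made up for the example).
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.conf" <<'EOF'
# peer DC (now demoted) listed first, own BIND second
nameserver 172.31.0.11
nameserver 172.31.0.10
search samba.ifa.net
EOF
cat > "$demo_dir/good.conf" <<'EOF'
nameserver 172.31.0.10
nameserver 172.31.0.11
search samba.ifa.net
options timeout:2
EOF
check_resolv "$demo_dir/bad.conf"  172.31.0.10 || true
check_resolv "$demo_dir/good.conf" 172.31.0.10 || true
rm -rf "$demo_dir"
```

On a live DC, run `check_resolv /etc/resolv.conf <this DC's IP>` after the demote; a WARN or BAD result is the situation described above, where KDC discovery has to wait out the dead peer before it ever asks the local BIND.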