[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

mathias dufresne infractory at gmail.com
Mon Jan 4 10:23:51 UTC 2016

Hi all and a happy new year :)

Yes, James is right: my issue is that Site-related DNS records were not created.

First, there is something wrong in what I said previously regarding AD Sites:
the fallback process is not to look for a DC in Default-First-Site-Name, but
it seems to look for a DC without Site information (i.e. looking for
_ldap._tcp.SAMBA.DOMAIN.TLD in place of

That's important to understand AD Sites but also to understand my previous
mistake: I was creating servers manually in the Site management console when we
must not do that (at least we must not do that in the way I did :p).
Creating servers manually using the contextual menu in the Site management
console does not run the process of creating DNS records for these manually
created servers. We must use the automatically created servers and move them.

Once I understood I had made that big mistake, I switched to the right way to
manage servers in Sites (using those automatically created) and Samba started
to reflect Site changes in DNS... if and only if samba_dnsupdate is working,
which is not often the case with the internal DNS backend because of the
authentication required by default.

I haven't yet fully understood the DNS authentication processes and that's what
I'm working on, so I can't tell how this could be solved for now.
What I expect is: once samba_dnsupdate (so in fact "nsupdate -g") works, the
whole issue would disappear.

Now, regarding the fact that I use an additional DNS server, this does not seem
to be related: with or without this additional DNS server my DCs behaved
identically, as far as I remember.

I'll dig into that and be back once I have something to say.



2015-12-28 15:34 GMT+01:00 James <lingpanda101 at gmail.com>:

> On 12/28/2015 9:21 AM, Rowland penny wrote:
>> On 28/12/15 14:06, James wrote:
>>> On 12/24/2015 11:32 AM, Rowland penny wrote:
>>>> On 24/12/15 15:32, mathias dufresne wrote:
>>>>> And to get the mentioned entries list I used:
>>>>> "samba_dnsupdate --verbose --all-names | grep Default-First-Site-name"
>>>>> This lists 8 DNS records related to the Default Site.
>>>>> Next was to change Default-First... by the name of another AD Site (sed is
>>>>> still working :p)
>>>>> I was able to create the DNS entries which were missing for one of my
>>>>> sites.
>>>>> Next, test:
>>>>> Back on one Windows machine on the network associated to that AD Site,
>>>>> reboot it, and tcpdump on my DNS server (all requests go through this DNS
>>>>> server)
>>>>> 1° Site related DNS SRV request:
>>>>> 35752:15:24:38.907301 IP > dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ SRV? _ldap._tcp.authentification._sites.dc._msdcs.ad.dgfip.finances.gouv.fr. (88)
>>>>> 2° Site related DNS SRV reply:
>>>>> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > 23013 2/2/4 SRV m705.ad.dgfip.finances.gouv.fr.:389 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100 (291)
>>>>> 3° Then A request on one DC returned by previous request:
>>>>> 35754-15:24:38.908731 IP > dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ A? m705.ad.dgfip.finances.gouv.fr. (48)
>>>>> 4° the reply:
>>>>> 35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain > 16037 1/2/2 A (135)
>>>>> Now my Windows clients receive an answer when they request the SRV record
>>>>> according to the AD site they belong to.
>>>>> I must say I've also manually declared each DC as NS. As explained
>>>>> yesterday evening I don't think this should be important (even if I said
>>>>> the contrary a few weeks ago).
>>>>> NS records should be used only when clients use a DNS server which is not
>>>>> the AD DNS and if the DNS server declared on the client does not need to
>>>>> ask the upper level for NS.
>>>>> This is so badly described, here is an example of my thinking:
>>>>> With AD Domain = samba.org
>>>>> and Win_client -> non-AD DNS server, and nothing configured on this DNS
>>>>> to help it find the samba.org name servers.
>>>>> When Win_client asks the DNS server about samba.org, as the DNS server
>>>>> does not know anything about samba.org, the DNS server would ask the root
>>>>> DNS server (the one for ORG) which servers are responsible for samba.org.
>>>>> Here is the case where NS should be used.
>>>>> And with my lack of knowledge about DNS I don't see any other case where
>>>>> NS should be used.
>>>> Hi Mathias, one of the problems with your setup is that you seem to be
>>>> running DNS differently from what Samba (and for that matter, Windows)
>>>> recommends: you seem to be using a DNS server that is not an AD DC.
>>>> Normally to find a DC, you would ask the DNS server that is
>>>> authoritative for the domain; with a Samba AD domain this is usually a DC,
>>>> and is identified by its SOA record, which is supposed to contain the
>>>> authoritative name servers.
>>>> Now, with a Samba domain, if you use the internal DNS server, you only
>>>> get *one* authoritative name server even if you add the required records
>>>> to the domain SOA. The net result is, if the first DC in the domain goes
>>>> down, you don't have an authoritative name server. If you use bind9 instead
>>>> of the internal DNS server, each DC becomes authoritative for the domain
>>>> after you add the required records to the domain SOA.
>>>> As you are using bind9 (although in a non-recommended way), each of
>>>> your DCs will be authoritative as you have added the required records.
>>>> When I get the time, I will create a bug report for this, this will
>>>> probably be after Christmas though.
>>>> Rowland
>>> I'm using the internal DNS and I have all the necessary SRV records for
>>> all my sites and DCs. They were created automatically by Samba. You should
>>> have the following if missing.
>>> Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
>>> Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp
>>> You should have an SRV record for the following.
>>> _kerberos
>>> and
>>> _ldap
>> Ah, I think you are missing the point here James, yes you need all the
>> SRV records etc. that you refer to, but, from my testing, if you use the
>> internal DNS server, you will only have one authoritative nameserver for
>> the DNS domain, even if you add the NS & A records to the zone SOA.
>> I cannot log into the second DC via ssh if I turn off the first DC,
>> something that does work if I use the bind9 server.
>> Rowland
> Hello Rowland. I understand your point. You are correct. It's an issue
> with the internal DNS.
> I was under the impression that Mathias was missing SRV records for his
> sites. I wanted to confirm that SRV records are created by Samba if using
> the internal DNS. It appears he isn't using the internal DNS for Samba
> which may be causing some confusion?
> --
> -James
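To make the two failure modes in this thread concrete (missing site-specific SRV records, and a zone with a single authoritative name server), here is a small Python model added here, not code from the thread or from Samba. It models a client's site-aware DC lookup against a constructed zone; it covers only the _ldap/_kerberos names James lists (Samba registers more per site), uses the placeholder domain samba.domain.tld and the DC names m705/m706 from the trace, and simulates host reachability with a set.

```python
# Added example, not code from the thread: a small model of the DC-locator DNS
# lookups discussed above, run against a constructed zone (see assumptions above).
from typing import Dict, List, Optional, Set, Tuple

Srv = Tuple[int, int, int, str]   # priority, weight, port, target
Zone = Dict[str, List[Srv]]       # SRV owner name -> records

def site_record_names(domain: str, site: str) -> List[str]:
    """Site-specific SRV names a DC placed in `site` must have registered."""
    return [f"{s}._tcp.{site}._sites.dc._msdcs.{domain}" for s in ("_ldap", "_kerberos")]

def domain_record_names(domain: str) -> List[str]:
    """Site-less names a client falls back to when no site records exist."""
    return [f"{s}._tcp.dc._msdcs.{domain}" for s in ("_ldap", "_kerberos")]

def missing_site_records(zone: Zone, domain: str, site: str) -> List[str]:
    """Names the site should have but the zone lacks (Mathias's original symptom)."""
    return [n for n in site_record_names(domain, site) if not zone.get(n)]

def resolve_srv(zone: Zone, nameservers: List[str], name: str,
                reachable: Set[str]) -> Optional[List[Srv]]:
    """Answer an SRV query; None when no authoritative server is reachable
    (Rowland's point: with one NS, a dead first DC takes DNS down with it)."""
    if not any(ns in reachable for ns in nameservers):
        return None
    return sorted(zone.get(name, []))  # lowest priority first, as a client would

def locate_dc(zone: Zone, nameservers: List[str], domain: str, site: str,
              reachable: Set[str]) -> Optional[str]:
    """Query the site-specific _ldap name first, then the site-less one, and
    return the first target that is up (a simplified DC locator)."""
    for name in (site_record_names(domain, site)[0], domain_record_names(domain)[0]):
        answer = resolve_srv(zone, nameservers, name, reachable)
        if answer is None:
            return None  # DNS itself is unavailable, not just one DC
        for _prio, _weight, _port, target in answer:
            if target in reachable:
                return target
    return None

# Constructed zone: placeholder domain from the thread, DC names from the trace.
DOMAIN = "samba.domain.tld"
DC1, DC2 = f"m705.{DOMAIN}", f"m706.{DOMAIN}"
ZONE: Zone = {}
for n in site_record_names(DOMAIN, "authentification") + domain_record_names(DOMAIN):
    port = 88 if n.startswith("_kerberos") else 389
    ZONE[n] = [(0, 100, port, DC1), (0, 100, port, DC2)]
```

With both DCs listed as name servers, a client in a site with no site records still finds m706 through the site-less names when m705 is down; with m705 as the only name server, the same lookup gets no answer at all.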
