[Samba] SRV-records not replicated with BIND9_DLZ

Stefan Kania stefan at kania-online.de
Fri Jun 24 11:23:31 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I just set up a Domain with two DCs. I use Debian jessie with the
Debian packages, and bind9 also from the Debian repositories.

After setting up the first DC everything was working fine. The
name resolution of hosts and SRV records worked.

Then I set up a second DC, also everything out of the Debian box, with
bind9 as nameserver.

The "join" and the replication of the database worked with no
error message.

BUT when I tested the DNS I saw that only the second DC got all
SRV records:
- -------------
root at addc2:~# host -t srv _kerberos._tcp.example.net
_kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
_kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net.

root at addc2:~# host -t srv _ldap._tcp.example.net
_ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net.
_ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.

root at addc2:~# host -t srv _gc._tcp.example.net
_gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
_gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net.
root at addc2:~#
- ------------

On the first DC I see only the SRV records from the first DC:
- ------------
root at addc1:~# host -t srv _kerberos._tcp.example.net
_kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
root at addc1:~# host -t srv _ldap._tcp.example.net
_ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
root at addc1:~# host -t srv _gc._tcp.example.net
_gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
- ------------

So the replication check was not working:
- ------------
root at addc1:~# samba-tool drs showrepl
==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=net
        Default-First-Site-Name\ADDC2 via RPC
                DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883
                Last attempt @ Fri Jun 24 12:42:40 2016 CEST failed, result 2 (WERR_BADFILE)
                23 consecutive failure(s).
                Last success @ NTTIME(0)
- ------------

Trying to replicate dc1 with dc2:
- ------------
root at addc1:~# samba-tool drs replicate addc1 addc2 example.net
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
- ----------

Then I added a Win10 client to see the DNS entries via the RSAT. All
the SRV records are missing, BUT the new Windows client was added to DNS
and I can see it on both DCs, as object and as DNS record.

Running "samba_dnsupdate --verbose --all-names" works on both
DCs without any error.

Testing the objectGUID works:
- ----------
root at addc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=ADDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
objectGUID: 9fba93aa-5e34-48fc-826b-dddc24072883

# record 2
dn: CN=NTDS Settings,CN=ADDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
objectGUID: b33e0b61-960c-41de-9271-6dad3f57ece0
- ----------

On the first DC the CNAME for the second DC is not there:
- ----------
root at addc1:~# host -t CNAME 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net.
Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. not found: 3(NXDOMAIN)
root at addc1:~# host -t CNAME b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net.
b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias for addc1.example.net.
- ----------

Consistency check works on both DCs:
- ----------
root at addc1:~# kinit administrator
administrator at EXAMPLE.NET's Password:
root at addc1:~# samba-tool drs kcc -k yes
Consistency check on addc1.example.net successful.

root at addc2:~# kinit administrator
administrator at EXAMPLE.NET's Password:
root at addc2:~# samba-tool drs kcc -k yes
Consistency check on addc2.example.net successful.
- ----------

On the second DC everything is OK.

smb.conf on DC1:
- ----------
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.NET
        netbios name = ADDC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        interfaces = 192.168.56.81
        bind interfaces only = yes

[netlogon]
        path = /var/lib/samba/sysvol/example.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
- ----------

smb.conf on DC2:
- ----------
[global]
        workgroup = EXAMPLE
        realm = example.net
        netbios name = ADDC2
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        interfaces = 192.168.56.82
        bind interfaces only = yes

[netlogon]
        path = /var/lib/samba/sysvol/example.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
- ----------

At the moment I don't know where to look. Can someone help, please?

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAldtGDIACgkQ2JOGcNAHDTZSoACghKDh878JQk1nakNq+HCfTSja
OzwAoNF1+zYF8VUL8Fnph2Efh2f41ZlI
=6Cci
-----END PGP SIGNATURE-----
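The checks in the post (comparing `host -t srv` answers from each DC and looking up the `<DSA GUID>._msdcs.<domain>` CNAME for every NTDS Settings objectGUID) are easy to script so that a missing record on one DC is reported by name rather than spotted by eye. The following is an added example, not code from the post or from the Samba project; it parses the textual output of `host` as shown above. The sample outputs are constructed to match the records quoted in the post, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample `host -t srv` output for each DC, mirroring the post
# (not captured from a live system).
ADDC1_SRV_OUTPUT = """\
_kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
_ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
_gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
"""

ADDC2_SRV_OUTPUT = """\
_kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
_kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net.
_ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net.
_ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
_gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
_gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net.
"""

# Constructed `host -t CNAME` output from DC1 for both DSA GUIDs (one NXDOMAIN, one alias).
ADDC1_CNAME_OUTPUT = """\
Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. not found: 3(NXDOMAIN)
b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias for addc1.example.net.
"""

# DSA objectGUIDs as returned by the ldbsearch in the post.
DSA_GUIDS = [
    "9fba93aa-5e34-48fc-826b-dddc24072883",  # ADDC2
    "b33e0b61-960c-41de-9271-6dad3f57ece0",  # ADDC1
]

SRV_RE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+)$"
)
CNAME_RE = re.compile(r"^(?P<name>\S+) is an alias for (?P<target>\S+)$")
NXDOMAIN_RE = re.compile(r"^Host (?P<name>\S+) not found")


def parse_srv(text):
    """Return a set of (name, priority, weight, port, target) from `host -t srv` output.
    Lines that are not SRV answers (e.g. NXDOMAIN messages) are ignored."""
    records = set()
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.add((m["name"], int(m["prio"]), int(m["weight"]),
                         int(m["port"]), m["target"].rstrip(".")))
    return records


def compare_dcs(answers):
    """answers: {dc_name: host output}. For each DC, return the sorted list of SRV
    records that some other DC answers with but this DC does not."""
    parsed = {dc: parse_srv(out) for dc, out in answers.items()}
    union = set().union(*parsed.values())
    return {dc: sorted(union - recs) for dc, recs in parsed.items()}


def targets_by_service(records):
    """Group SRV targets by service name, e.g. which hosts advertise _ldap._tcp."""
    by_name = defaultdict(set)
    for name, _, _, _, target in records:
        by_name[name].add(target)
    return {n: sorted(t) for n, t in by_name.items()}


def parse_cname(text):
    """Map each queried name to its alias target, or None when `host` reported NXDOMAIN."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        m = CNAME_RE.match(line)
        if m:
            result[m["name"].rstrip(".")] = m["target"].rstrip(".")
            continue
        m = NXDOMAIN_RE.match(line)
        if m:
            result[m["name"].rstrip(".")] = None
    return result


def missing_dsa_cnames(dsa_guids, domain, cname_output):
    """Return the DSA GUIDs whose <guid>._msdcs.<domain> CNAME is absent from the
    given `host -t CNAME` output. Every DC should resolve one CNAME per DSA GUID."""
    found = parse_cname(cname_output)
    return sorted(g for g in dsa_guids if found.get(f"{g}._msdcs.{domain}") is None)


if __name__ == "__main__":
    missing = compare_dcs({"addc1": ADDC1_SRV_OUTPUT, "addc2": ADDC2_SRV_OUTPUT})
    for dc, recs in missing.items():
        print(f"{dc}: {len(recs)} SRV record(s) missing")
        for r in recs:
            print("   ", r)
    print("DSA GUIDs without _msdcs CNAME on addc1:",
          missing_dsa_cnames(DSA_GUIDS, "example.net", ADDC1_CNAME_OUTPUT))
```

On the constructed sample this reports three SRV records missing from addc1 (all pointing at addc2) and none missing from addc2, and flags ADDC2's DSA GUID as the one with no `_msdcs` CNAME on addc1, which is exactly the picture the post describes. To run it against real DCs, capture the `host` output from each DC into the corresponding string (or feed it from files) rather than the constructed samples.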
