[Samba] SRV-records not replicated with BIND9_DLZ

Rowland penny rpenny at samba.org
Fri Jun 24 12:21:03 UTC 2016


On 24/06/16 12:23, Stefan Kania wrote:
>
> Hello,
>
> I just set up a domain with two DCs. I use Debian jessie with the
> Debian packages, and bind9 also from the Debian repositories.
>
> After setting up the first DC everything was working fine. The
> name resolution of hosts and SRV records worked.
>
> Then I set up a second DC, also everything out of the Debian box, with
> bind9 as nameserver.
>
> The "join" and the replication of the database worked with no
> error message.
>
> BUT when I tested the DNS I saw that only the second DC got all
> SRV records:
> -------------
> root at addc2:~# host -t srv _kerberos._tcp.example.net
> _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
> _kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net.
>
> root at addc2:~# host -t srv _ldap._tcp.example.net
> _ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net.
> _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
>
> root at addc2:~# host -t srv _gc._tcp.example.net
> _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
> _gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net.
> root at addc2:~#
> ------------
>
> On the first DC I see only the SRV records from the first DC:
> ------------
> root at addc1:~# host -t srv _kerberos._tcp.example.net
> _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
> root at addc1:~# host -t srv _ldap._tcp.example.net
> _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
> root at addc1:~# host -t srv _gc._tcp.example.net
> _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
> ------------
>
> So the replication check was not working:
> ------------
> root at addc1:~# samba-tool drs showrepl
> ==== INBOUND NEIGHBORS ====
>
> DC=ForestDnsZones,DC=example,DC=net
>          Default-First-Site-Name\ADDC2 via RPC
>                  DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883
>                  Last attempt @ Fri Jun 24 12:42:40 2016 CEST failed, result 2 (WERR_BADFILE)
>                  23 consecutive failure(s).
>                  Last success @ NTTIME(0)
> ------------
>
> Trying to replicate dc1 with dc2:
> ------------
> root at addc1:~# samba-tool drs replicate addc1 addc2 example.net
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 345, in run
>      drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
>      raise drsException("DsReplicaSync failed %s" % estr)
> ----------
>
> Then I added a Win10 client to see the DNS entries via RSAT. All
> the SRV records are missing, BUT the new Windows client was added to DNS
> and I can see it on both DCs, as an object and as a DNS record.
>
> Running "samba_dnsupdate --verbose --all-names" on both
> DCs works without any error.
>
> Testing the objectGUID works:
> ----------
> root at addc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
> # record 1
> dn: CN=NTDS Settings,CN=ADDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
> objectGUID: 9fba93aa-5e34-48fc-826b-dddc24072883
>
> # record 2
> dn: CN=NTDS Settings,CN=ADDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=net
> objectGUID: b33e0b61-960c-41de-9271-6dad3f57ece0
> ----------
>
> On the first DC the CNAME for the second DC is not there:
> ----------
> root at addc1:~# host -t CNAME 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net.
> Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. not found: 3(NXDOMAIN)
> root at addc1:~# host -t CNAME b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net.
> b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias for addc1.example.net.
> ----------
>
> The consistency check works on both DCs:
> ----------
> root at addc1:~# kinit administrator
> administrator at EXAMPLE.NET's Password:
> root at addc1:~# samba-tool drs kcc -k yes
> Consistency check on addc1.example.net successful.
>
> root at addc2:~# kinit administrator
> administrator at EXAMPLE.NET's Password:
> root at addc2:~# samba-tool drs kcc -k yes
> Consistency check on addc2.example.net successful.
> ----------
>
> On the second DC everything is ok.
>
> smb.conf on DC1:
> ----------
> [global]
>          workgroup = EXAMPLE
>          realm = EXAMPLE.NET
>          netbios name = ADDC1
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>          interfaces = 192.168.56.81
>          bind interfaces only = yes
>
> [netlogon]
>          path = /var/lib/samba/sysvol/example.net/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> ----------
>
> smb.conf on DC2:
> ----------
> [global]
>          workgroup = EXAMPLE
>          realm = example.net
>          netbios name = ADDC2
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>          interfaces = 192.168.56.82
>          bind interfaces only = yes
>
> [netlogon]
>          path = /var/lib/samba/sysvol/example.net/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> ----------
>
> At the moment I don't know where to look. Can someone help, please?
>
> Stefan
>

I don't think this has anything to do with bind9; bind uses exactly the
same objects in AD that the internal DNS does.

Have you tried restarting Samba on the second DC ?
Have you tried running 'samba-tool ldapcmp ldap://dc1 ldap://dc2'?

Rowland
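A way to turn the checks in the post above into a repeatable comparison across DCs, as an added example that is not part of the thread or of Samba's own tooling: it parses captured `host -t srv` and `samba-tool drs showrepl` output and reports which DCs are missing from each SRV name in a given DC's view, and which inbound replication links are failing or have never succeeded (`Last success @ NTTIME(0)`). The sample inputs are constructed in the output format shown in the post; the healthy second `showrepl` entry on the domain NC is assumed for contrast, and the function and class names are illustrative.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs in the `host -t srv` output format from the post.
# ADDC1's view advertises only itself; ADDC2's view advertises both DCs.
SRV_ADDC1 = """\
_kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
_ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
_gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
"""
SRV_ADDC2 = """\
_kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
_kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net.
_ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net.
_ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
_gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
_gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net.
"""
# Constructed `samba-tool drs showrepl` sample: the failing ForestDnsZones
# link from the post, plus one healthy link (assumed) on the domain NC.
SHOWREPL_ADDC1 = """\
==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=net
        Default-First-Site-Name\\ADDC2 via RPC
                DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883
                Last attempt @ Fri Jun 24 12:42:40 2016 CEST failed, result 2 (WERR_BADFILE)
                23 consecutive failure(s).
                Last success @ NTTIME(0)

DC=example,DC=net
        Default-First-Site-Name\\ADDC2 via RPC
                DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883
                Last attempt @ Fri Jun 24 12:42:40 2016 CEST was successful
                0 consecutive failure(s).
                Last success @ Fri Jun 24 12:42:40 2016 CEST

==== OUTBOUND NEIGHBORS ====
"""

SRV_RE = re.compile(r"^(\S+) has SRV record \d+ \d+ \d+ (\S+?)\.?$")
FAIL_RE = re.compile(r"Last attempt @ .* failed, result \d+ \((\w+)\)")
COUNT_RE = re.compile(r"(\d+) consecutive failure\(s\)")


def parse_srv(text):
    """Map each SRV name to the set of target hosts this DC answered with."""
    view = {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            view.setdefault(m.group(1), set()).add(m.group(2).lower())
    return view


def missing_dcs(view, expected_dcs):
    """Per SRV name, the DCs from expected_dcs that this view does not list."""
    expected = {d.lower().rstrip(".") for d in expected_dcs}
    return {name: sorted(expected - hosts)
            for name, hosts in sorted(view.items()) if expected - hosts}


@dataclass
class InboundLink:
    nc: str                          # naming context being replicated
    partner: str                     # Site\DC the data comes from
    result: str = "OK"               # "OK" or the WERR_* name of the last attempt
    failures: int = 0                # consecutive failure count
    never_succeeded: bool = False    # "Last success @ NTTIME(0)"


def parse_showrepl_inbound(text):
    """Parse the INBOUND NEIGHBORS section into one InboundLink per NC/partner."""
    links, in_inbound, nc, cur = [], False, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            in_inbound = "INBOUND" in line
            continue
        if not in_inbound or not line:
            continue
        if not raw[0].isspace():             # NC headers are unindented
            nc = line
        elif " via " in line:                # start of a partner entry
            cur = InboundLink(nc=nc, partner=line.split(" via ")[0])
            links.append(cur)
        elif cur is not None:
            m = FAIL_RE.search(line)
            if m:
                cur.result = m.group(1)
            m = COUNT_RE.search(line)
            if m:
                cur.failures = int(m.group(1))
            if line.startswith("Last success @") and "NTTIME(0)" in line:
                cur.never_succeeded = True
    return links


def failing_links(links):
    """Links whose last attempt failed or that have never replicated at all."""
    return [l for l in links if l.result != "OK" or l.never_succeeded]


if __name__ == "__main__":
    dcs = ["addc1.example.net", "addc2.example.net"]
    for dc, text in (("addc1", SRV_ADDC1), ("addc2", SRV_ADDC2)):
        print(dc, "is missing:", missing_dcs(parse_srv(text), dcs) or "nothing")
    for link in failing_links(parse_showrepl_inbound(SHOWREPL_ADDC1)):
        print("failing:", link)
```

In use, replace the constructed strings with the real output of `host -t srv` run against each DC and of `samba-tool drs showrepl` on each DC; a link with `never_succeeded` set and a non-OK `result`, like the ForestDnsZones entry in the post, is the one to chase first, since the SRV and `_msdcs` CNAME records live in the DNS partitions and cannot appear on a DC that has never received them.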