[Samba] SRV-records not replicated with BIND9_DLZ

mathias dufresne infractory at gmail.com
Fri Jun 24 13:06:59 UTC 2016


2016-06-24 14:21 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 24/06/16 12:23, Stefan Kania wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hello,
>>
>> I just set up a domain with two DCs. I use Debian jessie with the
>> Debian packages, and bind9 also from the Debian repositories.
>>
>> After setting up the first DC everything was working fine. The
>> name resolution of hosts and SRV records worked.
>>
>> Then I set up a second DC, again everything out of the Debian box, with
>> bind9 as nameserver.
>>
>> The "join" and the replication of the database worked with no
>> error message.
>>
>> BUT when I tested the DNS I saw that only the second DC got all
>> SRV records:
>> - -------------
>> root at addc2:~# host -t srv _kerberos._tcp.example.net
>> _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
>> _kerberos._tcp.example.net has SRV record 0 100 88 addc2.example.net.
>>
>> root at addc2:~# host -t srv _ldap._tcp.example.net
>> _ldap._tcp.example.net has SRV record 0 100 389 addc2.example.net.
>> _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
>>
>> root at addc2:~# host -t srv _gc._tcp.example.net
>> _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
>> _gc._tcp.example.net has SRV record 0 100 3268 addc2.example.net.
>> root at addc2:~#
>> - ------------
>>
>> On the first DC I see only the SRV records from the first DC:
>> - ------------
>> root at addc1:~# host -t srv _kerberos._tcp.example.net
>> _kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.
>> root at addc1:~# host -t srv _ldap._tcp.example.net
>> _ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.
>> root at addc1:~# host -t srv _gc._tcp.example.net
>> _gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.
>> - ------------
>>
>
Here is certainly the issue. This record must be created on the replicating DC
and on the new one before replication really begins between all your DCs (ok,
only one) and the new one.

Here it is:
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller

Could you please try to fix that and retry?


>
>> So the replication check was not working:
>> - ------------
>> root at addc1:~# samba-tool drs showrepl
>> ==== INBOUND NEIGHBORS ====
>>
>> DC=ForestDnsZones,DC=example,DC=net
>>          Default-First-Site-Name\ADDC2 via RPC
>>                  DSA object GUID: 9fba93aa-5e34-48fc-826b-dddc24072883
>>                  Last attempt @ Fri Jun 24 12:42:40 2016 CEST failed,
>> result 2 (WERR_BADFILE)
>>                  23 consecutive failure(s).
>>                  Last success @ NTTIME(0)
>> - ------------
>>
>> Trying to replicate dc1 with dc2
>> - ------------
>> root at addc1:~# samba-tool drs replicate addc1 addc2 example.net
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>> drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line
>> 345, in run
>>      drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
>> source_dsa_guid, NC, req_options)
>>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83,
>> in sendDsReplicaSync
>>      raise drsException("DsReplicaSync failed %s" % estr)
>> - ----------
>>
>> Then I added a Win10 client to see the DNS entries via RSAT. All
>> the SRV records are missing, BUT the new Windows client was added to DNS
>> and I can see it on both DCs, as object and as DNS record.
>>
>> Running "samba_dnsupdate --verbose --all-names" on both DCs
>> works without any error.
>>
>> Testing the objectGUID is working:
>> - ----------
>> root at addc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb
>> '(invocationid=*)' --cross-ncs objectguid
>> # record 1
>> dn: CN=NTDS
>> Settings,CN=ADDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
>> iguration,DC=example,DC=net
>> objectGUID: 9fba93aa-5e34-48fc-826b-dddc24072883
>>
>> # record 2
>> dn: CN=NTDS
>> Settings,CN=ADDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
>> iguration,DC=example,DC=net
>> objectGUID: b33e0b61-960c-41de-9271-6dad3f57ece0
>> - ----------
>>
>> On the first DC the CNAME for the second DC is not there
>> - ----------
>> root at addc1:~# host -t CNAME
>> 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net.
>> Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net. not
>> found: 3(NXDOMAIN)
>> root at addc1:~# host -t CNAME
>> b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net.
>> b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias
>> for addc1.example.net.
>> - ----------
>>
>> consistency check works on both DCs
>> - ----------
>> root at addc1:~# kinit administrator
>> administrator at EXAMPLE.NET's Password:
>> root at addc1:~# samba-tool drs kcc -k yes
>> Consistency check on addc1.example.net successful.
>>
>> root at addc2:~# kinit administrator
>> administrator at EXAMPLE.NET's Password:
>> root at addc2:~# samba-tool drs kcc -k yes
>> Consistency check on addc2.example.net successful.
>> - ----------
>>
>> On the second DC everything is ok.
>>
>> smb.conf on DC1:
>> - ----------
>> [global]
>>          workgroup = EXAMPLE
>>          realm = EXAMPLE.NET
>>          netbios name = ADDC1
>>          server role = active directory domain controller
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>          interfaces = 192.168.56.81
>>          bind interfaces only = yes
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/example.net/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>> - ----------
>>
>> smb.conf on DC2:
>> - ----------
>> [global]
>>          workgroup = EXAMPLE
>>          realm = example.net
>>          netbios name = ADDC2
>>          server role = active directory domain controller
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>          interfaces = 192.168.56.82
>>          bind interfaces only = yes
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/example.net/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>> - ----------
>>
>> At the moment I don't know where to look. Can someone help, please?
>>
>> Stefan
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.22 (GNU/Linux)
>>
>> iEYEARECAAYFAldtGDIACgkQ2JOGcNAHDTZSoACghKDh878JQk1nakNq+HCfTSja
>> OzwAoNF1+zYF8VUL8Fnph2Efh2f41ZlI
>> =6Cci
>> -----END PGP SIGNATURE-----
>>
>>
> I don't think this has anything to do with bind9, bind uses exactly the
> same objects in AD that the internal DNS does.
>
> Have you tried restarting Samba on the second DC ?
> Have you tried running 'samba-tool ldapcmp ldap://dc1 ldap://dc2'
>
> Rowland
>
>
>
>
>


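A script that automates the check from the wiki page linked above, run from each DC in turn (added here as an example; it is not from the thread or from the Samba project). It reads the NTDS Settings objectGUIDs with the same ldbsearch command Stefan used, then asks the local resolver with `host` for the <objectGUID>._msdcs CNAME and the _kerberos/_ldap/_gc SRV records of every DC, and lists what is missing. Assumptions: the output formats of `ldbsearch` and `host` are as shown in Stefan's mail, sam.ldb lives at /var/lib/samba/private/sam.ldb, and the function names (`check_dc_records`, `demo`) are my own. The embedded sample data is constructed from the thread's output as seen from addc1, not a live capture.

```python
#!/usr/bin/env python3
"""Per-DC DNS check for the records DRS replication relies on.

For each DC's NTDS Settings object, verify from this host's resolver that
  1. <objectGUID>._msdcs.<domain> is a CNAME to the DC's FQDN, and
  2. _kerberos._tcp, _ldap._tcp and _gc._tcp each list the DC.
Run it on every DC: the thread shows the answer differs per nameserver.
"""
import re
import subprocess
import sys
from typing import Callable, Dict, List, Optional

SRV_NAMES = ["_kerberos._tcp", "_ldap._tcp", "_gc._tcp"]
NTDS_DN_RE = re.compile(r"^dn:\s*CN=NTDS Settings,CN=([^,]+),", re.I)


def parse_ntds_guids(ldb_output: str) -> Dict[str, str]:
    """DC name -> objectGUID from
    `ldbsearch -H sam.ldb '(invocationid=*)' --cross-ncs objectguid`.
    ldbsearch emits LDIF, so long lines wrap onto lines starting with a space."""
    guids, dc = {}, None
    for line in re.sub(r"\n ", "", ldb_output).splitlines():
        m = NTDS_DN_RE.match(line)
        if m:
            dc = m.group(1).lower()
        elif dc and line.lower().startswith("objectguid:"):
            guids[dc] = line.split(":", 1)[1].strip().lower()
            dc = None
    return guids


def parse_cname(host_output: str) -> Optional[str]:
    """Target of `host -t CNAME name`; None on NXDOMAIN or any other answer."""
    m = re.search(r"is an alias for (\S+)", host_output)
    return m.group(1).rstrip(".").lower() if m else None


def parse_srv_targets(host_output: str) -> List[str]:
    """Targets from `host -t SRV name`, priority/weight/port dropped."""
    return [t.rstrip(".").lower()
            for t in re.findall(r"has SRV record \d+ \d+ \d+ (\S+)", host_output)]


def check_dc_records(domain: str, guids: Dict[str, str],
                     query: Callable[[str, str], str]) -> List[str]:
    """query(rtype, name) returns `host` output. Returns a list of problems."""
    problems = []
    for dc, guid in sorted(guids.items()):
        fqdn = f"{dc}.{domain}"
        cname = f"{guid}._msdcs.{domain}"
        target = parse_cname(query("CNAME", cname))
        if target != fqdn:
            problems.append(f"{cname}: expected CNAME to {fqdn}, got {target or 'NXDOMAIN'}")
        for srv in SRV_NAMES:
            if fqdn not in parse_srv_targets(query("SRV", f"{srv}.{domain}")):
                problems.append(f"{srv}.{domain}: no SRV record pointing at {fqdn}")
    return problems


def _run(cmd: List[str]) -> str:
    # host exits non-zero on NXDOMAIN, so the return code is deliberately ignored
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.stdout + p.stderr


def live_guids(sam_ldb: str = "/var/lib/samba/private/sam.ldb") -> Dict[str, str]:
    return parse_ntds_guids(_run(["ldbsearch", "-H", sam_ldb,
                                  "(invocationid=*)", "--cross-ncs", "objectguid"]))


def live_query(rtype: str, name: str) -> str:
    return _run(["host", "-t", rtype, name])


# Constructed sample: addc1's view as posted in the thread (not a live capture).
SAMPLE_LDB = """# record 1
dn: CN=NTDS Settings,CN=ADDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
 iguration,DC=example,DC=net
objectGUID: 9fba93aa-5e34-48fc-826b-dddc24072883

# record 2
dn: CN=NTDS Settings,CN=ADDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
 iguration,DC=example,DC=net
objectGUID: b33e0b61-960c-41de-9271-6dad3f57ece0
"""
SAMPLE_DNS = {
    ("CNAME", "9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net"):
        "Host 9fba93aa-5e34-48fc-826b-dddc24072883._msdcs.example.net not found: 3(NXDOMAIN)\n",
    ("CNAME", "b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net"):
        "b33e0b61-960c-41de-9271-6dad3f57ece0._msdcs.example.net is an alias for addc1.example.net.\n",
    ("SRV", "_kerberos._tcp.example.net"):
        "_kerberos._tcp.example.net has SRV record 0 100 88 addc1.example.net.\n",
    ("SRV", "_ldap._tcp.example.net"):
        "_ldap._tcp.example.net has SRV record 0 100 389 addc1.example.net.\n",
    ("SRV", "_gc._tcp.example.net"):
        "_gc._tcp.example.net has SRV record 0 100 3268 addc1.example.net.\n",
}


def demo() -> List[str]:
    """Run the check against the constructed sample (addc2 is missing everywhere)."""
    return check_dc_records("example.net", parse_ntds_guids(SAMPLE_LDB),
                            lambda rtype, name: SAMPLE_DNS.get((rtype, name), ""))


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.net"
    found = check_dc_records(domain, live_guids(), live_query)
    print("\n".join(found) if found else f"all DC records present for {domain}")
    sys.exit(1 if found else 0)
```

Run it as root on each DC (`python3 check_dc_dns.py example.net`); on addc1 with the state in the thread it reports the missing objectGUID CNAME and the three missing SRV entries for addc2 and exits 1, while on addc2 it exits 0. The check is per-resolver on purpose: the DNS data is the same AD objects on both DCs (as Rowland notes), so a difference between the two views is exactly the symptom to chase before retrying `samba-tool drs replicate`.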