[Samba] NS records for a new AD DC

Rowland Penny rpenny at samba.org
Wed Oct 19 19:50:07 UTC 2016


On Wed, 19 Oct 2016 16:55:40 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 19 Oct 2016 17:45:18 +0200
> Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> 
> > Hi Rowland,
> > 
> > Am 18.10.2016 um 12:30 schrieb Rowland Penny via samba:
> > > Yes it should exist and it should be added for you when Samba is
> > > started (on later versions) by samba_dnsupdate.
> > 
> > have you tried recently if the records are added when
> > samba_dnsupdate runs?
> > 
> > The BZ is still open:
> > https://bugzilla.samba.org/show_bug.cgi?id=10928#c4
> > And according to my last comment, it still failed last February.
> > 
> > 
> > Regards,
> > Marc
> 
> Hi Marc, it has been some time since I tested it, but from memory it
> went something like this:
> 
> There is an existing, working DC.
> You join another DC to the existing DC
> Before starting Samba, make /etc/resolv.conf point to itself as the
> nameserver
> start Samba
> samba_dnsupdate runs and adds the missing records
> 
> Let me try it again and get back to you.
> 
> Rowland
>  
> 

OK, I am back ;-)

You are correct, it doesn't work out of the box, but I have worked out
why (no fix yet) and a workaround.

The why:
DNS records can only be changed by the owner or something that has
permission to change them. When samba_dnsupdate runs, it gets this ticket
cache:

root at samtest2:~# klist /tmp/tmpierjtB 
Ticket cache: FILE:/tmp/tmpierjtB
Default principal: SAMTEST2$@EXAMPLE.DOM

Valid starting     Expires            Service principal
19/10/16 20:13:22  20/10/16 06:13:22  krbtgt/EXAMPLE.DOM at EXAMPLE.DOM
19/10/16 20:13:22  20/10/16 06:13:22  DNS/samtest1.example.dom at EXAMPLE.DOM

Big problem: it is trying to update records for samtest2 with the SPN
for samtest1; this will not work.

Workaround:
Turn off Samba on the first DC, then restart Samba on the second DC.
There is a gotcha, however: I had to force replication with 'samba-tool
drs replicate' (after I restarted Samba on the first DC).

Rowland
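A small diagnostic check, added here and not part of Rowland's post or of Samba itself, that reads klist output and flags the failure mode he describes (the DNS/ service ticket is for a different host than the machine account). The sample klist text is constructed from the output quoted above, with a literal @ in place of the archive's "at".

```sh
#!/bin/sh
# check_dns_spn: compare the machine account in "Default principal" with the
# host in the DNS/<fqdn> service ticket of a klist dump. Prints "ok",
# "mismatch: <own> vs <spn>" or "no-dns-spn"; exit status 0, 1 or 2.

# Constructed sample (same content as the ticket cache quoted in the thread)
SAMPLE_KLIST='Ticket cache: FILE:/tmp/tmpierjtB
Default principal: SAMTEST2$@EXAMPLE.DOM

Valid starting     Expires            Service principal
19/10/16 20:13:22  20/10/16 06:13:22  krbtgt/EXAMPLE.DOM@EXAMPLE.DOM
19/10/16 20:13:22  20/10/16 06:13:22  DNS/samtest1.example.dom@EXAMPLE.DOM'

# Constructed "healthy" sample: DNS/ ticket for the DC's own host
SAMPLE_KLIST_OK='Default principal: SAMTEST2$@EXAMPLE.DOM
19/10/16 20:13:22  20/10/16 06:13:22  DNS/samtest2.example.dom@EXAMPLE.DOM'

check_dns_spn() {
    klist_text=$1
    # SAMTEST2$@EXAMPLE.DOM -> samtest2 (strip trailing $, realm; lowercase)
    own_host=$(printf '%s\n' "$klist_text" \
        | sed -n 's/^Default principal: \([^$@]*\)[$]@.*/\1/p' \
        | tr 'A-Z' 'a-z')
    # DNS/samtest1.example.dom@EXAMPLE.DOM -> samtest1 (first DNS/ ticket only)
    spn_host=$(printf '%s\n' "$klist_text" \
        | sed -n 's|.*[[:space:]]DNS/\([^.@]*\)[^[:space:]]*$|\1|p' \
        | head -n 1 | tr 'A-Z' 'a-z')
    if [ -z "$spn_host" ]; then
        echo "no-dns-spn"
        return 2
    fi
    if [ "$own_host" = "$spn_host" ]; then
        echo "ok"
        return 0
    fi
    echo "mismatch: $own_host vs $spn_host"
    return 1
}

# Run against the constructed sample; '|| :' keeps a mismatch from aborting
# a shell that runs with set -e.
check_dns_spn "$SAMPLE_KLIST" || :
```

On a live DC the same function can be fed the real cache, e.g. `check_dns_spn "$(klist /tmp/tmpierjtB)"`, to confirm whether the DNS/ ticket belongs to the host that is trying to update its own records.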