[Samba] samba4 dns delegation of _msdcs

mathias dufresne infractory at gmail.com
Wed Jul 19 14:09:02 UTC 2017


Hi,

I believe glue records are standard A records. Then you add an NS record to the
zone.

Here I have no Samba/AD to test but I do have some MS/AD. "dig -t NS
_msdcs.ms-ad.domain.tld" gives me the whole list of DCs (at least it seems
to be the whole list).

What could be interesting is running Wireshark on the DNS port when doing your
tests, to see which DNS request returns global catalog servers instead of
standard LDAP servers. If your supposition is correct (and if I
understood correctly too :) this request should appear in both test cases,
and a reply should be sent back only by MS/AD, not when asking
Samba/AD.

Cheers,

mathias

2017-07-12 10:45 GMT+02:00 maksemuz via samba <samba at lists.samba.org>:

> Hello samba,
>
> I got the following situation:
> there is the test domain 'test.d' built on samba 4.6 on freebsd 11
>
> I am connecting MS Project Server 2013 to it.
> When I try to sync pool resources from the Project Server web app, it gives me
> an error.
> Wireshark shows that an LDAP search request with an object SID and a null
> baseDN inside was sent to the domain controller on LDAP port 389, and it is
> reported as incorrect.
>
> I built a test domain with native MS AD instead of Samba4 and repeated all the
> actions.
> Wireshark shows that the same request goes to LDAP port 3268 (GC) and
> gets a correct answer from the domain controller.
>
> I think the cause is the difference between the MS AD DNS structure and the
> Samba4 AD DNS structure.
> The difference is: the MS AD DNS contains the glue record for _msdcs.test.d
> inside test.d, whilst Samba4 DNS does not.
> In other words, there are no delegation records for _msdcs.test.d in test.d,
> therefore the client machine cannot get all the SRV records and then sends the LDAP
> request to the wrong port.
>
> the glue record from MS AD DNS:
> ;  Delegated sub-zone:  _msdcs.test.d.
> ;
> _msdcs                  NS    dc.test.d.
> ;  End delegation
>
> I tried adding this record with samba-tool but got the error:
>
> 10:56:52 {root at fread}-# samba-tool dns add 127.0.0.1 test.d _msdcs NS
> Password for [TEST\uzer]:
> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> 1098, in run
>     raise e
>
> My questions are:
> 1 - do you think my suspicions are correct?
> 2 - if so, how do I add a glue record for _msdcs.test.d in test.d?
> 3 - if not, what should I do to solve this problem?
>
> Thanks in advance.
> __________________________
> Regards,
> Maks Melnikov
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
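The lookups mathias suggests watching in Wireshark, as an added example that is not part of the thread or of Samba: a stdlib-only Python probe that asks a DC's DNS for the DC and GC SRV records under _msdcs and for the NS set of _msdcs itself, then reports the rcode and the endpoints (target, port) each answer advertises. The wire parser is exercised against a constructed reply (one GC on dc.test.d port 3268 with a glue A record 192.0.2.10) so it can be checked offline. The domain and server names, the sample bytes, and the single-domain-forest assumption (GC SRV records sit under _msdcs of the domain itself) are assumptions; nothing here records what Samba actually returns.

```python
"""Probe the DNS names a domain member asks for when locating a DC / GC.
Added example, not from the thread or from Samba; assumes a single-domain
forest and is tested offline against a constructed DNS reply."""
import random
import socket
import struct

A, NS, SRV, IN = 1, 2, 33, 1
RCODE_NAMES = {0: 'NOERROR', 2: 'SERVFAIL', 3: 'NXDOMAIN', 5: 'REFUSED'}


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip('.').split('.')
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def build_query(qname, qtype, qid=None):
    """One-question query with the RD flag set (what a client sends to its DC)."""
    qid = random.randrange(0x10000) if qid is None else qid
    return struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0) + _encode_name(qname) + struct.pack('!HH', qtype, IN)


def _read_name(data, off):
    """Decode a possibly compressed name at off -> (name, offset after it).
    Pointers may only be followed a bounded number of times, so a hostile reply
    with a pointer loop raises instead of hanging the parser."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            hops += 1
            if hops > 32:
                raise ValueError('compression pointer loop')
            if end is None:
                end = off + 2
            off = struct.unpack('!H', data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (off if end is None else end)


def parse_response(data):
    """Return (rcode, records); records are (owner, type, rdata) for A/NS/SRV only."""
    _qid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', data[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = _read_name(data, off)
        off += 4                                        # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        owner, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', data[off:off + 10])
        rdata_off, off = off + 10, off + 10 + rdlen
        if rtype == SRV:
            prio, weight, port = struct.unpack('!HHH', data[rdata_off:rdata_off + 6])
            target, _ = _read_name(data, rdata_off + 6)  # target may use compression
            records.append((owner, 'SRV', (prio, weight, port, target)))
        elif rtype == NS:
            records.append((owner, 'NS', _read_name(data, rdata_off)[0]))
        elif rtype == A:
            records.append((owner, 'A', socket.inet_ntoa(data[rdata_off:rdata_off + 4])))
    return flags & 0xF, records


def srv_endpoints(records):
    """(target, port) pairs from SRV records, lowest priority then highest weight first."""
    srv = [r[2] for r in records if r[1] == 'SRV']
    return [(t, p) for _, _, p, t in sorted(srv, key=lambda s: (s[0], -s[1]))]


def lookup(server, qname, qtype, timeout=2.0):
    """Send one UDP query straight to the DC's DNS and parse the reply."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError('DNS id mismatch')
    return parse_response(data)


def check_ad_dns(domain, server):
    """The three names at issue in the thread: DC SRV, GC SRV (port 3268 expected)
    and the NS records of the _msdcs subzone. Assumes forest root == domain."""
    checks = {'dc_srv': ('_ldap._tcp.dc._msdcs.' + domain, SRV),
              'gc_srv': ('_ldap._tcp.gc._msdcs.' + domain, SRV),
              'msdcs_ns': ('_msdcs.' + domain, NS)}
    report = {}
    for key, (qname, qtype) in checks.items():
        rcode, recs = lookup(server, qname, qtype)
        found = srv_endpoints(recs) if qtype == SRV else [r[2] for r in recs if r[1] == 'NS']
        report[key] = (RCODE_NAMES.get(rcode, str(rcode)), found)
    return report


# Constructed sample reply (not captured from any real DC): SRV _ldap._tcp.gc._msdcs.test.d
# -> dc.test.d:3268, plus a glue A record. Compression pointers target offset 12 (the
# question name), 33 (the "test.d" suffix inside it) and 63 (the "dc" label in the SRV rdata).
SAMPLE_GC_RESPONSE = (
    struct.pack('!HHHHHH', 0x1234, 0x8580, 1, 1, 0, 1)
    + _encode_name('_ldap._tcp.gc._msdcs.test.d') + struct.pack('!HH', SRV, IN)
    + b'\xc0\x0c' + struct.pack('!HHIH', SRV, IN, 600, 11)
    + struct.pack('!HHH', 0, 100, 3268) + b'\x02dc' + b'\xc0\x21'
    + b'\xc0\x3f' + struct.pack('!HHIH', A, IN, 600, 4) + socket.inet_aton('192.0.2.10')
)

if __name__ == '__main__':
    import sys
    print(parse_response(SAMPLE_GC_RESPONSE))
    if len(sys.argv) == 3:                              # usage: probe.py test.d 127.0.0.1
        for key, value in check_ad_dns(sys.argv[1], sys.argv[2]).items():
            print(key, value)
```

Run it as `python3 probe.py test.d <dc-ip>` against each test domain: the gc_srv entry is the request the Project Server client needs answered with port 3268, and an NXDOMAIN or empty answer for it or for msdcs_ns is what the missing delegation would look like from the client's side.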