[Samba] samba4 dns delegation of _msdcs

maksemuz maksemuz at gmail.com
Thu Jul 20 14:46:52 UTC 2017

I compared DNS requests and results in both Samba/AD and MS/AD.
In Samba/AD requests were monitored with tcpdump on Samba DC.
In MS/AD it was Wireshark.
Request results were checked with 'ipconfig /displaydns' command on client
machine (Windows).
There are some differences: in Samba/AD client never req

2017-07-19 17:09 GMT+03:00 mathias dufresne <infractory at gmail.com>:

> Hi,
> I believe glue records are standard A records. Then you add an NS record to
> the zone.
> Here I have no Samba/AD to test but I do have some MS/AD. "dig -t NS
> _msdcs.ms-ad.domain.tld"  gives me the whole list of DC (at least it seems
> to be the whole list).
> What could be interesting is wireshark on domain port when doing your
> tests, to see what DNS request gives global catalog servers instead of
> standard LDAP servers. If your supposition is correct (and if I
> understood correctly too :) this request should appear in both test cases
> and a reply should be sent back only against MS/AD, not when asking to
> Samba/AD.
> Cheers,
> mathias
> 2017-07-12 10:45 GMT+02:00 maksemuz via samba <samba at lists.samba.org>:
>> Hello samba,
>> I got the following situation:
>> there is the test domain 'test.d' built on samba 4.6 on freebsd 11
>> I am connecting MS project server 2013 to it.
>> When I try to sync pool resources from project server web app, it gives me
>> an error.
>> Wireshark shows that the ldap search request with object SID and null
>> baseDN inside was sent to the domain controller on ldap port 389, and it is
>> defined as incorrect.
>> I built test domain with native MS AD instead of samba4 and repeated all
>> actions.
>> Wireshark shows that the same request goes to the ldap port 3268 (gc) and
>> gets a correct answer from the domain controller.
>> I think the cause of it is the difference between MS AD DNS structure and
>> Samba4 AD DNS structure.
>> The difference is: the MS AD DNS contains the glue record for
>> _msdcs.test.d
>> inside the test.d, whilst Samba4 DNS does not.
>> In other words, there are no delegation records for _msdcs.test.d in test.d,
>> therefore the client machine cannot get all SRV records and then sends the ldap
>> request to the wrong port.
>> the glue record from MS AD DNS:
>> ;  Delegated sub-zone:  _msdcs.test.d.
>> ;
>> _msdcs                  NS    dc.test.d.
>> ;  End delegation
>> I tried adding this record with samba-tool but got the error:
>> 10:56:52 {root at fread}-# samba-tool dns add test.d _msdcs NS
>> Password for [TEST\uzer]:
>> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>> 1098, in run
>>     raise e
>> My questions are:
>> 1 - do you think my suspicions are correct?
>> 2 - if so, how to add glue record for _msdcs.test.d in test.d ?
>> 3 - if not, what should I do to solve this problem?
>> Thanks in advance.
>> __________________________
>> Regards,
>> Maks Melnikov
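The audit below is an added example written for this thread; it is not Samba project code and not something the poster ran. It checks, from record listings, the three things the thread argues about: whether the parent zone carries an NS delegation for _msdcs, whether the NS target has a glue A/AAAA record in the parent zone, and whether the global-catalog SRV record _ldap._tcp.gc._msdcs.<domain> (and its plain-DC sibling _ldap._tcp.dc) exists under _msdcs and points at a host that resolves. The parser accepts zone-file-style lines with an explicit owner, so it also reads what `dig +noall +answer` prints. The domain name test.d, the host dc.test.d, the address 192.0.2.10 and both record sets are constructed for illustration; the "no delegation" sample mirrors the situation the poster describes, it is not a dump of a real Samba zone.

```python
"""Audit an AD DNS layout for the _msdcs delegation discussed in this thread.

Added example, not Samba code.  Parses `owner [ttl] [IN] TYPE rdata` lines
(zone export or `dig +noall +answer` output) and reports whether the parent
zone delegates _msdcs with glue and whether the GC SRV records resolve.
All names, addresses and records below are constructed for illustration.
"""


def absolute(name, origin):
    """Qualify a possibly-relative owner or target name against a zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(fqdn, TYPE, rdata), ...].  `;` comments, blank lines and `$`
    directives are skipped; every record line must carry its own owner."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        i = 1
        if i < len(parts) and parts[i].isdigit():        # optional TTL
            i += 1
        if i < len(parts) and parts[i].upper() == "IN":  # optional class
            i += 1
        records.append((absolute(parts[0], origin), parts[i].upper(),
                        " ".join(parts[i + 1:])))
    return records


def audit_msdcs(parent_text, msdcs_text, domain):
    """Checks for `domain` given the parent zone and the _msdcs.<domain> zone."""
    origin = domain.rstrip(".").lower() + "."
    msdcs = "_msdcs." + origin
    parent = parse_zone(parent_text, origin)
    child = parse_zone(msdcs_text, msdcs)
    parent_addrs = {n for n, t, _ in parent if t in ("A", "AAAA")}
    all_addrs = parent_addrs | {n for n, t, _ in child if t in ("A", "AAAA")}

    # 1. The parent zone must hand _msdcs off with NS records.
    ns_targets = [absolute(rd, origin) for n, t, rd in parent
                  if n == msdcs and t == "NS"]
    # 2. An NS target that lives inside the parent zone needs glue there,
    #    otherwise a resolver following the delegation has no address to use.
    in_bailiwick = [t for t in ns_targets if t.endswith("." + origin)]
    glue_ok = bool(ns_targets) and all(t in parent_addrs for t in in_bailiwick)

    def srv(service):
        return [rd.split() for n, t, rd in child
                if n == f"{service}.{msdcs}" and t == "SRV"]

    gc = srv("_ldap._tcp.gc")  # global catalog locator, expected port 3268
    dc = srv("_ldap._tcp.dc")  # plain domain-controller LDAP locator, port 389
    # SRV rdata layout: priority weight port target
    targets = [absolute(rd[3], msdcs) for rd in gc + dc]
    return {
        "delegation": bool(ns_targets),
        "glue": glue_ok,
        "gc_srv": bool(gc),
        "gc_port_3268": bool(gc) and all(rd[2] == "3268" for rd in gc),
        "dc_srv": bool(dc),
        "srv_targets_resolve": bool(targets) and all(t in all_addrs for t in targets),
    }


# Constructed parent zone in the shape of the MS DNS export quoted above.
MS_PARENT = """
$ORIGIN test.d.
@        3600 IN SOA  dc.test.d. hostmaster.test.d. 1 900 600 86400 3600
@        3600 IN NS   dc.test.d.
dc       3600 IN A    192.0.2.10
;  Delegated sub-zone:  _msdcs.test.d.
_msdcs   3600 IN NS   dc.test.d.
;  End delegation
"""

# Constructed parent zone without the delegation (the case the poster reports).
NO_DELEGATION_PARENT = """
$ORIGIN test.d.
@        3600 IN NS   dc.test.d.
dc       3600 IN A    192.0.2.10
"""

# Constructed contents of the _msdcs.test.d zone, used for both cases.
MSDCS_ZONE = """
$ORIGIN _msdcs.test.d.
@              600 IN NS   dc.test.d.
_ldap._tcp.gc  600 IN SRV  0 100 3268 dc.test.d.
_ldap._tcp.dc  600 IN SRV  0 100 389  dc.test.d.
"""

if __name__ == "__main__":
    for label, parent in (("MS-style", MS_PARENT), ("no delegation", NO_DELEGATION_PARENT)):
        result = audit_msdcs(parent, MSDCS_ZONE, "test.d")
        failed = [k for k, v in result.items() if not v]
        print(f"{label}: " + ("all checks pass" if not failed else "failing: " + ", ".join(failed)))
```

To run it against real servers instead of the constructed samples, collect `dig @<dc> +noall +answer -t NS _msdcs.test.d`, `dig @<dc> +noall +answer -t A dc.test.d` and `dig @<dc> +noall +answer -t SRV _ldap._tcp.gc._msdcs.test.d` from the Samba DC and from the Windows DC and pass the answer lines as `parent_text` and `msdcs_text`; absolute owner names parse the same way as the relative ones in the samples. One caveat on the tool itself: `samba-tool dns add` takes the DNS server name as its first argument, before the zone (`samba-tool dns add <server> <zone> <name> <type> <data>`), so an NS record needs the server, the parent zone, `_msdcs`, `NS` and the target host name as rdata.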
