[Samba] Samba AD with multiple DC and multiple NICs

Stefano Vargiu vstefanoxx at gmail.com
Mon Oct 19 11:40:14 UTC 2020 

Hello everyone,

I'm trying to add a second DC to a Samba 4 AD: they both have multiple NICs
and for this reason cannot find a way to make it work.
They communicate through VPN and both have one of the bound interfaces set
to the same IP address, 172.20.0.1, which doesn't allow me to route to the
correct DC, and that is only part of the problem.

Here is the configuration:
* DC1.domain.local
  IP NIC1: 172.16.0.2
  IP NIC2: 172.20.0.1
  IP VPN: 172.19.1.173

* DC2.domain.local
  IP NIC1: 192.168.0.1
  IP NIC2: 172.20.0.1
  IP VPN: 172.19.1.174

Before joining DC2 to the AD, I set the entries of DC1 using his VPN IP
both in /etc/hosts:
  172.19.1.173 DC1 DC1.domain.local
and in /etc/resolv.conf:
  search domain.local
  domain domain.local
  nameserver 172.19.1.173

Then I try:
$ kinit administrator

but it hangs and fails, because it tries to contact DC1 through IP
172.16.0.2, not with the VPN IP I set in /etc/hosts.

I could set up in DC2 a route to the remote IP 172.16.0.2 through VPN, but
what about the second IP 172.20.0.1 which is also used in DC2?
It seems that different operations (kinit and maybe replication after I
join domain) end up querying the DNS without using the entries in
/etc/hosts: how am I supposed to manage a similar situation in Samba?
Should all the IPs of DC1 be reachable from DC2, and vice versa? If so, I'm
forced to change the IP address of NIC2 in DC1 or DC2 to avoid the clash.

I tried to bypass the problem setting the nameserver in DC2 to a local DNS
proxy (dnsmasq) which resolve `DC1.domain.local` and `domain.local` to the
VPN IP of DC1 and forward all other DNS queries to the local Samba (after
the join). And the same I did in DC1.
In this way "kinit" works and the join ends up successfully, but I wonder
if this is the right way to do it.

The command:
$ samba_dnsupdate --verbose

gives me understandably errors of this kind:
---
Looking for DNS entry A DC2.domain.local 172.20.0.1 as DC2.domain.local.
Lookup of DC2.domain.local. succeeded, but we failed to find a matching DNS
entry for A DC2.domain.local 172.20.0.1
Lookup of domain.local. succeeded, but we failed to find a matching DNS
entry for A domain.local 172.20.0.1
---
Can I ignore them?

Also, now replication works only in one way, from DC1 to DC2. The
replication from DC2 to DC1 gives me the error:
  DsReplicaSync failed - drsException: DsReplicaSync failed WERR_BADFILE

I don't know if it has anything to do with the problems shown above.

Can you suggest to me which is the best way to manage such a situation?

Thank you and kind regards,
Stefano

More information about the samba mailing list