[Samba] Samba AD with multiple DC and multiple NICs

Nico Kadel-Garcia nkadel at gmail.com
Wed Oct 21 09:51:17 UTC 2020


On Mon, Oct 19, 2020 at 7:42 AM Stefano Vargiu via samba
<samba at lists.samba.org> wrote:
>
> Hello everyone,
>
> I'm trying to add a second DC to a Samba 4 AD: they both have multiple NICs
> and for this reason I cannot find a way to make it work.
> They communicate through VPN and both have one of the bound interfaces set
> to the same IP address, 172.20.0.1, which doesn't allow me to route to the
> correct DC, and that is only part of the problem.

Why are you doing this? It seems both confusing and unnecessary; as
distinct hosts inside of your VPN, they should have distinct IP
addresses.

> Here is the configuration:
> * DC1.domain.local
>   IP NIC1: 172.16.0.2
>   IP NIC2: 172.20.0.1
>   IP VPN: 172.19.1.173
>
> * DC2.domain.local
>   IP NIC1: 192.168.0.1
>   IP NIC2: 172.20.0.1
>   IP VPN: 172.19.1.174
>
> Before joining DC2 to the AD, I set the entries of DC1 using its VPN IP
> both in /etc/hosts:
>   172.19.1.173 DC1 DC1.domain.local
> and in /etc/resolv.conf:
>   search domain.local
>   domain domain.local
>   nameserver 172.19.1.173
>
> Then I try:
> $ kinit administrator
>
> but it hangs and fails, because it tries to contact DC1 through IP
> 172.16.0.2, not with the VPN IP I set in /etc/hosts.
>
> I could set up in DC2 a route to the remote IP 172.16.0.2 through VPN, but
> what about the second IP 172.20.0.1 which is also used in DC2?
> It seems that different operations (kinit and maybe replication after I
> join domain) end up querying the DNS without using the entries in
> /etc/hosts: how am I supposed to manage a similar situation in Samba?
> Should all the IPs of DC1 be reachable from DC2, and vice versa? If so, I'm
> forced to change the IP address of NIC2 in DC1 or DC2 to avoid the clash.
>
> I tried to bypass the problem by setting the nameserver in DC2 to a local DNS
> proxy (dnsmasq) which resolves `DC1.domain.local` and `domain.local` to the
> VPN IP of DC1 and forwards all other DNS queries to the local Samba (after
> the join). I did the same in DC1.
> In this way "kinit" works and the join ends up successfully, but I wonder
> if this is the right way to do it.
>
> The command:
> $ samba_dnsupdate --verbose
>
> understandably gives me errors of this kind:
> ---
> Looking for DNS entry A DC2.domain.local 172.20.0.1 as DC2.domain.local.
> Lookup of DC2.domain.local. succeeded, but we failed to find a matching DNS
> entry for A DC2.domain.local 172.20.0.1
> Lookup of domain.local. succeeded, but we failed to find a matching DNS
> entry for A domain.local 172.20.0.1
> ---
> Can I ignore them?
>
> Also, now replication works only in one way, from DC1 to DC2. The
> replication from DC2 to DC1 gives me the error:
>   DsReplicaSync failed - drsException: DsReplicaSync failed WERR_BADFILE
>
> I don't know if it has anything to do with the problems shown above.
>
> Can you suggest the best way to manage such a situation?
>
> Thank you and kind regards,
> Stefano
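The layout in the quoted message can be checked mechanically before either DC is joined: every address must be unique across the DCs, and every A record a DC registers must be one its peers can actually route to. The script below is an added example written for this thread, not code from the Samba project or from either poster; the addresses and A records are constructed from the message above, the 172.19.1.0/24 VPN prefix is an assumption, and the `interfaces` / `bind interfaces only` fragment it proposes rests on the assumption that Samba and `samba_dnsupdate` advertise only the addresses listed there.

```python
"""Audit a multi-homed Samba AD DC layout for address clashes and for DNS
A records that a peer DC cannot reach over the VPN.

Constructed example for this thread: the DC addresses mirror the message
above; the VPN prefix, the record set and all function names are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed: per-DC interface addresses exactly as listed in the message.
DCS = {
    "DC1.domain.local": {"NIC1": "172.16.0.2", "NIC2": "172.20.0.1", "VPN": "172.19.1.173"},
    "DC2.domain.local": {"NIC1": "192.168.0.1", "NIC2": "172.20.0.1", "VPN": "172.19.1.174"},
}

# Assumption: the network over which the two DCs reach each other.
VPN_NET = ipaddress.ip_network("172.19.1.0/24")

# Constructed: the A records that result when every interface address is
# advertised (the situation behind the samba_dnsupdate errors quoted above).
A_RECORDS = [
    ("DC1.domain.local", "172.16.0.2"),
    ("DC1.domain.local", "172.20.0.1"),
    ("DC1.domain.local", "172.19.1.173"),
    ("DC2.domain.local", "192.168.0.1"),
    ("DC2.domain.local", "172.20.0.1"),
    ("DC2.domain.local", "172.19.1.174"),
    ("domain.local", "172.20.0.1"),
    ("domain.local", "172.19.1.173"),
    ("domain.local", "172.19.1.174"),
]


def find_ip_clashes(dcs):
    """Return {address: [dc names]} for every address used by more than one DC.

    A clashing address resolves to whichever host is asking, so a record
    pointing at it can never reliably reach the intended DC.
    """
    owners = defaultdict(list)
    for dc, nics in dcs.items():
        for addr in nics.values():
            owners[addr].append(dc)
    return {addr: sorted(names) for addr, names in owners.items() if len(names) > 1}


def off_vpn_records(records, vpn_net):
    """Return the A records whose address lies outside the VPN prefix.

    Kerberos, LDAP and DRS replication pick an address from DNS, not from
    /etc/hosts, so each of these is a candidate for the hang described above.
    """
    return [(name, addr) for name, addr in records
            if ipaddress.ip_address(addr) not in vpn_net]


def vpn_addresses(dcs, vpn_net):
    """Return {dc: address} with the single VPN address of each DC.

    Raises if a DC has zero or several addresses inside the VPN prefix,
    because the proposed smb.conf fragment needs exactly one.
    """
    result = {}
    for dc, nics in dcs.items():
        on_vpn = [a for a in nics.values() if ipaddress.ip_address(a) in vpn_net]
        if len(on_vpn) != 1:
            raise ValueError(f"{dc}: expected one address in {vpn_net}, found {on_vpn}")
        result[dc] = on_vpn[0]
    return result


def smb_conf_fragment(vpn_addr):
    """Propose the [global] lines that limit what a DC advertises.

    Assumption: with 'bind interfaces only = yes', Samba and samba_dnsupdate
    use only the addresses listed in 'interfaces' (plus loopback here).
    """
    return f"interfaces = lo {vpn_addr}\nbind interfaces only = yes"


def audit(dcs, records, vpn_net):
    """Run all checks, print a short report and return the findings."""
    findings = {
        "clashes": find_ip_clashes(dcs),
        "off_vpn": off_vpn_records(records, vpn_net),
        "fragments": {dc: smb_conf_fragment(a) for dc, a in vpn_addresses(dcs, vpn_net).items()},
    }
    for addr, names in findings["clashes"].items():
        print(f"CLASH  {addr} is used by {', '.join(names)}")
    for name, addr in findings["off_vpn"]:
        print(f"UNREACHABLE  A {name} {addr} is outside {vpn_net}")
    for dc, fragment in findings["fragments"].items():
        print(f"--- proposed [global] lines for {dc} ---\n{fragment}")
    return findings


if __name__ == "__main__":
    audit(DCS, A_RECORDS, VPN_NET)
```

Run as-is, the report flags 172.20.0.1 as shared by both DCs and lists the five records that point outside the VPN, which are exactly the ones `samba_dnsupdate` complains about. Whether restricting `interfaces` is the right fix for a given deployment depends on what the other NICs are for, but the audit itself is useful regardless: rerun it after any change so the registered records and the reachable addresses stay in agreement.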
