[Samba] Samba 4.19.6 dns record pdc not automatic updated

Shkaruba Andrey ShkarubaA at yandex.ru
Mon Jun 10 11:56:12 UTC 2024


Good afternoon.
Several errors were detected in Samba 4.19.6 running in Samba AD DC
mode when working with DNS.
The DNS record _ldap._tcp.pdc._msdcs.domain.loc (where domain.loc is
the domain FQDN) is not updated when the FSMO roles are migrated.
If the DNS records are forcibly recreated, the record
_ldap._tcp.pdc._msdcs.domain.loc is created a second time.

Steps to reproduce:
Checking DNS records
# samba-tool dns query localhost _msdcs.domain.loc _tcp.pdc SRV -P
  Name=, Records=0, Children=0
  Name=_ldap, Records=1, Children=0
    SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)
    
Checking FSMO roles
# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
InfrastructureMasterRole owner: CN=NTDS
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
DomainDnsZonesMasterRole owner: CN=NTDS
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
ForestDnsZonesMasterRole owner: CN=NTDS
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc

Let's say we are migrating the FSMO roles to dc02
# samba-tool fsmo transfer --role=all -U administrator
 
After performing the operation, we get
# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
InfrastructureMasterRole owner: CN=NTDS
Settings,CN=DC02,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=DC02,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=DC02,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=DC02,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
DomainDnsZonesMasterRole owner: CN=NTDS
Settings,CN=DC02,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
ForestDnsZonesMasterRole owner: CN=NTDS
Settings,CN=DC02,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=domain,DC=loc

Checking DNS records
# samba-tool dns query localhost _msdcs.domain.loc _tcp.pdc SRV -P
  Name=, Records=0, Children=0
  Name=_ldap, Records=1, Children=0
    SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)

The DNS record has not changed.
This error means that requests for operations that should be performed
on the domain controller holding the PDC role are sent by clients or
trusted servers to the wrong domain controller. And if the DC01 domain
controller is deleted, the domain is left without any PDC record in DNS
at all, which leads to problems when servicing the domain with the RSAT
utilities; domain trusts will not work...

If we perform the operation on dc02 that forces the creation of the DNS
records for a domain controller, a new record
_ldap._tcp.pdc._msdcs.domain.loc is created a second time.

Steps to reproduce:
# samba_dnsupdate --verbose --all-names
Checking DNS records
# samba-tool dns query localhost _msdcs.domain.loc _tcp.pdc SRV -P
  Name=, Records=0, Children=0
  Name=_ldap, Records=2, Children=0
    SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)
    SRV: dc02.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)
    
If the record for dc01 is deleted, the domain works fine.

In Samba version 4.19.4 the described problem does not exist, or does
not manifest itself.

Perhaps this problem is due to the fact that when a new domain
controller is added, SRV records are not created for it.
___
Andrey
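The check a practitioner would want after an FSMO transfer is to compare the DC named in the PdcEmulationMasterRole owner DN with the target(s) of the _ldap._tcp.pdc._msdcs SRV record, distinguishing the two failure modes the post shows (a stale record still naming dc01, and a duplicated record after samba_dnsupdate). The script below is an added example, not code from the post or from the Samba project. It parses the output formats of `samba-tool fsmo show` and `samba-tool dns query` exactly as they appear above; the sample outputs embedded in it are constructed from the post's listings (unwrapped to one line per role, as samba-tool actually prints them) so that it runs offline. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project): verify that
# the _ldap._tcp.pdc._msdcs.<domain> SRV record names the DC that currently
# holds the PDC emulator FSMO role, and flag the two failure modes from the
# post: a stale record (still naming the old PDC) and a duplicated record.

# Extract the PDC emulator's DC short name from `samba-tool fsmo show` output.
# The owner DN has the form "CN=NTDS Settings,CN=DC02,CN=Servers,...", so the
# component after "NTDS Settings" is the DC name.
pdc_from_fsmo() {
    printf '%s\n' "$1" \
        | awk -F'CN=' '/^PdcEmulationMasterRole owner:/ { split($3, a, ","); print tolower(a[1]); exit }'
}

# Extract the short hostname of every SRV target from the output of
# `samba-tool dns query <server> _msdcs.<domain> _tcp.pdc SRV`, one per line.
pdc_srv_hosts() {
    printf '%s\n' "$1" \
        | awk '$1 == "SRV:" { split($2, h, "."); print tolower(h[1]) }'
}

# Compare the two. Returns 0 when exactly one record exists and it names the
# PDC emulator, 1 when the record is missing or names another DC (stale),
# 2 when more than one record exists (duplicate).
check_pdc_srv() {
    pdc=$(pdc_from_fsmo "$1")
    hosts=$(pdc_srv_hosts "$2")
    count=$(printf '%s\n' "$hosts" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -gt 1 ]; then
        echo "DUPLICATE: $count SRV records under _ldap._tcp.pdc._msdcs: $(printf '%s' "$hosts" | tr '\n' ' ')"
        return 2
    fi
    if [ -n "$pdc" ] && [ "$hosts" = "$pdc" ]; then
        echo "OK: _ldap._tcp.pdc._msdcs names the PDC emulator ($pdc)"
        return 0
    fi
    echo "STALE: PDC emulator is '$pdc' but the SRV record names '${hosts:-nothing}'"
    return 1
}

# Constructed sample outputs (trimmed to the lines the check reads), in the
# shapes the post shows. On a real DC replace them with:
#   FSMO=$(samba-tool fsmo show)
#   DNS=$(samba-tool dns query localhost _msdcs.domain.loc _tcp.pdc SRV -P)
FSMO_DC01='SchemaMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc'
FSMO_DC02='SchemaMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=loc'
DNS_DC01_ONLY='  Name=, Records=0, Children=0
  Name=_ldap, Records=1, Children=0
    SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)'
DNS_BOTH='  Name=, Records=0, Children=0
  Name=_ldap, Records=2, Children=0
    SRV: dc01.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)
    SRV: dc02.domain.loc. (389, 0, 100) (flags=f0, serial=1, ttl=900)'

# The three states from the post, in order.
check_pdc_srv "$FSMO_DC01" "$DNS_DC01_ONLY" || true   # before the transfer: OK
check_pdc_srv "$FSMO_DC02" "$DNS_DC01_ONLY" || true   # after the transfer: STALE
check_pdc_srv "$FSMO_DC02" "$DNS_BOTH" || true        # after samba_dnsupdate: DUPLICATE
```

Run it on the new PDC emulator after every `samba-tool fsmo transfer`, and again after `samba_dnsupdate --all-names`; a non-zero exit is the signal to inspect and, as the post does, remove the record for the DC that no longer holds the role. The check deliberately compares short names, because `samba-tool fsmo show` reports the DC by its server object CN while the SRV target is an FQDN.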


