[Samba] AXFR transfer: SRV for DC missing
Ing. Markus Gschwendt
office+samba at gschwendt.at
Mon Oct 27 16:56:38 UTC 2025
Hi!
We just did an upgrade from Samba NT-style domain to AD.
Most things are working fine. Just the AXFR transfer to a secondary
nameserver is missing some records.
Everything is on the latest packages of debian bookworm (Samba,
Bind,...)
The AD DC runs bind9, which gets its zone information via the DLZ module.
A DNS lookup for the SRV record on the AD does return the record
correctly:
dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
; <<>> DiG 9.20.11-4-Debian <<>> SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 79f68a16d56af3d70100000068ff8bd19ebb9a54d2a9b7d7 (good)
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.example.internal. IN SRV
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.example.internal. 3600 IN SRV 0 100 389 ad1.example.internal.
;; Query time: 3 msec
;; SERVER: 192.168.0.XXX#53(192.168.0.XXX) (UDP)
;; WHEN: Mon Oct 27 16:12:17 CET 2025
;; MSG SIZE rcvd: 171
If I manually ask for the whole zone via AXFR, the record is missing:
dig axfr example.internal @192.168.0.XXX | grep SRV
_gc._tcp.example.internal. 900 IN SRV 0 100 3268 ad1.example.internal.
_kerberos._tcp.example.internal. 900 IN SRV 0 100 88 ad1.example.internal.
_ldap._tcp.DomainDnsZones.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_kpasswd._udp.example.internal. 900 IN SRV 0 100 464 ad1.example.internal.
_ldap._tcp.Default-First-Site-Name._sites.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_gc._tcp.Default-First-Site-Name._sites.example.internal. 900 IN SRV 0 100 3268 ad1.example.internal.
_ldap._tcp.ForestDnsZones.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_kpasswd._tcp.example.internal. 900 IN SRV 0 100 464 ad1.example.internal.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_ldap._tcp.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_kerberos._udp.example.internal. 900 IN SRV 0 100 88 ad1.example.internal.
_kerberos._tcp.Default-First-Site-Name._sites.example.internal. 900 IN SRV 0 100 88 ad1.example.internal.
This means
* Inside samba ldb the record is present.
* Bind seems to be able to deliver the SRV record.
* But it is not delivered in a zone transfer via AXFR.
As you can see from the output, the AXFR transfer itself does work and
the allow-settings are correct.
Why is the record in AXFR missing or how can I get it into AXFR?
Can anybody help on this?
At another site/company we have the same setup (versions, config,...)
and there it's working without problems.
Markus