Bug 10928 - Joining Samba as DC, misses to create some important DNS entries
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.2.0
Hardware: All All
Importance: P5 normal
Target Milestone: 4.3
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks: 11924
Reported: 2014-11-09 23:08 UTC by Marc Muehlfeld
Modified: 2016-06-07 16:16 UTC
CC: 6 users
Description Marc Muehlfeld 2014-11-09 23:08:09 UTC
When you join Samba as an additional Domain Controller to an Active Directory, neither the A record for the new DC is added, nor the CNAME of the objectGUID pointing to the hostname:

# host -t A {DCHostname}.samdom.example.com.
Host {DCHostname}.samdom.example.com. not found: 3(NXDOMAIN)


# host -t CNAME {objectGUID}._msdcs.samdom.example.com.
Host {objectGUID}._msdcs.samdom.example.com. not found: 3(NXDOMAIN)


Currently users have to add these two DNS records manually. See
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Check_DNS_entries


We should do this automatically during the domain join.
Comment 1 Remsnet LTD Support 2014-12-25 21:22:28 UTC
I can confirm what Marc found.

Today I updated to the latest sernet-samba 4.1.14-10 on CentOS 6.5 and 6. with bind 9.9 built from https://github.com/remsnet/CentOS-Bind-DLZ


Created the new (freshly installed) sernet-samba deployment with ad1 as DC master on subnet 192.168.0 and ad2 as DC on 192.168.1:

samba-tool domain provision --use-rfc2307 \
--dns-backend=BIND9_DLZ \
--workgroup=ADS \
--function-level=2008_R2 \
--site=master \
--domain=ADS \
--sid=S-1-5-21-974500379-1975925619-3590964749 \
--host-name=ad1 \
--host-ip=192.168.0.20 \
--realm=SAMPLE.DOM \
--adminpass=<pwd> \
--ldapadminpass=<pwd> \
--krbtgtpass=<pwd>

then joined the second, freshly set up ad2 with
samba-tool domain join SAMPLE.DOM DC -Uadministrator \
 --realm=SAMPLE.DOM \
 --dns-backend=BIND9_DLZ \
 --workgroup=ADS \
 --site=master \
 --server=ad1.SAMPLE.DOM \
 --password=<pwd>

Both the domain create and the domain join as DC "reported" success.


Error symptoms seen:
-  the ad2 DNS A entries resulted only resolvable locally on ad2

-  samba-tool drs kcc fails, saying that our ldap kcc is not registered with the realm due to failed DNS, error:

Server ldap/AD2.@SAMPLE.DOM is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/AD2.ADS.SOFTWAREENERGIE.EU@ADS.SOFTWAREENERGIE.EU) unknown
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER


-  samba-tool drs bind fails
-  samba_dnsupdate --all-names fails on dc2
-  samba_dnsupdate --all-names works on dc1
-  samba_dnsupdate --all-names on dc2 works only if the first nameserver IP in /etc/resolv.conf points to ad1
-  samba-tool dns zonecreate ad2.ADS.SOFTWAREENERGIE.EU 0.168.192.in-addr.arpa with KRB works, and is replicated to ad1, but any samba-tool dns add/update fails on ad2 using that new subzone.
-  samba-tool drs showrepl fails with drsException (8, 'WERR_NOMEM') ... resulting in "raise drsException("DRS connection to %s failed: %s" % (server, e))"


# samba-tool dns update ad1.SAMPLE.DOM SAMPLE.DOM ad1.SAMPLE.DOM A 192.168.1.20 192.168.1.20
Unknown parameter encountered: "send spnego principal"
Ignoring unknown parameter "send spnego principal"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[home]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[users]"
Processing section "[groups]"
Processing section "[srv]"
Processing section "[testsmb]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:ad1.SAMPLE.DOM[,sign]
Mapped to DCERPC endpoint 135
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.1.20 bcast=192.168.26.255 netmask=255.255.255.0
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.1.20 bcast=192.168.26.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.1.20 bcast=192.168.26.255 netmask=255.255.255.0
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.1.20 bcast=192.168.26.255 netmask=255.255.255.0
ERROR: Record does not exist


Within the BIND-DLZ usage of DC join, "samba-tool domain join" should:

1- test if <SAMPLE.DOM> exists; if so, create the DNS A record for ad2 within the given realm and domain.
2- test if ad2 is an LDAP member; if not, force-correct that after the DNS A record is created
3- test if ad2 is a KDC member; if not, force-correct that after the DNS A record is created
4- publish an updated krb5.conf sample that adds the new line kdc = ad2 at
 [realms]
  SAMPLE.DOM = {
   kdc = ad1.SAMPLE.DOM
   kdc = ad2.SAMPLE.DOM
...
 }


5- run samba_dnsupdate --all-names in a "dc join mode" (does not exist today):
  - update dc2 DNS entries
  - update dc1 DNS entries for dc2
  - check that DNS has been updated as expected

If 5- fails, then report that the domain join failed using samba4 DLZ.

Reason for all this: ADS is based massively on DNS - DNS entries must exist.
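Added example (not code from the bug report or from Samba's own tooling): a small checker for the two records Marc's description says the join omits, the DC's A record and the objectGUID CNAME under _msdcs, which also covers the "check that DNS has been updated as expected" step of the wishlist above. It parses the output of the same `host -t` lookups shown in the description; it assumes the caller has already read the objectGUID of the new DC's NTDS Settings object from AD, and the hostnames, realm and GUID in the usage line are constructed sample values.

```python
import subprocess
from typing import Callable, Dict, List, Tuple


def _fqdn(name: str) -> str:
    """Normalise to a lowercase, dot-terminated absolute DNS name."""
    return name.lower().rstrip(".") + "."


def expected_records(dc_hostname: str, realm: str, object_guid: str) -> List[Tuple[str, str, str]]:
    """(name, type, expected target) for the two records a DC join must create:
    the DC's own A record (no fixed target) and the CNAME of its NTDS Settings
    objectGUID under _msdcs, which must point at the DC's FQDN."""
    dc = _fqdn(f"{dc_hostname}.{realm}")
    return [(dc, "A", ""), (_fqdn(f"{object_guid}._msdcs.{realm}"), "CNAME", dc)]


def parse_host_output(text: str) -> List[str]:
    """Pull answers out of `host -t A|CNAME` output; an NXDOMAIN reply yields []."""
    answers = []
    for line in text.splitlines():
        if " has address " in line or " is an alias for " in line:
            answers.append(line.rsplit(" ", 1)[1])
    return answers


def host_lookup(name: str, rtype: str) -> List[str]:
    """Resolve with the `host` tool used in the report (needs `host` installed)."""
    proc = subprocess.run(["host", "-t", rtype, name], capture_output=True, text=True)
    return parse_host_output(proc.stdout)


def check_dc_dns(dc_hostname: str, realm: str, object_guid: str,
                 lookup: Callable[[str, str], List[str]] = host_lookup) -> Dict[str, str]:
    """Map each expected record to 'ok', 'missing' or 'wrong target'.
    `lookup` is injectable so the logic can be exercised without a resolver."""
    results: Dict[str, str] = {}
    for name, rtype, target in expected_records(dc_hostname, realm, object_guid):
        answers = lookup(name, rtype)
        if not answers:
            results[name] = "missing"
        elif target and _fqdn(answers[0]) != target:
            results[name] = "wrong target"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # Constructed sample values: new DC "dc2" in samdom.example.com with a made-up objectGUID.
    res = check_dc_dns("dc2", "samdom.example.com", "11111111-2222-3333-4444-555555555555")
    print(res)
    raise SystemExit(0 if all(v == "ok" for v in res.values()) else 1)
```

Run it on the newly joined DC right after `samba-tool domain join`; a non-zero exit tells you which of the two records still has to be added by hand per the wiki page linked above.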
Comment 2 Remsnet LTD Support 2014-12-25 21:27:39 UTC
This bug LOOKS critical and should be fixed ASAP within 4.1 and up.
Comment 3 Andrew Bartlett 2015-09-18 20:13:26 UTC
Is this just a case that the DNS updates are made to the local DC (that just joined) as because they are not (at that point) known to the rest of the domain, and are critical to replication, they are not replicated to the rest of the system?
Comment 4 Marc Muehlfeld 2016-02-21 17:43:54 UTC
(In reply to Andrew Bartlett from comment #3)

The two missing DNS records aren't in the local database of the newly joined DC, nor in the existing AD.