Bug 13590 - Demote deletes root records if deleted DC shares root IP
Summary: Demote deletes root records if deleted DC shares root IP
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.8.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-22 05:45 UTC by Aaron Haslett
Modified: 2018-08-22 05:45 UTC

See Also:

Description Aaron Haslett 2018-08-22 05:45:59 UTC
Reproduce by doing the following:
* Provision a root DC and start it
* Join two DCs with "samba-tool domain join" using the --targetdir option
* Run "host" command with the domain name passed to the provision command
* Demote one of them with samba-tool domain demote --remove-other-dead-server
* Run "host" command again with the same domain name

First host command will return the name resolution as expected.
Second host command will return nothing but will exit with code 0. If you use 'dig' you'll see there is a response with an authority section but no answer. Looking at LDAP it seems the demote process causes root records to be tombstoned (deleted, basically). This happens because the remove_dns_references function assumes that each DC will have its own IP, so it removes all records with references to the IP of the DC being demoted.

For now I'm working around this problem by adding an option for the "join --targetdir" workflow allowing the user to override the IP of the new DC.  This shouldn't come up in the field since no one creates a second DC on the same machine as the root (or if they do they use VMs).
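The following is an added illustration of the failure mode described in the report, not Samba's own code: a constructed zone where the root DC and a joined DC share an IP, a removal routine that filters on IP alone (the behaviour attributed to remove_dns_references above), and a hostname-aware variant that only removes records owned by or pointing at the demoted DC. Hostnames, IPs and record layout are all assumed sample data.

```python
# Added example (not Samba's code): models DNS cleanup on demote when two DCs
# share one IP. Record names, IPs and the zone contents below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    name: str   # owner name, e.g. "example.com" (zone apex) or "dc2.example.com"
    rtype: str  # "A", "SRV", "NS", "CNAME"
    data: str   # IP address for A records; target hostname for SRV/NS/CNAME


# Constructed sample zone: dc1 is the root DC, dc2 was joined with --targetdir
# on the same machine (same IP), dc3 lives on its own host.
SAMPLE_ZONE = [
    DnsRecord("example.com", "A", "10.0.0.5"),            # apex record, shared IP
    DnsRecord("dc1.example.com", "A", "10.0.0.5"),
    DnsRecord("dc2.example.com", "A", "10.0.0.5"),        # same IP as root DC
    DnsRecord("dc3.example.com", "A", "10.0.0.6"),
    DnsRecord("_ldap._tcp.example.com", "SRV", "dc1.example.com"),
    DnsRecord("_ldap._tcp.example.com", "SRV", "dc2.example.com"),
    DnsRecord("_ldap._tcp.example.com", "SRV", "dc3.example.com"),
]


def remove_by_ip(zone, dc_ip):
    """Flawed cleanup: drop every A record whose address is the demoted DC's IP.

    When the root DC shares that IP, its apex and host records go too."""
    return [r for r in zone if not (r.rtype == "A" and r.data == dc_ip)]


def remove_by_host(zone, dc_name, dc_ip):
    """Hostname-aware cleanup: drop only the demoted DC's own A record and any
    record whose target is the demoted DC's hostname."""
    kept = []
    for r in zone:
        owned_a = r.rtype == "A" and r.name == dc_name and r.data == dc_ip
        points_at = r.rtype in ("SRV", "NS", "CNAME") and r.data == dc_name
        if not (owned_a or points_at):
            kept.append(r)
    return kept


def zone_apex_resolvable(zone, domain):
    """Mirrors the 'host <domain>' check in the report: does the apex still
    have an A record?"""
    return any(r.name == domain and r.rtype == "A" for r in zone)
```

Running remove_by_ip with the shared address leaves the apex unresolvable, which is the empty 'host' result the report describes; remove_by_host removes exactly the two records tied to dc2.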