samba4 dns delegation of _msdcs


samba4 dns delegation of _msdcs

Samba - General mailing list
Hello samba,

I got the following situation:
there is the test domain 'test.d' built on samba 4.6 on freebsd 11

I am connecting MS project server 2013 to it.
When I try to sync pool resources from project server web app, it gives me
an error.
Wireshark shows that the ldap search request with object SID and null
baseDN inside was sent to domain controller to port 389 of ldap, it is
defined as incorrect.

I built test domain with native MS AD instead of samba4 and repeated all
actions.
Wireshark shows that the same request goes to the ldap port 3268 (gc) and
got correct answer from domain controller.

I think the cause of it is the difference between MS AD DNS structure and
Samba4 AD DNS structure.
The difference is: the MS AD DNS contains the glue record for _msdcs.test.d
inside the test.d, whilst Samba4 DNS does not.
In other words, there are no delegation records of _msdcs.test.d in test.d,
therefore client machine cannot get all SRV records and then sends ldap
request to wrong port.

the glue record from MS AD DNS:
;  Delegated sub-zone:  _msdcs.test.d.
;
_msdcs                  NS    dc.test.d.
;  End delegation

I tried adding this record with samba-tool but got the error:

10:56:52 {root@fread}-# samba-tool dns add 127.0.0.1 test.d _msdcs NS
Password for [TEST\uzer]:
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/dns.py", line
1098, in run
    raise e

My questions are:
1 - do you think my suspicions are correct?
2 - if so, how to add glue record for _msdcs.test.d in test.d ?
3 - if not, what should I do to solve this problem?

Thanks in advance.
__________________________
Regards,
Maks Melnikov
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: samba4 dns delegation of _msdcs

Samba - General mailing list
Hi,

I believe glue records are standard A records. Then you add an NS record to the
zone.

Here I have no Samba/AD to test but I do have some MS/AD. "dig -t NS
_msdcs.ms-ad.domain.tld"  gives me the whole list of DC (at least it seems
to be the whole list).

What could be interesting is wireshark on domain port when doing your
tests, to see what DNS request gives global catalog servers instead of
standard LDAP servers. If your supposition is correct (and if I
understood correctly too :) this request should appear in both test cases
and a reply should be sent back only against MS/AD, not when asking to
Samba/AD.

Cheers,

mathias

2017-07-12 10:45 GMT+02:00 maksemuz via samba <[hidden email]>:
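Added example, not code from the thread or from Samba: a small Python check that runs the tests mathias suggests (NS delegation of _msdcs.<domain> with its glue) together with the global-catalog SRV lookup a client performs, against a pluggable lookup function. The answer tables are constructed; SAMBA_AD models the poster's hypothesis of a missing delegation, not measured Samba behaviour, and a real resolver (dnspython, for instance) can be passed as `lookup` instead.

```python
"""Diagnostic for the _msdcs question in this thread: is _msdcs.<domain>
delegated (NS + glue) and does a global-catalog SRV record exist?
lookup(name, rtype) returns the answer strings, [] when nothing exists."""
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]
# SRV name a domain member queries to locate global catalog servers.
GC_SRV = "_ldap._tcp.gc._msdcs.{domain}"


def parse_srv(rdata: str) -> Tuple[int, int, int, str]:
    """Parse 'priority weight port target' as dig prints an SRV answer."""
    prio, weight, port, target = rdata.split()
    return int(prio), int(weight), int(port), target.rstrip(".")


def check_msdcs(domain: str, lookup: Lookup) -> Dict[str, object]:
    """Same check as 'dig -t NS _msdcs.<domain>' plus the GC SRV lookup."""
    ns = [n.rstrip(".") for n in lookup(f"_msdcs.{domain}", "NS")]
    # Glue: every delegated name server needs an A record, otherwise the
    # delegation points at a name nobody can resolve.
    glue_ok = bool(ns) and all(lookup(n, "A") for n in ns)
    gc = [parse_srv(r) for r in lookup(GC_SRV.format(domain=domain), "SRV")]
    return {
        "delegated": bool(ns),
        "glue_ok": glue_ok,
        "gc_servers": [t for _, _, _, t in gc],
        "gc_ports": sorted({p for _, _, p, _ in gc}),
        # No GC SRV record leaves the client only the plain LDAP port,
        # which is the port-389 symptom described in the thread.
        "falls_back_to_389": not gc,
    }


def dict_lookup(table: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Lookup over a constructed answer table, so the check runs offline."""
    return lambda name, rtype: list(table.get((name.lower(), rtype.upper()), []))


# Constructed samples (not captured data): MS_AD carries the delegation shown
# in the thread; SAMBA_AD models the poster's hypothesis of a missing one.
MS_AD = dict_lookup({
    ("_msdcs.test.d", "NS"): ["dc.test.d."],
    ("dc.test.d", "A"): ["192.0.2.10"],
    ("_ldap._tcp.gc._msdcs.test.d", "SRV"): ["0 100 3268 dc.test.d."],
})
SAMBA_AD = dict_lookup({
    ("dc.test.d", "A"): ["192.0.2.10"],
})
```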

Re: samba4 dns delegation of _msdcs

Samba - General mailing list
Hi,
I compared DNS requests and results in both Samba/AD and MS/AD.
In Samba/AD requests were monitored with tcpdump on Samba DC.
In MS/AD it was Wireshark.
Request results were checked with 'ipconfig /displaydns' command on client
machine (Windows).
There are some differences: in Samba/AD client never req

2017-07-19 17:09 GMT+03:00 mathias dufresne <[hidden email]>: