Problem:UCS@school: DNS Lookup Fails on Primary Node

Knowledge Base Community
, , , ,
1

Problem Description

In a UCS@school environment, the synchronization behavior between Samba domain controllers (DCs) differs fundamentally from that of a standard Samba setup. In particular, no DRS replication takes place between the Samba databases. Instead, synchronization is handled via the UCS LDAP and the S4 Connector.

As a result, DNS zone objects created on a school replica DC are not automatically present in the Samba database of the Primary Node. Consequently, DNS lookups (e.g., via nslookup) from the Primary Node may fail with NXDOMAIN errors.

Background Information

The synchronization mode between UCS LDAP and the Samba 4 LDAP is controlled via the UCR variable connector/s4/mapping/dc/syncmode. Supported values are:

  • read: Changes in the Samba 4 LDAP are synchronized into UCS LDAP only.
  • write: Changes in the UCS LDAP are synchronized into Samba 4 LDAP only.
  • sync: Bidirectional synchronization of changes between both directories.

If the variable is not explicitly set, the value of connector/s4/mapping/syncmode is used. By default, this is unset. The variable type is String and the category is service-s4con.

In standard environments, the S4 Connector handles bidirectional replication and DRS ensures consistency between Samba DCs. However, in UCS@school environments, there is no DRS connection between the Samba databases on the school replica and the Primary Node. Instead, changes are transferred from the UCS LDAP on the Primary Node to the school replica’s LDAP, and then into its local Samba database.

Because of this architecture, DNS zone objects created on the school replica do not propagate to the Primary Node, even though the Samba DNS backend (dns/backend=samba4) expects those objects to be present. If they are missing, DNS queries fail on the Primary Node with NXDOMAIN.

Recommended Approach vs Workaround

The recommended and supported method in UCS@school is to ensure all necessary objects are properly created and maintained in LDAP. This guarantees full consistency and supportability.

However, in specific scenarios where that approach is too complex or time-consuming, a manual workaround can be implemented.

Workaround Overview

The goal is to manually extract DNS zone objects from the Samba database on the school replica and import them into the Samba database on the Primary Node, thereby enabling correct DNS resolution.

Two shell scripts are used to:

  1. Export and sanitize the zone objects from the school replica (get_zones.sh)
  2. Import them into the Primary Node (import_zones.sh)

Step 1: Export Zone Objects from the School Replica

Run the following script (get_zones.sh) on the affected school replica DC:
get_zones.sh (526 Bytes)

#!/bin/bash

# Paths and filenames
SAMDB_PATH="/var/lib/samba/private/sam.ldb"
OUTPUT_LDIF="cleaned_output.ldif"
TEMP_LDIF="raw_output.ldif"

# Query Samba database and save output
ldbsearch -H "$SAMDB_PATH" --cross-ncs "dc=ws*" > "$TEMP_LDIF"

# Remove attributes that would conflict on import
grep -vE '^(objectGUID|whenCreated|uSNCreated|whenChanged|uSNChanged):' "$TEMP_LDIF" > "$OUTPUT_LDIF"

# Optional: clean up temporary file
rm -f "$TEMP_LDIF"

echo "Cleaned LDIF file created: $OUTPUT_LDIF"

:pushpin: Note: This script searches for objects whose DN begins with dc=ws* and strips out attributes that must be regenerated during import.

Copy the resulting cleaned_output.ldif file to the Primary Node (e.g., via scp).

Step 2: Import the LDIF File on the Primary Node

On the Primary Node, run the following script (import_zones.sh):
ldif_importer.sh (1.2 KB)

#!/bin/bash

# Enable path autocompletion
read -e -p "Enter path to LDIF file: " LDIF_PATH

# Check if file exists
if [[ ! -f "$LDIF_PATH" ]]; then
    echo "File not found: $LDIF_PATH"
    exit 1
fi

# Temporary working directory
TMP_DIR=$(mktemp -d)
LDIF_TMP="$TMP_DIR/filtered.ldif"

# Samba DB path (adjust if needed)
SAMBA_DB_PATH="/var/lib/samba/private/sam.ldb"

# Extract and process each DN
grep -E '^dn:' "$LDIF_PATH" | while read -r LINE; do
    DN=$(echo "$LINE" | cut -d':' -f2- | sed 's/^ *//')

    # Check if object already exists
    if ldbsearch -H "$SAMBA_DB_PATH" -b "$DN" dn > /dev/null 2>&1; then
        echo "Object already exists: $DN"
    else
        # Extract full block for this DN
        awk -v dn="$DN" '
            BEGIN { found=0 }
            /^dn:/ {
                if (found) exit;
                if ($0 ~ dn) found=1;
            }
            { if (found) print }
        ' "$LDIF_PATH" > "$LDIF_TMP"

        # Import block
        if ldbadd -H "$SAMBA_DB_PATH" "$LDIF_TMP" > /dev/null 2>&1; then
            echo "Successfully imported DN: $DN"
        else
            echo "Error importing DN: $DN"
        fi
    fi
done

# Clean up
rm -rf "$TMP_DIR"

:white_check_mark: This script ensures that only non-existent entries are imported, preventing duplicate objects and import errors.

Example Output: Before vs After

Before Import:

root@master:~/univention-support# nslookup ws2000
Server:         10.0.0.10
Address:        10.0.0.10#53

** server can't find ws2000: NXDOMAIN

After Import:

root@master:~/univention-support# nslookup ws2000
Server:         10.0.0.10
Address:        10.0.0.10#53

Name:   ws2000.schools.univention.intranet
Address: 10.200.x.x

Zone Object on Primary Node in the Samba DB

root@master:~/univention-support# ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs DC=ws2000
# record 1
dn: DC=ws2000,DC=schulen-univention.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schulen-univention,DC=intranet
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20250530233229.0Z
uSNCreated: 593991
showInAdvancedViewOnly: TRUE
name: ws2000
objectGUID: 21f011dc-fcf9-4994-8af5-680d1376911a
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=schulen-univention,DC=intranet
dNSTombstoned: FALSE
dc: ws2000
dnsRecord:: BAABAAXwAAABAAAAAAADhAAAAAAAAAAACgV4xQ==
whenChanged: 20250530233258.0Z
uSNChanged: 594040
distinguishedName: DC=ws2000,DC=schulen-univention.intranet,CN=MicrosoftDNS,DC=DomainDns
 Zones,DC=schulen-univention,DC=intranet

Important Notes

  • This method is considered a manual workaround and is not officially supported. Use only if LDAP-based object management is infeasible.
  • Make sure the UCR variable dns/backend is set to samba4.
  • Always document and review manual changes regularly to avoid inconsistencies.
  • Changes introduced this way will not replicate automatically to other DCs.

Conclusion

This workaround allows for manual transfer of missing DNS zone objects in UCS@school environments by exporting them from a school replica and importing them into the Primary Node. While this solves immediate DNS resolution issues, the preferred long-term solution remains proper LDAP object management through supported tools and mechanisms.