[Samba] DNS replication issue
Ilias Chasapakis forumZFD
chasapakis at forumZFD.de
Wed Dec 18 16:08:39 UTC 2019
Hi Rowland,
Thanks for the tip. We modified the configuration files as suggested,
without result.
On the working machines we actually have a
/var/lib/samba/bind-dns/dns.keytab but not on the failing one.
On the working one, /etc/bind/named.conf.options references
/var/lib/samba/private/dns.keytab.
We also obtain the following error when issuing systemctl status sernet-samba-ad:
Dec 18 23:03:24 addc-new samba[494]: /usr/sbin/samba_kcc: RuntimeError: (12, 'Allocation Error')
Kind regards.
Ilias
root at addc-new:/var/lib/samba# systemctl status sernet-samba-ad
● sernet-samba-ad.service - LSB: initscript for the SAMBA AD services
Loaded: loaded (/etc/init.d/sernet-samba-ad; generated)
Active: active (running) since Wed 2019-12-18 22:38:07 +07; 26min ago
Docs: man:systemd-sysv-generator(8)
Process: 428 ExecStart=/etc/init.d/sernet-samba-ad start (code=exited, status=0/SUCCESS)
Tasks: 23 (limit: 4701)
Memory: 179.8M
CGroup: /system.slice/sernet-samba-ad.service
├─470 /usr/sbin/samba -D
├─480 /usr/sbin/samba -D
├─481 /usr/sbin/samba -D
├─482 /usr/sbin/samba -D
├─483 /usr/sbin/samba -D
├─484 /usr/sbin/samba -D
├─485 /usr/sbin/samba -D
├─486 /usr/sbin/samba -D
├─487 /usr/sbin/samba -D
├─488 /usr/sbin/samba -D
├─489 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─490 /usr/sbin/samba -D
├─491 /usr/sbin/samba -D
├─492 /usr/sbin/samba -D
├─493 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─494 /usr/sbin/samba -D
├─495 /usr/sbin/samba -D
├─503 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─504 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─505 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─506 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
├─507 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
└─508 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.304371, 0] ../../lib/util/util_runcmd.c:327(
Dec 18 23:03:24 addc-new samba[494]: /usr/sbin/samba_kcc: self.schedule = ndr_unpack(drsblobs.sch
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.304607, 0] ../../lib/util/util_runcmd.c:327(
Dec 18 23:03:24 addc-new samba[494]: /usr/sbin/samba_kcc: File "/usr/lib/python2.7/dist-packages/sa
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.304841, 0] ../../lib/util/util_runcmd.c:327(
Dec 18 23:03:24 addc-new samba[494]: /usr/sbin/samba_kcc: ndr_unpack(data, allow_remaining=allow_
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.305101, 0] ../../lib/util/util_runcmd.c:327(
Dec 18 23:03:24 addc-new samba[494]: /usr/sbin/samba_kcc: RuntimeError: (12, 'Allocation Error')
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.316847, 0] ../../source4/dsdb/kcc/kcc_period
Dec 18 23:03:24 addc-new samba[494]: ../../source4/dsdb/kcc/kcc_periodic.c:768: Failed samba_kcc - NT
On 18.12.19 15:31, Rowland penny via samba wrote:
> On 18/12/2019 14:07, Ilias Chasapakis forumZFD via samba wrote:
>> Hi Rowland,
>>
>> Thank you for replying. Please find the output here below. Just a
>> possible tip:
>>
>> _kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.
>>
>> output is present on the new machine but if we issue a host -t SRV
>> _kerberos._tcp.example.com on addc2 it does not appear in the list.
>>
>> Kind regards.
>>
>> Collected config --- 2019-12-18-20:30 -----------
>>
>> Hostname: addc-new
>> DNS Domain: example.com
>> FQDN: addc-new.example.com
>> ipaddress: 192.168.20.22 10.0.103.13
>>
>> -----------
>>
>> Kerberos SRV _kerberos._tcp.example.com record verified ok, sample
>> output:
>> Server: 192.168.20.22
>> Address: 192.168.20.22#53
>>
>> _kerberos._tcp.example.com service = 0 100 88 addc-sub1.example.com.
>> _kerberos._tcp.example.com service = 0 100 88 addc2.example.com.
>> _kerberos._tcp.example.com service = 0 100 88 addc3.example.com.
>> _kerberos._tcp.example.com service = 0 100 88 addc-sub2.example.com.
>> _kerberos._tcp.example.com service = 0 100 88 addc-sub3.example.com.
>> _kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.
>> Samba is running as an AD DC
>>
>> -----------
>> Checking file: /etc/os-release
>>
>> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
>> NAME="Debian GNU/Linux"
>> VERSION_ID="10"
>> VERSION="10 (buster)"
>> VERSION_CODENAME=buster
>> ID=debian
>> HOME_URL="https://www.debian.org/"
>> SUPPORT_URL="https://www.debian.org/support"
>> BUG_REPORT_URL="https://bugs.debian.org/"
>>
>> -----------
>>
>>
>> This computer is running Debian 10.2 x86_64
>>
>> -----------
>> running command : ip a
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
>> group default qlen 1000
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>> inet 127.0.0.1/8 scope host lo
>> inet6 ::1/128 scope host
>> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP group default qlen 1000
>> link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff
>> inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3
>> inet6 fe80::5054:ff:fe86:8aba/64 scope link
>> 3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP group default qlen 1000
>> link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff
>> inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10
>> inet6 fe80::5054:ff:fe43:10d2/64 scope link
>>
>> -----------
>> Checking file: /etc/hosts
>>
>> 127.0.0.1 localhost
>> 192.168.20.22 addc-new.example.com addc-new
>> #list of heartbeat network hosts
>> #
>> 10.0.103.11 ctdb1.heartbeat.example ctdb1
>> 10.0.103.21 ctdb2.heartbeat.example ctdb2
>> 10.0.103.13 ad1.heartbeat.example ad1
>> 10.0.103.42 jumpi.heartbeat.example jumpi
>> 10.0.103.12 gluster1.heartbeat.example gluster1
>> 10.0.103.22 gluster2.heartbeat.example gluster2
>> 10.0.103.23 ad2.heartbeat.example ad2
> I would remove all the heartbeat hosts from /etc/hosts; they shouldn't
> be there, and CTDB and AD DC are incompatible.
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> -----------
>>
>> Checking file: /etc/resolv.conf
>>
>> domain example.com
>> search example.com
>> nameserver 192.168.20.22
>>
>> -----------
>>
>> Checking file: /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = example.com
> The realm 'example.com' should be in uppercase 'EXAMPLE.COM'
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> -----------
>>
>> Checking file: /etc/nsswitch.conf
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> gshadow: files
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>> -----------
>>
>> Checking file: /etc/samba/smb.conf
>>
>> # Global parameters
>> [global]
>> netbios name = ADDC-new
>> realm = example.com
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = ZFD
>> wins support = yes
> 'wins support' on an AD DC ????
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/example.com/scripts
>> read only = yes
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = yes
>>
>> -----------
>>
>> Detected bind DLZ enabled..
>> Checking file: /etc/bind/named.conf
>>
>> // This is the primary configuration file for the BIND DNS server named.
>> //
>> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>> // structure of BIND configuration files in Debian, *BEFORE* you customize
>> // this configuration file.
>> //
>> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> -----------
>>
>> Checking file: /etc/bind/named.conf.options
>>
>> options {
>> directory "/var/cache/bind";
>>
>> // If there is a firewall between you and nameservers you want
>> // to talk to, you may need to fix the firewall to allow multiple
>> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>>
>> // If your ISP provided one or more IP addresses for stable
>> // nameservers, you probably want to use them as forwarders.
>> // Uncomment the following block, and insert the addresses replacing
>> // the all-0's placeholder.
>>
>> forwarders {
>> 192.168.20.1;
>> };
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>
>> //========================================================================
>> // If BIND logs error messages about the root key being expired,
>> // you will need to update your keys. See https://www.isc.org/bind-keys
>>
>> //========================================================================
>> dnssec-validation no;
>> dnssec-enable no;
>> dnssec-lookaside no;
>>
>> auth-nxdomain no; # conform to RFC1035
>>
>> allow-recursion { any; };
>> allow-query { any; };
>> allow-query-cache { any; };
>>
>>
>> listen-on-v6 { any; };
>> };
>
> I would add these to named.conf.options:
>
> notify no;
> empty-zones-enable no;
> allow-transfer { none; };
> listen-on port 53 { any; };
>
> Also, I think you will find the dns.keytab here:
>
> /var/lib/samba/bind-dns/dns.keytab
>
> Rowland
--
forumZFD
Committed to Peace
Ilias Chasapakis
IT Systems Administrator
Forum Ziviler Friedensdienst e.V. | Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany
Tel 0221 91273233 | Fax 0221 91273299 |
http://www.forumZFD.de
Executive Board (under § 26 BGB, each member authorised to represent the association alone):
Oliver Knabe (Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
Register no. VR 17651, Amtsgericht Köln (Cologne Local Court)
Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
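As an added example (not from the thread, and not Samba project code), the following POSIX shell script checks the configuration points raised in the exchange above on the failing DC: whether the keytab named by tkey-gssapi-keytab in named.conf.options actually exists (the thread shows it under /var/lib/samba/bind-dns/ while the options file still names /var/lib/samba/private/), whether the realm in smb.conf and krb5.conf is upper case, whether "wins support" is still enabled, and whether heartbeat hosts remain in /etc/hosts. The helper names, the temporary directory and the sample files are assumptions constructed for the example to mimic the quoted configuration; to use it on a real host, call the check functions with the real file paths instead.

```shell
#!/bin/sh
# Added example, not part of the thread: read-only checks for the points
# Rowland raised (keytab path in named.conf.options, realm case, 'wins support'
# on a DC, stray heartbeat hosts). Helper names and sample files are constructed.

# Print the value of "KEY = value" from an smb.conf / krb5.conf style file.
ini_value() {  # ini_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1
}

# 0 if KEY's value is all upper case (a Kerberos realm must be), 1 if not, 2 if absent.
realm_is_upper() {  # realm_is_upper FILE KEY
    val=$(ini_value "$1" "$2")
    [ -n "$val" ] || return 2
    [ "$val" = "$(printf '%s' "$val" | tr '[:lower:]' '[:upper:]')" ]
}

# Print the keytab path BIND is told to use for GSS-TSIG dynamic updates.
bind_keytab_path() {  # bind_keytab_path NAMED_OPTIONS
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 if that keytab exists. In the thread it lives under bind-dns/ while the
# options file still points at private/, so BIND cannot authenticate updates.
bind_keytab_ok() {  # bind_keytab_ok NAMED_OPTIONS
    kt=$(bind_keytab_path "$1")
    [ -n "$kt" ] && [ -f "$kt" ]
}

# 0 unless "wins support = yes" is set, which has no place on an AD DC.
wins_support_off() {  # wins_support_off SMB_CONF
    [ "$(ini_value "$1" 'wins support' | tr '[:upper:]' '[:lower:]')" != "yes" ]
}

# Count non-comment /etc/hosts lines naming a host under SUFFIX.
hosts_under_suffix() {  # hosts_under_suffix HOSTS_FILE SUFFIX
    grep -v '^[[:space:]]*#' "$1" | grep -cE "[[:space:]][^[:space:]]*\.$2([[:space:]]|\$)" || true
}

# Constructed sample files mirroring the configuration quoted in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/bind-dns" "$tmp/private"
: > "$tmp/bind-dns/dns.keytab"   # placeholder: keytab exists only here, as on the working DCs

cat > "$tmp/smb.conf" <<'EOF'
[global]
        netbios name = ADDC-new
        realm = example.com
        server role = active directory domain controller
        workgroup = ZFD
        wins support = yes
EOF
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = example.com
        dns_lookup_kdc = true
EOF
cat > "$tmp/hosts" <<'EOF'
127.0.0.1 localhost
192.168.20.22 addc-new.example.com addc-new
#list of heartbeat network hosts
10.0.103.11 ctdb1.heartbeat.example ctdb1
10.0.103.13 ad1.heartbeat.example ad1
EOF
# As quoted: the options file still references private/dns.keytab.
cat > "$tmp/named.conf.options.old" <<EOF
options {
        tkey-gssapi-keytab "$tmp/private/dns.keytab";
};
EOF
# Corrected: point at the bind-dns keytab and add the options Rowland suggested.
cat > "$tmp/named.conf.options.new" <<EOF
options {
        tkey-gssapi-keytab "$tmp/bind-dns/dns.keytab";
        notify no;
        empty-zones-enable no;
        allow-transfer { none; };
        listen-on port 53 { any; };
};
EOF

report() {  # report LABEL CHECK ARGS...
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FIX  $label"; fi
}
report "smb.conf realm is upper case"            realm_is_upper "$tmp/smb.conf" realm
report "krb5.conf default_realm is upper case"   realm_is_upper "$tmp/krb5.conf" default_realm
report "wins support disabled"                   wins_support_off "$tmp/smb.conf"
report "keytab in old named.conf.options exists" bind_keytab_ok "$tmp/named.conf.options.old"
report "keytab in new named.conf.options exists" bind_keytab_ok "$tmp/named.conf.options.new"
echo "heartbeat hosts in /etc/hosts: $(hosts_under_suffix "$tmp/hosts" heartbeat.example)"
```

On the constructed input the first four checks report FIX and only the corrected options file passes, which is the state the thread describes; the functions only read files, so they are safe to run on a live DC before touching anything.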