[Samba] Problems with Samba as an AD and named

compeilermail-openbc at yahoo.de compeilermail-openbc at yahoo.de
Fri Sep 15 15:07:53 UTC 2023


Hi Rowland,
I am administrating Solaris and AIX machines, but I do not understand much about Samba and Active Directory servers. So perhaps something is wrong.
This Samba DC is just because of my kids: in times of corona each one received their own PC, and so with the parents' ones and the laptops we now have about 8 PCs. And I was tired of changing passwords on different systems. So I installed the free version of Zentyal, because I did not want to make all the Samba configuration from scratch with my little knowledge of Samba and AD... So, until yesterday all ran fine; just a reboot and perhaps the updates broke the running system. Now the children want to play, but as the Samba is the nameserver they can't connect to the internet without reconfiguration. So I have the urge to repair it, as also the mother is on their side... :-(
I do not think that the named error is a real error. I found some indications on the web showing that it is a warning and not indicating that it has problems with root, and with the -u bind option it should start as user bind (who exists and works). Nevertheless I will look into this also, thanks. I think the problem is the "_msdcs.compeiler.windows"; I do not know if it needed that before. It's the first time I have had this. In the named there is just compeiler.windows. But it can be that this is part of the AD thing...
I changed the /etc/hosts according to your advice to:

127.0.0.1       localhost.localdomain localhost
192.168.178.205 bombadil.compeiler.windows bombadil

but the previous content was not made by me. This seems to be the default of the Zentyal thing. Nothing was changed here before.
The resolv.conf was changed by me and I did not notice to change it back before I sent my questions. As DNS did not work I had put in the real DNS server of my network (which is configured as forwarder on the DC machine), so I could do package updates etc. Zentyal rewrites that file every reboot, so my changes are not permanent. It is normally "nameserver 127.0.1.1".

I also did not actively configure the /etc/krb5.conf. So if you advise to do reverse lookups too I will set them to yes. But first it seems necessary to me that it is possible to start named again... what do you think? The same with 'server role check: inhibit = yes', which seems also to be done by the Zentyal application. I can change it if you think that would be better. I only hope that the Zentyal thing is not overwriting it on the next reboot. I do not need nmbd and don't think I want it to be started.
My suspicion is now: You said various times that the DNS zones I have should be in AD. Could it be that they really are in the AD? Then I installed something on that Linux that had dependencies on named, which installed and activated named. Then on the next reboot it wanted to start named and it did not start well, and as I read those things about samba_upgradedns and so on, some of this made it worse and copied my internal AD zones to named? Is that possible? If so, just stopping the named would be fine for me. I just do not know what to put in the resolv.conf then to ask the AD? Or can I still put my firewall, which is the real DNS server, in the resolv.conf without having problems with AD?
Thank you, so long...
Matthias

    On Friday, 15 September 2023 at 16:22:56 CEST, Rowland Penny via samba <samba at lists.samba.org> wrote:
 
 
#####  Please see inline comments  #####

Note, my first inclination was to send you to zentyal, they are
probably responsible for all the mistakes.


On Fri, 15 Sep 2023 13:30:43 +0000 (UTC)
compeilermail-openbc--- via samba <samba at lists.samba.org> wrote:

> Hi,
> I have Zentyal as an AD Server installed on an Ubuntu 20.04.6
> System. All fine. It acts as a PDC.

I certainly hope it doesn't act as a PDC, that is something else
entirely, I think you mean that it is an AD DC that holds all the FSMO
roles. All AD DCs are equal, except some hold FSMO roles.

> (in the past there was another,
> which broke and was not replaced and the server is demoted and
> removed). I have now problems with starting bind. I am unsure what led
> to that situation. But named does not want to start:
> ---------------------
> 
> Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
> Sep 15 15:17:01 bombadil named[1936]: generating session key for dynamic DNS
> Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
> Sep 15 15:17:01 bombadil named[1936]: sizing zone task pool based on 24 zones
> Sep 15 15:17:01 bombadil named[1936]: Loading 'AD DNS Zone' using driver dlopen
> Sep 15 15:17:01 bombadil CRON[1987]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
> Sep 15 15:17:01 bombadil named[1936]: samba_dlz: started for DN DC=compeiler,DC=windows
> Sep 15 15:17:01 bombadil named[1936]: samba_dlz: starting configure
> Sep 15 15:17:01 bombadil named[1936]: samba_dlz: configured writeable zone 'compeiler.windows'
> Sep 15 15:17:01 bombadil named[1936]: zone _msdcs.compeiler.windows/NONE: has no NS records
> Sep 15 15:17:01 bombadil named[1936]: samba_dlz: Failed to configure zone '_msdcs.compeiler.windows'
> Sep 15 15:17:01 bombadil named[1936]: loading configuration: bad zone
> Sep 15 15:17:01 bombadil named[1936]: exiting (due to fatal error)

You appear to have serious problems, you do not seem to be able to
become root and your forward zones do not seem to have the required
records.

> 
> ---------------------
> A few days ago it still worked. I did updates on zentyal and on Linux.
> But I cannot distinguish if one of them caused that situation or not.
> I also tried the following to "repair" the samba installation:
> samba_upgradedns --dns-backend=BIND9_DLZ but this did not change
> anything. I read many things but until now I am unable to start named
> and so the AD Clients can't check - my children are worse than
> clients at work. So I hope someone could help fast ;-)

You could try upgrading to the internal dns server and then upgrade to
bind again.

> 
> Here is the output of all relevant files from
> samba-collect-debug-info.sh from github. If some information is
> missing - I will add it... Thank you... Matthias
> 
> Config collected --- 2023-09-15-14:06 -----------
> 
> Hostname:   bombadil
> DNS Domain: compeiler.windows
> Realm:      COMPEILER.WINDOWS
> FQDN:       bombadil.compeiler.windows
> ipaddress:  192.168.178.205
> 
> -----------
> 
> This computer is running Ubuntu 20.04.6 LTS x86_64
> 
> -----------
> 
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet 127.0.1.1/8 scope host secondary lo
> 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
>     link/ether 5c:26:0a:58:c9:92 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.178.205/24 brd 192.168.178.255 scope global eno1
> 3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>     link/ether a0:88:b4:35:1a:98 brd ff:ff:ff:ff:ff:ff
> 
> -----------
> 
> Checking file: /etc/hosts
> 
> 127.0.0.1       localhost.localdomain localhost
> 127.0.1.1       bombadil.compeiler.windows bombadil

This is a DC, so it should be '192.168.178.205' not '127.0.1.1'

> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
> Checking file: /etc/resolv.conf
> 
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # and managed by Zentyal.
> #
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> #
> nameserver 127.0.0.1
> nameserver 192.168.178.1

Absolutely, totally wrong, it should be:

search compeiler.windows
nameserver 192.168.178.205 

> 
> -----------
> 
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records

This is possibly because /etc/hosts and /etc/resolv.conf are wrong.

> 
> -----------
> 
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
> 
> -----------
> 
> Samba is running as an AD DC
> 
> -----------
> 
> Checking file: /etc/krb5.conf
> 
> [libdefaults]
>     default_realm = COMPEILER.WINDOWS
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>     rdns = no

Why not do reverse zone lookups ?

> 
> -----------
> 
> Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> # pre_auth-client-config # passwd:         files systemd
> passwd: compat winbind
> # pre_auth-client-config # group:          files systemd
> group: compat winbind
> # pre_auth-client-config # shadow:         files
> shadow: compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> # pre_auth-client-config # netgroup:       nis
> netgroup: nis
> 
> -----------
> 
> Checking file: /etc/samba/smb.conf
> 
> [global]
>     workgroup = compeiler
>     realm = COMPEILER.WINDOWS
>     netbios name = bombadil
>     server string = Zentyal Server
>     server role = dc
>     server role check:inhibit = yes

Why is 'server role check: inhibit = yes' set ?
Are you really trying to run nmbd ?

>     server services = -dns
>     server signing = auto
>     dsdb:schema update allowed = yes

Do you update the schema that regularly, that you need 'dsdb:schema
update allowed = yes' set ?

>     ldap server require strong auth = no
>     drs:max object sync = 1200
> 
>     idmap_ldb:use rfc2307 = yes
> 
>     winbind enum users = yes
>     winbind enum groups = yes

The 'winbind enum' lines should only be set for testing purposes, they
can slow things down.

>     template shell = /usr/bin/bash
>     template homedir = /home/%U
> 
>     rpc server dynamic port range = 49152-65535

No need to set that, the ports listed are the defaults.

> 
>     interfaces = lo,eno1
>     bind interfaces only = yes
> 
>     map to guest = Bad User

'map to guest' on a DC ???????

> 
>     log level = 3
>     log file = /var/log/samba/samba.log
>     max log size = 100000
> 
> 
> 
>     include = /etc/samba/shares.conf

Samba does not recommend using a DC as a fileserver.

> 
> 
> 
> 
> [netlogon]
>     path = /var/lib/samba/sysvol/compeiler.windows/scripts
>     browseable = no
>     read only = yes
> 
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = no
> 
> -----------
> 
> This DC is being used as a fileserver
> 
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/keys";
> 
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> include "/etc/bind/named.conf.local";
> 
> -----------
> 
> Checking file: /etc/bind/named.conf.options
> 
> 
> options {
>         sortlist {
>                 192.168.178.0/24;
>         };
>     directory "/var/cache/bind";
> 
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you might need to uncomment the query-source
>     // directive below.  Previous versions of BIND always asked
>     // questions using port 53, but BIND 8.1 and later use an unprivileged
>     // port by default.
> 
>     //query-source address * port 53;
>     //transfer-source * port 53;
>     //notify-source * port 53;
> 
>     // DNSSEC configuration
>     dnssec-enable yes;
>     dnssec-validation yes;
> 
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         forward first;

Do not 'forward first' on a Samba AD DC, it is supposed to be
authoritative for your AD domain, it is anything outside the domain
that is supposed to be forwarded.

>         forwarders {
>                 192.168.178.1;
>         };
> 
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

That is the old path, it probably should
be: /var/lib/samba/bind-dns/dns/dns.keytab

> 
>     auth-nxdomain no;    # conform to RFC1035
> 
>     allow-query { any; };
>     allow-recursion { trusted; };
>     allow-query-cache { trusted; };
>     allow-transfer { internal-local-nets; };
> };
> 
> logging { category lame-servers { null; }; };
> 
> -----------
> 
> Checking file: /etc/bind/named.conf.local
> 
> // Generated by Zentyal
> 
> acl "trusted" {
>     localhost;
>     localnets;
> };
> 
> acl "internal-local-nets" {
>     192.168.178.0/24;
> };
> 
> dlz "AD DNS Zone" {
>     database
> "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; };
> 
> 
> 
> zone "178.168.192.in-addr.arpa" {
>     type master;
>     file "/var/lib/bind/db.178.168.192";
>     update-policy {
>         // The only allowed dynamic updates are PTR records
>         grant compeiler.windows. subdomain 178.168.192.in-addr.arpa. PTR TXT; // Grant from localhost
>         grant local-ddns zonesub any;
>     };
> };

That appears to be your reverse zone and shouldn't be in your bind conf
files, it is in AD

> 
> zone "10.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "16.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "17.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "18.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "19.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "20.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "21.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "22.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "23.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "24.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "25.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "26.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "27.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "28.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "29.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "30.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "31.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "168.192.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };

Why all the reverse zones ?
Do you actually use them ?
If you do, they shouldn't be here, they should be in AD.

> 
> -----------
> 
> Checking file: /etc/bind/named.conf.default-zones
> 
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/usr/share/dns/root.hints";
> };
> 
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> -----------
> 
> Samba DNS zone list check :
> 
> ERROR: AD DC zones found in the Bind flat-files
>        This is not allowed, you must remove them.
>        Conflicting zone name : compeiler.windows
>        File in question is : /etc/bind/named.conf.local:        grant compeiler.windows. subdomain 178.168.192.in-addr.arpa. PTR TXT;
>                              /etc/bind/keys:key "compeiler.windows" {
> 
> -----------
> 
> 
> ERROR: AD DC zones found in the Bind flat-files
>        This is not allowed, you must remove them.
>        Conflicting zone name : _msdcs.compeiler.windows
>        File in question is :
> 
> -----------

You need to fix your bind conf files.

> 
> 
> -----------
> 
> unknown 'include' file '/etc/bind/keys' in /etc/bind/named.conf
> -----------
> 
> 
> Time on the DC with PDC Emulator role is: 2023-09-15T14:23:20
> 
> 
> Time on this computer is:                 2023-09-15T14:23:21
> 
> 
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
> 
> -----------
> 
> Installed packages:
> ii  acl                       2.2.53-6                         amd64  access control list - utilities
> ii  attr                      1:2.4.48-5                       amd64  utilities for manipulating filesystem extended attributes
> ii  bind9                     1:9.16.1-0ubuntu2.15             amd64  Internet Domain Name Server
> ii  bind9-dnsutils            1:9.16.1-0ubuntu2.15             amd64  Clients provided with BIND 9
> ii  bind9-host                1:9.16.1-0ubuntu2.15             amd64  DNS Lookup Utility
> ii  bind9-libs:amd64          1:9.16.1-0ubuntu2.15             amd64  Shared Libraries used by BIND 9
> ii  bind9-utils               1:9.16.1-0ubuntu2.15             amd64  Utilities for BIND 9
> ii  krb5-config               2.6ubuntu1                       all    Configuration files for Kerberos Version 5
> ii  krb5-locales              1.17-6ubuntu4.3                  all    internationalization support for MIT Kerberos
> ii  libacl1:amd64             2.2.53-6                         amd64  access control list - shared library
> ii  libattr1:amd64            1:2.4.48-5                       amd64  extended attribute handling - shared library
> ii  libauthen-krb5-easy-perl  0.92-0                           amd64  Simple Kerberos 5 interaction
> ii  libgssapi-krb5-2:amd64    1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64  7.7.0+dfsg-1ubuntu1.4            amd64  Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64           1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64     1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64      2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba nameservice integration plugins
> ii  libpam-winbind:amd64      2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Windows domain authentication integration plugin
> ii  libwbclient0:amd64        2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba winbind client library
> ii  python3-attr              19.3.0-2                         all    Attributes without boilerplate (Python 3)
> ii  python3-nacl              1.3.0-5                          amd64  Python bindings to libsodium (Python 3)
> ii  python3-samba             2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Python 3 bindings for Samba
> ii  samba                     2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common              2:4.15.13+dfsg-0ubuntu0.20.04.5  all    common files used by both the Samba server and client
> ii  samba-common-bin          2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64  2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba Directory Services Database
> ii  samba-libs:amd64          2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba core libraries
> ii  samba-vfs-modules:amd64   2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba Virtual FileSystem plugins
> ii  winbind                   2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  service to resolve user and group information from Windows NT servers
> ii  zentyal-samba             7.1.0                            all    Zentyal - Domain Controller and File Sharing
> 
> 
> 

#####  Please see inline comments  #####

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
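As an added example (not from the thread, and not Samba's own samba-collect-debug-info.sh), the following POSIX shell script encodes the three name-resolution checks Rowland makes on this DC: /etc/hosts must map the DC's FQDN to its real address rather than 127.0.1.1, /etc/resolv.conf must point at the DC itself with the AD domain as search domain, and BIND's flat-file configuration must not declare the AD domain or a subdomain of it (such as _msdcs) as a zone, because samba_dlz serves those out of AD. The hostname, domain and address are the ones from the thread; the files it checks are constructed copies of the posted and corrected versions written to a temporary directory, and the function names are mine. It only inspects zone statements, which is narrower than the checker output above, which also flagged the grant line and the keys file for merely containing the domain name.

```shell
#!/bin/sh
# Added example, not part of the thread: sanity checks for the three
# name-resolution problems Rowland points out on this DC. Hostname, domain
# and address are the ones from the thread; the sample files are constructed
# here so the checks run offline against "as posted" and "corrected" copies.

DC_HOST="bombadil"
DC_DOMAIN="compeiler.windows"
DC_IP="192.168.178.205"

# check_hosts FILE: succeed only if the DC's FQDN maps to DC_IP in FILE
# (a 127.0.1.1 alias makes the DC advertise a loopback address to AD).
check_hosts() {
    fqdn="$DC_HOST.$DC_DOMAIN"
    addr=$(awk -v h="$fqdn" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$1" | head -n 1)
    [ "$addr" = "$DC_IP" ]
}

# check_resolv FILE: succeed only if the first nameserver is the DC itself
# and the AD domain is in the search (or domain) list.
check_resolv() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$ns" = "$DC_IP" ] || return 1
    awk -v d="$DC_DOMAIN" \
        '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
         END { exit !found }' "$1"
}

# check_bind_zones FILE...: fail if any flat-file zone statement names the AD
# domain or a subdomain of it (such as _msdcs); samba_dlz serves those from AD.
check_bind_zones() {
    dom_re=$(printf '%s' "$DC_DOMAIN" | sed 's/\./\\./g')
    bad=$(grep -hE '^[[:space:]]*zone[[:space:]]+"' "$@" \
        | sed -E 's/^[[:space:]]*zone[[:space:]]+"([^"]+)".*/\1/' \
        | grep -E "(^|\.)$dom_re\$" || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/AD zone found in BIND flat files: /' >&2
    return 1
}

# Constructed sample files (temporary directory, removed on exit).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# /etc/hosts as posted in the thread, and with the DC's real address
printf '127.0.0.1\tlocalhost.localdomain localhost\n127.0.1.1\tbombadil.compeiler.windows bombadil\n' > "$tmp/hosts.bad"
printf '127.0.0.1\tlocalhost.localdomain localhost\n192.168.178.205\tbombadil.compeiler.windows bombadil\n' > "$tmp/hosts.good"
# /etc/resolv.conf as posted, and as Rowland suggests
printf 'nameserver 127.0.0.1\nnameserver 192.168.178.1\n' > "$tmp/resolv.bad"
printf 'search compeiler.windows\nnameserver 192.168.178.205\n' > "$tmp/resolv.good"
# named.conf.local fragments: the posted reverse zone only, and a constructed
# copy that also declares the AD _msdcs zone as a flat-file zone
cat > "$tmp/named.good" <<'EOF'
zone "178.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.178.168.192";
};
EOF
cat > "$tmp/named.bad" <<'EOF'
zone "_msdcs.compeiler.windows" {
    type master;
    file "/etc/bind/db.empty";
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
EOF

# run_check LABEL FUNC FILE...: print PASS/FAIL for one check
run_check() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

run_check "hosts (as posted)"                    check_hosts      "$tmp/hosts.bad"
run_check "hosts (corrected)"                    check_hosts      "$tmp/hosts.good"
run_check "resolv.conf (as posted)"              check_resolv     "$tmp/resolv.bad"
run_check "resolv.conf (corrected)"              check_resolv     "$tmp/resolv.good"
run_check "named.conf.local (reverse zone only)" check_bind_zones "$tmp/named.good"
run_check "named.conf.local (AD zone present)"   check_bind_zones "$tmp/named.bad"
```

Run it with sh; on a real DC, point check_hosts at /etc/hosts, check_resolv at /etc/resolv.conf and check_bind_zones at /etc/bind/named.conf and /etc/bind/named.conf.local after editing DC_HOST, DC_DOMAIN and DC_IP for that domain. The "as posted" copies fail and the corrected ones pass, which is the same verdict Rowland gives inline.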