Reporting success this past year + new Issues Adding a new Samba 4 DC to existing Samba 4 AD

Aubrey Ekstrom aekstrom at proclivitysystems.com
Mon Dec 12 16:32:55 MST 2011


Hi Andrew and everyone!

I hope you are all well.

Some progress, but still short of the goal...

OK, 1st, Kerberos is NOT broken. Even before the below changes, kinit
worked for authentication from various computers I tested from. Windows
logon works for our 1 Windows server, and Web logon works for a web app on
that server (both authenticate to Samba 4 AD on PDC).

DNS on the PDC is still limping though since the Bind upgrade to 9.8.2.P1.
Today I recompiled Bind 9.8.1 as per BOTH the Samba 4 instructions:

$ apt-get install libkrb5-dev libssl-dev
$ tar -zxvf bind9.x.x.tar.gz
$ cd bind9.x.x
$ ./configure --with-gssapi=/usr/include/gssapi
$ make
$ make install

http://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates_.28optional.29

AND the Bind instructions I found here (not done previously):

./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --mandir=/usr/share/man \
            --enable-threads \
            --with-libtool &&
make

make install &&
chmod 755 /usr/lib/lib{bind9,isc{,cc,cfg},lwres,dns}.so.*.?.? &&

http://www.linuxfromscratch.org/blfs/view/svn/server/bind.html

I did this because I believed that Bind might be looking at the wrong
config files... and I may have been right since this seemed to have fixed
SOME things (but not everything).

_______________________________________________________________________________________________________

samba_dnsupdate no longer returns an error:

$ sudo /usr/local/samba/sbin/samba_dnsupdate --verbose
IPs: ['XX.XX.96.44']
Looking for DNS entry A not.our.domain XX.XX.96.44 as not.our.domain.
Looking for DNS entry A PDC.not.our.domain XX.XX.96.44 as
PDC.not.our.domain.
Looking for DNS entry CNAME
very-long-guid-like-number-here._msdcs.not.our.domain PDC.not.our.domain as
b36cf7ca-5d1f-4720-9cc1-3034b87312c4._msdcs.not.our.domain.
Looking for DNS entry SRV
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.not.our.domain
PDC.not.our.domain 88 as
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.not.our.domain.
Checking 0 100 88 PDC.not.our.domain. against SRV
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.not.our.domain
PDC.not.our.domain 88
Looking for DNS entry SRV
_ldap._tcp.default-first-site-name._sites.dc._msdcs.not.our.domain
PDC.not.our.domain 389 as
_ldap._tcp.default-first-site-name._sites.dc._msdcs.not.our.domain.
Checking 0 100 389 PDC.not.our.domain. against SRV
_ldap._tcp.default-first-site-name._sites.dc._msdcs.not.our.domain
PDC.not.our.domain 389
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.not.our.domain
PDC.not.our.domain 88 as _kerberos._tcp.dc._msdcs.not.our.domain.
Checking 0 100 88 PDC.not.our.domain. against SRV
_kerberos._tcp.dc._msdcs.not.our.domain PDC.not.our.domain 88
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.not.our.domain
PDC.not.our.domain 389 as _ldap._tcp.dc._msdcs.not.our.domain.
Checking 0 100 389 PDC.not.our.domain. against SRV
_ldap._tcp.dc._msdcs.not.our.domain PDC.not.our.domain 389
Looking for DNS entry SRV
_ldap._tcp.very-long-guid-like-number-here.domains._msdcs.not.our.domain
PDC.not.our.domain 389 as _ldap._tcp.very-long-guid-like-number-here
.domains._msdcs.not.our.domain.
Checking 0 100 389 PDC.not.our.domain. against SRV _ldap._tcp.
very-long-guid-like-number-here.domains._msdcs.not.our.domain
PDC.not.our.domain 389
Looking for DNS entry SRV
_ldap._tcp.default-first-site-name._sites.gc._msdcs.not.our.domain
PDC.not.our.domain 3268 as
_ldap._tcp.default-first-site-name._sites.gc._msdcs.not.our.domain.
Checking 0 100 3268 PDC.not.our.domain. against SRV
_ldap._tcp.default-first-site-name._sites.gc._msdcs.not.our.domain
PDC.not.our.domain 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.not.our.domain
PDC.not.our.domain 3268 as _ldap._tcp.gc._msdcs.not.our.domain.
Checking 0 100 3268 PDC.not.our.domain. against SRV
_ldap._tcp.gc._msdcs.not.our.domain PDC.not.our.domain 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.not.our.domain
PDC.not.our.domain 389 as _ldap._tcp.pdc._msdcs.not.our.domain.
Checking 0 100 389 PDC.not.our.domain. against SRV
_ldap._tcp.pdc._msdcs.not.our.domain PDC.not.our.domain 389
Looking for DNS entry SRV
_gc._tcp.default-first-site-name._sites.not.our.domain PDC.not.our.domain
3268 as _gc._tcp.default-first-site-name._sites.not.our.domain.
Checking 0 100 3268 PDC.not.our.domain. against SRV
_gc._tcp.default-first-site-name._sites.not.our.domain PDC.not.our.domain
3268
Looking for DNS entry SRV
_kerberos._tcp.default-first-site-name._sites.not.our.domain
PDC.not.our.domain 88 as
_kerberos._tcp.default-first-site-name._sites.not.our.domain.
Checking 0 100 88 PDC.not.our.domain. against SRV
_kerberos._tcp.default-first-site-name._sites.not.our.domain
PDC.not.our.domain 88
Looking for DNS entry SRV
_ldap._tcp.default-first-site-name._sites.not.our.domain PDC.not.our.domain
389 as _ldap._tcp.default-first-site-name._sites.not.our.domain.
Checking 0 100 389 PDC.not.our.domain. against SRV
_ldap._tcp.default-first-site-name._sites.not.our.domain PDC.not.our.domain
389
Looking for DNS entry SRV _gc._tcp.not.our.domain PDC.not.our.domain 3268
as _gc._tcp.not.our.domain.
Checking 0 100 3268 PDC.not.our.domain. against SRV _gc._tcp.not.our.domain
PDC.not.our.domain 3268
Looking for DNS entry SRV _kerberos._tcp.not.our.domain PDC.not.our.domain
88 as _kerberos._tcp.not.our.domain.
Checking 0 100 88 PDC.not.our.domain. against SRV
_kerberos._tcp.not.our.domain PDC.not.our.domain 88
Looking for DNS entry SRV _kpasswd._tcp.not.our.domain PDC.not.our.domain
464 as _kpasswd._tcp.not.our.domain.
Checking 0 100 464 PDC.not.our.domain. against SRV
_kpasswd._tcp.not.our.domain PDC.not.our.domain 464
Looking for DNS entry SRV _ldap._tcp.not.our.domain PDC.not.our.domain 389
as _ldap._tcp.not.our.domain.
Checking 0 100 389 PDC.not.our.domain. against SRV
_ldap._tcp.not.our.domain PDC.not.our.domain 389
Looking for DNS entry SRV _kerberos._udp.not.our.domain PDC.not.our.domain
88 as _kerberos._udp.not.our.domain.
Checking 0 100 88 PDC.not.our.domain. against SRV
_kerberos._udp.not.our.domain PDC.not.our.domain 88
Looking for DNS entry SRV _kpasswd._udp.not.our.domain PDC.not.our.domain
464 as _kpasswd._udp.not.our.domain.
Checking 0 100 464 PDC.not.our.domain. against SRV
_kpasswd._udp.not.our.domain PDC.not.our.domain 464
No DNS updates needed

__________________________________________________________________________________________________________________

I can also see some computers registering in DDNS. NewDC.not.our.domain
still has replication issues though, and DNS on the PDC still has some
issues too:

samba-tool drs showrepl PDC.not.our.domain from NewDC returns:

DC=not.our,DC=domain
    Default-First-Site-Name\NewDC via RPC
        DSA object GUID: very-long-guid-like-number-here
        Last attempt @ Mon Dec 12 18:06:42 2011 EST failed, result 2
(WERR_BADFILE)
        5794 consecutive failure(s).
        Last success @ NTTIME(0)

DC=not.our,DC=domain
    Default-First-Site-Name\NewDC via RPC
        DSA object GUID: very-long-guid-like-number-here
        Last attempt @ Mon Dec 12 18:06:42 2011 EST failed, result 2
(WERR_BADFILE)
        12 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=not.our,DC=domain
    Default-First-Site-Name\NewDC via RPC
        DSA object GUID: very-long-guid-like-number-here
        Last attempt @ Mon Dec 12 18:06:41 2011 EST failed, result 2
(WERR_BADFILE)
        5794 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=not.our,DC=domain
    Default-First-Site-Name\NewDC via RPC
        DSA object GUID: very-long-guid-like-number-here
        Last attempt @ Mon Dec 12 18:06:41 2011 EST failed, result 2
(WERR_BADFILE)
        12 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=not.our,DC=domain
    Default-First-Site-Name\NewDC via RPC
        DSA object GUID: very-long-guid-like-number-here
        Last attempt @ Mon Dec 12 18:06:41 2011 EST failed, result 2
(WERR_BADFILE)
        5794 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=not.our,DC=domain
    Default-First-Site-Name\NewDC via RPC
        DSA object GUID: very-long-guid-like-number-here
        Last attempt @ Mon Dec 12 18:06:42 2011 EST failed, result 2
(WERR_BADFILE)
        12 consecutive failure(s).
        Last success @ NTTIME(0)

And Bind on PDC:

$ sudo /etc/init.d/bind9 status
bind9 is not running failed!

Even though both ps and logs show Bind is running!

$ ps -Af | grep named
bind 19344 1 0 15:04 ? 00:00:06 /usr/sbin/named -u bind
psadmin 30362 7199 0 17:29 pts/0 00:00:00 grep named


sudo cat /var/log/daemon.log shows lots of DNS activity, including:

Dec 12 16:11:17 PDC named[19344]: client XX.XX.96.207#64026: update
'not.our.domain/IN' denied
Dec 12 16:11:17 PDC named[19344]: client XX.XX.96.207#60301: updating zone
'not.our.domain/IN': deleting rrset at 'proclivi-43a72f.not.our.domain' A
Dec 12 16:11:17 PDC named[19344]: client XX.XX.96.207#60301: updating zone
'not.our.domain/IN': adding an RR at 'proclivi-43a72f.not.our.domain' A
Dec 12 16:34:27 PDC named[19344]: client XX.XX.96.199#55327: updating zone
'not.our.domain/IN': update unsuccessful: mac-mini.not.our.domain/A: 'RRset
exists (value dependent)' prerequisite not satisfied (NXRRSET)
Dec 12 16:34:27 PDC named[19344]: client XX.XX.96.199#55327: updating zone
'not.our.domain/IN': update failed: rejected by secure update (REFUSED)
Dec 12 16:35:53 PDC named[19344]: client XX.XX.132.60#57716: update
'not.our.domain/IN' denied
Dec 12 16:35:54 PDC named[19344]: client XX.XX.132.60#55461: updating zone
'not.our.domain/IN': deleting rrset at 'nqv0.not.our.domain' AAAA
Dec 12 16:35:54 PDC named[19344]: client XX.XX.132.60#55461: updating zone
'not.our.domain/IN': deleting rrset at 'nqv0.not.our.domain' A
Dec 12 16:35:54 PDC named[19344]: client XX.XX.132.60#55461: updating zone
'not.our.domain/IN': adding an RR at 'nqv0.not.our.domain' A
Dec 12 16:43:18 PDC named[19344]: client XX.XX.132.60#52682: query (cache) '
tools.google.com/A/IN' denied
Dec 12 16:50:06 PDC named[19344]: client XX.XX.136.6#38151: query (cache)
'NewDC.not.our.domain.domain/A/IN' denied
Dec 12 16:53:15 PDC named[19344]: client XX.XX.136.6#46013: query (cache)
'NewDC.not.our.domain.domain/A/IN' denied

Notice the malformed name "NewDC.not.our.domain.domain" at the end.

$ cat /usr/local/samba/private/dns/not.our.domain.zone
$ORIGIN .
$TTL 604800 ; 1 week
not.our.domain IN SOA PDC.not.our.domain. hostmaster.not.our.domain. (
2010112919 ; serial
172800 ; refresh (2 days)
14400 ; retry (4 hours)
3628800 ; expire (6 weeks)
604800 ; minimum (1 week)
)
NS PDC.not.our.domain.
A XX.XX.96.44
$ORIGIN not.our.domain.
_kerberos TXT "not.our.domain"
$ORIGIN _msdcs.not.our.domain.
very-long-guid-like-number-here CNAME PDC.not.our.domain.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.not.our.domain.
_kerberos SRV 0 100 88 PDC.not.our.domain.
_ldap SRV 0 100 389 PDC.not.our.domain.
$ORIGIN _tcp.dc._msdcs.not.our.domain.
_kerberos SRV 0 100 88 PDC.not.our.domain.
_ldap SRV 0 100 389 PDC.not.our.domain.
$ORIGIN _msdcs.not.our.domain.
_ldap._tcp.very-long-guid-like-number-here.not.ours SRV 0 100 389
PDC.not.our.domain.
gc A XX.XX.96.44
$ORIGIN gc._msdcs.not.our.domain.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 PDC.not.our.domain.
_ldap._tcp SRV 0 100 3268 PDC.not.our.domain.
$ORIGIN _msdcs.not.our.domain.
_ldap._tcp.pdc SRV 0 100 389 PDC.not.our.domain.
$ORIGIN _tcp.Default-First-Site-Name._sites.not.our.domain.
_gc SRV 0 100 3268 PDC.not.our.domain.
_kerberos SRV 0 100 88 PDC.not.our.domain.
_ldap SRV 0 100 389 PDC.not.our.domain.
$ORIGIN _tcp.not.our.domain.
_gc SRV 0 100 3268 PDC.not.our.domain.
_kerberos SRV 0 100 88 PDC.not.our.domain.
_kerberos-master SRV 0 100 88 PDC.not.our.domain.
_kpasswd SRV 0 100 464 PDC.not.our.domain.
_ldap SRV 0 100 389 PDC.not.our.domain.
$ORIGIN _udp.not.our.domain.
_kerberos SRV 0 100 88 PDC.not.our.domain.
_kerberos-master SRV 0 100 88 PDC.not.our.domain.
_kpasswd SRV 0 100 464 PDC.not.our.domain.
$ORIGIN not.our.domain.
$TTL 1200 ; 20 minutes
*nqv0 A XX.XX.132.60*
$TTL 604800 ; 1 week
PDC A XX.XX.96.44
$TTL 1200 ; 20 minutes
*proclivi-43a72f A XX.XX.96.207*

The 2 computers bolded above are both Windows machines that were not listed
there before, and the above logs confirm that they were added via DDNS.

So some progress at least... but still more to do. Thanks again in advance
for any and all assistance!

Cheers,

Aubrey Ekstrom | Systems Administrator
Proclivity Systems
22 West 19th St., Ninth Floor
New York, NY 10011
p 646.380.2416
aekstrom at proclivitysystems.com
www.proclivitysystems.com

On Fri, Dec 9, 2011 at 3:30 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2011-12-09 at 12:20 -0500, Aubrey Ekstrom wrote:
> > Hi Andrew,
> >
> > I find the below error in both /var/log/daemon.log & /var/log/syslog
> > for process named:
> >
> > *invalid command from 127.0.0.1#40623: bad auth*
> >
> > To recap the error bind9 reload displays:
> >
> > $ sudo /etc/init.d/bind9 reload
> > Reloading domain name service...: bind9rndc: connection to remote host
> > closed
>
> Clearly bind is not running on this host at this time.  What happens if
> you simply start it?
>
> sudo /etc/init.d/bind9 start
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
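As an added example (not code from the original post or from Samba), the following Python expands the $ORIGIN-relative owner names of a zone file like the one quoted above into absolute names and compares them against part of the SRV list that samba_dnsupdate walks, so a record that is missing or scoped under the wrong $ORIGIN shows up without live DNS queries. ZONE is a constructed excerpt modelled on the quoted file; 192.0.2.44 is a placeholder address.

```python
"""Expand $ORIGIN-relative names in a Samba-generated zone file and list the SRV
names samba_dnsupdate checks that do not point at the DC.  ZONE is constructed."""
from collections import defaultdict
RTYPES = {"A", "AAAA", "CNAME", "NS", "SOA", "SRV", "TXT", "IN"}

ZONE = """\
$ORIGIN .
not.our.domain IN SOA PDC.not.our.domain. hostmaster.not.our.domain. (
    2010112919 ; serial
    )
    NS PDC.not.our.domain.
    A 192.0.2.44
$ORIGIN _tcp.dc._msdcs.not.our.domain.
_kerberos SRV 0 100 88 PDC.not.our.domain.
_ldap SRV 0 100 389 PDC.not.our.domain.
$ORIGIN not.our.domain.
PDC A 192.0.2.44
"""

def absolute(name, origin):
    """A name without a trailing dot is relative to the current $ORIGIN."""
    return name if name.endswith(".") else name + ("." if origin == "." else f".{origin}")

def parse_zone(text):
    """Return {(owner_fqdn, rtype): [rdata, ...]}; handles $ORIGIN/$TTL, ';'
    comments, the optional IN class, owner-less lines and '( ... )' rdata."""
    recs, origin, owner, depth = defaultdict(list), ".", None, 0
    for raw in text.splitlines():
        toks = (body := raw.split(";", 1)[0]).split()   # drop trailing comment
        if depth:                            # inside a '( ... )' continuation
            depth += body.count("(") - body.count(")")
            continue
        if toks and toks[0] == "$ORIGIN":
            origin = toks[1]
        if not toks or toks[0].startswith("$"):   # $ORIGIN applied, $TTL ignored
            continue
        if toks[0].upper() not in RTYPES:    # explicit owner, else reuse last one
            owner, toks = absolute(toks[0], origin), toks[1:]
        if toks[0].upper() == "IN":
            toks = toks[1:]
        recs[(owner, toks[0].upper())].append(" ".join(toks[1:]))
        depth += body.count("(") - body.count(")")
    return recs

def missing_dc_srv(recs, domain, dc_fqdn):
    """SRV names samba_dnsupdate checks (a subset) with no record targeting dc_fqdn."""
    wanted = [f"{s}._tcp.dc._msdcs.{domain}" for s in ("_kerberos", "_ldap")]
    wanted += [f"{s}._tcp.{domain}" for s in ("_kerberos", "_ldap", "_kpasswd", "_gc")]
    return [n for n in wanted
            if dc_fqdn not in {r.split()[-1] for r in recs.get((n, "SRV"), [])}]
```

Pass `domain` and `dc_fqdn` with their trailing dots, as zone-file absolute names are written; the constructed ZONE deliberately lacks the `_tcp.not.our.domain.` block, so four of the six checked names are reported missing.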