ForestDnsZones partition and TrustAnchors zone problem
Amitay Isaacs
amitay at gmail.com
Mon Oct 1 21:14:36 MDT 2012
Hi Matthieu/Samuel,
On Tue, Oct 2, 2012 at 11:37 AM, Matthieu Patou <mat at samba.org> wrote:
> On 10/01/2012 03:35 PM, Samuel Cabrero wrote:
>>
>> Hi,
>>
>> I have found a problem related to the ForestDnsZones partition replication
>> when using BIND9_DLZ as backend in samba4 rc1.
>>
>> If the "TrustAnchors" zone exists in the windows server, it is replicated
>> to samba4 and named daemon exits with the following error when trying to
>> load it:
>>
>> named[10704]: samba_dlz: Failed to configure zone '..TrustAnchors'
>> named[10704]: loading configuration: empty label
>> named[10704]: exiting (due to fatal error)
>>
>> As soon as the zone is deleted in the windows server (dnscmd /zonedelete
>> TrustAnchors /DsDel) and the change is replicated to samba, named starts
>> without problems.
>>
>> This issue is more annoying than it seems because this TrustAnchors zone
>> is automatically created each time that the server properties window is
>> opened in the windows DNS management tool. If you right click in the server
>> name and select properties, then select the Trust Anchors tab and click Ok
>> button without making any changes, the zone is created again, replicated to
>> samba4 and the problem is back.
>>
>> I don't know if it is related, but the zone has two dots prepended to the
>> name when replicated to samba:
>>
>> root at s4dc1:/home/zen# samba-tool dns zonelist s4dc1.kernevil.lan
>> 3 zone(s) found
>>
>> pszZoneName : kernevil.lan
>> Flags : DNS_RPC_ZONE_DSINTEGRATED
>> DNS_RPC_ZONE_UPDATE_SECURE
>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>> Version : 50
>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
>> DNS_DP_ENLISTED
>> pszDpFqdn : DomainDnsZones.kernevil.lan
>>
>> pszZoneName : _msdcs.kernevil.lan
>> Flags : DNS_RPC_ZONE_DSINTEGRATED
>> DNS_RPC_ZONE_UPDATE_SECURE
>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>> Version : 50
>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>> DNS_DP_ENLISTED
>> pszDpFqdn : ForestDnsZones.kernevil.lan
>>
>> pszZoneName : ..TrustAnchors
>> Flags : DNS_RPC_ZONE_DSINTEGRATED
>> DNS_RPC_ZONE_UPDATE_SECURE
>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>> Version : 50
>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>> DNS_DP_ENLISTED
>> pszDpFqdn : ForestDnsZones.kernevil.lan
>>
>>
>> root at s4dc1:/home/zen# samba-tool dns zonelist windc1.kernevil.lan
>> 3 zone(s) found
>>
>> pszZoneName : _msdcs.kernevil.lan
>> Flags : DNS_RPC_ZONE_DSINTEGRATED
>> DNS_RPC_ZONE_UPDATE_SECURE
>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>> Version : 50
>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>> DNS_DP_ENLISTED
>> pszDpFqdn : ForestDnsZones.kernevil.lan
>>
>> pszZoneName : kernevil.lan
>> Flags : DNS_RPC_ZONE_DSINTEGRATED
>> DNS_RPC_ZONE_UPDATE_SECURE
>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>> Version : 50
>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
>> DNS_DP_ENLISTED
>> pszDpFqdn : DomainDnsZones.kernevil.lan
>>
>> pszZoneName : TrustAnchors
>> Flags : DNS_RPC_ZONE_DSINTEGRATED
>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>> Version : 50
>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>> DNS_DP_ENLISTED
>> pszDpFqdn : ForestDnsZones.kernevil.lan
Since we are not interpreting any records in the ..TrustAnchors zone yet,
that zone can be ignored by the DLZ plugin and also by the RPC dnsserver.
samba-tool dns commands work against the RPC dnsserver.
> I did a small search on my server and I have this:
>
> ./bin/ldbsearch -H ldap://172.16.100.49 -Uadministrator%totoTATA123 -b
> DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net dn | grep -i trust
> dn:
> DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net
> dn:
> DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net
> mat at mpatou-t420:/usr/local/src/samba$ ./bin/samba-tool dns zonelist
> 172.16.100.49
> Password for [WORKGROUP\mat]:
> Interrupted by signal.
> mat at mpatou-t420:/usr/local/src/samba$ ./bin/samba-tool dns zonelist
> 172.16.100.49 -Uadministrator%totoTATA123
> 3 zone(s) found
>
> pszZoneName : _msdcs.w2k12.home.matws.net
>
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.w2k12.home.matws.net
>
>
> pszZoneName : TrustAnchors
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.w2k12.home.matws.net
>
> pszZoneName : w2k12.home.matws.net
>
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.w2k12.home.matws.net
>
>
> The server is Windows 2012 server, so it means that in the database the
> records are saved in the ..TrustAnchors format but that Windows is returning
> them cleaned.
>
>
>> I would be happy to provide as much debug info as you need to help to
>> solve this issue.
>>
> Can you try to create another zone with the windows tools (i.e. foobar.lan),
> wait for it to be replicated to samba and then restart bind.
>
> If everything is ok then it means that we "just" have to skip the
> trustanchors from being loaded + fix the samba-tool dns output.
The patches for DLZ and RPC dnsserver are in the master branch and are
also attached with this email.
http://git.samba.org/amitay/?p=amitay/samba.git;a=summary
Samuel, can you test with the patches and confirm that BIND does not crash?
Thanks.
Amitay.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-dns-dlz_bind9-Ignore-zones-that-are-not-used-by-B.patch
Type: application/octet-stream
Size: 964 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/8521a222/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-rpc-dnsserver-Ignore-DNS-zones-that-are-not-used-.patch
Type: application/octet-stream
Size: 1051 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/8521a222/attachment-0003.obj>
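The failure described in the thread is a DNS backend aborting on a zone name it cannot parse ("..TrustAnchors" contains two empty labels) instead of skipping it. The following is an added example, not Samba's dlz_bind9 code nor the content of the attached patches: it shows the defensive pattern the fix is described as taking, namely validating each zone name pulled from the directory, skipping the Windows-internal TrustAnchors zone and any name with empty or malformed labels, and reporting why each was skipped rather than terminating the server. The zone names in the test are taken from the listings above; the function names, the `IGNORED_ZONES` set and the label regex are this example's own assumptions.

```python
"""Filter AD-DNS zone names before handing them to a DNS server backend.

Added example for the samba-technical thread above; it is not Samba's own
code. The directory stores some Windows-internal zones with a '..' prefix
(e.g. 'DC=..TrustAnchors'), which a strict zone parser rejects with
"empty label". Instead of aborting, a loader should skip such zones.
"""

import re

# Zones Windows keeps in the ForestDnsZones partition for its own use
# (DNSSEC trust anchors). The thread says no records in them are
# interpreted, so they are never handed to the backend. (Assumed set.)
IGNORED_ZONES = {"trustanchors"}

# One DNS label as accepted by a zone loader: 1-63 chars, letters, digits,
# underscore (for _msdcs-style service labels) and interior hyphens.
LABEL_RE = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def normalize_zone_name(name):
    """Strip the '..' prefix Windows puts on its internal zone names.

    Returns (cleaned_name, had_internal_prefix). Mirrors what the RPC
    dnsserver on Windows does when it lists 'TrustAnchors' although the
    directory object is named '..TrustAnchors'.
    """
    if name.startswith(".."):
        return name[2:], True
    return name, False


def zone_name_problems(name):
    """Return the list of reasons why `name` cannot be loaded as a zone.

    An empty list means every label is syntactically valid. A single
    trailing dot (FQDN form) is allowed; '.' alone is the root zone.
    """
    if name == ".":
        return []
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    problems = []
    for i, label in enumerate(labels):
        if label == "":
            problems.append("empty label at position %d" % i)
        elif not LABEL_RE.match(label):
            problems.append("invalid label %r" % label)
    return problems


def select_loadable_zones(zone_names):
    """Split zone names into (load, skipped).

    `load` keeps the names the backend should configure, in input order;
    `skipped` maps each rejected name to a human-readable reason so the
    decision is visible in logs instead of surfacing as a fatal error.
    """
    load = []
    skipped = {}
    for raw in zone_names:
        cleaned, _internal = normalize_zone_name(raw)
        if cleaned.lower() in IGNORED_ZONES:
            skipped[raw] = "internal Windows DNS zone, not served by backend"
            continue
        problems = zone_name_problems(raw)
        if problems:
            skipped[raw] = "; ".join(problems)
            continue
        load.append(raw)
    return load, skipped


if __name__ == "__main__":
    # Constructed input modelled on the zonelist output in the thread.
    zones = ["kernevil.lan", "_msdcs.kernevil.lan", "..TrustAnchors"]
    ok, bad = select_loadable_zones(zones)
    for z in ok:
        print("configuring zone %s" % z)
    for z, why in bad.items():
        print("skipping zone %r: %s" % (z, why))
```

Running the module prints that the two real zones are configured and that `..TrustAnchors` is skipped with its reason; a loader that checks `zone_name_problems` first would also catch an accidental double dot in a user-created zone without taking the whole server down.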