ForestDnsZones partition and TrustAnchors zone problem

Samuel Cabrero scabrero at zentyal.com
Fri Oct 5 06:12:52 MDT 2012 

On 02/10/12 05:14, Amitay Isaacs wrote:
> Hi Matthieu/Samuel,
>
> On Tue, Oct 2, 2012 at 11:37 AM, Matthieu Patou <mat at samba.org> wrote:
>> On 10/01/2012 03:35 PM, Samuel Cabrero wrote:
>>>
>>> Hi,
>>>
>>> I have found a problem related to the ForestDnsZones partition replication
>>> when using BIND9_DLZ as backend in samba4 rc1.
>>>
>>> If the "TrustAnchors" zone exists in the windows server, it is replicated
>>> to samba4 and named daemon exits with the following error when trying to
>>> load it:
>>>
>>> named[10704]: samba_dlz: Failed to configure zone '..TrustAnchors'
>>> named[10704]: loading configuration: empty label
>>> named[10704]: exiting (due to fatal error)
>>>
>>> As soon the zone is deleted in the windows server (dnscmd /zonedelete
>>> TrustAnchors /DsDel) and the change is replicated to samba, named starts
>>> without problems.
>>>
>>> This issue is more annoying than it seems because this TrustAnchors zone
>>> is automatically created each time that the server properties window is
>>> opened in the windows DNS management tool. If you right click in the server
>>> name and select properties, then select the Trust Anchors tab and click Ok
>>> button without make any changes, the zone is created again, replicated to
>>> samba4 and the problem is back.
>>>
>>> I don't know if it is related, but the zone have two dots prepended to the
>>> name when replicated to samba:
>>>
>>> root at s4dc1:/home/zen# samba-tool dns zonelist s4dc1.kernevil.lan
>>>    3 zone(s) found
>>>
>>>    pszZoneName                 : kernevil.lan
>>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>    Version                     : 50
>>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
>>> DNS_DP_ENLISTED
>>>    pszDpFqdn                   : DomainDnsZones.kernevil.lan
>>>
>>>    pszZoneName                 : _msdcs.kernevil.lan
>>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>    Version                     : 50
>>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>>> DNS_DP_ENLISTED
>>>    pszDpFqdn                   : ForestDnsZones.kernevil.lan
>>>
>>>    pszZoneName                 : ..TrustAnchors
>>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>    Version                     : 50
>>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>>> DNS_DP_ENLISTED
>>>    pszDpFqdn                   : ForestDnsZones.kernevil.lan
>>>
>>>
>>> root at s4dc1:/home/zen# samba-tool dns zonelist windc1.kernevil.lan
>>>    3 zone(s) found
>>>
>>>    pszZoneName                 : _msdcs.kernevil.lan
>>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>    Version                     : 50
>>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>>> DNS_DP_ENLISTED
>>>    pszDpFqdn                   : ForestDnsZones.kernevil.lan
>>>
>>>    pszZoneName                 : kernevil.lan
>>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>    Version                     : 50
>>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
>>> DNS_DP_ENLISTED
>>>    pszDpFqdn                   : DomainDnsZones.kernevil.lan
>>>
>>>    pszZoneName                 : TrustAnchors
>>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>    Version                     : 50
>>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>>> DNS_DP_ENLISTED
>>>    pszDpFqdn                   : ForestDnsZones.kernevil.lan
>
>
> Since we are not interpreting any records in ..TrustAnchors zone yet,
> that zone can be ignored by DLZ plugin and also by RPC dnsserver.
> samba-tool dns commands work against the RPC dnsserver.
>
>
>> I did a small search on my server and I have this:
>>
>> ./bin/ldbsearch -H ldap://172.16.100.49 -Uadministrator%totoTATA123 -b
>> DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net dn  | grep -i trust
>> dn:
>> DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net
>> dn:
>> DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=w2k12,DC=home,DC=matws,DC=net
>> mat at mpatou-t420:/usr/local/src/samba$ ./bin/samba-tool dns zonelist
>> 172.16.100.49
>> Password for [WORKGROUP\mat]:
>> Interrupted by signal.
>> mat at mpatou-t420:/usr/local/src/samba$ ./bin/samba-tool dns zonelist
>> 172.16.100.49   -Uadministrator%totoTATA123
>>    3 zone(s) found
>>
>>    pszZoneName                 : _msdcs.w2k12.home.matws.net
>>
>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>> DNS_RPC_ZONE_UPDATE_SECURE
>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>    Version                     : 50
>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>> DNS_DP_ENLISTED
>>    pszDpFqdn                   : ForestDnsZones.w2k12.home.matws.net
>>
>>
>>    pszZoneName                 : TrustAnchors
>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>    Version                     : 50
>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
>> DNS_DP_ENLISTED
>>    pszDpFqdn                   : ForestDnsZones.w2k12.home.matws.net
>>
>>    pszZoneName                 : w2k12.home.matws.net
>>
>>    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
>> DNS_RPC_ZONE_UPDATE_SECURE
>>    ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>    Version                     : 50
>>    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
>> DNS_DP_ENLISTED
>>    pszDpFqdn                   : DomainDnsZones.w2k12.home.matws.net
>>
>>
>> The server is Windows 2012 server, so it means that in the database the
>> record are saved in the ..TrustAnchors format but that windows in returning
>> them cleaned.
>>
>>
>>> I would be happy to provide as much debug info as you need to help to
>>> solve this issue.
>>>
>> Can you try to create another zone with the windows tools (ie foobar.lan)
>> wait for it to be replicated to samba and then restart bind.
>>
>> If everything is ok then it means that we "just" to have to skip the
>> trustanchors from being loaded + fix the samba-tool dns output.
>
> The patches for DLZ and RPC dnsserver are in the master branch and are
> also attached with this email.
>
>      http://git.samba.org/amitay/?p=amitay/samba.git;a=summary
>
> Samuel, can you test with the patches and confirm that BIND does not crash?
>
> Thanks.
>
> Amitay.
>

Hi Amitay,

your patches work great. Problem solved.

Matthieu, I have also tried to create additional DNS zones and they load 
without problems.

Thanks to both,

Cheers.

-- 
Samuel Cabrero - Developer
scabrero at zentyal.com

The Linux small business server
www.zentyal.com

More information about the samba-technical mailing list