[HELP WANTED] Samba DNS Corruption: any examples?

Rowland Penny repenny241155 at gmail.com
Wed Nov 2 08:58:23 UTC 2016 

On Wed, 02 Nov 2016 09:12:25 +0100
Daniele Dario <d.dario76 at gmail.com> wrote:

> G'Day,
> 
> On mar, 2016-11-01 at 22:16 +1300, Andrew Bartlett wrote:
> > G'Day,
> > 
> > I'm chasing down an issue of DNS corruption for a customer, where
> > an A record coudln't be deleted with Samba's normal tools, and had
> > to be removed with ldbdel.
> > 
> > Sadly however we no longer have access to the corrupt record (oops),
> > but there is nothing new under the sun, and if it happening for one
> > customer it is probably happening elsewhere.  And in any case, the
> > more examples the better with these things.
> > 
> > I'm aware of the ability of TXT records to be miss-parsed (it even
> > got as far as a security hole), but if anybody has other records
> > that get 'stuck' in our internal or BIND9 DLZ DNS servers, and can
> > share those with me (in private is fine), that would be most
> > helpful.
> > 
> > I'm looking for output from commands like:
> > 
> > bin/ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b
> > "DC=773eed91-5cc6-4745-94c9-
> > 1c1796e377d0,DC=_msdcs.samba.example.com,CN=MicrosoftDNS,DC=forestDnsZo
> > nes,DC=samba,DC=example,DC=com" 
> > 
> > and 
> > 
> > bin/ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b
> > "DC=773eed91-5cc6-4745-94c9-
> > 1c1796e377d0,DC=_msdcs.samba.example.com,CN=MicrosoftDNS,DC=forestDnsZo
> > nes,DC=samba,DC=example,DC=com"  --show-binary
> > 
> > Thanks!
> > 
> > Andrew Bartlett
> 
> I'm using samba 4.4.3 and tried the above searchs.
> 
> I'm not familiar with ldbsearch so I copied the posted command and
> just replaced $SERVER/$PASSWORD, samba.example.com with my realm name
> saitel.loc and DC=samba,DC=example,DC=com with DC=saitel,DC=loc but
> the only thing I get is 
> 
> search error - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read: Error
> retrieving instanceType for base.
> at ../source4/dsdb/samdb/ldb_modules/acl_read.c:362> <>
> 
> Am I missing something in the replacements or just search can't find
> any record matching what asked for?
> 
> Daniele.
> 
> 

The long string starting '773ee' will be different on your machine, try
reading this:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Determining_a_DCs_objectGUID

Rowland

More information about the samba-technical mailing list