[HELP WANTED] Samba DNS Corruption: any examples?

Daniele Dario d.dario76 at gmail.com
Wed Nov 2 09:37:18 UTC 2016




On mer, 2016-11-02 at 08:58 +0000, Rowland Penny wrote:
> On Wed, 02 Nov 2016 09:12:25 +0100
> Daniele Dario <d.dario76 at gmail.com> wrote:
> 
> > G'Day,
> > 
> > On mar, 2016-11-01 at 22:16 +1300, Andrew Bartlett wrote:
> > > G'Day,
> > > 
> > > I'm chasing down an issue of DNS corruption for a customer, where
> > > an A record couldn't be deleted with Samba's normal tools, and had
> > > to be removed with ldbdel.
> > > 
> > > Sadly however we no longer have access to the corrupt record (oops),
> > > but there is nothing new under the sun, and if it is happening for one
> > > customer it is probably happening elsewhere.  And in any case, the
> > > more examples the better with these things.
> > > 
> > > I'm aware of the ability of TXT records to be mis-parsed (it even
> > > got as far as a security hole), but if anybody has other records
> > > that get 'stuck' in our internal or BIND9 DLZ DNS servers, and can
> > > share those with me (in private is fine), that would be most
> > > helpful.
> > > 
> > > I'm looking for output from commands like:
> > > 
> > > bin/ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b \
> > >   "DC=773eed91-5cc6-4745-94c9-1c1796e377d0,DC=_msdcs.samba.example.com,CN=MicrosoftDNS,DC=forestDnsZones,DC=samba,DC=example,DC=com"
> > > 
> > > and 
> > > 
> > > bin/ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b \
> > >   "DC=773eed91-5cc6-4745-94c9-1c1796e377d0,DC=_msdcs.samba.example.com,CN=MicrosoftDNS,DC=forestDnsZones,DC=samba,DC=example,DC=com" \
> > >   --show-binary
> > > 
> > > Thanks!
> > > 
> > > Andrew Bartlett
> > 
> > I'm using samba 4.4.3 and tried the above searches.
> > 
> > I'm not familiar with ldbsearch so I copied the posted command and
> > just replaced $SERVER/$PASSWORD, samba.example.com with my realm name
> > saitel.loc and DC=samba,DC=example,DC=com with DC=saitel,DC=loc but
> > the only thing I get is 
> > 
> > search error - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read: Error
> > retrieving instanceType for base.
> > at ../source4/dsdb/samdb/ldb_modules/acl_read.c:362> <>
> > 
> > Am I missing something in the replacements, or does the search just not
> > find any record matching what was asked for?
> > 
> > Daniele.
> > 
> > 
> 
> The long string starting '773ee' will be different on your machine, try
> reading this:
> 
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Determining_a_DCs_objectGUID
> 
> Rowland
> 

Yeah, thought something like that.

[root at kdc01:~]# ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD '(invocationId=*)' --cross-ncs objectguid
resolve_lmhosts: Attempting lmhosts lookup for name kdc01<0x20>
# record 1
dn: CN=NTDS Settings,CN=KDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: 9f63d183-b54c-4487-af07-bc5a021e20fd

# record 2
dn: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: 0a384e9a-5178-4d03-bbbb-ac8372639405

# record 3
dn: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: be251245-387c-4a35-9554-a4ca6388bd55

# returned 3 records
# 3 entries
# 0 referrals

But even using KDC01 objectGUID I get

[root at kdc01:~]# ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b "DC=be251245-387c-4a35-9554-a4ca6388bd55,DC=_msdcs.saitel.loc,CN=MicrosoftDNS,DC=forestDnsZnes,DC=saitel,DC=loc"
resolve_lmhosts: Attempting lmhosts lookup for name kdc01<0x20>
search error - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read: Error
retrieving instanceType for base.
at ../source4/dsdb/samdb/ldb_modules/acl_read.c:362> <>

So I don't understand whether "acl_read: Error ..." means the query is wrong, or
the query is OK and it just doesn't find anything, which would not be bad.

Daniele.
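Editor's note on the error above: LDAP result 32 (LDAP_NO_SUCH_OBJECT) on a search means the server could not find the object named by `-b`; the `acl_read: Error retrieving instanceType for base` text is Samba's ACL module reporting that it could not read the base object, so the command was accepted and it is the base DN that did not resolve. Note that the failing search spells the partition `DC=forestDnsZnes`, whereas the DN template in the quoted `bin/ldbsearch` commands has `DC=forestDnsZones`. The following Python is an added example, not code from the thread and not Samba's own tooling: it extracts each DC's objectGUID from the `(invocationId=*) --cross-ncs objectguid` output quoted in this message, builds the expected `_msdcs` record DN from that template, and compares a candidate base DN against it RDN by RDN, so a misspelled component is reported by position instead of surfacing only as error 32. The sample output, the realm `saitel.loc` and the failing base DN are copied from this message; the handling of wrapped `dn:` lines assumes the wrap fell at a space, as it did in the mail.

```python
"""Build the DN of a DC's _msdcs record and check a base DN against it.

Added example for this thread; not code from the post and not Samba's own
tooling.  DN template: the one used in the ldbsearch commands in the thread.
Sample data: the ldbsearch output and failing base DN from the post (realm
saitel.loc).  Assumption: DN values contain no escaped commas.
"""
import re
from typing import Dict, List, Tuple

# ldbsearch output as it appears in the mail; the first 'dn:' line was
# wrapped at a space by the mail client, which the parser re-joins.
SAMPLE_LDBSEARCH_OUTPUT = """\
resolve_lmhosts: Attempting lmhosts lookup for name kdc01<0x20>
# record 1
dn: CN=NTDS
Settings,CN=KDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: 9f63d183-b54c-4487-af07-bc5a021e20fd

# record 2
dn: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: 0a384e9a-5178-4d03-bbbb-ac8372639405

# record 3
dn: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: be251245-387c-4a35-9554-a4ca6388bd55

# returned 3 records
"""

# Base DN of the search in the post that failed with LDAP error 32.
POSTED_BASE_DN = ("DC=be251245-387c-4a35-9554-a4ca6388bd55,DC=_msdcs.saitel.loc,"
                  "CN=MicrosoftDNS,DC=forestDnsZnes,DC=saitel,DC=loc")

NTDS_DN_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.I)
FIELD_RE = re.compile(r"^(\w+): (.*)$")


def parse_ntds_guids(output: str) -> Dict[str, str]:
    """Map DC name -> objectGUID from '(invocationId=*) --cross-ncs objectguid' output."""
    servers: Dict[str, str] = {}
    fields: Dict[str, str] = {}
    key = None
    for line in output.splitlines() + [""]:           # trailing "" flushes the last record
        if not line.strip() or line.startswith("#"):  # record separator or ldbsearch comment
            m = NTDS_DN_RE.match(fields.get("dn", ""))
            if m and "objectGUID" in fields:
                servers[m.group(1).upper()] = fields["objectGUID"].lower()
            fields, key = {}, None
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2)
        elif key:                                     # wrapped continuation (assumed split at a space)
            fields[key] += " " + line.strip()
    return servers


def realm_to_dn(realm: str) -> str:
    """saitel.loc -> DC=saitel,DC=loc"""
    return ",".join("DC=" + label for label in realm.split("."))


def msdcs_cname_dn(object_guid: str, realm: str) -> str:
    """DN of the <objectGUID>._msdcs.<realm> record in the forestDnsZones partition."""
    return (f"DC={object_guid},DC=_msdcs.{realm},CN=MicrosoftDNS,"
            f"DC=forestDnsZones,{realm_to_dn(realm)}")


def dn_mismatches(actual: str, expected: str) -> List[Tuple[int, str, str]]:
    """Compare two DNs RDN by RDN, case-insensitively as LDAP does for CN/DC values.
    Returns (position, got, wanted) for each differing RDN; [] means the base
    DN matches the template and error 32 would mean the object itself is absent."""
    a = [r.strip() for r in actual.split(",")]
    e = [r.strip() for r in expected.split(",")]
    bad = []
    for i in range(max(len(a), len(e))):
        got = a[i] if i < len(a) else ""
        want = e[i] if i < len(e) else ""
        if got.lower() != want.lower():
            bad.append((i, got, want))
    return bad


def diagnose(output: str = SAMPLE_LDBSEARCH_OUTPUT, base_dn: str = POSTED_BASE_DN,
             server: str = "KDC01", realm: str = "saitel.loc"):
    """Return (expected base DN for `server`, RDNs where `base_dn` differs from it)."""
    guids = parse_ntds_guids(output)
    expected = msdcs_cname_dn(guids[server], realm)
    return expected, dn_mismatches(base_dn, expected)


if __name__ == "__main__":
    expected_dn, problems = diagnose()
    print("expected base DN:", expected_dn)
    for pos, got, want in problems:
        print(f"RDN {pos}: got {got!r}, expected {want!r}")
    if not problems:
        print("base DN matches the template; error 32 then means the object at that DN does not exist")
```

Run it against the post's data and it reports RDN 3 as `DC=forestDnsZnes` where `DC=forestDnsZones` was expected; with a base DN that matches the template, an error 32 from the real server is the interesting case, since it then means the `_msdcs` record for that objectGUID is genuinely not in the directory.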
