[HELP WANTED] Samba DNS Corruption: any examples?

Rowland Penny repenny241155 at gmail.com
Wed Nov 2 09:56:08 UTC 2016


On Wed, 02 Nov 2016 10:37:18 +0100
Daniele Dario <d.dario76 at gmail.com> wrote:

> 
> 
> 
> On mer, 2016-11-02 at 08:58 +0000, Rowland Penny wrote:
> > On Wed, 02 Nov 2016 09:12:25 +0100
> > Daniele Dario <d.dario76 at gmail.com> wrote:
> > 
> > > G'Day,
> > > 
> > > On mar, 2016-11-01 at 22:16 +1300, Andrew Bartlett wrote:
> > > > G'Day,
> > > > 
> > > > I'm chasing down an issue of DNS corruption for a customer,
> > > > where an A record couldn't be deleted with Samba's normal
> > > > tools, and had to be removed with ldbdel.
> > > > 
> > > > Sadly however we no longer have access to the corrupt record
> > > > (oops), but there is nothing new under the sun, and if it is
> > > > happening for one customer it is probably happening elsewhere.
> > > > And in any case, the more examples the better with these things.
> > > > 
> > > > I'm aware of the ability of TXT records to be mis-parsed (it
> > > > even got as far as a security hole), but if anybody has other
> > > > records that get 'stuck' in our internal or BIND9 DLZ DNS
> > > > servers, and can share those with me (in private is fine), that
> > > > would be most helpful.
> > > > 
> > > > I'm looking for output from commands like:
> > > > 
> > > > bin/ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b
> > > > "DC=773eed91-5cc6-4745-94c9-1c1796e377d0,DC=_msdcs.samba.example.com,CN=MicrosoftDNS,DC=forestDnsZones,DC=samba,DC=example,DC=com"
> > > > 
> > > > and 
> > > > 
> > > > bin/ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b
> > > > "DC=773eed91-5cc6-4745-94c9-1c1796e377d0,DC=_msdcs.samba.example.com,CN=MicrosoftDNS,DC=forestDnsZones,DC=samba,DC=example,DC=com" --show-binary
> > > > 
> > > > Thanks!
> > > > 
> > > > Andrew Bartlett
> > > 
> > > I'm using samba 4.4.3 and tried the above searches.
> > > 
> > > I'm not familiar with ldbsearch so I copied the posted command and
> > > just replaced $SERVER/$PASSWORD, samba.example.com with my realm
> > > name saitel.loc and DC=samba,DC=example,DC=com with
> > > DC=saitel,DC=loc but the only thing I get is 
> > > 
> > > search error - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read:
> > > Error retrieving instanceType for base.
> > > at ../source4/dsdb/samdb/ldb_modules/acl_read.c:362> <>
> > > 
> > > Am I missing something in the replacements or just search can't
> > > find any record matching what asked for?
> > > 
> > > Daniele.
> > > 
> > > 
> > 
> > The long string starting '773ee' will be different on your machine,
> > try reading this:
> > 
> > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Determining_a_DCs_objectGUID
> > 
> > Rowland
> > 
> 
> Yeah, thought something like that.
> 
> [root at kdc01:~]# ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD
> '(invocationId=*)' --cross-ncs objectguid
> resolve_lmhosts: Attempting lmhosts lookup for name kdc01<0x20>
> # record 1
> dn: CN=NTDS
> Settings,CN=KDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
> objectGUID: 9f63d183-b54c-4487-af07-bc5a021e20fd
> 
> # record 2
> dn: CN=NTDS
> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
> objectGUID: 0a384e9a-5178-4d03-bbbb-ac8372639405
> 
> # record 3
> dn: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
> objectGUID: be251245-387c-4a35-9554-a4ca6388bd55
> 
> # returned 3 records
> # 3 entries
> # 0 referrals
> 
> But even using KDC01 objectGUID I get
> 
> [root at kdc01:~]# ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD
> -b
> "DC=be251245-387c-4a35-9554-a4ca6388bd55,DC=_msdcs.saitel.loc,CN=MicrosoftDNS,DC=forestDnsZnes,DC=saitel,DC=loc"
> resolve_lmhosts: Attempting lmhosts lookup for name kdc01<0x20>
> search error - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read: Error
> retrieving instanceType for base.
> at ../source4/dsdb/samdb/ldb_modules/acl_read.c:362> <>
> 
> So I don't understand if "acl_read: Error ..." means the query is wrong,
> or the query is OK and it just doesn't find anything, which would not be bad.
> 
> Daniele.
> 

You have a typo, 'DC=forestDnsZnes' should be
'DC=forestDnsZones'.

Rowland
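
The procedure the thread walks through (find each DC's objectGUID with the `(invocationId=*)` search, then query its CNAME record under `_msdcs` in the `forestDnsZones` partition) as an added Python example; this is not code from the thread or from the Samba project. It unfolds the LDIF-style output that `ldbsearch` prints, pairs each `CN=NTDS Settings` DN with its objectGUID, spells out the partition name so the typo above cannot recur, and assembles the argument list for the second search without executing it. The sample output is constructed for this example from the three records quoted above, and the realm `saitel.loc` is the one from the thread.

```python
"""Build the base DN of a DC's _msdcs CNAME record from ldbsearch output.

Added example, not code from Samba or from the thread. Input is the output of
  ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD '(invocationId=*)' --cross-ncs objectguid
and the result is the DN used by the search in the thread:
  DC=<objectGUID>,DC=_msdcs.<realm>,CN=MicrosoftDNS,DC=forestDnsZones,<realm as DC=...>
"""
import re

# Constructed sample, modelled on the records quoted in the thread. In LDIF a
# folded line continues with one leading space (the fold marker); the space
# inside "NTDS Settings" follows it, so the continuation starts with two spaces.
SAMPLE_LDIF = """\
# record 1
dn: CN=NTDS
  Settings,CN=KDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: 9f63d183-b54c-4487-af07-bc5a021e20fd

# record 2
dn: CN=NTDS
  Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: 0a384e9a-5178-4d03-bbbb-ac8372639405

# record 3
dn: CN=NTDS
  Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
objectGUID: be251245-387c-4a35-9554-a4ca6388bd55

# returned 3 records
# 3 entries
# 0 referrals
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# \s* tolerates output whose leading spaces a mail client has stripped.
NTDS_RE = re.compile(r"CN=NTDS\s*Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto their line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(text):
    """Return {server_cn: objectGUID} for every NTDS Settings record."""
    result = {}
    dn = None
    for line in unfold_ldif(text):
        if line.startswith("#") or not line.strip():
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        value = value.strip()
        if key == "dn":
            dn = value
        elif key == "objectguid" and dn is not None:
            m = NTDS_RE.search(dn)
            if m is None or not GUID_RE.match(value.lower()):
                raise ValueError("unexpected record: %r / %r" % (dn, value))
            result[m.group(1).upper()] = value.lower()
            dn = None
    return result


def realm_to_dn(realm):
    """'saitel.loc' -> 'DC=saitel,DC=loc'."""
    labels = [lbl for lbl in realm.strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty realm")
    return ",".join("DC=" + lbl for lbl in labels)


def msdcs_record_dn(guid, realm):
    """Base DN of the DC's CNAME under _msdcs.<realm> in forestDnsZones."""
    if not GUID_RE.match(guid.lower()):
        raise ValueError("not an objectGUID: %r" % guid)
    return "DC=%s,DC=_msdcs.%s,CN=MicrosoftDNS,DC=forestDnsZones,%s" % (
        guid.lower(), realm.strip("."), realm_to_dn(realm))


def ldbsearch_args(server, user, password, guid, realm, show_binary=False):
    """Argument list for subprocess.run(); nothing is executed here."""
    args = ["ldbsearch", "-H", "ldap://" + server, "-U%s%%%s" % (user, password),
            "-b", msdcs_record_dn(guid, realm)]
    if show_binary:
        args.append("--show-binary")
    return args


if __name__ == "__main__":
    for server, guid in sorted(parse_records(SAMPLE_LDIF).items()):
        print(server, msdcs_record_dn(guid, "saitel.loc"))
```

Feed it the real output of the objectguid search (for example `parse_records(subprocess.check_output([...], text=True))`) and pass the returned list to `subprocess.run`; keeping the password out of the argument list, via `-U` prompting or a credentials file, is preferable on a shared host, since `%PASSWORD` on the command line is visible in the process list.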



More information about the samba-technical mailing list