[HELP WANTED] Samba DNS Corruption: any examples?

Daniele Dario d.dario76 at gmail.com
Wed Nov 2 10:11:13 UTC 2016

On mer, 2016-11-02 at 09:56 +0000, Rowland Penny wrote:
> On Wed, 02 Nov 2016 10:37:18 +0100
> Daniele Dario <d.dario76 at gmail.com> wrote:
> 
> > 
> > 
> > 
> > On mer, 2016-11-02 at 08:58 +0000, Rowland Penny wrote:
> > > On Wed, 02 Nov 2016 09:12:25 +0100
> > > Daniele Dario <d.dario76 at gmail.com> wrote:
> > > 
> > > > G'Day,
> > > > 
> > > > On mar, 2016-11-01 at 22:16 +1300, Andrew Bartlett wrote:
> > > > > G'Day,
> > > > > 
> > > > > I'm chasing down an issue of DNS corruption for a customer,
> > > > > where an A record couldn't be deleted with Samba's normal
> > > > > tools, and had to be removed with ldbdel.
> > > > > 
> > > > > Sadly however we no longer have access to the corrupt record
> > > > > (oops), but there is nothing new under the sun, and if it is
> > > > > happening for one customer it is probably happening elsewhere.
> > > > > And in any case, the more examples the better with these things.
> > > > > 
> > > > > I'm aware of the ability of TXT records to be mis-parsed (it
> > > > > even got as far as a security hole), but if anybody has other
> > > > > records that get 'stuck' in our internal or BIND9 DLZ DNS
> > > > > servers, and can share those with me (in private is fine), that
> > > > > would be most helpful.
> > > > > 
> > > > > I'm looking for output from commands like:
> > > > > 
> > > > > bin/ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b "DC=773eed91-5cc6-4745-94c9-1c1796e377d0,DC=_msdcs.samba.example.com,CN=MicrosoftDNS,DC=forestDnsZones,DC=samba,DC=example,DC=com"
> > > > > 
> > > > > and 
> > > > > 
> > > > > bin/ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b "DC=773eed91-5cc6-4745-94c9-1c1796e377d0,DC=_msdcs.samba.example.com,CN=MicrosoftDNS,DC=forestDnsZones,DC=samba,DC=example,DC=com" --show-binary
> > > > > 
> > > > > Thanks!
> > > > > 
> > > > > Andrew Bartlett
> > > > 
> > > > I'm using samba 4.4.3 and tried the above searches.
> > > > 
> > > > I'm not familiar with ldbsearch so I copied the posted command and
> > > > just replaced $SERVER/$PASSWORD, samba.example.com with my realm
> > > > name saitel.loc and DC=samba,DC=example,DC=com with
> > > > DC=saitel,DC=loc but the only thing I get is 
> > > > 
> > > > search error - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read:
> > > > Error retrieving instanceType for base.
> > > > at ../source4/dsdb/samdb/ldb_modules/acl_read.c:362> <>
> > > > 
> > > > Am I missing something in the replacements, or does the search just
> > > > not find any record matching what I asked for?
> > > > 
> > > > Daniele.
> > > > 
> > > > 
> > > 
> > > The long string starting '773ee' will be different on your machine,
> > > try reading this:
> > > 
> > > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record#Determining_a_DCs_objectGUID
> > > 
> > > Rowland
> > > 
> > 
> > Yeah, thought something like that.
> > 
> > [root at kdc01:~]# ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD
> > '(invocationId=*)' --cross-ncs objectguid
> > resolve_lmhosts: Attempting lmhosts lookup for name kdc01<0x20>
> > # record 1
> > dn: CN=NTDS Settings,CN=KDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
> > objectGUID: 9f63d183-b54c-4487-af07-bc5a021e20fd
> > 
> > # record 2
> > dn: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
> > objectGUID: 0a384e9a-5178-4d03-bbbb-ac8372639405
> > 
> > # record 3
> > dn: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
> > objectGUID: be251245-387c-4a35-9554-a4ca6388bd55
> > 
> > # returned 3 records
> > # 3 entries
> > # 0 referrals
> > 
> > But even using KDC01 objectGUID I get
> > 
> > [root at kdc01:~]# ldbsearch -H ldap://$SERVER -Uadministrator%$PASSWORD -b "DC=be251245-387c-4a35-9554-a4ca6388bd55,DC=_msdcs.saitel.loc,CN=MicrosoftDNS,DC=forestDnsZnes,DC=saitel,DC=loc"
> > resolve_lmhosts: Attempting lmhosts lookup for name kdc01<0x20>
> > search error - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read: Error
> > retrieving instanceType for base.
> > at ../source4/dsdb/samdb/ldb_modules/acl_read.c:362> <>
> > 
> > So I don't understand if "acl_read: Error ..." means the query is wrong,
> > or the query is OK and it just doesn't find anything, which is not bad.
> > 
> > Daniele.
> > 
> 
> You have a typo, 'DC=forestDnsZnes' should be
> 'DC=forestDnsZones'.
> 
> Rowland
> 

Doh.
Damn copy&paste. Sorry for the noise.
Daniele.
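Added example, not part of this thread: a small POSIX sh helper that builds the base DN used in the ldbsearch commands above from the realm and the DC's objectGUID (the realm and GUID values are the ones quoted in the thread), so container names such as forestDnsZones are never retyped by hand. It assumes ldbsearch is on PATH and only invokes it when SERVER is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the base DN of a DC's
# _msdcs CNAME record for ldbsearch from REALM and the DC's objectGUID,
# so a typo in a container name cannot be mistaken for a missing record
# (both produce LDAP error 32 LDAP_NO_SUCH_OBJECT).

# realm_to_dn saitel.loc -> DC=saitel,DC=loc
realm_to_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

# guid_ok GUID: succeeds only for the 8-4-4-4-12 lower-case hex form
# that "ldbsearch ... objectguid" prints.
guid_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# msdcs_dn REALM GUID -> full base DN of the DC's _msdcs record
msdcs_dn() {
    realm=$1
    guid=$2
    guid_ok "$guid" || { echo "bad objectGUID: $guid" >&2; return 1; }
    printf 'DC=%s,DC=_msdcs.%s,CN=MicrosoftDNS,DC=forestDnsZones,%s\n' \
        "$guid" "$realm" "$(realm_to_dn "$realm")"
}

# Only runs ldbsearch when SERVER (and PASSWORD) are set in the environment;
# the objectGUID is passed as the first argument.
if [ -n "${SERVER:-}" ]; then
    base=$(msdcs_dn "${REALM:-saitel.loc}" "$1") || exit 1
    ldbsearch -H "ldap://$SERVER" -Uadministrator%"$PASSWORD" -b "$base" --show-binary
fi
```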