No NS record after recovering a domain

Stefan Kania stefan at kania-online.de
Wed Feb 9 19:12:27 UTC 2022


Hi to all,

I already wrote on the other mailing list that recovering a domain from
a backup with samba-tool will fail with a missing NS record for any
reverse zone. Here is my mail again:
------------------
Hi to all,

I have a problem recovering a domain with a reverse zone. I'm using the
following setup:
- Debian 11
- 4.15.5 packages from Louis
- original DC name addc-01
- new DC to recover the domain on a NEW VM named recover-dc1
  (the new DC is also Debian 11 with Louis' packages)

I do the recovery with:

samba-tool domain backup restore --backup-file
/root/samba-backup-2022-01-29T14-32-38.732614.tar.bz2
--targetdir=/var/lib/samba --newservername=recover-dc1

Then I did:
- cp /var/lib/samba/etc/smb.conf /etc/samba/smb.conf
- cp /var/lib/samba/private/krb5.conf /etc (set the DC name in the last
  line)
- samba-tool ntacl sysvolreset
- add "dns" to "server services" in smb.conf
- then a samba_upgradedns
- restart samba-ad-dc
- check name resolution and the SRV-records. Everything worked fine with
the internal DNS
- then samba_upgradedns --dns-backend=BIND9_DLZ
- remove "dns" from the "server services" in smb.conf
- switch to bind9 with samba_upgradedns --dns-backend=BIND9_DLZ
- restart samba-ad-dc and bind9

Then I got the messages:
 Loading 'AD DNS Zone' using driver dlopen
 samba_dlz: started for DN DC=example,DC=net
 samba_dlz: starting configure
 samba_dlz: configured writeable zone 'example.net'
 zone 56.168.192.in-addr.arpa/NONE: has no NS records
 samba_dlz: Failed to configure zone '56.168.192.in-addr.arpa'
 loading configuration: bad zone

I switched back to the internal DNS and checked the zone with "dig":
First the forward-zone:
--------------
root at recover-dc1:~# dig ns example.net

; <<>> DiG 9.16.22-Debian <<>> ns example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5882
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.net.                   IN      NS

;; ANSWER SECTION:
example.net.            900     IN      NS      recover-dc1.example.net.

;; AUTHORITY SECTION:
example.net.            3600    IN      SOA     recover-dc1.example.net. hostmaster.example.net. 68 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.56.103#53(192.168.56.103)
;; WHEN: Mon Feb 07 17:39:17 CET 2022
;; MSG SIZE  rcvd: 102
--------------

Then the reverse zone:
----------------------
root at recover-dc1:~# dig ns 56.168.192.in-addr.arpa

; <<>> DiG 9.16.22-Debian <<>> ns 56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53249
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;56.168.192.in-addr.arpa.       IN      NS

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 3600   IN      SOA     recover-dc1.example.net. hostmaster.example.net. 9 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.56.103#53(192.168.56.103)
;; WHEN: Mon Feb 07 17:39:59 CET 2022
;; MSG SIZE  rcvd: 111
----------------------

No NS record.
I added an NS record:
samba-tool dns add recover-dc1 56.168.192.in-addr.arpa @ NS
recover-dc1.example.net -U administrator

switched back to bind9 and everything was working.

Now my question:

Is this a bug or a feature? It would be nice if a reverse zone would
work correctly after a recovery.
-----------------

I'm posting it here on the technical list because two of my customers are
having the same problem. I tried it again with different setups, and it
always ended with the missing NS record.

Stefan
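The check a practitioner would want between the "internal DNS works" step and the switch to BIND9_DLZ is exactly the one the post ends up doing by hand: query each reverse zone for an apex NS record and, where dig answers only with the SOA in the AUTHORITY section, emit the samba-tool command that adds it. The script below is an added example, not code from the post or from the Samba project. It assumes dig (bind9-dnsutils) is installed on the restored DC, that the internal DNS server is still serving while you run it, and that zone names are fed one per line on stdin; the file name ns-check.sh and the sample_reply self-test data (taken from the post's two dig outputs) are assumptions of this example.

```shell
#!/bin/sh
# Check that every reverse zone on a restored DC has an apex NS record before
# switching to BIND9_DLZ. Added example, not code from the post or from Samba.
# Assumes: dig (bind9-dnsutils) on the DC, the internal DNS still serving, and
# samba-tool for the fix. The script name ns-check.sh is hypothetical.
set -eu

# Print the NS targets found in the ANSWER section of a `dig ns <zone>` reply
# read from stdin. Prints nothing when the apex has no NS record; dig then
# answers only with the SOA in the AUTHORITY section, as the post shows.
ns_targets_from_dig() {
    awk -v zone="$1." '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $1 == zone && $3 == "IN" && $4 == "NS" { print $5 }'
}

# Succeed when the zone has at least one apex NS record on the given server.
zone_has_ns() {
    zone=$1; server=$2
    [ -n "$(dig "@$server" +norecurse ns "$zone" | ns_targets_from_dig "$zone")" ]
}

# Print (do not run) the samba-tool command that adds the missing record,
# the same fix the post applied by hand; the operator reviews it first.
fix_command() {
    zone=$1; dc=$2; dc_fqdn=$3
    printf 'samba-tool dns add %s %s @ NS %s -U administrator\n' "$dc" "$zone" "$dc_fqdn"
}

# Read zone names on stdin, skip forward zones, report reverse zones without
# an NS record. Returns 1 if any zone needs fixing.
check_reverse_zones() {
    dc=$1; dc_fqdn=$2; rc=0
    while read -r zone; do
        case $zone in
            *.in-addr.arpa|*.ip6.arpa) ;;
            *) continue ;;
        esac
        if zone_has_ns "$zone" "$dc"; then
            echo "ok      $zone"
        else
            echo "MISSING $zone"
            echo "  fix:  $(fix_command "$zone" "$dc" "$dc_fqdn")"
            rc=1
        fi
    done
    return $rc
}

# Sample replies taken from the post's two dig outputs (answer/authority
# sections only), used to exercise the parser without a live DC.
sample_reply() {
    case $1 in
        example.net)
            printf '%s\n' ';; ANSWER SECTION:' \
                'example.net.            900     IN      NS      recover-dc1.example.net.' \
                '' ';; AUTHORITY SECTION:' \
                'example.net.            3600    IN      SOA     recover-dc1.example.net. hostmaster.example.net. 68 900 600 86400 3600' ;;
        56.168.192.in-addr.arpa)
            printf '%s\n' ';; AUTHORITY SECTION:' \
                '56.168.192.in-addr.arpa. 3600   IN      SOA     recover-dc1.example.net. hostmaster.example.net. 9 900 600 86400 3600' ;;
    esac
}

# Usage on the restored DC, one zone per line on stdin, e.g.
#   echo 56.168.192.in-addr.arpa | sh ns-check.sh recover-dc1 recover-dc1.example.net
if [ $# -ge 2 ]; then
    check_reverse_zones "$1" "$2"
fi
```

Run it after the internal-DNS check and before `samba_upgradedns --dns-backend=BIND9_DLZ`, once per reverse zone the domain hosts; a non-zero exit means at least one zone would trigger the "has no NS records" / "bad zone" error from samba_dlz. The script prints the samba-tool command rather than running it so the fix is a deliberate step on the DC, in the same form the post used.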

