[Samba] samba4 AD DNS zone corrupted

Stephen Jones lloydsystems at fastmail.com.au
Wed Nov 28 19:26:03 MST 2012


Hi,

If you want to delete the TXT record my suggestion would be to use
nsupdate.  This tool is part of BIND.  My advice would be to avoid
samba-tool, or at least the dns part of it.  When I tried to use it I
just got errors.  I think it's still rather experimental.  But nsupdate
works.

One catch.  DNS update requests to AD must be Kerberos authenticated.
This means you need the krb5 tool kinit.  I use CentOS, and this is part
of the krb5-workstation package.  I don't know what you are using so I
can't advise there.  Run kinit and authenticate as the domain
administrator:

# kinit Administrator
Response:
  Password for Administrator@MYDOMAIN.LOCAL: mypassword
Then launch nsupdate:
# nsupdate -g
To delete the TXT record:
  update delete mydomain.local TXT
  send

If you still have problems you could use nsupdate to update all the main
zone entry records for the AD domain.  To update a record just enter it
again with the new values.  Therefore:

update add mydomain.local 3600 SOA server.mydomain.local hostmaster.mydomain.local serial-no 900 600 86400 3600
update add mydomain.local 3600 NS server.mydomain.local
update add mydomain.local 3600 A 192.168.0.1
update add server.mydomain.local 3600 A 192.168.0.1
send

These are the records created by Samba when provisioning the domain. 
Obviously adjust values to suit your hostname and IP address and
increment the serial.  You can use dig to report everything you
currently have:
# dig -t ANY mydomain.local

For the record, I have a TXT record in my AD domain and it doesn't cause
a problem.  I can't recall whether I added it with nsupdate or the
Windows DNS Manager, but I think it was the latter.  Good luck.

Regards,

Stephen Jones
Lloyd Systems Engineering



On Thu, Nov 29, 2012, at 10:59 AM, Johannes Schmid wrote:
> On 11/27/2012 08:32 PM, Matthieu Patou wrote:
>  >On 11/27/2012 02:56 PM, Johannes Schmid wrote:
>  >>
>  >> # samba-tool dns query sambapdc.mydomain.local mydomain.local @ ALL
>  >>
>  >> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>  >>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 162, in _run
>  >>     return self.run(*args, **kwargs)
>  >>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 925, in run
>  >
>  > Can you restart samba ?
>  > Also can you rerun this command with -d 10 and post the log on the
>  > list ?
> 
> Restarting samba did not help (I already tried that multiple times).
> 
> But thanks for the hint. I should have tried that myself! Anyway, I
> found what the problem is. Basically the problem cannot be seen in the
> samba-tool dns query debug output, but it can be seen on the samba
> *server* debug output. It looks like the problem is an invalid record in
> the DNS zone:
> 
> [2012/11/29 00:30:46,  2] ../source4/rpc_server/dnsserver/dnsdb.c:136(dnsserver_db_enumerate_zones)
>    dnsserver: Found DNS zone .
> [2012/11/29 00:30:46,  2] ../source4/rpc_server/dnsserver/dnsdb.c:136(dnsserver_db_enumerate_zones)
>    dnsserver: Found DNS zone mydomain.local
> [2012/11/29 00:30:46,  2] ../source4/rpc_server/dnsserver/dnsdb.c:136(dnsserver_db_enumerate_zones)
>    dnsserver: Found DNS zone 122.168.192.in-addr.arpa
> [2012/11/29 00:30:46,  2] ../source4/rpc_server/dnsserver/dnsdb.c:136(dnsserver_db_enumerate_zones)
>    dnsserver: Found DNS zone _msdcs.mydomain.local
> [2012/11/29 00:30:46,  1] ../librpc/ndr/ndr.c:411(ndr_pull_error)
>    ndr_pull_error(11): Pull bytes 10 (../librpc/ndr/ndr_basic.c:420)
> [2012/11/29 00:30:46,  0] ../source4/rpc_server/dnsserver/dnsdata.c:782(dns_fill_records_array)
>    dnsserver: Unable to parse dns record (DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local)
> Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
> [2012/11/29 00:30:46,  5] ../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
>    imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.0:0.43
> [2012/11/29 00:30:46,  3] ../source4/smbd/process_single.c:104(single_terminate)
>    single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
> 
> I now remember that I added the _kerberos.mydomain.local TXT record in 
> the Windows DNS administration MSC GUI. I now know that it is not 
> necessary at all and that it shouldn't be there :)
> 
> But I get an error when trying to delete the record:
> 
> # samba-tool dns delete sambapdc.mydomain.local mydomain.local _kerberos TXT MYDOMAIN.LOCAL
> ERROR: Deleting record of type TXT is not supported
> 
> Looks like samba isn't ready for handling TXT records in DNS :-( 
> Unfortunately, I somehow got my TXT record into the zone and I have no 
> idea how to remove it again.
> 
> Again, any help is really appreciated!
> 
> 
> 
> -----
> 
> PS: For completeness, here is the requested output:
> 
> # samba-tool dns query sambapdc.mydomain.local mydomain.local @ ALL -d 10
> INFO: Current debug levels:
>    all: 10
>    tdb: 10
>    printdrivers: 10
>    lanman: 10
>    smb: 10
>    rpc_parse: 10
>    rpc_srv: 10
>    rpc_cli: 10
>    passdb: 10
>    sam: 10
>    auth: 10
>    winbind: 10
>    vfs: 10
>    idmap: 10
>    quota: 10
>    acls: 10
>    locking: 10
>    msdfs: 10
>    dmapi: 10
>    registry: 10
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:sambapdc.mydomain.local[,sign]
> Mapped to DCERPC endpoint 135
> added interface br0 ip=fe80::ea40:f2ff:fe3e:4e04%br0 bcast=fe80::ffff:ffff:ffff:ffff%br0 netmask=ffff:ffff:ffff:ffff::
> added interface vnet0 ip=fe80::fc54:ff:fe13:2bb1%vnet0 bcast=fe80::ffff:ffff:ffff:ffff%vnet0 netmask=ffff:ffff:ffff:ffff::
> added interface br0 ip=192.168.35.30 bcast=192.168.35.255 netmask=255.255.255.0
> added interface br0 ip=fe80::ea40:f2ff:fe3e:4e04%br0 bcast=fe80::ffff:ffff:ffff:ffff%br0 netmask=ffff:ffff:ffff:ffff::
> added interface vnet0 ip=fe80::fc54:ff:fe13:2bb1%vnet0 bcast=fe80::ffff:ffff:ffff:ffff%vnet0 netmask=ffff:ffff:ffff:ffff::
> added interface br0 ip=192.168.35.30 bcast=192.168.35.255 netmask=255.255.255.0
> Mapped to DCERPC endpoint 1024
> added interface br0 ip=fe80::ea40:f2ff:fe3e:4e04%br0 bcast=fe80::ffff:ffff:ffff:ffff%br0 netmask=ffff:ffff:ffff:ffff::
> added interface vnet0 ip=fe80::fc54:ff:fe13:2bb1%vnet0 bcast=fe80::ffff:ffff:ffff:ffff%vnet0 netmask=ffff:ffff:ffff:ffff::
> added interface br0 ip=192.168.35.30 bcast=192.168.35.255 netmask=255.255.255.0
> added interface br0 ip=fe80::ea40:f2ff:fe3e:4e04%br0 bcast=fe80::ffff:ffff:ffff:ffff%br0 netmask=ffff:ffff:ffff:ffff::
> added interface vnet0 ip=fe80::fc54:ff:fe13:2bb1%vnet0 bcast=fe80::ffff:ffff:ffff:ffff%vnet0 netmask=ffff:ffff:ffff:ffff::
> added interface br0 ip=192.168.35.30 bcast=192.168.35.255 netmask=255.255.255.0
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Ticket in credentials cache for administrator@mydomain.local will expire in 35471 secs
> Received smb_krb5 packet of length 1286
> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
> gensec_gssapi: credentials were delegated
> GSSAPI Connection will be cryptographically signed
> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 4
> rpc reply data:
> [0000] 00 00 00 00 00 00 00 00   67 05 00 00              ........ g...
> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 162, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 925, in run
>      None)
> 
> 
> -- 
> Best regards,
>    -Johannes.
-- 
  Stephen Jones
  lloydsystems at fastmail.com.au
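Stephen's kinit/nsupdate procedure above, scripted as an added example (not code from the thread): it builds the nsupdate batch that deletes the apex TXT record and re-adds the SOA/NS/A records Samba provisions with an incremented serial, refuses to run without a valid Kerberos ticket, and re-checks the zone with dig. The zone, host and IP values are placeholders; it assumes MIT krb5 (kinit/klist) and BIND's nsupdate/dig are installed.

```shell
#!/bin/sh
# Added example, not from the list post. Drives the nsupdate procedure
# non-interactively. Placeholder values: mydomain.local, server.mydomain.local,
# 192.168.0.1. Assumes MIT krb5 (kinit/klist) and BIND (nsupdate/dig).
set -eu

# Emit the nsupdate batch: remove the stray TXT record at the zone apex and
# re-assert the apex records Samba creates at provisioning time. The SOA
# serial is bumped so replication partners pick up the change.
# Arguments: zone host ip old_serial
build_batch() {
    zone=$1; host=$2; ip=$3; old_serial=$4
    new_serial=$((old_serial + 1))
    printf 'update delete %s TXT\n' "$zone"
    printf 'update add %s 3600 SOA %s hostmaster.%s %d 900 600 86400 3600\n' \
        "$zone" "$host" "$zone" "$new_serial"
    printf 'update add %s 3600 NS %s\n' "$zone" "$host"
    printf 'update add %s 3600 A %s\n' "$zone" "$ip"
    printf 'update add %s 3600 A %s\n' "$host" "$ip"
    printf 'send\n'
}

# Read the current SOA serial from the DC. `dig +short -t SOA` prints
# "mname rname serial refresh retry expire minimum", so the serial is field 3.
current_serial() {
    dig +short -t SOA "$1" @"$2" | awk '{print $3}'
}

# Apply the batch over a GSS-TSIG (Kerberos) signed update. nsupdate -g takes
# the ticket from the credentials cache, so refuse to run without a valid one
# (klist -s exits non-zero when the cache has no unexpired TGT).
apply_update() {
    zone=$1; host=$2; ip=$3
    klist -s || { echo "no valid Kerberos ticket; run: kinit Administrator" >&2; return 1; }
    serial=$(current_serial "$zone" "$host")
    build_batch "$zone" "$host" "$ip" "$serial" | nsupdate -g
    # Confirm the TXT record is gone and the apex records are as expected.
    dig -t ANY "$zone" @"$host"
}

# Usage with the placeholder values:
#   apply_update mydomain.local server.mydomain.local 192.168.0.1
```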