[Samba] recreate/re-provision DNS db from scratch?

Bram Matthys syzop at vulnscan.org
Tue Feb 24 14:04:45 MST 2015


Hi Marc,

Thanks for getting back to me.

Marc Muehlfeld wrote on 24-2-2015 21:12:
> Hello Bram,
> 
> On 24.02.2015 at 12:37, Bram Matthys wrote:
>> Is there a way to re-initialize/re-provision DNS?
> 
> No.
> 

That would be a pity.

>> well.. I suppose since I started with 4.0.6 (migrated from Samba 3.x) but
>> from a user's point of view everything worked fine.. it was mostly the DNS
>> management from group policy that wasn't working.
>> ...
>> Today I wanted to install 4.1.17 but after the upgrade things go bad. On one
>> hand DNS seems to work fine (can resolve the DC, etc).
> 
> You did an update from an old version. There were some changes
> meanwhile, you have to pay attention:
> https://wiki.samba.org/index.php/Updating_Samba#Other_changes_you_should_pay_attention_to.2C_when_updating

Right. The first two, the PEM files and the LDAP DNS entries, are fixed by
Samba when it starts/runs, right?

Then the 3rd one, "Fixing dynamic DNS update problems (updating from <
4.0.7)", refers to this URL:
https://wiki.samba.org/index.php/Fix_DNS_dynamic_updates_in_Samba_versions_prior_4.0.7
This is what I attempted. As you can see in my original e-mail, it resulted
in a mysterious "Memory allocation error" (with X GB free, so it must be
something else). Let me paste a bit more context of the error:

# dns query 192.168.2.4 jnet.hermanjordan.nl @ ALL
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
params.c:pm_process() - Processing configuration file "/etc/smb_shares.conf"
..
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:192.168.2.4[,sign]
Mapped to DCERPC endpoint 135
added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
ERROR(runtime): uncaught exception - (-1073741801, 'Memory allocation error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 987, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

and

# /usr/local/samba/bin/samba-tool dns zonelist 192.168.2.4
..
Using binding ncacn_ip_tcp:192.168.2.4[,sign]
Mapped to DCERPC endpoint 135
added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
ERROR(runtime): uncaught exception - (-1073741801, 'Memory allocation error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 809, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

I also ran all the commands mentioned in the section called "Updates of
early Samba 4 version on Samba Active Directory DCs". So I ran the dbcheck,
the ntacl sysvolreset, etc.

> - How many DCs do you have?
> - What Samba versions do your DCs run?
> - Does replication work?

One Samba server (DC & file server), no replication, 4.0.6, and this is my
Xth attempt to upgrade the #@$^ thing. Each time it ends up broken and I
have to roll back, unfortunately. And each time I hope a new version fixes
the issue or that I can find the cause. As you can imagine this is quite a
problem, not least with regard to security.

The machine is a virtualized host on KVM, Linux, fully up-to-date Debian 7.8
(wheezy), 64-bit. Not sure what else to say about it.

> - Do you use the internal DNS or BIND_DLZ?

Internal.

Also, I'm using './configure' without any arguments. All pretty standard, I
would say.

> - Is Samba/BIND listening on port 53 (netstat -taunp|grep :53)
> - Do DNS entries resolve on the server (try
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS)

Resolving works fine both on the box itself (I tested 'host
jnet.hermanjordan.nl 127.0.0.1' and on the 192.168.2.4 LAN IP) and from the
Windows client. I must confess I did not check the two SRV records at that
time (but see next).

I can log in from a Windows client, but in the event log and with gpupdate I
get strange errors about not finding the logon server or being unable to
look up the computer name or account name (well, what I wrote earlier).
Similarly, on Windows the DNS MMC tool sometimes gave an error after
connecting to the DC about DNS not being available for management (so to
speak). Then a minute later or after a restart it worked, then a little later
it broke again, and after F5 it's completely broken again. Broken as in: the
UI says there's a problem with the zone file. That's on 4.1.17 and that's
why I think there must be something broken... it shouldn't flip-flop.

I would tend to think that all the issues I'm seeing, 1) samba-tool dns
giving a mysterious error, 2) the DNS MMC/RSAT tool giving strange results,
and 3) the errors on the client with regards to group policy, are all
related / caused by the same thing. But I'm stuck as to how to proceed.

If there's no way to re-provision/re-create all the DNS stuff, then do you
have any ideas on the "samba-tool dns" issues? If it's all the same issue,
then that one may be the best entry point to debug my issue? (Samba speaking
to Samba, after all.)
The command works on 4.0.6 (but, again, I don't want to be stuck with such
an old version), but not on 4.1.17.
Unless, of course, that issue is completely unrelated. I kinda hope it's
related, though.

Thanks a lot for taking the time to look into this!

Bram.


-- 
Bram Matthys
Software developer/IT consultant        syzop at vulnscan.org
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
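As an added example (not part of Bram's or Marc's mail, and not Samba's own code): a small POSIX shell script that performs the checks Marc asks about, i.e. whether anything listens on port 53 and whether the SRV and A records from the HOWTO's "Testing DNS" section resolve, which is exactly the SRV check Bram says he skipped. The parsing is split into functions that read host(1) and netstat(8) output on stdin, so the checks can be exercised offline on constructed sample output; the domain and host names and the sample output below are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: sanity checks for a Samba AD DC's DNS, modelled on the
# "Testing DNS" steps of the Samba AD DC HOWTO. Names are placeholders.

# parse_srv: read host(1) output for an SRV query on stdin and print the
# target host (last field) of every SRV record; exit 1 if none was found.
# Example host(1) line (constructed):
#   _ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
parse_srv() {
    awk '/ has SRV record / { print $NF; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# parse_a: read host(1) output for an A query on stdin and print the address.
# Example line (constructed): dc1.example.com has address 192.0.2.10
parse_a() {
    awk '/ has address / { print $NF; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# port53_listening: read `netstat -taun` output on stdin and exit 0 only if
# a TCP socket on port 53 is in LISTEN state or a UDP socket is bound to 53.
# Column layout: Proto Recv-Q Send-Q Local-Address Foreign-Address [State]
port53_listening() {
    awk '($1 == "tcp" || $1 == "tcp6") && $4 ~ /:53$/ && $6 == "LISTEN" { ok = 1 }
         ($1 == "udp" || $1 == "udp6") && $4 ~ /:53$/ { ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# check_ad_dns DOMAIN DC_FQDN [SERVER]: run the HOWTO's queries against
# SERVER (default: the resolver from /etc/resolv.conf) and report results.
# Returns 1 if any check fails. Requires host(1) and netstat(8).
check_ad_dns() {
    domain=$1; dc=$2; server=${3:-}
    rc=0
    # AD clients find the DC through these two SRV records.
    for rec in "_ldap._tcp.$domain" "_kerberos._udp.$domain"; do
        # $server is intentionally unquoted so an empty value expands to nothing
        if target=$(host -t SRV "$rec" $server | parse_srv); then
            echo "OK   SRV $rec -> $(echo $target)"
        else
            echo "FAIL SRV $rec missing"; rc=1
        fi
    done
    if addr=$(host -t A "$dc" $server | parse_a); then
        echo "OK   A   $dc -> $addr"
    else
        echo "FAIL A   $dc does not resolve"; rc=1
    fi
    if netstat -taun 2>/dev/null | port53_listening; then
        echo "OK   port 53 has a listener"
    else
        echo "FAIL nothing listening on port 53"; rc=1
    fi
    return $rc
}

# Live run only when a domain and DC name are given, e.g.:
#   sh check_ad_dns.sh example.com dc1.example.com 192.0.2.10
if [ "$#" -ge 2 ]; then
    check_ad_dns "$@"
fi
```

Run it on the DC itself first (the HOWTO tests against the DC's own address) and then from a client; a missing `_ldap._tcp` or `_kerberos._udp` SRV record, rather than a failing A lookup, is what produces the "cannot find logon server" class of client errors, so the two results are worth reading separately.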
