[Samba] inconsistent DNS information, windows domain member issues..

mathias dufresne infractory at gmail.com
Fri Jun 10 11:17:56 UTC 2016


2016-06-08 21:47 GMT+02:00 Jo <j.o.l at live.com>:

> I am omitting a lot of old stuff..
>
> >    -----Original Message-----
> >    From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> >    mathias dufresne
> >    Sent: Monday, 6 June 2016 12:01
> >    To: Rowland penny <rpenny at samba.org>
> >    Cc: samba <samba at lists.samba.org>; Jo <j.o.l at live.com>
> >    Subject: Re: [Samba] inconsistent DNS information, windows domain
> >    member issues..
> >
> >    To regenerate dns.keytab I expect you only need to relaunch
> >    samba_upgradedns --dns-backend=BIND9_DLZ.
> >    If I'm wrong (it happens quite often) you would have to first launch:
> >    samba_upgradedns --dns-backend=SAMBA_INTERNAL and then
> >    samba_upgradedns --dns-backend=BIND9_DLZ
> >
> >    Here you should have a dns.keytab.
> >
> Worked, thanks a lot.
>
> >    Now, rights issues: dns related files in samba/private must be
> >    accessible to the UNIX user running the Bind process. That means changing
> >    rights on files and on private (at least "x" permission to go through it).
> >
> My bind is running as root right now, and the authorizations look ok to
> me. Also don't see log entries that contradict that.
>

If you are running the Bind9 DLZ DNS back-end, try "dig -t SOA
samba.lindenberg.one @<ip dc1>", then change <ip dc1> to <ip dc2>.
Both commands should reply in the "ANSWER SECTION" with <ip dc1> when asking
DC1 and with <ip dc2> when asking DC2.

A simple way I use to check my Bind is well configured is to launch
"samba_dnsupdate" (when /etc/resolv.conf points to the local DC). Doing that,
samba_dnsupdate uses nsupdate, which is part of Bind utils; nsupdate uses the
DNS protocol to push updates into AD, into the DNS server received as SOA
(SOA means Start Of Authority, which means nothing for most of us, but SOA
means "where to push updates" in fact, so nsupdate will ask for the SOA -
that's why the previous requests ;) - and use the received SOA - which
should be the local server - to push updates).
If samba_dnsupdate works without errors, even when doing "samba_dnsupdate
--all-names", Bind should be OK locally if /etc/resolv.conf points to the
local server.

Not clear, that bunch of explanations... Hoping it is understandable :s


>
> >    And another note about 'islanding': this issue does not exist on recent
> >    Samba. In fact I never had this issue with any of the Samba versions we
> >    tried, and we tried almost all since 4.1.x (a big year). The issue wasn't
> >    there when we tried to make Samba's internal DNS work (which we stopped)
> >    and is not there either using the Bind9+DLZ DNS backend.
> >    Islanding (https://support.microsoft.com/en-us/kb/275278) is solved in
> >    MS Windows Server 2012. It's a stupid bug from MS; they - as everyone -
> >    make mistakes sometimes. The Samba team also makes mistakes sometimes,
> >    but that one wasn't reproduced. Islanding does not exist with Samba AD DC.
> >
> >    Obviously you can use localhost as DNS resolver only once you have
> >    joined the DC to the domain and after replication happened. Otherwise
> >    your new DC will have empty DNS zones and so no reply.
> >
> >    If my English understanding is correct enough this was even told by
> >    Andrew Bartlett in a mail from May the 26th around 20h20 UTC, the title
> >    was "[Samba] DC2: TKEY is unacceptable, Failed DNS update?":
> >    "Yes, it should use itself as the DNS server, once the initial
> >    registration work is done."
> >
> I am also not a native speaker in English but my take is the same.
>

:)


>
> >    2016-06-05 20:46 GMT+02:00 Rowland penny <rpenny at samba.org>:
> [dropped lots]
>
> Now with the changes I still get the following in the log of dc2, at least
> occasionally.
>
> [2016/06/08 20:10:13.832105,  0] ../source4/librpc/rpc/dcerpc_sock.c:240(continue_ip_open_socket)
>   Failed to connect host 192.168.177.21 (7fb38333-aced-4ce8-9a15-a3f6459ecc2a._msdcs.samba.lindenberg.one) on port 135 - NT_STATUS_CONNECTION_REFUSED.
>

Just try:
dig 7fb38333-aced-4ce8-9a15-a3f6459ecc2a._msdcs.samba.lindenberg.one
from all DCs (if the DCs' DNS resolvers point to themselves; if they point to
the same DNS server, use @<DC IP> in addition to really test DNS on all your
DCs).

The answer to that dig should be some CNAME. That record is used for
replication and must exist for replication to work (I believe, at least ;)

If it appears only when asking one DC, databases are not well synched.

My very not perfect script to force synchronisation:
#!/bin/bash
# Force a replication of every naming context (partition) from the given
# source DC to this DC.

sam=/var/lib/samba/private/sam.ldb

function usage() {
  echo "This script is meant to replicate data coming from given DC"
  echo "Usage:"
  echo "$0 <IP source>"
  echo "or"
  echo "$0 <source DC name>"
  exit 1
}

# Refuse to run without a source DC argument that answers a ping
if [ ! "$1" ] || ! ping -c 1 "$1" > /dev/null 2>&1
then
  usage
fi

DC_SRC=$1
DC_DST=$(hostname)

# sam.ldb.d holds one <partition DN>.ldb per naming context (metadata.tdb is
# not a partition and is skipped by the *.ldb glob); the file name minus
# .ldb is the DN that samba-tool drs replicate expects
for f in "$sam.d"/*.ldb
do
  DIT=$(basename "$f" .ldb)
  echo "$DIT"
  samba-tool drs replicate "$DC_DST" "$DC_SRC" "$DIT" \
    --add-ref --sync-forced --sync-all --full-sync --local
done




>
> I write occasionally because I tried restarting samba on dc2 and then the
> message did not appear.
>
> Nothing suspicious in log of dc1.
>
> Getting back to my initial issue list:
>
> >    -----Original Message-----
> >    From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Jo
> >    Sent: Sunday, 5 June 2016 11:06
> >    To: 'samba' <samba at lists.samba.org>
> >    Subject: [Samba] inconsistent DNS information, windows domain member
> >    issues..
> >
> >    I joined a Windows 10 Pro system to my (still experimental) domain. The
> >    windows system actually hosts DC2 as a VM, and another Windows (Server
> >    2008 R2) at another location hosts DC1 also as a VM. The two locations
> >    are connected via a VPN, both systems run only when needed. The windows
> >    system does not directly use DC2 for DNS but instead talks to a DNS
> >    resolver that delegates the samba Domain to DC2. DC2 uses itself as
> >    nameserver.
> >
> >    I am observing the following issues that may be related or not:
> >
> >    *       When I do a nslookup samba.domain DC2 I get the address of DC1,
> >    nslookup DC2.sambadomain DC2 fails. Nslookup DC1.samba.domain DC2
> >    works.
> >    When I use dig @DC2 samba.domain it returns DC1 only. Dig
> >    samba.domain ANY returns
> >
>
> Dig reports now the same information on dc1 and dc2. However it reports
> the old and the new IP address of DC2. I was able to clean this up by
> deleting the extra A record. Afterwards the extra A record was gone. Same
> for nslookup on Ubuntu.
>
> >    *       windows nslookup -type=ANY samba.domain (without .) looks for
> >    samba.domain.domain. Is this OK or does it point to a problematic
> >    search configuration?
> >
> Works properly now. DNS mmc snap-in shows consistent information.
>
> >
> >    *       In windows management console, only some of the domain
> >    users&principals are shown with the name domain\identity, most of them
> >    are shown S-xxx. With the one user shown domain\user I can logon to the
> >    windows system however (likely with cached credentials, but don't dare
> >    to change them to confirm)
> >
> >    *       When I try to modify folder permissions on the windows system,
> >    I get a message “Unable to contact Active Directory to access or verify
> >    claim types”
> >
> These two issues still exist.
>

I would try to re-join that client (lazy debug)


>
> >    *       On DC2: kinit Administrator returns “kinit: Cannot contact any
> >    KDC for realm ‘samba.domain’ while getting initial credentials. This
> >    one was easy to fix by adding the domain to /etc/krb5.conf. I am putting
> >    this in as I changed configuration at this point..
> >
> Working.
>
> In essence, the windows member is unable to use any information from
> Samba. The lookup described in
> https://wiki.samba.org/index.php/Testing_DNS_Name_Resolution does work
> and reports both dcs as expected.
> I checked the Windows system log. There is some noise about group policies
> and missing updates of the host address. The most relevant record shows:
> "This computer was not able to set up a secure session with a domain
> controller in domain SAMBA due to the following:
> There are currently no logon servers available to service the logon
> request.
> This may lead to authentication problems. Make sure that this computer is
> connected to the network. If the problem persists, please contact your
> domain administrator.
>
> ADDITIONAL INFO
> If this computer is a domain controller for the specified domain, it sets
> up the secure session to the primary domain controller emulator in the
> specified domain. Otherwise, this computer sets up the secure session to
> any domain controller in the specified domain."
>
> Looks like Windows 10 Pro expects encrypted configuration by default -
> which is totally OK to me. But which connection(s)? LDAP as in
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC?
> And what certificates does a Windows host trust by default? I can easily
> use a Letsencrypt certificate if that is OK to windows..
>
> Thanks once more for your support.
> Joachim
>
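The two dig checks suggested in this reply (the SOA of the AD zone from each DC, and the _msdcs CNAME of the DC GUID from the dc2 log line), scripted as an added example that is not part of the original mail. It assumes dig from bind9-dnsutils, and that Samba answers the SOA with the name of the DC that replied in the MNAME field, which is the behaviour the reply describes; the DC names and IPs passed on the command line are placeholders.

```shell
#!/bin/bash
# Added example, not from the original mail: run the two checks the reply asks
# for against each DC: the SOA of the AD zone (assumption: Samba fills the SOA
# MNAME field with the name of the DC that answered) and the _msdcs CNAME for
# the DC GUID quoted in the dc2 log line. Assumes dig from bind9-dnsutils.
ZONE="samba.lindenberg.one"
DC_GUID="7fb38333-aced-4ce8-9a15-a3f6459ecc2a"

# Keep only the resource records of dig's ANSWER SECTION (dig output on stdin).
answer_section() {
  awk '/^;; ANSWER SECTION:/ { on = 1; next }
       /^$/                  { on = 0 }
       on && !/^;/'
}

# RDATA (5th field) of the first ANSWER record of type $1, or NONE when the
# answer is empty (e.g. NXDOMAIN). Usage: dig ... | answer_rdata CNAME
answer_rdata() {
  local r
  r=$(answer_section | awk -v t="$1" '$4 == t { print $5; exit }')
  echo "${r:-NONE}"
}

# Lower-case and strip the trailing dot so dc1.x. and DC1.x compare equal.
norm() { printf '%s\n' "${1%.}" | tr '[:upper:]' '[:lower:]'; }

# Compare what a DC answered with what it should answer; status 0 = consistent.
check_dc_answers() {
  local dc_fqdn="$1" mname="$2" cname="$3" rc=0
  [ "$(norm "$mname")" = "$(norm "$dc_fqdn")" ] ||
    { echo "SOA MNAME is $mname, expected $dc_fqdn"; rc=1; }
  [ "$cname" != "NONE" ] ||
    { echo "no CNAME for ${DC_GUID}._msdcs.${ZONE} from this DC"; rc=1; }
  return $rc
}

# Live use, pairs of expected DC name and IP to query (placeholders), e.g.
#   ./dccheck.sh <dc1 fqdn> <ip dc1> <dc2 fqdn> <ip dc2>
run_live() {
  while [ $# -ge 2 ]; do
    local m c
    m=$(dig +norecurse -t SOA "$ZONE" "@$2" | answer_rdata SOA)
    c=$(dig "${DC_GUID}._msdcs.${ZONE}" "@$2" | answer_rdata CNAME)
    echo "== $2: SOA MNAME=$m CNAME=$c"
    check_dc_answers "$1" "$m" "$c"
    shift 2
  done
}

if [ $# -gt 0 ]; then run_live "$@"; fi
```

A DC whose SOA MNAME is another DC, or which returns NONE for the GUID CNAME, is the one whose zone data is out of sync.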