[Samba] debugging bind9_DLZ

Bob of Donelson Trophy bob at donelsontrophy.net
Sat Nov 5 00:33:40 UTC 2016


On 2016-11-04 13:27, Bob of Donelson Trophy via samba wrote:

> On 2016-11-04 12:43, Rowland Penny via samba wrote:
> 
>> On Fri, 04 Nov 2016 12:29:42 -0500
>> Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:
>> 
>>> On 2016-11-04 12:07, Rowland Penny via samba wrote:
>>> 
>>>> On Fri, 04 Nov 2016 11:49:16 -0500
>>>> Bob of Donelson Trophy <bob at donelsontrophy.net> wrote:
>>>> 
>>>>> On 2016-11-04 11:31, Rowland Penny via samba wrote:
>>>>> 
>>>>>> <<<<<  cut >>>>>>>>
>>>>>> 
>>>>>>> root at dtdc03:~# samba-tool dns zonelist dtdc03
>>>>>>> 3 zone(s) found
>>>>>>> 
>>>>>>> pszZoneName                 : xxx.168.192.in-appr.arpa
>>>>>>> Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>>>>>> ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>>>> Version                     : 50
>>>>>>> dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>>>>>> pszDpFqdn                   : DomainDnsZones.dtshrm.dt
>>>>>>> 
>>>>>>> pszZoneName                 : dtshrm.dt
>>>>>>> Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>>>>>> ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>>>> Version                     : 50
>>>>>>> dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>>>>>> pszDpFqdn                   : DomainDnsZones.dtshrm.dt
>>>>>>> 
>>>>>>> pszZoneName                 : _msdcs.dtshrm.dt
>>>>>>> Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>>>>>> ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>>>>> Version                     : 50
>>>>>>> dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>>>> pszDpFqdn                   : ForestDnsZones.dtshrm.dt
>>>>>>> 
>>>>>>> These three look correct, but I am not sure as I am not familiar
>>>>>>> with this detail.
>>>>>>> 
>>>>>>> If it matters, I have two DCs but neither will reversedns.
>>>>>>> (Thought I had this working and discovered yesterday that one DC
>>>>>>> was not working properly. Went through my entire setup again, on
>>>>>>> both DCs, last night and now cannot add reversedns to either DC.)
>>>>>>> All other dns testing checks out.
>>>>>>> 
>>>>>>> Basically I keep being told, through log files and other, that the
>>>>>>> zone does not exist.
>>>>>>> 
>>>>>>> At this point I am a little confused but, bottom line is I cannot
>>>>>>> add any reversedns zones to resolve my nslookup xxx.xxx.xxx.xxx
>>>>>>> failure issue to either DC. I am puzzled.
>>>>>>> 
>>>>>>> What else would you like to see? log files?
>>>>>> 
>>>>>> OK, let's check if the record does exist. If I run this on a DC:
>>>>>> 
>>>>>> ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -s sub '(&(objectclass=dnsNode)(cn=180))'
>>>>>> 
>>>>>> I get this:
>>>>>> 
>>>>>> # record 1
>>>>>> dn: DC=180,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>>> objectClass: top
>>>>>> objectClass: dnsNode
>>>>>> instanceType: 4
>>>>>> whenCreated: 20161020160412.0Z
>>>>>> uSNCreated: 44302
>>>>>> showInAdvancedViewOnly: TRUE
>>>>>> name: 180
>>>>>> objectGUID: 85c0aade-15c9-48a8-822e-5ec24df2dbf9
>>>>>> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>>>>> dc: 180
>>>>>> whenChanged: 20161104144426.0Z
>>>>>> dnsRecord:: IQAMAAXwAAAKAAAAAAAOEAAAAAAWnzcAHwQKZGV2c3RhdGlvbgZzYW1kb20HZXhhbXBsZQNjb20A
>>>>>> dNSTombstoned: FALSE
>>>>>> uSNChanged: 44985
>>>>>> distinguishedName: DC=180,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>>> 
>>>>>> So, adapt it for your setup and see if the record does exist in AD.
>>>>>> 
>>>>>> Rowland
>>>>> 
>>>>> Aha!!  0 records . . . but, doesn't the "xxx.168.192.in-addr.arpa"
>>>>> represent the reverse zone?
>>>> 
>>>> Okay, so 0 records, now?
>>>> 
>>>> Are you actually using 'xxx.168.192.in-addr.arpa'? I thought you were
>>>> sanitizing your reverse zone (but why, I couldn't work out).
>>>> 
>>>> Rowland
>>> 
>>> No, I'm sanitizing just a little bit.
>>> 
>>> What I am seeing is this search sees no reverse zone yet, a zonelist
>>> appears to have a reverse zone?
>>> 
>>> Any "zonecreate" or "zonedelete" or attempts to add a PTR record fail
>>> with a similar complaint to the query result posted. I have watched so
>>> many log files that they have become a blur and I am sure I have
>>> overlooked some detail.
>>> 
>>> Any suggestion on my next step will be greatly appreciated.
>> 
>> I would start by running 'samba-tool dbcheck --cross-ncs --fix --yes'
>> 
>> Rowland
> 
> One DC returns 0 errors and the other DC returns 30 errors (that it
> appears to have corrected.)
> 
> It is really late where you are and I will not get back to this for 4 or
> 5 hours.
> 
> More, if needed, tomorrow.
> 
> Have a good night.
> 
> -- 
> _______________________________
> 
> Bob Wooden of Donelson Trophy

I discovered my mistake. While adding the PTR to the reverse zone I had
left out the domain. 

wrong way >>> root at dtdc03:~# samba-tool dns add >>dtdc03<< 16.168.192.in-addr.arpa 49 PTR dtdc03.dtshrm.dt

THE RIGHT WAY >>> root at dtdc03:~# samba-tool dns add >>>dtdc03.dtshrm.dt<<< 16.168.192.in-addr.arpa 49 PTR dtdc03.dtshrm.dt

(Obviously without the arrows that are marking my error.)

Then I added the other DC with: root at dtdc03:~# samba-tool dns add dtdc03.dtshrm.dt 16.168.192.in-addr.arpa 50 PTR dtdc04.dtshrm.dt

Now when I run: ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb '(invocationId=*)' --cross-ncs

I get 2 records. 

Unless something appears in the morning all should be good, now. Problem
solved. (He types with fingers crossed.)

-- 
_______________________________

Bob Wooden of Donelson Trophy
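The fix above turns on two details: which in-addr.arpa zone and record label an IPv4 address maps to, and passing the DC's FQDN rather than a bare hostname as the server argument of samba-tool dns add. The shell script below is an added example written for this page, not code from the thread or from the Samba project. It derives the zone and label for /8, /16 and /24 reverse zones (the thread only shows the /24 case), refuses a bare hostname for the server argument, and prints the resulting samba-tool command instead of running it. The DC name dtdc03.dtshrm.dt and zone 16.168.192.in-addr.arpa are taken from the thread; the addresses 192.168.16.49 and 192.168.16.50 are assumed from the record labels 49 and 50, since the real addresses were sanitised.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: build a correct
# "samba-tool dns add <dc-fqdn> <reverse-zone> <label> PTR <target>" line.
# Assumptions: DC FQDN dtdc03.dtshrm.dt; addresses 192.168.16.49/.50 are
# reconstructed from the labels 49 and 50 shown in the thread.

# octets IP -> the four octets separated by spaces.
octets() {
    printf '%s\n' "$1" | tr '.' ' '
}

# ptr_zone IP PREFIXLEN -> reverse zone for the classful /8, /16 or /24
# block containing IP, e.g. 192.168.16.49 24 -> 16.168.192.in-addr.arpa
ptr_zone() {
    set -- $(octets "$1") "$2"
    [ $# -eq 5 ] || { echo "not a dotted-quad IPv4 address" >&2; return 1; }
    case "$5" in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  echo "unsupported prefix length: $5" >&2; return 1 ;;
    esac
}

# ptr_name IP PREFIXLEN -> the record label inside that zone: the host
# octets, least significant first, e.g. 10.20.30.40 8 -> 40.30.20
ptr_name() {
    set -- $(octets "$1") "$2"
    [ $# -eq 5 ] || { echo "not a dotted-quad IPv4 address" >&2; return 1; }
    case "$5" in
        8)  printf '%s.%s.%s\n' "$4" "$3" "$2" ;;
        16) printf '%s.%s\n' "$4" "$3" ;;
        24) printf '%s\n' "$4" ;;
        *)  echo "unsupported prefix length: $5" >&2; return 1 ;;
    esac
}

# require_fqdn NAME -> succeed only if NAME contains a dot. A bare hostname
# as the server argument is exactly the mistake described in the thread.
require_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   echo "refusing bare hostname '$1': give the DC's FQDN" >&2; return 1 ;;
    esac
}

# ptr_add_cmd DC_FQDN IP PREFIXLEN TARGET_FQDN -> prints the command line.
# Dry run only: pipe the output to sh (adding -U as needed) to run it.
ptr_add_cmd() {
    require_fqdn "$1" || return 1
    require_fqdn "$4" || return 1
    zone=$(ptr_zone "$2" "$3") || return 1
    name=$(ptr_name "$2" "$3") || return 1
    printf 'samba-tool dns add %s %s %s PTR %s\n' "$1" "$zone" "$name" "$4"
}

# Usage with the thread's (reconstructed) values:
ptr_add_cmd dtdc03.dtshrm.dt 192.168.16.49 24 dtdc03.dtshrm.dt
ptr_add_cmd dtdc03.dtshrm.dt 192.168.16.50 24 dtdc04.dtshrm.dt
# The wrong form from the thread is rejected before anything reaches the DC:
ptr_add_cmd dtdc03 192.168.16.49 24 dtdc03.dtshrm.dt || echo "rejected as expected"
```

The script only validates the shape of the arguments; it does not check that the reverse zone actually exists on the DC, which is what the ldbsearch against sam.ldb earlier in the thread is for.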