[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Jiří Černý cerny at svmetal.cz
Wed Aug 22 11:18:47 UTC 2018


Hello, guys.
First of all, I would like to thank you all for the time you spend solving my problem. I appreciate that very much. Especially Rowland. You do a great job every day here on the lists.

Louis:
>  ; TSIG error with server: tsig verify failure
> 
> Maybe update/setup your TSIG key. 
> https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key 
> 
> I'm also wondering why RH is using : '--disable-isc-spnego' 

Good catch, but I'm not sure if that link is only related to OpenShift. If I understand it right, Samba uses a Kerberos keytab (/var/lib/samba/private/dns.keytab) for updating DNS records in zones loaded by Bind.

Rowland:
> Good catch Louis, that rang a bell and the answer is because you cannot
> run a Samba AD DC on red-hat with distro packages, so they stop updates
> (Don't ask why, I don't know)

> see here:

> https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates

Oh my God. You are right, Rowland. I know that page, but I assumed it was solved in CentOS 7. I'm very sorry I missed that wiki page.
But it looks like it is not; notice "--disable-isc-spnego" in named -V:
named -V
BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version) <id:8f9657aa> built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-tuning=large' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'

So that's my fault. And you're right, I didn't study the wiki enough. I just looked here: https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server and here https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Configuring_the_BIND9_DLZ_Module and said: "Yeah, CentOS 7 has Bind 9.9.4 with --with-dlopen=yes --with-gssapi=yes, so it will just work".
And it really works, but only for some domain computers.

I'll try rebuilding CentOS 7's Bind without --disable-isc-spnego and give you a report.

> Where ?? It has worked faithfully for me for the last 5 1/2 years.
In our environment (CentOS 6) it was actually the same problem I addressed above. For some time I tested the packages by Benjamin Kraft, but in the end I just switched to the internal DNS.
It's been a long time; I'm gradually recalling how it was.

> OK, try this:
> 
> samba_dnsupdate --verbose --all-names --use-samba-tool
samba_dnsupdate --verbose --all-names --use-samba-tool
IPs: ['192.168.45.1']
force update: A dc03x.samdom.svmetal.cz 192.168.45.1
force update: NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: A samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
force update: SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
force update: CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: A gc._msdcs.samdom.svmetal.cz 192.168.45.1
force update: SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
update (samba-tool): A dc03x.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A dc03x.samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', 'dc03x', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A dc03x.samdom.svmetal.cz 192.168.45.1
update (samba-tool): NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling samba-tool dns for NS samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '@', 'NS', 'dc03x.samdom.svmetal.cz']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
update (samba-tool): NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling samba-tool dns for NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '@', 'NS', 'dc03x.samdom.svmetal.cz']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
update (samba-tool): A samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '@', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A samdom.svmetal.cz 192.168.45.1
update (samba-tool): SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.dc', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kerberos._tcp', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kerberos._udp', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_kerberos._tcp.dc', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Calling samba-tool dns for SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kpasswd._tcp', 'SRV', 'dc03x.samdom.svmetal.cz 464 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
update (samba-tool): SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Calling samba-tool dns for SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kpasswd._udp', 'SRV', 'dc03x.samdom.svmetal.cz 464 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
update (samba-tool): CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling samba-tool dns for CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', 'a0fcd1d9-a5e2-428c-a271-ab17103bb4d0', 'CNAME', 'dc03x.samdom.svmetal.cz']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites.dc', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kerberos._tcp.Default-First-Site-Name._sites', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_kerberos._tcp.Default-First-Site-Name._sites.dc', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): A gc._msdcs.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A gc._msdcs.samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', 'gc', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A gc._msdcs.samdom.svmetal.cz 192.168.45.1
update (samba-tool): SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling samba-tool dns for SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_gc._tcp', 'SRV', 'dc03x.samdom.svmetal.cz 3268 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
update (samba-tool): SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling samba-tool dns for SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.gc', 'SRV', 'dc03x.samdom.svmetal.cz 3268 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
update (samba-tool): SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling samba-tool dns for SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_gc._tcp.Default-First-Site-Name._sites', 'SRV', 'dc03x.samdom.svmetal.cz 3268 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites.gc', 'SRV', 'dc03x.samdom.svmetal.cz 3268 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
update (samba-tool): A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A DomainDnsZones.samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', 'DomainDnsZones', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
update (samba-tool): SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.DomainDnsZones', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A ForestDnsZones.samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', 'ForestDnsZones', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
update (samba-tool): SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.ForestDnsZones', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Failed update of 28 entries

> Yes that is a pain, you need to manually remove it with samba-tool.
> Not sure, but I think the latest Samba removes it when a DC is
> demoted.

Yes, it looks like there are some improvements in 4.9 (https://wiki.samba.org/index.php/Samba_4.9_Features_added/changed):
"DNS entries are now cleaned up during DC demote DNS records are now cleaned up as part of the 'samba-tool domain demote' including both the default and --remove-other-dead-server modes.
Additionally DNS records can be automatically cleaned up for a given name with the 'samba-tool dns cleanup' command, which aids in cleaning up partially removed DCs."

> Not sure about that, do your DC's point to themselves as their first
> nameserver or another DC ?

I can remember some article about DNS islanding (maybe on the Samba wiki too); you and other people even discussed it here on the lists. But I cannot remember whether a DC should or should not point to itself.
My configuration on the DCs is (pointing to itself in third place):
cat /etc/resolv.conf 
# Generated by NetworkManager
search samdom.svmetal.cz
nameserver 192.168.1.1
nameserver 192.168.200.20
nameserver 127.0.0.1

Jiri
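As an added example (not code from this thread, from Samba or from BIND): a small POSIX sh triage script for the two checks the message turns on. The first function reads a `named -V` line and reports whether the build has the options the Samba wiki page linked above requires for signed (GSS-TSIG) updates through the BIND9_DLZ module, treating `--disable-isc-spnego` as the thread does, as the option that breaks them. The second function summarises a `samba_dnsupdate --verbose --all-names --use-samba-tool` log by counting planned and failed updates and the WERR_ codes behind the failures, so that a log like the one above can be read at a glance: when every failure is `WERR_DNS_ERROR_RECORD_ALREADY_EXISTS`, the records are present and nothing is missing from the zone. The `named -V` excerpt is shortened from the line quoted in the message; the "rebuilt" build string and the short log are constructed samples, not output from any real host.

```shell
#!/bin/sh
# Added example for this thread; not Samba, BIND or list code.

# Excerpt of the named -V line quoted in the message (most flags omitted).
NAMED_V_CENTOS="BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version) built with '--with-dlopen=yes' '--with-gssapi=yes' '--disable-isc-spnego'"
# Constructed: what a rebuild without --disable-isc-spnego would look like.
NAMED_V_REBUILT="BIND 9.9.4 (constructed sample) built with '--with-dlopen=yes' '--with-gssapi=yes'"

# Constructed three-record excerpt in the format of samba_dnsupdate --verbose.
DNSUPDATE_LOG_SAMPLE="force update: A dc03x.samdom.svmetal.cz 192.168.45.1
force update: NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
3 DNS updates and 0 DNS deletes needed
update (samba-tool): A dc03x.samdom.svmetal.cz 192.168.45.1
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
Failed 'samba-tool dns' based update of A dc03x.samdom.svmetal.cz 192.168.45.1
update (samba-tool): NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
Failed 'samba-tool dns' based update of NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
update (samba-tool): SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
Failed 'samba-tool dns' based update of SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Failed update of 3 entries"

# check_named_build "<named -V output>"
# Returns 0 when the build has --with-dlopen=yes and --with-gssapi=yes and
# was NOT configured with --disable-isc-spnego; returns 1 and names the
# problem otherwise. The flag interpretation follows the Samba wiki page
# on BIND DLZ with secured / signed updates, as cited in the thread.
check_named_build() {
    build="$1"
    problems=""
    case "$build" in *"'--with-dlopen=yes'"*) ;; *) problems="$problems missing:--with-dlopen=yes";; esac
    case "$build" in *"'--with-gssapi=yes'"*) ;; *) problems="$problems missing:--with-gssapi=yes";; esac
    case "$build" in *"'--disable-isc-spnego'"*) problems="$problems present:--disable-isc-spnego";; esac
    if [ -z "$problems" ]; then
        echo "ok: build options allow signed (GSS-TSIG) updates via BIND9_DLZ"
        return 0
    fi
    echo "problem:$problems (signed updates expected to fail; rebuild BIND or use the internal DNS)"
    return 1
}

# summarize_dnsupdate_log "<samba_dnsupdate --verbose output>"
# Prints one line: planned count, failed count, a count per WERR_ code and
# a verdict. "records-present" means every failure was
# WERR_DNS_ERROR_RECORD_ALREADY_EXISTS, i.e. samba-tool refused to add
# records that already exist, so no DNS entry is actually missing.
summarize_dnsupdate_log() {
    printf '%s\n' "$1" | awk '
        /^force update: /                            { planned++ }
        /^Failed .samba-tool dns. based update of /  { failed++ }
        /^ERROR\(runtime\): uncaught exception/ {
            if (match($0, /WERR_[A-Z_]+/))
                codes[substr($0, RSTART, RLENGTH)]++
        }
        END {
            line = "planned=" (planned + 0) " failed=" (failed + 0)
            for (c in codes) line = line " " c "=" codes[c]
            if (failed == 0)
                verdict = "ok"
            else if (("WERR_DNS_ERROR_RECORD_ALREADY_EXISTS" in codes) &&
                     codes["WERR_DNS_ERROR_RECORD_ALREADY_EXISTS"] == failed)
                verdict = "records-present"
            else
                verdict = "records-missing-or-update-denied"
            print line " verdict=" verdict
        }'
}

# Stand-alone usage: run the checks against the sample inputs above.
check_named_build "$NAMED_V_CENTOS" || true
check_named_build "$NAMED_V_REBUILT" || true
summarize_dnsupdate_log "$DNSUPDATE_LOG_SAMPLE"
```

On a real DC the two functions would be fed `"$(named -V)"` and `"$(samba_dnsupdate --verbose --all-names --use-samba-tool 2>&1)"`; the verdict only classifies the log, it does not change anything in the zone.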
