[Samba] AD bind DNS broken after 4.7.3 -> 4.9.2 upgrade

Král Gergely kralg at robolution.eu
Mon Dec 31 15:15:41 UTC 2018


Hi,


I have been running a Samba AD PDC with BIND9_DLZ on a Debian system for 
a year now without problems, and in the hope of being able to create AD 
backups I upgraded the samba packages (along with other packages with 
minor updates).

Everything seemed OK during the upgrade, all processes restarted, but 
soon after I found that PAM refuses to authenticate AD usernames. By 
checking the samba logs I see weird messages constantly complaining 
about dnsupdate errors.

Since I read before that there were some database changes in 4.8, I ran 
"samba-tool dbcheck" with no errors. Bind9 logs look OK, but it refuses 
to let Windows workstations update IP records, and I cannot get any domain 
names resolved in the samba domain zone. Bind resolves names in other 
zones OK.

I tried to reconfigure the samba DNS by running:

isa:~# /usr/sbin/samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/MYAD.DOMAIN.EU.zone
DNS records will be automatically created
DNS partitions already exist
dns-isa account already exists
Failed to create link /var/lib/samba/private/dns.keytab -> 
/var/lib/samba/bind-dns/dns.keytab: No such file or directory
Failed to chown /var/lib/samba/bind-dns to bind gid 107
Failed to chown /var/lib/samba/bind-dns/dns.keytab to bind gid 107
Traceback (most recent call last):
   File "/usr/sbin/samba_upgradedns", line 533, in <module>
     create_dns_dir(logger, paths)
   File "/usr/lib/python2.7/dist-packages/samba/provision/sambadns.py", 
line 699, in create_dns_dir
     os.mkdir(dns_dir, 0o770)
OSError: [Errno 2] No such file or directory: 
'/var/lib/samba/bind-dns/dns'


So is it trying to create a link in place of my dns.keytab file to a 
file that does not exist? I never had a "bind-dns" directory in 
/var/lib/samba.

Can anyone give me a hint where to look for the cause of this by 
checking the logs below, so I could get the AD up and running again? 
Please let me know if I can provide any more information that may be 
relevant.

Thanks,
Gergely Kral

---

isa:~# samba-tool dbcheck
Checking 359 objects
Checked 359 objects (0 errors)


isa:~# kinit -V administrator
Using default cache: /tmp/krb5cc_0
Using principal: administrator at MYAD.DOMAIN.EU
kinit: Cannot find KDC for realm "MYAD.DOMAIN.EU" while getting initial 
credentials


samba log after startup:

[2018/12/31 15:03:37.326791,  0] 
../source4/smbd/server.c:510(binary_smbd_main)
   samba version 4.9.2-Debian started.
   Copyright Andrew Tridgell and the Samba Team 1992-2018
[2018/12/31 15:03:37.851127,  0] 
../source4/smbd/server.c:696(binary_smbd_main)
   binary_smbd_main: samba: using 'standard' process model
[2018/12/31 15:03:37.893168,  0] 
../source4/dsdb/common/util.c:1815(samdb_reference_dn_is_our_ntdsa)
   Failed to find object DC=myad,DC=domain,DC=eu for attribute 
fsmoRoleOwner - Cannot find DN DC=myad,DC=domain,DC=eu to get attribute 
fsmoRoleOwner for reference dn: No such Base DN: DC=myad,DC=domain,DC=eu
[2018/12/31 15:03:37.914251,  0] 
../source4/smbd/service_task.c:36(task_server_terminate)
   task_server_terminate: task_server_terminate: [kdc: krb5_init_context 
samdb RODC connect failed]
[2018/12/31 15:03:37.944114,  0] 
../source4/dsdb/dns/dns_update.c:127(dnsupdate_rebuild)
[2018/12/31 15:03:38.039030,  0] 
../source4/smbd/service_task.c:36(task_server_terminate)
[2018/12/31 15:03:38.039029,  0] 
../source4/smbd/service_task.c:36(task_server_terminate)
   task_server_terminate: task_server_terminate: [kccsrv: Failed to 
connect to local samdb: WERR_DS_UNAVAILABLE
   task_server_terminate: task_server_terminate: [dreplsrv: Failed to 
connect to local samdb: WERR_DS_UNAVAILABLE
   ]
   ]
   ../source4/dsdb/dns/dns_update.c:127: Unable to find DCs list - No 
such Base DN: 
CN=Configuration,DC=myad,DC=domain,DC=eu../source4/dsdb/dns/dns_update.c:127: 
Unable to find DCs list - No such Base DN: 
CN=Configuration,DC=myad,DC=domain,DC=eu/usr/sbin/samba_dnsupdate: 
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 
ncacn_ip_tcp:192.168.6.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.6.1] 
NT_STATUS_LOGON_FAILURE
[2018/12/31 15:03:41.419176,  0] 
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
   /usr/sbin/samba_dnsupdate: ERROR: Connecting to DNS RPC server 
192.168.6.1 failed with (3221225581L, 'The attempted logon is invalid. 
This is either due to a bad username or authentication information.')
[2018/12/31 15:03:41.438997,  0] 
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
   /usr/sbin/samba_dnsupdate: Failed to bind to uuid 
50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 
ncacn_ip_tcp:192.168.6.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.6.1] 
NT_STATUS_LOGON_FAILURE
[2018/12/31 15:03:41.439169,  0] 
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
   /usr/sbin/samba_dnsupdate: ERROR: Connecting to DNS RPC server 
192.168.6.1 failed with (3221225581L, 'The attempted logon is invalid. 
This is either due to a bad username or authentication information.')
[2018/12/31 15:03:41.460318,  0] 
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
   /usr/sbin/samba_dnsupdate: Failed to bind to uuid 
50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 
ncacn_ip_tcp:192.168.6.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.6.1] 
NT_STATUS_LOGON_FAILURE
[2018/12/31 15:03:41.460457,  0] 
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
   /usr/sbin/samba_dnsupdate: ERROR: Connecting to DNS RPC server 
192.168.6.1 failed with (3221225581L, 'The attempted logon is invalid. 
This is either due to a bad username or authentication information.')
[2018/12/31 15:03:41.475008,  0] 
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
   /usr/sbin/samba_dnsupdate: Failed to bind to uuid 
50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 
ncacn_ip_tcp:192.168.6.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.6.1] 
NT_STATUS_LOGON_FAILURE


samba related bind log after startup with a client trying to update:

Dec 31 15:15:09 isa named[16330]: Loading 'AD DNS Zone' using driver 
dlopen
Dec 31 15:15:10 isa named[16330]: samba_dlz: started for DN 
DC=myad,DC=domain,DC=eu
Dec 31 15:15:10 isa named[16330]: samba_dlz: starting configure
Dec 31 15:15:10 isa named[16330]: samba_dlz: configured writeable zone 
'myad.domain.eu'
Dec 31 15:15:10 isa named[16330]: samba_dlz: configured writeable zone 
'_msdcs.myad.domain.eu'
Dec 31 15:16:54 isa named[16330]: samba_dlz: starting transaction on 
zone myad.domain.eu
Dec 31 15:16:56 isa named[16330]: client @0xb2f3aae0 192.168.6.69#64626: 
update 'myad.domain.eu/IN' denied
Dec 31 15:16:56 isa named[16330]: samba_dlz: cancelling transaction on 
zone myad.domain.eu


/etc/samba/smb.conf:

[global]
	bind interfaces only = Yes
	interfaces = lo br0
	netbios name = ISA
	realm = MYAD.DOMAIN.EU
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbindd, ntp_signd, kcc, dnsupdate
	workgroup = MYAD
	idmap_ldb:use rfc2307 = yes
	template shell = /bin/bash
	template homedir = /home/%U
	winbind use default domain = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
#	winbind separator = +
	winbind refresh tickets = yes
#	log level = 2


/etc/nsswitch.conf:

passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

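Added note, not part of Gergely's message and not Samba's own tooling: the traceback above fails inside os.mkdir() for /var/lib/samba/bind-dns/dns with ENOENT. os.mkdir() does not create parent directories, so /var/lib/samba/bind-dns itself is absent on that host, which is consistent with the failed link and chown messages printed just before it. Samba 4.8 moved the BIND9_DLZ files (named.conf, dns.keytab and the dns/ directory) from private/ into that bind-dns directory. The script below, written for this page, checks whether the 4.8+ layout is present before samba_upgradedns is re-run and whether named's configuration includes the new named.conf rather than the pre-4.8 one under private/. Paths default to the Debian locations seen in the post; STATEDIR, PRIVATEDIR, NAMED_CONF and REALM are assumed environment overrides, and the SRV lookup (for the "Cannot find KDC" kinit error) needs dig.

```shell
#!/bin/sh
# Added example (not from the post or from Samba): sanity-check the on-disk
# BIND9_DLZ layout that Samba 4.8+ expects before re-running samba_upgradedns.
# Paths default to the Debian layout visible in the post's traceback; override
# with STATEDIR / PRIVATEDIR / NAMED_CONF for other layouts (assumption).

STATEDIR="${STATEDIR:-/var/lib/samba}"
PRIVATEDIR="${PRIVATEDIR:-/var/lib/samba/private}"
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf.local}"

# check_bind_dns_layout STATEDIR PRIVATEDIR
# Prints one line per missing piece of the 4.8+ layout and returns the count
# of missing pieces (0 means everything samba_upgradedns links or chowns exists).
check_bind_dns_layout() {
    statedir="$1"; privdir="$2"; missing=0
    bd="$statedir/bind-dns"
    # os.mkdir() is not recursive: the ENOENT in the post's traceback for
    # "$bd/dns" means "$bd" itself was absent, so test the parent first.
    for d in "$bd" "$bd/dns"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"
            missing=$((missing + 1))
        fi
    done
    for f in "$bd/dns.keytab" "$bd/named.conf"; do
        if [ ! -e "$f" ]; then
            echo "missing file: $f"
            missing=$((missing + 1))
        fi
    done
    # Pre-4.8 keytab location. Present here but absent under bind-dns is the
    # state the post's "Failed to create link ... dns.keytab" message shows.
    if [ -e "$privdir/dns.keytab" ] && [ ! -e "$bd/dns.keytab" ]; then
        echo "note: pre-4.8 keytab $privdir/dns.keytab present, $bd/dns.keytab absent"
    fi
    return "$missing"
}

# named_includes NAMED_CONF PATH
# True if NAMED_CONF carries an active 'include "PATH";' statement.
named_includes() {
    grep -Eq "^[[:space:]]*include[[:space:]]+\"$2\"[[:space:]]*;" "$1"
}

# When run as a script with --check, report on the live system.
if [ "${1:-}" = "--check" ]; then
    check_bind_dns_layout "$STATEDIR" "$PRIVATEDIR" && echo "bind-dns layout: OK"
    if named_includes "$NAMED_CONF" "$STATEDIR/bind-dns/named.conf"; then
        echo "named includes $STATEDIR/bind-dns/named.conf: OK"
    elif named_includes "$NAMED_CONF" "$PRIVATEDIR/named.conf"; then
        echo "named still includes the pre-4.8 $PRIVATEDIR/named.conf"
    else
        echo "named does not include a Samba DLZ named.conf"
    fi
    # kinit in the post failed with "Cannot find KDC": look up the SRV record
    # a Kerberos client needs, if dig is available and REALM is set.
    if [ -n "${REALM:-}" ] && command -v dig >/dev/null 2>&1; then
        echo "KDC SRV for $REALM:"
        dig +short SRV "_kerberos._tcp.$(printf %s "$REALM" | tr '[:upper:]' '[:lower:]')"
    fi
fi
```

Run it as root with `sh check-bind-dns.sh --check` (and `REALM=MYAD.DOMAIN.EU` to include the SRV query); each missing path is printed on its own line, and the exit status of the layout check is the number of missing items, so it can be used from other scripts.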