[Samba] DNS replication issue

Rowland penny rpenny at samba.org
Wed Dec 18 14:31:31 UTC 2019


On 18/12/2019 14:07, Ilias Chasapakis forumZFD via samba wrote:
> Hi Rowland,
>
> Thank you for replying. Please find the output here below. Just a
> possible tip:
>
> _kerberos._tcp.example.com    service = 0 100 88 addc-new.example.com.
>
> output is present on the new machine but if we issue a host -t SRV
> _kerberos._tcp.example.com on addc2 it does not appear in the list.
>
> Kind regards.
>
> Collected config  --- 2019-12-18-20:30 -----------
>
> Hostname: addc-new
> DNS Domain: example.com
> FQDN: addc-new.example.com
> ipaddress: 192.168.20.22 10.0.103.13
>
> -----------
>
> Kerberos SRV _kerberos._tcp.example.com record verified ok, sample output:
> Server:        192.168.20.22
> Address:    192.168.20.22#53
>
> _kerberos._tcp.example.com    service = 0 100 88 addc-sub1.example.com.
> _kerberos._tcp.example.com    service = 0 100 88 addc2.example.com.
> _kerberos._tcp.example.com    service = 0 100 88 addc3.example.com.
> _kerberos._tcp.example.com    service = 0 100 88 addc-sub2.example.com.
> _kerberos._tcp.example.com    service = 0 100 88 addc-sub3.example.com.
> _kerberos._tcp.example.com    service = 0 100 88 addc-new.example.com.
> Samba is running as an AD DC
>
> -----------
>         Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.2 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff
>      inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3
>      inet6 fe80::5054:ff:fe86:8aba/64 scope link
> 3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff
>      inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10
>      inet6 fe80::5054:ff:fe43:10d2/64 scope link
>
> -----------
>         Checking file: /etc/hosts
>
> 127.0.0.1    localhost
> 192.168.20.22    addc-new.example.com    addc-new
> #list of heartbeat network hosts
> #
> 10.0.103.11 ctdb1.heartbeat.example    ctdb1
> 10.0.103.21 ctdb2.heartbeat.example    ctdb2
> 10.0.103.13 ad1.heartbeat.example ad1
> 10.0.103.42 jumpi.heartbeat.example jumpi
> 10.0.103.12 gluster1.heartbeat.example gluster1
> 10.0.103.22 gluster2.heartbeat.example gluster2
> 10.0.103.23 ad2.heartbeat.example ad2
I would remove all the heartbeat hosts from /etc/hosts; they shouldn't 
be there, and CTDB and AD DC are incompatible.
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
>         Checking file: /etc/resolv.conf
>
> domain example.com
> search example.com
> nameserver 192.168.20.22
>
> -----------
>
>         Checking file: /etc/krb5.conf
>
> [libdefaults]
>      default_realm = example.com
The realm 'example.com' should be in uppercase: 'EXAMPLE.COM'.
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>
> -----------
>
>         Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
>         Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
>      netbios name = ADDC-new
>      realm = example.com
>      server role = active directory domain controller
>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>      workgroup = ZFD
>      wins support = yes
'wins support' on an AD DC ????
>
> [netlogon]
>      path = /var/lib/samba/sysvol/example.com/scripts
>      read only = yes
>
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = yes
>
> -----------
>
> Detected bind DLZ enabled..
>         Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
>         Checking file: /etc/bind/named.conf.options
>
> options {
>      directory "/var/cache/bind";
>
>      // If there is a firewall between you and nameservers you want
>      // to talk to, you may need to fix the firewall to allow multiple
>      // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>      // If your ISP provided one or more IP addresses for stable
>      // nameservers, you probably want to use them as forwarders.
>      // Uncomment the following block, and insert the addresses replacing
>      // the all-0's placeholder.
>
>      forwarders {
>          192.168.20.1;
>      };
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     
> //========================================================================
>      // If BIND logs error messages about the root key being expired,
>      // you will need to update your keys.  See https://www.isc.org/bind-keys
>     
> //========================================================================
>      dnssec-validation no;
>      dnssec-enable no;
>      dnssec-lookaside no;
>
>      auth-nxdomain no;    # conform to RFC1035
>
>      allow-recursion { any; };
>      allow-query { any; };
>      allow-query-cache { any; };
>
>
>      listen-on-v6 { any; };
> };

I would add these to named.conf.options:

     notify no;
     empty-zones-enable no;
     allow-transfer { none; };
     listen-on port 53 { any; };

Also, I think you will find the dns.keytab here:

/var/lib/samba/bind-dns/dns.keytab

Rowland
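The symptom Ilias describes (the SRV record for the new DC shows up in addc-new's own answer but not in addc2's) is easy to check across every DC with a small script. The following is an added example, not part of this thread or of Samba's own tooling: it parses the SRV answers collected from each DC (both the nslookup `service = ...` form shown above and the `host -t SRV` form) and reports targets that some DCs return but others do not. The sample answers are constructed from the thread; addc2's answer is a hypothetical reproduction of the reported symptom.

```python
"""Compare the _kerberos._tcp SRV answers returned by each DC and report
targets that some DCs know about but others do not (a replication gap)."""
import re
from typing import Dict, Set

# Matches both the nslookup form used in the thread
# ("... service = 0 100 88 host.") and the host(1) form
# ("... has SRV record 0 100 88 host."): priority weight port target
SRV_RE = re.compile(
    r"(?:service = |has SRV record )(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$"
)

# Constructed sample answers modelled on the thread: addc-new lists itself,
# addc2 (hypothetical) returns the same set minus addc-new.
SAMPLE_ANSWERS: Dict[str, str] = {
    "addc-new": """\
Server:        192.168.20.22
Address:    192.168.20.22#53

_kerberos._tcp.example.com    service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com    service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com    service = 0 100 88 addc-new.example.com.
""",
    "addc2": """\
_kerberos._tcp.example.com has SRV record 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc2.example.com.
""",
}


def parse_srv_targets(output: str) -> Set[str]:
    """Return the SRV targets (lower-cased, trailing dot stripped) in one answer."""
    targets: Set[str] = set()
    for line in output.splitlines():
        m = SRV_RE.search(line)
        if m:
            targets.add(m.group(4).lower())
    return targets


def find_missing_targets(answers: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each DC to the targets seen in some other DC's answer but absent
    from its own; a non-empty entry means the record has not replicated there."""
    per_dc = {dc: parse_srv_targets(out) for dc, out in answers.items()}
    union: Set[str] = set().union(*per_dc.values())
    missing: Dict[str, Set[str]] = {}
    for dc, seen in per_dc.items():
        if union - seen:
            missing[dc] = union - seen
    return missing


if __name__ == "__main__":
    for dc, gap in find_missing_targets(SAMPLE_ANSWERS).items():
        print(f"{dc}: missing SRV targets {sorted(gap)}")
```

To use it on a real domain, replace SAMPLE_ANSWERS with the output of `host -t SRV _kerberos._tcp.<domain> <dc>` captured against each DC in turn.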