[Samba] DNS replication issue
Rowland penny
rpenny at samba.org
Wed Dec 18 14:31:31 UTC 2019
On 18/12/2019 14:07, Ilias Chasapakis forumZFD via samba wrote:
> Hi Rowland,
>
> Thank you for replying. Please find the output here below. Just a
> possible tip:
>
> _kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.
>
> output is present on the new machine but if we issue a host -t SRV
> _kerberos._tcp.example.com on addc2 it does not appear in the list.
>
> Kind regards.
>
> Collected config --- 2019-12-18-20:30 -----------
>
> Hostname: addc-new
> DNS Domain: example.com
> FQDN: addc-new.example.com
> ipaddress: 192.168.20.22 10.0.103.13
>
> -----------
>
> Kerberos SRV _kerberos._tcp.example.com record verified ok, sample output:
> Server: 192.168.20.22
> Address: 192.168.20.22#53
>
> _kerberos._tcp.example.com service = 0 100 88 addc-sub1.example.com.
> _kerberos._tcp.example.com service = 0 100 88 addc2.example.com.
> _kerberos._tcp.example.com service = 0 100 88 addc3.example.com.
> _kerberos._tcp.example.com service = 0 100 88 addc-sub2.example.com.
> _kerberos._tcp.example.com service = 0 100 88 addc-sub3.example.com.
> _kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.2 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff
> inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3
> inet6 fe80::5054:ff:fe86:8aba/64 scope link
> 3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff
> inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10
> inet6 fe80::5054:ff:fe43:10d2/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.20.22 addc-new.example.com addc-new
> #list of heartbeat network hosts
> #
> 10.0.103.11 ctdb1.heartbeat.example ctdb1
> 10.0.103.21 ctdb2.heartbeat.example ctdb2
> 10.0.103.13 ad1.heartbeat.example ad1
> 10.0.103.42 jumpi.heartbeat.example jumpi
> 10.0.103.12 gluster1.heartbeat.example gluster1
> 10.0.103.22 gluster2.heartbeat.example gluster2
> 10.0.103.23 ad2.heartbeat.example ad2
I would remove all the heartbeat hosts from /etc/hosts, they shouldn't
be there and CTDB and AD DC are incompatible.
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> domain example.com
> search example.com
> nameserver 192.168.20.22
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = example.com
The realm 'example.com' should be in uppercase 'EXAMPLE.COM'
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = ADDC-new
> realm = example.com
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = ZFD
> wins support = yes
'wins support' on an AD DC ????
>
> [netlogon]
> path = /var/lib/samba/sysvol/example.com/scripts
> read only = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = yes
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> forwarders {
> 192.168.20.1;
> };
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
> //========================================================================
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See https://www.isc.org/bind-keys
>
> //========================================================================
> dnssec-validation no;
> dnssec-enable no;
> dnssec-lookaside no;
>
> auth-nxdomain no; # conform to RFC1035
>
> allow-recursion { any; };
> allow-query { any; };
> allow-query-cache { any; };
>
>
> listen-on-v6 { any; };
> };
I would add these to named.conf.options:
notify no;
empty-zones-enable no;
allow-transfer { none; };
listen-on port 53 { any; };
Also, I think you will find the dns.keytab here:
/var/lib/samba/bind-dns/dns.keytab
Rowland
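One way to pin down the replication gap Ilias describes (the new DC's SRV record is returned when querying addc-new but missing when querying addc2) is to capture the SRV answers from every DC and diff the target sets. This is an added example, not part of the thread or of Samba; the sample answers are constructed from the records quoted above, and it assumes you paste in the output of `nslookup -type=SRV` (the `service =` form shown in the collected config) or `host -t SRV` (the `has SRV record` form).

```python
import re
from typing import Dict, Set

# One answer line, in either nslookup form ("service = 0 100 88 target.")
# or host(1) form ("has SRV record 0 100 88 target."). Non-answer lines such
# as "Server:" / "Address:" do not match and are ignored.
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:has SRV record|service =)\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)

def parse_srv(output: str) -> Set[str]:
    """Return the SRV targets (lowercased, trailing dot removed) found in one lookup output."""
    targets = set()
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            targets.add(m.group("target").lower())
    return targets

def compare_dcs(outputs: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each queried DC to the targets advertised by some other DC but not by it.
    An empty set for every DC means the SRV records are consistent across DCs."""
    per_dc = {dc: parse_srv(out) for dc, out in outputs.items()}
    union = set().union(*per_dc.values()) if per_dc else set()
    return {dc: union - seen for dc, seen in per_dc.items()}

# Constructed sample: what each DC answered for _kerberos._tcp.example.com.
_ALL = ["addc-sub1", "addc2", "addc3", "addc-sub2", "addc-sub3", "addc-new"]
def _answer(server: str, hosts) -> str:
    lines = [f"Server: {server}", f"Address: {server}#53", ""]
    lines += [f"_kerberos._tcp.example.com service = 0 100 88 {h}.example.com." for h in hosts]
    return "\n".join(lines)

SAMPLE_OUTPUTS = {
    "addc-new": _answer("192.168.20.22", _ALL),          # new DC sees itself
    "addc2": _answer("192.168.20.2", _ALL[:-1]),          # addc2 has not got the new record
}

if __name__ == "__main__":
    for dc, missing in compare_dcs(SAMPLE_OUTPUTS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(sorted(missing))
        print(f"{dc}: {status}")
```

Run it against real captures from each DC to see which server is lagging; a DC that keeps showing a missing target after the replication interval points at that DC's DNS partition, not at the client's resolver.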