[Samba] DNS replication issue
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 18 15:29:35 UTC 2019
And that keytab file Rowland pointed to will most probably fix the replication problem.
And as Rowland pointed out,
> I would remove all the heartbeat hosts from /etc/hosts, they
> shouldn't be there and CTDB and AD DC are incompatible.
If your DNS/resolving setup is correct, this should be in the DNS.
Also,
> auth-nxdomain yes;
# Your AD-DC DNS is the authoritative server of your domain, so set it to yes.
Last, your package list is missing acl and xattr; you need these for your AD-DC (obligatory),
but that is unrelated to the DNS replication problems.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Wednesday 18 December 2019 15:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] DNS replication issue
>
> On 18/12/2019 14:07, Ilias Chasapakis forumZFD via samba wrote:
> > Hi Rowland,
> >
> > Thank you for replying. Please find the output here below. Just a
> > possible tip:
> >
> > _kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.
> >
> > output is present on the new machine but if we issue a host -t SRV
> > _kerberos._tcp.example.com on addc2 it does not appear in the list.
> >
> > Kind regards.
> >
> > Collected config --- 2019-12-18-20:30 -----------
> >
> > Hostname: addc-new
> > DNS Domain: example.com
> > FQDN: addc-new.example.com
> > ipaddress: 192.168.20.22 10.0.103.13
> >
> > -----------
> >
> > Kerberos SRV _kerberos._tcp.example.com record verified ok, sample output:
> > Server: 192.168.20.22
> > Address: 192.168.20.22#53
> >
> > _kerberos._tcp.example.com service = 0 100 88 addc-sub1.example.com.
> > _kerberos._tcp.example.com service = 0 100 88 addc2.example.com.
> > _kerberos._tcp.example.com service = 0 100 88 addc3.example.com.
> > _kerberos._tcp.example.com service = 0 100 88 addc-sub2.example.com.
> > _kerberos._tcp.example.com service = 0 100 88 addc-sub3.example.com.
> > _kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.
> > Samba is running as an AD DC
> >
> > -----------
> > Checking file: /etc/os-release
> >
> > PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> > NAME="Debian GNU/Linux"
> > VERSION_ID="10"
> > VERSION="10 (buster)"
> > VERSION_CODENAME=buster
> > ID=debian
> > HOME_URL="https://www.debian.org/"
> > SUPPORT_URL="https://www.debian.org/support"
> > BUG_REPORT_URL="https://bugs.debian.org/"
> >
> > -----------
> >
> >
> > This computer is running Debian 10.2 x86_64
> >
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1000
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > inet 127.0.0.1/8 scope host lo
> > inet6 ::1/128 scope host
> > 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> > link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff
> > inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3
> > inet6 fe80::5054:ff:fe86:8aba/64 scope link
> > 3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP group default qlen 1000
> > link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff
> > inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10
> > inet6 fe80::5054:ff:fe43:10d2/64 scope link
> >
> > -----------
> > Checking file: /etc/hosts
> >
> > 127.0.0.1 localhost
> > 192.168.20.22 addc-new.example.com addc-new
> > #list of heartbeat network hosts
> > #
> > 10.0.103.11 ctdb1.heartbeat.example ctdb1
> > 10.0.103.21 ctdb2.heartbeat.example ctdb2
> > 10.0.103.13 ad1.heartbeat.example ad1
> > 10.0.103.42 jumpi.heartbeat.example jumpi
> > 10.0.103.12 gluster1.heartbeat.example gluster1
> > 10.0.103.22 gluster2.heartbeat.example gluster2
> > 10.0.103.23 ad2.heartbeat.example ad2
> I would remove all the heartbeat hosts from /etc/hosts, they shouldn't
> be there and CTDB and AD DC are incompatible.
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
> > -----------
> >
> > Checking file: /etc/resolv.conf
> >
> > domain example.com
> > search example.com
> > nameserver 192.168.20.22
> >
> > -----------
> >
> > Checking file: /etc/krb5.conf
> >
> > [libdefaults]
> > default_realm = example.com
> The realm 'example.com' should be in uppercase 'EXAMPLE.COM'
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > -----------
> >
> > Checking file: /etc/nsswitch.conf
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: compat winbind
> > group: compat winbind
> > shadow: compat
> > gshadow: files
> >
> > hosts: files dns
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> >
> > -----------
> >
> > Checking file: /etc/samba/smb.conf
> >
> > # Global parameters
> > [global]
> > netbios name = ADDC-new
> > realm = example.com
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = ZFD
> > wins support = yes
> 'wins support' on an AD DC ????
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/example.com/scripts
> > read only = yes
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = yes
> >
> > -----------
> >
> > Detected bind DLZ enabled..
> > Checking file: /etc/bind/named.conf
> >
> > // This is the primary configuration file for the BIND DNS server named.
> > //
> > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> > // structure of BIND configuration files in Debian, *BEFORE* you customize
> > // this configuration file.
> > //
> > // If you are just adding zones, please do that in
> > /etc/bind/named.conf.local
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> >
> > -----------
> >
> > Checking file: /etc/bind/named.conf.options
> >
> > options {
> > directory "/var/cache/bind";
> >
> > // If there is a firewall between you and nameservers you want
> > // to talk to, you may need to fix the firewall to allow multiple
> > // ports to talk. See http://www.kb.cert.org/vuls/id/800113
> >
> > // If your ISP provided one or more IP addresses for stable
> > // nameservers, you probably want to use them as forwarders.
> > // Uncomment the following block, and insert the addresses replacing
> > // the all-0's placeholder.
> >
> > forwarders {
> > 192.168.20.1;
> > };
> > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >
> >
> > //========================================================================
> > // If BIND logs error messages about the root key being expired,
> > // you will need to update your keys. See https://www.isc.org/bind-keys
> >
> > //========================================================================
> > dnssec-validation no;
> > dnssec-enable no;
> > dnssec-lookaside no;
> >
> > auth-nxdomain no; # conform to RFC1035
> >
> > allow-recursion { any; };
> > allow-query { any; };
> > allow-query-cache { any; };
> >
> >
> > listen-on-v6 { any; };
> > };
>
> I would add these to named.conf.options:
>
> notify no;
> empty-zones-enable no;
> allow-transfer { none; };
> listen-on port 53 { any; };
>
> Also, I think you will find the dns.keytab here:
>
> /var/lib/samba/bind-dns/dns.keytab
>
> Rowland
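Added example, not part of the thread: a small shell check for the symptom Ilias describes, where the new DC's _kerberos._tcp SRV record is answered by addc-new but not by addc2. It parses two captured nslookup answers (constructed here from the thread's output; addc2's server address is a placeholder) and prints the SRV targets one DC knows and the other does not.

```shell
#!/bin/sh
# Added example, not from the thread: diff the _kerberos._tcp SRV answers
# two Samba AD DCs give, to spot a DC whose SRV record has not replicated
# into the other DC's DNS partition. Live usage would capture, per DC:
#   nslookup -type=SRV _kerberos._tcp.example.com <dc-ip> > answer-<dc>.txt
# The two answers below are constructed from the thread's output so that
# the script runs offline.

# srv_targets: read nslookup (or host) SRV output on stdin and print the
# sorted, de-duplicated target hostnames (the last field of each record).
srv_targets() {
    awk '/service = / || /has SRV record/ { print $NF }' | sort -u
}

# srv_missing FILE_A FILE_B: print targets that appear in FILE_A's answer
# but not in FILE_B's answer (comm -23 needs both lists sorted).
srv_missing() {
    a=$(mktemp); b=$(mktemp)
    srv_targets < "$1" > "$a"
    srv_targets < "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

ANSWER_NEW=$(mktemp)    # constructed: what addc-new itself answers
cat > "$ANSWER_NEW" <<'EOF'
Server:   192.168.20.22
Address:  192.168.20.22#53

_kerberos._tcp.example.com  service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc3.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc-sub3.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc-new.example.com.
EOF

ANSWER_ADDC2=$(mktemp)  # constructed: addc2's answer (placeholder address), new DC absent
cat > "$ANSWER_ADDC2" <<'EOF'
Server:   192.0.2.2
Address:  192.0.2.2#53

_kerberos._tcp.example.com  service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc3.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com  service = 0 100 88 addc-sub3.example.com.
EOF

missing=$(srv_missing "$ANSWER_NEW" "$ANSWER_ADDC2")
[ -n "$missing" ] && printf 'SRV targets addc-new knows but addc2 does not answer:\n%s\n' "$missing"
```

Run it against one captured answer per DC and the remaining lines are the records that have not replicated; an empty result on every pair means the SRV data is consistent.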