[Samba] DLZ Backend DNS Hosed

Rowland Penny rpenny at samba.org
Fri Jun 21 07:39:25 UTC 2019


On 20/06/2019 23:19, Matthew Delfino via samba wrote:
> I've been working on this problem for a few hours. Here are some updates:
>
>
> Many of the domains I listed are duplicates of domains managed by other DNS servers on my network. There was no point in having them in Samba AD, so I deleted the zones in Windows DNS Manager and created slaves in my named.conf.local folder, so that they'd pull the records from my authoritative BIND DNS server, which runs on good old fashioned flat files (the SOA for zones like mycompany.net and the PTR zones for all my subnets). I'm now down to two zones:
>
>
> Able to be edited: _msdcs.samdom.mycompany.net
> NOT able to be edited: samdom.mycompany.net

I read the output of Louis's script you posted and my first thought was, 
'why has he got dns domains that have nothing to do with AD ?'

In my opinion, you should only have the dns records for your Samba AD 
domain in AD, this should include any reverse zones.

>
>
> I believe these two zones to be the bare minimum I need to have everything working correctly.
>
>
> Closer inspection shows that I have no NS records and no SOA record in the "samdom.mycompany.net" zone.
>
>
>
> # samba_dnsupdate --verbose
> IPs: ['192.168.3.203']
> Looking for DNS entry A umbriel.samdom.mycompany.net 192.168.3.203 as umbriel.samdom.mycompany.net.
> Looking for DNS entry NS samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net.
> Traceback (most recent call last):
>    File "/usr/sbin/samba_dnsupdate", line 320, in check_dns_name
>      ans = check_one_dns_name(normalised_name, d.type, d)
>    File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
>      ans = resolver.query(name, name_type)
>    File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
>      raise NoNameservers
> dns.resolver.NoNameservers
>
>
> During handling of the above exception, another exception occurred:
>
>
> Traceback (most recent call last):
>    File "/usr/sbin/samba_dnsupdate", line 851, in <module>
>      elif not check_dns_name(d):
>    File "/usr/sbin/samba_dnsupdate", line 324, in check_dns_name
>      raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
> Exception: Unable to contact a working DNS server while looking for NS orbital.samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net.
>
>
> So, let's make those records, right? All attempts to add this info in the Properties window of DNS Manager end in a very unfriendly message:
>
>
> "Failure to write NS record <umbriel.samdom.mycompany.net.>
> The local security authority database contains an internal inconsistency."
>
>
> I try from samba-tool:
>
>
>
> # samba-tool dns add localhost samdom.mycompany.net samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator"
> Password for [ORBITAL\Administrator]:
> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run
>      raise e
>    File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run
>      0, server, zone, name, add_rec_buf, None)
>
>
> Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! Unsheathed by Matthew like Andúril by Aragorn:
>
>
>
> # samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone
> DNS records will be automatically created
> DNS partitions already exist
> dns-umbriel account already exists
> See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
> and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
>
>
> Take that, DNS problems! Right? Oh.... no... it didn't help AT ALL. Same results on every test.
>
>
> I'm feeling lonely here.

Do you have a backup?

I have had something similar happen, but with the reverse zone and I 
just deleted the zone and recreated it with samba-tool and then let the 
records be recreated. In your case, I would be tempted to 'upgrade' to 
the internal dns server and then 'upgrade' to the Bind9 server. This 
should recreate all the required zones and records.

> -----------
>    
>    
>         Checking file: /etc/resolv.conf
>    
>    
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.3.201
> nameserver 192.168.3.202
> search samdom.mycompany.net mycompany.net mycompany.com
I would remove any domains that are not the Samba dns domain.
>    
>         Checking file: /etc/samba/smb.conf
>    
>    
> # Global parameters
> [global]
>   netbios name = UMBRIEL
>   realm = SAMDOM.MYCOMPANY.NET
>   server role = active directory domain controller
>   #server services = -dns
>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>   workgroup = SAMDOM
>   idmap_ldb:use rfc2307 = yes
>   #dns forwarder = 8.8.4.4
>   #dns forwarder = 8.8.8.8
>   allow dns updates = disabled
Bad move, something needs to be able to update your dns records.
>   dsdb:schema update allowed = true
Remove this; it is only needed to extend the schema and can be used on 
the ldbmodify command line.
>
> -----------
>    
>    
> Detected bind DLZ enabled..
>         Checking file: /etc/bind/named.conf
>    
>      
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/bind-dns/named.conf";
>    
>    
> -----------
>    
>    
>         Checking file: /etc/bind/named.conf.options
>    
>    
> options {
>    
>    
>   auth-nxdomain yes;
>   directory "/var/cache/bind";
>   dnssec-validation auto;
>   empty-zones-enable no;
>   managed-keys-directory "/var/cache/bind/";
>   notify yes; // Not recommended.
>   tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS
>    
>    
>   allow-query {
>   any;
>   };
>    
>    
>   allow-recursion {
>   any;
>   };
>     
>   allow-transfer {
>   192.168.3.47;   // DNS2
>   192.168.3.48;   // DNS1
>   192.168.5.47;   // Opal
>   192.168.5.48;   // Pyrite
>   192.168.0.8;    // DNS3
>   192.168.0.9;    // DNS4
>   };
>    
>    
>   also-notify {
>   192.168.3.47;   // DNS2
>   192.168.3.48;   // DNS1
>   192.168.5.47;   // Opal
>   192.168.5.48;   // Pyrite
>   192.168.0.8;    // DNS3
>   192.168.0.9;    // DNS4
>   };
>    
>    
>   allow-notify {
>   192.168.3.47;   // DNS2
>   192.168.3.48;   // DNS1
>   192.168.5.47;   // Opal
>   192.168.5.48;   // Pyrite
>   192.168.0.8;    // DNS3
>   192.168.0.9;    // DNS4
>   };
>   
Please set your dns up correctly: first remove the 3 blocks above, 
forward anything outside your Samba dns domain to another external dns 
server, and inform any other, non-AD dns servers that you have where 
your AD domain is.
>    
> Installed packages:
> ii  acl                                   2.2.52-3                                   amd64        Access control list utilities
> ii  attr                                  1:2.4.47-2                                 amd64        Utilities for manipulating filesystem extended attributes
> hi  bind9                                 1:9.10.3.dfsg.P4-8ubuntu1.12               amd64        Internet Domain Name Server
> ii  bind9-doc                             1:9.10.3.dfsg.P4-8ubuntu1.14               all          Documentation for BIND
> ii  bind9-host                            1:9.10.3.dfsg.P4-8ubuntu1.12               amd64        Version of 'host' bundled with BIND 9.X
> ii  bind9utils                            1:9.10.3.dfsg.P4-8ubuntu1.12               amd64        Utilities for BIND
> ii  krb5-config                           2.3                                        all          Configuration files for Kerberos Version 5
> ii  krb5-locales                          1.13.2+dfsg-5ubuntu2.1                     all          Internationalization support for MIT Kerberos
> ii  krb5-multidev                         1.13.2+dfsg-5ubuntu2.1                     amd64        Development files for MIT Kerberos without Heimdal conflict
> ii  krb5-user                             1.13.2+dfsg-5ubuntu2.1                     amd64        Basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                         2.2.52-3                                   amd64        Access control list shared library
> ii  libacl1-dev                           2.2.52-3                                   amd64        Access control list static libraries and headers
> ii  libattr1:amd64                        1:2.4.47-2                                 amd64        Extended attribute shared library
> ii  libattr1-dev:amd64                    1:2.4.47-2                                 amd64        Extended attribute static libraries and headers
> ii  libbind9-140:amd64                    1:9.10.3.dfsg.P4-8ubuntu1.12               amd64        BIND9 Shared Library used by BIND
> ii  libgssapi-krb5-2:amd64                1.13.2+dfsg-5ubuntu2.1                     amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64              1.7~git20150920+dfsg-4ubuntu1.16.04.1      amd64        Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64                       1.13.2+dfsg-5ubuntu2.1                     amd64        MIT Kerberos runtime libraries
> ii  libkrb5-dev                           1.13.2+dfsg-5ubuntu2.1                     amd64        Headers and development libraries for MIT Kerberos
> ii  libkrb5support0:amd64                 1.13.2+dfsg-5ubuntu2.1                     amd64        MIT Kerberos runtime libraries - Support library
>    
>    
>
Something not quite right there, you do not seem to have Samba installed.

Rowland
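The BIND configuration Rowland describes, as an added example that is not part of the original thread and not Samba project code: the options block from the post with the allow-transfer / also-notify / allow-notify blocks removed, recursion restricted to internal clients, no zone transfers of the DLZ-served AD zones, and a forwarder for everything outside the AD domain, followed by the forward-zone stanza the non-AD flat-file BIND servers need so they know where samdom.mycompany.net lives. The "internal" ACL subnets, the forwarder addresses (the DNS1/DNS2 hosts from the post) and the DC address 192.168.3.203 (the IP printed by samba_dnsupdate above) are assumptions for illustration; substitute your own.

```bind
// /etc/bind/named.conf.options on the Samba AD DC (BIND9_DLZ backend).
// Added example, not from the thread. Subnets, forwarders and the DC
// address below are assumptions built from addresses seen in the post.

acl "internal" {
    127.0.0.1;
    192.168.0.0/24;
    192.168.3.0/24;
    192.168.5.0/24;
};

options {
    directory "/var/cache/bind";
    managed-keys-directory "/var/cache/bind/";
    auth-nxdomain yes;
    empty-zones-enable no;
    dnssec-validation auto;     // kept as in the post

    // Kerberos (GSS-TSIG) signed dynamic updates from samba_dnsupdate
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    // Everything this server is not authoritative for (anything outside the
    // AD zones served by the DLZ module) is handed to the existing resolvers.
    forwarders {
        192.168.3.48;   // DNS1 (assumed)
        192.168.3.47;   // DNS2 (assumed)
    };
    forward only;

    // Answer and recurse only for internal clients, never for the world.
    allow-query     { internal; };
    allow-recursion { internal; };

    // AD zones replicate between DCs over directory replication, not AXFR,
    // so the allow-transfer / also-notify / allow-notify blocks are gone:
    // no transfers, no notifies sent, defaults for who may notify us.
    allow-transfer { none; };
    notify no;
};

// /etc/bind/named.conf.local on the non-AD (flat-file) BIND servers:
// point them at the DC instead of hosting a copy of the AD zone.
// _msdcs.samdom.mycompany.net is covered by forwarding the parent,
// provided these servers define no local zone for it.
zone "samdom.mycompany.net" {
    type forward;
    forward only;
    forwarders { 192.168.3.203; };   // the DC; IP from the samba_dnsupdate output
};
```

Validate each file with `named-checkconf /etc/bind/named.conf` before reloading with `rndc reload`. Any slave copies of non-AD zones left in the DC's named.conf.local would be removed at the same time, since the forwarders now cover them. Note that this only fixes how queries and transfers flow; it does not recreate the missing SOA and NS records in samdom.mycompany.net, which is what Rowland's suggestion to run samba_upgradedns to the internal server and then back to BIND9_DLZ is meant to do.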
