[Samba] Invalid PTR record in reverse lookup zone
Rowland penny
rpenny at samba.org
Sun Nov 10 19:19:40 UTC 2019
On 10/11/2019 17:49, andi via samba wrote:
> Maybe one thing in advance: I'm using a typical DSL wallbox which is doing
> telephone, dhcp and dns (.183.1 address) I have setup its internal DNS so that
> ad.home.arpa, .ad.home.arpa and 183.168.192.in-addr.arpa are forwarded
> to the DC (.183.5 address)
Similar to my setup, except I have turned off dhcp etc.
The problem is that whilst dhcp on the router will work with your
Windows and Linux clients, it will not update dns records in AD and
linux clients will not attempt to update their records in AD, but
Windows clients will.
>
> Here is the output for the server:
>
>
> Collected config --- 2019-11-10-18:30 -----------
>
> Hostname: kronos
> DNS Domain: ad.home.arpa
> FQDN: kronos.ad.home.arpa
> ipaddress: 192.168.183.5 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx 2003:e3:5705:5200:f6xx:xxff:fexx:xxxxxx fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx
>
> -----------
>
> Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
> Server: 192.168.183.1
> Address: 192.168.183.1#53
>
> _kerberos._tcp.ad.home.arpa service = 0 100 88 kronos.ad.home.arpa.
> Samba is running as an AD DC
Interesting, the kerberos record should point to the DC, it seems to be
pointing to the router.
The AD DC should be authoritative for the AD dns domain.
>
> This computer is running Devuan beowulf/ceres x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether f4:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
> inet 192.168.183.5/24 brd 192.168.183.255 scope global dynamic eth0
> valid_lft 800299sec preferred_lft 800299sec
> inet6 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
> valid_lft 6558sec preferred_lft 1158sec
> inet6 2003:e3:5705:5200:f6xx:xxff:fexx:xxxx/64 scope global deprecated dynamic mngtmpaddr
> valid_lft 3695sec preferred_lft 0sec
> inet6 fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx/64 scope global dynamic mngtmpaddr
> valid_lft 6558sec preferred_lft 2958sec
> inet6 fe80::f6xx:xxff:fexx:xxxx/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
Please tell me that your DC isn't getting its IP from DHCP, if it is,
then change it to a fixed IP, it must have a fixed IP and there should
be a line in /etc/hosts similar to this:
192.168.183.5 kronos.ad.home.arpa kronos
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> domain ad.home.arpa
> search ad.home.arpa
> nameserver 192.168.183.1
Remove the 'domain' line
The 'nameserver' should point to the AD DC's IP address, not the router.
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = AD.HOME.ARPA
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files sss
> group: files sss
> shadow: files sss
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files sss
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
> sudoers: files sss
>
> -----------
If you wish your users to log into the DC, replace 'sss' with 'winbind'
in the 'passwd' & 'group' lines, remove 'sss' from the other lines and
'sudoers' will work from ldap if you install sudo-ldap. You should also
run 'apt-get purge sssd', you cannot use sssd with Samba >= 4.8.0
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> # dns forwarder = 192.168.183.1
Uncomment the line above, you need the forwarder
> netbios name = KRONOS
> realm = AD.HOME.ARPA
> server role = active directory domain controller
> workgroup = OLYMP
>
> idmap_ldb:use rfc2307 = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> #store dos attributes = yes
Remove the three lines above, they actually break your AD DC.
>
> kerberos method = system keytab
> # log level = 1 kerberos:12
> log level = 3 dns:2
> [netlogon]
> path = /var/lib/samba/sysvol/ad.home.arpa/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> -----------
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
> Installed packages:
> ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
> ii krb5-admin-server 1.17-3 amd64 MIT Kerberos master server (kadmind)
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-kdc 1.17-3 amd64 MIT Kerberos key server (KDC)
> ii krb5-kdc-ldap 1.17-3 amd64 MIT Kerberos key server (KDC) LDAP plugin
Remove 'krb5-kdc' & 'krb5-kdc-ldap', your Samba AD DC uses Heimdal, so
you shouldn't have another KDC.
> ii krb5-locales 1.17-3 all internationalization support for MIT Kerberos
> ii krb5-user 1.17-3 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
> ii libacl1-dev:amd64 2.2.53-4 amd64 access control list - static libraries and headers
> ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
> ii libattr1-dev:amd64 1:2.4.48-4 amd64 extended attributes handling - static libraries and headers
> ii libcrypt-smbhash-perl 0.12-4 all generate LM/NT hash of a password for samba
> ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - Support library
> ii libpam-krb5:amd64 4.8-2 amd64 PAM module for MIT Kerberos
> ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 shared library for communication with SMB/CIFS servers
> ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba winbind client library
> ii python-samba 2:4.9.5+dfsg-5+deb10u1 amd64 Python bindings for Samba
> ii samba 2:4.9.5+dfsg-5+deb10u1 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.9.5+dfsg-5+deb10u1 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba core libraries
> ii samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64 Samba Virtual FileSystem plugins
> ii smbclient 2:4.9.5+dfsg-5+deb10u1 amd64 command-line SMB/CIFS clients for Unix
> ii sssd-krb5 1.16.3-3.1 amd64 System Security Services Daemon -- Kerberos back end
> ii sssd-krb5-common 1.16.3-3.1 amd64 System Security Services Daemon -- Kerberos helpers
As I said, remove sssd.
> ii winbind 2:4.9.5+dfsg-5+deb10u1 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
>
>
> And for the client:
>
>
> Collected config --- 2019-11-10-18:36 -----------
>
> Hostname: iris
> DNS Domain: ad.home.arpa
> FQDN: iris.ad.home.arpa
> ipaddress: 192.168.183.22 2003:e3:570b:9400:4exx:xxff:fexx:xxxx fd1f:6d10:24a0:1:4exx:xxff:fexx:xxxx
>
> -----------
>
> Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
> Server: 127.0.0.1
> Address: 127.0.0.1#53
Again, that '127.0.0.1' should be the Samba AD DC's IP.
>
> _kerberos._tcp.ad.home.arpa service = 0 100 88 kronos.ad.home.arpa.
> Samba is not being run as a DC or a Unix domain member.
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Devuan GNU/Linux ascii"
> NAME="Devuan GNU/Linux"
> ID=devuan
> ID_LIKE=debian
> HOME_URL="https://www.devuan.org/"
> SUPPORT_URL="https://devuan.org/os/community"
> BUG_REPORT_URL="https://bugs.devuan.org/"
>
> -----------
>
>
> This computer is running Devuan ascii x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 4c:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
> inet 192.168.183.22/24 brd 192.168.183.255 scope global dynamic wlan0
> valid_lft 863507sec preferred_lft 863507sec
> inet6 2003:e3:570b:9400:4exx:xxff:fexx:xxxx/128 scope global dynamic
> valid_lft 6964sec preferred_lft 1564sec
> inet6 fd1f:6d10:24a0:1:4exx:xxff:fexx:xxxx/64 scope global noprefixroute dynamic
> valid_lft 6964sec preferred_lft 3364sec
> inet6 fe80::4exx:xxff:fexx:xxxx/64 scope link
> 3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> link/ether 50:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
> 4: enx000011121314: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> link/ether 00:00:11:12:13:14 brd ff:ff:ff:ff:ff:ff
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 iris.ad.home.arpa iris
> 127.0.0.1 localhost.localdomain localhost
If this client gets its IP via DHCP, then you only need: 127.0.0.1 localhost
Otherwise:
127.0.0.1 localhost
192.168.183.22 iris.ad.home.arpa iris
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by NetworkManager
> search ad.home.arpa
> nameserver 127.0.0.1
The nameserver should point to the AD DC
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files sss
> group: files sss
> shadow: files sss
> gshadow: files
>
> hosts: files mdns4_minimal dns myhostname
> networks: files
>
> protocols: db files
> services: db files sss
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
> sudoers: files sss
Again remove sssd.
>
> -----------
>
> Warning, does not exist
Oh dear, it looks like you do not have a smb.conf
>
> -----------
>
>
> Installed packages:
> ii acl 2.2.52-3+b1 amd64 Access control list utilities
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
> ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
> ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
> ii libdb-je-java 3.3.98-1 all Oracle Berkeley Database Java Edition
> ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libgssapi-krb5-2:i386 1.15-1+deb9u1 i386 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
> ii libkrb5-3:i386 1.15-1+deb9u1 i386 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
> ii libkrb5support0:i386 1.15-1+deb9u1 i386 MIT Kerberos runtime libraries - Support library
> ii libsmbclient:amd64 2:4.5.16+dfsg-1+deb9u2 amd64 shared library for communication with SMB/CIFS servers
> ii libwbclient0:amd64 2:4.5.16+dfsg-1+deb9u2 amd64 Samba winbind client library
> ii python-samba 2:4.5.16+dfsg-1+deb9u2 amd64 Python bindings for Samba
> ii samba-common 2:4.5.16+dfsg-1+deb9u2 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.5.16+dfsg-1+deb9u2 amd64 Samba common files used by both the server and the client
> ii samba-libs:amd64 2:4.5.16+dfsg-1+deb9u2 amd64 Samba core libraries
> ii spice-client-glib-usb-acl-helper 0.33-3.3+deb9u1 amd64 Helper tool to validate usb ACLs
> ii sssd-krb5 1.15.0-3 amd64 System Security Services Daemon -- Kerberos back end
> ii sssd-krb5-common 1.15.0-3 amd64 System Security Services Daemon -- Kerberos helpers
> ii vlc-plugin-samba:amd64 3.0.8-0+deb9u1 amd64 Samba plugin for VLC
Ah, that explains it, 'samba' isn't installed, remove the sssd files,
then install these:
samba attr winbind libpam-winbind libpam-krb5 libnss-winbind
You will then need a smb.conf similar to this:
[global]
workgroup = OLYMP
security = ADS
realm = AD.HOME.ARPA
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config OLYMP : backend = rid
idmap config OLYMP : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
domain master = no
local master = no
preferred master = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Create /etc/samba/user.map containing this:
!root = OLYMP\Administrator
The above uses the 'rid' backend, but if you have added rfc2307
attributes and want to use the 'ad' backend, then see here:
https://wiki.samba.org/index.php/Idmap_config_ad
Rowland
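The checks Rowland walks through above (nameserver pointing at the DC rather than the router, no 'domain' line in resolv.conf, a fixed-IP line for the DC in /etc/hosts, the hostname not mapped to 127.0.0.1, no 'sss' in nsswitch.conf, the SRV lookup answered by the DC) are mechanical enough to lint. The script below is an added example, not Samba project code or anything from the thread; the function names are the example's own, and the sample file contents are constructed from the kronos and iris output quoted above, plus a "fixed" DC config written to match the advice.

```python
"""Lint a Linux host's name-resolution files against the advice given in this
thread for a Samba AD DC and a domain member.  Added example, not Samba code;
the sample file contents are constructed from the thread's quoted output."""
import ipaddress
import re


def _strip(line):
    """Drop a trailing comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_resolv_conf(text):
    """Return (domain, search, nameservers) lists from resolv.conf text."""
    domain, search, nameservers = [], [], []
    for raw in text.splitlines():
        fields = _strip(raw).split()
        if not fields:
            continue
        key, vals = fields[0], fields[1:]
        if key == "domain":
            domain.extend(vals)
        elif key == "search":
            search.extend(vals)
        elif key == "nameserver":
            nameservers.extend(vals)
    return domain, search, nameservers


def parse_hosts(text):
    """Return [(ip, [names])] from /etc/hosts text, skipping unparsable lines."""
    entries = []
    for raw in text.splitlines():
        fields = _strip(raw).split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf text."""
    dbs = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if ":" in line:
            db, srcs = line.split(":", 1)
            dbs[db.strip()] = srcs.split()
    return dbs


def srv_answer_server(nslookup_output):
    """Return the address of the server that answered, from nslookup output."""
    m = re.search(r"^Server:\s*(\S+)", nslookup_output, re.MULTILINE)
    return m.group(1) if m else None


def check_host(fqdn, ip, dc_ip, is_dc, resolv_conf, hosts, nsswitch, nslookup_output=""):
    """Return a list of findings; an empty list means the files follow the advice."""
    findings = []
    short, ad_domain = fqdn.split(".", 1)
    domain, search, nameservers = parse_resolv_conf(resolv_conf)
    if domain:
        findings.append("resolv.conf: remove the 'domain' line")
    if dc_ip not in nameservers:
        findings.append(f"resolv.conf: nameserver must be the AD DC {dc_ip}, found {nameservers}")
    if ad_domain not in search:
        findings.append(f"resolv.conf: 'search' should include {ad_domain}")
    entries = parse_hosts(hosts)
    for e_ip, names in entries:
        # A host's own name must not resolve to loopback; the DC's records would then be wrong.
        if ipaddress.ip_address(e_ip).is_loopback and (fqdn in names or short in names):
            findings.append(f"hosts: {fqdn} must not be mapped to loopback {e_ip}")
    if is_dc and not any(e_ip == ip and names[:1] == [fqdn] for e_ip, names in entries):
        findings.append(f"hosts: DC needs the line '{ip} {fqdn} {short}'")
    dbs = parse_nsswitch(nsswitch)
    with_sss = sorted(db for db, srcs in dbs.items() if "sss" in srcs)
    if with_sss:
        findings.append(f"nsswitch.conf: remove 'sss' from {with_sss} (purge sssd)")
    if not is_dc:  # a domain member resolves users and groups through winbind
        for db in ("passwd", "group"):
            if "winbind" not in dbs.get(db, []):
                findings.append(f"nsswitch.conf: '{db}' line needs 'winbind'")
    server = srv_answer_server(nslookup_output)
    if server and server != dc_ip:
        findings.append(f"SRV lookup answered by {server}, not the AD DC {dc_ip}")
    return findings


# Constructed from the DC ("kronos") output quoted in the thread.
DC_RESOLV = "domain ad.home.arpa\nsearch ad.home.arpa\nnameserver 192.168.183.1\n"
DC_HOSTS = "127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback\n"
DC_NSSWITCH = "passwd: files sss\ngroup: files sss\nshadow: files sss\nhosts: files dns\nsudoers: files sss\n"
DC_NSLOOKUP = "Server: 192.168.183.1\nAddress: 192.168.183.1#53\n"
# Constructed from the client ("iris") output quoted in the thread.
CLIENT_RESOLV = "# Generated by NetworkManager\nsearch ad.home.arpa\nnameserver 127.0.0.1\n"
CLIENT_HOSTS = "127.0.0.1 iris.ad.home.arpa iris\n127.0.0.1 localhost.localdomain localhost\n"
CLIENT_NSSWITCH = "passwd: files sss\ngroup: files sss\nhosts: files mdns4_minimal dns myhostname\n"
CLIENT_NSLOOKUP = "Server: 127.0.0.1\nAddress: 127.0.0.1#53\n"
# Constructed: the DC's files rewritten the way the reply says they should look.
FIXED_DC_RESOLV = "search ad.home.arpa\nnameserver 192.168.183.5\n"
FIXED_DC_HOSTS = "127.0.0.1 localhost\n192.168.183.5 kronos.ad.home.arpa kronos\n"
FIXED_NSSWITCH = "passwd: files winbind\ngroup: files winbind\nhosts: files dns\n"


def audit_thread_hosts():
    """Run the checks over the constructed samples; returns {hostname: findings}."""
    return {
        "kronos": check_host("kronos.ad.home.arpa", "192.168.183.5", "192.168.183.5", True,
                             DC_RESOLV, DC_HOSTS, DC_NSSWITCH, DC_NSLOOKUP),
        "iris": check_host("iris.ad.home.arpa", "192.168.183.22", "192.168.183.5", False,
                           CLIENT_RESOLV, CLIENT_HOSTS, CLIENT_NSSWITCH, CLIENT_NSLOOKUP),
        "kronos-fixed": check_host("kronos.ad.home.arpa", "192.168.183.5", "192.168.183.5", True,
                                   FIXED_DC_RESOLV, FIXED_DC_HOSTS, FIXED_NSSWITCH),
    }


if __name__ == "__main__":
    for host, findings in audit_thread_hosts().items():
        print(f"{host}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run on the thread's samples it reports five findings for kronos, six for iris and none for the rewritten DC config; to use it on a real box, feed it the contents of /etc/resolv.conf, /etc/hosts and /etc/nsswitch.conf together with the output of `nslookup -type=SRV _kerberos._tcp.<realm>`.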