[Samba] DNS question

Christian chanlists at googlemail.com
Thu Sep 5 09:43:21 UTC 2019


OK... Voilà... Thanks,

Christian

Collected config  --- 2019-09-05-11:33 -----------

Hostname: dc1
DNS Domain: xxx.yyy.zzz
FQDN: dc1.xxx.yyy.zzz
ipaddress: 10.103.1.6 X.X.103.1

-----------

Kerberos SRV _kerberos._tcp.xxx.yyy.zzz record verified ok, sample output:
Server:        X.X.103.1
Address:    X.X.103.1#53

_kerberos._tcp.xxx.yyy.zzz    service = 0 100 88 dc1.xxx.yyy.zzz.
_kerberos._tcp.xxx.yyy.zzz    service = 0 100 88 dc2.xxx.yyy.zzz.
Samba is running as an AD DC

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 9.9 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 4c:ed:fb:91:aa:41 brd ff:ff:ff:ff:ff:ff
    inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
    inet6 fe80::4eed:fbff:fe91:aa41/64 scope link
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 4c:ed:fb:91:aa:42 brd ff:ff:ff:ff:ff:ff
    inet X.X.103.1/22 brd X.X.103.255 scope global eno1
    inet6 fe80::4eed:fbff:fe91:aa42/64 scope link

-----------
       Checking file: /etc/hosts

127.0.0.1    localhost
X.X.103.1    dc1.xxx.yyy.zzz    dc1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

       Checking file: /etc/resolv.conf

nameserver X.X.103.1
search xxx.yyy.zzz

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = YYY.XXX.ZZZ
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    ccache_type = 4

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

       Checking file: /etc/samba/smb.conf

# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = lo eno1
    netbios name = DC1
    realm = YYY.XXX.ZZZ
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = XXX
    idmap_ldb:use rfc2307 = yes
    winbind expand groups = 2
    wins support = yes
    ntlm auth = yes
    allow dns updates = disabled
    kdc:service ticket lifetime = 24
    kdc:user ticket lifetime = 24
    kdc:renewal lifetime = 168

[netlogon]
    path = /var/lib/samba/sysvol/xxx.yyy.zzz/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

-----------

Detected bind DLZ enabled..
       Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------

       Checking file: /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders. 
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
         X.X.1.32;
        X.X.1.40;
    };


    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain yes;    # conform to RFC1035 is no
    listen-on-v6 { any; };
        empty-zones-enable no;
        // https://wiki.samba.org/index.php/Dns-backend_bind
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

-----------

       Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the dlopen ( Bind DLZ ) module for samba.
// at install debian already sets the correct bind9.XX version in this file below.
include "/var/lib/samba/bind-dns/named.conf";

-----------

       Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

-----------

Samba DNS zone list:   5 zone(s) found

  pszZoneName                 : xxx.yyy.zzz
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz

  pszZoneName                 : 103.X.X.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz

  pszZoneName                 : 102.X.X.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz

  pszZoneName                 : 1.103.10.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz

  pszZoneName                 : _msdcs.xxx.yyy.zzz
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.xxx.yyy.zzz

Samba DNS zone list Automated check :
zone : xxx.yyy.zzz ok, no Bind flat-files found
-----------
zone : 103.X.X.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 102.X.X.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 1.103.10.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.xxx.yyy.zzz ok, no Bind flat-files found
-----------

Installed packages:
ii  acl                               2.2.52-3+b1                   amd64        Access control list utilities
ii  attr                              1:2.4.47-2+b2                 amd64        Utilities for manipulating filesystem extended attributes
ii  bind9                             1:9.10.3.dfsg.P4-12.3+deb9u5  amd64        Internet Domain Name Server
ii  bind9-host                        1:9.10.3.dfsg.P4-12.3+deb9u5  amd64        Version of 'host' bundled with BIND 9.X
ii  bind9utils                        1:9.10.3.dfsg.P4-12.3+deb9u5  amd64        Utilities for BIND
ii  exim4-daemon-heavy                4.89-2+deb9u5                 amd64        Exim MTA (v4) daemon with extended features, including exiscan-acl
ii  krb5-config                       2.6                           all          Configuration files for Kerberos Version 5
ii  krb5-locales                      1.15-1+deb9u1                 all          internationalization support for MIT Kerberos
ii  krb5-user                         1.15-1+deb9u1                 amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.52-3+b1                   amd64        Access control list shared library
ii  libacl1-dev                       2.2.52-3+b1                   amd64        Access control list static libraries and headers
ii  libattr1:amd64                    1:2.4.47-2+b2                 amd64        Extended attribute shared library
ii  libattr1-dev:amd64                1:2.4.47-2+b2                 amd64        Extended attribute static libraries and headers
ii  libbind9-140:amd64                1:9.10.3.dfsg.P4-12.3+deb9u5  amd64        BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1                 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u3          amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.15-1+deb9u1                 amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.15-1+deb9u1                 amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64              2:4.10.5+nmu-0debian0         amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64              2:4.10.5+nmu-0debian0         amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64                2:4.10.5+nmu-0debian0         amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                2:4.10.5+nmu-0debian0         amd64        Samba winbind client library
ii  openafs-krb5                      1.6.20-2+deb9u2               amd64        AFS distributed filesystem Kerberos 5 integration
ii  python3-samba                     2:4.10.5+nmu-0debian0         amd64        Python 3 bindings for Samba
ii  samba                             2:4.10.5+nmu-0debian0         amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.10.5+nmu-0debian0         all          common files used by both the Samba server and client
ii  samba-common-bin                  2:4.10.5+nmu-0debian0         amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64          2:4.10.5+nmu-0debian0         amd64        Samba Directory Services Database
ii  samba-libs:amd64                  2:4.10.5+nmu-0debian0         amd64        Samba core libraries
ii  samba-vfs-modules:amd64           2:4.10.5+nmu-0debian0         amd64        Samba Virtual FileSystem plugins
ii  smbclient                         2:4.10.5+nmu-0debian0         amd64        command-line SMB/CIFS clients for Unix
ii  winbind                           2:4.10.5+nmu-0debian0         amd64        service to resolve user and group information from Windows NT servers

-----------

On 05.09.2019 at 10:07, L.P.H. van Belle wrote:
> Hai, 
>
> Post me for both DCs the debug output of:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Anonymize it where needed.
>
> The problem you are having is due to.. "Something is not right."
> But what? That is not impossible to tell because we see any config.. 
> And why? Because this setup should work fine. We know it should work fine. 
>
> Greetz, 
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Christian via samba
>> Sent: Thursday 5 September 2019 10:01
>> To: samba at lists.samba.org
>> Subject: [Samba] DNS question
>>
>> Dear list,
>>
>> We use Debian stretch with Louis's 4.10.5 packages and the bind9_dlz
>> backend. There are two AD DCs with redundant ISC DHCP servers on them.
>> The DHCP servers are updating the DNS along the lines of
>>
>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>>
>> but with nsupdate commands replaced by suitable calls to "samba-tool" (I
>> had problems getting the nsupdate approach to work with the redundant
>> DHCP servers on the second server). I am trying to debug some strange
>> network issues right now. For example, when I ssh to the DCs, the login
>> process sometimes stalls for extended periods of time without even
>> asking for the username. Could DNS be part of the mix? Is using the
>> calls to samba-tool a bad idea? Could this be related to the "lockup
>> problem"?
>>
>> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#The_Lockup_Problem
>>
>> Would that be different if I use nsupdate vs samba-tool? Would I be
>> better off with the internal DNS? If I switch to the internal DNS, are
>> existing zones and entries transferred? Thanks for any insights and best
>> wishes,
>>
>> Christian
>>


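An added example, not code from the thread, from Samba or from the debug script: a small Python audit over the krb5.conf and smb.conf excerpts collected above, flagging the single-DES and RC4 enctypes still listed there (deprecated by RFC 6649 and RFC 8429) and "ntlm auth = yes", which permits NTLMv1. The embedded sample inputs are constructed from those excerpts with the mail wrapping undone; the parser is a deliberately minimal stand-in for the real krb5/smb.conf readers.

```python
# Sample inputs: constructed from the krb5.conf / smb.conf excerpts in the thread.
KRB5_CONF = """\
[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""
SMB_CONF = """\
[global]
    server role = active directory domain controller
    ntlm auth = yes
"""
# Single DES is deprecated by RFC 6649; RC4-HMAC and 3DES by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_ini(text):
    """Minimal [section] / key = value parser; enough for both files here."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            cfg[section][key.strip().lower()] = value.strip()
    return cfg

def weak_enctypes(krb5_cfg):
    """Map each [libdefaults] enctype list to the deprecated entries it allows."""
    libdefaults = krb5_cfg.get("libdefaults", {})
    result = {}
    for key in ENCTYPE_KEYS:
        weak = [e for e in libdefaults.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            result[key] = weak
    return result

def audit(krb5_text, smb_text):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = [f"krb5.conf {key} allows deprecated enctypes: {' '.join(weak)}"
                for key, weak in weak_enctypes(parse_ini(krb5_text)).items()]
    # 'ntlm auth = yes' re-enables NTLMv1; Samba's default since 4.5 is ntlmv2-only.
    ntlm = parse_ini(smb_text).get("global", {}).get("ntlm auth", "").lower()
    if ntlm in ("yes", "true", "1"):
        findings.append("smb.conf 'ntlm auth = yes' permits NTLMv1 authentication")
    return findings
```

Run audit() against the real /etc/krb5.conf and /etc/samba/smb.conf contents to get the same report for a live DC.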