[Samba] DNS question

Christian chanlists at googlemail.com
Thu Sep 5 13:24:50 UTC 2019


Hi,

On 05.09.2019 at 12:14, L.P.H. van Belle wrote:
> This does not look bad, pretty OK.
> 
> But I do have a question here.
> 
>> ipaddress: 10.103.1.6 X.X.103.1
> This indicated that the primary interface is eno2

In your script, that output is generated using hostname -I. Not sure why
eno2 pops up first. eno1 is the main interface. eno1 is first in
/etc/network/interfaces, and the default route is on that. However, eno2
also appears first in the output of ip a (see below). Does this order
have any implications, or how is it set?

>> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
>> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1
> 
> Since I'm not seeing the routing table, that could be a point of improvement.
> Check the default with : route |grep default

default         gate-w1-0-vl103 0.0.0.0         UG    0      0        0 eno1

So that seems OK.

> Hostfile only has
>> X.X.103.1    dc1.xxx.yyy.zzz    dc1
> Kerberos points to : X.X.103.1 
> 
> Smb.conf point to eno1 ( X.X.103.1 ) 
>>     interfaces = lo eno1
> 
> That's the first thing I see.
> 
> To what is the PTR record of dc1 set? The IP of eno1 or eno2?

eno1

Cheers

Christian

>> -----Original message-----
>> From: Christian [mailto:chanlists at googlemail.com]
>> Sent: Thursday 5 September 2019 11:43
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] DNS question
>>
>> OK... Voilà... Thanks,
>>
>> Christian
>>
>> Collected config  --- 2019-09-05-11:33 -----------
>>
>> Hostname: dc1
>> DNS Domain: xxx.yyy.zzz
>> FQDN: dc1.xxx.yyy.zzz
>> ipaddress: 10.103.1.6 X.X.103.1
>>
>> -----------
>>
>> Kerberos SRV _kerberos._tcp.xxx.yyy.zzz record verified ok, 
>> sample output:
>> Server:        X.X.103.1
>> Address:    X.X.103.1#53
>>
>> _kerberos._tcp.xxx.yyy.zzz    service = 0 100 88 dc1.xxx.yyy.zzz.
>> _kerberos._tcp.xxx.yyy.zzz    service = 0 100 88 dc2.xxx.yyy.zzz.
>> Samba is running as an AD DC
>>
>> -----------
>>        Checking file: /etc/os-release
>>
>> PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
>> NAME="Debian GNU/Linux"
>> VERSION_ID="9"
>> VERSION="9 (stretch)"
>> ID=debian
>> HOME_URL="https://www.debian.org/"
>> SUPPORT_URL="https://www.debian.org/support"
>> BUG_REPORT_URL="https://bugs.debian.org/"
>>
>> -----------
>>
>>
>> This computer is running Debian 9.9 x86_64
>>
>> -----------
>> running command : ip a
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
>> group default qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>     inet6 ::1/128 scope host
>> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>> group default qlen 1000
>>     link/ether 4c:ed:fb:91:aa:41 brd ff:ff:ff:ff:ff:ff
>>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
>>     inet6 fe80::4eed:fbff:fe91:aa41/64 scope link
>> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>> group default qlen 1000
>>     link/ether 4c:ed:fb:91:aa:42 brd ff:ff:ff:ff:ff:ff
>>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1
>>     inet6 fe80::4eed:fbff:fe91:aa42/64 scope link
>>
>> -----------
>>        Checking file: /etc/hosts
>>
>> 127.0.0.1    localhost
>> X.X.103.1    dc1.xxx.yyy.zzz    dc1
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1     ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> -----------
>>
>>        Checking file: /etc/resolv.conf
>>
>> nameserver X.X.103.1
>> search xxx.yyy.zzz
>>
>> -----------
>>
>>        Checking file: /etc/krb5.conf
>>
>> [libdefaults]
>>     default_realm = YYY.XXX.ZZZ
>>     dns_lookup_kdc = true
>>     dns_lookup_realm = false
>>     forwardable = true
>>     proxiable = true
>>     ticket_lifetime = 24h
>>     renew_lifetime = 7d
>>     ccache_type = 4
>>
>>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>     permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>
>> -----------
>>
>>        Checking file: /etc/nsswitch.conf
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat
>> group:          compat
>> shadow:         compat
>> gshadow:        files
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>> -----------
>>
>>        Checking file: /etc/samba/smb.conf
>>
>> # Global parameters
>> [global]
>>     bind interfaces only = Yes
>>     interfaces = lo eno1
>>     netbios name = DC1
>>     realm = YYY.XXX.ZZZ
>>     server role = active directory domain controller
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>     workgroup = XXX
>>     idmap_ldb:use rfc2307 = yes
>>     winbind expand groups = 2
>>     wins support = yes
>>     ntlm auth = yes
>>     allow dns updates = disabled
>>     kdc:service ticket lifetime = 24
>>     kdc:user ticket lifetime = 24
>>     kdc:renewal lifetime = 168
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/xxx.yyy.zzz/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> -----------
>>
>> Detected bind DLZ enabled..
>>        Checking file: /etc/bind/named.conf
>>
>> // This is the primary configuration file for the BIND DNS server named.
>> //
>> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>> // structure of BIND configuration files in Debian, *BEFORE* you customize
>> // this configuration file.
>> //
>> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> -----------
>>
>>        Checking file: /etc/bind/named.conf.options
>>
>> options {
>>     directory "/var/cache/bind";
>>
>>     // If there is a firewall between you and nameservers you want
>>     // to talk to, you may need to fix the firewall to allow multiple
>>     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>>
>>     // If your ISP provided one or more IP addresses for stable
>>     // nameservers, you probably want to use them as forwarders. 
>>     // Uncomment the following block, and insert the addresses replacing
>>     // the all-0's placeholder.
>>
>>     forwarders {
>>          X.X.1.32;
>>         X.X.1.40;
>>     };
>>
>>     //========================================================================
>>     // If BIND logs error messages about the root key being expired,
>>     // you will need to update your keys.  See https://www.isc.org/bind-keys
>>     //========================================================================
>>     dnssec-validation auto;
>>
>>     auth-nxdomain yes;    # conform to RFC1035 is no
>>     listen-on-v6 { any; };
>>         empty-zones-enable no;
>>         // https://wiki.samba.org/index.php/Dns-backend_bind
>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> -----------
>>
>>        Checking file: /etc/bind/named.conf.local
>>
>> //
>> // Do any local configuration here
>> //
>>
>> // Consider adding the 1918 zones here, if they are not used in your
>> // organization
>> //include "/etc/bind/zones.rfc1918";
>>
>> // adding the dlopen ( Bind DLZ ) module for samba.
>> // at install debian already sets the correct bind9.XX version in this file below.
>> include "/var/lib/samba/bind-dns/named.conf";
>>
>> -----------
>>
>>        Checking file: /etc/bind/named.conf.default-zones
>>
>> // prime the server with knowledge of the root servers
>> zone "." {
>>     type hint;
>>     file "/etc/bind/db.root";
>> };
>>
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>>     type master;
>>     file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.255";
>> };
>>
>> -----------
>>
>> Samba DNS zone list:   5 zone(s) found
>>
>>   pszZoneName                 : xxx.yyy.zzz
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
>>
>>   pszZoneName                 : 103.X.X.in-addr.arpa
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
>>
>>   pszZoneName                 : 102.X.X.in-addr.arpa
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
>>
>>   pszZoneName                 : 1.103.10.in-addr.arpa
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
>>
>>   pszZoneName                 : _msdcs.xxx.yyy.zzz
>>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>   Version                     : 50
>>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>   pszDpFqdn                   : ForestDnsZones.xxx.yyy.zzz
>>
>> Samba DNS zone list Automated check :
>> zone : xxx.yyy.zzz ok, no Bind flat-files found
>> -----------
>> zone : 103.X.X.in-addr.arpa ok, no Bind flat-files found
>> -----------
>> zone : 102.X.X.in-addr.arpa ok, no Bind flat-files found
>> -----------
>> zone : 1.103.10.in-addr.arpa ok, no Bind flat-files found
>> -----------
>> zone : _msdcs.xxx.yyy.zzz ok, no Bind flat-files found
>> -----------
>>
>> Installed packages:
>> ii  acl                               2.2.52-3+b1                   amd64        Access control list utilities
>> ii  attr                              1:2.4.47-2+b2                 amd64        Utilities for manipulating filesystem extended attributes
>> ii  bind9                             1:9.10.3.dfsg.P4-12.3+deb9u5  amd64        Internet Domain Name Server
>> ii  bind9-host                        1:9.10.3.dfsg.P4-12.3+deb9u5  amd64        Version of 'host' bundled with BIND 9.X
>> ii  bind9utils                        1:9.10.3.dfsg.P4-12.3+deb9u5  amd64        Utilities for BIND
>> ii  exim4-daemon-heavy                4.89-2+deb9u5                 amd64        Exim MTA (v4) daemon with extended features, including exiscan-acl
>> ii  krb5-config                       2.6                           all          Configuration files for Kerberos Version 5
>> ii  krb5-locales                      1.15-1+deb9u1                 all          internationalization support for MIT Kerberos
>> ii  krb5-user                         1.15-1+deb9u1                 amd64        basic programs to authenticate using MIT Kerberos
>> ii  libacl1:amd64                     2.2.52-3+b1                   amd64        Access control list shared library
>> ii  libacl1-dev                       2.2.52-3+b1                   amd64        Access control list static libraries and headers
>> ii  libattr1:amd64                    1:2.4.47-2+b2                 amd64        Extended attribute shared library
>> ii  libattr1-dev:amd64                1:2.4.47-2+b2                 amd64        Extended attribute static libraries and headers
>> ii  libbind9-140:amd64                1:9.10.3.dfsg.P4-12.3+deb9u5  amd64        BIND9 Shared Library used by BIND
>> ii  libgssapi-krb5-2:amd64            1.15-1+deb9u1                 amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
>> ii  libkrb5-26-heimdal:amd64          7.1.0+dfsg-13+deb9u3          amd64        Heimdal Kerberos - libraries
>> ii  libkrb5-3:amd64                   1.15-1+deb9u1                 amd64        MIT Kerberos runtime libraries
>> ii  libkrb5support0:amd64             1.15-1+deb9u1                 amd64        MIT Kerberos runtime libraries - Support library
>> ii  libnss-winbind:amd64              2:4.10.5+nmu-0debian0         amd64        Samba nameservice integration plugins
>> ii  libpam-winbind:amd64              2:4.10.5+nmu-0debian0         amd64        Windows domain authentication integration plugin
>> ii  libsmbclient:amd64                2:4.10.5+nmu-0debian0         amd64        shared library for communication with SMB/CIFS servers
>> ii  libwbclient0:amd64                2:4.10.5+nmu-0debian0         amd64        Samba winbind client library
>> ii  openafs-krb5                      1.6.20-2+deb9u2               amd64        AFS distributed filesystem Kerberos 5 integration
>> ii  python3-samba                     2:4.10.5+nmu-0debian0         amd64        Python 3 bindings for Samba
>> ii  samba                             2:4.10.5+nmu-0debian0         amd64        SMB/CIFS file, print, and login server for Unix
>> ii  samba-common                      2:4.10.5+nmu-0debian0         all          common files used by both the Samba server and client
>> ii  samba-common-bin                  2:4.10.5+nmu-0debian0         amd64        Samba common files used by both the server and the client
>> ii  samba-dsdb-modules:amd64          2:4.10.5+nmu-0debian0         amd64        Samba Directory Services Database
>> ii  samba-libs:amd64                  2:4.10.5+nmu-0debian0         amd64        Samba core libraries
>> ii  samba-vfs-modules:amd64           2:4.10.5+nmu-0debian0         amd64        Samba Virtual FileSystem plugins
>> ii  smbclient                         2:4.10.5+nmu-0debian0         amd64        command-line SMB/CIFS clients for Unix
>> ii  winbind                           2:4.10.5+nmu-0debian0         amd64        service to resolve user and group information from Windows NT servers
>>
>> -----------
>>
>> On 05.09.2019 at 10:07, L.P.H. van Belle wrote:
>>> Hai, 
>>>
>>> Post me for both DC the debug output of: 
>>>
>>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>>>
>>> Anonymize it where needed.
>>>
>>> The problem you are having is due to.. "Something is not right."
>>> But what? That is not impossible to tell because we see any config..
>>> And why? Because this setup should work fine. We know it should work fine.
>>>
>>> Greetz, 
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Christian via samba
>>>> Sent: Thursday 5 September 2019 10:01
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] DNS question
>>>>
>>>> Dear list,
>>>>
>>>> we use debian stretch with Louis's 4.10.5 packages and bind9_dlz
>>>> backend. There are two AD DCs with redundant ISC DHCP servers on them.
>>>> The DHCP servers are updating the DNS along the lines of
>>>>
>>>> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>>>>
>>>> but with nsupdate commands replaced by suitable calls to "samba-tool" (I
>>>> had problems getting the nsupdate approach to work with the redundant
>>>> dhcp servers on the second server). I am trying to debug some strange
>>>> network issues right now. For example, when I ssh to the DCs, the login
>>>> process sometimes stalls for extended periods of time without even
>>>> asking for the username. Could DNS be part of the mix? Is using the
>>>> calls to samba-tool a bad idea? Could this be related to the "lockup
>>>> problem"?
>>>>
>>>> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#The_Lockup_Problem
>>>>
>>>> Would that be different if I use nsupdate vs samba-tool? Would I be
>>>> better off with the internal DNS? If I switch to the internal DNS, are
>>>> existing zones and entries transferred? Thanks for any insights and best
>>>> wishes,
>>>>
>>>> Christian
>>>>
>>
>>
> 
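Louis's questions above boil down to one check: does every place that names dc1 (the default route, the address on that interface, /etc/hosts, the smb.conf "interfaces =" line and the PTR record) agree on the eno1 address, rather than the eno2 address that hostname -I happens to list first? The POSIX sh script below is an added example written for this page; it is not from the thread and is not part of Louis's samba-collect-debug-info.sh. It parses "ip route" (rather than the "route" output quoted above), "ip -o -4 addr show", /etc/hosts and smb.conf, compares them with the name a reverse lookup returns, and reports each disagreement. The addresses, names and file contents in the block are constructed samples: 192.0.2.1 and dc1.example.test stand in for the anonymised X.X.103.1 and dc1.xxx.yyy.zzz; only live_check touches a real system.

```shell
#!/bin/sh
# Added example for this thread (not from it, nor from samba-collect-debug-info.sh).
# Each parser reads one command's output on stdin, so the checks run on captured
# text (the constructed samples below) as well as live output (see live_check).

# Interface carrying the default route, from "ip route" output.
default_iface() {
    while read -r dst rest; do
        [ "$dst" = default ] || continue
        set -- $rest
        while [ $# -ge 2 ]; do
            [ "$1" = dev ] && { printf '%s\n' "$2"; return 0; }
            shift
        done
    done
    return 1
}
# IPv4 address (prefix length stripped) of interface $1, from "ip -o -4 addr show".
iface_ipv4() {
    while read -r _idx ifname fam addr _rest; do
        if [ "$ifname" = "$1" ] && [ "$fam" = inet ]; then
            printf '%s\n' "${addr%/*}"; return 0
        fi
    done
    return 1
}
# Address that /etc/hosts maps name $1 to (first match wins, as glibc does).
hosts_ipv4() {
    while read -r addr names; do
        case "$addr" in ''|'#'*) continue ;; esac
        for n in $names; do
            [ "$n" = "$1" ] && { printf '%s\n' "$addr"; return 0; }
        done
    done
    return 1
}
# Value of the "interfaces =" parameter in smb.conf text (leading blanks trimmed).
smb_interfaces() {
    while read -r line; do
        case "$line" in
            interfaces*=*) v=${line#*=}; lead=${v%%[! ]*}
                           printf '%s\n' "${v#$lead}"; return 0 ;;
        esac
    done
    return 1
}
# Cross-check every source of "which address is this DC" and report each
# disagreement; $6 is the name "dig -x <addr> +short" returned for that address.
# Returns 0 only when route, address, /etc/hosts, smb.conf and PTR all agree.
dc_address_check() {
    route_out=$1 addr_out=$2 hosts_out=$3 smb_out=$4 fqdn=$5 ptr_name=${6%.}
    status=0
    gw_if=$(printf '%s\n' "$route_out" | default_iface) ||
        { echo "FAIL: no default route"; return 1; }
    gw_ip=$(printf '%s\n' "$addr_out" | iface_ipv4 "$gw_if") ||
        { echo "FAIL: no IPv4 address on $gw_if"; return 1; }
    echo "default route leaves via $gw_if ($gw_ip)"
    if h_ip=$(printf '%s\n' "$hosts_out" | hosts_ipv4 "$fqdn"); then
        [ "$h_ip" = "$gw_ip" ] ||
            { echo "FAIL: /etc/hosts maps $fqdn to $h_ip, not $gw_ip"; status=1; }
    else
        echo "FAIL: $fqdn has no /etc/hosts entry"; status=1
    fi
    if ifaces=$(printf '%s\n' "$smb_out" | smb_interfaces); then
        case " $ifaces " in
            *" $gw_if "*) ;;
            *) echo "FAIL: smb.conf interfaces = $ifaces omits $gw_if"; status=1 ;;
        esac
    fi
    [ "$ptr_name" = "$fqdn" ] ||
        { echo "FAIL: PTR for $gw_ip gives '$ptr_name', expected $fqdn"; status=1; }
    return $status
}

# Live run on a DC (not executed here); dig is in Debian's dnsutils package.
live_check() {
    routes=$(ip route) && addrs=$(ip -o -4 addr show) || return 1
    ifc=$(printf '%s\n' "$routes" | default_iface) || return 1
    ip4=$(printf '%s\n' "$addrs" | iface_ipv4 "$ifc") || return 1
    dc_address_check "$routes" "$addrs" "$(cat /etc/hosts)" \
        "$(cat /etc/samba/smb.conf)" "$(hostname -f)" "$(dig -x "$ip4" +short)"
}

# Constructed sample data shaped like the thread's output: 192.0.2.1 stands in
# for the anonymised X.X.103.1 on eno1, dc1.example.test for the real FQDN.
ROUTE_SAMPLE='default via 192.0.2.254 dev eno1 onlink
10.103.1.0/24 dev eno2 proto kernel scope link src 10.103.1.6
192.0.2.0/24 dev eno1 proto kernel scope link src 192.0.2.1'
ADDR_SAMPLE='2: eno2    inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
3: eno1    inet 192.0.2.1/24 brd 192.0.2.255 scope global eno1'
HOSTS_SAMPLE='127.0.0.1 localhost
192.0.2.1 dc1.example.test dc1'
SMB_SAMPLE='[global]
    bind interfaces only = Yes
    interfaces = lo eno1'

dc_address_check "$ROUTE_SAMPLE" "$ADDR_SAMPLE" "$HOSTS_SAMPLE" "$SMB_SAMPLE" \
    dc1.example.test dc1.example.test. && echo consistent || echo inconsistent
```

On a DC, source the file and call live_check; a FAIL line pointing at /etc/hosts or at the PTR record is exactly the eno1/eno2 mix-up this thread is chasing, since Kerberos and DNS clients reach the DC through the name-to-address mapping, not through the order in which hostname -I lists the addresses.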



