[Samba] New DNS-Records not available

Christian Naumer cn at brain-biotech.de
Tue Feb 11 08:22:39 UTC 2020


Hi Louis.

On 10.02.20 at 16:44, L.P.H. van Belle via samba wrote:
> Hai Christian, 
> 
>> Can someone reproduce this?
> No, tried, but sorry, works fine for me on my 4.11.6 server. 
> 
> And what if you try it like this?
> 
> samba-tool dns add dc1.zone1.domain.de 0.168.192.in-addr.arpa 157 PTR zone1.domain.de -U Administrator

This creates this entry (output from host 192.168.2.157, host
192.168.0.157 returns NXDOMAIN):

157.2.168.192.in-addr.arpa domain name pointer zone1.hq.brain-biotech.de.




> samba-tool dns add dc1.zone1.domain.de 2.168.192.in-addr.arpa 157 PTR zone2.domain.de -U Administrator

This creates the right record:

157.2.168.192.in-addr.arpa domain name pointer zone2.hq.brain-biotech.de.

I tested some more. I have these zones:

0.168.192.in-addr.arpa
1.168.192.in-addr.arpa
2.168.192.in-addr.arpa
3.168.192.in-addr.arpa
4.168.192.in-addr.arpa
5.168.192.in-addr.arpa
6.168.192.in-addr.arpa
7.168.192.in-addr.arpa

I can create the right record in all zones except "0", where it is then
created in "2" (not in "1"), only if there is already a record with the
same last digit. The zones 0, 1 and 2 contain ~100-200 records, the rest
only 10 or so.

In another attempt I deleted all the records I created in the test and
tried again. Strangely it only happens if in zone "2" there is a record
with the same last digit. Then the new record is created in zone "2"
although I want it in zone "0".

It also works if in zone "0" there is an entry and I try to create zone
in zone "2". The record is then created in zone "0".


Here is a sequence of commands used with a d10:

Add a record in zone "2":

samba-tool dns add dc1.domain.de 2.168.192.in-addr.arpa 157 PTR zone0.domain.de -U Administrator
Password for [DOMAIN-02\Administrator]:
Record added successfully

Check record:

host 192.168.2.157
157.2.168.192.in-addr.arpa domain name pointer zone0.domain.de.


Add the record in zone "0" with d10:

samba-tool dns add dc1.domain.de 0.168.192.in-addr.arpa 157 PTR zone0.domain.de -d10 -U Administrator

INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:dc1.domain.de[,sign]
Mapped to DCERPC endpoint 135
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain.de<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
rpc request data:
rpc reply data:
Mapped to DCERPC endpoint 49153
resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain.de<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [DOMAIN-02\Administrator]:
Received smb_krb5 packet of length 313
Received smb_krb5 packet of length 189
kinit for Administrator at DOMAIN.DE succeeded
gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x209f180
gensec_update_send: spnego[0x20a1450]: subreq: 0x208fe80
gensec_update_done: gssapi_krb5[0x20a1840]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x209f180/../../source4/auth/gensec/gensec_gssapi.c:1057]:
state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
(0x209f330)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1067]
gensec_update_done: spnego[0x20a1450]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x208fe80/../../auth/gensec/spnego.c:1631]: state[2] error[0
(0x0)]  state[struct gensec_spnego_update_state (0x2090030)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
dcerpc_pull_auth_trailer: auth_pad_length 0
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x20a2550
gensec_update_send: spnego[0x20a1450]: subreq: 0x2094480
gensec_update_done: gssapi_krb5[0x20a1840]: NT_STATUS_OK
tevent_req[0x20a2550/../../source4/auth/gensec/gensec_gssapi.c:1057]:
state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
(0x20a2700)] timer[(nil)]
finish[../../source4/auth/gensec/gensec_gssapi.c:1074]
gensec_update_done: spnego[0x20a1450]:
NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x2094480/../../auth/gensec/spnego.c:1631]: state[2] error[0
(0x0)]  state[struct gensec_spnego_update_state (0x2094630)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
dcerpc_pull_auth_trailer: auth_pad_length 0
gensec_update_send: spnego[0x20a1450]: subreq: 0x2094430
gensec_update_done: spnego[0x20a1450]: NT_STATUS_OK
tevent_req[0x2094430/../../auth/gensec/spnego.c:1631]: state[2] error[0
(0x0)]  state[struct gensec_spnego_update_state (0x20945e0)]
timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
rpc request data:
     t: struct dcerpc_sec_verification_trailer
        _pad                     : DATA_BLOB length=0
        magic                    : 0000000000000000
        count: struct dcerpc_sec_vt_count
            count                    : 0x0002 (2)
        commands: ARRAY(2)
            commands: struct dcerpc_sec_vt
                command                  : 0x0001 (1)
                    0x01: DCERPC_SEC_VT_COMMAND_ENUM (1)
                       0: DCERPC_SEC_VT_COMMAND_END
                       0: DCERPC_SEC_VT_MUST_PROCESS
                u                        : union
dcerpc_sec_vt_union(case 0x1)
                bitmask1                 : 0x00000001 (1)
                       1: DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING
            commands: struct dcerpc_sec_vt
                command                  : 0x4002 (16386)
                    0x02: DCERPC_SEC_VT_COMMAND_ENUM (2)
                       1: DCERPC_SEC_VT_COMMAND_END
                       0: DCERPC_SEC_VT_MUST_PROCESS
                u                        : union
dcerpc_sec_vt_union(case 0x2)
                pcontext: struct dcerpc_sec_vt_pcontext
                    abstract_syntax: struct ndr_syntax_id
                        uuid                     :
50abc2a4-574d-40b3-9d66-ee4fd5fba076
                        if_version               : 0x00000005 (5)
                    transfer_syntax: struct ndr_syntax_id
                        uuid                     :
8a885d04-1ceb-11c9-9fe8-08002b104860
                        if_version               : 0x00000002 (2)
dcerpc_pull_auth_trailer: auth_pad_length 12
rpc reply data:
[0000] EF 25 00 00                                        .%..
ERROR(runtime): uncaught exception - (9711,
'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py",
line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line
945, in run
    raise e
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line
941, in run
    0, server, zone, name, add_rec_buf, None)

It says it already exists. But it does not exist in zone "0", only in "2".

Anything more I can do?




> 
> I tested on my production where I have 6 forward/reverse zones in use. 
> 
> Is the hostname "dc1" also in other zones? 
> Yes, use FQDN as I showed and test it.
> No, we need to investigate more, most probably. 

-- 
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Executive Board: Adriaan Moelker (Chairman), 
Manfred Bender, Ludger Roedder
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
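
An added example, not part of the original message or of Samba: a small check that compares the reverse zone a PTR record was meant for with the owner name that `host` actually reports, flagging a record that landed in a different zone as described above. The function names are hypothetical and the sample `host` output is constructed from the names used in the message.

```python
import ipaddress

# Constructed sample: what `host 192.168.2.157` and `host 192.168.0.157` print
# when the record meant for zone "0" ended up in zone "2".
SAMPLE_HOST_OUTPUT = """\
157.2.168.192.in-addr.arpa domain name pointer zone1.domain.de.
157.2.168.192.in-addr.arpa domain name pointer zone2.domain.de.
Host 157.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
"""

# (zone, name, target) exactly as passed to `samba-tool dns add ... PTR ...`
INTENDED = [
    ("0.168.192.in-addr.arpa", "157", "zone1.domain.de"),
    ("2.168.192.in-addr.arpa", "157", "zone2.domain.de"),
]

def expected_owner(zone, name):
    """Owner name the PTR record should get inside the requested zone."""
    return f"{name}.{zone}".rstrip(".").lower()

def owner_to_ip(owner):
    """Convert an in-addr.arpa owner name back to its IPv4 address."""
    labels = owner.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {owner}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))

def parse_host_output(text):
    """Map owner name -> set of PTR targets; NXDOMAIN lines are skipped."""
    records = {}
    for line in text.splitlines():
        parts = line.split(" domain name pointer ")
        if len(parts) == 2:
            owner = parts[0].strip().rstrip(".").lower()
            records.setdefault(owner, set()).add(parts[1].strip().rstrip(".").lower())
    return records

def misplaced(intended, host_output):
    """Return (ip, expected owner, owners where the target was found instead)."""
    observed = parse_host_output(host_output)
    findings = []
    for zone, name, target in intended:
        owner = expected_owner(zone, name)
        if target.lower() in observed.get(owner, set()):
            continue  # record is where it was requested
        elsewhere = sorted(o for o, targets in observed.items()
                           if target.lower() in targets and o.split(".", 1)[0] == name)
        findings.append((owner_to_ip(owner), owner, elsewhere))
    return findings

if __name__ == "__main__":
    for ip, owner, elsewhere in misplaced(INTENDED, SAMPLE_HOST_OUTPUT):
        print(f"{ip}: no PTR at {owner}; target found at {elsewhere or 'nowhere'}")
```
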


