[Samba] New DNS-Records not available

L.P.H. van Belle belle at bazuin.nl
Tue Feb 11 09:14:28 UTC 2020


@Heinz,
Thanks for testing as well, but what is your Samba version and OS, and is it packaged Samba or compiled Samba?
That keeps the info a bit more complete.


@Christian, can you try to purge the deleted DNS records?
Can you also add the debug 10 log, shown below, to this bug report?
https://bugzilla.samba.org/show_bug.cgi?id=14268 

I'll retest it here later on today with a few more zones.
But I must finish some work first.


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Naumer via samba
> Sent: Tuesday 11 February 2020 9:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] New DNS-Records not available
> 
> Hi Louis.
> 
> On 10.02.20 at 16:44, L.P.H. van Belle via samba wrote:
> > Hai Christian, 
> > 
> >> Can someone reproduce this?
> > No, tried, but sorry, works fine for me on my 4.11.6 server. 
> > 
> > And what if you try it like this?
> > 
> > samba-tool dns add dc1.zone1.domain.de 0.168.192.in-addr.arpa 157 PTR zone1.domain.de -U Administrator
> 
> This creates this entry (output from host 192.168.2.157, host
> 192.168.0.157 returns NXDOMAIN):
> 
> 157.2.168.192.in-addr.arpa domain name pointer zone1.hq.brain-biotech.de.
> 
> 
> 
> 
> > samba-tool dns add dc1.zone1.domain.de 2.168.192.in-addr.arpa 157 PTR zone2.domain.de -U Administrator
> 
> This creates the right record:
> 
> 157.2.168.192.in-addr.arpa domain name pointer zone2.hq.brain-biotech.de.
> 
> I tested some more. I have these zones:
> 
> 0.168.192.in-addr.arpa
> 1.168.192.in-addr.arpa
> 2.168.192.in-addr.arpa
> 3.168.192.in-addr.arpa
> 4.168.192.in-addr.arpa
> 5.168.192.in-addr.arpa
> 6.168.192.in-addr.arpa
> 7.168.192.in-addr.arpa
> 
> I can create the right record in all zones except "0", where it is then
> created in "2" (not in "1"), only if there is already a record with the
> same last digit. The zones 0, 1 and 2 contain ~100-200 records, the rest
> only 10 or so.
> 
> In another attempt I deleted all the records I created in the test and
> tried again. Strangely it only happens if in zone "2" there is a record
> with the same last digit. Then the new record is created in zone "2"
> although I want it in zone "0".
> 
> It also works if in zone "0" there is an entry and I try to create zone
> in zone "2". The record is then created in zone "0".
> 
> 
> Here is a sequence of commands used with a d10:
> 
> Add a record in zone "2":
> 
> samba-tool dns add dc1.domain.de 2.168.192.in-addr.arpa 157 PTR zone0.domain.de -U Administrator
> Password for [DOMAIN-02\Administrator]:
> Record added successfully
> 
> Check record:
> 
> host 192.168.2.157
> 157.2.168.192.in-addr.arpa domain name pointer zone0.domain.de.
> 
> 
> Add the record in zone "0" with d10:
> 
> samba-tool dns add dc1.domain.de 0.168.192.in-addr.arpa 157 PTR zone0.domain.de -d10 -U Administrator
> 
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
>   tevent: 10
>   auth_audit: 10
>   auth_json_audit: 10
>   kerberos: 10
>   drs_repl: 10
>   smb2: 10
>   smb2_credits: 10
>   dsdb_audit: 10
>   dsdb_json_audit: 10
>   dsdb_password_audit: 10
>   dsdb_password_json_audit: 10
>   dsdb_transaction_audit: 10
>   dsdb_transaction_json_audit: 10
>   dsdb_group_audit: 10
>   dsdb_group_json_audit: 10
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:dc1.domain.de[,sign]
> Mapped to DCERPC endpoint 135
> resolve_lmhosts: Attempting lmhosts lookup for name 
> dc1.domain.de<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
> such file or directory
> rpc request data:
> rpc reply data:
> Mapped to DCERPC endpoint 49153
> resolve_lmhosts: Attempting lmhosts lookup for name 
> dc1.domain.de<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
> such file or directory
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Password for [DOMAIN-02\Administrator]:
> Received smb_krb5 packet of length 313
> Received smb_krb5 packet of length 189
> kinit for Administrator at DOMAIN.DE succeeded
> gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x209f180
> gensec_update_send: spnego[0x20a1450]: subreq: 0x208fe80
> gensec_update_done: gssapi_krb5[0x20a1840]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x209f180/../../source4/auth/gensec/gensec_gssapi.c:1057]:
> state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
> (0x209f330)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1067]
> gensec_update_done: spnego[0x20a1450]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x208fe80/../../auth/gensec/spnego.c:1631]: 
> state[2] error[0
> (0x0)]  state[struct gensec_spnego_update_state (0x2090030)]
> timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x20a2550
> gensec_update_send: spnego[0x20a1450]: subreq: 0x2094480
> gensec_update_done: gssapi_krb5[0x20a1840]: NT_STATUS_OK
> tevent_req[0x20a2550/../../source4/auth/gensec/gensec_gssapi.c:1057]:
> state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state
> (0x20a2700)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1074]
> gensec_update_done: spnego[0x20a1450]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x2094480/../../auth/gensec/spnego.c:1631]: 
> state[2] error[0
> (0x0)]  state[struct gensec_spnego_update_state (0x2094630)]
> timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: spnego[0x20a1450]: subreq: 0x2094430
> gensec_update_done: spnego[0x20a1450]: NT_STATUS_OK
> tevent_req[0x2094430/../../auth/gensec/spnego.c:1631]: 
> state[2] error[0
> (0x0)]  state[struct gensec_spnego_update_state (0x20945e0)]
> timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> rpc request data:
>      t: struct dcerpc_sec_verification_trailer
>         _pad                     : DATA_BLOB length=0
>         magic                    : 0000000000000000
>         count: struct dcerpc_sec_vt_count
>             count                    : 0x0002 (2)
>         commands: ARRAY(2)
>             commands: struct dcerpc_sec_vt
>                 command                  : 0x0001 (1)
>                     0x01: DCERPC_SEC_VT_COMMAND_ENUM (1)
>                        0: DCERPC_SEC_VT_COMMAND_END
>                        0: DCERPC_SEC_VT_MUST_PROCESS
>                 u                        : union
> dcerpc_sec_vt_union(case 0x1)
>                 bitmask1                 : 0x00000001 (1)
>                        1: DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING
>             commands: struct dcerpc_sec_vt
>                 command                  : 0x4002 (16386)
>                     0x02: DCERPC_SEC_VT_COMMAND_ENUM (2)
>                        1: DCERPC_SEC_VT_COMMAND_END
>                        0: DCERPC_SEC_VT_MUST_PROCESS
>                 u                        : union
> dcerpc_sec_vt_union(case 0x2)
>                 pcontext: struct dcerpc_sec_vt_pcontext
>                     abstract_syntax: struct ndr_syntax_id
>                         uuid                     :
> 50abc2a4-574d-40b3-9d66-ee4fd5fba076
>                         if_version               : 0x00000005 (5)
>                     transfer_syntax: struct ndr_syntax_id
>                         uuid                     :
> 8a885d04-1ceb-11c9-9fe8-08002b104860
>                         if_version               : 0x00000002 (2)
> dcerpc_pull_auth_trailer: auth_pad_length 12
> rpc reply data:
> [0000] EF 25 00 00                                        .%..
> ERROR(runtime): uncaught exception - (9711,
> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py",
> line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line
> 945, in run
>     raise e
>   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line
> 941, in run
>     0, server, zone, name, add_rec_buf, None)
> 
> It says it already exists. But it does not exist in zone "0", only in "2".
> 
> Anything more I can do?
> 
> 
> 
> 
> > 
> > I tested on my production where I have 6 forward/reverse zones in use.
> > 
> > Is the hostname "dc1" also in other zones?
> > Yes, use FQDN as I showed and test it.
> > No, we need to investigate more most probably.
> 
> -- 
> Dr. Christian Naumer
> Unit Head Bioprocess Development
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> fon +49-6251-9331-30  /   fax +49-6251-9331-11
> 
> Registered office: Zwingenberg/Bergstrasse
> Register court: AG Darmstadt, HRB 24758
> Executive Board: Adriaan Moelker (Chairman),
> Manfred Bender, Ludger Roedder
> Chairman of the Supervisory Board: Dr. Georg Kellinghusen
> 
> 
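An added example, not part of the original messages and not Samba code: a Python check that parses `host` output and reports whether a PTR record added with `samba-tool dns add` sits under the intended reverse zone or under a sibling zone, which is the symptom described in the thread. The function names and the sample output (modelled on the thread's results, using the `domain.de` placeholder names) are constructed for illustration.

```python
import re

# One PTR answer line as printed by `host <ip>`.
PTR_LINE = re.compile(r"^(\S+?)\.? domain name pointer (\S+?)\.?$")

def ptr_owner(zone, name):
    """Owner name that record `name` added to `zone` should end up with."""
    return f"{name}.{zone}".rstrip(".").lower()

def owner_to_ip(owner):
    """157.0.168.192.in-addr.arpa -> 192.168.0.157 (the address to look up)."""
    labels = owner.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 PTR owner name: {owner}")
    return ".".join(reversed(labels[:4]))

def ips_to_query(name, zones):
    """Addresses to pass to `host` so every sibling reverse zone is checked."""
    return [owner_to_ip(ptr_owner(z, name)) for z in zones]

def parse_host_output(text):
    """Map owner name -> set of PTR targets; NXDOMAIN lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = PTR_LINE.match(line.strip())
        if m:
            found.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return found

def check_placement(zone, name, target, host_text):
    """Return (status, owners): status is 'ok', 'misplaced' or 'missing'."""
    want = ptr_owner(zone, name)
    target = target.rstrip(".").lower()
    records = parse_host_output(host_text)
    if target in records.get(want, set()):
        return "ok", [want]
    # Same host label and target, but under a different reverse zone.
    elsewhere = sorted(o for o, t in records.items()
                       if o.split(".")[0] == str(name) and target in t)
    return ("misplaced", elsewhere) if elsewhere else ("missing", [])

# Constructed sample, modelled on the `host` results quoted in the thread.
SAMPLE = """\
Host 157.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
157.2.168.192.in-addr.arpa domain name pointer zone1.domain.de.
"""

if __name__ == "__main__":
    print(ips_to_query("157", ["0.168.192.in-addr.arpa", "2.168.192.in-addr.arpa"]))
    print(check_placement("0.168.192.in-addr.arpa", "157", "zone1.domain.de", SAMPLE))
```

Feed it the concatenated output of `host` for each address returned by `ips_to_query`; a `misplaced` status names the owner that actually holds the record.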