[Samba] New DNS-Records not aviable
L.P.H. van Belle
belle at bazuin.nl
Tue Feb 11 09:14:28 UTC 2020
@Heinz,
Thanks for testing also, but what is your samba version, OS and packages samba of compiled samba.
To keep info bit more complete
@Christian, can you try purge the deleted DNS records.
Can you also add the debug 10 log, shown below to this bugreport.
https://bugzilla.samba.org/show_bug.cgi?id=14268
I'll retest it here later on today with a few more zones.
But i must finish some work first.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Christian Naumer via samba
> Verzonden: dinsdag 11 februari 2020 9:23
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] New DNS-Records not aviable
>
> Hi Louis.
>
> Am 10.02.20 um 16:44 schrieb L.P.H. van Belle via samba:
> > Hai Christian,
> >
> >> Can someone reproduce this?
> > No, tried, but sorry, works fine for me on my 4.11.6 server.
> >
> > And what is you try it like this.
> >
> > samba-tool dns add dc1.zone1.domain.de
> 0.168.192.in-addr.arpa 157 PTR zone1.domain.de -U Administrator
>
> This creates this entry (output from host 192.168.2.157, host
> 192.168.0.157 returns NXDOMAIN):
>
> 157.2.168.192.in-addr.arpa domain name pointer
> zone1.hq.brain-biotech.de.
>
>
>
>
> > samba-tool dns add dc1.zone1.domain.de
> 2.168.192.in-addr.arpa 157 PTR zone2.domain.de -U Administrator
>
> This creates the right record:
>
> 157.2.168.192.in-addr.arpa domain name pointer
> zone2.hq.brain-biotech.de.
>
> I tested some more. I have these zones:
>
> 0.168.192.in-addr.arpa
> 1.168.192.in-addr.arpa
> 2.168.192.in-addr.arpa
> 3.168.192.in-addr.arpa
> 4.168.192.in-addr.arpa
> 5.168.192.in-addr.arpa
> 6.168.192.in-addr.arpa
> 7.168.192.in-addr.arpa
>
> I can create in all zone the right record except "0" where it is then
> created in "2" (not in "1") only if there is already a record with the
> same last digit. The zones 0,1 and 2 contain ~100-200 records the rest
> only 10 or so.
>
> In another attempt I deleted all the records I created in the test and
> tried again. Strangely it only happens if in zone "2" there
> is a record
> with the same last digit. Then the new record is created in zone "2"
> although I want it in zone "0".
>
> It also works if in zone "0" there is an entry and I try to
> create zone
> in zone "2". The record is then created in zone "0".
>
>
> Here is a sequence of commands used with a d10:
>
> Add a record in zone "2":
>
> samba-tool dns add dc1.domain.de 2.168.192.in-addr.arpa 157 PTR
> zone0.domain.de -U Administrator
> Password for [DOMAIN-02\Administrator]:
> Record added successfully
>
> Check record:
>
> host 192.168.2.157
> 157.2.168.192.in-addr.arpa domain name pointer zone0.domain.de.
>
>
> Add the record in zone "0" with d10:
>
> samba-tool dns add dc1.domain.de 0.168.192.in-addr.arpa 157 PTR
> zone0.domain.de -d10 -U Administrator
>
> INFO: Current debug levels:
> all: 10
> tdb: 10
> printdrivers: 10
> lanman: 10
> smb: 10
> rpc_parse: 10
> rpc_srv: 10
> rpc_cli: 10
> passdb: 10
> sam: 10
> auth: 10
> winbind: 10
> vfs: 10
> idmap: 10
> quota: 10
> acls: 10
> locking: 10
> msdfs: 10
> dmapi: 10
> registry: 10
> scavenger: 10
> dns: 10
> ldb: 10
> tevent: 10
> auth_audit: 10
> auth_json_audit: 10
> kerberos: 10
> drs_repl: 10
> smb2: 10
> smb2_credits: 10
> dsdb_audit: 10
> dsdb_json_audit: 10
> dsdb_password_audit: 10
> dsdb_password_json_audit: 10
> dsdb_transaction_audit: 10
> dsdb_transaction_json_audit: 10
> dsdb_group_audit: 10
> dsdb_group_json_audit: 10
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:dc1.domain.de[,sign]
> Mapped to DCERPC endpoint 135
> resolve_lmhosts: Attempting lmhosts lookup for name
> dc1.domain.de<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
> such file or directory
> rpc request data:
> [0000] 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ........ ........
> [0010] 00 00 00 00 02 00 00 00 4B 00 00 00 4B 00 00 00
> ........ K...K...
> [0020] 05 00 13 00 0D A4 C2 AB 50 4D 57 B3 40 9D 66 EE
> ........ PMW. at .f.
> [0030] 4F D5 FB A0 76 05 00 02 00 00 00 13 00 0D 04 5D
> O...v... .......]
> [0040] 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00
> ........ ..+.H`..
> [0050] 02 00 00 00 01 00 0B 02 00 00 00 01 00 07 02 00
> ........ ........
> [0060] 00 00 01 00 09 04 00 00 00 00 00 00 00 00 00 00
> ........ ........
> [0070] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ........ ........
> [0080] 01 00 00 00 ....
> rpc reply data:
> [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ........ ........
> [0010] 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00
> ........ ........
> [0020] 01 00 00 00 03 00 00 00 4B 00 00 00 4B 00 00 00
> ........ K...K...
> [0030] 05 00 13 00 0D A4 C2 AB 50 4D 57 B3 40 9D 66 EE
> ........ PMW. at .f.
> [0040] 4F D5 FB A0 76 05 00 02 00 00 00 13 00 0D 04 5D
> O...v... .......]
> [0050] 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00
> ........ ..+.H`..
> [0060] 02 00 00 00 01 00 0B 02 00 00 00 01 00 07 02 00
> ........ ........
> [0070] C0 01 01 00 09 04 00 00 00 00 00 00 00 00 00 00
> ........ ........
> Mapped to DCERPC endpoint 49153
> resolve_lmhosts: Attempting lmhosts lookup for name
> dc1.domain.de<0x20>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
> such file or directory
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> Password for [DOMAIN-02\Administrator]:
> Received smb_krb5 packet of length 313
> Received smb_krb5 packet of length 189
> kinit for Administrator at DOMAIN.DE succeeded
> gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x209f180
> gensec_update_send: spnego[0x20a1450]: subreq: 0x208fe80
> gensec_update_done: gssapi_krb5[0x20a1840]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x209f180/../../source4/auth/gensec/gensec_gssapi.c:1057]:
> state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state
> (0x209f330)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1067]
> gensec_update_done: spnego[0x20a1450]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x208fe80/../../auth/gensec/spnego.c:1631]:
> state[2] error[0
> (0x0)] state[struct gensec_spnego_update_state (0x2090030)]
> timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x20a2550
> gensec_update_send: spnego[0x20a1450]: subreq: 0x2094480
> gensec_update_done: gssapi_krb5[0x20a1840]: NT_STATUS_OK
> tevent_req[0x20a2550/../../source4/auth/gensec/gensec_gssapi.c:1057]:
> state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state
> (0x20a2700)] timer[(nil)]
> finish[../../source4/auth/gensec/gensec_gssapi.c:1074]
> gensec_update_done: spnego[0x20a1450]:
> NT_STATUS_MORE_PROCESSING_REQUIRED
> tevent_req[0x2094480/../../auth/gensec/spnego.c:1631]:
> state[2] error[0
> (0x0)] state[struct gensec_spnego_update_state (0x2094630)]
> timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> dcerpc_pull_auth_trailer: auth_pad_length 0
> gensec_update_send: spnego[0x20a1450]: subreq: 0x2094430
> gensec_update_done: spnego[0x20a1450]: NT_STATUS_OK
> tevent_req[0x2094430/../../auth/gensec/spnego.c:1631]:
> state[2] error[0
> (0x0)] state[struct gensec_spnego_update_state (0x20945e0)]
> timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> rpc request data:
> [0000] 00 00 07 00 00 00 00 00 00 00 02 00 18 00 00 00
> ........ ........
> [0010] 00 00 00 00 18 00 00 00 64 00 63 00 31 00 2E 00
> ........ d.c.1...
> [0020] 68 00 71 00 2E 00 62 00 72 00 61 00 69 00 6E 00
> x.x...x. x.x.x.x.
> [0030] 2D 00 62 00 69 00 6F 00 74 00 65 00 63 00 68 00
> -.x.x.x. x.x.x.x.
> [0040] 2E 00 64 00 65 00 00 00 04 00 02 00 17 00 00 00
> ..d.e... ........
> [0050] 00 00 00 00 17 00 00 00 30 2E 31 36 38 2E 31 39
> ........ 0.168.19
> [0060] 32 2E 69 6E 2D 61 64 64 72 2E 61 72 70 61 00 00
> 2.in-add r.arpa..
> [0070] 04 00 00 00 00 00 00 00 04 00 00 00 31 35 37 00
> ........ ....157.
> [0080] 08 00 02 00 1A 00 00 00 1A 00 0C 00 F0 00 00 00
> ........ ........
> [0090] 01 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00
> ........ ........
> [00A0] 19 7A 6F 6E 65 30 2E 68 71 2E 62 72 61 69 6E 2D
> .zone0.x x.xxxxx-
> [00B0] 62 69 6F 74 65 63 68 2E 64 65 00 00 00 00 00 00
> xxxxxxx. xx......
> t: struct dcerpc_sec_verification_trailer
> _pad : DATA_BLOB length=0
> magic : 0000000000000000
> count: struct dcerpc_sec_vt_count
> count : 0x0002 (2)
> commands: ARRAY(2)
> commands: struct dcerpc_sec_vt
> command : 0x0001 (1)
> 0x01: DCERPC_SEC_VT_COMMAND_ENUM (1)
> 0: DCERPC_SEC_VT_COMMAND_END
> 0: DCERPC_SEC_VT_MUST_PROCESS
> u : union
> dcerpc_sec_vt_union(case 0x1)
> bitmask1 : 0x00000001 (1)
> 1: DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING
> commands: struct dcerpc_sec_vt
> command : 0x4002 (16386)
> 0x02: DCERPC_SEC_VT_COMMAND_ENUM (2)
> 1: DCERPC_SEC_VT_COMMAND_END
> 0: DCERPC_SEC_VT_MUST_PROCESS
> u : union
> dcerpc_sec_vt_union(case 0x2)
> pcontext: struct dcerpc_sec_vt_pcontext
> abstract_syntax: struct ndr_syntax_id
> uuid :
> 50abc2a4-574d-40b3-9d66-ee4fd5fba076
> if_version : 0x00000005 (5)
> transfer_syntax: struct ndr_syntax_id
> uuid :
> 8a885d04-1ceb-11c9-9fe8-08002b104860
> if_version : 0x00000002 (2)
> dcerpc_pull_auth_trailer: auth_pad_length 12
> rpc reply data:
> [0000] EF 25 00 00 .%..
> ERROR(runtime): uncaught exception - (9711,
> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py",
> line 186, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line
> 945, in run
> raise e
> File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line
> 941, in run
> 0, server, zone, name, add_rec_buf, None)
>
> It says it already exists. But it does not exist in zone "0"
> only in "2".
>
> Anything more I can do?
>
>
>
>
> >
> > I tested on my production where i have 6 forward/reverse
> zones in use.
> >
> > Is the hostname "dc1" also in other zones?
> > Yes, use FQDN as i showed and test it.
> > No, we need to investigate more most probely.
>
> --
> Dr. Christian Naumer
> Unit Head Bioprocess Development
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> fon +49-6251-9331-30 / fax +49-6251-9331-11
>
> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> Registergericht AG Darmstadt, HRB 24758
> Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
> Manfred Bender, Ludger Roedder
> Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list