[Samba] New DNS-Records not available

Heinz Hölzl heinz.hoelzl at gvcc.net
Tue Feb 11 12:11:40 UTC 2020


Hi Louis,

my system:

Ubuntu 18.04.3 LTS
Kernel 4.15.0-74

samba Version 4.11.6 (on 4.12.0.rc2 same issue)
on samba 4.10.5 it works fine.


compile options:
./configure --with-gpgme --with-ads --with-winbind --enable-cups --with-pam --with-quotas --with-acl-support --with-dnsupdate --with-syslog --with-regedit --with-systemd --sysconfdir=/etc/samba

# Global parameters
[global]
	bind interfaces only = Yes
	interfaces = lo eth2
	netbios name = DC2
	realm = KLINGONS.NET
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
	workgroup = KLINGONS
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	comment = 
	template homedir = /home/%U
	template shell = /bin/bash
	ldap server require strong auth = No
	ntlm auth = Yes
	log level = auth_json_audit:0 auth_audit:3
	logging = syslog
	password hash gpg key ids = "4FE6CFC510ADE7B9"
	dns forwarder = 172.27.2.11
	dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool


2 DCs are running with samba_internal DNS and 2 with bind9 DLZ.


Regards,
heinz


On Tuesday, 11.02.2020, 10:14 +0100, L.P.H. van Belle via samba wrote:
> @Heinz,
> Thanks for testing also, but what is your samba version and OS, and is it packaged samba or compiled samba?
> To keep the info a bit more complete.
> 
> 
> @Christian, can you try to purge the deleted DNS records.
> Can you also add the debug 10 log shown below to this bug report.
> https://bugzilla.samba.org/show_bug.cgi?id=14268
> 
> I'll retest it here later on today with a few more zones.
> But I must finish some work first.
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Christian Naumer via samba
> > Sent: Tuesday 11 February 2020 9:23
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] New DNS-Records not available
> > 
> > Hi Louis.
> > 
> > On 10.02.20 at 16:44, L.P.H. van Belle via samba wrote:
> > > Hai Christian, 
> > > 
> > > > Can someone reproduce this?
> > > No, tried, but sorry, works fine for me on my 4.11.6 server. 
> > > 
> > > And what if you try it like this.
> > > 
> > > samba-tool dns add dc1.zone1.domain.de 0.168.192.in-addr.arpa 157 PTR zone1.domain.de -U Administrator
> > 
> > This creates this entry (output from host 192.168.2.157; host 192.168.0.157 returns NXDOMAIN):
> > 
> > 157.2.168.192.in-addr.arpa domain name pointer zone1.hq.brain-biotech.de.
> > 
> > 
> > 
> > 
> > > samba-tool dns add dc1.zone1.domain.de 2.168.192.in-addr.arpa 157 PTR zone2.domain.de -U Administrator
> > 
> > This creates the right record:
> > 
> > 157.2.168.192.in-addr.arpa domain name pointer zone2.hq.brain-biotech.de.
> > 
> > I tested some more. I have these zones:
> > 
> > 0.168.192.in-addr.arpa
> > 1.168.192.in-addr.arpa
> > 2.168.192.in-addr.arpa
> > 3.168.192.in-addr.arpa
> > 4.168.192.in-addr.arpa
> > 5.168.192.in-addr.arpa
> > 6.168.192.in-addr.arpa
> > 7.168.192.in-addr.arpa
> > 
> > I can create the right record in all zones except "0", where it is then
> > created in "2" (not in "1"), and only if there is already a record with
> > the same last digit. Zones 0, 1 and 2 contain ~100-200 records; the rest
> > only 10 or so.
> > 
> > In another attempt I deleted all the records I created in the test and
> > tried again. Strangely, it only happens if there is a record in zone "2"
> > with the same last digit. Then the new record is created in zone "2"
> > although I want it in zone "0".
> > 
> > It also works the other way round: if there is an entry in zone "0" and I
> > try to create one in zone "2", the record is then created in zone "0".
> > 
> > 
> > Here is a sequence of commands used with -d10:
> > 
> > Add a record in zone "2":
> > 
> > samba-tool dns add dc1.domain.de 2.168.192.in-addr.arpa 157 PTR zone0.domain.de -U Administrator
> > Password for [DOMAIN-02\Administrator]:
> > Record added successfully
> > 
> > Check record:
> > 
> > host 192.168.2.157
> > 157.2.168.192.in-addr.arpa domain name pointer zone0.domain.de.
> > 
> > 
> > Add the record in zone "0" with d10:
> > 
> > samba-tool dns add dc1.domain.de 0.168.192.in-addr.arpa 157 PTR zone0.domain.de -d10 -U Administrator
> > 
> > INFO: Current debug levels:
> >   all: 10
> >   tdb: 10
> >   printdrivers: 10
> >   lanman: 10
> >   smb: 10
> >   rpc_parse: 10
> >   rpc_srv: 10
> >   rpc_cli: 10
> >   passdb: 10
> >   sam: 10
> >   auth: 10
> >   winbind: 10
> >   vfs: 10
> >   idmap: 10
> >   quota: 10
> >   acls: 10
> >   locking: 10
> >   msdfs: 10
> >   dmapi: 10
> >   registry: 10
> >   scavenger: 10
> >   dns: 10
> >   ldb: 10
> >   tevent: 10
> >   auth_audit: 10
> >   auth_json_audit: 10
> >   kerberos: 10
> >   drs_repl: 10
> >   smb2: 10
> >   smb2_credits: 10
> >   dsdb_audit: 10
> >   dsdb_json_audit: 10
> >   dsdb_password_audit: 10
> >   dsdb_password_json_audit: 10
> >   dsdb_transaction_audit: 10
> >   dsdb_transaction_json_audit: 10
> >   dsdb_group_audit: 10
> >   dsdb_group_json_audit: 10
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > pm_process() returned Yes
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'http_negotiate' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Using binding ncacn_ip_tcp:dc1.domain.de[,sign]
> > Mapped to DCERPC endpoint 135
> > resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain.de<0x20>
> > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > rpc request data:
> > rpc reply data:
> > Mapped to DCERPC endpoint 49153
> > resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain.de<0x20>
> > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gssapi_krb5
> > Password for [DOMAIN-02\Administrator]:
> > Received smb_krb5 packet of length 313
> > Received smb_krb5 packet of length 189
> > kinit for Administrator@DOMAIN.DE succeeded
> > gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x209f180
> > gensec_update_send: spnego[0x20a1450]: subreq: 0x208fe80
> > gensec_update_done: gssapi_krb5[0x20a1840]: NT_STATUS_MORE_PROCESSING_REQUIRED
> > tevent_req[0x209f180/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x209f330)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1067]
> > gensec_update_done: spnego[0x20a1450]: NT_STATUS_MORE_PROCESSING_REQUIRED
> > tevent_req[0x208fe80/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x2090030)] timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> > dcerpc_pull_auth_trailer: auth_pad_length 0
> > gensec_gssapi: NO credentials were delegated
> > GSSAPI Connection will be cryptographically signed
> > gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x20a2550
> > gensec_update_send: spnego[0x20a1450]: subreq: 0x2094480
> > gensec_update_done: gssapi_krb5[0x20a1840]: NT_STATUS_OK
> > tevent_req[0x20a2550/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0x20a2700)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1074]
> > gensec_update_done: spnego[0x20a1450]: NT_STATUS_MORE_PROCESSING_REQUIRED
> > tevent_req[0x2094480/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x2094630)] timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> > dcerpc_pull_auth_trailer: auth_pad_length 0
> > gensec_update_send: spnego[0x20a1450]: subreq: 0x2094430
> > gensec_update_done: spnego[0x20a1450]: NT_STATUS_OK
> > tevent_req[0x2094430/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x20945e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> > rpc request data:
> > [0000] 00 00 07 00 00 00 00 00   00 00 02 00 18 00 00 00   ........ ........
> > [0010] 00 00 00 00 18 00 00 00   64 00 63 00 31 00 2E 00   ........ d.c.1...
> > [0020] 68 00 71 00 2E 00 62 00   72 00 61 00 69 00 6E 00   x.x...x. x.x.x.x.
> > [0030] 2D 00 62 00 69 00 6F 00   74 00 65 00 63 00 68 00   -.x.x.x. x.x.x.x.
> > [0040] 2E 00 64 00 65 00 00 00   04 00 02 00 17 00 00 00   ..d.e... ........
> > [0050] 00 00 00 00 17 00 00 00   30 2E 31 36 38 2E 31 39   ........ 0.168.19
> > [0060] 32 2E 69 6E 2D 61 64 64   72 2E 61 72 70 61 00 00   2.in-add r.arpa..
> > [0070] 04 00 00 00 00 00 00 00   04 00 00 00 31 35 37 00   ........ ....157.
> > [0080] 08 00 02 00 1A 00 00 00   1A 00 0C 00 F0 00 00 00   ........ ........
> > [0090] 01 00 00 00 84 03 00 00   00 00 00 00 00 00 00 00   ........ ........
> > [00A0] 19 7A 6F 6E 65 30 2E 68   71 2E 62 72 61 69 6E 2D   .zone0.x x.xxxxx-
> > [00B0] 62 69 6F 74 65 63 68 2E   64 65 00 00 00 00 00 00   xxxxxxx. xx......
> >      t: struct dcerpc_sec_verification_trailer
> >         _pad                     : DATA_BLOB length=0
> >         magic                    : 0000000000000000
> >         count: struct dcerpc_sec_vt_count
> >             count                    : 0x0002 (2)
> >         commands: ARRAY(2)
> >             commands: struct dcerpc_sec_vt
> >                 command                  : 0x0001 (1)
> >                     0x01: DCERPC_SEC_VT_COMMAND_ENUM (1)
> >                        0: DCERPC_SEC_VT_COMMAND_END
> >                        0: DCERPC_SEC_VT_MUST_PROCESS
> >                 u                        : union dcerpc_sec_vt_union(case 0x1)
> >                 bitmask1                 : 0x00000001 (1)
> >                        1: DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING
> >             commands: struct dcerpc_sec_vt
> >                 command                  : 0x4002 (16386)
> >                     0x02: DCERPC_SEC_VT_COMMAND_ENUM (2)
> >                        1: DCERPC_SEC_VT_COMMAND_END
> >                        0: DCERPC_SEC_VT_MUST_PROCESS
> >                 u                        : union dcerpc_sec_vt_union(case 0x2)
> >                 pcontext: struct dcerpc_sec_vt_pcontext
> >                     abstract_syntax: struct ndr_syntax_id
> >                         uuid                     : 50abc2a4-574d-40b3-9d66-ee4fd5fba076
> >                         if_version               : 0x00000005 (5)
> >                     transfer_syntax: struct ndr_syntax_id
> >                         uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
> >                         if_version               : 0x00000002 (2)
> > dcerpc_pull_auth_trailer: auth_pad_length 12
> > rpc reply data:
> > [0000] EF 25 00 00                                        .%..
> > ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
> >     raise e
> >   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
> >     0, server, zone, name, add_rec_buf, None)
> > 
> > It says it already exists. But it does not exist in zone "0", only in "2".
> > 
> > Anything more I can do?
> > 
> > 
> > 
> > 
> > > I tested on my production where I have 6 forward/reverse zones in use.
> > > Is the hostname "dc1" also in other zones?
> > > Yes, use FQDN as I showed and test it.
> > > No, we need to investigate more most probably.
> > 
> > -- 
> > Dr. Christian Naumer
> > Unit Head Bioprocess Development
> > B.R.A.I.N Aktiengesellschaft
> > Darmstaedter Str. 34-36, D-64673 Zwingenberg
> > e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> > fon +49-6251-9331-30  /   fax +49-6251-9331-11
> > 
> > 
> > 
> 
> 

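The collision Christian describes (a PTR with the same last label already present in another reverse zone, and the new record ending up there instead of in the intended zone) can be checked for from the outside with plain `host` lookups. The following is an added example, not code from the thread or from Samba: it parses `host` output in the format quoted above (the sample is constructed, modelled on the quoted lines), lists other reverse zones that already hold the same last label before an add, and verifies after the add whether the record answers from the intended zone.

```python
import ipaddress
import re

# Constructed sample of `host` output, modelled on the lines quoted in the thread
# (not captured from the list): zone "2" already holds 157, zone "0" does not.
HOST_OUTPUT = """\
157.2.168.192.in-addr.arpa domain name pointer zone0.domain.de.
Host 157.0.168.192.in-addr.arpa not found: 3(NXDOMAIN)
42.1.168.192.in-addr.arpa domain name pointer zone1.domain.de.
"""
PTR_RE = re.compile(r"^(?P<name>\S+\.in-addr\.arpa) domain name pointer (?P<target>\S+)$")

def reverse_name_to_ip(name):
    """157.2.168.192.in-addr.arpa -> 192.168.2.157 (validated by ipaddress)."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.ip_address(".".join(reversed(labels))))

def expected_zone(ip):
    """/24 reverse zone an IPv4 PTR belongs in: 192.168.0.157 -> 0.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split(".")[:3])) + ".in-addr.arpa"

def parse_host_output(text):
    """Map ip -> PTR target from `host` answer lines; NXDOMAIN lines are skipped."""
    records = {}
    for line in text.splitlines():
        m = PTR_RE.match(line.strip())
        if m:
            records[reverse_name_to_ip(m["name"])] = m["target"]
    return records

def same_last_label(zone, name, records):
    """Other reverse zones already holding a record with this last label (the collision
    described in the thread); run before `samba-tool dns add <server> <zone> <name> PTR ...`."""
    wanted_ip = reverse_name_to_ip(f"{name}.{zone}")
    return {expected_zone(ip): t for ip, t in records.items()
            if ip != wanted_ip and ip.rsplit(".", 1)[1] == name}

def verify_add(zone, name, target, records):
    """After the add: 'ok' when the PTR answers from the intended zone, 'misplaced in <zone>'
    when the same name and target answer from another zone, otherwise 'missing'."""
    wanted_ip = reverse_name_to_ip(f"{name}.{zone}")
    if records.get(wanted_ip) == target:
        return "ok"
    for ip, t in records.items():
        if ip != wanted_ip and t == target and ip.rsplit(".", 1)[1] == name:
            return f"misplaced in {expected_zone(ip)}"
    return "missing"
```

In practice, concatenate the `host` answers for the candidate addresses (one per reverse zone, same last octet) and pass that text to `parse_host_output`; with the sample above, `verify_add` for zone "0", name 157 reports the record as misplaced in 2.168.192.in-addr.arpa.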