[Samba] New DNS-Records not available
Heinz Hölzl
heinz.hoelzl at gvcc.net
Tue Feb 11 12:11:40 UTC 2020
Hi Louis,
my system:
Ubuntu 18.04.3 LTS
Kernel 4.15.0-74
samba Version 4.11.6 (on 4.12.0.rc2 same issue)
on samba 4.10.5 it works fine.
compile option:
./configure --with-gpgme --with-ads --with-winbind --enable-cups --with-pam --with-quotas --with-acl-support --with-dnsupdate --with-syslog --with-regedit --with-systemd --sysconfdir=/etc/samba
# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = lo eth2
    netbios name = DC2
    realm = KLINGONS.NET
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
    workgroup = KLINGONS
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    comment =
    template homedir = /home/%U
    template shell = /bin/bash
    ldap server require strong auth = No
    ntlm auth = Yes
    log level = auth_json_audit:0 auth_audit:3
    logging = syslog
    password hash gpg key ids = "4FE6CFC510ADE7B9"
    dns forwarder = 172.27.2.11
    dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool
2 DCs are running with the samba_internal DNS and 2 with bind9 DLZ.
Regards,
heinz
On Tuesday, 11.02.2020, 10:14 +0100, L.P.H. van Belle via samba wrote:
> @Heinz,
> Thanks for testing also, but what is your samba version, OS and
> packaged samba or compiled samba?
> To keep the info a bit more complete.
>
>
> @Christian, can you try to purge the deleted DNS records?
> Can you also add the debug 10 log, shown below, to this bug report:
> https://bugzilla.samba.org/show_bug.cgi?id=14268
>
> I'll retest it here later on today with a few more zones.
> But I must finish some work first.
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Christian Naumer via samba
> > Sent: Tuesday 11 February 2020 9:23
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] New DNS-Records not available
> >
> > Hi Louis.
> >
> > On 10.02.20 at 16:44, L.P.H. van Belle via samba wrote:
> > > Hai Christian,
> > >
> > > > Can someone reproduce this?
> > > No, tried, but sorry, works fine for me on my 4.11.6 server.
> > >
> > > And what if you try it like this.
> > >
> > > samba-tool dns add dc1.zone1.domain.de 0.168.192.in-addr.arpa 157 PTR zone1.domain.de -U Administrator
> >
> > This creates this entry (output from host 192.168.2.157, host
> > 192.168.0.157 returns NXDOMAIN):
> >
> > 157.2.168.192.in-addr.arpa domain name pointer zone1.hq.brain-biotech.de.
> >
> >
> >
> >
> > > samba-tool dns add dc1.zone1.domain.de 2.168.192.in-addr.arpa 157 PTR zone2.domain.de -U Administrator
> >
> > This creates the right record:
> >
> > 157.2.168.192.in-addr.arpa domain name pointer zone2.hq.brain-biotech.de.
> >
> > I tested some more. I have these zones:
> >
> > 0.168.192.in-addr.arpa
> > 1.168.192.in-addr.arpa
> > 2.168.192.in-addr.arpa
> > 3.168.192.in-addr.arpa
> > 4.168.192.in-addr.arpa
> > 5.168.192.in-addr.arpa
> > 6.168.192.in-addr.arpa
> > 7.168.192.in-addr.arpa
> >
> > I can create the right record in all zones except "0", where it is
> > then created in "2" (not in "1"), but only if there is already a record
> > with the same last digit. The zones 0, 1 and 2 contain ~100-200
> > records, the rest only 10 or so.
> >
> > In another attempt I deleted all the records I created in the test
> > and tried again. Strangely, it only happens if in zone "2" there is a
> > record with the same last digit. Then the new record is created in
> > zone "2" although I want it in zone "0".
> >
> > It also works if there is an entry in zone "0" and I try to create
> > one in zone "2". The record is then created in zone "0".
> >
> >
> > Here is a sequence of commands used with -d10:
> >
> > Add a record in zone "2":
> >
> > samba-tool dns add dc1.domain.de 2.168.192.in-addr.arpa 157 PTR zone0.domain.de -U Administrator
> > Password for [DOMAIN-02\Administrator]:
> > Record added successfully
> >
> > Check record:
> >
> > host 192.168.2.157
> > 157.2.168.192.in-addr.arpa domain name pointer zone0.domain.de.
> >
> >
> > Add the record in zone "0" with d10:
> >
> > samba-tool dns add dc1.domain.de 0.168.192.in-addr.arpa 157 PTR zone0.domain.de -d10 -U Administrator
> >
> > INFO: Current debug levels:
> > all: 10
> > tdb: 10
> > printdrivers: 10
> > lanman: 10
> > smb: 10
> > rpc_parse: 10
> > rpc_srv: 10
> > rpc_cli: 10
> > passdb: 10
> > sam: 10
> > auth: 10
> > winbind: 10
> > vfs: 10
> > idmap: 10
> > quota: 10
> > acls: 10
> > locking: 10
> > msdfs: 10
> > dmapi: 10
> > registry: 10
> > scavenger: 10
> > dns: 10
> > ldb: 10
> > tevent: 10
> > auth_audit: 10
> > auth_json_audit: 10
> > kerberos: 10
> > drs_repl: 10
> > smb2: 10
> > smb2_credits: 10
> > dsdb_audit: 10
> > dsdb_json_audit: 10
> > dsdb_password_audit: 10
> > dsdb_password_json_audit: 10
> > dsdb_transaction_audit: 10
> > dsdb_transaction_json_audit: 10
> > dsdb_group_audit: 10
> > dsdb_group_json_audit: 10
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > Processing section "[global]"
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > pm_process() returned Yes
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'http_negotiate' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Using binding ncacn_ip_tcp:dc1.domain.de[,sign]
> > Mapped to DCERPC endpoint 135
> > resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain.de<0x20>
> > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > rpc request data:
> > rpc reply data:
> > Mapped to DCERPC endpoint 49153
> > resolve_lmhosts: Attempting lmhosts lookup for name dc1.domain.de<0x20>
> > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gssapi_krb5
> > Password for [DOMAIN-02\Administrator]:
> > Received smb_krb5 packet of length 313
> > Received smb_krb5 packet of length 189
> > kinit for Administrator at DOMAIN.DE succeeded
> > gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x209f180
> > gensec_update_send: spnego[0x20a1450]: subreq: 0x208fe80
> > gensec_update_done: gssapi_krb5[0x20a1840]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x209f180/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x209f330)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1067]
> > gensec_update_done: spnego[0x20a1450]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x208fe80/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x2090030)] timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> > dcerpc_pull_auth_trailer: auth_pad_length 0
> > gensec_gssapi: NO credentials were delegated
> > GSSAPI Connection will be cryptographically signed
> > gensec_update_send: gssapi_krb5[0x20a1840]: subreq: 0x20a2550
> > gensec_update_send: spnego[0x20a1450]: subreq: 0x2094480
> > gensec_update_done: gssapi_krb5[0x20a1840]: NT_STATUS_OK tevent_req[0x20a2550/../../source4/auth/gensec/gensec_gssapi.c:1057]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x20a2700)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1074]
> > gensec_update_done: spnego[0x20a1450]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x2094480/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x2094630)] timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> > dcerpc_pull_auth_trailer: auth_pad_length 0
> > gensec_update_send: spnego[0x20a1450]: subreq: 0x2094430
> > gensec_update_done: spnego[0x20a1450]: NT_STATUS_OK tevent_req[0x2094430/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x20945e0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2115]
> > rpc request data:
> > t: struct dcerpc_sec_verification_trailer
> >     _pad : DATA_BLOB length=0
> >     magic : 0000000000000000
> >     count: struct dcerpc_sec_vt_count
> >         count : 0x0002 (2)
> >     commands: ARRAY(2)
> >         commands: struct dcerpc_sec_vt
> >             command : 0x0001 (1)
> >                 0x01: DCERPC_SEC_VT_COMMAND_ENUM (1)
> >                 0: DCERPC_SEC_VT_COMMAND_END
> >                 0: DCERPC_SEC_VT_MUST_PROCESS
> >             u : union dcerpc_sec_vt_union(case 0x1)
> >                 bitmask1 : 0x00000001 (1)
> >                     1: DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING
> >         commands: struct dcerpc_sec_vt
> >             command : 0x4002 (16386)
> >                 0x02: DCERPC_SEC_VT_COMMAND_ENUM (2)
> >                 1: DCERPC_SEC_VT_COMMAND_END
> >                 0: DCERPC_SEC_VT_MUST_PROCESS
> >             u : union dcerpc_sec_vt_union(case 0x2)
> >                 pcontext: struct dcerpc_sec_vt_pcontext
> >                     abstract_syntax: struct ndr_syntax_id
> >                         uuid : 50abc2a4-574d-40b3-9d66-ee4fd5fba076
> >                         if_version : 0x00000005 (5)
> >                     transfer_syntax: struct ndr_syntax_id
> >                         uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
> >                         if_version : 0x00000002 (2)
> > dcerpc_pull_auth_trailer: auth_pad_length 12
> > rpc reply data:
> > [0000] EF 25 00 00 .%..
> > ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >   File "/usr/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 945, in run
> >     raise e
> >   File "/usr/lib64/python3.6/site-packages/samba/netcmd/dns.py", line 941, in run
> >     0, server, zone, name, add_rec_buf, None)
> >
> > It says it already exists. But it does not exist in zone "0",
> > only in "2".
> >
> > Anything more I can do?
> >
> >
> >
> >
> > > I tested on my production where I have 6 forward/reverse zones in use.
> > > Is the hostname "dc1" also in other zones?
> > > Yes, use the FQDN as I showed and test it.
> > > No, we need to investigate more, most probably.
> >
> > --
> > Dr. Christian Naumer
> > Unit Head Bioprocess Development
> > B.R.A.I.N Aktiengesellschaft
> > Darmstaedter Str. 34-36, D-64673 Zwingenberg
> > e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> > fon +49-6251-9331-30 / fax +49-6251-9331-11
> >
> > Registered office: Zwingenberg/Bergstrasse
> > Register court: AG Darmstadt, HRB 24758
> > Management board: Adriaan Moelker (chairman of the board),
> > Manfred Bender, Ludger Roedder
> > Chairman of the supervisory board: Dr. Georg Kellinghusen
> >
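A verification check for the misplacement Christian reports (PTR added to zone "0" but answering from zone "2"), added here as an example and not code from the thread or from Samba: it derives the PTR owner name and /24 reverse zone for an address, parses `host`-style lookup output, and flags any sibling zone where the record with the same last octet resolves to the intended target. The `host` output format and the sample lines are assumptions constructed to mirror the thread's 192.168.0.157 / 192.168.2.157 case.

```python
import ipaddress
import re

# Assumed line shapes of the `host` utility (one line per lookup).
PTR_RE = re.compile(r"^(\S+?)\.? domain name pointer (\S+?)\.?$")
NX_RE = re.compile(r"^Host (\S+?)\.? not found: 3\(NXDOMAIN\)$")


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address, e.g. 157.2.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def zone_for(ip: str) -> str:
    """The /24 reverse zone that should hold the PTR for ip."""
    return reverse_name(ip).split(".", 1)[1]


def parse_host_output(text: str) -> dict:
    """Map each queried reverse name to its PTR target, or None on NXDOMAIN."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if m := PTR_RE.match(line):
            results[m.group(1)] = m.group(2)
        elif m := NX_RE.match(line):
            results[m.group(1)] = None
    return results


def check_ptr_placement(ip: str, target: str, zones: list, host_output: str) -> dict:
    """Report whether the PTR for ip answers in its own zone, and list every
    zone in `zones` where the record with the same last octet resolves to
    `target` (the thread's symptom: the record lands in a sibling zone)."""
    results = parse_host_output(host_output)
    wanted = reverse_name(ip)
    last_octet = wanted.split(".", 1)[0]
    found_in = [f"{last_octet}.{z}" for z in zones
                if results.get(f"{last_octet}.{z}") == target]
    return {"expected": wanted, "found_in": found_in,
            "ok": results.get(wanted) == target and found_in == [wanted]}


# Constructed sample mirroring the thread: the PTR for 192.168.0.157 is
# NXDOMAIN while 192.168.2.157 answers with the name meant for zone "0".
SAMPLE_HOST_OUTPUT = """\
Host 157.0.168.192.in-addr.arpa not found: 3(NXDOMAIN)
157.2.168.192.in-addr.arpa domain name pointer zone0.domain.de.
"""
ZONES = [f"{i}.168.192.in-addr.arpa" for i in range(8)]
```

Feed it the concatenated output of `host 192.168.N.157` for each reverse zone you operate; `found_in` then shows every zone that claims the record, not just the one you wrote to.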