[Samba] New PTR records not visible

L.P.H. van Belle belle at bazuin.nl
Thu Feb 27 09:48:19 UTC 2020



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Christian Naumer via samba
> Sent: Thursday 27 February 2020 10:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] New PTR records not visible
> 
> Hello Louis,
> thanks for looking into this. Have you looked at what the original
> poster shared in the bug report?
> 
> https://bugzilla.samba.org/show_bug.cgi?id=14268

Yes, I'm also looking again at that one.

> 
> I don't have a big problem with this, just trying to help. 
Which we very much appreciate :-) 

> Maybe the original poster can say more with regards of the problem he 
> has with this.
> 
> 
> here are more of my details.
Thanks. Now, besides the few script errors due to you using CentOS (I'll ignore those),
your setup is "thumbs up" good; based on what I see I would not change much.

But do verify this : >     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
Later Samba versions use :  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; 
as of Samba 4.9+ 

So this stays strange. 
Anyone else have suggestions on debugging this, or some verifications with CentOS? 


So far, 

Greetz,

Louis



> 
> Regards
> 
> 
> #####samba-debug-info.txt##############
> Collected config  --- 2020-02-27-10:17 -----------
> 
> Hostname: dc1
> DNS Domain: ad.domain.de
> FQDN: DC1.ad.domain.de
> ipaddress: 192.168.0.90
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.ad.domain.de record verified ok, 
> sample output:
> Server:		192.168.0.90
> Address:	192.168.0.90#53
> 
> _kerberos._tcp.ad.domain.de	service = 0 100 88 dc1.ad.domain.de.
> _kerberos._tcp.ad.domain.de	service = 0 100 88 dc3.ad.domain.de.
> _kerberos._tcp.ad.domain.de	service = 0 100 88 dc2.ad.domain.de.
> _kerberos._tcp.ad.domain.de	service = 0 100 88 dc4.ad.domain.de.
> Samba is running as an AD DC
> 
> -----------
>        Checking file: /etc/os-release
> 
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
> 
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
> 
> -----------
> 
> 
> This computer is running an unknown distribution x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
> group default qlen 1000
>     link/ether 6e:48:a7:59:a3:e4 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.90/21 brd 192.168.7.255 scope global eth0
>     inet6 fe80::6c48:a7ff:fe59:a3e4/64 scope link
> 
> -----------
>        Checking file: /etc/hosts
> 
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.0.90 DC1.ad.domain.de DC1
> 192.168.0.91 DC2.ad.domain.de DC2
> 192.168.0.106 DC4.ad.domain.de DC4
> 192.168.0.190 DC3.ad.domain.de DC3
> 
> -----------
> 
>        Checking file: /etc/resolv.conf
> 
> # Generated by NetworkManager
> search ad.domain.de domain.de domain.com domain.de. 
> domain.com. domain.de
> nameserver 192.168.0.90
> nameserver 192.168.0.91
> nameserver 192.168.0.106
> 
> -----------
> 
>        Checking file: /etc/krb5.conf
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = ad.domain.DE
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> 
> -----------
> 
>        Checking file: /etc/nsswitch.conf
> 
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #	nisplus			Use NIS+ (NIS version 3)
> #	nis			Use NIS (NIS version 2), also called YP
> #	dns			Use DNS (Domain Name Service)
> #	files			Use the local files
> #	db			Use the local database (.db) files
> #	compat			Use NIS on compat mode
> #	hesiod			Use Hesiod for user lookups
> #	[NOTFOUND=return]	Stop searching if not found so far
> #
> 
> # To use db, put the "db" in front of "files" for entries you 
> want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
> 
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
> #initgroups: files
> 
> #hosts:     db files nisplus nis dns
> hosts:      files dns myhostname
> 
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
> 
> netgroup:   files sss
> 
> publickey:  nisplus
> 
> automount:  files sss
> aliases:    files nisplus
> 
> -----------
> 
>        Checking file: /etc/samba/smb.conf
> 
> # Global parameters
> [global]
> 	netbios name = DC1
> 	realm = ad.domain.DE
> 	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, 
> drepl, winbindd,
> ntp_signd, kcc, dnsupdate
> 	workgroup = DOMAIN-02
> 	logging =syslog
> 	log level = 1 auth_audit:4 dsdb_password_audit:5
> dsdb_transaction_audit:5 dsdb_group_audit:5
> 	#log level = 3 auth_audit:4
> 	server role = active directory domain controller
> 	idmap_ldb:use rfc2307 = yes
> 	template shell = /bin/bash
>         template homedir = /home/%U
> 	#username map = /etc/samba/smbusers
> 	#ntlm auth = yes
> 	ntlm auth = mschapv2-and-ntlmv2-only
> 	#rpc server dynamic port range = 1024-1300
> 	disable netbios = yes
>         smb ports = 445
> 	server min protocol = SMB2
>         client min protocol = SMB2
> 	tls enabled  = yes
> 	tls keyfile  = tls/server_de.key
> 	tls certfile = tls/server.pem
> 	tls cafile   = tls/ca.pem
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/ad.domain.de/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> -----------
> 
> You have a user.map set in your smb.conf
> This is not allowed because Samba is running as a DC
> 
> -----------
> Detected bind DLZ enabled..
> 
> Warning, detected bind is enabled in smb.conf, but no /etc/bind
> directory found
> 
> -----------
> 
> Installed packages:
> 
> 
> -----------
> ##########named.conf###################
> 
> # /etc/named.conf
> # Global BIND configuration options
> include "/var/lib/samba/private/named.conf";
> options {
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     auth-nxdomain yes;
>     directory "/var/named";
>     notify no;
>     empty-zones-enable no;
> 
>     allow-query {
>         127.0.0.1;
>         192.168.0.0/16;
>         # add other networks you want to allow to query your DNS
>     };
> 
>     allow-recursion {
>         192.168.0.0/16;
>         # add other networks you want to allow to do recursive queries
>     };
> 
>     forwarders {
>         # Google public DNS server here - replace with your 
> own if necessary
>         8.8.8.8;
>         8.8.4.4;
>     };
> 
>     allow-transfer {
>         # this config is for a single master DNS server
>         none;
>     };
> 
> };
> 
> 
> # Root servers (required zone for recursive queries)
> zone "." {
>    type hint;
>    file "named.root";
> };
> 
> # Required localhost forward-/reverse zones
> zone "localhost" {
>     type master;
>     file "master/localhost.zone";
> };
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "master/0.0.127.zone";
> };
> 
> 
> On 27.02.20 at 09:53, L.P.H. van Belle via samba wrote:
> > Ok, new test. 
> > 
> > Besides that I don't like the Python errors shown, this 
> still looks good. 
> > So I don't know.. See below, I cannot make it error. 
> > 
> > 
> > for x in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 ; do 
> samba-tool dns add dc1.internal.dom.tld 
> $x.249.10.in-addr.arpa 158 PTR host-test.extrazone.dom.tld ; done
> > 
> > Record added successfully
> > Record added successfully
> > Record added successfully
> > Record added successfully
> > Record added successfully
> > ERROR: Zone does not exist; record coud not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > 
> > 
> > 
> > for x in 0 1 2 3 4 5 6 7 ; do samba-tool dns add 
> dc1.internal.dom.tld $x.249.10.in-addr.arpa 158 PTR 
> host-test.extrazone.dom.tld ; done
> > ERROR(runtime): uncaught exception - (9711, 
> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 945, in run
> >     raise e
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 941, in run
> >     0, server, zone, name, add_rec_buf, None)
> > ERROR(runtime): uncaught exception - (9711, 
> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 945, in run
> >     raise e
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 941, in run
> >     0, server, zone, name, add_rec_buf, None)
> > ERROR(runtime): uncaught exception - (9711, 
> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 945, in run
> >     raise e
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 941, in run
> >     0, server, zone, name, add_rec_buf, None)
> > ERROR(runtime): uncaught exception - (9711, 
> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 945, in run
> >     raise e
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 941, in run
> >     0, server, zone, name, add_rec_buf, None)
> > ERROR(runtime): uncaught exception - (9711, 
> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> line 186, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 945, in run
> >     raise e
> >   File 
> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 941, in run
> >     0, server, zone, name, add_rec_buf, None)
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > ERROR: Zone does not exist; record could not be added.
> > 
> > for x in 0 1 2 3 4 5 6 7 ; do nslookup 10.249.$x.158 ; done
> > 158.0.249.10.in-addr.arpa       name = host-test.extrazone.dom.tld.
> > 
> > 158.1.249.10.in-addr.arpa       name = host-test.extrazone.dom.tld.
> > 
> > 158.2.249.10.in-addr.arpa       name = host-test.extrazone.dom.tld.
> > 
> > 158.3.249.10.in-addr.arpa       name = host-test.extrazone.dom.tld.
> > 
> > 158.4.249.10.in-addr.arpa       name = host-test.extrazone.dom.tld.
> > 
> > ** server can't find 158.5.249.10.in-addr.arpa: NXDOMAIN
> > 
> > ** server can't find 158.6.249.10.in-addr.arpa: NXDOMAIN
> > 
> > ** server can't find 158.7.249.10.in-addr.arpa: NXDOMAIN
> > 
> > 
> > Other range, since you mentioned this was in 192.168.x zones. 
> > So here you go.
> > 
> > for x in 0 1 2 3 4 5 6 ; do samba-tool dns zonecreate 
> dc1.internal.dom.tld $x.168.192.in-addr.arpa ; done
> > Zone 0.168.192.in-addr.arpa created successfully
> > Zone 1.168.192.in-addr.arpa created successfully
> > Zone 2.168.192.in-addr.arpa created successfully
> > Zone 3.168.192.in-addr.arpa created successfully
> > Zone 4.168.192.in-addr.arpa created successfully
> > Zone 5.168.192.in-addr.arpa created successfully
> > Zone 6.168.192.in-addr.arpa created successfully
> > 
> > for x in 0 1 2 3 4 5 6 ; do samba-tool dns add 
> dc1.internal.dom.tld $x.168.192.in-addr.arpa 1 PTR 
> host-test.extrazone.dom.tld ; done
> > Record added successfully
> > Record added successfully
> > Record added successfully
> > Record added successfully
> > Record added successfully
> > Record added successfully
> > Record added successfully
> > 
> > for x in 0 1 2 3 4 5 6 ; do nslookup 192.168.$x.1 ; done
> > 1.0.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.
> > 
> > 1.1.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.
> > 
> > 1.2.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.
> > 
> > 1.3.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.
> > 
> > 1.4.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.
> > 
> > 1.5.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.
> > 
> > 1.6.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.
> > 
> > 
> > 
> > Did you run my debugscript already, can you post it
> > 
> https://github.com/thctlo/samba4/raw/master/samba-collect-debu
> g-info.sh 
> > 
> > 
> > Greetz, 
> > 
> > Louis
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> >> Christian Naumer via samba
> >> Sent: Thursday 27 February 2020 9:24
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] New PTR records not visible
> >>
> >> Hi,
> >> have you tried adding an entry to another host on 157? For 
> me it only
> >> produces the error with 0.168.192.in-addr.arpa and
> >> 2.168.192.in-addr.arpa. Not with 1 or 3.
> >>
> >> Regards
> >>
> >> Christian
> >>
> >>
> >> On 27.02.20 at 08:42, L.P.H. van Belle via samba wrote:
> >>> Hi, 
> >>>
> >>> Today I thought let's re-test this again. 
> >>> So this was done yesterday, 
> >>>
> >>> samba-tool dns add dc1.internal.dom.tld 
> >> 2.249.10.in-addr.arpa 157 PTR host.extrazone.dom.tld
> >>> samba-tool dns add dc1.internal.dom.tld 
> >> 0.249.10.in-addr.arpa 157 PTR host.extrazone.dom.tld
> >>> samba-tool dns add dc1.internal.dom.tld 
> >> 1.249.10.in-addr.arpa 157 PTR host.extrazone.dom.tld
> >>>
> >>> I did keep the entries in the DNS yesterday. 
> >>>
> >>> Today : 
> >>>
> >>> samba-tool dns add dc1.internal.dom.tld 
> >> 2.249.10.in-addr.arpa 157 PTR host.extrazone.dom.tld
> >>> Password for [Administrator at REALM]:
> >>> ERROR(runtime): uncaught exception - (9711, 
> >> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >>>   File 
> >> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
> >> line 186, in _run
> >>>     return self.run(*args, **kwargs)
> >>>   File 
> >> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 
> 945, in run
> >>>     raise e
> >>>   File 
> >> "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 
> 941, in run
> >>>     0, server, zone, name, add_rec_buf, None)
> >>> # adding an extra on in "3"
> >>> samba-tool dns add  dc1.internal.dom.tld 
> >> 3.249.10.in-addr.arpa 157 PTR host.extrazone.dom.tld
> >>> Password for [Administrator at REALM]:
> >>> Record added successfully
> >>>
> >>> And I checked all the reverse zones' DNS records.
> >>> All checked out ok.
> >>>
> >>> Sorry, I cannot make it fail here. 
> >>>
> >>>
> >>> Greetz, 
> >>>
> >>> Louis 
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> >>>> Christian Naumer via samba
> >>>> Sent: Wednesday 26 February 2020 15:54
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] New PTR records not visible
> >>>>
> >>>> On 26.02.20 at 15:40, L.P.H. van Belle via samba wrote:
> >>>>> So strange.. 
> >>>>>
> >>>>> I copied your commands, only changed the arpa and 
> >>>> servername / domainnames. 
> >>>>> All worked. 
> >>>>
> >>>> Have you checked that you have this situation?
> >>>>
> >>>> If this entry "192.168.2.157" exists and you try to add
> >>>> "192.168.0.157", another entry pointing to 
> "192.168.2.157" is added.
> >>>>
> >>>>
> >>>>>
> >>>>> So far nobody has told how their AD DC and DNS is set up.. 
> >>>>> Which is why I added :  
> >>>>>>> Debian 10, my own packages.
> >>>>>>> Samba 4.11.6 + BIND9_DLZ is used .  
> >>>>>
> >>>>> Now, are you using Samba DNS or BIND_DLZ DNS? 
> >>>>
> >>>> I am using BIND_DLZ. On CentOS 7 with the Sernet packages.
> >>>>
> >>>> Regards
> >>>>
> >>>> Christian
> >>>>
> >>>> -- 
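The loops in the thread above do two things by hand: split an address into the `<zone> <name>` pair that `samba-tool dns add <server> <zone> <name> PTR <target>` expects for a /24 reverse zone, and then read nslookup output back to see whether each record landed where it should. The following script is an added example, not code from the Samba project or from anyone in this thread. It performs both steps offline: `ptr_parts` and `samba_tool_add_cmd` build the zone, record name and command line for an IPv4 address, and `check_ptrs` parses nslookup-style PTR output and classifies every queried address as `ok`, `nxdomain`, `missing`, `duplicate` or `wrong-target`, which makes the symptom Christian describes (a record that is NXDOMAIN in the zone it was added to, or a second PTR answer showing up on another owner name) visible at a glance. The nslookup output embedded below is constructed to resemble the thread's; the duplicate answer on `1.3.168.192.in-addr.arpa` is invented to exercise the check, and the server and target names are the thread's test values, not real hosts.

```python
# Added example, not code from the Samba project or from anyone in this thread.
# Offline helpers for the PTR-record checks discussed above:
#   1. ptr_parts()/samba_tool_add_cmd(): the <zone> <name> split that
#      "samba-tool dns add <server> <zone> <name> PTR <target>" expects
#      for a /24 in-addr.arpa zone;
#   2. parse_nslookup()/check_ptrs(): read nslookup PTR output back and
#      flag answers that do not line up with the address that was queried.
# SAMPLE_OUTPUT is constructed to look like the thread's nslookup output;
# the duplicate answer for 192.168.3.1 is invented to exercise the check.
import ipaddress
import re


def ptr_parts(ip):
    """Return (zone, name, owner) for a /24 in-addr.arpa zone.

    For 10.249.2.157 this is ("2.249.10.in-addr.arpa", "157",
    "157.2.249.10.in-addr.arpa"): the zone and record name samba-tool
    wants, and the owner name nslookup prints back for that address.
    """
    o = str(ipaddress.IPv4Address(ip)).split(".")
    zone = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"
    return zone, o[3], f"{o[3]}.{zone}"


def samba_tool_add_cmd(server, ip, target):
    """Render the samba-tool command line for one PTR record."""
    zone, name, _ = ptr_parts(ip)
    return f"samba-tool dns add {server} {zone} {name} PTR {target}"


# "1.0.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld."
PTR_LINE = re.compile(r"^(?P<owner>\S+)\s+name = (?P<target>\S+)$")
# "** server can't find 1.2.168.192.in-addr.arpa: NXDOMAIN"
NXDOMAIN_LINE = re.compile(r"^\*\* server can't find (?P<owner>[^:\s]+): NXDOMAIN$")


def parse_nslookup(output):
    """Map owner name -> list of PTR targets, or None when nslookup said NXDOMAIN."""
    answers = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = PTR_LINE.match(line)
        if m:
            owner = m.group("owner")
            if answers.get(owner) is None:
                answers[owner] = []
            # drop the trailing dot so targets compare as plain names
            answers[owner].append(m.group("target").rstrip("."))
            continue
        m = NXDOMAIN_LINE.match(line)
        if m:
            answers[m.group("owner")] = None
    return answers


def check_ptrs(ips, output, expected_target):
    """Classify each queried address: ok / nxdomain / missing / duplicate / wrong-target."""
    answers = parse_nslookup(output)
    status = {}
    for ip in ips:
        _, _, owner = ptr_parts(ip)
        if owner not in answers:
            status[ip] = "missing"        # nslookup printed nothing for it
        elif answers[owner] is None:
            status[ip] = "nxdomain"       # record not found in the zone queried
        elif len(answers[owner]) > 1:
            status[ip] = "duplicate"      # more than one PTR answer on one owner
        elif answers[owner][0] != expected_target:
            status[ip] = "wrong-target"
        else:
            status[ip] = "ok"
    return status


# Constructed sample, modelled on the nslookup output quoted in the thread.
SAMPLE_OUTPUT = """\
1.0.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.

1.1.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.

** server can't find 1.2.168.192.in-addr.arpa: NXDOMAIN

1.3.168.192.in-addr.arpa        name = host-test.extrazone.dom.tld.
1.3.168.192.in-addr.arpa        name = other-host.extrazone.dom.tld.
"""

if __name__ == "__main__":
    ips = [f"192.168.{x}.1" for x in range(4)]
    for ip in ips:
        print(samba_tool_add_cmd("dc1.internal.dom.tld", ip, "host-test.extrazone.dom.tld"))
    for ip, state in check_ptrs(ips, SAMPLE_OUTPUT, "host-test.extrazone.dom.tld").items():
        print(f"{ip:15} {state}")
```

To use it against a live DC, pipe the real output of `for x in ...; do nslookup 192.168.$x.1; done` into `check_ptrs` with the same list of addresses; anything other than `ok` for an address whose `samba-tool dns add` reported "Record added successfully" is worth a closer look at that reverse zone.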



