[Samba] DNS Updates after upgrade
Christian Naumer
cn at brain-biotech.de
Mon Jun 29 10:31:41 UTC 2020
Hello everybody,
In the last few weeks I started upgrading our DCs from CentOS 7 to CentOS 8. After
having read this
(https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC#Updating_Multiple_Samba_Domain_Controllers)
and especially this "Joining a DC to domain can be a troublesome process
for some users, and it can be difficult to recover your DC if something
goes wrong". I really looked forward to this ... :-| So this is a bit of
a long read...
This Domain was "classic upgraded" from an NT Style domain with Samba
version 4.4. All upgrades until now were done "in place".
We have 4 DCs: 3 VMs and one physical server. Samba version is 4.12.3 on
all the DCs before and after the upgrade. We are using the Sernet
packages. I was very careful and went step by step. Here is the general
outline.
-- Demote old DC
-- check if all entries are gone as listed on the wiki
-- run "samba-tool dbcheck --cross-ncs --fix" to remove deleted objects etc.
-- Install new dc as per Wiki and my notes (Same Name same IP)
-- Join DC
-- run checks (samba-tool drs showrepl,samba-tool dbcheck --cross-ncs)
-- Check DNS Updates (samba_dnsupdate --verbose --all-names)
Now here is how it worked out...
-- First DC demote and rejoin with the same name and IP (after
installing a new VM) went fine. No Errors! Great now to the next one I
thought.... (actually I waited a few days)
-- Second DC demote went fine. After the Rejoin bind would not start
because it complained about empty zones. I read about this on this list.
So I deleted those zones and the entries (just a few, so no big
problem). Now bind did start and all checks (samba-tool drs showrepl;
samba-tool dbcheck --cross-ncs --fix,samba_dnsupdate --verbose
--all-names) are fine. DNS Updates work. So on to the next one...
-- Third DC. This was the FSMO holder so I transferred the roles to DC2.
After the Join Bind complained on ALL zones except the primary AD zone
that they were empty and would not start. So I again deleted them and
recreated the zone and the entries. All worked OK. No errors after I
fixed the zones.
-- The last DC (this one a physical server) I demoted and reinstalled on
the same hardware. I followed my notes and, because I had read some more in
the meantime, I added NS records for all DCs in all zones (they are
only added automatically to the AD zone not any reverse zones etc).
After the Join every check worked (samba-tool drs showrepl; samba-tool
dbcheck --cross-ncs --fix,samba_dnsupdate --verbose --all-names).
However, there is one problem: Windows clients can not update their DNS
records on this DC. All the others work.
So here are my questions:
-- On two of the new joins I did, the KCC objects appeared only after
running samba_kcc. Is this normal or should I have waited a bit longer?
-- Do any of you manually add NS records for all DCs into all your zones
(specifically the reverse zones) or should this be done by samba?
-- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still
needed? I needed this to get DNS updates from the clients working with
Samba 4.4 (when this Domain was provisioned the current version). I
moved it from the private dir to bind-dns dir. But named.conf.update
does not get created (on all DCs).
-- Last question: does anyone have an idea how to fix this? At the
moment I am inclined to just remove the offending DC and join it again.
Here is the log entry with debug level 5 from the dlz module from the
faulty DC:
27-Jun-2020 21:02:46.144 samba_dlz: DSDB Transaction [rollback] at [Sat,
27 Jun 2020 21:02:46.144303 CEST] duration [3618]
27-Jun-2020 21:02:46.144 samba_dlz: {"timestamp":
"2020-06-27T21:02:46.144494+0200", "type": "dsdbTransaction",
"dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action":
"rollback", "transactionId": "9cb08a1a-01d2-467c-a582-616185189020",
"duration": 3618}}
27-Jun-2020 21:02:46.144 samba_dlz: cancelling transaction on zone
ad.domain.de
Here from a working DC:
27-Jun-2020 21:04:24.308 samba_dlz: starting transaction on zone
ad.domain.de
27-Jun-2020 21:04:24.311 client @0x7f5ab01c88f0 192.168.0.113#63319:
update 'ad.domain.de/IN' denied
27-Jun-2020 21:04:24.311 samba_dlz: DSDB Transaction [rollback] at [Sat,
27 Jun 2020 21:04:24.311712 CEST] duration [2575]
27-Jun-2020 21:04:24.311 samba_dlz: {"timestamp":
"2020-06-27T21:04:24.311817+0200", "type": "dsdbTransaction",
"dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action":
"rollback", "transactionId": "cfaf0fd3-3bd5-47e6-a3ba-5523b4dea6f8", "duration": 2575}}
27-Jun-2020 21:04:24.312 samba_dlz: cancelling transaction on zone
ad.domain.de
27-Jun-2020 21:04:24.466 samba_dlz: starting transaction on zone
ad.domain.de
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC mechanism spnego
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC submechanism gssapi_krb5
27-Jun-2020 21:04:24.470 samba_dlz: gensec_gssapi: NO credentials were
delegated
27-Jun-2020 21:04:24.470 samba_dlz: GSSAPI Connection will be
cryptographically signed
27-Jun-2020 21:04:24.470 samba_dlz: Successful AuthZ: [(null),krb5] user
[BRAIN-02]\[LANSWEEPER$]
[S-1-5-21-773202902-494389186-2375354597-132211] at [Sat, 27 Jun 2020
21:04:24.470917 CEST] Remote host [NULL] local host [NULL]
27-Jun-2020 21:04:24.471 samba_dlz: {"timestamp":
"2020-06-27T21:04:24.471156+0200", "type": "Authorization",
"Authorization": {"version": {"major": 1, "minor": 1}, "localAddress":
null, "remoteAddress": null, "serviceDescription": null,
"authType": "krb5", "domain": "BRAIN-02", "account": "LANSWEEPER$",
"sid": "S-1-5-21-773202902-494389186-2375354597-132211", "sessionId":
"9887dc0f-41b2-4cb7-a7e8-b885ae239ac3", "logonServer": "DC2",
"transportProtection": "SIGN", "accountFlags": "0x00000080"}}
27-Jun-2020 21:04:24.474 samba_dlz: allowing update of
signer=LANSWEEPER\$\@ad.domain.DE name=lansweeper.ad.domain.de
tcpaddr=192.168.0.113 type=AAAA
key=1080-ms-7.257-1bf1c173.234c263c-b466-11ea-e081-96f66ddcca4a/160/0
Here are the relevant configs:
---smb.conf---
[global]
netbios name = DC1
realm = AD.DOMAIN.DE
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN-02
log level = 1 auth_audit:4 dsdb_password_audit:5 dsdb_transaction_audit:5 dsdb_group_audit:5
#log level = 10
logging =syslog
server role = active directory domain controller
dns zone scavenging = yes
prefork children = 8
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
#ntlm auth = yes
ntlm auth = mschapv2-and-ntlmv2-only
disable netbios = yes
smb ports = 445
server min protocol = SMB2
client min protocol = SMB2
tls enabled = yes
tls keyfile = tls/server_de.key
tls certfile = tls/server.pem
tls cafile = tls/ca.pem
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
[netlogon]
path = /var/lib/samba/sysvol/AD.DOMAIN.de/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
----/etc/named.conf------
# Global BIND configuration options
include "/var/lib/samba/bind-dns/named.conf";
options {
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
auth-nxdomain yes;
directory "/var/named";
notify no;
empty-zones-enable no;
allow-query {
127.0.0.1;
10.0.8.0/24;
# add other networks you want to allow to query your DNS
};
allow-recursion {
10.0.8.0/24;
# add other networks you want to allow to do recursive queries
};
forwarders {
# Google public DNS server here - replace with your own if necessary
8.8.8.8;
};
allow-transfer {
# this config is for a single master DNS server
none;
};
};
# Root servers (required zone for recursive queries)
zone "." {
type hint;
file "named.root";
};
# Required localhost forward-/reverse zones
zone "localhost" {
type master;
file "master/localhost.zone";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "master/0.0.127.zone";
};
---/var/lib/samba/bind-dns/named.conf---
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
# For BIND 9.9.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
# For BIND 9.11.x
database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
# For BIND 9.12.x
# database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
};
---/etc/krb5.conf---
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.DOMAIN.DE
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
Thanks for any help!
Regards
Christian
--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
Manfred Bender, Ludger Roedder
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
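The two samba_dlz excerpts in the post differ in one visible way: on the working DC every rollback is either preceded by BIND refusing an unsigned attempt ("update ... denied") or followed by a GSS-TSIG authorization and an "allowing update" line, while on the faulty DC the transaction simply rolls back with neither. The script below, an added example that is not part of the post or of Samba, groups samba_dlz log lines into zone transactions and classifies each one, so a DC that never reaches "allowing update" can be picked out of a log window. The two sample logs are constructed from the post's excerpts (one record per line, because the list archive wrapped the originals); hostnames, IPs and SIDs are the post's own placeholders.

```python
"""Triage samba_dlz (BIND9 DLZ module) log lines for dynamic DNS update problems.

Added example, not code from the original post or from the Samba project.
Each "starting transaction on zone" opens a transaction; denied/AuthZ/allowing
lines and the dsdbTransaction JSON audit records are attached to it until the
"cancelling transaction" line closes it.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the post's excerpts (faulty DC first, working DC second).
FAULTY_DC_LOG = r"""27-Jun-2020 21:02:46.144 samba_dlz: DSDB Transaction [rollback] at [Sat, 27 Jun 2020 21:02:46.144303 CEST] duration [3618]
27-Jun-2020 21:02:46.144 samba_dlz: {"timestamp": "2020-06-27T21:02:46.144494+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "9cb08a1a-01d2-467c-a582-616185189020", "duration": 3618}}
27-Jun-2020 21:02:46.144 samba_dlz: cancelling transaction on zone ad.domain.de
"""

WORKING_DC_LOG = r"""27-Jun-2020 21:04:24.308 samba_dlz: starting transaction on zone ad.domain.de
27-Jun-2020 21:04:24.311 client @0x7f5ab01c88f0 192.168.0.113#63319: update 'ad.domain.de/IN' denied
27-Jun-2020 21:04:24.311 samba_dlz: DSDB Transaction [rollback] at [Sat, 27 Jun 2020 21:04:24.311712 CEST] duration [2575]
27-Jun-2020 21:04:24.311 samba_dlz: {"timestamp": "2020-06-27T21:04:24.311817+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "cfaf0fd3-3bd5-47e6-a3ba-5523b4dea6f8", "duration": 2575}}
27-Jun-2020 21:04:24.312 samba_dlz: cancelling transaction on zone ad.domain.de
27-Jun-2020 21:04:24.466 samba_dlz: starting transaction on zone ad.domain.de
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC mechanism spnego
27-Jun-2020 21:04:24.470 samba_dlz: Successful AuthZ: [(null),krb5] user [BRAIN-02]\[LANSWEEPER$] [S-1-5-21-773202902-494389186-2375354597-132211] at [Sat, 27 Jun 2020 21:04:24.470917 CEST] Remote host [NULL] local host [NULL]
27-Jun-2020 21:04:24.471 samba_dlz: {"timestamp": "2020-06-27T21:04:24.471156+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "authType": "krb5", "domain": "BRAIN-02", "account": "LANSWEEPER$", "sid": "S-1-5-21-773202902-494389186-2375354597-132211", "logonServer": "DC2", "transportProtection": "SIGN", "accountFlags": "0x00000080"}}
27-Jun-2020 21:04:24.474 samba_dlz: allowing update of signer=LANSWEEPER\$\@ad.domain.DE name=lansweeper.ad.domain.de tcpaddr=192.168.0.113 type=AAAA key=1080-ms-7.257-1bf1c173.234c263c-b466-11ea-e081-96f66ddcca4a/160/0
"""

LINE_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
START_RE = re.compile(r"samba_dlz: starting transaction on zone (\S+)")
CANCEL_RE = re.compile(r"samba_dlz: cancelling transaction on zone (\S+)")
DENIED_RE = re.compile(r"client @\S+ (\S+)#\d+: update '([^']+)' denied")
ALLOW_RE = re.compile(r"samba_dlz: allowing update of signer=(\S+) name=(\S+) tcpaddr=(\S+) type=(\S+)")
JSON_RE = re.compile(r"samba_dlz: (\{.*\})$")


@dataclass
class Transaction:
    zone: str
    started: str
    rollbacks: int = 0
    denied_from: list = field(default_factory=list)  # client IPs refused by BIND before any signing
    authorized: list = field(default_factory=list)   # "DOMAIN\\account" from Authorization audit records
    allowed: list = field(default_factory=list)      # (name, rrtype, signer) of updates samba_dlz accepted

    def outcome(self) -> str:
        if self.allowed:
            return "allowed"               # signed update accepted
        if self.denied_from:
            return "denied-unsigned"       # unsigned attempt refused; clients normally retry signed
        if self.authorized:
            return "authorized-no-update"  # AuthZ logged but no accepted record
        return "rolled-back-silently"      # no denial, no AuthZ: the faulty DC's pattern


def unwrap(text: str) -> list:
    """Re-join lines a mail client wrapped: a line with no timestamp continues the
    previous record (a wrap inside a token, as in the archived post, is not repairable)."""
    out = []
    for raw in text.splitlines():
        if LINE_RE.match(raw) or not out:
            out.append(raw)
        else:
            out[-1] += " " + raw.strip()
    return out


def parse_log(text: str) -> list:
    txns, cur = [], None
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        s = START_RE.search(msg)
        if s:
            cur = Transaction(zone=s.group(1), started=ts)
            txns.append(cur)
            continue
        d, a, j, c = (DENIED_RE.search(msg), ALLOW_RE.search(msg),
                      JSON_RE.search(msg), CANCEL_RE.search(msg))
        if not (d or a or j or c):
            continue  # GENSEC chatter, text-form AuthZ line etc.: nothing to record
        if cur is None:
            # Excerpt begins mid-transaction (as the faulty DC's does): open one implicitly.
            cur = Transaction(zone="?", started=ts)
            txns.append(cur)
        if d:
            cur.denied_from.append(d.group(1))
        elif a:
            signer, name, _addr, rtype = a.groups()
            cur.allowed.append((name, rtype, signer))
        elif j:
            rec = json.loads(j.group(1))
            if rec.get("type") == "dsdbTransaction":
                if rec["dsdbTransaction"].get("action") == "rollback":
                    cur.rollbacks += 1
            elif rec.get("type") == "Authorization":
                auth = rec["Authorization"]
                cur.authorized.append(f"{auth.get('domain')}\\{auth.get('account')}")
        elif c:
            if cur.zone == "?":
                cur.zone = c.group(1)
            cur = None  # transaction closed
    return txns


def summarize(txns: list) -> dict:
    counts = {}
    for t in txns:
        counts[t.outcome()] = counts.get(t.outcome(), 0) + 1
    return counts


def serves_updates(txns: list) -> bool:
    """True if at least one transaction in the window ended in an accepted signed update."""
    return any(t.outcome() == "allowed" for t in txns)


if __name__ == "__main__":
    for label, log in (("faulty DC", FAULTY_DC_LOG), ("working DC", WORKING_DC_LOG)):
        txns = parse_log(log)
        for t in txns:
            print(f"{label}: {t.started} zone={t.zone} rollbacks={t.rollbacks} "
                  f"outcome={t.outcome()} allowed={t.allowed} denied_from={t.denied_from}")
        print(f"{label}: summary={summarize(txns)} serves_updates={serves_updates(txns)}")
```

Run it against a DC's BIND log (the log level from the post's smb.conf, `dsdb_transaction_audit:5`, is what produces the JSON records) and compare the summaries across DCs: the "denied-unsigned" followed by "allowed" pair is the normal two-step of a Windows client falling back to GSS-TSIG, while a DC whose window contains only "rolled-back-silently" is the one to inspect.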