[Samba] Changing IP Scope on a Samba DC

Peter Pollock peter.pollock at kingschristian.org
Tue Sep 1 17:48:57 UTC 2020


192.168.1.11 was from a time we tried to increase the number of available
IPs by adding a virtual IP in Zentyal for the server to listen on. It
never worked and now Zentyal won't let me remove it, due to not being able
to save changes.

We do use .local because Microsoft Small Business Server, which we were
playing with before we started down this route, automatically suggested we
use the .local extension for internal domains, which we stupidly trusted.
As far as I can tell Avahi is not running.

Collected config  --- 2020-09-01-10:30 -----------

Hostname: genesis
DNS Domain: kcs.local
FQDN: genesis.kcs.local
ipaddress: 192.168.2.11 192.168.1.11 10.1.10.80
-----------
Kerberos SRV _kerberos._tcp.kcs.local record verified ok, sample output:
Server: 127.0.0.1
Address: 127.0.0.1#53

_kerberos._tcp.kcs.local service = 100 100 88 luke.kcs.local.
_kerberos._tcp.kcs.local service = 0 100 88 genesis.kcs.local.
_kerberos._tcp.kcs.local service = 100 100 88 genesis.kcs.local.
_kerberos._tcp.kcs.local service = 0 100 88 luke.kcs.local.
Samba is running as an AD DC
-----------
       Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="
https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
-----------

This computer is running Ubuntu 18.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet 127.0.1.1/8 scope host secondary lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
default qlen 1000
    link/ether 00:24:e8:76:cc:4a brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.11/24 brd 192.168.2.255 scope global eth0
    inet 192.168.1.11/24 brd 192.168.1.255 scope global eth0:eth2
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
default qlen 1000
    link/ether 00:24:e8:76:cc:4c brd ff:ff:ff:ff:ff:ff
    inet 10.1.10.80/24 brd 10.1.10.255 scope global eth1
-----------
       Checking file: /etc/hosts
127.0.0.1 localhost
192.168.2.11 genesis.kcs.local genesis
192.168.2.14    luke.kcs.local          luke

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
       Checking file: /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 127.0.0.1
search kcs.local
-----------
       Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = KCS.LOCAL
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = no
-----------
       Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat
passwd: compat winbind
# pre_auth-client-config # group:          compat
group: compat winbind
# pre_auth-client-config # shadow:         compat
shadow: compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis
-----------
       Checking file: /etc/samba/smb.conf
[global]
    workgroup = kcs
    realm = KCS.LOCAL
    netbios name = GENESIS
    server string = The Genesis
    server role = dc
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200

    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U

    rpc server dynamic port range = 49152-65535

    interfaces = lo,eth0,eth0:eth2,eth0:eth2,eth1
    bind interfaces only = yes

    map to guest = Bad User

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000



    include = /etc/samba/shares.conf




[netlogon]
    path = /var/lib/samba/sysvol/kcs.local/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no
-----------
Detected bind DLZ enabled..
       Checking file: /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";
-----------
       Checking file: /etc/bind/named.conf.options

options {
        sortlist {
                192.168.2.0/24;
        };
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        forward first;
        forwarders {
                208.67.222.123;
                208.67.220.123;
        };

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    auth-nxdomain no;    # conform to RFC1035

    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { internal-local-nets; };
};

logging { category lame-servers { null; }; };
-----------
       Checking file: /etc/bind/named.conf.local
// Generated by Zentyal

acl "trusted" {
    localhost;
    localnets;
};

acl "internal-local-nets" {
    192.168.2.0/24;
};

dlz "AD DNS Zone" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};



zone "10.1.10.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.10.1.10";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant kcs.local. subdomain 10.1.10.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
-----------
       Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:   3 zone(s) found

  pszZoneName                 : 2.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.kcs.local

  pszZoneName                 : kcs.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.kcs.local

  pszZoneName                 : _msdcs.kcs.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.kcs.local

Samba DNS zone list Automated check :
zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
ERROR: AD DC zones found in the Bind flat-files
       This is not allowed, you must remove them.
       Conflicting zone name : kcs.local
       File in question is : /etc/bind/keys:key "kcs.local" {
/etc/bind/named.conf.local:        grant kcs.local. subdomain
10.1.10.in-addr.arpa. PTR TXT;
-----------
ERROR: AD DC zones found in the Bind flat-files
       This is not allowed, you must remove them.
       Conflicting zone name : _msdcs.kcs.local
       File in question is :
-----------
Installed packages:
ii  acl                                   2.2.52-3build1
               amd64        Access control list utilities
ii  bind9                                 1:9.11.3+dfsg-1ubuntu1.11
              amd64        Internet Domain Name Server
ii  bind9-host                            1:9.11.3+dfsg-1ubuntu1.11
              amd64        DNS lookup utility (deprecated)
ii  bind9utils                            1:9.11.3+dfsg-1ubuntu1.11
              amd64        Utilities for BIND
ii  krb5-config                           2.6
              all          Configuration files for Kerberos Version 5
ii  libacl1:amd64                         2.2.52-3build1
               amd64        Access control list shared library
ii  libattr1:amd64                        1:2.4.47-2build1
               amd64        Extended attribute shared library
ii  libauthen-krb5-easy-perl              0.91-4
               amd64        Simple Kerberos 5 interaction
ii  libbind9-160:amd64                    1:9.11.3+dfsg-1ubuntu1.11
              amd64        BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64                1.16-2ubuntu0.1
              amd64        MIT Kerberos runtime libraries - krb5 GSS-API
Mechanism
ii  libkrb5-26-heimdal:amd64              7.5.0+dfsg-1
               amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                       1.16-2ubuntu0.1
              amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.16-2ubuntu0.1
              amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64                  2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64                  2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64                    2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        Samba winbind client library
ii  python-samba                          2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        Python bindings for Samba
ii  samba                                 2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                          2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              all          common files used by both the Samba server and
client
ii  samba-common-bin                      2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        Samba common files used by both the server and
the client
ii  samba-dsdb-modules                    2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        Samba Directory Services Database
ii  samba-libs:amd64                      2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        Samba core libraries
ii  samba-vfs-modules                     2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        Samba Virtual FileSystem plugins
ii  winbind                               2:4.7.6+dfsg~ubuntu-0ubuntu2.14
              amd64        service to resolve user and group information
from Windows NT servers
ii  zentyal-samba                         6.1.2
              all          Zentyal - Domain Controller and File Sharing
-----------


On Mon, Aug 31, 2020 at 11:33 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 01/09/2020 00:33, Peter Pollock wrote:
> > I just ran  samba_dnsupdate --all-names and got this:
> >
> > itadmin at genesis:~$ sudo samba_dnsupdate --all-names
> > add_interface: not adding duplicate interface 192.168.1.11
> You said that you were using the 192.168.2.0/24 network, where is that
> ipaddress coming from ?
> > ldb_wrap open of secrets.ldb
> >
> > update failed: NOTAUTH
> > update failed: NOTAUTH
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba_dnsupdate", line 925, in <module>
> >     call_nsupdate(d)
> >   File "/usr/sbin/samba_dnsupdate", line 498, in call_nsupdate
> >     server = get_krb5_rw_dns_server(creds, zone)
> >   File "/usr/sbin/samba_dnsupdate", line 156, in get_krb5_rw_dns_server
> >     rw_dns_servers = get_possible_rw_dns_server(creds, domain)
> >   File "/usr/sbin/samba_dnsupdate", line 140, in
> > get_possible_rw_dns_server
> >     ans_ns = check_one_dns_name(domain, 'NS')
> >   File "/usr/sbin/samba_dnsupdate", line 291, in check_one_dns_name
> >     ans = resolver.query(name, name_type)
> >   File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 1053,
> > in query
> >     raise_on_no_answer)
> >   File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 234,
> > in __init__
> >     raise NoAnswer(response=response)
> > dns.resolver.NoAnswer: The DNS response does not contain an answer to
> > the question: _msdcs.kcs.local. IN NS
>
> Is your TLD really '.local' ?
>
> If it is, ensure that Avahi is turned off.
>
> >
> > It looks to me like there is an NS record missing. Do I create this
> > through Samba somehow or should I use Windows RSAT tools to create the
> > missing entry. I'm not 100% certain what answer it is looking for though.
>
> Can you please download this script:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on a DC and post the output (sanitised if required) into a reply
> to this, do not attach it, this list removes attachments.
>
> Rowland


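The two ERROR blocks in the collected output were produced by matching the AD zone names against the BIND files, and the lines they cite (`key "kcs.local" {` in /etc/bind/keys and the `grant kcs.local.` update-policy line in named.conf.local) are not `zone` declarations. As an added example, not part of the thread or of the debug script, here is a check that separates a plain substring hit from a real flat-file zone declaration, run over a constructed sample modelled on the quoted named.conf.local:

```python
import re

# Constructed sample modelled on the thread's named.conf.local and debug output;
# not the real files from the server. The key body is a placeholder.
SAMBA_AD_ZONES = ["2.168.192.in-addr.arpa", "kcs.local", "_msdcs.kcs.local"]

SAMPLE_BIND_FILES = {
    "/etc/bind/keys": 'key "kcs.local" {\n    algorithm hmac-sha256;\n'
                      '    secret "PLACEHOLDER";\n};\n',
    "/etc/bind/named.conf.local": (
        'zone "10.1.10.in-addr.arpa" {\n'
        '    type master;\n'
        '    file "/var/lib/bind/db.10.1.10";\n'
        '    update-policy {\n'
        '        grant kcs.local. subdomain 10.1.10.in-addr.arpa. PTR TXT;\n'
        '    };\n'
        '};\n'
        'zone "168.192.in-addr.arpa" {\n'
        '    type master;\n'
        '    file "/etc/bind/db.empty";\n'
        '};\n'
    ),
}

# A zone declaration starts a line with the keyword `zone` and a quoted name;
# `key "..."` stanzas and `grant ...` policy lines do not match this.
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"', re.MULTILINE)


def declared_zones(text):
    """Zone names from real `zone "..."` statements, normalised for comparison."""
    return [m.group(1).rstrip(".").lower() for m in ZONE_RE.finditer(text)]


def naive_hits(files, ad_zones):
    """What a plain substring search reports: every line mentioning a zone name."""
    hits = {}
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            for zone in ad_zones:
                if zone.lower() in line.lower():
                    hits.setdefault(zone, []).append(f"{path}:{n}")
    return hits


def conflicting_zones(files, ad_zones):
    """Only zones BIND would actually serve from a flat file: the real conflicts."""
    wanted = {z.lower() for z in ad_zones}
    found = {}
    for path, text in files.items():
        for zone in declared_zones(text):
            if zone in wanted:
                found.setdefault(zone, []).append(path)
    return found
```

On the sample, `naive_hits` reproduces the two cited lines while `conflicting_zones` returns nothing, which matches the script's own "no Bind flat-files found" verdict for the reverse zone.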