[Samba] Bind9 issue

Robert Wooden wdn2420systm at gmail.com
Wed Sep 30 12:22:23 UTC 2020


Yesterday I had an issue with Samba v 4.13.0.

I went to the backup and discovered that the backup computer has a drive failure and
the backup is gone.

Only resort is to rebuild the DC.

I cannot figure out why bind9 will not answer "host -t SRV _ldap._tcp.ad.dtntwk.work."
or "host -t SRV _kerberos._udp.ad.dtntwk.work."

root at dc1:~# host -t SRV _ldap._tcp.subdom.example.com.
> _ldap._tcp.subdom.example.com has no SRV record
>
root at dc1:~# host -t SRV _kerberos._udp.subdom.example.com.
> _ldap._tcp.subdom.example.com has no SRV record
>

root at dc1:~# host -t A dc1.subdom.example.com.
> dc1.subdom.example.com has address 164.98.xxx.xxx
>

This IP address is my external IP, provided by the ISP. It should be a
local IP (192.168.0.xx).

root at dc1:~# cat /etc/bind/named.conf
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>

 root at dc1:~# cat /etc/bind/named.conf.local
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> // adding the dlopen ( Bind DLZ ) module for samba.
> // at install debian already sets the correct bind9.XX version in this file below.
> include "/var/lib/samba/bind-dns/named.conf";
>

root at dc1:~# cat /etc/bind/named.conf.options
> // Defined ACL Begin
>         // define only ONE ip for thisserverip.
>         acl thisserverip {
>               // IF DC1
>                 192.168.0.41;
>               //
>                 };
>
>         acl all-networks {
>         // defines which networks are allowed to access/query this server.
>         // add/remove networks if needed.
>                 192.168.0.0/24;
>                 };
>         // Defined ACL End
>
>         options {
>                 directory "/var/cache/bind";
>                 version "0.0.7";  // James Bond its DNS server
>
>                 // My ISP dns servers, change to your needs (optional); test without it enabled.
>                 forwarders {  8.8.8.8; 8.8.4.4; };
>
>
> //========================================================================
>                 // If BIND logs error messages about the root key being expired,
>                 // you will need to update your keys.  See https://www.isc.org/bind-keys
>
> //========================================================================
>                 dnssec-validation no;  // I forgot why I set this to no. Sorry..
>
>                 auth-nxdomain yes;    // Because this server is an authoritative server for the domain your.domain.tld
>                 listen-on-v6 { "none"; };  // I disabled IPv6, I don't use it yet
>                 listen-on port 53 { "thisserverip"; 127.0.0.1; };
>                 notify no;
>                 // Added Per Debian buster.
>                 // due to : resolver: info: resolver priming query complete
>                 // https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
>                 minimal-responses yes;
>
>                 // security: warning: client 127.0.0.1#47583: RFC 1918 response from Internet for xx.xx.xx.xx.in-addr.arpa
>                 empty-zones-enable no;
>
>                 //  Add any subnets or hosts you want to allow to use this DNS server
>                 allow-query { "all-networks"; 127.0.0.1/32; };
>                 allow-query-cache { "all-networks"; 127.0.0.1/32; };
>
>                 //  Add any subnets or hosts you want to allow to use recursive queries
>                 allow-recursion {  "all-networks"; 127.0.0.1/32; };
>
>                 // https://wiki.samba.org/index.php/Dns-backend_bind
>                 // DNS dynamic updates via Kerberos (optional, but recommended)
>               // the OLD location of dns.keytab
>                 //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>               // the NEW location of dns.keytab
>                 tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>               // ! This part: one of the two DCs does not have the file in the correct place.
>                 // That needs extra attention.
>                 // If needed, review: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>                 // section: setting up BIND9 options and keytab for Kerberos
>
>               // Extra's
>                 // Caching settings
>                 max-cache-size 100m;
>                 //cleaning-interval 1;    // clean cache every 1 minutes
>                 //max-cache-ttl 120;        // limit cached record to a 60s TTL
>
>         };
>
>         // rndc.key is installed by default on debian. Just a matter of enabling it.
>         include "/etc/bind/rndc.key";
>             controls {
>              inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
>         //     inet ::1 allow { ::1; } keys { rndc-key; };
>         };
>

root at dc1:~# cat /etc/resolv.conf
> search subdom.example.com
> nameserver 192.168.0.41
>

 root at dc1:~# cat /etc/krb5.conf
> [libdefaults]
>      default_realm = SUBDOM.EXAMPLE.COM
>      dns_lookup_kdc = true
>      dns_lookup_realm = false
> ;   forwardable = true
> ;   proxiable = true
> ;    ticket_lifetime = 24h
> ;    renew_lifetime = 7d
> ;    ccache_type = 4
>
>
> ; A note: This is not used for nfs4 but cifs uses it.
> ; for Windows 2003
> ;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ;
> ; for Windows 2008 with AES
>      default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>      default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>      permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>

And "dpkg-reconfigure krb5-user" will not reconfigure.

root at dc1:~# kinit administrator
> kinit: Cannot find KDC for realm "SUBDOM.EXAMPLE.COM" while getting initial credentials
>

root at dc1:~# cat /etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> source /etc/network/interfaces.d/*
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug enp1s0
> iface enp1s0 inet static
> address 192.168.0.41/24
> gateway 192.168.0.106
> # dns-* options are implemented by the resolvconf package, if installed
> ## dns-nameservers 8.8.8.8
> dns-nameservers 192.168.0.41
> dns-search subdom.example.com
>

Additional info: my subdomain is under a publicly registered FQDN, which is why I think I
am getting an external IP address.

Any suggestions would be greatly appreciated.

