[Samba] Bogus dnsRecord attribute with Rank==0

L.P.H. van Belle belle at bazuin.nl
Fri Jan 22 15:47:46 UTC 2021


You have 4 options..

1, use the SerNet packages and buy support with them.
2, use the Debian packages, but 4.9.x is way too old.
   IF this is a minimally installed server, upgrade to bullseye.
   Then you're on 4.13.3
3, Use my repo. Upgrade to at least 4.12.x
4, compile the latest yourself.

you've hit old bugs.
the only good fix is to upgrade samba.

Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jonathon Reinhart
> via samba
> Sent: Friday 22 January 2021 15:40
> To: samba
> Subject: [Samba] Bogus dnsRecord attribute with Rank==0
> 
> Hello,
> 
> I'm running an AD Domain using Samba 4.9.5 on Debian 10. I recently encountered
> an issue where a DNS record started acting funny. I'll call the record
> `sw1.example.com`.
> 
> We're not sure of the exact sequence, but it involved changing a CNAME and
> ended like this:
> - Admin 1 deleted the DNS record using Windows RSAT DNS Manager.
> - Admin 2 recreated a DNS record (with that name), but it would not resolve. He
>   was surprised to see that Admin 1 was the owner on the new record (in DNS
>   Manager).
> - Admin 2 deleted the record again.
> 
> I started investigating and confirmed that the record was not present in DNS
> Manager.
> 
> When I queried the whole zone, I would see sw1 with 0 Records:
> 
>     dc1:~$ samba-tool dns query dc1 example.com '@' ALL | grep sw1
>       Name=sw1, Records=0, Children=0
> 
> Oddly, when I query for `sw1`, it shows up with weird results:
> 
>     dc1:~$ samba-tool dns query dc1 example.com 'sw1' ALL
>       Name=, Records=0, Children=0
> 
> Why is `Name=` empty?! And if there are no Records and no Children then it
> shouldn't exist at all, right?
> 
> So then I dug into the DNS LDAP objects using ADSI Edit
> (DC=DomainDnsZones,DC=example,DC=com). I was surprised to see an object:
> DC=sw1,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
> 
> It had one dnsRecord [1] attribute with the following (modified/redacted) data:
> 
>     2A 00 05 00 05 00 00 00 BD 00 00 00 00 00 0E 10 00 00 00 00 00 00 00 00 ...
> 
> Decoding this manually, I found:
> 
>     dnsRecord:
>         DataLength: 42
>         Type: 5             (DNS_TYPE_CNAME)
>         Version: 5
>         Rank: 0             (No RANK_* flags set!)
>         Flags: 0
>         Serial: 189
>         TtlSeconds: 3600
>         Reserved: 0
>         TimeStamp: 0
>         Data: ...
> 
> Note that Rank is 0, which means none of the RANK_* flags are set!
> 
> In other functional records, I see Rank=0xF0 (RANK_ZONE, which means "The record
> comes from an authoritative zone.")
> 
> So this "stale" dnsRecord attribute with Rank=0:
> - Somehow prevents the "good" dnsRecord from working
> - Does not appear in any DNS "views" (a DNS query, samba-tool, or DNS Manager)
> - Keeps the owning LDAP `dnsNode` object alive/around
>   - Which is why Admin 1 continually showed up as the owner, even though
>     Admin 2 thought he re-created the record
> 
> To fix this, I:
> - Deleted the `sw1` A record in DNS Manager
> - Renamed the `sw1` dnsNode object in ADSI Edit to `xxx-broken-sw1`
>   - Confirmed that `samba-tool dns query` gave the expected non-results.
> - Created the record as usual.
> 
> So of course, the big question is: "How the hell did Rank get set to 0x00 on
> this dnsRecord?"
> 
> I can't find anywhere in the samba source code that would ever set Rank=0.
> But there is plenty of code (e.g. `dns_fill_records_array`) that explicitly
> checks for DNS_RANK_ZONE.
> 
> I have to assume that the Windows "DNS Manager" RSAT tool did this (via LDAP),
> but I have no idea why, nor can I recreate this.
> 
> I still have the xxx-broken-sw1 record for forensic purposes, although I'd
> like to delete it soon.
> 
> Has anyone ever seen anything like this?
> 
> Best regards,
> Jonathon Reinhart
> 
> 
> [1]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/6912b338-5472-4f59-b912-0edb536b6ed8
> 
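The manual decode in the quoted message is easy to automate. The script below is an added example, not Samba's code and not something either poster ran: it parses dnsRecord values using the MS-DNSP 2.3.2.2 layout (24-byte header, little-endian except TtlSeconds, which is stored big-endian), decodes CNAME/NS/PTR targets in Samba's dnsp_name encoding (length byte, label count, length-prefixed labels, 0 terminator), and flags any record whose Rank is not RANK_ZONE, including the Rank==0 case from the post. The 24 header bytes of the sample are exactly the ones posted; the 42-byte CNAME target, the healthy A record, the Rank value names beyond RANK_ZONE (taken from MS-DNSP), the ldb path and zone DN are all constructed or assumed for this example.

```python
#!/usr/bin/env python3
"""Decode AD dnsRecord blobs (MS-DNSP 2.3.2.2) and flag records that are not
RANK_ZONE, e.g. the Rank==0 CNAME from the post.  Added example, not Samba code."""
import struct

# Rank values from MS-DNSP 2.2.2.2.5 (subset); RANK_ZONE is the one the post cites.
RANK_NONE, RANK_ROOT_HINT, RANK_GLUE, RANK_NS_GLUE, RANK_ZONE = 0x00, 0x08, 0x80, 0x82, 0xF0
RANK_NAMES = {RANK_NONE: "NONE", RANK_ROOT_HINT: "ROOT_HINT", RANK_GLUE: "GLUE",
              RANK_NS_GLUE: "NS_GLUE", RANK_ZONE: "ZONE"}
# Standard DNS RR type codes as stored in dnsRecord.Type (0 = tombstone).
TYPE_NAMES = {0: "ZERO", 1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
              15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

_HDR = struct.Struct("<HHBBHI")   # DataLength, Type, Version, Rank, Flags, Serial
_TTL = struct.Struct(">I")        # TtlSeconds: the one big-endian field
_TAIL = struct.Struct("<II")      # Reserved, TimeStamp
HEADER_LEN = _HDR.size + _TTL.size + _TAIL.size   # 24 bytes


def encode_count_name(name):
    """Build a DNS_COUNT_NAME: total length, label count, labels, 0 terminator."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    body = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([len(body), len(labels)]) + body


def decode_count_name(data):
    """Inverse of encode_count_name; raises ValueError on bad framing."""
    if len(data) < 2 or len(data) < 2 + data[0]:
        raise ValueError("DNS_COUNT_NAME truncated")
    labels, pos = [], 2
    for _ in range(data[1]):
        ln = data[pos]
        labels.append(data[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    if data[pos] != 0:
        raise ValueError("missing DNS_COUNT_NAME terminator")
    return ".".join(labels)


def parse_dns_record(blob):
    """Parse one dnsRecord value into a dict of the fields the post lists."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than 24-byte header")
    dlen, rtype, version, rank, flags, serial = _HDR.unpack_from(blob, 0)
    (ttl,) = _TTL.unpack_from(blob, _HDR.size)
    reserved, timestamp = _TAIL.unpack_from(blob, _HDR.size + _TTL.size)
    data = blob[HEADER_LEN:HEADER_LEN + dlen]
    if len(data) != dlen:
        raise ValueError("DataLength %d exceeds blob" % dlen)
    rec = {"DataLength": dlen, "Type": rtype, "TypeName": TYPE_NAMES.get(rtype, "?"),
           "Version": version, "Rank": rank, "RankName": RANK_NAMES.get(rank, "?"),
           "Flags": flags, "Serial": serial, "TtlSeconds": ttl,
           "Reserved": reserved, "TimeStamp": timestamp, "Data": data}
    if rtype in (2, 5, 12):              # NS / CNAME / PTR carry a counted name
        rec["Target"] = decode_count_name(data)
    elif rtype == 1 and dlen == 4:       # A carries a raw IPv4 address
        rec["Address"] = ".".join(str(b) for b in data)
    return rec


def audit_node(dn, blobs):
    """Return (dn, index, reason) for each record that is not authoritative
    zone data.  Tombstones (Type 0) are skipped; their rank is not checked."""
    findings = []
    for i, blob in enumerate(blobs):
        try:
            rec = parse_dns_record(blob)
        except ValueError as e:
            findings.append((dn, i, "unparseable: %s" % e))
            continue
        if rec["Type"] == 0:
            continue
        if rec["Version"] != 5:
            findings.append((dn, i, "unexpected Version %d" % rec["Version"]))
        if rec["Rank"] == RANK_NONE:
            findings.append((dn, i, "Rank==0 (no RANK_* flags) on %s record" % rec["TypeName"]))
        elif rec["Rank"] != RANK_ZONE:
            findings.append((dn, i, "Rank=0x%02X (%s), not RANK_ZONE" % (rec["Rank"], rec["RankName"])))
    return findings


def audit_zone_via_ldb(sam_ldb_path, zone_dn):
    """Walk every dnsNode under zone_dn with Samba's python ldb binding.
    Assumption: samba's python modules are installed; path and DN are yours."""
    import ldb  # imported lazily so the offline part of this script runs without it
    db = ldb.Ldb(sam_ldb_path)
    findings = []
    for msg in db.search(zone_dn, ldb.SCOPE_SUBTREE, "(objectClass=dnsNode)", ["dnsRecord"]):
        findings.extend(audit_node(str(msg.dn), [bytes(v) for v in msg.get("dnsRecord", [])]))
    return findings


def build_record(rtype, rank, data, serial=189, ttl=3600):
    """Assemble a dnsRecord blob (Version 5, Flags/Reserved/TimeStamp 0)."""
    return _HDR.pack(len(data), rtype, 5, rank, 0, serial) + _TTL.pack(ttl) + _TAIL.pack(0, 0) + data


# Constructed sample: the 24 header bytes exactly as posted (CNAME, Rank 0,
# DataLength 42, Serial 189, TTL 3600) followed by a constructed 42-byte target.
BOGUS_CNAME = bytes.fromhex("2A00050005000000BD00000000000E100000000000000000") \
    + encode_count_name("switch-001-management.corp.example.com")
GOOD_A = build_record(1, RANK_ZONE, bytes([10, 0, 0, 5]))   # constructed healthy record

if __name__ == "__main__":
    dn = "DC=sw1,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com"
    for finding in audit_node(dn, [BOGUS_CNAME, GOOD_A]):
        print(finding)
```

Run it as-is to see the Rank==0 finding on the sample; to scan a real zone, call audit_zone_via_ldb on the DC's private sam.ldb and the zone's MicrosoftDNS DN. A record this audit reports but that samba-tool and DNS Manager do not show is exactly the kind of leftover the post describes keeping a dnsNode alive.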