[Samba] Strange DNS issue...

Marco Gaiarin gaio at sv.lnf.it
Tue Jun 15 12:32:11 UTC 2021


Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...

Sorry, i come back on this.

> You really should do this differenly.. 
> Because.. 
> A working DNS domain should be established with forward and 
> reverse mappings to at least the Kerberos KDC (Samba-DC's)
> and application servers you intend to Kerberize.

OK. But why in AD reverse zone get not created automatically, and need
to be created by hand?
Why forward zone get prpulated automatically directly by joined
clients, while reverse need DHCP?


> If you use bind_DLZ as your doing and you want other zones sync to 
> an other domain and you have bind running, as your have.. 
> Why not use master/slave setup of bind9 todo that. 
> So that keeps the question, why is "suddenly" differently. 

But i've clerly master/slave setup, all DC have a 'standard' conf using
bind_DLZ, as wiki suggest.

For now, i'm simply asking a rather simple question.

1) client boot and register itself on 'VDCSV1'; i see no error on logs:

 Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT\$\@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=AAAA key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
 Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT\$\@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
 Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT\$\@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
 Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' AAAA
 Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' A
 Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: subtracted rdataset gaunt.ad.fvg.lnf.it 'gaunt.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.6'
 Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'gaunt.ad.fvg.lnf.it' A 10.5.2.6
 Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: added rdataset gaunt.ad.fvg.lnf.it 'gaunt.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.6'

if i query that DC DNS, i got the correct result:

 gaio at hermione:~/conf/samba/manage$ dig a gaunt.ad.fvg.lnf.it @vdcsv1.ad.fvg.lnf.it | grep ^gaunt
 gaunt.ad.fvg.lnf.it.	1200	IN	A	10.5.2.6

if i query the other DC DNS in the same site, i got:

 gaio at hermione:~/conf/samba/manage$ dig a gaunt.ad.fvg.lnf.it @vdcsv2.ad.fvg.lnf.it | grep ^gaunt
 gaunt.ad.fvg.lnf.it.	1200	IN	A	10.5.2.33

a different result.

Because DNS data are in AD/LDAP, i suppose that a 'samba-tool drs
showrepl' or a 'samba-tool ldapcmp' will return some differences, but
data seems replicated correctly around all DCs.


Why domains seamsd healty but does not replicate DNS data?!


> My "guess" is, latest change "security fix" of bind fixed something, 
> Which now is your problem.
> See Debian LTS: DLA-2647-1: bind9 

Mmmhh... interesting... I've land to:

	https://kb.isc.org/docs/cve-2021-25216

that stated:

	In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.

effectively as suggested by samda docs, i've adedd:

	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

I've tried to lookup at debian patch for 9.10, but i've not found that.


Setting:
	dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

in smb,conf could be a useful workaround?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)



More information about the samba mailing list