[Samba] Strange DNS issue...

Rowland penny rpenny at samba.org
Tue Jun 15 13:01:59 UTC 2021


On 15/06/2021 13:32, Marco Gaiarin via samba wrote:
> Hello! L.P.H. van Belle via samba
>    On that day, it was said...
>
> Sorry, i come back on this.
>
>> You really should do this differently..
>> Because..
>> A working DNS domain should be established with forward and
>> reverse mappings to at least the Kerberos KDC (Samba-DC's)
>> and application servers you intend to Kerberize.
> OK. But why in AD does the reverse zone not get created automatically, and
> need to be created by hand?


Because it isn't strictly required, but it works better with it.

> Why does the forward zone get populated automatically directly by joined
> clients, while the reverse zone needs DHCP?


No, you don't need DHCP for reverse records on Windows clients, you just
need to configure them to update their reverse records.

>
>
>> If you use bind_DLZ as you're doing and you want other zones synced to
>> another domain and you have bind running, as you have..
>> Why not use a master/slave setup of bind9 to do that.
>> So that keeps the question, why is it "suddenly" different.
> But I've clearly a master/slave setup, all DCs have a 'standard' conf using
> bind_DLZ, as the wiki suggests.


No, you haven't, all AD DCs running a dns server are masters, it is
known as multimaster, there are no 'slaves'.

>
> For now, I'm simply asking a rather simple question.
>
> 1) client boots and registers itself on 'VDCSV1'; I see no error in the logs:
>
>   Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT$@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=AAAA key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
>   Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT$@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
>   Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT$@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
>   Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' AAAA
>   Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' A
>   Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: subtracted rdataset gaunt.ad.fvg.lnf.it 'gaunt.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.6'
>   Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'gaunt.ad.fvg.lnf.it' A 10.5.2.6
>   Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: added rdataset gaunt.ad.fvg.lnf.it 'gaunt.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.6'
>
> If I query that DC's DNS, I get the correct result:
>
>   gaio at hermione:~/conf/samba/manage$ dig a gaunt.ad.fvg.lnf.it @vdcsv1.ad.fvg.lnf.it | grep ^gaunt
>   gaunt.ad.fvg.lnf.it.	1200	IN	A	10.5.2.6
>
> If I query the other DC's DNS in the same site, I get:
>
>   gaio at hermione:~/conf/samba/manage$ dig a gaunt.ad.fvg.lnf.it @vdcsv2.ad.fvg.lnf.it | grep ^gaunt
>   gaunt.ad.fvg.lnf.it.	1200	IN	A	10.5.2.33
>
> a different result.


You appear to have replication errors.

>
> Because DNS data are in AD/LDAP, I suppose that a 'samba-tool drs
> showrepl' or a 'samba-tool ldapcmp' will return some differences, but
> the data seem to be replicated correctly around all DCs.
>
>
> Why do the domains seem healthy but not replicate DNS data?!


No idea, but you do seem to have replication problems, my DCs always
produce the same result.

>
>
>> My "guess" is, latest change "security fix" of bind fixed something,
>> Which now is your problem.
>> See Debian LTS: DLA-2647-1: bind9
> Mmmhh... interesting... I've landed at:
>
> 	https://kb.isc.org/docs/cve-2021-25216
>
> that stated:
>
> 	In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.
>
> effectively, as suggested by the samba docs, I've added:
>
> 	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";


Aha, wrong path, it is now '/var/lib/samba/bind-dns/dns.keytab'

Can you provide a link to where it says to use the 'old' path ?

>
> I've tried to look up the debian patch for 9.10, but I've not found that.
>
>
> Setting:
> 	dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> in smb.conf could be a useful workaround?


That only works for the default dns records, not the client records.

Rowland
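The manual comparison above (one dig per DC, eyeballing the answers) can be turned into a repeatable check that queries every DC for the same name and flags any divergence, which is the symptom of a replication problem. This is an added example, not a script from the thread or from Samba; it assumes dig is installed and that the DC hostnames are passed on the command line.

```shell
#!/bin/sh
# Added example: detect AD DCs that answer differently for one DNS name.
# Usage: sh check_dc_dns.sh NAME DC1 DC2 ...
# Assumes: dig (bind9-dnsutils) is installed; DCs are reachable on port 53.

# query_dc DC NAME
# Prints "DC<TAB>answer" where answer is the sorted, comma-joined list of
# A records that DC returns, or NONE when the DC returns no A record.
query_dc() {
    ips=$(dig +short +time=2 +tries=1 a "$2" "@$1" | sort | paste -s -d ',' -)
    printf '%s\t%s\n' "$1" "${ips:-NONE}"
}

# check_consistency
# Reads "DC<TAB>answer" lines on stdin. Returns 0 when every DC gave the
# same answer, 1 when at least two DCs disagree (or when there is no input).
check_consistency() {
    cut -f2 | sort -u | awk 'END { exit (NR == 1) ? 0 : 1 }'
}

main() {
    name=$1; shift
    results=$(for dc in "$@"; do query_dc "$dc" "$name"; done)
    printf '%s\n' "$results"
    if printf '%s\n' "$results" | check_consistency; then
        echo "OK: all DCs agree on $name"
    else
        echo "MISMATCH: DCs disagree on $name (check samba-tool drs showrepl)" >&2
        return 1
    fi
}

# Only run the live check when invoked with arguments; the functions above
# can be sourced and tested with constructed input.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check_dc_dns.sh gaunt.ad.fvg.lnf.it vdcsv1.ad.fvg.lnf.it vdcsv2.ad.fvg.lnf.it`; a non-zero exit means the DCs are not serving the same data.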