[Samba] Bind DLZ Crash named.conf

Zombie Ryushu zombie_ryushu at yahoo.com
Fri Jun 3 15:17:52 UTC 2022


On 6/3/22 10:45, L.P.H. van Belle via samba wrote:
> Remove this part :
>
> zone "pukey" in {
>          allow-transfer { any; localnets; };
>          masters { 192.168.0.4; };
>          file "slave/pukey";
>          type slave;
> };
>
> you cant use this in current setup. Not with the samba-ad-dc.
> Members with bind as forwarder of slave, no problem.
>
>
>
>> -----Original message-----
>> From: samba <samba-bounces at lists.samba.org> On behalf of Zombie Ryushu via samba
>> Sent: Friday, June 3, 2022 16:07
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Bind DLZ Crash named.conf
>>
>> options {
>>
>>          # The directory statement defines the name server's working directory
>>
>>          directory "/var/lib/named";
>>
>>          # enable DNSSEC validation
>>          #
>>          # If BIND logs error messages about the root key being expired, you
>>          # will need to update your keys. See https://www.isc.org/bind-keys
>>          #
>>          # The dnssec-enable option has been obsoleted and no longer has any
>>          # effect.
>>          # DNSSEC responses are always enabled if signatures and other DNSSEC
>>          # data are present.
>>
>>          # dnssec-validation yes (default), indicates that a resolver
>>          # (a caching or caching-only name server) will attempt to validate
>>          # replies from DNSSEC enabled (signed) zones. To perform this task
>>          # the server also needs either a valid trusted-keys clause
>>          # (containing one or more trusted-anchors) or a managed-keys clause.
>>          # If you have problems with forwarders not returning signed responses,
>>          # set this to "no", but be aware that this may create security issues
>>          # so better switch to a forwarder which supports DNSSEC!
>>
>>          #dnssec-validation auto;
>>          managed-keys-directory "/var/lib/named/dyn/";
>>
>>          # Write dump and statistics file to the log subdirectory.  The
>>          # pathnames are relative to the chroot jail.
>>
>>          dump-file "/var/log/named_dump.db";
>>          statistics-file "/var/log/named.stats";
>>
>>          # The forwarders record contains a list of servers to which queries
>>          # should be forwarded.  Enable this line and modify the IP address to
>>          # your provider's name server.  Up to three servers may be listed.
>>
>>          #forwarders { 192.0.2.1; 192.0.2.2; };
>>
>>          # Enable the next entry to prefer usage of the name server declared in
>>          # the forwarders section.
>>
>>          #forward first;
>>
>>          # The listen-on record contains a list of local network interfaces to
>>          # listen on.  Optionally the port can be specified.  Default is to
>>          # listen on all interfaces found on your system.  The default port is
>>          # 53.
>>
>>          #listen-on port 53 { 127.0.0.1; };
>>
>>          # The listen-on-v6 record enables or disables listening on IPv6
>>          # interfaces.  Allowed values are 'any' and 'none' or a list of
>>          # addresses.
>>
>>          listen-on-v6 { any; };
>>
>>          # The next three statements may be needed if a firewall stands between
>>          # the local server and the internet.
>>
>>          #query-source address * port 53;
>>          #transfer-source * port 53;
>>          #notify-source * port 53;
>>
>>          # The allow-query record contains a list of networks or IP addresses
>>          # to accept and deny queries from. The default is to allow queries
>>          # from all hosts.
>>
>>          #allow-query { 127.0.0.1; };
>>
>>          # If notify is set to yes (default), notify messages are sent to other
>>          # name servers when the zone data is changed.  Instead of setting
>>          # a global 'notify' statement in the 'options' section, a separate
>>          # 'notify' can be added to each zone definition.
>>
>>          notify no;
>>
>>          disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>>          include "/etc/named.d/forwarders.conf";
>>          tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>          minimal-responses yes;
>>
>> };
>>
>> # To configure named's logging remove the leading '#' characters of the
>> # following examples.
>> #logging {
>> #       # Log queries to a file limited to a size of 100 MB.
>> #       channel query_logging {
>> #               file "/var/log/named_querylog"
>> #                       versions 3 size 100M;
>> #               print-time yes;                 // timestamp log entries
>> #       };
>> #       category queries { query_logging; };
>> #
>> #       # Or log this kind alternatively to syslog.
>> #       channel syslog_queries {
>> #               syslog user;
>> #               severity info;
>> #       };
>> #       category queries { syslog_queries; };
>> #
>> #       # Log general name server errors to syslog.
>> #       channel syslog_errors {
>> #               syslog user;
>> #               severity error;
>> #       };
>> #       category default { syslog_errors;  };
>> #
>> #       # Don't log lame server messages.
>> #       category lame-servers { null; };
>> #};
>>
>> # The following zone definitions don't need any modification.  The first one
>> # is the definition of the root name servers.  The second one defines
>> # localhost while the third defines the reverse lookup for localhost.
>>
>> zone "." in {
>>          type hint;
>>          file "root.hint";
>> };
>>
>> zone "localhost" in {
>>          type master;
>>          file "localhost.zone";
>> };
>>
>> zone "0.0.127.in-addr.arpa" in {
>>          type master;
>>          file "127.0.0.zone";
>> };
>>
>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in {
>>          type master;
>>          file "127.0.0.zone";
>> };
>>
>>
>> # Include the meta include file generated by createNamedConfInclude.  This
>> # includes all files as configured in NAMED_CONF_INCLUDE_FILES from
>> # /etc/sysconfig/named
>>
>> include "/etc/named.conf.include";
>> logging {
>>          category default { log_syslog; };
>>          channel log_syslog { syslog; };
>> };
>> zone "pukey" in {
>>          allow-transfer { any; localnets; };
>>          masters { 192.168.0.4; };
>>          file "slave/pukey";
>>          type slave;
>> };
>>
>> # You can insert further zone records for your own domains below or create
>> # single files in /etc/named.d/ and add the file names to
>> # NAMED_CONF_INCLUDE_FILES.
>> # See /usr/share/doc/packages/bind/README.SUSE for more details.
>> # dlz "AD DNS Zone" {
>> #    # For BIND 9.16.x
>> #    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_16.so";
>> # };

I have that commented out when the AD DLZ is active. I changed it back 
because named wouldn't start otherwise. This also isn't getting me any 
closer to solving my original problem: my original problem was with 
idmap not working on my (Primary) Domain Controller.

This:

  Unable to convert first SID (S-1-5-21-2139989288-483860436-2398042574-2000) in user token to a UID.
  Conversion was returned as type 0, full token:
[2022/06/03 09:44:33.138400,  0] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (13):
    SID[  0]: S-1-5-21-2139989288-483860436-2398042574-2000
    SID[  1]: S-1-5-21-2139989288-483860436-2398042574-513
    SID[  2]: S-1-5-21-2139989288-483860436-2398042574-512
    SID[  3]: S-1-5-21-2139989288-483860436-2398042574-572
    SID[  4]: S-1-5-21-2139989288-483860436-2398042574-41238
    SID[  5]: S-1-5-21-2139989288-483860436-2398042574-41742
    SID[  6]: S-1-5-21-2139989288-483860436-2398042574-41237
    SID[  7]: S-1-1-0
    SID[  8]: S-1-5-2
    SID[  9]: S-1-5-11
    SID[ 10]: S-1-5-32-545
    SID[ 11]: S-1-5-32-544
    SID[ 12]: S-1-5-32-554
   Privileges (0x        1FFFFF00):
    Privilege[  0]: SeTakeOwnershipPrivilege
    Privilege[  1]: SeBackupPrivilege
    Privilege[  2]: SeRestorePrivilege
    Privilege[  3]: SeRemoteShutdownPrivilege
    Privilege[  4]: SeSecurityPrivilege
    Privilege[  5]: SeSystemtimePrivilege
    Privilege[  6]: SeShutdownPrivilege
    Privilege[  7]: SeDebugPrivilege
    Privilege[  8]: SeSystemEnvironmentPrivilege
    Privilege[  9]: SeSystemProfilePrivilege
    Privilege[ 10]: SeProfileSingleProcessPrivilege
    Privilege[ 11]: SeIncreaseBasePriorityPrivilege
    Privilege[ 12]: SeLoadDriverPrivilege
    Privilege[ 13]: SeCreatePagefilePrivilege
    Privilege[ 14]: SeIncreaseQuotaPrivilege
    Privilege[ 15]: SeChangeNotifyPrivilege
    Privilege[ 16]: SeUndockPrivilege
    Privilege[ 17]: SeManageVolumePrivilege
    Privilege[ 18]: SeImpersonatePrivilege
    Privilege[ 19]: SeCreateGlobalPrivilege
    Privilege[ 20]: SeEnableDelegationPrivilege
   Rights (0x             403):
    Right[  0]: SeInteractiveLogonRight
    Right[  1]: SeNetworkLogonRight
    Right[  2]: SeRemoteInteractiveLogonRight
[2022/06/03 09:44:33.138887,  3] ../../source3/smbd/smb2_server.c:3955(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_SID] || at ../../source3/smbd/smb2_sesssetup.c:147

Resulting in:


olympia:/var/log/samba # wbinfo -S S-1-5-21-2139989288-483860436-2398042574-2000
failed to call wbcSidToUid: WBC_ERR_UNKNOWN_FAILURE
Could not convert sid S-1-5-21-2139989288-483860436-2398042574-2000 to uid

VS.

serenity:/var/lib/samba/bind-dns/dns # wbinfo -S S-1-5-21-2139989288-483860436-2398042574-2000
500
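As an added example (not code from this thread or from the Samba project): a small Python parser for the security_token_debug output quoted above. It picks out the SID that failed to convert, splits it into the domain SID and the RID, tags well-known and BUILTIN SIDs so they stand apart from the domain's own SIDs, and lists the local-domain SIDs that are worth re-checking with wbinfo -S on the DC. The sample log is constructed from the lines quoted above; the well-known SID and RID names come from the standard Windows SID tables, and the classification rules are an assumption for illustration, not Samba's own mapping logic.

```python
import re

# Constructed sample in the shape of Samba's security_token_debug() output,
# using the SIDs quoted in the thread (only the SID section is reproduced).
SAMPLE_LOG = """\
  Unable to convert first SID (S-1-5-21-2139989288-483860436-2398042574-2000) in user token to a UID.
  Conversion was returned as type 0, full token:
[2022/06/03 09:44:33.138400,  0] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (13):
    SID[  0]: S-1-5-21-2139989288-483860436-2398042574-2000
    SID[  1]: S-1-5-21-2139989288-483860436-2398042574-513
    SID[  2]: S-1-5-21-2139989288-483860436-2398042574-512
    SID[  3]: S-1-5-21-2139989288-483860436-2398042574-572
    SID[  4]: S-1-5-21-2139989288-483860436-2398042574-41238
    SID[  5]: S-1-5-21-2139989288-483860436-2398042574-41742
    SID[  6]: S-1-5-21-2139989288-483860436-2398042574-41237
    SID[  7]: S-1-1-0
    SID[  8]: S-1-5-2
    SID[  9]: S-1-5-11
    SID[ 10]: S-1-5-32-545
    SID[ 11]: S-1-5-32-544
    SID[ 12]: S-1-5-32-554
   Privileges (0x        1FFFFF00):
"""

# Standard well-known SIDs and domain RIDs (Windows SID tables); only the
# ones needed for the sample are listed.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    572: "Denied RODC Password Replication Group",
}

SID = r"S-1-\d+(?:-\d+)+"
FAILED_RE = re.compile(r"Unable to convert first SID \((" + SID + r")\) in user token to a UID")
COUNT_RE = re.compile(r"Security token SIDs \((\d+)\):")
ENTRY_RE = re.compile(r"^\s*SID\[\s*\d+\]:\s*(" + SID + r")\s*$", re.MULTILINE)


def split_sid(sid: str):
    """Split a SID into its issuer prefix and the trailing relative identifier."""
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def classify(sid: str, domain_sid: str) -> str:
    """Assumed rule: well-known/BUILTIN vs. this domain vs. some other domain."""
    if sid in WELL_KNOWN_SIDS or sid.startswith("S-1-5-32-"):
        return "well-known"          # not specific to any AD domain
    if split_sid(sid)[0] == domain_sid:
        return "domain"              # must resolve through this host's idmap setup
    return "foreign"                 # trusted or unknown domain


def parse_token(text: str) -> dict:
    """Extract the failing SID, the advertised SID count and the listed SIDs."""
    failed = FAILED_RE.search(text)
    count = COUNT_RE.search(text)
    return {
        "failed_sid": failed.group(1) if failed else None,
        "declared_count": int(count.group(1)) if count else None,
        "sids": ENTRY_RE.findall(text),
    }


def triage(text: str) -> dict:
    """Turn one security_token_debug dump into a SID-mapping checklist."""
    tok = parse_token(text)
    if tok["failed_sid"] is None:
        raise ValueError("no 'Unable to convert first SID' line found")
    domain_sid, rid = split_sid(tok["failed_sid"])
    entries = []
    for sid in tok["sids"]:
        kind = classify(sid, domain_sid)
        name = WELL_KNOWN_SIDS.get(sid)
        if kind == "domain":
            name = WELL_KNOWN_RIDS.get(split_sid(sid)[1], "(custom RID)")
        entries.append({"sid": sid, "kind": kind, "name": name})
    return {
        "failed_sid": tok["failed_sid"],
        "domain_sid": domain_sid,
        "rid": rid,
        # A truncated dump (count != listed SIDs) should not be trusted blindly.
        "complete": tok["declared_count"] == len(tok["sids"]),
        # Only this domain's SIDs depend on the DC's idmap configuration, so
        # these are the ones to re-check with `wbinfo -S` / `wbinfo -Y`.
        "to_check": [e["sid"] for e in entries if e["kind"] == "domain"],
        "entries": entries,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"failing SID {result['failed_sid']} = domain {result['domain_sid']} + RID {result['rid']}")
    for e in result["entries"]:
        print(f"  {e['sid']:<50} {e['kind']:<10} {e['name'] or ''}")
    print("re-check with wbinfo -S:", " ".join(result["to_check"]))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of log.smbd; the "to_check" list is the set of SIDs to feed to wbinfo -S on the host where the conversion failed, which in the thread is the DC (olympia), while the member server (serenity) already maps the same SID to 500.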



