[Samba] How to determine DNS anomaly

Hakim Liso liso at frauenarzt.gmbh
Wed May 4 14:15:52 UTC 2022


Hello, I'm back. I managed to fix the sysvol problem; replication as well as the backup scripts work properly now.
Still, something with DNS entries or sites must have been messed up while rejoining and moving DBs.

I can replicate everything and clients connected to dc02 are fully working, EXCEPT
the network shows no Internet access = DNS problem, I guess.

administrator at dc02:/etc/rsync$ host -t SRV _ldap._tcp.MYSITE2._sites.dc02._msdcs.MY.DOMAIN
Host _ldap._tcp.MYSITE2._sites.ggdc01._msdcs.MY.DOMAIN not found: 3(NXDOMAIN)

Same for _Kerberos._ . I've checked for duplicate entries; what I've got now is

Looking for DNS entry A dc01.my.domain 10.0.1.9 as dc01.my.domain.
Looking for DNS entry CNAME a452ed54-667a-43d3-9182-21d84a4919a4._msdcs.my.domain dc01.my.domain as a452ed54-667a-43d3-9182-21d84a4919a4._msdcs.my.domain.
Looking for DNS entry NS my.domain dc01.my.domain as my.domain.
Looking for DNS entry NS _msdcs.my.domain dc01.my.domain as _msdcs.my.domain.
Looking for DNS entry A my.domain 10.0.1.9 as my.domain.
Looking for DNS entry SRV _ldap._tcp.my.domain dc01.my.domain 389 as _ldap._tcp.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.my.domain dc01.my.domain 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain dc01.my.domain 389 as _ldap._tcp.dc._msdcs.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.dc._msdcs.my.domain dc01.my.domain 389
Looking for DNS entry SRV _ldap._tcp.32052c12-4458-47f7-adb0-95f7c16fc694.domains._msdcs.my.domain dc01.my.domain 389 as _ldap._tcp.32052c12-4458-47f7-adb0-95f7c16fc694.domains._msdcs.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.32052c12-4458-47f7-adb0-95f7c16fc694.domains._msdcs.my.domain dc01.my.domain 389
Looking for DNS entry SRV _kerberos._tcp.my.domain dc01.my.domain 88 as _kerberos._tcp.my.domain.
Checking 0 100 88 dc01.my.domain. against SRV _kerberos._tcp.my.domain dc01.my.domain 88
Looking for DNS entry SRV _kerberos._udp.my.domain dc01.my.domain 88 as _kerberos._udp.my.domain.
Checking 0 100 88 dc01.my.domain. against SRV _kerberos._udp.my.domain dc01.my.domain 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain dc01.my.domain 88 as _kerberos._tcp.dc._msdcs.my.domain.
Checking 0 100 88 dc01.my.domain. against SRV _kerberos._tcp.dc._msdcs.my.domain dc01.my.domain 88
Looking for DNS entry SRV _kpasswd._tcp.my.domain dc01.my.domain 464 as _kpasswd._tcp.my.domain.
Checking 0 100 464 dc01.my.domain. against SRV _kpasswd._tcp.my.domain dc01.my.domain 464
Looking for DNS entry SRV _kpasswd._udp.my.domain dc01.my.domain 464 as _kpasswd._udp.my.domain.
Checking 0 100 464 dc01.my.domain. against SRV _kpasswd._udp.my.domain dc01.my.domain 464
Looking for DNS entry SRV _ldap._tcp.Location1._sites.my.domain dc01.my.domain 389 as _ldap._tcp.Location1._sites.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.Location1._sites.my.domain dc01.my.domain 389
Looking for DNS entry SRV _ldap._tcp.Location1._sites.dc._msdcs.my.domain dc01.my.domain 389 as _ldap._tcp.Location1._sites.dc._msdcs.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.Location1._sites.dc._msdcs.my.domain dc01.my.domain 389
Looking for DNS entry SRV _kerberos._tcp.Location1._sites.my.domain dc01.my.domain 88 as _kerberos._tcp.Location1._sites.my.domain.
Checking 0 100 88 dc01.my.domain. against SRV _kerberos._tcp.Location1._sites.my.domain dc01.my.domain 88
Looking for DNS entry SRV _kerberos._tcp.Location1._sites.dc._msdcs.my.domain dc01.my.domain 88 as _kerberos._tcp.Location1._sites.dc._msdcs.my.domain.
Checking 0 100 88 dc01.my.domain. against SRV _kerberos._tcp.Location1._sites.dc._msdcs.my.domain dc01.my.domain 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.my.domain dc01.my.domain 389 as _ldap._tcp.pdc._msdcs.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.pdc._msdcs.my.domain dc01.my.domain 389
Looking for DNS entry A gc._msdcs.my.domain 10.0.1.9 as gc._msdcs.my.domain.
Looking for DNS entry SRV _gc._tcp.my.domain dc01.my.domain 3268 as _gc._tcp.my.domain.
Checking 0 100 3268 dc01.my.domain. against SRV _gc._tcp.my.domain dc01.my.domain 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain dc01.my.domain 3268 as _ldap._tcp.gc._msdcs.my.domain.
Checking 0 100 3268 dc01.my.domain. against SRV _ldap._tcp.gc._msdcs.my.domain dc01.my.domain 3268
Looking for DNS entry SRV _gc._tcp.Location1._sites.my.domain dc01.my.domain 3268 as _gc._tcp.Location1._sites.my.domain.
Checking 0 100 3268 dc01.my.domain. against SRV _gc._tcp.Location1._sites.my.domain dc01.my.domain 3268
Looking for DNS entry SRV _ldap._tcp.Location1._sites.gc._msdcs.my.domain dc01.my.domain 3268 as _ldap._tcp.Location1._sites.gc._msdcs.my.domain.
Checking 0 100 3268 dc01.my.domain. against SRV _ldap._tcp.Location1._sites.gc._msdcs.my.domain dc01.my.domain 3268
Looking for DNS entry A DomainDnsZones.my.domain 10.0.1.9 as DomainDnsZones.my.domain.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain dc01.my.domain 389 as _ldap._tcp.DomainDnsZones.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.DomainDnsZones.my.domain dc01.my.domain 389
Looking for DNS entry SRV _ldap._tcp.Location1._sites.DomainDnsZones.my.domain dc01.my.domain 389 as _ldap._tcp.Location1._sites.DomainDnsZones.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.Location1._sites.DomainDnsZones.my.domain dc01.my.domain 389
Looking for DNS entry A ForestDnsZones.my.domain 10.0.1.9 as ForestDnsZones.my.domain.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain dc01.my.domain 389 as _ldap._tcp.ForestDnsZones.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.ForestDnsZones.my.domain dc01.my.domain 389
Looking for DNS entry SRV _ldap._tcp.Location1._sites.ForestDnsZones.my.domain dc01.my.domain 389 as _ldap._tcp.Location1._sites.ForestDnsZones.my.domain.
Checking 0 100 389 dc01.my.domain. against SRV _ldap._tcp.Location1._sites.ForestDnsZones.my.domain dc01.my.domain 389
No DNS updates needed

(samba_dnsupdate run on dc02.)
I'm pretty sure this is not Samba-specific; some help would still be appreciated.

samba-tool dns query:

  Name=, Records=5, Children=0
    SOA: serial=117, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc01.my.domain., email=hostmaster.my.domain. (flags=600000f0, serial=110, ttl=3600)
    NS: dc01.my.domain. (flags=600000f0, serial=110, ttl=900)
    NS: dc02.my.domain. (flags=600000f0, serial=110, ttl=900)
    A: 192.168.50.11 (flags=600000f0, serial=110, ttl=900)
    A: 10.0.1.9 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=2
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=CTG-INTEL, Records=1, Children=0
    A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
  Name=DA-Anmeldung-Li, Records=1, Children=0
    A: 192.168.50.182 (flags=f0, serial=110, ttl=1200)
  Name=DA-Anmeldung-re, Records=1, Children=0
    A: 192.168.50.181 (flags=f0, serial=110, ttl=1200)
  Name=DA-CTG, Records=1, Children=0
    A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
  Name=DA-Labor, Records=1, Children=0
    A: 192.168.50.3 (flags=f0, serial=110, ttl=1200)
  Name=DA-Monitoring, Records=1, Children=0
    A: 192.168.50.164 (flags=f0, serial=110, ttl=1200)
  Name=DA-Telefonzentrale, Records=1, Children=0
    A: 192.168.50.243 (flags=f0, serial=110, ttl=1200)
  Name=DA-U1, Records=1, Children=0
    A: 192.168.50.8 (flags=f0, serial=110, ttl=1200)
  Name=DA-U2, Records=1, Children=0
    A: 192.168.50.174 (flags=f0, serial=110, ttl=1200)
  Name=DA-U3, Records=1, Children=0
    A: 192.168.50.176 (flags=f0, serial=110, ttl=1200)
  Name=dc01, Records=1, Children=0
    A: 192.168.50.11 (flags=f0, serial=1, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=dc02, Records=1, Children=0
    A: 10.0.1.9 (flags=f0, serial=117, ttl=900)
  Name=nasdd7fef, Records=1, Children=0
    A: 192.168.50.232 (flags=f0, serial=110, ttl=3600)
  Name=PC-Bakk, Records=1, Children=0
    A: 10.0.1.182 (flags=f0, serial=110, ttl=1200)

I spotted the anomaly at the top of the query, where both DC IPs are listed as A records under each other, but I cannot delete them, neither in the RSAT tools nor with samba-tool.

Any ideas?

From: Rowland Penny via samba
Sent: Tuesday, 3 May 2022 15:33
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] How to determine KCC/idmap error source

On Tue, 2022-05-03 at 14:09 +0200, Hakim Liso via samba wrote:
> Hello everyone,
> I am currently trying to get 2 Samba DCs to run.

But what OS and Samba version?

> Both DCs set up according to Wiki incl. DRS and workaround Rsync
> Sysvol Replication.
> When trying to perform a remote online backup via Sh script

How are you trying to do the backup? And are you aware that you
shouldn't back up an individual DC; you should only back up the domain.
> , I came across failures on the 2nd DC while pulling a backup of
> dc01. I re-joined the 2nd DC, same scenario. Samba completely wiped,
> installed and rejoined and now the replication doesn't work anymore.
> 
> user created on DC1 → DC2 sees the user
> 
> vice versa not.

It sounds like you have replication problems between DC2 and DC1

> 
> Am I just missing out on something?
> smb.conf dc01
> 
> # Global parameters
> [global]
>         min protocol = NT1

Why are you using NT1?

>         dns forwarder = 8.8.8.8
>         netbios name = DC01
>         realm = MY.DOMAIN
>         server role = active directory domain controller
>         workgroup = MY
>         idmap_ldb:use rfc2307 = yes
> 
>         map to guest = Bad User

'guest' on a DC?

>         log file = /var/log/samba/%m
>         log level = 3
> 
> template shell = /bin/bash
> winbind use default domain = true

The line above does nothing on a DC

> winbind offline logon = false
> winbind nss info = rfc2307

You do not require the two lines above on a DC

> 
>         winbind enum users = yes
>         winbind enum groups = yes

If you have a lot of users, the two lines above are a bad idea, and they
are not required anyway.

> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
>         read only = No
> #--------------------Location----------------------------
> [U2-Sono]
>         path = /var/lib/samba/shares/Location/U2/Sono
>         read only = no
> [U1-Sono]
>         path = /var/lib/samba/shares/Location/U1/Sono
>         read only = no
> [U1-Kolposkop]
>         path = /var/lib/samba/shares/Location/U1/Kolposkop
>         read only = no
> [U1-Fetview]
>         path = /var/lib/samba/shares/Location/U1/Fetview
>         read only = no
> [CTG]
>         path = /var/lib/samba/shares/Location/CTG
>         read only = no
> [Scan]
>         path = /var/lib/samba/shares/Location/Scan
>         read only = no

It isn't recommended to use a DC as a fileserver, I suggest you use a
Unix domain member instead.

> 
> smb.conf dc02
> 
> # Global parameters
> [global]
>         dns forwarder = 8.8.8.8
>         netbios name = DC02
>         realm = MY.DOMAIN
>         server role = active directory domain controller
>         workgroup = MY
>         idmap_ldb:use rfc2307 = yes
> 
>         map to guest = Bad User
>         log file = /var/log/samba/%m
>         log level = 3
> 
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> 
>         winbind enum users = yes
>         winbind enum groups = yes
> name resolve order = bcast host

AD uses DNS, so you definitely shouldn't have the 'name resolve order'
line.

> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/MY.DOMAIN/scripts
>         read only = No
> 
> 
> 
> drs replicate from dc01
> 
> root at dc01:~# sudo samba-tool drs replicate dc02 dc01 DC=MY,DC=DOMAIN
> ldb_wrap open of secrets.ldb
> 
> Using binding ncacn_ip_tcp:dc02[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name dc02<0x20>
> Server ldap/dc02 at MY.DOMAIN is not registered with our
> KDC:  Miscellaneous failure (see text): Server (ldap/dc02 at MY.DOMAIN)
> unknown

Is DC02 joined as a DC correctly? (Note that above it appears to be
called 'DC2'.)

> drs kcc
> 
> administrator at DC02:~$ sudo samba-tool drs kcc
> Using binding ncacn_ip_tcp:DC02.MY.DOMAIN[,seal]
> resolve_lmhosts: Attempting lmhosts lookup for name
> DC02.MY.DOMAIN<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name
> DC02.MY.DOMAIN<0x20>
> Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED
> from 10.0.1.9
> Error reading smb_krb5 reply packet: NT_STATUS_CONNECTION_REFUSED
> from 10.0.1.9
> Server ldap/DC02.MY.DOMAIN at MY.DOMAIN is not registered with our
> KDC:  Miscellaneous failure (see text): Server (
> ldap/DC02.MY.DOMAIN at MY.DOMAIN) unknown

It really looks like the join isn't correct.

> 
> 
> 
> smbd log during sysvolcheck
> [2022/05/03 13:49:46.897388,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897429,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 17469 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.897475,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897503,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1197 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.897569,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897597,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 17484 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.897699,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897755,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 17486 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.897863,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.897906,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1134 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.898097,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.898151,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1198 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.898384,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.898439,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1159 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.898471,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.898509,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 1263 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2022/05/03 13:49:46.898667,  3]
> ../../source3/lib/util_procid.c:53(pid_to_procid)
>   pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
> [2022/05/03 13:49:46.898727,  3]
> ../../source3/lib/messages.c:925(send_all_fn)
>   send_all_fn: messaging_send_buf to 17437 failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> Which commands could limit the failure source?

The GPOs are stored in two places, in Sysvol and in AD; it looks like
either Sysvol or AD is missing at least one GPO (probably Sysvol).

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
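
The record set that samba_dnsupdate walks through above doubles as the checklist for a DC whose site-scoped SRV lookups come back NXDOMAIN: the site records live under <site>._sites.my.domain and <site>._sites.dc._msdcs.my.domain (see the Location1 entries in the dc01 output), and the zone apex carries one A record per DC (samba_dnsupdate registers "A my.domain 10.0.1.9" for dc02). The script below is an added example, not code from this thread or from the Samba project. It builds the expected per-DC records from a DC's hostname, IP and site, reports which ones a resolver cannot return, and flags apex A records that belong to no known DC, because a stale apex or SRV entry keeps steering clients' LDAP and Kerberos traffic at whatever now answers on that IP. dc02's site name is not shown in the thread, so "Location1" is assumed, as is a locally installed dig.

```python
"""Audit the DNS records a Samba AD DC must register.

Added example, not code from the original post or from the Samba project.
It reproduces the per-DC record set that samba_dnsupdate walks through
above (the pdc._msdcs SRV, the objectGUID CNAME and the domain-GUID SRV
depend on FSMO role and GUIDs, so they are left out) and diffs it against
what a resolver returns. Names and IPs are the placeholders from the thread.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

Record = Tuple[str, str, str]              # (rrtype, owner name, target)
Resolver = Callable[[str, str], Set[str]]  # (rrtype, name) -> targets found


@dataclass(frozen=True)
class DC:
    host: str   # FQDN of the DC, e.g. "dc01.my.domain"
    ip: str
    site: str   # AD site the DC is in, e.g. "Location1"


def expected_records(domain: str, dc: DC) -> Set[Record]:
    """Records each DC registers for itself, same list as samba_dnsupdate above."""
    d, s = domain.lower(), dc.site
    recs: Set[Record] = {
        ("A", dc.host, dc.ip),
        ("A", d, dc.ip),                  # zone apex: every DC adds its own IP here
        ("A", f"gc._msdcs.{d}", dc.ip),
        ("A", f"DomainDnsZones.{d}", dc.ip),
        ("A", f"ForestDnsZones.{d}", dc.ip),
    }
    # Site-scoped SRV records sit under <site>._sites.<suffix>; for the DC
    # locator the suffix is dc._msdcs.<domain>, never the DC's own hostname.
    srv_ports = {
        f"_ldap._tcp.{d}": 389,
        f"_ldap._tcp.dc._msdcs.{d}": 389,
        f"_ldap._tcp.{s}._sites.{d}": 389,
        f"_ldap._tcp.{s}._sites.dc._msdcs.{d}": 389,
        f"_kerberos._tcp.{d}": 88,
        f"_kerberos._udp.{d}": 88,
        f"_kerberos._tcp.dc._msdcs.{d}": 88,
        f"_kerberos._tcp.{s}._sites.{d}": 88,
        f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}": 88,
        f"_kpasswd._tcp.{d}": 464,
        f"_kpasswd._udp.{d}": 464,
        f"_gc._tcp.{d}": 3268,
        f"_gc._tcp.{s}._sites.{d}": 3268,
        f"_ldap._tcp.gc._msdcs.{d}": 3268,
        f"_ldap._tcp.{s}._sites.gc._msdcs.{d}": 3268,
        f"_ldap._tcp.DomainDnsZones.{d}": 389,
        f"_ldap._tcp.{s}._sites.DomainDnsZones.{d}": 389,
        f"_ldap._tcp.ForestDnsZones.{d}": 389,
        f"_ldap._tcp.{s}._sites.ForestDnsZones.{d}": 389,
    }
    for name, port in srv_ports.items():
        recs.add(("SRV", name, f"{dc.host}:{port}"))
    return recs


def missing_records(domain: str, dc: DC, resolve: Resolver) -> List[Record]:
    """Expected records whose target is absent from the resolver's answer."""
    return sorted(r for r in expected_records(domain, dc)
                  if r[2] not in resolve(r[0], r[1]))


def apex_orphans(apex_ips: Set[str], dcs: List[DC]) -> Set[str]:
    """Apex A records that belong to no known DC. One apex A per DC is
    expected (samba_dnsupdate registers it); an IP with no DC behind it is
    stale and is still handed to clients looking for LDAP/Kerberos."""
    return apex_ips - {dc.ip for dc in dcs}


def dig_resolver(rrtype: str, name: str) -> Set[str]:
    """Live lookup via `dig +short` (assumes dig is installed and the DC's own
    DNS is the system resolver). SRV answers become "host:port" so they
    compare against expected_records()."""
    out = subprocess.run(["dig", "+short", rrtype, name],
                         capture_output=True, text=True, check=False).stdout
    targets: Set[str] = set()
    for line in out.splitlines():
        parts = line.split()
        if rrtype == "SRV" and len(parts) == 4:   # "prio weight port target."
            targets.add(f"{parts[3].rstrip('.').lower()}:{parts[2]}")
        elif rrtype == "A" and len(parts) == 1:
            targets.add(parts[0])
    return targets


if __name__ == "__main__":
    # dc02's site name is not shown in the thread; "Location1" is assumed.
    dc02 = DC("dc02.my.domain", "10.0.1.9", "Location1")
    for rrtype, name, target in missing_records("my.domain", dc02, dig_resolver):
        print(f"MISSING {rrtype} {name} -> {target}")
```

Run on dc02 it prints one MISSING line per record the DC's DNS cannot answer; pass any other callable that returns the set of targets for an (rrtype, name) pair as the Resolver to check a specific server instead of the system resolver, and feed the apex A addresses from `samba-tool dns query` into apex_orphans() together with the list of live DCs.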