[Samba] How to determine DNS anomaly

Hakim Liso liso at frauenarzt.gmbh
Fri May 6 06:54:23 UTC 2022


resolv.conf looks like this for MY.DOMAIN

DC01 192.168.50.11
search MY
nameserver 10.0.1.9
nameserver 192.168.50.11

DC02 10.0.1.9
search MY
nameserver 192.168.50.11
nameserver 10.0.1.9

But this was working without any problems with the private IPs before the errors on the backup appeared. I doubt changing the DCs' own IPs to the loopback address will fix my issues.
I’ve expanded testing and it seems only the LDAP lookup doesn't work for dc02, and I noticed that a static A record dc01 -> 10.0.1.9 keeps being generated, which seems wrong.

Server:         192.168.50.11
Address:        192.168.50.11#53

Name:   dc01.my.domain
Address: 192.168.50.11
Name:   dc01.my.domain
Address: 10.0.1.9

I kept deleting it but it keeps coming back, so something must be wrong with dynamic DNS.

Also there wasn't any NS entry in the reverse lookup zone of dc02's site, but I guess that was because I didn't join the DC in a specific site. Nevertheless the entries did not complement each other.

Also there are entries for DC01 only in Site 2/_tcp for _gc, _ldap and _kerberos, which would have to be switched to dc02 I guess. Also my.domain/_tcp contains _gc, _kerberos, _kpasswd and _ldap entries for DC01 only. DNS update does not seem to have the right entries.

host -t SRV _ldap._tcp.my.domain
_ldap._tcp.my.domain has SRV record 0 100 389 dc01.my.domain.

My thoughts:
Completely wiping dc02 from the domain and fixing all DNS entries back to normal. Properly joining dc02 to the site, hoping the DNS entries will then appear correct.

I cannot really troubleshoot this at this point without risking running into far more errors.

Dnsupdate DC01

A                      ${HOSTNAME}                                           $IP
AAAA                   ${HOSTNAME}                                           $IP
${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                       ${HOSTNAME}
${IF_RWDNS_DOMAIN}NS   ${DNSDOMAIN}                                          ${HOSTNAME}
${IF_RWDNS_FOREST}NS   ${DNSFOREST}                                          ${HOSTNAME}
${IF_RWDNS_FOREST}NS   _msdcs.${DNSFOREST}                                   ${HOSTNAME}

# Stub entries in the parent zone
${IF_RWDNS_DOMAIN}RPC ${DNSFOREST}   NS ${DNSDOMAIN}                         ${HOSTNAME}
${IF_RWDNS_FOREST}RPC ${DNSFOREST}   NS _msdcs.${DNSFOREST}                  ${HOSTNAME}

# RW domain controller
${IF_RWDC}A            ${DNSDOMAIN}                                          $IP
${IF_RWDC}AAAA         ${DNSDOMAIN}                                          $IP
${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                     ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}  ${HOSTNAME} 389
${IF_RWDC}SRV          _kerberos._tcp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                 ${HOSTNAME} 88
${IF_RWDC}SRV          _kpasswd._tcp.${DNSDOMAIN}                            ${HOSTNAME} 464
${IF_RWDC}SRV          _kpasswd._udp.${DNSDOMAIN}                            ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}            ${HOSTNAME} 88
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}  ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A            gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}AAAA         gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}SRV          _gc._tcp.${DNSFOREST}                                 ${HOSTNAME} 3268
${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                     ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV            _gc._tcp.${SITE}._sites.${DNSFOREST}                  ${HOSTNAME} 3268
${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}      ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A    DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}                ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A    ForestDnsZones.${DNSFOREST}                           $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST}                           $IP
${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}                ${HOSTNAME} 389
# RW and RO DNS Servers

Does not exist on dc02 as it has /var/lib/samba/* only.

DC02 dns query ALL

Name=, Records=5, Children=0
    SOA: serial=127, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc01.my.domain., email=hostmaster.my.domain. (flags=600000f0, serial=127, ttl=3600)
    NS: dc01.my.domain. (flags=600000f0, serial=110, ttl=900)
    NS: dc02.my.domain. (flags=600000f0, serial=110, ttl=900)
    A: 192.168.50.11 (flags=600000f0, serial=110, ttl=900)
    A: 10.0.1.9 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=2
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=CTG-INTEL, Records=1, Children=0
    A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Anmeldung-Li, Records=1, Children=0
    A: 192.168.50.182 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Anmeldung-re, Records=1, Children=0
    A: 192.168.50.181 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-CTG, Records=1, Children=0
    A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Labor, Records=1, Children=0
    A: 192.168.50.3 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Monitoring, Records=1, Children=0
    A: 192.168.50.164 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Telefonzentrale, Records=1, Children=0
    A: 192.168.50.243 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-U1, Records=1, Children=0
    A: 192.168.50.8 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-U2, Records=1, Children=0
    A: 192.168.50.174 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-U3, Records=1, Children=0
    A: 192.168.50.176 (flags=f0, serial=110, ttl=1200)
  Name=dc01, Records=1, Children=0
    A: 192.168.50.11 (flags=f0, serial=110, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=dc02, Records=1, Children=0
    A: 10.0.1.9 (flags=f0, serial=120, ttl=3600)
  Name=nasdd7fef, Records=1, Children=0
    A: 192.168.50.232 (flags=f0, serial=110, ttl=3600)
  Name=PC-Bakk, Records=1, Children=0
    A: 10.0.1.182 (flags=f0, serial=110, ttl=1200)


DC02 dns query all

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:127.0.0.1[,sign]
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
Password for [MVZ\administrator]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  Name=, Records=5, Children=0
    SOA: serial=125, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc01.my.domain., email=hostmaster.my.domain. (flags=600000f0, serial=125, ttl=3600)
    NS: dc01.my.domain. (flags=600000f0, serial=110, ttl=900)
    NS: dc02.my.domain. (flags=600000f0, serial=110, ttl=900)
    A: 192.168.50.11 (flags=600000f0, serial=110, ttl=900)
    A: 10.0.1.9 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=2
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=CTG-INTEL, Records=1, Children=0
    A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Anmeldung-Li, Records=1, Children=0
    A: 192.168.50.182 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Anmeldung-re, Records=1, Children=0
    A: 192.168.50.181 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-CTG, Records=1, Children=0
    A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Labor, Records=1, Children=0
    A: 192.168.50.3 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Monitoring, Records=1, Children=0
    A: 192.168.50.164 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-Telefonzentrale, Records=1, Children=0
    A: 192.168.50.243 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-U1, Records=1, Children=0
    A: 192.168.50.8 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-U2, Records=1, Children=0
    A: 192.168.50.174 (flags=f0, serial=110, ttl=1200)
  Name=LOC1-U3, Records=1, Children=0
    A: 192.168.50.176 (flags=f0, serial=110, ttl=1200)
  Name=dc01, Records=2, Children=0
    A: 192.168.50.11 (flags=f0, serial=110, ttl=900)
    A: 10.0.1.9 (flags=f0, serial=110, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=dc02, Records=1, Children=0
    A: 10.0.1.9 (flags=f0, serial=120, ttl=3600)
  Name=nasdd7fef, Records=1, Children=0
    A: 192.168.50.232 (flags=f0, serial=110, ttl=3600)
  Name=PC-Bakk, Records=1, Children=0
    A: 10.0.1.182 (flags=f0, serial=110, ttl=1200)

From: Rowland Penny via samba
Sent: Thursday, 5 May 2022 18:17
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] How to determine DNS anomaly

On Thu, 2022-05-05 at 11:37 +0200, Hakim Liso via samba wrote:
> Hello, and thanks for your help
> I’ve just sent another mail regarding the DNS anomalies.
> INTERNAL_SAMBA with DNS forwarder 8.8.8.8 set on both in the
> smb.conf.

Your post was too big and got rejected and I don't see the point in
replying to 'askubuntu' where you have now posted.

When a DC is first joined to an existing domain there are numerous dns
records missing (you can see them in
/usr/share/samba/setup/dns_update_list). When you join a new DC, the
resolv.conf must point to an existing DC, but after the join, you must
make the new DC use itself as its nameserver (use its ipaddress, not
127.0.0.1), have you done this?

Rowland


