[Samba] How to determine DNS anomaly
L. van Belle
belle at samba.org
Fri May 6 10:08:56 UTC 2022
Hai,
Ah.. sorry, direct mail and not the list..
Yes, that's one I missed, your "search MY".. I assumed.. (yeah, that's a wrong
assumption..)..
but now I know you use netplan..
Add the following in the netplan config so you are always sure your
resolv.conf is right.
DC1
Network
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses:
        - 192.168.50.11/24
      nameservers:
        search: [my.domain]
        addresses: [192.168.50.11]
      routes:
        - to: default
          via: 192.168.50.1
and DC2.
Network
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses:
        - 10.0.1.9/24
      nameservers:
        search: [my.domain]
        addresses: [192.168.50.11]
      routes:
        - to: default
          via: 192.168.50.1
so, with that.
first do DC2, so you have 2 DCs online again.
change the netplan
config, apply it, check resolv.conf and reboot.
Then check again if replication is up again.
If not, report back.
on this :
>> DC02 (Clients on this site will still use dc01 as NS / for gpos etc)
if the above works correctly, then set up sysvol replication, windows "should"
go to the closest AD-DC..
But, first things first.
Greetz,
Louis
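As an added example (not Louis's code and not part of Samba), the following Python check encodes the resolv.conf rule both replies in this thread give for a DC: its own interface address, never 127.0.0.1, comes first, the other DC follows as fallback, and the search list carries the DNS domain. The function names are this example's own and the three sample files are constructed, modelled on the configs posted in the thread.

```python
"""Check a Samba AD DC's /etc/resolv.conf against the advice in this thread.

Added example, not code from the thread or from the Samba project.
Rule checked: the DC's own interface address (not 127.0.0.1) is the first
nameserver, the other DC(s) follow as fallbacks, and the search list holds the
DNS domain. Function names are this example's own; sample files are constructed.
"""
import ipaddress


def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf text; comments are ignored."""
    search, nameservers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key in ("search", "domain"):
            search.extend(values)
    return search, nameservers


def check_dc_resolv_conf(text, own_ip, dns_domain, other_dcs=()):
    """Return a list of problems with resolv.conf on a DC; an empty list means it looks right."""
    search, nameservers = parse_resolv_conf(text)
    if not nameservers:
        return ["no nameserver lines at all"]
    problems = []
    for ns in nameservers:
        try:
            ip = ipaddress.ip_address(ns)
        except ValueError:
            problems.append(f"nameserver {ns!r} is not an IP address")
            continue
        if ip.is_loopback:
            problems.append(f"nameserver {ns} is a loopback address; a DC should use its interface address")
    if nameservers[0] != own_ip:
        problems.append(f"first nameserver is {nameservers[0]}, expected the DC's own address {own_ip}")
    if dns_domain.lower() not in (s.lower() for s in search):
        problems.append(f"search list {search} does not contain the DNS domain {dns_domain}")
    for dc in other_dcs:
        if dc not in nameservers:
            problems.append(f"other DC {dc} is not listed as a fallback nameserver")
    return problems


# Constructed samples, modelled on the thread: dc02 is 10.0.1.9, dc01 is 192.168.50.11.
OLD_DC02 = "search my\nnameserver 192.168.50.11\nnameserver 10.0.1.9\n"          # dc01 first
FIXED_DC02 = "search my.domain\nnameserver 10.0.1.9\nnameserver 192.168.50.11\n"  # itself first
LOOPBACK_DC02 = "search my.domain\nnameserver 127.0.0.1\nnameserver 10.0.1.9\n"   # what Rowland warns against

if __name__ == "__main__":
    for label, conf in (("old", OLD_DC02), ("fixed", FIXED_DC02), ("loopback", LOOPBACK_DC02)):
        print(label, check_dc_resolv_conf(conf, "10.0.1.9", "my.domain", other_dcs=("192.168.50.11",)))
```

Run it on dc02 with its own address, the realm and dc01's address; the "fixed" sample returns no problems, the "old" one reports dc01 being first and the short search list, and the loopback one is rejected outright.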
From: Hakim Liso
Sent: Friday, 6 May 2022 11:04
To: L.P.H. van Belle <belle at bazuin.nl>
Subject: AW: [Samba] How to determine DNS anomaly
Hello and thanks for the quick reply. I will reply to both of you as I got 2
answers.
I am really confused with those 2 answers at this point.
I've followed the suggested steps but it didn't work out.
Samba version 4.13.17-Ubuntu on Ubuntu Server 21.10
They're on different locations so I use 2 sites.
I've removed DC01 from DC02's resolv.conf. Clients on site 2 still connect to
dc01 and I cannot replicate anymore.
Won't the working DC get into trouble if I remove the other NS now? Let's say
both DNS servers have wrong entries, because they definitely differ when
looking at both.
Below is the "old" setup, but removing the other DC as nameserver in
resolv.conf ends up in no connectivity, nothing else.
I might have a wrong understanding of resolv.conf, but I've had 2 Samba DCs
running properly in the past with the same resolv.conf setup. Can I not just
completely demote dc02, fix or reset the DNS entries and correctly join
dc02 on the site? It does not complement the entries for sites.
DC01 (working)
Network
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses:
        - 192.168.50.11/24
      nameservers:
        addresses: [192.168.50.11, 10.0.1.9, 192.168.50.1]
      routes:
        - to: default
          via: 192.168.50.1
Hosts
127.0.0.1 localhost
192.168.50.11 dc01.my.domain dc01
10.0.1.9 dc02.my.domain dc02
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
smb.conf
# Global parameters
[global]
min protocol = NT1
dns forwarder = 8.8.8.8
netbios name = dc01
realm = my.domain
server role = active directory domain controller
workgroup = my
idmap_ldb:use rfc2307 = yes
map to guest = Bad User
log file = /var/log/samba/%m
log level = 3
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/my.domain/scripts
read only = No
#--------------------Location1----------------------------
[U2-Sono]
path = /var/lib/samba/shares/Location1/U2/Sono
read only = no
[U1-Sono]
path = /var/lib/samba/shares/Location1/U1/Sono
read only = no
[U1-Kolposkop]
path = /var/lib/samba/shares/Location1/U1/Kolposkop
read only = no
[U1-Fetview]
path = /var/lib/samba/shares/Location1/U1/Fetview
read only = no
[CTG]
path = /var/lib/samba/shares/Location1/CTG
read only = no
[Scan]
path = /var/lib/samba/shares/Location1/Scan
read only = no
DC02 (Clients on this site will still use dc01 as NS / for gpos etc)
Network
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses:
        - 10.0.1.9/24
      nameservers:
        addresses: [192.168.50.11, 10.0.1.9]
      routes:
        - to: default
          via: 10.0.1.253
/etc/hosts
127.0.0.1 localhost
10.0.1.9 dc02.my.domain dc02
192.168.50.11 dc01.my.domain dc01
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
smb.conf
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = dc02
realm = my.domain
server role = active directory domain controller
workgroup = my
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/my.domain/scripts
read only = No
resolv.conf
search my
nameserver 10.0.1.9
nameserver 192.168.50.11
From: L.P.H. van Belle
Sent: Friday, 6 May 2022 09:49
To: Hakim Liso
Subject: RE: [Samba] How to determine DNS anomaly
I suggest the following.
on the failing DC.
Set resolv.conf its first nameserver to the DC that works.
(dc1)
Stop samba on the failing DC (2)
and start it again.
Wait 1 minute.
Check again if the needed records are there now.
Still not?
Then push the good DB to the other samba server.
stop samba, start samba, check again.
still not? post again to the list, include samba version, /etc/hosts,
/etc/resolv.conf and both smb.conf
and the list of packages (samba/winbind) that are installed.
Working?
And run samba-tool dbcheck on both servers.
And then, if it looks ok now, change the resolv.conf back to normal.
which is.
> DC01 192.168.50.11
> search MY
> nameserver 192.168.50.11
> nameserver 10.0.1.9
>
> DC02 10.0.1.9
> search MY
> nameserver 10.0.1.9
> nameserver 192.168.50.11
reboot DC2, and check everything again.
(* purely to make sure it's all set ok)
Greetz,
Louis
> -----Original message-----
> From: samba On behalf of Hakim Liso via samba
> Sent: Friday, 6 May 2022 08:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to determine DNS anomaly
>
> Resolv.conf looks like this for MY.DOMAIN
>
> DC01 192.168.50.11
> search MY
> nameserver 10.0.1.9
> nameserver 192.168.50.11
>
> DC02 10.0.1.9
> search MY
> nameserver 192.168.50.11
> nameserver 10.0.1.9
>
> But this was working without any problems with the private IPs before the
> errors on the backup appeared. I doubt changing the own IPs to the loopback
> address will fix my issues.
> I've expanded testing and it seems only LDAP lookup doesn't work for dc02,
> and I noticed that there keeps on being a static A record generated, dc01
> 10.0.1.9, which seems wrong.
>
> Server:         192.168.50.11
> Address:        192.168.50.11#53
>
> Name:   dc01.my.domain
> Address: 192.168.50.11
> Name:   dc01.my.domain
> Address: 10.0.1.9
>
> I kept deleting it but it keeps coming back. So something must be wrong with
> dynamic DNS.
>
> Also there wasn't any NS entry in the reverse lookup of the dc02 site, but I
> guess that was because I didn't join the DC in a specific site. Nevertheless the
> entries did not complement.
>
> Also there are entries for DC01 only in Site 2/_tcp for _gc, _ldap, _kerberos,
> which have to be switched with dc02 I guess. Also the my.domain/_tcp
> contains gc, kerberos, kpasswd, ldap entries for DC01 only. DNS update does
> not seem to have the right entries.
>
> host -t SRV _ldap._tcp.my.domain
> _ldap._tcp.my.domain has SRV record 0 100 389 dc01.my.domain.
> My thoughts:
> Completely wiping dc02 from the domain and fixing all DNS entries back to
> normal. Properly joining dc02 to the site, hoping the DNS entries will now
> appear correct.
>
> I cannot really troubleshoot this at this point without risking running into far
> more errors.
>
> Dnsupdate DC01
>
> A                      ${HOSTNAME}                                            $IP
> AAAA                   ${HOSTNAME}                                            $IP
> ${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                        ${HOSTNAME}
> ${IF_RWDNS_DOMAIN}NS   ${DNSDOMAIN}                                           ${HOSTNAME}
> ${IF_RWDNS_FOREST}NS   ${DNSFOREST}                                           ${HOSTNAME}
> ${IF_RWDNS_FOREST}NS   _msdcs.${DNSFOREST}                                    ${HOSTNAME}
>
> # Stub entries in the parent zone
> ${IF_RWDNS_DOMAIN}RPC ${DNSFOREST}  NS ${DNSDOMAIN}         ${HOSTNAME}
> ${IF_RWDNS_FOREST}RPC ${DNSFOREST}  NS _msdcs.${DNSFOREST}  ${HOSTNAME}
>
> # RW domain controller
> ${IF_RWDC}A            ${DNSDOMAIN}                                           $IP
> ${IF_RWDC}AAAA         ${DNSDOMAIN}                                           $IP
> ${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                                ${HOSTNAME} 389
> ${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                      ${HOSTNAME} 389
> ${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}   ${HOSTNAME} 389
> ${IF_RWDC}SRV          _kerberos._tcp.${DNSDOMAIN}                            ${HOSTNAME} 88
> ${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                            ${HOSTNAME} 88
> ${IF_RWDC}SRV          _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                  ${HOSTNAME} 88
> ${IF_RWDC}SRV          _kpasswd._tcp.${DNSDOMAIN}                             ${HOSTNAME} 464
> ${IF_RWDC}SRV          _kpasswd._udp.${DNSDOMAIN}                             ${HOSTNAME} 464
> # RW and RO domain controller
> ${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                 ${HOSTNAME} 389
> ${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}       ${HOSTNAME} 389
> ${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}             ${HOSTNAME} 88
> ${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}   ${HOSTNAME} 88
>
> # The PDC emulator
> ${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                     ${HOSTNAME} 389
>
> # RW GC servers
> ${IF_RWGC}A            gc._msdcs.${DNSFOREST}                                 $IP
> ${IF_RWGC}AAAA         gc._msdcs.${DNSFOREST}                                 $IP
> ${IF_RWGC}SRV          _gc._tcp.${DNSFOREST}                                  ${HOSTNAME} 3268
> ${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                      ${HOSTNAME} 3268
> # RW and RO GC servers
> ${IF_GC}SRV            _gc._tcp.${SITE}._sites.${DNSFOREST}                   ${HOSTNAME} 3268
> ${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}       ${HOSTNAME} 3268
>
> # RW DNS servers
> ${IF_RWDNS_DOMAIN}A    DomainDnsZones.${DNSDOMAIN}                            $IP
> ${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN}                            $IP
> ${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}                 ${HOSTNAME} 389
> # RW and RO DNS servers
> ${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN}  ${HOSTNAME} 389
>
> # RW DNS servers
> ${IF_RWDNS_FOREST}A    ForestDnsZones.${DNSFOREST}                            $IP
> ${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST}                            $IP
> ${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}                 ${HOSTNAME} 389
> # RW and RO DNS Servers
>
> Does not exist on dc02 as it has /var/lib/samba/* only.
>
> DC02 dns query ALL
>
>   Name=, Records=5, Children=0
>     SOA: serial=127, refresh=900, retry=600, expire=86400, minttl=3600,
>          ns=dc01.my.domain., email=hostmaster.my.domain. (flags=600000f0,
>          serial=127, ttl=3600)
>     NS: dc01.my.domain. (flags=600000f0, serial=110, ttl=900)
>     NS: dc02.my.domain. (flags=600000f0, serial=110, ttl=900)
>     A: 192.168.50.11 (flags=600000f0, serial=110, ttl=900)
>     A: 10.0.1.9 (flags=600000f0, serial=110, ttl=900)
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=2
>   Name=_tcp, Records=0, Children=4
>   Name=_udp, Records=0, Children=2
>   Name=CTG-INTEL, Records=1, Children=0
>     A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Anmeldung-Li, Records=1, Children=0
>     A: 192.168.50.182 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Anmeldung-re, Records=1, Children=0
>     A: 192.168.50.181 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-CTG, Records=1, Children=0
>     A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Labor, Records=1, Children=0
>     A: 192.168.50.3 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Monitoring, Records=1, Children=0
>     A: 192.168.50.164 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Telefonzentrale, Records=1, Children=0
>     A: 192.168.50.243 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-U1, Records=1, Children=0
>     A: 192.168.50.8 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-U2, Records=1, Children=0
>     A: 192.168.50.174 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-U3, Records=1, Children=0
>     A: 192.168.50.176 (flags=f0, serial=110, ttl=1200)
>   Name=dc01, Records=1, Children=0
>     A: 192.168.50.11 (flags=f0, serial=110, ttl=900)
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=dc02, Records=1, Children=0
>     A: 10.0.1.9 (flags=f0, serial=120, ttl=3600)
>   Name=nasdd7fef, Records=1, Children=0
>     A: 192.168.50.232 (flags=f0, serial=110, ttl=3600)
>   Name=PC-Bakk, Records=1, Children=0
>     A: 10.0.1.182 (flags=f0, serial=110, ttl=1200)
>
>
> DC02 dns query all
>
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:127.0.0.1[,sign]
> Cannot do GSSAPI to an IP address
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> Password for [my\administrator]:
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
>
>   Name=, Records=5, Children=0
>     SOA: serial=125, refresh=900, retry=600, expire=86400, minttl=3600,
>          ns=dc01.my.domain., email=hostmaster.my.domain. (flags=600000f0,
>          serial=125, ttl=3600)
>     NS: dc01.my.domain. (flags=600000f0, serial=110, ttl=900)
>     NS: dc02.my.domain. (flags=600000f0, serial=110, ttl=900)
>     A: 192.168.50.11 (flags=600000f0, serial=110, ttl=900)
>     A: 10.0.1.9 (flags=600000f0, serial=110, ttl=900)
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=2
>   Name=_tcp, Records=0, Children=4
>   Name=_udp, Records=0, Children=2
>   Name=CTG-INTEL, Records=1, Children=0
>     A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Anmeldung-Li, Records=1, Children=0
>     A: 192.168.50.182 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Anmeldung-re, Records=1, Children=0
>     A: 192.168.50.181 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-CTG, Records=1, Children=0
>     A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Labor, Records=1, Children=0
>     A: 192.168.50.3 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Monitoring, Records=1, Children=0
>     A: 192.168.50.164 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-Telefonzentrale, Records=1, Children=0
>     A: 192.168.50.243 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-U1, Records=1, Children=0
>     A: 192.168.50.8 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-U2, Records=1, Children=0
>     A: 192.168.50.174 (flags=f0, serial=110, ttl=1200)
>   Name=LOC1-U3, Records=1, Children=0
>     A: 192.168.50.176 (flags=f0, serial=110, ttl=1200)
>   Name=dc01, Records=2, Children=0
>     A: 192.168.50.11 (flags=f0, serial=110, ttl=900)
>     A: 10.0.1.9 (flags=f0, serial=110, ttl=900)
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=dc02, Records=1, Children=0
>     A: 10.0.1.9 (flags=f0, serial=120, ttl=3600)
>   Name=nasdd7fef, Records=1, Children=0
>     A: 192.168.50.232 (flags=f0, serial=110, ttl=3600)
>   Name=PC-Bakk, Records=1, Children=0
>     A: 10.0.1.182 (flags=f0, serial=110, ttl=1200)
>
> From: Rowland Penny via samba
> Sent: Thursday, 5 May 2022 18:17
> To: samba at lists.samba.org
> Cc: Rowland Penny
> Subject: Re: [Samba] How to determine DNS anomaly
>
> On Thu, 2022-05-05 at 11:37 +0200, Hakim Liso via samba wrote:
> > Hello, and thanks for your help
> > I've just sent another mail regarding the dns anomalies.
> > domainAL_SAMBA with DNS Forwarder 8.8.8.8 set on both in the
> > smb.conf.
>
> Your post was too big and got rejected and I don't see the point in
> replying to 'askubuntu' where you have now posted.
>
> When a DC is first joined to an existing domain there are numerous dns
> records missing (you can see them in
> /usr/share/samba/setup/dns_update_list). When you join a new DC, the
> resolv.conf must point to an existing DC, but after the join, you must
> make the new DC use itself as its nameserver (use its ipaddress, not
> 127.0.0.1), have you done this?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:
https://lists.samba.org/mailman/options/samba
>
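The `samba-tool dns query ... @ ALL` dumps quoted above show the symptom the thread is about: `Name=dc01` carrying an A record for 10.0.1.9, which is dc02's address. As an added example (not code from the thread or from the Samba project), the following Python script parses that dump format, including the SOA that wraps over several lines and the `> ` mail quoting, and flags any DC whose name carries another DC's address, lacks its own A record, or is missing from the zone's NS set. The function names are this example's own, and the sample dump is constructed, modelled on the thread's output with most workstation entries dropped.

```python
"""Audit a `samba-tool dns query <server> <zone> @ ALL` dump for DC address anomalies.

Added example, not code from the thread or from the Samba project. It parses the
dump format shown in the thread (Name=... lines followed by indented
"TYPE: value (flags=.., serial=.., ttl=..)" records, the SOA wrapped over several
lines) and reports the symptom described there: an A record under one DC's name
that carries another DC's address. The sample dump is constructed.
"""
import re

NAME_RE = re.compile(r"^Name=(?P<name>[^,]*), Records=(?P<records>\d+), Children=(?P<children>\d+)$")
RECORD_RE = re.compile(
    r"^(?P<type>[A-Z]+):\s*(?P<value>.*?)\s*"
    r"\(flags=(?P<flags>[0-9A-Fa-f]+), serial=(?P<serial>\d+), ttl=(?P<ttl>\d+)\)$"
)


def parse_dns_query(text):
    """Return {name: [(type, value, serial, ttl), ...]} for every Name= block in the dump."""
    zone, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()  # tolerate mail-quoted ("> ") dumps
        if not line:
            continue
        m = NAME_RE.match(line)
        if m:
            current, buf = m.group("name"), ""
            zone.setdefault(current, [])
            continue
        if current is None:  # chatter before the first Name= line (GENSEC lines, password prompt)
            continue
        buf = f"{buf} {line}" if buf else line
        if not buf.endswith(")"):  # every record ends with "(flags=..., serial=..., ttl=...)"
            continue
        m = RECORD_RE.match(buf)
        buf = ""
        if m:
            zone[current].append((m.group("type"), m.group("value"),
                                  int(m.group("serial")), int(m.group("ttl"))))
    return zone


def find_dc_address_anomalies(zone, dc_addresses, dns_domain):
    """dc_addresses maps DC short name -> its address (as in /etc/hosts). Returns a list of findings."""
    findings = []
    ip_to_dc = {ip: host for host, ip in dc_addresses.items()}
    apex_ns = {v.rstrip(".").lower() for t, v, _s, _t in zone.get("", []) if t == "NS"}
    for host, own_ip in dc_addresses.items():
        a_values = [v for t, v, _s, _t in zone.get(host, []) if t == "A"]
        if own_ip not in a_values:
            findings.append(f"{host}: no A record for its own address {own_ip}")
        for v in a_values:
            owner = ip_to_dc.get(v)
            if owner and owner != host:  # the "static A record that keeps coming back" case
                findings.append(f"{host}: A record {v} belongs to {owner}")
        if f"{host}.{dns_domain}".lower() not in apex_ns:
            findings.append(f"{host}: not listed as an NS of {dns_domain}")
    return findings


# Constructed sample, modelled on the thread's second dump (most workstation names omitted).
SAMPLE_DUMP = """\
  Name=, Records=5, Children=0
    SOA: serial=125, refresh=900, retry=600, expire=86400, minttl=3600,
  ns=dc01.my.domain., email=hostmaster.my.domain. (flags=600000f0,
  serial=125, ttl=3600)
    NS: dc01.my.domain. (flags=600000f0, serial=110, ttl=900)
    NS: dc02.my.domain. (flags=600000f0, serial=110, ttl=900)
    A: 192.168.50.11 (flags=600000f0, serial=110, ttl=900)
    A: 10.0.1.9 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=dc01, Records=2, Children=0
    A: 192.168.50.11 (flags=f0, serial=110, ttl=900)
    A: 10.0.1.9 (flags=f0, serial=110, ttl=900)
  Name=dc02, Records=1, Children=0
    A: 10.0.1.9 (flags=f0, serial=120, ttl=3600)
  Name=PC-Bakk, Records=1, Children=0
    A: 10.0.1.182 (flags=f0, serial=110, ttl=1200)
"""
DC_ADDRESSES = {"dc01": "192.168.50.11", "dc02": "10.0.1.9"}

if __name__ == "__main__":
    for finding in find_dc_address_anomalies(parse_dns_query(SAMPLE_DUMP), DC_ADDRESSES, "my.domain"):
        print(finding)
```

Feed it the saved output of the query on each DC and compare the findings between them: a record that is present on one DC and not the other is a replication problem, while a finding that appears on both (as with dc01's extra A record here) points at the dynamic DNS update source.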