[Samba] Problems with Samba as an AD and named
compeilermail-openbc at yahoo.de
Fri Sep 15 13:30:43 UTC 2023
Hi,
I have Zentyal as an AD Server installed on an Ubuntu 20.04.6 System. All fine. It acts as a PDC (in the past there was another, which broke and was not replaced, and the server is demoted and removed). I now have problems with starting bind. I am unsure what led to that situation. But named does not want to start:
---------------------
Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
Sep 15 15:17:01 bombadil named[1936]: generating session key for dynamic DNS
Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
Sep 15 15:17:01 bombadil named[1936]: sizing zone task pool based on 24 zones
Sep 15 15:17:01 bombadil named[1936]: Loading 'AD DNS Zone' using driver dlopen
Sep 15 15:17:01 bombadil CRON[1987]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: started for DN DC=compeiler,DC=windows
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: starting configure
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: configured writeable zone 'compeiler.windows'
Sep 15 15:17:01 bombadil named[1936]: zone _msdcs.compeiler.windows/NONE: has no NS records
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: Failed to configure zone '_msdcs.compeiler.windows'
Sep 15 15:17:01 bombadil named[1936]: loading configuration: bad zone
Sep 15 15:17:01 bombadil named[1936]: exiting (due to fatal error)
---------------------
A few days ago it still worked. I did updates on Zentyal and on Linux. But I cannot distinguish whether one of them caused that situation or not.
I also tried the following to "repair" the samba installation:
samba_upgradedns --dns-backend=BIND9_DLZ
but this did not change anything. I read many things, but until now I am unable to start named and so the AD Clients can't check - my children are worse than clients at work. So I hope someone could help fast ;-)
Here is the output of all relevant files from samba-collect-debug-info.sh from github. If some information is missing - I will add...
Thank you... Matthias
Config collected --- 2023-09-15-14:06 -----------
Hostname: bombadil
DNS Domain: compeiler.windows
Realm: COMPEILER.WINDOWS
FQDN: bombadil.compeiler.windows
ipaddress: 192.168.178.205
-----------
This computer is running Ubuntu 20.04.6 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet 127.0.1.1/8 scope host secondary lo
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 5c:26:0a:58:c9:92 brd ff:ff:ff:ff:ff:ff
inet 192.168.178.205/24 brd 192.168.178.255 scope global eno1
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether a0:88:b4:35:1a:98 brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost.localdomain localhost
127.0.1.1 bombadil.compeiler.windows bombadil
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 127.0.0.1
nameserver 192.168.178.1
-----------
WARNING: 'kinit Administrator' will fail, you need to fix this.
Unable to verify DNS kerberos._tcp SRV records
-----------
'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.
-----------
Samba is running as an AD DC
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = COMPEILER.WINDOWS
dns_lookup_kdc = true
dns_lookup_realm = false
rdns = no
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: files systemd
passwd: compat winbind
# pre_auth-client-config # group: files systemd
group: compat winbind
# pre_auth-client-config # shadow: files
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# pre_auth-client-config # netgroup: nis
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
workgroup = compeiler
realm = COMPEILER.WINDOWS
netbios name = bombadil
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /usr/bin/bash
template homedir = /home/%U
rpc server dynamic port range = 49152-65535
interfaces = lo,eno1
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf
[netlogon]
path = /var/lib/samba/sysvol/compeiler.windows/scripts
browseable = no
read only = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
-----------
This DC is being used as a fileserver
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
-----------
Checking file: /etc/bind/named.conf.options
options {
sortlist {
192.168.178.0/24;
};
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
//query-source address * port 53;
//transfer-source * port 53;
//notify-source * port 53;
// DNSSEC configuration
dnssec-enable yes;
dnssec-validation yes;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
forward first;
forwarders {
192.168.178.1;
};
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain no; # conform to RFC1035
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
allow-transfer { internal-local-nets; };
};
logging { category lame-servers { null; }; };
-----------
Checking file: /etc/bind/named.conf.local
// Generated by Zentyal
acl "trusted" {
localhost;
localnets;
};
acl "internal-local-nets" {
192.168.178.0/24;
};
dlz "AD DNS Zone" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
zone "178.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/db.178.168.192";
update-policy {
// The only allowed dynamic updates are PTR records
grant compeiler.windows. subdomain 178.168.192.in-addr.arpa. PTR TXT;
// Grant from localhost
grant local-ddns zonesub any;
};
};
zone "10.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.empty";
};
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list check :
ERROR: AD DC zones found in the Bind flat-files
This is not allowed, you must remove them.
Conflicting zone name : compeiler.windows
File in question is : /etc/bind/named.conf.local: grant compeiler.windows. subdomain 178.168.192.in-addr.arpa. PTR TXT;
/etc/bind/keys:key "compeiler.windows" {
-----------
ERROR: AD DC zones found in the Bind flat-files
This is not allowed, you must remove them.
Conflicting zone name : _msdcs.compeiler.windows
File in question is :
-----------
-----------
unknown 'include' file '/etc/bind/keys' in /etc/bind/named.conf
-----------
Time on the DC with PDC Emulator role is: 2023-09-15T14:23:20
Time on this computer is: 2023-09-15T14:23:21
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds
-----------
Installed packages:
ii acl 2.2.53-6 amd64 access control list - utilities
ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes
ii bind9 1:9.16.1-0ubuntu2.15 amd64 Internet Domain Name Server
ii bind9-dnsutils 1:9.16.1-0ubuntu2.15 amd64 Clients provided with BIND 9
ii bind9-host 1:9.16.1-0ubuntu2.15 amd64 DNS Lookup Utility
ii bind9-libs:amd64 1:9.16.1-0ubuntu2.15 amd64 Shared Libraries used by BIND 9
ii bind9-utils 1:9.16.1-0ubuntu2.15 amd64 Utilities for BIND 9
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.3 all internationalization support for MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library
ii libauthen-krb5-easy-perl 0.92-0 amd64 Simple Kerberos 5 interaction
ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.3 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1.4 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.3 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.3 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 Samba winbind client library
ii python3-attr 19.3.0-2 all Attributes without boilerplate (Python 3)
ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 Python 3 bindings for Samba
ii samba 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.15.13+dfsg-0ubuntu0.20.04.5 all common files used by both the Samba server and client
ii samba-common-bin 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.15.13+dfsg-0ubuntu0.20.04.5 amd64 service to resolve user and group information from Windows NT servers
ii zentyal-samba 7.1.0 all Zentyal - Domain Controller and File Sharing
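The two failure signals in the post are the `samba_dlz` lines in the named journal (one zone configured, `_msdcs.compeiler.windows` refused because it has no NS records, then `exiting (due to fatal error)`) and the debug script's complaint that AD DC zone names appear in BIND's flat files. The following triage script is an added example, not code from the post, from Samba or from Zentyal: it parses constructed journal lines shaped like the ones above, reports which DLZ zones loaded and which failed (with the reason named gave), and scans a constructed `named.conf.local` excerpt for `zone` statements that sit on or under the AD domain, which must not coexist with the DLZ-managed zones. Note that in the actual post the debug script matched only a `grant` line and the key name in `/etc/bind/keys`, not a `zone` statement, so this parser is a narrower check than the script's text search; the `zone "compeiler.windows"` block in the sample below is constructed to show what a real conflict looks like.

```python
"""Triage helper for a Samba AD DC whose BIND9_DLZ named refuses to start.

Added example (not from the original post, Samba or Zentyal). It reads the
journal lines named emits while loading the DLZ module and the zone
statements of named.conf.local, and reports failed DLZ zones plus any
flat-file zones that overlap the AD domain.
"""
import re

# Constructed sample log lines, modelled on the journal output in the post.
SAMPLE_LOG = """\
Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
Sep 15 15:17:01 bombadil named[1936]: Loading 'AD DNS Zone' using driver dlopen
Sep 15 15:17:01 bombadil CRON[1987]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: started for DN DC=compeiler,DC=windows
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: configured writeable zone 'compeiler.windows'
Sep 15 15:17:01 bombadil named[1936]: zone _msdcs.compeiler.windows/NONE: has no NS records
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: Failed to configure zone '_msdcs.compeiler.windows'
Sep 15 15:17:01 bombadil named[1936]: loading configuration: bad zone
Sep 15 15:17:01 bombadil named[1936]: exiting (due to fatal error)
"""

# Constructed named.conf.local excerpt; the "compeiler.windows" flat-file zone is
# deliberately added here to demonstrate a conflict (the post's file has none).
SAMPLE_NAMED_CONF = """\
dlz "AD DNS Zone" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
zone "178.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.178.168.192";
};
zone "compeiler.windows" {
    type master;
    file "/var/lib/bind/db.compeiler";
};
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
"""

NAMED_MSG = re.compile(r"named\[\d+\]: (?P<msg>.*)$")
CONFIGURED = re.compile(r"samba_dlz: configured writeable zone '(?P<zone>[^']+)'")
FAILED = re.compile(r"samba_dlz: Failed to configure zone '(?P<zone>[^']+)'")
ZONE_ERR = re.compile(r"zone (?P<zone>\S+)/NONE: (?P<reason>.+)")
ZONE_STMT = re.compile(r'^\s*zone\s+"(?P<zone>[^"]+)"', re.M)


def triage_named_log(text):
    """Return configured DLZ zones, failed zones with named's reason, and a fatal flag."""
    configured, failed, reasons, fatal = [], [], {}, False
    for line in text.splitlines():
        m = NAMED_MSG.search(line)
        if not m:
            continue  # lines from other units (CRON etc.) are ignored
        msg = m.group("msg")
        c = CONFIGURED.search(msg)
        e = ZONE_ERR.search(msg)
        f = FAILED.search(msg)
        if c:
            configured.append(c.group("zone"))
        elif e:
            # named reports the apex problem before samba_dlz reports the failure
            reasons[e.group("zone")] = e.group("reason")
        elif f:
            failed.append(f.group("zone"))
        elif msg.startswith("exiting (due to fatal error)"):
            fatal = True
    return {
        "configured": configured,
        "failed": [(z, reasons.get(z, "unknown")) for z in failed],
        "fatal": fatal,
    }


def flatfile_zones(conf_text):
    """Names of all zone statements in a named.conf fragment."""
    return ZONE_STMT.findall(conf_text)


def conflicting_zones(conf_text, ad_domain):
    """Flat-file zones equal to, or beneath, the AD domain served by the DLZ module."""
    ad = ad_domain.lower().rstrip(".")
    hits = []
    for zone in flatfile_zones(conf_text):
        z = zone.lower().rstrip(".")
        if z == ad or z.endswith("." + ad):
            hits.append(zone)
    return hits


if __name__ == "__main__":
    result = triage_named_log(SAMPLE_LOG)
    for zone, reason in result["failed"]:
        print(f"DLZ zone failed: {zone} ({reason})")
    print("named exited fatally:", result["fatal"])
    for zone in conflicting_zones(SAMPLE_NAMED_CONF, "compeiler.windows"):
        print(f"flat-file zone overlaps the AD domain: {zone}")
```

Run against a real system by feeding it `journalctl -u named` output and the contents of `/etc/bind/named.conf.local`; a failed `_msdcs` zone with reason `has no NS records` points at the zone's apex records in the AD DNS partition rather than at the BIND configuration, whereas a hit from `conflicting_zones` points at a flat-file zone that has to go before the DLZ module can own that name.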