Rowland Penny
2016-Aug-14 21:14 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
On Sun, 14 Aug 2016 21:52:43 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:

>
>
> > I am fairly sure this is your problem, it should be able to find the
> > KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
> > and /etc/resolv.conf ?
>
> With the BIND server not running, and this krb5.conf:
>
> [libdefaults]
> default_realm = SAMBA.IFA.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ~
>
> samba_dnsupdate cannot find the KDC. Even if I add:
>
> [realms]
> SAMBA4.IFA.NET {
> kdc= 172.31.0.10
> }
>

Well, I don't think you can find the KDC if the DNS server isn't
running, you could try changing 'dns_lookup_kdc = true' to false

> it still complains about not finding a KDC and does not complete.
>
> Oddly if I can use the output to figure out the DNS entries I need to
> add, so I thought "ah, cool, I'll use samba-tool dns" to add them back
> in. To my great surprise, when I try to add each entry that
> samba_dnsupdate says is missing, samba-tool tells me it already
> exists!!

OK, try running:

ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs --show-binary

replace nano with your favourite editor and
'/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.

You should now be able to search the entire AD and see if your entries
do exist.

>
> /etc/hosts on the new DC:
>
> 172.31.0.10 samba4-dc-2.samba.ifa.net samba4-dc-2
>
> also:
>
> [root at samba4-dc-2 ~]# hostname -f
> samba4-dc-2.samba.ifa.net
>
> resolv.conf:
>
> search samba.ifa.net. ifa.net.
> nameserver 172.31.0.10
>
> >> I've done the dnsupdate on both DCs before turning off the first,
> >> and it completes fine with after a couple of restarts of samba and
> >> bind. I'm still not sure what I should turn off bind on the newer
> >> DC as it's surely a requirement for the domain to function?
> >>
> > Yes it is, I was just making sure.
> >
> > Rowland
>
> Feels a bit chicken-and-egg at the moment.
> Is there a definitive procedure documented for neophytes to, post-classicupgrade:
>
> 1) add a new BIND9_DLZ based DC properly
> 2) remove all traces of the DC used for the classicupgrade
>
> ?

I don't think so, most people just use the upgraded DC.

Rowland
Alex Crow
2016-Aug-14 22:17 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
On 14/08/16 22:14, Rowland Penny via samba wrote:
> On Sun, 14 Aug 2016 21:52:43 +0100
> Alex Crow via samba <samba at lists.samba.org> wrote:
>
>>> I am fairly sure this is your problem, it should be able to find the
>>> KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
>>> and /etc/resolv.conf ?
>> With the BIND server not running, and this krb5.conf:
>>
>> [libdefaults]
>> default_realm = SAMBA.IFA.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ~
>>
>> samba_dnsupdate cannot find the KDC. Even if I add:
>>
>> [realms]
>> SAMBA4.IFA.NET {
>> kdc= 172.31.0.10
>> }
>>
> Well, I don't think you can find the KDC if the DNS server isn't
> running, you could try changing 'dns_lookup_kdc = true' to false

I think I tried that, but I'm not 100% sure. I tried a lot of things to
get back on track.

>
>> it still complains about not finding a KDC and does not complete.
>>
>> Oddly if I can use the output to figure out the DNS entries I need to
>> add, so I thought "ah, cool, I'll use samba-tool dns" to add them back
>> in. To my great surprise, when I try to add each entry that
>> samba_dnsupdate says is missing, samba-tool tells me it already
>> exists!!
> OK, try running:
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs
> --show-binary
>
> replace nano with your favourite editor and
> '/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.
>
> You should now be able to search the entire AD and see if your entries
> do exist.

I did have a quick look with ldbedit before this last email. There were
indeed a number of DNS nodes but perhaps as I didn't use "--show-binary"
I was missing something.

Cheers

Alex

--
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice.
"Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
L.P.H. van Belle
2016-Aug-15 07:07 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
Just a question.. Did you reboot the servers after the join?
And first the DC with FSMO: reboot it, wait until it's fully up again, then the other.
I don't know why but that helped me a few times.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex Crow via samba
> Sent: Monday 15 August 2016 0:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
>
> On 14/08/16 22:14, Rowland Penny via samba wrote:
> > On Sun, 14 Aug 2016 21:52:43 +0100
> > Alex Crow via samba <samba at lists.samba.org> wrote:
> >
> >>> I am fairly sure this is your problem, it should be able to find the
> >>> KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
> >>> and /etc/resolv.conf ?
> >> With the BIND server not running, and this krb5.conf:
> >>
> >> [libdefaults]
> >> default_realm = SAMBA.IFA.NET
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >> ~
> >>
> >> samba_dnsupdate cannot find the KDC. Even if I add:
> >>
> >> [realms]
> >> SAMBA4.IFA.NET {
> >> kdc= 172.31.0.10
> >> }
> >>
> > Well, I don't think you can find the KDC if the DNS server isn't
> > running, you could try changing 'dns_lookup_kdc = true' to false
> I think I tried that, but I'm not 100% sure. I tried a lot of things to
> get back on track.
> >
> >> it still complains about not finding a KDC and does not complete.
> >>
> >> Oddly if I can use the output to figure out the DNS entries I need to
> >> add, so I thought "ah, cool, I'll use samba-tool dns" to add them back
> >> in. To my great surprise, when I try to add each entry that
> >> samba_dnsupdate says is missing, samba-tool tells me it already
> >> exists!!
> > OK, try running:
> >
> > ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs
> > --show-binary
> >
> > replace nano with your favourite editor and
> > '/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.
> >
> > You should now be able to search the entire AD and see if your entries
> > do exist.
>
> I did have a quick look with ldbedit before this last email. There were
> indeed a number of DNS nodes but perhaps as I didn't use "--show-binary"
> I was missing something.
>
> Cheers
>
> Alex
Rowland Penny
2016-Aug-15 13:44 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
On Sun, 14 Aug 2016 23:17:57 +0100
Alex Crow via samba <samba at lists.samba.org> wrote:

>
>
> On 14/08/16 22:14, Rowland Penny via samba wrote:
> > On Sun, 14 Aug 2016 21:52:43 +0100
> > Alex Crow via samba <samba at lists.samba.org> wrote:
> >
> >>> I am fairly sure this is your problem, it should be able to find
> >>> the KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
> >>> and /etc/resolv.conf ?
> >> With the BIND server not running, and this krb5.conf:
> >>
> >> [libdefaults]
> >> default_realm = SAMBA.IFA.NET
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >> ~
> >>
> >> samba_dnsupdate cannot find the KDC. Even if I add:
> >>
> >> [realms]
> >> SAMBA4.IFA.NET {
> >> kdc= 172.31.0.10
> >> }
> >>
> > Well, I don't think you can find the KDC if the DNS server isn't
> > running, you could try changing 'dns_lookup_kdc = true' to false
> I think I tried that, but I'm not 100% sure. I tried a lot of things
> to get back on track.
> >
> >> it still complains about not finding a KDC and does not complete.
> >>
> >> Oddly if I can use the output to figure out the DNS entries I need
> >> to add, so I thought "ah, cool, I'll use samba-tool dns" to add
> >> them back in. To my great surprise, when I try to add each entry
> >> that samba_dnsupdate says is missing, samba-tool tells me it
> >> already exists!!
> > OK, try running:
> >
> > ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs
> > --show-binary
> >
> > replace nano with your favourite editor and
> > '/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.
> >
> > You should now be able to search the entire AD and see if your
> > entries do exist.
>
> I did have a quick look with ldbedit before this last email. There were
> indeed a number of DNS nodes but perhaps as I didn't use "--show-binary"
> I was missing something.

Just had a thought, how is /etc/resolv.conf set up ?
Is it set up so that each DC uses the other first ?

If it is, then this 'could' be your problem, your second DC tries to
find the KDC, so it asks DNS (via resolv.conf) for the KDC's address.
Now if the other DC is first in line and doesn't exist, it will have
to timeout before it will try the next nameserver and most probably
will give up and tell you it cannot find the KDC.

Rowland
L.P.H. van Belle
2016-Aug-15 14:20 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
In addition to Rowland's comment.

I suggest you try:

/etc/hosts, add only:
127.0.0.1 localhost

Now type:
hostname -f
hostname -s
hostname -d
hostname -I

Are these all correct?
No -> edit resolv.conf:
domain samba.ifa.net
search samba.ifa.net ifa.net
nameserver 127.0.0.1

What happens now if you try the above commands? Correct?
Yes => correct your hosts and resolv.conf
No
||
\/
change resolv.conf to:
nameserver IP_of_server

Still not working, error in named.conf or no entries in the AD DNS.

Try it out.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Monday 15 August 2016 15:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
>
> On Sun, 14 Aug 2016 23:17:57 +0100
> Alex Crow via samba <samba at lists.samba.org> wrote:
>
> >
> >
> > On 14/08/16 22:14, Rowland Penny via samba wrote:
> > > On Sun, 14 Aug 2016 21:52:43 +0100
> > > Alex Crow via samba <samba at lists.samba.org> wrote:
> > >
> > >>> I am fairly sure this is your problem, it should be able to find
> > >>> the KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
> > >>> and /etc/resolv.conf ?
> > >> With the BIND server not running, and this krb5.conf:
> > >>
> > >> [libdefaults]
> > >> default_realm = SAMBA.IFA.NET
> > >> dns_lookup_realm = false
> > >> dns_lookup_kdc = true
> > >> ~
> > >>
> > >> samba_dnsupdate cannot find the KDC. Even if I add:
> > >>
> > >> [realms]
> > >> SAMBA4.IFA.NET {
> > >> kdc= 172.31.0.10
> > >> }
> > >>
> > > Well, I don't think you can find the KDC if the DNS server isn't
> > > running, you could try changing 'dns_lookup_kdc = true' to false
> > I think I tried that, but I'm not 100% sure. I tried a lot of things
> > to get back on track.
> > >
> > >> it still complains about not finding a KDC and does not complete.
> > >>
> > >> Oddly if I can use the output to figure out the DNS entries I need
> > >> to add, so I thought "ah, cool, I'll use samba-tool dns" to add
> > >> them back in. To my great surprise, when I try to add each entry
> > >> that samba_dnsupdate says is missing, samba-tool tells me it
> > >> already exists!!
> > > OK, try running:
> > >
> > > ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs
> > > --show-binary
> > >
> > > replace nano with your favourite editor and
> > > '/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.
> > >
> > > You should now be able to search the entire AD and see if your
> > > entries do exist.
> >
> > I did have a quick look with ldbedit before this last email. There were
> > indeed a number of DNS nodes but perhaps as I didn't use "--show-binary"
> > I was missing something.
>
> Just had a thought, how is /etc/resolv.conf set up ?
> Is it set up so that each DC uses the other first ?
>
> If it is, then this 'could' be your problem, your second DC tries to
> find the KDC, so it asks DNS (via resolv.conf) for the KDC's address.
> Now if the other DC is first in line and doesn't exist, it will have
> to timeout before it will try the next nameserver and most probably
> will give up and tell you it cannot find the KDC.
>
> Rowland
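An added diagnostic for the resolv.conf and KDC-lookup problem that Rowland's and Louis's messages above describe (example code written for this page, not from the thread or from Samba; it uses the realm name from the thread and assumes each DC answers DNS on UDP port 53). It sends a raw SRV query for _kerberos._tcp.<realm>, the record a client with dns_lookup_kdc = true resolves, to every nameserver listed in /etc/resolv.conf with a short timeout, so a dead DC listed first shows up as a timeout instead of a vague "cannot find KDC".

```python
import socket
import struct

REALM = "SAMBA.IFA.NET"  # realm from the thread; adjust for your domain

def parse_resolv(text):
    """Nameserver IPs from resolv.conf text, in the order the resolver tries them."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def kdc_srv_name(realm):
    """With dns_lookup_kdc = true the Kerberos client resolves this SRV record."""
    return "_kerberos._tcp." + realm.lower().rstrip(".")

def build_srv_query(name, txid=0x1234):
    """Minimal DNS query: header (RD set, 1 question), QNAME labels, QTYPE SRV=33, QCLASS IN=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 33, 1)

def parse_response_header(data):
    """Return (rcode, answer_count) from the 12-byte DNS response header."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return flags & 0x000F, ancount

def probe(server, name, timeout=2.0):
    """Send the SRV query to one nameserver over UDP; 'timeout' means it never answered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query(name), (server, 53))
        rcode, answers = parse_response_header(sock.recv(512))
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # e.g. port unreachable when nothing listens on 53
        return "error:%s" % exc
    finally:
        sock.close()
    return "ok:%d" % answers if rcode == 0 and answers else "rcode=%d" % rcode

def check_order(results):
    """Resolvers try nameservers in listed order: a dead first entry stalls every KDC lookup."""
    if results and results[0][1] == "timeout":
        return "first nameserver %s is dead: KDC lookups stall" % results[0][0]
    return "first nameserver answers"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:  # the file Rowland and Louis ask about
        results = [(s, probe(s, kdc_srv_name(REALM))) for s in parse_resolv(fh.read())]
    print(*("%s -> %s" % r for r in results), check_order(results), sep="\n")
```

Run it on the DC itself: a "timeout" on the first line is the case Rowland describes, and "rcode=3" (NXDOMAIN) from the local DC means the SRV records samba_dnsupdate wants to create really are missing from the AD zone.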