Jiří Černý
2018-Aug-22 11:18 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello, guys.

First of all, I would like to thank you all for the time you spend solving my problem. I appreciate that very much. Especially Rowland. You do a great job every day here on the lists.

Louis:

> ; TSIG error with server: tsig verify failure
>
> Maybe update/setup your TSIG key.
> https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key
>
> I'm also wondering why RH is using : '--disable-isc-spnego'

Good catch, but I'm not sure if that link is only related to OpenShift. If I understand it right, Samba uses a Kerberos keytab (/var/lib/samba/private/dns.keytab) for updating DNS records in BIND-loaded zones.

Rowland:

> Good catch Louis, that rang a bell and the answer is because you cannot
> run a Samba AD DC on red-hat with distro packages, so they stop updates
> (Don't ask why, I don't know)
> see here:
> https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates

Oh my God. You are right, Rowland. I know that page, but I assumed it was solved in CentOS 7. I'm very sorry I missed that wiki page.
But it looks like it is not; notice "--disable-isc-spnego" in named -V:

named -V
BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version) <id:8f9657aa>
built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-tuning=large' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'

So that's my fault. And you are right, I didn't study the wiki enough. I just looked here:
https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server
and here:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Configuring_the_BIND9_DLZ_Module

I said: "Yeah, CentOS 7 has BIND 9.9.4 with --with-dlopen=yes --with-gssapi=yes, so it will just work". And it really works, but only for some domain computers.
I'll try to rebuild CentOS 7's BIND without --disable-isc-spnego and report back.

> Where ?? It has worked faithfully for me for the last 5 1/2 years.

In our environment, on CentOS 6, it was actually the same problem I addressed above. For some time I tested packages by Benjamin Kraft, but in the end I just switched to the internal DNS. It's been a long time; I'm gradually recalling how it was.

> OK, try this:
>
> samba_dnsupdate --verbose --all-names --use-samba-tool

samba_dnsupdate --verbose --all-names --use-samba-tool
IPs: ['192.168.45.1']
force update: A dc03x.samdom.svmetal.cz 192.168.45.1
force update: NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: A samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
force update: SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
force update: CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: A gc._msdcs.samdom.svmetal.cz 192.168.45.1
force update: SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
update (samba-tool): A dc03x.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A dc03x.samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', 'dc03x', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A dc03x.samdom.svmetal.cz 192.168.45.1
update (samba-tool): NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling samba-tool dns for NS samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '@', 'NS', 'dc03x.samdom.svmetal.cz']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
update (samba-tool): NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling samba-tool dns for NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '@', 'NS', 'dc03x.samdom.svmetal.cz']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
update (samba-tool): A samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '@', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A samdom.svmetal.cz 192.168.45.1
update (samba-tool): SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.dc', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kerberos._tcp', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kerberos._udp', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_kerberos._tcp.dc', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Calling samba-tool dns for SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kpasswd._tcp', 'SRV', 'dc03x.samdom.svmetal.cz 464 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
update (samba-tool): SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Calling samba-tool dns for SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kpasswd._udp', 'SRV', 'dc03x.samdom.svmetal.cz 464 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
update (samba-tool): CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling samba-tool dns for CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', 'a0fcd1d9-a5e2-428c-a271-ab17103bb4d0', 'CNAME', 'dc03x.samdom.svmetal.cz']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites.dc', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_kerberos._tcp.Default-First-Site-Name._sites', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling samba-tool dns for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_kerberos._tcp.Default-First-Site-Name._sites.dc', 'SRV', 'dc03x.samdom.svmetal.cz 88 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
update (samba-tool): A gc._msdcs.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A gc._msdcs.samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', 'gc', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A gc._msdcs.samdom.svmetal.cz 192.168.45.1
update (samba-tool): SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling samba-tool dns for SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_gc._tcp', 'SRV', 'dc03x.samdom.svmetal.cz 3268 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
update (samba-tool): SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling samba-tool dns for SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.gc', 'SRV', 'dc03x.samdom.svmetal.cz 3268 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
update (samba-tool): SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling samba-tool dns for SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_gc._tcp.Default-First-Site-Name._sites', 'SRV', 'dc03x.samdom.svmetal.cz 3268 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', '_msdcs.samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites.gc', 'SRV', 'dc03x.samdom.svmetal.cz 3268 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
update (samba-tool): A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A DomainDnsZones.samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', 'DomainDnsZones', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
update (samba-tool): SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.DomainDnsZones', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A ForestDnsZones.samdom.svmetal.cz 192.168.45.1 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', 'ForestDnsZones', 'A', '192.168.45.1']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
update (samba-tool): SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.ForestDnsZones', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling samba-tool dns for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Calling samba-tool dns add -k no -P ['192.168.45.1', 'samdom.svmetal.cz', '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones', 'SRV', 'dc03x.samdom.svmetal.cz 389 0 100']
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Failed update of 28 entries

> Yes that is a pain, you need to manually remove it with samba-tool.
> Not sure, but I think the latest Samba removes it when a DC is
> demoted.

Yes, it looks like there are some improvements in 4.9 (https://wiki.samba.org/index.php/Samba_4.9_Features_added/changed):

"DNS entries are now cleaned up during DC demote
DNS records are now cleaned up as part of the 'samba-tool domain demote' including both the default and --remove-other-dead-server modes. Additionally DNS records can be automatically cleaned up for a given name with the 'samba-tool dns cleanup' command, which aids in cleaning up partially removed DCs."

> Not sure about that, do your DC's point to themselves as their first
> nameserver or another DC ?

I can remember some article about DNS islanding (maybe on the Samba wiki too); you and other people have discussed it here on the lists. But I cannot remember whether a DC should or should not point to itself. My configuration on DCs is (pointing to itself in third place):

cat /etc/resolv.conf
# Generated by NetworkManager
search samdom.svmetal.cz
nameserver 192.168.1.1
nameserver 192.168.200.20
nameserver 127.0.0.1

Jiri
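The two checks this exchange turns on, written up as an added example (not code from the Samba project and not from the thread's participants): a parser for the configure flags in `named -V` that flags `--disable-isc-spnego` (the flag Louis spotted and the wiki page Rowland linked warns about) and the DLZ prerequisites `--with-dlopen` and `--with-gssapi`, and a triage of `samba_dnsupdate --verbose --use-samba-tool` output that separates WERR_DNS_ERROR_RECORD_ALREADY_EXISTS (the record is already in AD, so nothing was missing; Rowland's point that the script, not Samba, is what fails here) from any other error. Note that `--use-samba-tool` sends the updates through `samba-tool dns`, i.e. Samba's DNS management RPC, so this run never exercised the GSS-TSIG path to BIND that produced the original "tsig verify failure". Sample texts are constructed from the thread's own output and trimmed; the WERR_ACCESS_DENIED record and the record with no "Failed" line are invented to exercise the other branches, and treating a record without a "Failed" line as applied is an assumption about the script's output format.

```python
import re

# Constructed sample: the head of the thread's `named -V`, configure flags
# trimmed to the ones that matter for the Samba DLZ module.
SAMPLE_NAMED_V = """\
BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version) <id:8f9657aa>
built with '--build=x86_64-redhat-linux-gnu' '--prefix=/usr' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' 'CFLAGS= -O2 -g' 'LDFLAGS=-Wl,-z,relro '
"""

# Constructed sample of `samba_dnsupdate --verbose --use-samba-tool` output:
# three records from the thread, one invented WERR_ACCESS_DENIED failure and
# one record without a "Failed" line (assumed to mean it was applied).
SAMPLE_DNSUPDATE = """\
IPs: ['192.168.45.1']
5 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
update (samba-tool): A dc03x.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A dc03x.samdom.svmetal.cz 192.168.45.1 (add)
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
Failed 'samba-tool dns' based update of A dc03x.samdom.svmetal.cz 192.168.45.1
update (samba-tool): NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
Failed 'samba-tool dns' based update of NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
update (samba-tool): SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
Failed 'samba-tool dns' based update of SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
update (samba-tool): A gc._msdcs.samdom.svmetal.cz 192.168.45.1
ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
Failed 'samba-tool dns' based update of A gc._msdcs.samdom.svmetal.cz 192.168.45.1
update (samba-tool): A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
Calling samba-tool dns for A ForestDnsZones.samdom.svmetal.cz 192.168.45.1 (add)
Failed update of 4 entries
"""

VERSION_RE = re.compile(r"^BIND (\S+)", re.M)
BUILD_FLAG_RE = re.compile(r"'(--[^']+)'")       # only ./configure switches, not CFLAGS etc.
BENIGN = "WERR_DNS_ERROR_RECORD_ALREADY_EXISTS"

def parse_named_build_options(named_v_output):
    """Extract the configure flags from `named -V` and report the ones that
    decide whether the Samba DLZ module and signed updates can work."""
    flags = {}
    for raw in BUILD_FLAG_RE.findall(named_v_output):
        name, _, value = raw.partition("=")
        flags[name] = value or "yes"              # a bare '--enable-x' counts as yes
    m = VERSION_RE.search(named_v_output)
    findings = []
    if "--disable-isc-spnego" in flags:
        findings.append("built with --disable-isc-spnego: the Red Hat build the Samba "
                        "wiki warns about for secured / signed (GSS-TSIG) updates")
    if flags.get("--with-dlopen", "no") == "no":
        findings.append("no --with-dlopen=yes: named cannot load the Samba DLZ module")
    if flags.get("--with-gssapi", "no") == "no":
        findings.append("no --with-gssapi: named has no GSSAPI support for signed updates")
    return {"version": m.group(1) if m else None, "flags": flags, "findings": findings}

UPDATE_RE = re.compile(r"^update \(samba-tool\): (\S+) (\S+)")
WERR_RE = re.compile(r"uncaught exception - \(\d+, '(\w+)'\)")
FAILED_RE = re.compile(r"^Failed 'samba-tool dns' based update of ")
SUMMARY_RE = re.compile(r"^Failed update of (\d+) entries")

def triage_samba_dnsupdate(output):
    """Group each attempted record by outcome. 'already_exists' means the
    record is present in AD and nothing needed changing; only
    'other_failures' deserve attention. Assumption: a record block with no
    "Failed ..." line was applied successfully."""
    result = {"already_exists": [], "other_failures": [], "ok": [], "reported_failed": None}
    current, werr, failed = None, None, False

    def close():
        if current is not None and not failed:
            result["ok"].append(current)

    for line in output.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            close()
            current, werr, failed = (m.group(1), m.group(2)), None, False
            continue
        m = WERR_RE.search(line)
        if m:
            werr = m.group(1)
            continue
        if FAILED_RE.match(line) and current is not None:
            failed = True
            if werr == BENIGN:
                result["already_exists"].append(current)
            else:
                result["other_failures"].append(current + (werr,))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            result["reported_failed"] = int(m.group(1))
    close()
    return result

def real_problems(output):
    """True when something other than 'record already exists' failed."""
    return bool(triage_samba_dnsupdate(output)["other_failures"])

if __name__ == "__main__":
    report = parse_named_build_options(SAMPLE_NAMED_V)
    print("BIND", report["version"])
    for f in report["findings"]:
        print("  !", f)
    t = triage_samba_dnsupdate(SAMPLE_DNSUPDATE)
    print(f"{len(t['already_exists'])} already present, {len(t['ok'])} applied, "
          f"{len(t['other_failures'])} real failures (script reported {t['reported_failed']})")
    for rtype, name, err in t["other_failures"]:
        print("  !", rtype, name, err)
```

On a real DC, feed it `named -V` and the saved output of `samba_dnsupdate --verbose --all-names --use-samba-tool`; a run where `other_failures` is empty is the "no update required" result Rowland describes, whatever the exit status says.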
Rowland Penny
2018-Aug-22 12:28 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Wed, 22 Aug 2018 13:18:47 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> Hello, guys.
> First of all, I would like to thank you all for the time you spend
> solving my problem. I appreciate that very much. Especially
> Rowland. You do a great job every day here on the lists.
>
> > OK, try this:
> >
> > samba_dnsupdate --verbose --all-names --use-samba-tool
>
> samba_dnsupdate --verbose --all-names --use-samba-tool
> IPs: ['192.168.45.1']

If you look carefully, they all fail because of this:

> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')

> dc03x.samdom.svmetal.cz 389
> Failed update of 28 entries

Yes, it is a failure, but a failure of the script: it shouldn't print all those Python errors, it should print something like 'No update required' for each attempted update and then 'No updates required'.

What it does show is that it isn't a Samba problem, but something to do with the interaction of Bind9 and Samba AD.

> > Not sure about that, do your DC's point to themselves as their first
> > nameserver or another DC ?
>
> I can remember some article about DNS islanding (maybe on the Samba wiki
> too); you and other people have discussed it here on the lists. But I
> cannot remember whether a DC should or should not point to itself. My
> configuration on DCs is (pointing to itself in third place):
>
> cat /etc/resolv.conf
> # Generated by NetworkManager
> search samdom.svmetal.cz
> nameserver 192.168.1.1
> nameserver 192.168.200.20
> nameserver 127.0.0.1

It is your decision, but I wouldn't allow anything to change /etc/resolv.conf on a DC.

I can only speak about my experience with the order of nameservers in /etc/resolv.conf. All my DCs have their IP address as the first nameserver, followed by the other DCs. I never add any nameservers outside the domain; this is what 'forwarders' is for. I also never add a 'domain' line. With a DC based on the above, I have never experienced 'islanding'.

Rowland
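The resolv.conf layout Rowland describes (own address first, then the other DCs, nothing from outside the domain, no 'domain' line, and a file nothing else rewrites) as a check you can run on a DC, written as an added example that is not Samba code and not from either participant. It parses the resolv.conf quoted in the thread, lists what deviates, and renders the corrected file plus the named.conf `forwarders` fragment that takes over the outside resolver. Which addresses are DCs is an assumption made for the example: dc03x is 192.168.45.1 in the thread, 192.168.200.20 is taken to be another DC and 192.168.1.1 a resolver outside the domain; nothing in the thread says so.

```python
# Constructed inputs. The resolv.conf is the one quoted in the thread; the
# DC / outside-resolver roles below are ASSUMED for this example.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search samdom.svmetal.cz
nameserver 192.168.1.1
nameserver 192.168.200.20
nameserver 127.0.0.1
"""
OWN_IP = "192.168.45.1"                       # this DC (dc03x in the thread)
DC_IPS = {"192.168.45.1", "192.168.200.20"}   # all DCs in the domain (assumed)
LOOPBACK = {"127.0.0.1", "::1"}

def parse_resolv_conf(text):
    """Minimal resolv.conf reader: nameserver/search/domain/options lines,
    plus the '# Generated by ...' marker that tools such as NetworkManager leave."""
    conf = {"search": [], "domain": None, "nameserver": [], "options": [],
            "generated_by": None}
    for raw in text.splitlines():
        if raw.startswith("# Generated by "):
            conf["generated_by"] = raw[len("# Generated by "):].strip()
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key == "nameserver" and args:
            conf["nameserver"].append(args[0])
        elif key == "domain" and args:
            conf["domain"] = args[0]
        elif key == "search":
            conf["search"] = args
        elif key == "options":
            conf["options"].extend(args)
    return conf

def audit_dc_resolv(conf, own_ip, dc_ips):
    """Findings against the layout Rowland describes. Loopback is accepted
    as 'self' in first place; Rowland himself uses the DC's real address."""
    findings = []
    ns = conf["nameserver"]
    self_addrs = {own_ip} | LOOPBACK
    if not ns:
        findings.append("no nameserver lines at all")
    elif ns[0] not in self_addrs:
        findings.append(f"first nameserver is {ns[0]}, not this DC ({own_ip})")
    outside = [ip for ip in ns if ip not in self_addrs and ip not in dc_ips]
    if outside:
        findings.append("nameservers outside the domain (belong in BIND 'forwarders'): "
                        + ", ".join(outside))
    if conf["domain"]:
        findings.append(f"'domain {conf['domain']}' line present")
    if conf["generated_by"]:
        findings.append(f"file is written by {conf['generated_by']} and may be "
                        "rewritten without warning")
    return findings

def render_fixed_resolv(conf, own_ip, dc_ips):
    """Own address first, other DCs in their existing order, loopback and
    outside resolvers dropped, search list kept, no 'domain' line."""
    lines = []
    if conf["search"]:
        lines.append("search " + " ".join(conf["search"]))
    lines.append(f"nameserver {own_ip}")
    lines += [f"nameserver {ip}" for ip in conf["nameserver"]
              if ip in dc_ips and ip != own_ip]
    return "\n".join(lines) + "\n"

def render_forwarders(conf, own_ip, dc_ips):
    """named.conf 'options' fragment that takes over the outside resolvers
    removed from resolv.conf; empty when there were none."""
    outside = [ip for ip in conf["nameserver"]
               if ip not in ({own_ip} | LOOPBACK) and ip not in dc_ips]
    if not outside:
        return ""
    return "options {\n    forwarders { " + " ".join(f"{ip};" for ip in outside) + " };\n};\n"

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for f in audit_dc_resolv(conf, OWN_IP, DC_IPS):
        print("!", f)
    print("--- proposed /etc/resolv.conf ---")
    print(render_fixed_resolv(conf, OWN_IP, DC_IPS), end="")
    print("--- named.conf fragment ---")
    print(render_forwarders(conf, OWN_IP, DC_IPS), end="")
```

The rendered `options { forwarders { ... }; };` block has to be merged into the existing `options` stanza of named.conf rather than added as a second one; and, as Rowland says, once the file is right, stop NetworkManager (or whatever else) from regenerating it.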