Král Gergely
2018-Dec-31 15:15 UTC
[Samba] AD bind DNS broken after 4.7.3 -> 4.9.2 upgrade
Hi,

I have been running a Samba AD PDC with BIND9_DLZ on a Debian system for a year now without problems, and in the hope of being able to create AD backups I upgraded the samba packages (along with other packages with minor updates).

Everything seemed OK during the upgrade, all processes restarted, but soon after I found that PAM refuses to authenticate AD usernames. By checking the samba logs I see weird messages constantly complaining about dnsupdate errors.

Since I read before that there were some database changes in 4.8, I ran "samba-tool dbcheck" with no errors. Bind9 logs look OK, but it refuses Windows workstations to update IP records, and I cannot get any domain names resolved in the samba domain zone. Bind resolves names in other zones OK.

I tried to reconfigure the samba DNS by running:

isa:~# /usr/sbin/samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/MYAD.DOMAIN.EU.zone
DNS records will be automatically created
DNS partitions already exist
dns-isa account already exists
Failed to create link /var/lib/samba/private/dns.keytab -> /var/lib/samba/bind-dns/dns.keytab: No such file or directory
Failed to chown /var/lib/samba/bind-dns to bind gid 107
Failed to chown /var/lib/samba/bind-dns/dns.keytab to bind gid 107
Traceback (most recent call last):
  File "/usr/sbin/samba_upgradedns", line 533, in <module>
    create_dns_dir(logger, paths)
  File "/usr/lib/python2.7/dist-packages/samba/provision/sambadns.py", line 699, in create_dns_dir
    os.mkdir(dns_dir, 0o770)
OSError: [Errno 2] No such file or directory: '/var/lib/samba/bind-dns/dns'

So is it trying to create a link in place of my dns.keytab file to a file that does not exist? I never had a "bind-dns" directory in /var/lib/samba.

Can anyone give me a hint where to look for the cause of this by checking the logs below, so I could get the AD up and running again? Please let me know if I can provide any more information that may be relevant.

Thanks,
Gergely Kral

---

isa:~# samba-tool dbcheck
Checking 359 objects
Checked 359 objects (0 errors)

isa:~# kinit -V administrator
Using default cache: /tmp/krb5cc_0
Using principal: administrator at MYAD.DOMAIN.EU
kinit: Cannot find KDC for realm "MYAD.DOMAIN.EU" while getting initial credentials

samba log after startup:

[2018/12/31 15:03:37.326791, 0] ../source4/smbd/server.c:510(binary_smbd_main)
  samba version 4.9.2-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2018
[2018/12/31 15:03:37.851127, 0] ../source4/smbd/server.c:696(binary_smbd_main)
  binary_smbd_main: samba: using 'standard' process model
[2018/12/31 15:03:37.893168, 0] ../source4/dsdb/common/util.c:1815(samdb_reference_dn_is_our_ntdsa)
  Failed to find object DC=myad,DC=domain,DC=eu for attribute fsmoRoleOwner - Cannot find DN DC=myad,DC=domain,DC=eu to get attribute fsmoRoleOwner for reference dn: No such Base DN: DC=myad,DC=domain,DC=eu
[2018/12/31 15:03:37.914251, 0] ../source4/smbd/service_task.c:36(task_server_terminate)
  task_server_terminate: task_server_terminate: [kdc: krb5_init_context samdb RODC connect failed]
[2018/12/31 15:03:37.944114, 0] ../source4/dsdb/dns/dns_update.c:127(dnsupdate_rebuild)
[2018/12/31 15:03:38.039030, 0] ../source4/smbd/service_task.c:36(task_server_terminate)
[2018/12/31 15:03:38.039029, 0] ../source4/smbd/service_task.c:36(task_server_terminate)
  task_server_terminate: task_server_terminate: [kccsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
  task_server_terminate: task_server_terminate: [dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
  ]
  ]
  ../source4/dsdb/dns/dns_update.c:127: Unable to find DCs list - No such Base DN: CN=Configuration,DC=myad,DC=domain,DC=eu
  ../source4/dsdb/dns/dns_update.c:127: Unable to find DCs list - No such Base DN: CN=Configuration,DC=myad,DC=domain,DC=eu
  /usr/sbin/samba_dnsupdate: Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.6.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.6.1] NT_STATUS_LOGON_FAILURE
[2018/12/31 15:03:41.419176, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ERROR: Connecting to DNS RPC server 192.168.6.1 failed with (3221225581L, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
[2018/12/31 15:03:41.438997, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.6.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.6.1] NT_STATUS_LOGON_FAILURE
[2018/12/31 15:03:41.439169, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ERROR: Connecting to DNS RPC server 192.168.6.1 failed with (3221225581L, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
[2018/12/31 15:03:41.460318, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.6.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.6.1] NT_STATUS_LOGON_FAILURE
[2018/12/31 15:03:41.460457, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ERROR: Connecting to DNS RPC server 192.168.6.1 failed with (3221225581L, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
[2018/12/31 15:03:41.475008, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:192.168.6.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=192.168.6.1] NT_STATUS_LOGON_FAILURE

samba related bind log after startup with a client trying to update:

Dec 31 15:15:09 isa named[16330]: Loading 'AD DNS Zone' using driver dlopen
Dec 31 15:15:10 isa named[16330]: samba_dlz: started for DN DC=myad,DC=domain,DC=eu
Dec 31 15:15:10 isa named[16330]: samba_dlz: starting configure
Dec 31 15:15:10 isa named[16330]: samba_dlz: configured writeable zone 'myad.domain.eu'
Dec 31 15:15:10 isa named[16330]: samba_dlz: configured writeable zone '_msdcs.myad.domain.eu'
Dec 31 15:16:54 isa named[16330]: samba_dlz: starting transaction on zone myad.domain.eu
Dec 31 15:16:56 isa named[16330]: client @0xb2f3aae0 192.168.6.69#64626: update 'myad.domain.eu/IN' denied
Dec 31 15:16:56 isa named[16330]: samba_dlz: cancelling transaction on zone myad.domain.eu

/etc/samba/smb.conf:

[global]
    bind interfaces only = Yes
    interfaces = lo br0
    netbios name = ISA
    realm = MYAD.DOMAIN.EU
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = MYAD
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%U
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    # winbind separator = +
    winbind refresh tickets = yes
    # log level = 2

/etc/nsswitch.conf:

passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
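As an added example (not part of the thread), a small triage script for the samba log format quoted above: it parses the header-plus-message records, counts the failure signatures that appear in this thread (samdb base DN unavailable, kdc task terminated, samba_dnsupdate logon failure) and reports which one showed up first. The sample log is a constructed, abbreviated copy of the entries above, and the "investigate the earliest signature first" rule is a triage heuristic, not anything Samba itself states.

```python
import re
from collections import Counter
# Samba log format: header "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(func)", message on the next line(s).
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), *(\d+)\] +(\S+)")

# Failure signatures taken from the thread's log, checked in this order.
SIGNATURES = [
    ("samdb_unavailable", re.compile(r"No such Base DN|WERR_DS_UNAVAILABLE")),
    ("kdc_terminated", re.compile(r"task_server_terminate: \[kdc:")),
    ("dnsupdate_logon_failure", re.compile(r"NT_STATUS_LOGON_FAILURE|Connecting to DNS RPC server \S+ failed")),
]

# Constructed sample: abbreviated copies of entries quoted in the thread (the real lines are longer).
SAMPLE_LOG = """\
[2018/12/31 15:03:37.326791, 0] ../source4/smbd/server.c:510(binary_smbd_main)
  samba version 4.9.2-Debian started.
[2018/12/31 15:03:37.893168, 0] ../source4/dsdb/common/util.c:1815(samdb_reference_dn_is_our_ntdsa)
  Failed to find object DC=myad,DC=domain,DC=eu for attribute fsmoRoleOwner - No such Base DN: DC=myad,DC=domain,DC=eu
[2018/12/31 15:03:37.914251, 0] ../source4/smbd/service_task.c:36(task_server_terminate)
  task_server_terminate: task_server_terminate: [kdc: krb5_init_context samdb RODC connect failed]
[2018/12/31 15:03:38.039030, 0] ../source4/smbd/service_task.c:36(task_server_terminate)
  task_server_terminate: task_server_terminate: [kccsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE]
[2018/12/31 15:03:41.438997, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 ... NT_STATUS_LOGON_FAILURE
"""

def parse_records(text):
    """Return (timestamp, level, source, message) tuples, joining continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3), []])
        elif records:  # continuation of the previous header's message
            records[-1][3].append(line.strip())
    return [(ts, lvl, src, " ".join(msg)) for ts, lvl, src, msg in records]

def classify(records):
    """Count records per signature and remember the earliest timestamp of each."""
    counts, first_seen = Counter(), {}
    for ts, _lvl, _src, msg in records:
        for name, pattern in SIGNATURES:
            if pattern.search(msg):
                counts[name] += 1
                first_seen.setdefault(name, ts)
                break
    return counts, first_seen

def earliest_signature(first_seen):  # heuristic: chase whatever failed first
    return min(first_seen, key=first_seen.get) if first_seen else None
```

Run against a real log with `classify(parse_records(open("/var/log/samba/log.samba").read()))`; on the sample the earliest signature is the samdb base DN failure, which precedes both the kdc shutdown and the dnsupdate logon errors.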
Rowland Penny
2018-Dec-31 16:29 UTC
[Samba] AD bind DNS broken after 4.7.3 -> 4.9.2 upgrade
On Mon, 31 Dec 2018 16:15:41 +0100
Král Gergely via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I have been running a Samba AD PDC with BIND9_DLZ on a Debian system
> for a year now without problems, and in the hope of being able to
> create AD backups I upgraded the samba packages (along with other
> packages with minor updates).
>
> Everything seemed OK during the upgrade, all processes restarted, but
> soon after I found that PAM refuses to authenticate AD usernames. By
> checking the samba logs I see weird messages constantly complaining
> about dnsupdate errors.
>
> Since I read before that there were some database changes in 4.8, I
> ran "samba-tool dbcheck" with no errors. Bind9 logs look OK, but it
> refuses Windows workstations to update IP records, and I cannot get
> any domain names resolved in the samba domain zone. Bind resolves
> names in other zones OK.
>
> Can anyone give me a hint where to look for the cause of this by
> checking the logs below, so I could get the AD up and running again?
> Please let me know if I can provide any more information that may be
> relevant.
>
> Thanks,
> Gergely Kral
>

OK, downgrade again, this is the third report about this problem in about 10 days, see here:

https://lists.samba.org/archive/samba/2018-December/220103.html

https://lists.samba.org/archive/samba/2018-December/220180.html

Rowland
Král Gergely
2018-Dec-31 17:34 UTC
[Samba] AD bind DNS broken after 4.7.3 -> 4.9.2 upgrade
On 2018-12-31 17:29, Rowland Penny via samba wrote:
>
> OK, downgrade again, this is the third report about this problem in
> about 10 days, see here:
>
> https://lists.samba.org/archive/samba/2018-December/220103.html
>
> https://lists.samba.org/archive/samba/2018-December/220180.html
>

Thank you for the quick response. I read one of them before, but I thought my case was different, because I am not using internal DNS.

So downgrading then...