Nice shell script, Louis. Here are the results:

Collected config  --- 2019-06-20-12:46
-----------
Hostname: umbriel
DNS Domain: samdom.mycompany.net
FQDN: umbriel.samdom.mycompany.net
ipaddress: 192.168.3.203
-----------
Samba is running as an AD DC
-----------
    Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
-----------
This computer is running Ubuntu 16.04.6 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32
    inet6 fe80::250:56ff:fea5:50b3/64 scope link
-----------
    Checking file: /etc/hosts
127.0.0.1 localhost
192.168.3.203 umbriel.samdom.mycompany.net umbriel

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
    Checking file: /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.3.201
nameserver 192.168.3.202
search samdom.mycompany.net mycompany.net mycompany.com
-----------
    Checking file: /etc/krb5.conf
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
[libdefaults]
        default_realm = SAMDOM.MYCOMPANY.NET
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
-----------
    Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
    Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = UMBRIEL
realm = SAMDOM.MYCOMPANY.NET
server role = active directory domain controller
#server services = -dns
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
#dns forwarder = 8.8.4.4
#dns forwarder = 8.8.8.8
allow dns updates = disabled
dsdb:schema update allowed = true
printcap name = /dev/null
load printers = no
printing = bsd
ldap server require strong auth = no
ldap ssl = start tls
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/umbriel_samdom_mycompany_net.pem
tls cafile   = tls/umbriel_samdom_mycompany_net.ca-bundle.pem
#log file = /var/log/samba/%a.%M.log
max log size = 2048
log level = 1 auth_audit:3
apply group policies = yes
mdns name = mdns

[netlogon]
path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
Detected bind DLZ enabled..
    Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
-----------
    Checking file: /etc/bind/named.conf.options
options {
    auth-nxdomain yes;
    directory "/var/cache/bind";
    dnssec-validation auto;
    empty-zones-enable no;
    managed-keys-directory "/var/cache/bind/";
    notify yes; // Not recommended.
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS
    allow-query { any; };
    allow-recursion { any; };
    allow-transfer {
        192.168.3.47;   // DNS2
        192.168.3.48;   // DNS1
        192.168.5.47;   // Opal
        192.168.5.48;   // Pyrite
        192.168.0.8;    // DNS3
        192.168.0.9;    // DNS4
    };
    also-notify {
        192.168.3.47;   // DNS2
        192.168.3.48;   // DNS1
        192.168.5.47;   // Opal
        192.168.5.48;   // Pyrite
        192.168.0.8;    // DNS3
        192.168.0.9;    // DNS4
    };
    allow-notify {
        192.168.3.47;   // DNS2
        192.168.3.48;   // DNS1
        192.168.5.47;   // Opal
        192.168.5.48;   // Pyrite
        192.168.0.8;    // DNS3
        192.168.0.9;    // DNS4
    };
    forwarders { 9.9.9.9; 1.1.1.1; 8.8.8.8; 8.8.4.4; };
};
-----------
    Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------
    Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "."
{
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "7.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:
  10 zone(s) found

  pszZoneName                 : mycompany.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 7.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 3.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 2.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 11.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : mycompany.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : samdom.mycompany.net
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 5.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : mycompany.net
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : _msdcs.samdom.mycompany.net
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.samdom.mycompany.net

Samba DNS zone list Automated check :
zone : mycompany.com ok, no Bind flat-files found
-----------
zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : mycompany.loc ok, no Bind flat-files found
-----------
zone : samdom.mycompany.net ok, no Bind flat-files found
-----------
zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : mycompany.net ok, no Bind flat-files found
-----------
zone : _msdcs.samdom.mycompany.net ok, no Bind flat-files found
-----------
Installed packages:
ii  acl                       2.2.52-3                               amd64  Access control list utilities
ii  attr                      1:2.4.47-2                             amd64  Utilities for manipulating filesystem extended attributes
hi  bind9                     1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Internet Domain Name Server
ii  bind9-doc                 1:9.10.3.dfsg.P4-8ubuntu1.14           all    Documentation for BIND
ii  bind9-host                1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Version of 'host' bundled with BIND 9.X
ii  bind9utils                1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Utilities for BIND
ii  krb5-config               2.3                                    all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.13.2+dfsg-5ubuntu2.1                 all    Internationalization support for MIT Kerberos
ii  krb5-multidev             1.13.2+dfsg-5ubuntu2.1                 amd64  Development files for MIT Kerberos without Heimdal conflict
ii  krb5-user                 1.13.2+dfsg-5ubuntu2.1                 amd64  Basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.52-3                               amd64  Access control list shared library
ii  libacl1-dev               2.2.52-3                               amd64  Access control list static libraries and headers
ii  libattr1:amd64            1:2.4.47-2                             amd64  Extended attribute shared library
ii  libattr1-dev:amd64        1:2.4.47-2                             amd64  Extended attribute static libraries and headers
ii  libbind9-140:amd64        1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64    1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64  1.7~git20150920+dfsg-4ubuntu1.16.04.1  amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64           1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries
ii  libkrb5-dev               1.13.2+dfsg-5ubuntu2.1                 amd64  Headers and development libraries for MIT Kerberos
ii  libkrb5support0:amd64     1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries - Support library
-----------

From: L.P.H.
van Belle via samba <samba at lists.samba.org>
To: "samba at lists.samba.org" <samba at lists.samba.org>
Sent: 6/19/2019 1:48 AM
Subject: Re: [Samba] DLZ Backend DNS Hosed

Hai,

For bind, please add this for bind if you use bind_DLZ.
How: systemctl edit bind9, or create the file manually and run systemctl daemon-reload after. The edit command already does the reload.

# /etc/systemd/system/bind9.service.d/override.conf
[Service]
ExecReload=

But same for you. ;-) as the other list message today. ([Samba] Reverse DNS)
Can you run this for me on the DC's.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
And post the output.
It tells me almost all I need to know to help you fix this.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthew Delfino via samba
> Sent: Wednesday 19 June 2019 5:00
> To: samba at lists.samba.org
> Subject: [Samba] DLZ Backend DNS Hosed
>
> Hello,
>
> I'm in trouble here with what appears to be a total meltdown of my DNS on my Domain Controllers.
>
> I only have two DCs right now and I cannot resolve anything on either of them. I am on Ubuntu 16.04 with a compiled version of Samba 4.10.4.
>
> I also have a compiled version of BIND 9.10.3-P4-Ubuntu <id:ebd72b3>
>
> # service bind9 status
>   bind9.service - BIND Domain Name Server
>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
>   Drop-In: /run/systemd/generator/bind9.service.d
>            └─50-insserv.conf-$named.conf
>    Active: failed (Result: exit-code) since Tue 2019-06-18 21:14:39 CDT; 27min ago
>      Docs: man:named(8)
>   Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
>   Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
>  Main PID: 28329 (code=exited, status=1/FAILURE)
>
> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure
> Jun 18 21:14:39 cordelia named[28329]: zone mydomain.com/NONE: has no NS records
> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to configure zone 'mydomain.com'
> Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone
> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error)
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: 127.0.0.1#953: connection refused
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control process exited, code=exited status=1
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit entered failed state.
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed with result 'exit-code'.
>
> It appears that somehow I lost my NS records for one of my zones. It seems that I cannot get BIND up long enough to edit anything.
>
> I've been able to delete my non-essential zones with samba-tool:
>
>  #  samba-tool dns zonedelete localhost mydomain.com
>  #  samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa
>
> But now my error is "zone _msdcs.samdom.mydomain.net/NONE: has no NS records" and I am real nervous to delete that zone.
>
> Does anyone know what I can do to get my samba DC to have NS records that my BIND DNS server will understand and therefore load?
>
> Thanks,
> Matthew
>
> © 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc.
> This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
> --
> To unsubscribe from this list go to the following URL and read the instructions:  https://lists.samba.org/mailman/options/samba
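The journal lines quoted above are the whole diagnostic: `samba_dlz` reports a zone whose apex has no NS record, refuses to configure it, and named exits, which in turn makes the `rndc stop` in `ExecStop` fail (that is the failure Louis's `ExecReload=` override sidesteps). The following is an added example, not code from the thread, from Louis's collection script or from Samba/BIND: it runs offline over those journal lines (embedded as a constructed sample, plus a second constructed sample reflecting the `_msdcs` error Matthew describes after deleting zones) and returns the zones that need an apex NS record before named will load again.

```python
"""Pull failing DLZ zones out of named/systemd journal lines (added example)."""
import re

# Constructed from the `service bind9 status` output quoted in the original post.
SAMPLE_JOURNAL = """\
Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure
Jun 18 21:14:39 cordelia named[28329]: zone mydomain.com/NONE: has no NS records
Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to configure zone 'mydomain.com'
Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone
Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error)
Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: 127.0.0.1#953: connection refused
"""

# Constructed: the shape of the journal after the non-essential zones were
# deleted and only the forest-wide _msdcs zone still lacks its apex NS record.
SAMPLE_JOURNAL_AFTER_DELETE = """\
Jun 18 22:02:11 cordelia named[29110]: samba_dlz: starting configure
Jun 18 22:02:11 cordelia named[29110]: zone _msdcs.samdom.mydomain.net/NONE: has no NS records
Jun 18 22:02:11 cordelia named[29110]: samba_dlz: Failed to configure zone '_msdcs.samdom.mydomain.net'
Jun 18 22:02:11 cordelia named[29110]: loading configuration: bad zone
Jun 18 22:02:11 cordelia named[29110]: exiting (due to fatal error)
"""

NO_NS_RE = re.compile(r"named\[\d+\]: zone (?P<zone>\S+)/\S+: has no NS records")
FAILED_RE = re.compile(r"samba_dlz: Failed to configure zone '(?P<zone>[^']+)'")
FATAL_RE = re.compile(r"named\[\d+\]: (?:loading configuration: bad zone|exiting \(due to fatal error\))")
RNDC_RE = re.compile(r"rndc: connect failed: \S+: connection refused")


def analyse_journal(text):
    """Classify journal lines and summarise the DLZ start-up failure."""
    report = {"missing_ns": [], "failed_zones": [], "named_fatal": False,
              "rndc_refused": False}
    for line in text.splitlines():
        m = NO_NS_RE.search(line)
        if m:
            report["missing_ns"].append(m.group("zone"))
            continue
        m = FAILED_RE.search(line)
        if m:
            report["failed_zones"].append(m.group("zone"))
            continue
        if FATAL_RE.search(line):
            report["named_fatal"] = True
        elif RNDC_RE.search(line):
            # rndc being refused is a consequence of named having already
            # exited, not a separate fault; recorded so the ordering is visible.
            report["rndc_refused"] = True
    return report


def zones_to_repair(text):
    """Zones needing an apex NS record before named will load the DLZ config.

    First-seen order, no duplicates, so the list can drive a per-zone check
    such as `samba-tool dns query <dc> <zone> @ NS` one zone at a time.
    """
    report = analyse_journal(text)
    seen, out = set(), []
    for zone in report["missing_ns"] + report["failed_zones"]:
        if zone not in seen:
            seen.add(zone)
            out.append(zone)
    return out


if __name__ == "__main__":
    for label, sample in (("initial", SAMPLE_JOURNAL),
                          ("after zonedelete", SAMPLE_JOURNAL_AFTER_DELETE)):
        print(label, "->", analyse_journal(sample))
        print("  repair:", zones_to_repair(sample))
```

Feeding it `journalctl -u bind9 -b` output from a real DC gives the same two-field answer: which zones to inspect for a missing NS record, and whether named actually died (as opposed to only `rndc` failing).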
And, BTW, right now, I am able to see my problem via the following 3 ways...

1) Through Windows DNS Manager, I cannot add, change or delete any DNS records from:
mycompany.loc
samdom.mycompany.net
mycompany.net

I *can* add, change and delete DNS records from:
_msdcs.samdom.mycompany.net
mycompany.com
7.168.192.in-addr.arpa
5.168.192.in-addr.arpa
3.168.192.in-addr.arpa
2.168.192.in-addr.arpa
11.168.192.in-addr.arpa

2) Running the following command always ends with an error:

# samba_dnsupdate --verbos --all-names
IPs: ['192.168.3.203']
force update: A umbriel.samdom.mycompany.net 192.168.3.203
force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net
force update: NS _msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net
force update: A samdom.mycompany.net 192.168.3.203
force update: SRV _ldap._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _kerberos._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: SRV _kerberos._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: SRV _kerberos._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: SRV _kpasswd._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 464
force update: SRV _kpasswd._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 464
force update: CNAME a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203
force update: SRV _gc._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203
force update: SRV _ldap._tcp.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203
force update: SRV _ldap._tcp.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
28 DNS updates and 0 DNS deletes needed
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 886, in <module>
    creds = get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials
    get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.')
  File "/usr/sbin/samba_dnsupdate", line 161, in get_krb5_rw_dns_server
    rw_dns_servers = get_possible_rw_dns_server(creds, domain)
  File "/usr/sbin/samba_dnsupdate", line 136, in get_possible_rw_dns_server
    ans_soa = check_one_dns_name(domain, 'SOA')
  File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
    ans = resolver.query(name, name_type)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
    raise NoNameservers
dns.resolver.NoNameservers

3) We have a mail server that occasionally rejects passwords from end users. This is the problem end users see that started the whole investigation.

Also, this may be obvious from the output of your script, but in case it's not... we do not have a DHCP server running on our DCs, nor do we have any sort of dynamic DHCP setup. It's just Samba and BIND (and Kerberos, and NTP...).

Thank you!
Matthew

From: Matthew Delfino via samba <samba at lists.samba.org>
To: L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org>
Sent: 6/20/2019 1:00 PM
Subject: Re: [Samba] DLZ Backend DNS Hosed
? ? ?BIND9 Shared Library used by BIND ii ?libgssapi-krb5-2:amd64 ? ? ? ? ? ? ? ?1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii ?libkrb5-26-heimdal:amd64 ? ? ? ? ? ? ?1.7~git20150920+dfsg-4ubuntu1.16.04.1 ? ? ?amd64 ? ? ? ?Heimdal Kerberos - libraries ii ?libkrb5-3:amd64 ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries ii ?libkrb5-dev ? ? ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Headers and development libraries for MIT Kerberos ii ?libkrb5support0:amd64 ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - Support library ----------- From: ? L.P.H. van Belle via samba <samba at lists.samba.org> To: ? "samba at lists.samba.org" <samba at lists.samba.org> Sent: ? 6/19/2019 1:48 AM Subject: ? Re: [Samba] DLZ Backend DNS Hosed Hai, ? For bind, please to add this for bind if you use bind_DLZ. ? How : systemctl edit bind9, or create the file manualy and run systemctl daemon-reload after. The edit command already does the reload. ? # /etc/systemd/system/bind9.service.d/override.conf [Service] ExecReload= But same for you. ?;-) as the other list message today. ([Samba] Reverse DNS) ? Can you run this for me on the DC's. ? https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh ? And post the output It tells me almost all i need to know to help you fix this. ? Greetz, ? Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens ? > Matthew Delfino via samba > Verzonden: woensdag 19 juni 2019 5:00 > Aan: samba at lists.samba.org > Onderwerp: [Samba] DLZ Backend DNS Hosed > ? > ? > Hello, > ? > ? > I'm in trouble here with what appears to be a total meltdown ? > of my DNS on my Domain Controllers. > ? > ? > I only have two DCs right now and I cannot resolve anything ? > on either of them. 
> I am on Ubuntu 16.04 with a compiled
> version of Samba 4.10.4.
>
> I also have a compiled version of BIND 9.10.3-P4-Ubuntu <id:ebd72b3>
>
> # service bind9 status
> ● bind9.service - BIND Domain Name Server
>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
>   Drop-In: /run/systemd/generator/bind9.service.d
>            └─50-insserv.conf-$named.conf
>    Active: failed (Result: exit-code) since Tue 2019-06-18 21:14:39 CDT; 27min ago
>      Docs: man:named(8)
>   Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
>   Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
>  Main PID: 28329 (code=exited, status=1/FAILURE)
>
> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure
> Jun 18 21:14:39 cordelia named[28329]: zone mydomain.com/NONE: has no NS records
> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to configure zone 'mydomain.com'
> Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone
> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error)
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: 127.0.0.1#953: connection refused
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control process exited, code=exited status=1
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit entered failed state.
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed with result 'exit-code'.
>
> It appears that somehow I lost my NS records for one of my
> zones. It seems that I cannot get BIND up long enough to edit
> anything.
>
> I've been able to delete my non-essential zones with samba-tool:
>
>  #  samba-tool dns zonedelete localhost mydomain.com
>  #  samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa
>
> But now my error is "zone _msdcs.samdom.mydomain.net/NONE:
> has no NS records" and I am real nervous to delete that zone.
>
> Does anyone know what I can do to get my samba DC to have NS
> records that my BIND DNS server will understand and therefore load?
>
> Thanks,
> Matthew
>
> © 2019 KNOCK, inc. All rights reserved. KNOCK is a registered
> trademark of KNOCK, inc. This message and any attachments
> contain information, which is confidential and/or privileged.
> If you are not the intended recipient, please refrain from
> any disclosure, copying, distribution or use of this
> information. Please be aware that such actions are
> prohibited. If you have received this transmission in error,
> kindly notify the sender by e-mail. Your cooperation is appreciated.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
I've been working on this problem for a few hours. Here are some updates:

Many of the domains I listed are duplicates of domains managed by other DNS servers on my network. There was no point in having them in Samba AD, so I deleted the zones in Windows DNS Manager and created slaves in my named.conf.local folder, so that they'd pull the records from my authoritative BIND DNS server, which runs on good old fashioned flat files (the SOA for zones like mycompany.net and the PTR zones for all my subnets).

I'm now down to two zones:

Able to be edited: _msdcs.samdom.mycompany.net
NOT able to be edited: samdom.mycompany.net

I believe these two zones to be the bare minimum I need to have everything working correctly.

Closer inspection shows that I have no NS records and no SOA record in the "samdom.mycompany.net" zone.

# samba_dnsupdate --verbose
IPs: ['192.168.3.203']
Looking for DNS entry A umbriel.samdom.mycompany.net 192.168.3.203 as umbriel.samdom.mycompany.net.
Looking for DNS entry NS samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 320, in check_dns_name
    ans = check_one_dns_name(normalised_name, d.type, d)
  File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
    ans = resolver.query(name, name_type)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
    raise NoNameservers
dns.resolver.NoNameservers

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 851, in <module>
    elif not check_dns_name(d):
  File "/usr/sbin/samba_dnsupdate", line 324, in check_dns_name
    raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
Exception: Unable to contact a working DNS server while looking for NS orbital.samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net.
So, let's make those records, right? All attempts to add this info in the Properties window of DNS Manager end in a very unfriendly message:

"Failure to write NS record <umbriel.samdom.mycompany.net.> The local security authority database contains an internal inconsistency."

I try from samba-tool:

# samba-tool dns add localhost samdom.mycompany.net samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator"
Password for [ORBITAL\Administrator]:
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run
    raise e
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run
    0, server, zone, name, add_rec_buf, None)

Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! Unsheathed by Matthew like Andúril by Aragorn:

# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone
DNS records will be automatically created
DNS partitions already exist
dns-umbriel account already exists
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

Take that, DNS problems! Right? Oh.... no... it didn't help AT ALL. Same results on every test.

I'm feeling lonely here.

Thanks,
Matthew

From:    Matthew Delfino via samba <samba at lists.samba.org>
To:      L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org>
Sent:    6/20/2019 1:40 PM
Subject: Re: [Samba] DLZ Backend DNS Hosed

And, BTW, right now, I am able to see my problem via the following 3 ways...
1) Through Windows DNS Manager, I cannot add, change or delete any DNS records from:

mycompany.loc
samdom.mycompany.net
mycompany.net

I *can* add, change and delete DNS records from:

_msdcs.samdom.mycompany.net
mycompany.com
7.168.192.in-addr.arpa
5.168.192.in-addr.arpa
3.168.192.in-addr.arpa
2.168.192.in-addr.arpa
11.168.192.in-addr.arpa

2) Running the following command always ends with an error:

# samba_dnsupdate --verbos --all-names
IPs: ['192.168.3.203']
force update: A umbriel.samdom.mycompany.net 192.168.3.203
force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net
force update: NS _msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net
force update: A samdom.mycompany.net 192.168.3.203
force update: SRV _ldap._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _kerberos._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: SRV _kerberos._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: SRV _kerberos._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: SRV _kpasswd._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 464
force update: SRV _kpasswd._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 464
force update: CNAME a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88
force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203
force update: SRV _gc._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203
force update: SRV _ldap._tcp.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203
force update: SRV _ldap._tcp.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
28 DNS updates and 0 DNS deletes needed
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 886, in <module>
    creds = get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials
    get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.')
  File "/usr/sbin/samba_dnsupdate", line 161, in get_krb5_rw_dns_server
    rw_dns_servers = get_possible_rw_dns_server(creds, domain)
  File "/usr/sbin/samba_dnsupdate", line 136, in get_possible_rw_dns_server
    ans_soa = check_one_dns_name(domain, 'SOA')
  File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
    ans = resolver.query(name, name_type)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
    raise NoNameservers
dns.resolver.NoNameservers

3) We have a mail server that occasionally rejects passwords from end users. This is the problem end users see that started the whole investigation.

Also, this may be obvious from the output of your script, but in case it's not... we do not have a DHCP server running on our DCs, nor do we have any sort of dynamic dhcp setup. It's just Samba and BIND (and kerberos, and ntp...).

Thank you!
Matthew

From:    Matthew Delfino via samba <samba at lists.samba.org>
To:      L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org>
Sent:    6/20/2019 1:00 PM
Subject: Re: [Samba] DLZ Backend DNS Hosed
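Louis's collect script gathers the zone list and named's state for a human to read; the check below is an example added here, not code from the thread, from Louis's script or from Samba. It parses the two text formats quoted in this thread, the record blocks printed by samba-tool dns zonelist (pszZoneName / Flags / dwDpFlags / pszDpFqdn) and the journal lines named logs when samba_dlz refuses a zone ("zone X/NONE: has no NS records"), and reports per zone whether named would fail to load it, the failure Matthew is hitting, and whether the zone still carries DNS_RPC_ZONE_UPDATE_SECURE, i.e. only accepts Kerberos-authenticated (GSS-TSIG) dynamic updates. The sample inputs are constructed in the page's formats: the zone lab.example.test, the named lines naming samdom.mycompany.net instead of the thread's mydomain.com, and the function names are assumptions.

```python
"""Audit Samba AD DNS zones against samba_dlz zone-load failures.

Added example, not code from the thread or from Samba. Parses the two text
formats quoted in the thread: `samba-tool dns zonelist` record blocks and
named's journal lines ("zone X/NONE: has no NS records").
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `samba-tool dns zonelist`. The third
# zone (lab.example.test) is invented to show a zone without secure updates.
ZONELIST_SAMPLE = """\
  3 zone(s) found

  pszZoneName                 : samdom.mycompany.net
    Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
    pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : _msdcs.samdom.mycompany.net
    Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
    pszDpFqdn                   : ForestDnsZones.samdom.mycompany.net

  pszZoneName                 : lab.example.test
    Flags                       : DNS_RPC_ZONE_DSINTEGRATED
    dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
    pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
"""

# Constructed journal excerpt in the format of the thread's named log; the
# zone is the domain zone Matthew reports as having no NS and SOA records.
NAMED_LOG_SAMPLE = """\
Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure
Jun 18 21:14:39 cordelia named[28329]: zone samdom.mycompany.net/NONE: has no NS records
Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to configure zone 'samdom.mycompany.net'
Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone
Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error)
"""

@dataclass
class Zone:
    name: str
    flags: set = field(default_factory=set)
    partition: str = ""

FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")
ZONE_ERR_RE = re.compile(r"named\[\d+\]: zone (\S+?)/\S+: (.+)$")
FAIL_RE = re.compile(r"samba_dlz: Failed to configure zone '([^']+)'")

def parse_zonelist(text):
    """Turn zonelist output into Zone objects; each pszZoneName starts a record."""
    zones, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and the "N zone(s) found" header
        key, value = m.groups()
        if key == "pszZoneName":
            cur = Zone(name=value.lower())
            zones.append(cur)
        elif cur is None:
            continue
        elif key == "Flags":
            cur.flags = set(value.split())
        elif key == "pszDpFqdn":
            cur.partition = value
    return zones

def parse_named_log(text):
    """Map zone name -> reasons named gave for refusing to load it."""
    problems = {}
    for line in text.splitlines():
        m = ZONE_ERR_RE.search(line)
        if m:
            problems.setdefault(m.group(1).lower(), []).append(m.group(2))
            continue
        m = FAIL_RE.search(line)
        if m:
            problems.setdefault(m.group(1).lower(), []).append("failed to configure")
    return problems

def audit(zonelist_text, log_text, domain):
    """Return {zone: [findings]}; an empty list means nothing was flagged."""
    problems = parse_named_log(log_text)
    report = {}
    for z in parse_zonelist(zonelist_text):
        findings = []
        if z.name in problems:
            findings.append("named refuses to load: " + "; ".join(problems[z.name]))
        if "DNS_RPC_ZONE_UPDATE_SECURE" not in z.flags:
            findings.append("dynamic updates are not restricted to secure (GSS-TSIG) updates")
        report[z.name] = findings
    # A DC needs both the domain zone and its _msdcs zone for DC location.
    for required in (domain.lower(), "_msdcs." + domain.lower()):
        if required not in report:
            report[required] = ["zone missing from Samba's zone list"]
    return report

if __name__ == "__main__":
    for zone, findings in audit(ZONELIST_SAMPLE, NAMED_LOG_SAMPLE,
                                "samdom.mycompany.net").items():
        print(zone, "->", "; ".join(findings) or "ok")
```

On a real DC the two inputs would come from `samba-tool dns zonelist <dc>` and `journalctl -u bind9`; the point of the report is that a zone named refuses ("has no NS records") is a zone whose apex records must be repaired before BIND will serve it at all, while a zone without DNS_RPC_ZONE_UPDATE_SECURE is one that will accept unauthenticated dynamic updates once it does load.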