Hi,
debug result below:
Collected config --- 2021-05-17-21:43 -----------
Hostname: ad
DNS Domain: test.lan
FQDN: ad.test.lan
ipaddress: 10.10.10.50
-----------
Kerberos SRV _kerberos._tcp.test.lan record verified ok, sample output:
Server: 127.0.0.1
Address: 127.0.0.1#53
_kerberos._tcp.test.lan service = 0 100 88 ad.test.lan.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:d1:2e:6e brd ff:ff:ff:ff:ff:ff
inet 10.10.10.50/24 brd 10.10.10.255 scope global enp1s0
inet6 fe80::5054:ff:fed1:2e6e/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.10.10.50 ad.test.lan ad
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver 127.0.0.1
domain test.lan
search test.lan
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = TEST.LAN
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
; ticket_lifetime = 24h
; renew_lifetime = 7d
; ccache_type = 4
; A note: This is not used for nfs4 but cifs uses it.
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = AD
realm = TEST.LAN
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = TEST
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/test.lan/scripts
read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
forwarders { 8.8.8.8; 8.8.4.4; };
// 0.0.0.0;
// };
//=======================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================#
dnssec-validation auto;
listen-on-v6 { any; };
empty-zones-enable no;
dnssec-enable no;
dnssec-validation no;
// https://wiki.samba.org/index.php/Dns-backend_bind
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// adding the dlopen ( Bind DLZ ) module for samba.
// at install debian already sets the correct bind9.XX version in this file below.
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 3 zone(s) found
pszZoneName : 10.10.10.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.test.lan
pszZoneName : test.lan
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.test.lan
pszZoneName : _msdcs.test.lan
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.test.lan
Samba DNS zone list Automated check :
zone : 10.10.10.in-addr.arpa ok, no Bind flat-files found
-----------
zone : test.lan ok, no Bind flat-files found
-----------
zone : _msdcs.test.lan ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii bind9 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 Internet Domain Name Server
ii bind9-host 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 DNS lookup utility (deprecated)
ii bind9utils 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 Utilities for BIND
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.14.4+dfsg-0.1buster1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.14.4+dfsg-0.1buster1 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.14.4+dfsg-0.1buster1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.14.4+dfsg-0.1buster1 amd64 Samba winbind client library
ii python3-samba 2:4.14.4+dfsg-0.1buster1 amd64 Python 3 bindings for Samba
ii samba 2:4.14.4+dfsg-0.1buster1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.14.4+dfsg-0.1buster1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.14.4+dfsg-0.1buster1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.14.4+dfsg-0.1buster1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.14.4+dfsg-0.1buster1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.14.4+dfsg-0.1buster1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.14.4+dfsg-0.1buster1 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.14.4+dfsg-0.1buster1 amd64 service to resolve user and group information from Windows NT servers
-----------
Thanks,
Jan
Mon, 17 May 2021 at 21:28 Rowland penny via samba <samba at lists.samba.org> wrote:
> On 17/05/2021 20:11, Jan JMPBL via samba wrote:
> > Hi everyone,
> > test environment based on Debian 10.9 with bind_dlz and van-belle
> > repositories - a lot of good work.
> > I've been working on it for two days - without success.
> >
> > Forward lookup DNS zones are working properly. Added hosts display
> > correctly in RSAT DNS in forward lookup zones. Everything looks fine
> except
> > for two log entries that always show up when updating the zone
> >
> >
> > May 17 20:21:48 ad named[453]: client @0x7f73400703d0 10.10.10.160#56059: update 'TEST.lan/IN' denied
> > May 17 20:21:48 ad named[453]: samba_dlz: canceling transaction on zone TEST.lan
> > May 17 20:21:48 ad named[453]: samba_dlz: starting transaction on zone TEST.lan
> > May 17 20:21:48 ad named[453]: samba_dlz: allowing update of signer RSAT\$\@TEST.LAN name = rsat.TEST.lan tcpaddr = 10.10.10.160 type = AAAA key = 1336-ms-7.9-24efa0.2b809d3a-b737-11eb-ae6f-525400a13ecb/160/0
> > May 17 20:21:48 ad named[453]: samba_dlz: allowing update of signer RSAT\$\@TEST.LAN name = rsat.TEST.lan tcpaddr = 10.10.10.160 type = A key = 1336-ms-7.9-24efa0.2b809d3a-b737-11eb-ae6f-525400a13ecb/160/0
> > May 17 20:21:48 ad named[453]: samba_dlz: allowing update of signer RSAT\$\@TEST.LAN name = rsat.TEST.lan tcpaddr = 10.10.10.160 type = A key = 1336-ms-7.9-24efa0.2b809d3a-b737-11eb-ae6f-525400a13ecb/160/0
> > May 17 20:21:48 ad named[453]: client @0x7f73480c6ee0 10.10.10.160#54323/key RSAT\$\@TEST.LAN: updating zone 'TEST.lan/NONE': deleting rrset at 'rsat.TEST.lan' AAAA
> > May 17 20:21:48 ad named[453]: client @0x7f73480c6ee0 10.10.10.160#54323/key RSAT\$\@TEST.LAN: updating zone 'TEST.lan/NONE': deleting rrset at 'rsat.TEST.lan' A
> > May 17 20:21:48 ad named[453]: samba_dlz: subtracted rdataset rsat.TEST.lan 'rsat.TEST.lan. #0111200 #011IN #011A #01110.10.10.160'
> >
> > I added via RSAT to the reverse lookup zone according to the SAMBA4 wiki.
> > It does not work.
> >
> > samba-tool dns zonelist 10.10.10.50 -U Administrator
> >
> > 3 zone (s) found
> >
> > pszZoneName: 10.10.10.in-addr.arpa
> > Flags: DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> > ZoneType: DNS_ZONE_TYPE_PRIMARY
> > Version: 50
> > dwDpFlags: DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> > pszDpFqdn: DomainDnsZones.TEST.lan
> >
> > pszZoneName: TEST.lan
> > Flags: DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> > ZoneType: DNS_ZONE_TYPE_PRIMARY
> > Version: 50
> > dwDpFlags: DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> > pszDpFqdn: DomainDnsZones.TEST.lan
> >
> > pszZoneName: _msdcs.TEST.lan
> > Flags: DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> > ZoneType: DNS_ZONE_TYPE_PRIMARY
> > Version: 50
> > dwDpFlags: DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> > pszDpFqdn: ForestDnsZones.TEST.lan
> >
> > where should I look for the problem?
> >
> > Thanks,
> > Jan
>
>
> Please go here:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Download the script and run it on the DC, post the output (sanitised if
> required) into a reply to this, do not attach it, this list strips
> attachments.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>