Emil Sandnabba
2024-Dec-11 09:58 UTC
[Samba] bind-dns configuration is generated incorrectly after "domain backup restore" + samba_upgradedns
Hello!

I'm trying the backup/restore functionality on Samba 4.21.1, but I'm having trouble with the Bind DNS configuration.

The domain is created by:

  samba-tool domain provision --use-rfc2307 --adminpass={adminpassword} --domain=domain.se --realm=realm --site=site --server-role=dc --dns-backend=BIND9_DLZ

And after provisioning, bind is working perfectly fine, using the files in "/var/lib/samba/bind-dns".

I'm now taking a backup:

  samba-tool domain backup offline --targetdir=.

To test our emergency recovery procedures, I'm then stopping Samba, performing a full reset of the database (rm -rf /var/lib/samba/*), and then restoring the backup:

  samba-tool domain backup restore --targetdir=/var/lib/samba --newservername=dc1-restored --backup-file=/samba-backup-xxxxxx.tar.bz2

The restoration works fine, Samba starts and I can even get new Kerberos tickets using kinit on the local server. However, named is not so happy.

I've noticed that the backup restore will use the internal DNS (as stated in the Backup and restore FAQ), so I've tried `samba_upgradedns`:

  root@dc:/# samba_upgradedns --dns-backend=BIND9_DLZ
  Reading domain information
  DNS accounts already exist
  No zone file /var/lib/samba/bind-dns/dns/DOMAIN.SE.zone (normal)
  DNS partitions already exist
  Adding dns-dc1-restored account
  check_spn_alias_collision: trying to add SPN 'DNS/dc1-restored.domain.se' on 'CN=dns-dc1-restored,CN=Users,DC=domain,DC=se' when 'host/dc1-restored.domain.se' is on 'CN=DC1-RESTORED,OU=Domain Controllers,DC=domain,DC=se'
  See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
  and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates

Please note the "check_spn_alias_collision" message. Not sure if this is an error or if it's just an info message?

Anyhow, now there are files in "/var/lib/samba/bind-dns". But if I try to start named, I get the following error:

  # named -4 -g -f -u bind
  ...
  10-Dec-2024 20:26:31.455 Loading 'AD DNS Zone' using driver dlopen
  10-Dec-2024 20:26:31.795 samba_dlz: started for DN DC=domain,DC=se
  10-Dec-2024 20:26:31.795 samba_dlz: starting configure
  10-Dec-2024 20:26:31.799 zone domain.se/NONE: has no NS records
  10-Dec-2024 20:26:31.799 samba_dlz: Failed to configure zone 'domain.se'
  10-Dec-2024 20:26:31.799 loading configuration: bad zone
  10-Dec-2024 20:26:31.799 exiting (due to fatal error)

Have I missed something? And how can I troubleshoot this further? How can I dump/view these DLZ zone-files?

Best regards
Emil Sandnabba
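An added example, not part of the post above nor Samba's own tooling, of how a practitioner would look at the "zone files" the DLZ backend is loading: with BIND9_DLZ there are no zone files, the records live in the DomainDnsZones/ForestDnsZones partitions of sam.ldb, so "dumping" the zone means querying the directory. The script wraps `samba-tool dns query` (DNS management RPC, assumed to answer from sam.ldb whether or not named is up) and an `ldbsearch` on the zone's apex node, and gives a small check that refuses to start named while the apex of the zone has no NS record, which is exactly the condition the log above reports. The zone name `domain.se`, server `127.0.0.1`, path of sam.ldb, the DN layout and the sample query output are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Samba project).
# Pre-flight check for a BIND9_DLZ zone: does its apex still carry an NS
# record? named's samba_dlz refuses the zone ("has no NS records") otherwise.
# Assumed values; override via environment.
ZONE="${ZONE:-domain.se}"
SERVER="${SERVER:-127.0.0.1}"
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# Turn a DNS domain into its AD naming-context DN: domain.se -> DC=domain,DC=se
domain_dn() {
    printf 'DC=%s' "$1" | sed 's/\./,DC=/g'
}

# Dump the apex (@) records of the zone via the DNS management RPC.
# Assumption: samba-tool dns reads sam.ldb through the samba daemon, so this
# works even when named itself cannot start.
dump_apex() {
    samba-tool dns query "$SERVER" "$ZONE" @ ALL -U Administrator
}

# Same data straight from the database (useful while samba is stopped).
# Assumed DN layout: the apex is the dnsNode "@" under the zone's dnsZone
# object inside the DomainDnsZones partition.
dump_apex_ldb() {
    ldbsearch -H "$SAM_LDB" \
        -b "DC=@,DC=$ZONE,CN=MicrosoftDNS,DC=DomainDnsZones,$(domain_dn "$ZONE")" \
        -s base dnsRecord
}

# Count NS records in samba-tool dns query output read from stdin.
# That output lists one record per line, e.g. "    NS: dc1.domain.se. (...)".
count_ns() {
    grep -cE '^[[:space:]]*NS:' || true
}

# Return 0 when the query output in $1 shows at least one apex NS record.
apex_has_ns() {
    n=$(printf '%s\n' "$1" | count_ns)
    [ "$n" -gt 0 ]
}

# Live check: query the DC and refuse to proceed if the apex has no NS.
check_live() {
    out=$(dump_apex) || { echo "samba-tool dns query failed" >&2; return 2; }
    if apex_has_ns "$out"; then
        echo "zone $ZONE: apex NS present, safe to start named"
    else
        echo "zone $ZONE: apex has no NS record; samba_dlz will reject it" >&2
        return 1
    fi
}

# Constructed sample output (approximating the samba-tool dns query format),
# so the check can be exercised without a live domain controller.
SAMPLE_WITH_NS='  Name=, Records=2, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1-restored.domain.se., email=hostmaster.domain.se. (flags=600000f0, serial=1, ttl=3600)
    NS: dc1-restored.domain.se. (flags=600000f0, serial=1, ttl=900)'
SAMPLE_NO_NS='  Name=, Records=1, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.domain.se., email=hostmaster.domain.se. (flags=600000f0, serial=1, ttl=3600)'

# Run the live check only when asked, e.g. ./dlz-check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it with `--live` on the restored DC before starting named; if it reports a missing apex NS, inspect the node with `dump_apex_ldb` and compare against the records the old DC had, rather than repeatedly restarting named.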
Rowland Penny
2024-Dec-11 10:43 UTC
[Samba] bind-dns configuration is generated incorrectly after "domain backup restore" + samba_upgradedns
On Wed, 11 Dec 2024 10:58:58 +0100
Emil Sandnabba via samba <samba@lists.samba.org> wrote:

> Hello!
>
> I'm trying the backup/restore functionality on Samba 4.21.1, but I'm
> having trouble with the Bind DNS configuration.
>
> The domain is created by:
> samba-tool domain provision --use-rfc2307 --adminpass={adminpassword}
> --domain=domain.se --realm=realm --site=site --server-role=dc
> --dns-backend=BIND9_DLZ
>

While I do not think it will cure your problem (though it may do), can you please try again, but this time with correct values for your options:

The domain in --domain is the NetBIOS domain, not the DNS domain, and the dot is illegal in a NetBIOS domain name.

The --realm should be the DNS domain in uppercase.

If you want to use a registered DNS domain, then I suggest you use a subdomain of that, something like 'ad.domain.se' instead of 'domain.se'.

Rowland
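As an added example, not part of Rowland's reply and not Samba's own code, a pre-flight check that applies the option rules he describes before anyone types the provision command: `--domain` is the NetBIOS name (no dots, at most 15 characters, letters, digits and hyphens only), `--realm` is the DNS domain in uppercase, and the DNS domain is taken to be a dedicated subdomain such as `ad.domain.se`, from whose first label the NetBIOS name is derived. The domain names and the choice to derive the NetBIOS name from the first label are assumptions for illustration; `--adminpass` and `--site` are deliberately left out so no password ends up in a script.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): validate the
# NetBIOS and realm values for samba-tool domain provision and print the
# resulting command line without running it.

# NetBIOS name derived from the first label of a DNS domain, uppercased
# (assumption: the AD DNS domain is a subdomain such as ad.domain.se).
netbios_from_dns() {
    printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]'
}

# Return 0 if $1 is an acceptable NetBIOS domain name:
# non-empty, no dots, at most 15 characters, letters/digits/hyphens only.
valid_netbios() {
    case "$1" in
        ''|*.*) return 1 ;;
    esac
    [ "${#1}" -le 15 ] || return 1
    printf '%s' "$1" | grep -qE '^[A-Za-z0-9-]+$'
}

# Return 0 if $1 is an uppercase DNS domain with at least two labels.
valid_realm() {
    printf '%s' "$1" | grep -qE '^[A-Z0-9-]+(\.[A-Z0-9-]+)+$'
}

# Print the provision command for a DNS domain, or fail with a reason.
# --adminpass and --site are intentionally omitted; add them on the command
# line when you actually run it.
provision_cmd() {
    dns="$1"
    realm=$(printf '%s' "$dns" | tr '[:lower:]' '[:upper:]')
    nb=$(netbios_from_dns "$dns")
    valid_netbios "$nb" || { echo "bad NetBIOS name: $nb" >&2; return 1; }
    valid_realm "$realm" || { echo "bad realm: $realm" >&2; return 1; }
    printf 'samba-tool domain provision --use-rfc2307 --domain=%s --realm=%s --server-role=dc --dns-backend=BIND9_DLZ\n' \
        "$nb" "$realm"
}

# Usage: ./provision-check.sh ad.domain.se
if [ -n "${1:-}" ]; then
    provision_cmd "$1"
fi
```

With `ad.domain.se` the script prints a command using `--domain=AD --realm=AD.DOMAIN.SE`; the original post's `--domain=domain.se` fails the NetBIOS check because of the dot, and a single-label `--realm=realm` fails the realm check.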