Hi Marc,

Thanks for getting back to me.

Marc Muehlfeld wrote on 24-2-2015 21:12:
> Hello Bram,
>
> On 24.02.2015 at 12:37, Bram Matthys wrote:
>> Is there a way to re-initialize/re-provision DNS?
>
> No.
>

That would be a pity.

>> well.. I suppose since I started with 4.0.6 (migrated from Samba 3.x) but
>> from a users' point of view everything worked fine.. it was mostly the DNS
>> management from group policy that wasn't working.
>> ...
>> Today I wanted to install 4.1.17 but after the upgrade things go bad. On one
>> hand DNS seems to work fine (can resolve the DC, etc).
>
> You did an update from an old version. There were some changes
> meanwhile, you have to pay attention:
> https://wiki.samba.org/index.php/Updating_Samba#Other_changes_you_should_pay_attention_to.2C_when_updating

Right.. The first two, the pem files and LDAP DNS Entries are fixed by Samba when it starts/runs, right.

Then the 3rd one "Fixing dynamic DNS update problems (updating from < 4.0.7)" refers to this URL:
https://wiki.samba.org/index.php/Fix_DNS_dynamic_updates_in_Samba_versions_prior_4.0.7
This is what I attempted. As you can see in my original e-mail it resulted in a mysterious Memory allocation error (with X gb free, so must be something else). Let me paste a bit more context of the error:

# dns query 192.168.2.4 jnet.hermanjordan.nl @ ALL
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
params.c:pm_process() - Processing configuration file "/etc/smb_shares.conf"
..
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:192.168.2.4[,sign]
Mapped to DCERPC endpoint 135
added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
ERROR(runtime): uncaught exception - (-1073741801, 'Memory allocation error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 987, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

and

# /usr/local/samba/bin/samba-tool dns zonelist 192.168.2.4
..
Using binding ncacn_ip_tcp:192.168.2.4[,sign]
Mapped to DCERPC endpoint 135
added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
ERROR(runtime): uncaught exception - (-1073741801, 'Memory allocation error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 809, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

I also ran all the commands mentioned in the section called "Updates of early Samba 4 version on Samba Active Directory DCs ". So I ran the dbcheck, the ntacl sysvolreset, etc.

> - How many DCs do you have?
> - What Samba versions do your DCs run?
> - Does replication work?

One Samba server (DC & file server), no replication, 4.0.6 and this is my Xth attempt to upgrade the #@$^ thing. Each time it ends up broken and I have to rollback, unfortunately. And each time I hope a new version fixes the issue or that I can find the cause. As you can imagine this is quite a problem, not in the least with regards to security.

The machine is a virtualized host on KVM, Linux, fully up to date Debian 7.8 (wheezy), 64 bit. Not sure what else to say about it.

> - Do you use the internal DNS or BIND_DLZ?

Internal.

Also, I'm using './configure' without any arguments. All pretty standard I would say.

> - Is Samba/BIND listening on port 53 (netstat -taunp|grep :53)
> - Do DNS entries resolve on the server (try
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS)

Resolving works fine both on the box itself (I tested 'host jnet.hermanjordan.nl 127.0.0.1' and on the 192.168.2.4 lan IP) and from the Windows client. I must confess I did not check the two SRV records at that time (but see next).

I can login from a Windows client, but in eventlog and with gpupdate I get strange errors about not finding the logon server or unable to lookup the computer name or account name (well, what I wrote earlier).
Similarly, on Windows the DNS MMC tool sometimes gave an error after connecting to the DC about DNS not being available for management (so to say). Then a minute later or after a restart it worked, then a little later it broke again and after F5 it's completely broken again. Broken as in: the UI says there's a problem with the zone file. That's on 4.1.17 and that's why I think there must be something broken... it shouldn't flip/flop.

I would tend to think that all the issues I'm seeing, 1) the samba-tool dns giving a mysterious error, 2) the DNS MMC/RSAT tool giving strange results, and 3) the errors on the client with regards to group policy, are all related / caused by the same thing. But I'm stuck as to.. how to proceed.

If there's no way to re-provision/re-create all the DNS stuff, then do you have any ideas on the "samba-tool dns" issues? If it's all the same issue then that one may be the best entry to debug my issue? (Samba speaking to Samba after all)
The command works on 4.0.6 (.. but.. again.. I don't want to be stuck with such an old version), but not on 4.1.17.
Unless, of course, that issue is completely unrelated. I kinda hope it's related, though.

Thanks a lot for taking the time to look into this!

Bram.

-- 
Bram Matthys
Software developer/IT consultant   syzop at vulnscan.org
Website:  www.vulnscan.org
PGP key:  www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
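
Added example (not part of the original thread and not Samba's own code): the number in the error tuple above is the signed 32-bit rendering of an NTSTATUS value, so converting it to unsigned hex gives the code to search for, and the innermost traceback frame shows which call failed. The sample text is excerpted from the output quoted in the message; the short name table and the function names decode_ntstatus and triage are assumptions of this sketch.

```python
import re

# Excerpt of the samba-tool output quoted in the message above.
SAMPLE = """\
Using binding ncacn_ip_tcp:192.168.2.4[,sign]
Mapped to DCERPC endpoint 135
ERROR(runtime): uncaught exception - (-1073741801, 'Memory allocation error')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 809, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
"""

# Small lookup of well-known NTSTATUS values (not an exhaustive table).
NTSTATUS_NAMES = {
    0xC0000017: "NT_STATUS_NO_MEMORY",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
}
SEVERITY = ("success", "informational", "warning", "error")

ERR_RE = re.compile(r"uncaught exception - \((-?\d+), '([^']*)'\)")
# \s+ between tokens tolerates the line wrapping that mail clients add.
FRAME_RE = re.compile(r'File\s+"([^"]+)",\s+line\s+(\d+),\s+in\s+(\w+)')
BINDING_RE = re.compile(r"Using binding (\S+)")


def decode_ntstatus(value):
    """Split a (possibly negative) 32-bit NTSTATUS into its fields."""
    u = value & 0xFFFFFFFF  # two's complement -> unsigned
    return {
        "hex": "0x%08X" % u,
        "name": NTSTATUS_NAMES.get(u, "unknown"),
        "severity": SEVERITY[u >> 30],      # bits 31-30
        "customer": bool(u & 0x20000000),   # bit 29
        "facility": (u >> 16) & 0x0FFF,     # bits 27-16
        "code": u & 0xFFFF,                 # bits 15-0
    }


def triage(text):
    """Return binding, decoded status and innermost frame, or None."""
    err = ERR_RE.search(text)
    if err is None:
        return None
    frames = FRAME_RE.findall(text[err.end():])
    binding = BINDING_RE.search(text)
    path, line, func = frames[-1] if frames else (None, "0", None)
    return {
        "binding": binding.group(1) if binding else None,
        "message": err.group(2),
        "status": decode_ntstatus(int(err.group(1))),
        "frame": (path, int(line), func),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["status"]["hex"], report["status"]["name"])
    print("failed in %s (line %d) via %s"
          % (report["frame"][2], report["frame"][1], report["binding"]))
```
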
On 24/02/15 21:04, Bram Matthys wrote:
> [...]

Have you by any chance modified the files in the sam.ldb.d directory?

Rowland
Hello Bram,

On 24.02.2015 at 22:04, Bram Matthys wrote:
> # /usr/local/samba/bin/samba-tool dns zonelist 192.168.2.4
> ..
> Using binding ncacn_ip_tcp:192.168.2.4[,sign]
> Mapped to DCERPC endpoint 135
> added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
> added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
> added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
> added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
> ERROR(runtime): uncaught exception - (-1073741801, 'Memory allocation error')
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
> line 809, in run
>     dns_conn = dns_connect(server, self.lp, self.creds)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
> line 40, in dns_connect
>     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

Is 4.0.6 the last version that works? Have you tried just the next (4.0.7)?

What happens if you connect to the second IP (10.0.0.2) instead? Or 127.0.0.1?

Please show the output of
# netstat -tulpn | grep :53

Regards,
Marc
On 25/02/15 20:17, Marc Muehlfeld wrote:
> Hello Bram,
>
> On 24.02.2015 at 22:04, Bram Matthys wrote:
>> # /usr/local/samba/bin/samba-tool dns zonelist 192.168.2.4
>> ..
>> Using binding ncacn_ip_tcp:192.168.2.4[,sign]
>> Mapped to DCERPC endpoint 135
>> added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
>> added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
>> added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
>> added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
>> ERROR(runtime): uncaught exception - (-1073741801, 'Memory allocation error')
>>   File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
>> line 809, in run
>>     dns_conn = dns_connect(server, self.lp, self.creds)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
>> line 40, in dns_connect
>>     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
> Is 4.0.6 the last version, that works? Have you tried just the next (4.0.7)?
>
>
> What happens if you connect to the second IP (10.0.0.2) instead? Or
> 127.0.0.1?
>
>
> Please show the output of
> # netstat -tulpn | grep :53
>
>
>
> Regards,
> Marc
>

Hi Marc,

I asked the OP a question that he hasn't answered yet, I asked it because he sent an email to Achim, and he replied on list, to which the OP took great umbrage. Amongst the post he sent to Achim was this:

# ldbmodify -H /root/DC\=DOMAINDNSZONES\,DC\=JNET\,DC\=HERMANJORDAN\,DC\=NL.ldb /root/killthese

Now this was only a test, but what if he did it for real, there is a good chance he has hosed his setup and will probably never be able to upgrade, I personally think his only chance now is to try and join another DC and hope it replicates ok, but I wouldn't hold my breath over it working.

Rowland
Hi Bram,

> One Samba server (DC & file server), no replication, 4.0.6 and this is my
> Xth attempt to upgrade the #@$^ thing. Each time it ends up broken and I
> have to rollback, unfortunately. And each time I hope a new version fixes
> the issue or that I can find the cause. As you can imagine this is quite a
> problem, not in the least with regards to security.

If you are really eager to update as soon as possible and there is only a DNS issue, you can always switch back to plain file bind9 DNS zones like in the good ol' days, it still works great even if it is not as convenient as samba4 DNS. I had to do that once when working a DC with ailing DNS zones (I don't remember exactly what I did to get it back on track).

On the screwed up DC, can you still connect through ldap and display the base object of the dc=domaindnszones,dc=yourdomain,dc=lan?

Cheers,

Denis

>
> The machine is a virtualized host on KVM, Linux, fully up to date Debian 7.8
> (wheezy), 64 bit. Not sure what else to say about it.
>
>> - Do you use the internal DNS or BIND_DLZ?
>
> Internal.
>
> Also, I'm using './configure' without any arguments. All pretty standard I
> would say.
>
>> - Is Samba/BIND listening on port 53 (netstat -taunp|grep :53)
>> - Does DNS entries resolve on the server (try
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS)
>
> Resolving works fine both on the box itself (I tested 'host
> jnet.hermanjordan.nl 127.0.0.1' and on the 192.168.2.4 lan IP) and from the
> Windows client. I must confess I did not check the two SRV records at that
> time (but see next).
>
> I can login from a Windows client, but in eventlog and with gpupdate I get
> strange errors about not finding the logon server or unable to lookup the
> computer name or account name (well, what I wrote earlier).
> Similarly, on Windows the DNS MMC tool sometimes gave an error after
> connecting to the DC about DNS not being available for management (so to
> say). Then a minute later or after a restart it worked, then a little later
> it broke again and after F5 it's completely broken again. Broken as in: the
> UI says there's a problem with the zone file. That's on 4.1.17 and that's
> why I think there must be something broken... it shouldn't flip/flop.
>
> I would tend to think that all the issues I'm seeing, 1) the samba-tool dns
> giving a mysterious error, 2) the DNS MMC/RSAT tool giving strange results,
> and 3) the errors on the client with regards to group policy, are all
> related / caused by the same thing. But I'm stuck as to.. how to proceed.
>
> If there's no way to re-provision/re-create all the DNS stuff, then do you
> have any ideas on the "samba-tool dns" issues? If it's all the same issue
> then that one may be the best entry to debug my issue? (Samba speaking to
> Samba after all)
> The command works on 4.0.6 (.. but.. again.. I don't want to be stuck with
> such an old version), but not on 4.1.17.
> Unless, of course, that issue is completely unrelated. I kinda hope it's
> related, though.
>
> Thanks a lot for taking the time to look into this!
>
> Bram.
>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Hi Marc,

Good news. I managed to upgrade successfully... (see below)

Marc Muehlfeld wrote on 25-2-2015 21:17:
> On 24.02.2015 at 22:04, Bram Matthys wrote:
>> # /usr/local/samba/bin/samba-tool dns zonelist 192.168.2.4
>> ..
>> Using binding ncacn_ip_tcp:192.168.2.4[,sign]
>> Mapped to DCERPC endpoint 135
>> added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
>> added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
>> added interface jnet ip=192.168.2.4 bcast=192.168.7.255 netmask=255.255.248.0
>> added interface wifi ip=10.0.0.2 bcast=10.255.255.255 netmask=255.0.0.0
>> ERROR(runtime): uncaught exception - (-1073741801, 'Memory allocation error')
>>   File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
>> line 809, in run
>>     dns_conn = dns_connect(server, self.lp, self.creds)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py",
>> line 40, in dns_connect
>>     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
>
> Is 4.0.6 the last version, that works? Have you tried just the next (4.0.7)?
>
>
> What happens if you connect to the second IP (10.0.0.2) instead? Or
> 127.0.0.1?

First of all, a correction on my side: I see I said I was using 4.0.6, that's not true. I apologize for the confusion: I was actually using 4.1.6.

Your suggestion to update to next version (in general) got me thinking. I then upgraded as follows:

4.1.6 -> 4.1.7 -> 4.1.10 -> 4.1.14 -> 4.1.16 -> 4.1.17

And now everything works great! :)
So, not sure what caused it, but by following a more "gradual upgrade path" (so to speak) it worked.

samba-tool dns zonelist.. etc.. no longer gives any errors. clients can log in fine, group policy is working, DNS management from MMC works even if I refresh a 100 times, etc.

Only small issue I had were a few clients which behaved strangely (missing desktop.. maybe a group policy issue) but they worked after I rejoined them to the domain. Windows 7. It seems to affect only 2 clients at this point out of 100+. Not sure why it happens, have seen it happen before after an upgrade on two different networks/domains, actually, but ah well.. not a big problem.

I'm really glad I'm finally able to run an up to date samba again :)

Thanks again for your suggestion!

Regards,

Bram.

-- 
Bram Matthys
Software developer/IT consultant   syzop at vulnscan.org
Website:  www.vulnscan.org
PGP key:  www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6