thr3ads.net - samba - [Samba] bind fails to start w/missing records [May 2015]

If this information is useful, please help other people find it:
Share via:

Steve Thompson

2015-May-10 14:34 UTC

[Samba] bind fails to start w/missing records

On Sun, 10 May 2015, Rowland Penny wrote:
> Have you really got 19 reverse zones for your samba 4 active directory ?
Yep :-)
> Can you try running 'samba-tool ldapcmp ldap://<YOUR_FIRST_DC>
ldap://<YOUR_SECOND_DC>
Interesting. DC1 and DC2 have many differences; DC1 and DC3 are the same. 
Maybe I will demote DC2 and join it again.
> Check if you actually have dns records:
For DC1 (host name baxter):

dn:
DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150430150532.0Z
whenChanged: 20150430150532.0Z
uSNCreated: 4725
uSNChanged: 4725
showInAdvancedViewOnly: TRUE
name: baxter
objectGUID: 739a5762-719a-44d2-968e-f8b12f5bc07b
dnsRecord:: BAABAAXwAAAWAAAAAAADhAAAAAAnazcAChbICw=objectCategory:
CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
dc: baxter
distinguishedName:
DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu

For DC2 (host name bear):

dn:
DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150504141356.0Z
whenChanged: 20150504141356.0Z
uSNCreated: 4897
uSNChanged: 4897
showInAdvancedViewOnly: TRUE
name: bear
objectGUID: 93d1aaa6-8c41-4754-8b27-370870b9129d
dnsRecord:: BAABAAXwAAA1AAAAAAADhAAAAACGazcAChbIDA=objectCategory: 
CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
dc: bear
distinguishedName:
DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu

and for DC3 (host name benford):

dn:
DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150504150126.0Z
whenChanged: 20150504150126.0Z
uSNCreated: 4996
uSNChanged: 4996
showInAdvancedViewOnly: TRUE
name: benford
objectGUID: 6701ab99-d883-44da-8ebf-769a98274a2c
dnsRecord:: BAABAAXwAABGAAAAAAADhAAAAACHazcAChbIDQ=objectCategory:
CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
dc: benford
distinguishedName:
DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
> To see defined zones:
   2 zone(s) found

   pszZoneName                 : europa.icse.cornell.edu
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
   pszDpFqdn                   : DomainDnsZones.europa.icse.cornell.edu

   pszZoneName                 : _msdcs.europa.icse.cornell.edu
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
   pszDpFqdn                   : ForestDnsZones.europa.icse.cornell.edu

with identical output from all three DC's.
> To see dns server info:
   dwVersion                   : 0xece0205
   fBootMethod                 : DNS_BOOT_METHOD_DIRECTORY
   fAdminConfigured            : FALSE
   fAllowUpdate                : TRUE
   fDsAvailable                : TRUE
   pszServerName               : BAXTER.europa.icse.cornell.edu
   pszDsContainer              :
CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
   aipServerAddrs              : ['10.22.200.11', '127.0.0.1']
   aipListenAddrs              : ['10.22.200.11', '127.0.0.1']
   aipForwarders               : []
   dwLogLevel                  : 0
   dwDebugLevel                : 0
   dwForwardTimeout            : 3
   dwRpcPrototol               : 0x5
   dwNameCheckFlag             : DNS_ALLOW_MULTIBYTE_NAMES
   cAddressAnswerLimit         : 0
   dwRecursionRetry            : 3
   dwRecursionTimeout          : 8
   dwMaxCacheTtl               : 86400
   dwDsPollingInterval         : 180
   dwScavengingInterval        : 0
   dwDefaultRefreshInterval    : 168
   dwDefaultNoRefreshInterval  : 168
   fAutoReverseZones           : FALSE
   fAutoCacheUpdate            : FALSE
   fRecurseAfterForwarding     : FALSE
   fForwardDelegations         : TRUE
   fNoRecursion                : FALSE
   fSecureResponses            : FALSE
   fRoundRobin                 : TRUE
   fLocalNetPriority           : FALSE
   fBindSecondaries            : FALSE
   fWriteAuthorityNs           : FALSE
   fStrictFileParsing          : FALSE
   fLooseWildcarding           : FALSE
   fDefaultAgingState          : FALSE
   dwRpcStructureVersion       : 0x2
   aipLogFilter                : []
   pwszLogFilePath             : None
   pszDomainName               : europa.icse.cornell.edu
   pszForestName               : europa.icse.cornell.edu
   pszDomainDirectoryPartition :
DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
   pszForestDirectoryPartition :
DC=ForestDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
   dwLocalNetPriorityNetMask   : 0xff
   dwLastScavengeTime          : 0
   dwEventLogLevel             : 4
   dwLogFileMaxSize            : 0
   dwDsForestVersion           : 2
   dwDsDomainVersion           : 2
   dwDsDsaVersion              : 4
   fReadOnlyDC                 : FALSE

and on DC2 and DC3 they are the same, except for host names and IP 
addresses.

There were two DC's that were members of the copnfiguration for about two 
years; these two were demoted and the three that I have now were added 
recently. Maybe something went wrong with the demotion of the original 
two, but the BIND problem did not surface until yesterday evening; the 
BIND servers had been restarted multiple times before then (and after the 
demotion of the original two).

-Steve
-- 
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,282 miles per second: it's not just a good idea, it's the
law"
----------------------------------------------------------------------------

Rowland Penny

2015-May-10 14:48 UTC

head link

[Samba] bind fails to start w/missing records

On 10/05/15 15:34, Steve Thompson wrote:> On Sun, 10 May 2015, Rowland Penny wrote:
>
>> Have you really got 19 reverse zones for your samba 4 active directory
?
>
> Yep :-)
Why ? And why don't they show up when you ask for the zones with 
samba-tool ?

>
>> Can you try running 'samba-tool ldapcmp
ldap://<YOUR_FIRST_DC>
>> ldap://<YOUR_SECOND_DC>
>
> Interesting. DC1 and DC2 have many differences; DC1 and DC3 are the 
> same. Maybe I will demote DC2 and join it again.
Just check that it isn't just non replicating attributes that are different.
>
>> Check if you actually have dns records:
>
> For DC1 (host name baxter):
>
> dn: 
>
DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20150430150532.0Z
> whenChanged: 20150430150532.0Z
> uSNCreated: 4725
> uSNChanged: 4725
> showInAdvancedViewOnly: TRUE
> name: baxter
> objectGUID: 739a5762-719a-44d2-968e-f8b12f5bc07b
> dnsRecord:: BAABAAXwAAAWAAAAAAADhAAAAAAnazcAChbICw=> objectCategory: 
> CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> dc: baxter
> distinguishedName: 
>
DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>
> For DC2 (host name bear):
>
> dn: 
>
DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20150504141356.0Z
> whenChanged: 20150504141356.0Z
> uSNCreated: 4897
> uSNChanged: 4897
> showInAdvancedViewOnly: TRUE
> name: bear
> objectGUID: 93d1aaa6-8c41-4754-8b27-370870b9129d
> dnsRecord:: BAABAAXwAAA1AAAAAAADhAAAAACGazcAChbIDA=> objectCategory: 
> CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> dc: bear
> distinguishedName: 
>
DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>
> and for DC3 (host name benford):
>
> dn: 
>
DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20150504150126.0Z
> whenChanged: 20150504150126.0Z
> uSNCreated: 4996
> uSNChanged: 4996
> showInAdvancedViewOnly: TRUE
> name: benford
> objectGUID: 6701ab99-d883-44da-8ebf-769a98274a2c
> dnsRecord:: BAABAAXwAABGAAAAAAADhAAAAACHazcAChbIDQ=> objectCategory: 
> CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
> dc: benford
> distinguishedName: 
>
DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>
>> To see defined zones:
>
>   2 zone(s) found
>
>   pszZoneName                 : europa.icse.cornell.edu
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED 
> DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED 
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.europa.icse.cornell.edu
>
>   pszZoneName                 : _msdcs.europa.icse.cornell.edu
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED 
> DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED 
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.europa.icse.cornell.edu
>
> with identical output from all three DC's.
>
>> To see dns server info:
>
>   dwVersion                   : 0xece0205
>   fBootMethod                 : DNS_BOOT_METHOD_DIRECTORY
>   fAdminConfigured            : FALSE
>   fAllowUpdate                : TRUE
>   fDsAvailable                : TRUE
>   pszServerName               : BAXTER.europa.icse.cornell.edu
>   pszDsContainer              : 
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>   aipServerAddrs              : ['10.22.200.11',
'127.0.0.1']
>   aipListenAddrs              : ['10.22.200.11',
'127.0.0.1']
>   aipForwarders               : []
>   dwLogLevel                  : 0
>   dwDebugLevel                : 0
>   dwForwardTimeout            : 3
>   dwRpcPrototol               : 0x5
>   dwNameCheckFlag             : DNS_ALLOW_MULTIBYTE_NAMES
>   cAddressAnswerLimit         : 0
>   dwRecursionRetry            : 3
>   dwRecursionTimeout          : 8
>   dwMaxCacheTtl               : 86400
>   dwDsPollingInterval         : 180
>   dwScavengingInterval        : 0
>   dwDefaultRefreshInterval    : 168
>   dwDefaultNoRefreshInterval  : 168
>   fAutoReverseZones           : FALSE
>   fAutoCacheUpdate            : FALSE
>   fRecurseAfterForwarding     : FALSE
>   fForwardDelegations         : TRUE
>   fNoRecursion                : FALSE
>   fSecureResponses            : FALSE
>   fRoundRobin                 : TRUE
>   fLocalNetPriority           : FALSE
>   fBindSecondaries            : FALSE
>   fWriteAuthorityNs           : FALSE
>   fStrictFileParsing          : FALSE
>   fLooseWildcarding           : FALSE
>   fDefaultAgingState          : FALSE
>   dwRpcStructureVersion       : 0x2
>   aipLogFilter                : []
>   pwszLogFilePath             : None
>   pszDomainName               : europa.icse.cornell.edu
>   pszForestName               : europa.icse.cornell.edu
>   pszDomainDirectoryPartition : 
> DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>   pszForestDirectoryPartition : 
> DC=ForestDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu
>   dwLocalNetPriorityNetMask   : 0xff
>   dwLastScavengeTime          : 0
>   dwEventLogLevel             : 4
>   dwLogFileMaxSize            : 0
>   dwDsForestVersion           : 2
>   dwDsDomainVersion           : 2
>   dwDsDsaVersion              : 4
>   fReadOnlyDC                 : FALSE
>
> and on DC2 and DC3 they are the same, except for host names and IP 
> addresses.
>
> There were two DC's that were members of the copnfiguration for about 
> two years; these two were demoted and the three that I have now were 
> added recently. Maybe something went wrong with the demotion of the 
> original two, but the BIND problem did not surface until yesterday 
> evening; the BIND servers had been restarted multiple times before 
> then (and after the demotion of the original two).
>
> -Steve
Check your FSMO roles.

Rowland

Steve Thompson

2015-May-10 15:08 UTC

head link

[Samba] bind fails to start w/missing records

Roland,

Thank you very much for your attention to this. You should get a medal for 
all the help you give everyone on this list.

On Sun, 10 May 2015, Rowland Penny wrote:
> Why ? And why don't they show up when you ask for the zones with
samba-tool ?
I have that many subnets. As for why they don't show up: they are defined 
in BIND's configuration and not samba's; they never did show up with 
samba-tool. I wasn't expecting that they should.
> Just check that it isn't just non replicating attributes that are
different.
It looks like a real problem. This is what I get when I compare DC1 and 
DC2 (again, DC1 and DC3 are the same):

* Result for [DOMAIN]: FAILURE

Attributes found only in ldap://baxter:

     isCriticalSystemObject
     cn
     ipsecName
     fSMORoleOwner
     objectClass
     ipsecISAKMPReference
     iPSECNegotiationPolicyAction
     showInAdvancedViewOnly
     ipsecFilterReference
     priorSetTime
     instanceType
     ipsecOwnersReference
     distinguishedName
     ipsecNFAReference
     msDS-TombstoneQuotaFactor
     ipsecData
     description
     objectCategory
     objectGUID
     whenCreated
     systemFlags
     ipsecNegotiationPolicyReference
     ipsecID
     lastSetTime
     iPSECNegotiationPolicyType
     name
     memberOf
     ipsecDataType

* Result for [CONFIGURATION]: FAILURE

Attributes found only in ldap://baxter:

     distinguishedName
     isCriticalSystemObject
     name
     objectCategory
     objectClass
     msDS-Behavior-Version
     description
     msDS-TombstoneQuotaFactor
     objectGUID
     showInAdvancedViewOnly
     systemFlags
     whenCreated
     fSMORoleOwner
     instanceType
     cn

* Result for [DNSDOMAIN]: FAILURE

Attributes found only in ldap://baxter:

     distinguishedName
     isCriticalSystemObject
     cn
     objectCategory
     objectClass
     objectGUID
     whenCreated
     showInAdvancedViewOnly
     systemFlags
     instanceType
     name

* Result for [DNSFOREST]: FAILURE

Attributes found only in ldap://baxter:

     distinguishedName
     isCriticalSystemObject
     cn
     objectCategory
     objectClass
     objectGUID
     whenCreated
     showInAdvancedViewOnly
     systemFlags
     instanceType
     name

and everything else is in order. "samba-tool drs showrepl" shows no 
problems.
> Check your FSMO roles.
I've done that; this appears to be in order (DC1 = baxter):

InfrastructureMasterRole owner: CN=NTDS
Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu
SchemaMasterRole owner: CN=NTDS
Settings,CN=BAXTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu

-Steve
-- 
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,282 miles per second: it's not just a good idea, it's the
law"
----------------------------------------------------------------------------

Steve Thompson

2015-May-11 10:56 UTC

head link

[Samba] bind fails to start w/missing records

On Sun, 10 May 2015, Steve Thompson wrote:
> On Sun, 10 May 2015, Rowland Penny wrote:
>>  Can you try running 'samba-tool ldapcmp
ldap://<YOUR_FIRST_DC>
>>  ldap://<YOUR_SECOND_DC>
> Interesting. DC1 and DC2 have many differences; DC1 and DC3 are the same.
Turns out I made a dumb mistake. I did a kinit before ldapcmp, but omitted 
the "-k 1" on the latter. When I do it correctly, all three DC's
are
exactly the same. Phew.

Steve

mourik jan heupink

2015-May-11 11:08 UTC

head link

[Samba] bind fails to start w/missing records

> Turns out I made a dumb mistake. I did a kinit before ldapcmp, but
> omitted the "-k 1" on the latter. When I do it correctly, all
three DC's
> are exactly the same. Phew.I thought kinit is not required on samba-tool ldapcmp

I just tried _with_ kinit, and only saw the same differences on whenChanged.

MJ

Reasonably Related Threads

Search for more reasonably related threads

samba - May 2015 - bind fails to start w/missing records

[Samba] bind fails to start w/missing records

[Samba] bind fails to start w/missing records

[Samba] bind fails to start w/missing records

[Samba] bind fails to start w/missing records

[Samba] bind fails to start w/missing records

Reasonably Related Threads