Norbert Hanke
2016-Jul-18 20:31 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 20:10, Rowland penny wrote:
> On 18/07/16 00:02, Norbert Hanke wrote:
>> Hello,
>>
>> I'm trying to join a samba 4 DC to an already existing samba 4 DC,
>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version
>> 9.10.4-P1, all brand new.
>>
>> The existing DC runs fine, but the added DC refuses to update its
>> local bind database: every attempt to update the local DNS results in
>> "update failed: NOTAUTH". AD replication works perfectly.
>>
>> Both systems are set up identically except for the
>> provisioning/joining command. On the first I did
>> samba-tool domain provision --use-rfc2307 --domain=$domain
>> --server-role=dc --dns-backend=BIND9_DLZ \
>> --realm=$realm --adminpass=Wonttell
>> and on the second I do
>> samba-tool domain join $domain DC -Uadministrator --realm=$realm
>> --dns-backend=BIND9_DLZ
>>
>> Versions are the same, bind config is the same, I tried to follow every
>> rule I could find.
>>
>> # samba_dnsupdate --verbose -d 9
>> INFO: Current debug levels:
>> all: 9
>> (... more such levels ...)
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> pm_process() returned Yes
>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255
>> netmask=255.255.255.0
>> IPs: ['192.168.1.9']
>> Module 'tombstone_reanimate' is disabled. Skip
>> registration.lpcfg_servicenumber: couldn't find ldb
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as
>> dc2.ad.domain.ch.
>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>> need update: A ad.domain.ch 192.168.1.9
>> (... many more such Looking...need update blocks)
>> 24 DNS updates and 0 DNS deletes needed
>> ldb_wrap open of secrets.ldb
>> Received smb_krb5 packet of length 298
>> Received smb_krb5 packet of length 1311
>> update(nsupdate): A ad.domain.tld 192.168.1.9
>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> ad.domain.tld. 900 IN A 192.168.1.9
>>
>> update failed: NOTAUTH
>> Failed nsupdate: 2
>> (... many more such failed updates ...)
>> Failed update of 24 entries
>> # 22:37:30 root at dc2:/root/
>>
>>
>> In /var/log/syslog there are these equivalent 24 error messages every
>> 10 minutes:
>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0]
>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>> Jul 17 22:52:06 dc2 samba[3960]:
>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>> and the last of the 24 entries is always followed by
>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0]
>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>> Jul 17 22:52:06 dc2 samba[3960]:
>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update -
>> NT_STATUS_TOO_MANY_OPENED_FILES
>>
>> smb.conf is minimalistic:
>>
>> # Global parameters
>> [global]
>> netbios name = DC2
>> realm = AD.DOMAIN.TLD
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = DOMAIN
>> server role = active directory domain controller
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> Maybe somebody has an idea what I did wrong?
>>
>>
>>
>
> Try reading this wiki page, it may help:
>
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>
> Rowland
>

Yes I did that from the beginning. The entries were indeed missing and I added them.

I also tried adding with a lower-case dc2 instead of DC2. It did not make a difference.

But now it surprises me that adding worked at all. Isn't a "samba-tool dns add ..." about the same as what samba_dnsupdate does when adding entries?

And I just checked: the two added entries are still there and are resolvable through both DNS servers. It's a mystery to me.
Rowland penny
2016-Jul-18 21:13 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18/07/16 21:31, Norbert Hanke wrote:
> On 18.07.2016 20:10, Rowland penny wrote:
>> On 18/07/16 00:02, Norbert Hanke wrote:
>>> Hello,
>>>
>>> [...]
>>>
>>> Maybe somebody has an idea what I did wrong?
>>>
>>
>> Try reading this wiki page, it may help:
>>
>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>
>> Rowland
>>
> Yes I did that from the beginning. The entries were indeed missing and
> I added them.
>
> I also tried adding with a lower-case dc2 instead of DC2. It did not
> make a difference.
>
> But now it surprises me that adding worked at all. Isn't a
> "samba-tool dns add ..." about the same as what samba_dnsupdate
> does when adding entries?
>
> And I just checked: the two added entries are still there and are
> resolvable through both DNS servers. It's a mystery to me.
>

Try adding 'allow dns updates = nonsecure and secure' to your smb.conf files.
I would also check that it isn't something like apparmor or selinux blocking the updates.

If I run the same command on my second DC, at the point it goes wrong for you, I get:

Looking for DNS entry A dc2.samdom.example.com 192.168.0.6 as dc2.samdom.example.com.
Looking for DNS entry A samdom.example.com 192.168.0.6 as samdom.example.com.
Looking for DNS entry SRV _ldap._tcp.samdom.example.com dc2.samdom.example.com 389 as _ldap._tcp.samdom.example.com.

From your output, it looks as if it cannot find the 'A' record for your second DC.

Rowland
Norbert Hanke
2016-Jul-18 21:55 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 23:13, Rowland penny wrote:
> On 18/07/16 21:31, Norbert Hanke wrote:
>> On 18.07.2016 20:10, Rowland penny wrote:
>>> On 18/07/16 00:02, Norbert Hanke wrote:
>>>> Hello,
>>>>
>>>> [...]
>>>>
>>>> Maybe somebody has an idea what I did wrong?
>>>>
>>>
>>> Try reading this wiki page, it may help:
>>>
>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>
>>> Rowland
>>>
>> Yes I did that from the beginning. The entries were indeed missing and
>> I added them.
>>
>> I also tried adding with a lower-case dc2 instead of DC2. It did not
>> make a difference.
>>
>> But now it surprises me that adding worked at all. Isn't a
>> "samba-tool dns add ..." about the same as what samba_dnsupdate
>> does when adding entries?
>>
>> And I just checked: the two added entries are still there and are
>> resolvable through both DNS servers. It's a mystery to me.
>>
>
> Try adding 'allow dns updates = nonsecure and secure' to your smb.conf
> files.
> I would also check that it isn't something like apparmor or selinux
> blocking the updates.
>
> If I run the same command on my second DC, at the point it goes wrong
> for you, I get:
>
> Looking for DNS entry A dc2.samdom.example.com 192.168.0.6 as
> dc2.samdom.example.com.
> Looking for DNS entry A samdom.example.com 192.168.0.6 as
> samdom.example.com.
> Looking for DNS entry SRV _ldap._tcp.samdom.example.com
> dc2.samdom.example.com 389 as _ldap._tcp.samdom.example.com.
>
> From your output, it looks as if it cannot find the 'A' record for
> your second DC.
>
> Rowland
>

I added the smb.conf entry, rebooted: no change. This is on a plain vanilla Raspberry Pi system without apparmor or selinux configured. The first DC dc1 is on an identical setup and works.

I checked dc2: the A record of dc2 is known to both DNS servers. But the A record for the domain alone (without the dc2) and the SRV record for _ldap... both point to the IP of dc1, on both DNS servers. Could that be the problem?
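As an added triage aid (not from the thread or from Samba), the following script parses the kind of samba_dnsupdate --verbose output quoted above and groups every failed nsupdate by the DNS zone its record belongs to; NOTAUTH is the server's statement that it is not authoritative for the zone named in the update, so seeing which zone the failures fall into is the first thing to check against the BIND9_DLZ configuration. The log lines are constructed to mirror the post (the REFUSED line is invented to show a second zone), and the zone list assumes the realm zone plus its _msdcs sub-zone, as Samba provisions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the samba_dnsupdate --verbose output quoted
# in the thread (abridged; the REFUSED line is invented to show a second zone).
SAMPLE = """\
Failed to find matching DNS entry A ad.domain.tld 192.168.1.9
need update: A ad.domain.tld 192.168.1.9
need update: SRV _ldap._tcp.ad.domain.tld dc2.ad.domain.tld 389
need update: SRV _ldap._tcp.dc._msdcs.ad.domain.tld dc2.ad.domain.tld 389
Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
update failed: NOTAUTH
Calling nsupdate for SRV _ldap._tcp.ad.domain.tld dc2.ad.domain.tld 389 (add)
update failed: NOTAUTH
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.ad.domain.tld dc2.ad.domain.tld 389 (add)
update failed: REFUSED
Failed update of 3 entries
"""
ZONES = ["ad.domain.tld", "_msdcs.ad.domain.tld"]  # assumed zones BIND serves

NEED_RE = re.compile(r"^need update: (\S+) (\S+) (.*)$")
CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) .*\((add|delete)\)$")
FAIL_RE = re.compile(r"^update failed: (\S+)$")


def zone_of(name, zones):
    """Longest-suffix match of a record name against the served zones, or None."""
    name = name.rstrip(".").lower()
    best = None
    for z in (z.rstrip(".").lower() for z in zones):
        if (name == z or name.endswith("." + z)) and len(z) > len(best or ""):
            best = z
    return best


def triage(output, zones):
    """Return (needed, failures): needed = [(rtype, name)] records to add;
    failures = {zone: {rcode: [name, ...]}}, each 'update failed: RCODE'
    attributed to the record of the preceding 'Calling nsupdate for' line."""
    needed, current = [], None
    failures = defaultdict(lambda: defaultdict(list))
    for line in output.splitlines():
        if m := NEED_RE.match(line):
            needed.append((m.group(1), m.group(2)))
        elif m := CALL_RE.match(line):
            current = (m.group(1), m.group(2))
        elif (m := FAIL_RE.match(line)) and current:
            zone = zone_of(current[1], zones) or "<no served zone>"
            failures[zone][m.group(1)].append(current[1])
            current = None
    return needed, {z: dict(r) for z, r in failures.items()}
```

Feed it the captured output of the real command (for example triage(open("dnsupdate.log").read(), ZONES)) and compare the reported zones with the zones named in the BIND DLZ configuration.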