L.P.H. van Belle
2016-Aug-15 14:20 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
In addition to Rowland's comment.

I suggest you try:

/etc/hosts
add only 127.0.0.1 localhost

Now type
hostname -f
hostname -s
hostname -d
hostname -I

Are these all correct?
> No, Edit resolv.conf
domain samba.ifa.net
search samba.ifa.net ifa.net
nameserver 127.0.0.1

What happens now if you try the above command. Correct?
Yes => correct your hosts and resolv.conf
No
||
\/
change resolv.conf to nameserver IP_of_server

Still not working, error in named.conf or no entries in the AD DNS.

Try it out.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Monday 15 August 2016 15:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
>
> On Sun, 14 Aug 2016 23:17:57 +0100
> Alex Crow via samba <samba at lists.samba.org> wrote:
>
> >
> >
> > On 14/08/16 22:14, Rowland Penny via samba wrote:
> > > On Sun, 14 Aug 2016 21:52:43 +0100
> > > Alex Crow via samba <samba at lists.samba.org> wrote:
> > >
> > >>> I am fairly sure this is your problem, it should be able to find
> > >>> the KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts
> > >>> and /etc/resolv.conf ?
> > >> With the BIND server not running, and this krb5.conf:
> > >>
> > >> [libdefaults]
> > >> default_realm = SAMBA.IFA.NET
> > >> dns_lookup_realm = false
> > >> dns_lookup_kdc = true
> > >> ~
> > >>
> > >> samba_dnsupdate cannot find the KDC. Even if I add:
> > >>
> > >> [realms]
> > >> SAMBA4.IFA.NET {
> > >> kdc= 172.31.0.10
> > >> }
> > >>
> > > Well, I don't think you can find the KDC if the DNS server isn't
> > > running, you could try changing 'dns_lookup_kdc = true' to false
> > I think I tried that, but I'm not 100% sure. I tried a lot of things
> > to get back on track.
> >
> >
> >
> > >> it still complains about not finding a KDC and does not complete.
> > >>
> > >> Oddly if I can use the output to figure out the DNS entries I need
> > >> to add, so I thought "ah, cool, I'll use samba-tool dns" to add
> > >> them back in. To my great surprise, when I try to add each entry
> > >> that samba_dnsupdate says is missing, samba-tool tells me it
> > >> already exists!!
> > > OK, try running:
> > >
> > > ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs
> > > --show-binary
> > >
> > > replace nano with your favourite editor and
> > > '/usr/local/samba/private/sam.ldb' with the path to your sam.ldb.
> > >
> > > You should now be able to search the entire AD and see if your
> > > entries do exist.
> >
> > I did have a quick look with ldbedit before this last email. There were
> > indeed a number of DNS nodes but perhaps as I didn't use "
> >
> > --show-binary
> >
> > "
> >
> > I was missing something.
>
> Just had a thought, how is /etc/resolv.conf set up ?
> Is it set up so that each DC uses the other first ?
>
> If it is, then this 'could' be your problem, your second DC tries to
> find the KDC, so it asks DNS (via resolv.conf) for the KDCs address.
> now if the other DC is first in line and doesn't exist, it will have
> to timeout before it will try the next nameserver and most probably
> will give up and tell you it cannot find the KDC
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2016-Aug-15 15:02 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
OK, this has nothing to do with the classicupgrade, I have set up a
couple of VMs and provisioned a test DC in one and joined another DC in
the other.

I am now at the point the OP is at, samba_dnsupdate cannot add the
required records, all I get in log.samba is this multiple times:

[2016/08/15 15:57:23.949917,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH

and it ends with this:

[2016/08/15 15:57:23.975421,  0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL

Now to try and find the cause and fix it.

Rowland
Rowland Penny
2016-Aug-15 18:59 UTC
[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server
On Mon, 15 Aug 2016 16:02:38 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> OK, this has nothing to do with the classicupgrade, I have setup a
> couple of VMs and provisioned a test DC in one and joined another DC
> in the other.
>
> I am now at the point the OP is at, samba_dnsupdate cannot add the
> required records, all I get in log.samba is this multiple times:
>
> [2016/08/15 15:57:23.949917,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>
> and it ends with this:
>
> [2016/08/15 15:57:23.975421,  0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>   ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL
>
> Now to try and find the cause and fix it.
>
> Rowland

OK, I think I have sorted this, I added some lines to samba_dnsupdate
to print out why it didn't work and got this:

Could not obtain Kerberos ticket for DNS/devdc1.example.com as DEVDC2$
response to GSS-TSIG query was unsuccessful
....
response to GSS-TSIG query was unsuccessful
Failed update of 24 entries

So, I thought, no SOA records for DEVDC2

Added them:

samba-tool dns add 127.0.0.1 example.com devdc2 A 192.168.0.251 -Uadministrator
samba-tool dns add 127.0.0.1 example.com @ NS devdc2.example.com -Uadministrator
samba-tool dns add 127.0.0.1 _msdcs.example.com @ NS devdc2.example.com -Uadministrator

and then ran samba_dnsupdate again and this time it didn't print
anything, so I tried this:

root at devdc2:~# host -t SRV _ldap._tcp.example.com.

and got this:

_ldap._tcp.example.com has SRV record 0 100 389 devdc1.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 devdc2.example.com.

I think all the records are now there.

So, as the OP said, this is a bit of a chicken and egg situation, you
need the SOA records to add the SOA records via samba_dnsupdate.

Rowland
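The chicken-and-egg situation above, turned into a preflight check (an added example, not the poster's or Samba's own code): it compares `host`-style lookup output against the three records added by hand in the thread and returns the matching samba-tool commands for whatever is missing, and separately reports whether the DC already shows up in the `_ldap._tcp` SRV set that a working samba_dnsupdate leaves behind. It assumes the `host` tool's usual wording for A and NS answers ("X has address Y", "Z name server N."); the sample lines are constructed.

```python
# Preflight check for the records a new Samba DC needs before samba_dnsupdate
# can update the zone (hypothetical helper; not part of Samba or this thread).
import subprocess

def host_lines(name, rtype):
    """Live lookup: output lines of `host -t RTYPE NAME` (needs the host tool)."""
    res = subprocess.run(["host", "-t", rtype, name], capture_output=True, text=True)
    return res.stdout.splitlines()

def collect_live(dc_short, domain):
    """Gather the four lookups the checks below need from the local resolver."""
    return (host_lines(f"{dc_short}.{domain}", "A") + host_lines(domain, "NS")
            + host_lines(f"_msdcs.{domain}", "NS")
            + host_lines(f"_ldap._tcp.{domain}", "SRV"))

def missing_dc_records(dc_short, dc_ip, domain, lines):
    """samba-tool commands for prerequisite records absent from host-style `lines`."""
    fqdn = f"{dc_short}.{domain}"
    present = {line.strip() for line in lines}
    required = [
        # A record for the DC itself in the domain zone
        (f"{fqdn} has address {dc_ip}",
         f"samba-tool dns add 127.0.0.1 {domain} {dc_short} A {dc_ip} -Uadministrator"),
        # the DC listed as a name server for the domain zone ...
        (f"{domain} name server {fqdn}.",
         f"samba-tool dns add 127.0.0.1 {domain} @ NS {fqdn} -Uadministrator"),
        # ... and for the _msdcs zone
        (f"_msdcs.{domain} name server {fqdn}.",
         f"samba-tool dns add 127.0.0.1 _msdcs.{domain} @ NS {fqdn} -Uadministrator"),
    ]
    return [cmd for expected, cmd in required if expected not in present]

def dc_in_ldap_srv(fqdn, domain, lines):
    """True once _ldap._tcp.<domain> has an SRV record for the DC (what a
    successful samba_dnsupdate run leaves behind)."""
    prefix = f"_ldap._tcp.{domain} has SRV record"
    return any(ln.startswith(prefix) and ln.rstrip().endswith(f" {fqdn}.") for ln in lines)

# Constructed sample output mimicking `host` on a zone where only devdc1 exists.
SAMPLE = [
    "devdc1.example.com has address 192.168.0.250",
    "example.com name server devdc1.example.com.",
    "_msdcs.example.com name server devdc1.example.com.",
    "_ldap._tcp.example.com has SRV record 0 100 389 devdc1.example.com.",
]

if __name__ == "__main__":
    for cmd in missing_dc_records("devdc2", "192.168.0.251", "example.com", SAMPLE):
        print(cmd)
```

On a real DC, replace SAMPLE with `collect_live("devdc2", "example.com")` and run it as the local admin before samba_dnsupdate; an empty list means the bootstrap records are already there and a NOTAUTH failure has some other cause.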