James B. Byrne
2017-Jan-30 17:16 UTC
[Samba] Samba-4.3 AD-DC Win7pro clients not time syncing
We have a Samba-4.3 AD-DC hosted on a FreeBSD-10.3 system. We have just discovered that for some reason our domain workstations are not synchronising their time with the AD-DC. We have not altered the default GPO nor have we created a special GPO to handle time services.

I have been working on several of the domain clients and I cannot seem to get them to source from the Samba server. I have confirmed that ntpd is running on the AD-DC and listening on udp:123. I have also confirmed that udp:123 is not blocked by the firewall at either end.

I set the client's w32tm configuration this way:

    w32tm /config /update /manualpeerlist:"time.nrc.ca time.chu.nrc.ca" /syncfromflags:ALL

And when I check the status with

    w32tm /query /status

then I see this:

    Leap Indicator: 0(no warning)
    Stratum: 3 (secondary reference - synced by (S)NTP)
    Precision: -6 (15.62ms per tick)
    Root Delay: 0.0313721s
    Root Dispersion: 0.2973346s
    ReferenceId: 0x84F60BE3 (source IP: 132.246.11.227)
    Last Successful Sync Time: 2017-01-30 11:46:22
    Source: time.nrc.ca
    Poll Interval: 11 (2048s)

And if I do this:

    w32tm /resync /rediscover
    Sending resync command to local computer
    The computer did not resync because no time data was available.

I am afraid that I am mystified by this. Have I misconfigured something on the Samba server to account for this behaviour? I have not previously run into this problem before but I have seen from my researches that many people have had this issue with MicroSoft servers so it does not appear a Samba specific thing but I cannot be sure.

In any case, How does one fix this?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
On Mon, 30 Jan 2017 12:16:30 -0500 James B. Byrne wrote:

> I set the client's w32tm configuration this way:
>
> w32tm /config /update /manualpeerlist:"time.nrc.ca time.chu.nrc.ca"
> /syncfromflags:ALL
>
> And when I check the status with
>
> w32tm /query /status
>
> then I see this:
>
> Leap Indicator: 0(no warning)
> Stratum: 3 (secondary reference - synced by (S)NTP)
> Precision: -6 (15.62ms per tick)
> Root Delay: 0.0313721s
> Root Dispersion: 0.2973346s
> ReferenceId: 0x84F60BE3 (source IP: 132.246.11.227)
> Last Successful Sync Time: 2017-01-30 11:46:22
> Source: time.nrc.ca
> Poll Interval: 11 (2048s)
>
> And if I do this:
>
> w32tm /resync /rediscover
> Sending resync command to local computer
> The computer did not resync because no time data was available.
>
> I am afraid that I am mystified by this. Have I misconfigured
> something on the Samba server to account for this behaviour? I have
> not previously run into this problem before but I have seen from my
> researches that many people have had this issue with MicroSoft servers
> so it does not appear a Samba specific thing but I cannot be sure.
>
> In any case, How does one fix this?

This is what worked for me:

    $ w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
    $ w32tm /config /update

where 'mail' is my Samba4 AD/DC.

"Depending on the type of the Windows PC ..., NTP servers may not respond to the type of queries sent by w32time. w32time sends namely symmetric active instead of client mode packets to a NTP server. ... The flag "0x8" forces w32time not to send "symmetric active" packets but normal "client" requests which the NTP server replies to as usual."

ref. https://www.meinbergglobal.com/english/info/ntp-w32time.htm

--Mark
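
Added example, not part of either post: the "symmetric active" versus "client" distinction quoted above lives in the low three bits of the first byte of the 48-byte NTP header, and the fields in the `w32tm /query /status` output map onto the same header. The function names are hypothetical, the packets are constructed from values in the thread, and the version number 3 is an assumption.

```python
import ipaddress
import struct

NTP_MODES = {1: "symmetric active", 2: "symmetric passive",
             3: "client", 4: "server", 5: "broadcast"}

def build_header(mode, version=3, leap=0, stratum=0, poll=0, precision=0,
                 root_delay=0.0, root_disp=0.0, ref_id=0):
    """Pack a 48-byte NTP header (RFC 5905 layout); the four timestamps stay zero."""
    first = (leap << 6) | (version << 3) | mode
    fixed = struct.pack("!BBbbIII", first, stratum, poll, precision,
                        round(root_delay * 65536), round(root_disp * 65536), ref_id)
    return fixed + bytes(32)

def parse_header(pkt):
    """Decode the fields a capture of UDP port 123 would show."""
    if len(pkt) < 48:
        raise ValueError("an NTP header is 48 bytes")
    first, stratum, poll, precision, delay, disp, ref = struct.unpack("!BBbbIII", pkt[:16])
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": NTP_MODES.get(first & 0x7, "reserved"),
        "stratum": stratum,
        "poll_s": 2 ** poll,                # log2 seconds -> seconds
        "precision_s": 2.0 ** precision,    # log2 seconds -> seconds
        "root_delay_s": delay / 65536,      # 16.16 fixed point
        "root_disp_s": disp / 65536,
        "ref_ip": str(ipaddress.IPv4Address(ref)),  # at stratum >= 2: upstream IPv4
    }

# Constructed packets: what the quoted text says w32time sends by default,
# and what it sends once the peer is listed with the 0x8 flag.
DEFAULT_REQ = build_header(mode=1)
CLIENT_REQ = build_header(mode=3)
# Constructed header carrying the values from the status output in the question.
STATUS_HDR = build_header(mode=3, stratum=3, poll=11, precision=-6,
                          root_delay=0.0313721, ref_id=0x84F60BE3)

if __name__ == "__main__":
    for label, pkt in (("default", DEFAULT_REQ), ("0x8", CLIENT_REQ)):
        print(label, hex(pkt[0]), parse_header(pkt)["mode"])
    print(parse_header(STATUS_HDR))
```
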
Mark Foley
2017-May-02 01:36 UTC
[Samba] IP address getting overridden by Samba and domain member?
I have been running Samba 4 as an AD/DC for a couple of years now with few problems. I provisioned the domain using --dns-backend=BIND9_FLATFILE and the /etc/named.conf includes the samba-tool provision created file /var/lib/samba/private/named.conf, with zone files in /var/lib/samba/private/dns.

All that has been working just fine for 2 or 3 years.

Lately, I added a VirtualBox XP guest virtual machine to the domain running SQL Server 2005 to service a legacy application. The virtual machine implements a virtual "router" which dhcp assigns an IP to the XP: 10.0.2.15 (host name: traverse). In the VM I have configured port-forwarding to forward requests made to the Linux VM host (192.168.02) on port 1433 to the VM port 1433.

From domain workstations you cannot access the SQL Server via 10.0.2.15:1433. You can, however, access the SQL Server via 192.168.0.2:1433.

No problem, I thought. I created an 'A' record in the zone file as:

    TRAVERSE A 192.168.0.2

so now 192.168.0.2 has two hostnames that resolve to that address. That worked ... for a while. Initially, the host command gave:

    $ host traverse
    TRAVERSE.hprs.local has address 192.168.0.2

Domain workstations were able to access the SQL Server. However, after some period of time, that changed:

    $ host traverse
    TRAVERSE.hprs.local has address 10.0.2.15

Something is changing the DNS entry for this host from 192.168.0.2 to 10.0.2.15. What?

Here's my theory. Windows domain members want to update the DNS via, I assume, the DC/AD. If not permitted to do so I get the message:

    syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied

in /var/log/syslog. To fix that, I added the following to the zone file:

    allow-update { 192.168.0.0/24; 127.0.0.1; };

So, the question is this: is Samba honoring requests from the XP VM to update the DNS? If so, can I shut that off for a single host?

If not Samba, it must be something else, but I don't know what.

This is getting urgent. Users cannot access the SQL Server.

I'm running Slackware64 14.2, Samba 4.4.13 and BIND 9.10.4-P6

Thanks for any help.

--Mark
Mark Foley
2017-May-02 17:55 UTC
[Samba] IP address getting overridden by Samba and domain member?
On Mon, 1 May 2017 22:18:14 -0400 Matt Savin <matt at tegers.com> wrote:

> Hello Mark,
>
> Did you uncheck "Register this connection's addresses in DNS" check box in
> TCP/IP DNS Properties of your XP VM's network interface?
> https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_pro_usednsconfig.mspx?mfr=true
> Did you try to assign static IP address to your VM XP network interface and
> uncheck "Register this connection's addresses in DNS" in TCP/IP DNS
> Properties?
>
> Regards,
> Matt

YES!!! That did the trick. Thanks!

> On Mon, May 1, 2017 at 9:36 PM, Mark Foley via samba <samba at lists.samba.org>
> wrote:
>
> > I have been running Samba 4 as an AD/DC for a couple of years now with few
> > problems. I
> > provisioned the domain using --dns-backend=BIND9_FLATFILE and the
> > /etc/named.conf includes the
> > samba-tool provision created file /var/lib/samba/private/named.conf, with
> > zone files in
> > /var/lib/samba/private/dns.
> >
> > All that has been working just fine for 2 or 3 years.
> >
> > Lately, I added a VirtualBox XP guest virtual machine to the domain
> > running SQL Server 2005 to
> > service a legacy application. The virtual machine implements a virtual
> > "router" which dhcp
> > assigns an IP to the XP: 10.0.2.15 (host name: traverse). In the VM I
> > have configured
> > port-forwarding to forward requests made to the Linux VM host (192.168.02)
> > on port 1433 to the
> > VM port 1433.
> >
> > From domain workstations you cannot access the SQL Server via
> > 10.0.2.15:1433. You can, however,
> > access the SQL Server via 192.168.0.2:1433.
> >
> > No problem, I thought. I created an 'A' record in the zone file as:
> >
> > TRAVERSE A 192.168.0.2
> >
> > so now 192.168.0.2 has two hostnames that resolve to that address. That
> > worked ... for a while.
> > Initially, the host command gave:
> >
> > $ host traverse
> > TRAVERSE.hprs.local has address 192.168.0.2
> >
> > Domain workstations were able to access the SQL Server. However, after
> > some period of time,
> > that changed:
> >
> > $ host traverse
> > TRAVERSE.hprs.local has address 10.0.2.15
> >
> > Something is changing the DNS entry for this host from 192.168.0.2 to
> > 10.0.2.15. What?
> >
> > Here's my theory. Windows domain members want to update the DNS via, I
> > assume, the DC/AD. If not
> > permitted to do so I get the message:
> >
> > syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update
> > 'hprs.local/IN' denied
> >
> > in /var/log/syslog. To fix that, I added the following to the zone file:
> >
> > allow-update { 192.168.0.0/24; 127.0.0.1; };
> >
> > So, the question is this: is Samba honoring requests from the XP VM to
> > update the DNS? If so,
> > can I shut that off for a single host?
> >
> > If not Samba, it must be something else, but I don't know what.
> >
> > This is getting urgent. Users cannot access the SQL Server.
> >
> > I'm running Slackware64 14.2, Samba 4.4.13 and BIND 9.10.4-P6
> >
> > Thanks for any help.
> >
> > --Mark
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
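
Added example, not part of the thread: with `allow-update` open to a whole subnet, the named log is where an admin can see which client rewrote a hand-entered record. The sketch below scans log lines for dynamic updates that touch a pinned A record and counts refused updates per client. The "updating zone" line format is an assumption about how named logs accepted updates (the address may be absent in some versions), `audit` and `PINNED` are hypothetical names, and every sample line except the first is constructed.

```python
import re

# Hand-entered records that should never change (name and address from the thread).
PINNED = {"traverse.hprs.local": "192.168.0.2"}

# Assumed format of named's log line for an accepted dynamic update.
UPDATE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: updating zone '[^']+': "
    r"(?P<op>adding an RR|deleting an RR|deleting rrset) at '(?P<name>[^']+)' "
    r"(?P<type>\S+)(?: (?P<rdata>\S+))?")
# Format of the refused update quoted in the post.
DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update '[^']+' denied")

def audit(lines, pinned=PINNED):
    """Return (changes to pinned A records, refused-update count per client)."""
    overwrites, denied = [], {}
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            denied[m["ip"]] = denied.get(m["ip"], 0) + 1
            continue
        m = UPDATE_RE.search(line)
        if not m or m["type"] != "A":
            continue
        name = m["name"].rstrip(".").lower()
        if name not in pinned:
            continue
        # A delete, or an add whose address differs (or is not logged), is drift.
        if m["op"].startswith("deleting") or m["rdata"] != pinned[name]:
            overwrites.append((m["ip"], m["op"], name, m["rdata"]))
    return overwrites, denied

# First line is from the post; the rest are constructed, including the client addresses.
SAMPLE_LOG = [
    "Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied",
    "May  1 20:10:02 mail named[792]: client 192.168.0.101#58031: updating zone 'hprs.local/IN': adding an RR at 'WS101.hprs.local' A 192.168.0.101",
    "May  1 21:02:11 mail named[792]: client 192.168.0.2#49152: updating zone 'hprs.local/IN': deleting rrset at 'TRAVERSE.hprs.local' A",
    "May  1 21:02:11 mail named[792]: client 192.168.0.2#49152: updating zone 'hprs.local/IN': adding an RR at 'TRAVERSE.hprs.local' A 10.0.2.15",
]

if __name__ == "__main__":
    changes, refused = audit(SAMPLE_LOG)
    for ip, op, name, rdata in changes:
        print(f"{ip} {op} {name} -> {rdata}")
    print("refused updates:", refused)
```
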