Ian Coetzee
2017-Oct-24 11:51 UTC
[Samba] Samba 4.6.8 (Non packaged version) dns update issue
Hi Rowland,

Sure, I have pastebinned the configs (and done some public ip masking)

DC1 - bind config
https://www.jacklin.co.za/privatebin/?be125b7e578c53d4#q9nGwU3f9Tz7wtHLTf3UIcFhz/GIJjryq6/cN2rip1k
DC2 - bind config
https://www.jacklin.co.za/privatebin/?c1c921a4289a4e91#URHcPgK0B1fgeoTCeWXL6QDKdUxR6YpHZ1dcwXR44Iw

DC1 - Samba Config
https://www.jacklin.co.za/privatebin/?ed9cb025a144be44#NA4HNPN/ms8wZfxWI9FaPN4TZpGA7DhB/d/VCXakR4E
DC2 - Samba Config
https://www.jacklin.co.za/privatebin/?ab6a4260f9c0dc5e#ogp+o+xRmd4tMJYNaHZFEZPcvqqzyDPIJARe2W6FnDI

Kind regards

On 24 October 2017 at 12:45, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 24 Oct 2017 12:05:14 +0200
> Ian Coetzee via samba <samba at lists.samba.org> wrote:
>
>> Hi Guys,
>>
>> I am running into an issue here.
>>
>> We have 2 domain controllers using BIND_DLZ as dns backend
>>
>> OS: CentOS 6.9
>> Samba version: Samba 4.6.8 self compiled on another host and
>> distributed internally as RPM packages
>> Bind version: BIND 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4
>>
>> Almost daily I need to restart the named process (service named
>> restart) to make dynamic dns updates from the member servers (mix of
>> linux and windows) and desktops (windows) working.
>>
>> Note that I have changed some of the hostnames for security sake
>> (paranoia strikes again)
>>
>> Before the restart I get:
>> [root at archive1 ~]# net ads dns register -Uianc
>> Enter ianc's password:
>> DNS Update for archive1.[DOM_FQDN] failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed!
>> [root at archive1 ~]# net ads info
>> LDAP server: 10.10.10.4
>> LDAP server name: dc2.[DOM_FQDN]
>> Realm: [DOM_FQDN]
>> Bind Path: []
>> LDAP port: 389
>> Server time: Tue, 24 Oct 2017 08:14:49 UTC
>> KDC server: 10.10.10.4
>> Server time offset: 0
>> Last machine account password change: Tue, 24 Oct 2017 07:24:11 UTC
>> [root at archive1 ~]# net -V
>> Version 4.6.2
>> [root at archive1 ~]# cat /etc/redhat-release
>> CentOS Linux release 7.4.1708 (Core)
>>
>> I then restart bind on the relevant DC
>> 10:14:59 [ianc at dc2 ~]$ sudo service named restart
>> [sudo] password for ianc:
>> Stopping named: . [ OK ]
>> Starting named: [ OK ]
>>
>> After the restart
>> [root at archive1 ~]# net ads dns register -Uianc
>> Enter ianc's password:
>> Successfully registered hostname with DNS
>>
>> Has anybody else experienced an issue like this?
>>
>> I haven't found anything in the logs pointing me where to look.
>>
>> I am trying the samba list first. I will cross post to bind list if we
>> are out of ideas here.
>>
>> Kind regards
>>
>
> Will you please post your Bind conf files.
> Also the smb.conf from the DCs
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2017-Oct-24 12:33 UTC
[Samba] Samba 4.6.8 (Non packaged version) dns update issue
On Tue, 24 Oct 2017 13:51:27 +0200
Ian Coetzee <samba at iancoetzee.za.net> wrote:
> Hi Rowland,
>
> Sure, I have pastebinned the configs (and done some public ip masking)
> DC1 - bind config
> https://www.jacklin.co.za/privatebin/?be125b7e578c53d4#q9nGwU3f9Tz7wtHLTf3UIcFhz/GIJjryq6/cN2rip1k
> DC2 - bind config
> https://www.jacklin.co.za/privatebin/?c1c921a4289a4e91#URHcPgK0B1fgeoTCeWXL6QDKdUxR6YpHZ1dcwXR44Iw
>
> DC1 - Samba Config
> https://www.jacklin.co.za/privatebin/?ed9cb025a144be44#NA4HNPN/ms8wZfxWI9FaPN4TZpGA7DhB/d/VCXakR4E
> DC2 - Samba Config
> https://www.jacklin.co.za/privatebin/?ab6a4260f9c0dc5e#ogp+o+xRmd4tMJYNaHZFEZPcvqqzyDPIJARe2W6FnDI
>

There isn't much wrong there, except:

What is in '/etc/named/zones/internal.zones' ?

do you really need 'response-policy { zone "zone-overrides"; };' ?

I would try removing 'allow-update { none; };'

This is from my named conf files:

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;

        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.2; 127.0.0.1; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

Rowland
Ian Coetzee
2017-Oct-24 12:45 UTC
[Samba] Samba 4.6.8 (Non packaged version) dns update issue
On 24 October 2017 at 14:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 24 Oct 2017 13:51:27 +0200
> Ian Coetzee <samba at iancoetzee.za.net> wrote:
>
>> Hi Rowland,
>>
>> Sure, I have pastebinned the configs (and done some public ip masking)
>> DC1 - bind config
>> https://www.jacklin.co.za/privatebin/?be125b7e578c53d4#q9nGwU3f9Tz7wtHLTf3UIcFhz/GIJjryq6/cN2rip1k
>> DC2 - bind config
>> https://www.jacklin.co.za/privatebin/?c1c921a4289a4e91#URHcPgK0B1fgeoTCeWXL6QDKdUxR6YpHZ1dcwXR44Iw
>>
>> DC1 - Samba Config
>> https://www.jacklin.co.za/privatebin/?ed9cb025a144be44#NA4HNPN/ms8wZfxWI9FaPN4TZpGA7DhB/d/VCXakR4E
>> DC2 - Samba Config
>> https://www.jacklin.co.za/privatebin/?ab6a4260f9c0dc5e#ogp+o+xRmd4tMJYNaHZFEZPcvqqzyDPIJARe2W6FnDI
>>
>
> There isn't much wrong there, except:
>
> What is in '/etc/named/zones/internal.zones' ?
>
> do you really need 'response-policy { zone "zone-overrides"; };' ?
>
> I would try removing 'allow-update { none; };'
>
> This is from my named conf files:
>
> options {
>         directory "/var/cache/bind";
>         version "0.0.7";
>         notify no;
>         empty-zones-enable no;
>         allow-query { 127.0.0.1; 192.168.0.0/24; };
>         allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>         forwarders { 8.8.8.8; };
>         allow-transfer { none; };
>         dnssec-validation no;
>         dnssec-enable no;
>
>         listen-on-v6 { none; };
>         listen-on port 53 { 192.168.0.2; 127.0.0.1; };
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> };
>
> Rowland

Hi Rowland,

Firstly, I would like to apologise to you and the list for my top post and the reply to all; I seem to have forgotten my ML etiquette.

I inherited the configs from my predecessor; there was probably a good reason for the response-policy directive.

I will disable the "allow-update { none; };" and see if that makes a difference. Thank you.

/etc/named/zones/internal.zones contains legacy static zones as well as some override zones to make web filtering easier. I can post the config if you want.

Kind regards
Ian Coetzee
2017-Oct-24 12:52 UTC
[Samba] Samba 4.6.8 (Non packaged version) dns update issue
On 24 October 2017 at 14:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 24 Oct 2017 13:51:27 +0200
> Ian Coetzee <samba at iancoetzee.za.net> wrote:
>
>> Hi Rowland,
>>
>> Sure, I have pastebinned the configs (and done some public ip masking)
>> DC1 - bind config
>> https://www.jacklin.co.za/privatebin/?be125b7e578c53d4#q9nGwU3f9Tz7wtHLTf3UIcFhz/GIJjryq6/cN2rip1k
>> DC2 - bind config
>> https://www.jacklin.co.za/privatebin/?c1c921a4289a4e91#URHcPgK0B1fgeoTCeWXL6QDKdUxR6YpHZ1dcwXR44Iw
>>
>> DC1 - Samba Config
>> https://www.jacklin.co.za/privatebin/?ed9cb025a144be44#NA4HNPN/ms8wZfxWI9FaPN4TZpGA7DhB/d/VCXakR4E
>> DC2 - Samba Config
>> https://www.jacklin.co.za/privatebin/?ab6a4260f9c0dc5e#ogp+o+xRmd4tMJYNaHZFEZPcvqqzyDPIJARe2W6FnDI
>>
>
> There isn't much wrong there, except:
>
> What is in '/etc/named/zones/internal.zones' ?
>
> do you really need 'response-policy { zone "zone-overrides"; };' ?
>
> I would try removing 'allow-update { none; };'
>
> This is from my named conf files:
>
> options {
>         directory "/var/cache/bind";
>         version "0.0.7";
>         notify no;
>         empty-zones-enable no;
>         allow-query { 127.0.0.1; 192.168.0.0/24; };
>         allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>         forwarders { 8.8.8.8; };
>         allow-transfer { none; };
>         dnssec-validation no;
>         dnssec-enable no;
>
>         listen-on-v6 { none; };
>         listen-on port 53 { 192.168.0.2; 127.0.0.1; };
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> };
>
> Rowland

Hi Rowland,

I just noticed, while I was removing the "allow-update { none; };" directive, that the directive is only present on dc1. Yet as luck would have it, the server in my example was trying to push the update to dc2.

Contents of /etc/named/zones/internal.zones
https://www.jacklin.co.za/privatebin/?39cb9c2d39a5a6cb#BRBE/5LatQ4mcXd/qXa0QBWODbMA9rLjizTJM1slqiA

Kind regards
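Two points in the thread lend themselves to an automated check: Rowland's review of the named.conf options block (is tkey-gssapi-keytab set for GSS-TSIG updates, is a global allow-update { none; } present, is response-policy still needed), and Ian's later discovery that the directive existed on only one of the two DCs, so the DC a member happened to pick decided whether the update worked. The script below is an added example written for this page; it is not code from the thread, from Samba or from ISC. It parses only the top-level options block with a small brace-aware splitter (enough for the configs shown here, not a full named.conf grammar), lints each DC's block, and diffs the two so configuration drift between DCs is visible. The DC1_CONF and DC2_CONF strings are constructed samples modelled on the thread, not the posted configs.

```python
"""Lint and diff the 'options { ... }' block of named.conf on Samba AD DCs
that use BIND_DLZ, looking for settings that interfere with GSS-TSIG
dynamic updates.  Added example; DC1_CONF/DC2_CONF are constructed."""
import re

# Constructed sample: DC1 carries the directives Rowland questioned.
DC1_CONF = """
// constructed sample, not the real dc1 config
options {
    directory "/var/named";
    listen-on port 53 { 10.10.10.3; 127.0.0.1; };
    allow-query { 10.10.10.0/24; 127.0.0.1; };
    allow-update { none; };
    response-policy { zone "zone-overrides"; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/etc/named/zones/internal.zones";
"""

# Constructed sample: DC2 is the same block without those two directives.
DC2_CONF = """
// constructed sample, not the real dc2 config
options {
    directory "/var/named";
    listen-on port 53 { 10.10.10.4; 127.0.0.1; };
    allow-query { 10.10.10.0/24; 127.0.0.1; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/etc/named/zones/internal.zones";
"""


def strip_comments(text):
    """Remove /* */ block comments and // or # line comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(^|\s)(//|#).*$", "", text, flags=re.M)


def extract_block(text, name):
    """Return the body of the top-level 'name { ... }' block, or None."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %s block" % name)
    return text[m.end():i - 1]


def parse_directives(body):
    """Split a block body into (keyword, value) pairs at ';' of depth 0."""
    out, depth, cur = [], 0, []
    for c in body:
        depth += {"{": 1, "}": -1}.get(c, 0)
        if c == ";" and depth == 0:
            stmt = "".join(cur).strip()
            if stmt:
                parts = re.split(r"\s+", stmt, maxsplit=1)
                out.append((parts[0], parts[1] if len(parts) > 1 else ""))
            cur = []
        else:
            cur.append(c)
    return out


def options_of(conf_text):
    """Top-level options directives as a dict (later duplicates win)."""
    body = extract_block(strip_comments(conf_text), "options")
    return None if body is None else dict(parse_directives(body))


def lint_options(conf_text, host):
    """Return a list of human-readable findings for one DC's options block."""
    opts = options_of(conf_text)
    if opts is None:
        return ["%s: no top-level options block found" % host]
    findings = []
    if "tkey-gssapi-keytab" not in opts:
        findings.append("%s: tkey-gssapi-keytab missing; GSS-TSIG updates "
                        "cannot be authenticated" % host)
    allow_update = opts.get("allow-update")
    if allow_update is not None and re.fullmatch(r"\{\s*none\s*;\s*\}", allow_update):
        findings.append("%s: global allow-update { none; } present; remove "
                        "and retest dynamic updates" % host)
    if "response-policy" in opts:
        findings.append("%s: response-policy in use (%s); confirm it is "
                        "still needed" % (host, opts["response-policy"]))
    return findings


def diff_options(conf_a, conf_b):
    """Sorted keywords whose value differs between two DCs' options blocks."""
    a, b = options_of(conf_a) or {}, options_of(conf_b) or {}
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    for host, conf in (("dc1", DC1_CONF), ("dc2", DC2_CONF)):
        for line in lint_options(conf, host) or ["%s: no findings" % host]:
            print(line)
    print("differs between dc1 and dc2:", diff_options(DC1_CONF, DC2_CONF))
```

Run it with the real files substituted for the two constants (for example after copying /etc/named.conf from each DC). The diff output is the part that would have shortened Ian's search: listen-on is expected to differ between DCs, but allow-update and response-policy appearing on only one side is exactly the drift that makes an intermittent fault depend on which DC a member server selects.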