samba - Nov 2017 - Some strange errors in logs

Hai, 

cat "/var/lib/samba/private/named.conf"  also please. 
And check if the correct bind9_dlz is enabled. 

dpkg -l | grep bind9
Jessie, should be 9.9 
Stretch should be 9.10
If this server was upgraded then you need to manualy adjust the file above. 
Looks to my bind9-dlz is enable in smb.conf but not loaded. 

cat /var/log/daemon.log | grep dlz
You should see thing like: 
samba_dlz: starting configure 
samba_dlz: configured writeable zone '... 
And make sure you see _msdcs.your.domain.tld 



Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Mariusz80 via samba
> Verzonden: vrijdag 10 november 2017 12:36
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Some strange errors in logs
> 
> Samba - General mailing list wrote
> > On Fri, 10 Nov 2017 02:55:44 -0700 (MST)
> > Mariusz80 via samba <
> 
> > samba at .samba
> 
> > > wrote:
> > 
> >> Hello there. 
> >> I need consultation and any advice about my log file.
> >> 
> >> I have some strange errors in my log file about "invalid zone
> >> operation" and "pad length mismatch. Calculated 44  got
0"
> on my DC1
> >> and DC2 samba Version 4.5.12-Debian
> >> smb.conf:
> >> [global]
> >>         workgroup = !!!
> >>         realm = !!!
> >>         netbios name = !!!
> >>         server role = active directory domain controller
> >>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >> drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>         idmap_ldb:use rfc2307 = yes
> >> 
> >> load printers = no
> >> printing = bsd
> >> printcap name = /dev/null
> >> disable spoolss = yes
> >> 
> >> log level = 1
> >> max log size = 1000
> >> log file = /var/log/samba/%m.log
> >> 
> >> lm announce = no
> >> client lanman auth = no
> >> 
> >> ntlm auth = yes
> >> lanman auth = no
> >> client ntlmv2 auth = yes
> >> 
> >> [netlogon]
> >>         path = /var/lib/samba/sysvol/dfm.biz.pl/scripts
> >>         read only = No
> >> 
> >> [sysvol]
> >>         path = /var/lib/samba/sysvol
> >>         read only = No
> >> 
> >> Sample log:
> >> [2017/11/09 11:22:46.190213,  0]
> >> 
> ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsser
> ver_query_zone)
> >>   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid
zone
> >> operation IsSigneddnsserver: Invalid zone operation 
> IsSigneddnsserver:
> >> Invalid zone operation IsSigneddnsserver: Invalid zone operation
> >> IsSigneddnsserver: Invalid zone operation 
> IsSigneddnsserver: Invalid
> >> zone operation IsSigneddnsserver: Invalid zone operation
> >> IsSigneddnsserver: Invalid zone operation 
> IsSigneddnsserver: Invalid
> >> zone operation IsSigned../librpc/rpc/dcerpc_util.c:227: ERROR: pad
> >> length mismatch. Calculated 44  got 0
> >> [2017/11/09 12:11:58.968226,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/09 12:28:13.768393,  0]
> >> 
> ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsser
> ver_query_zone)
> >>   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid
zone
> >> operation IsSigned../librpc/rpc/dcerpc_util.c:227: ERROR: 
> pad length
> >> mismatch. Calculated 44  got 0
> >> [2017/11/09 14:54:39.320660,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/09 15:02:11.878768,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/09 15:04:38.500247,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/09 15:28:39.928914,  0]
> >> 
> ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsser
> ver_query_zone)
> >>   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid
zone
> >> operation IsSigneddnsserver: Invalid zone operation 
> IsSigneddnsserver:
> >> Invalid zone operation IsSigned../librpc/rpc/dcerpc_util.c:227:
> >> ERROR: pad length mismatch. Calculated 44  got 0
> >> [2017/11/09 16:05:31.014135,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/09 21:53:03.428512,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/10 06:58:00.225241,  1]
> >> 
> ../source4/dsdb/kcc/garbage_collect_tombstones.c:68(garbage_co
> llect_tombstones_part)
> >>   Doing a full scan on DC=ForestDnsZones,DC=dfm,DC=biz,DC=pl and
> >> looking for deleted objects
> >> [2017/11/10 06:58:00.228111,  1]
> >> 
> ../source4/dsdb/kcc/garbage_collect_tombstones.c:68(garbage_co
> llect_tombstones_part)
> >>   Doing a full scan on DC=DomainDnsZones,DC=dfm,DC=biz,DC=pl and
> >> looking for deleted objects
> >> [2017/11/10 06:58:00.236321,  1]
> >> 
> ../source4/dsdb/kcc/garbage_collect_tombstones.c:68(garbage_co
> llect_tombstones_part)
> >>   Doing a full scan on CN=Configuration,DC=dfm,DC=biz,DC=pl and
> >> looking for deleted objects
> >> [2017/11/10 06:58:00.287988,  1]
> >> 
> ../source4/dsdb/kcc/garbage_collect_tombstones.c:68(garbage_co
> llect_tombstones_part)
> >>   Doing a full scan on DC=dfm,DC=biz,DC=pl and looking for deleted
> >> objects [2017/11/10 07:59:55.958736,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/10 08:07:18.247157,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/10 08:18:51.026675,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/10 08:18:51.026990,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/10 09:26:40.073870,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/10 09:26:40.074160,  1]
> >> ../librpc/rpc/dcerpc_util.c:227(dcerpc_pull_auth_trailer)
> >>   ../librpc/rpc/dcerpc_util.c:227: ERROR: pad length mismatch.
> >> Calculated 44 got 0
> >> [2017/11/10 09:46:51.945841,  0]
> >> 
> ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsser
> ver_query_zone)
> >> 
> >> I have also strange thing with SOA record. It is changing onself
to
> >> DC2 and later during the day or next day back to DC1. Is it normal
> >> behaviour ? What do you think about that ?
> >> ---
> >> Mariusz
> >> Thanks
> >> 
> >> 
> >> 
> >> --
> >> Sent from:
> >> http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
> >> 
> > 
> > Can you post all your BIND named.conf files
> > 
> > Rowland
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> Of course, here they are:
> /etc/bind/named.conf
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> 
> /etc/bind/named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
> 	type hint;
> 	file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse 
> zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
> 	type master;
> 	file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.255";
> };
> 
> /etc/bind/named.conf.local
> include "/var/lib/samba/private/named.conf";
> 
> /etc/bind/named.conf.options
> options {
>         directory "/var/cache/bind";
>         allow-query { any; };
>         forwarders { 10.10.10.2; };
>         allow-recursion { any; };
>         dnssec-validation no;
>         dnssec-enable no;
>         listen-on-v6 { none; };
>          listen-on port 53 { any; };
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> #auth-nxdomain no;
> };
> 
> ------------
> Thanks
> Mariusz
> 
> 
> 
> 
> --
> Sent from: 
> http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Samba - General mailing list wrote
> Hai, 
> 
> cat "/var/lib/samba/private/named.conf"  also please. 
> And check if the correct bind9_dlz is enabled. 
> 
> dpkg -l | grep bind9
> Jessie, should be 9.9 
> Stretch should be 9.10
> If this server was upgraded then you need to manualy adjust the file
> above. 
> Looks to my bind9-dlz is enable in smb.conf but not loaded. 
> 
> cat /var/log/daemon.log | grep dlz
> You should see thing like: 
> samba_dlz: starting configure 
> samba_dlz: configured writeable zone '... 
> And make sure you see _msdcs.your.domain.tld 
> 
> 
> Greetz, 
> Louis
Hi Louis
Yes the system was upgraded from Jessie to Stretch on DC1 but DC2 was built
from scratch on Debian Stretch 9.2

/var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    # database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
    # For BIND 9.10.x
     database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
    # For BIND 9.11.x
    # database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
dpkg -l | grep bind9 gives:

ii  bind9                             1:9.10.3.dfsg.P4-12.3+deb9u3   amd64
Internet Domain Name Server
ii  bind9-host                        1:9.10.3.dfsg.P4-12.3+deb9u3   amd64
Version of 'host' bundled with BIND 9.X
ii  bind9utils                        1:9.10.3.dfsg.P4-12.3+deb9u3   amd64
Utilities for BIND
ii  libbind9-140:amd64                1:9.10.3.dfsg.P4-12.3+deb9u3   amd64
BIND9 Shared Library used by BIND
ii  libbind9-90                       1:9.9.5.dfsg-9+deb8u14         amd64
BIND9 Shared Library used by BIND

cat /var/log/daemon.log | grep dlz
don't give:
samba_dlz: starting configure 
samba_dlz: configured writeable zone 
but there are a lot of records about started, update, committed or denied
transactions. 

named -V
BIND 9.10.3-P4-Debian
---
Thanks
Mariusz



--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html

On Fri, 10 Nov 2017 06:07:15 -0700 (MST)
Mariusz80 via samba <samba at lists.samba.org> wrote:
> Samba - General mailing list wrote
> > Hai, 
> > 
> > cat "/var/lib/samba/private/named.conf"  also please. 
> > And check if the correct bind9_dlz is enabled. 
> > 
> > dpkg -l | grep bind9
> > Jessie, should be 9.9 
> > Stretch should be 9.10
> > If this server was upgraded then you need to manualy adjust the file
> > above. 
> > Looks to my bind9-dlz is enable in smb.conf but not loaded. 
> > 
> > cat /var/log/daemon.log | grep dlz
> > You should see thing like: 
> > samba_dlz: starting configure 
> > samba_dlz: configured writeable zone '... 
> > And make sure you see _msdcs.your.domain.tld 
> > 
> > 
> > Greetz, 
> > Louis
> 
> Hi Louis
> Yes the system was upgraded from Jessie to Stretch on DC1 but DC2 was
> built from scratch on Debian Stretch 9.2
> 
> /var/lib/samba/private/named.conf
> dlz "AD DNS Zone" {
>     # For BIND 9.8.x
>     # database
> "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so"; #
For
> BIND 9.9.x # database "dlopen
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>     # For BIND 9.10.x
>      database "dlopen
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
>     # For BIND 9.11.x
>     # database "dlopen
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
> };
> dpkg -l | grep bind9 gives:
> 
> ii  bind9                             1:9.10.3.dfsg.P4-12.3+deb9u3
> amd64 Internet Domain Name Server
> ii  bind9-host                        1:9.10.3.dfsg.P4-12.3+deb9u3
> amd64 Version of 'host' bundled with BIND 9.X
> ii  bind9utils                        1:9.10.3.dfsg.P4-12.3+deb9u3
> amd64 Utilities for BIND
> ii  libbind9-140:amd64                1:9.10.3.dfsg.P4-12.3+deb9u3
> amd64 BIND9 Shared Library used by BIND
> ii  libbind9-90                       1:9.9.5.dfsg-9+deb8u14
> amd64 BIND9 Shared Library used by BIND
>
Shouldn't libbind9-90 be libbind9-140 (1:9.10.3.dfsg.P4-12.3+deb9u3) ?

Rowland

+1 "penny" :-) :-) for my thoughts..  :-p  

But yes, that should fix it. 
I also suggest, review your logs, you wil notice more messages. 
Rsyslog/apt/snmp/postfix/ntp need manual changes after the upgrade. 
At least these, maybe more but these are the one i've encountered. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: vrijdag 10 november 2017 14:44
> Aan: samba at lists.samba.org
> CC: Mariusz80
> Onderwerp: Re: [Samba] Some strange errors in logs
> 
> On Fri, 10 Nov 2017 06:07:15 -0700 (MST)
> Mariusz80 via samba <samba at lists.samba.org> wrote:
> 
> > Samba - General mailing list wrote
> > > Hai, 
> > > 
> > > cat "/var/lib/samba/private/named.conf"  also please. 
> > > And check if the correct bind9_dlz is enabled. 
> > > 
> > > dpkg -l | grep bind9
> > > Jessie, should be 9.9 
> > > Stretch should be 9.10
> > > If this server was upgraded then you need to manualy 
> adjust the file
> > > above. 
> > > Looks to my bind9-dlz is enable in smb.conf but not loaded. 
> > > 
> > > cat /var/log/daemon.log | grep dlz
> > > You should see thing like: 
> > > samba_dlz: starting configure 
> > > samba_dlz: configured writeable zone '... 
> > > And make sure you see _msdcs.your.domain.tld 
> > > 
> > > 
> > > Greetz, 
> > > Louis
> > 
> > Hi Louis
> > Yes the system was upgraded from Jessie to Stretch on DC1 
> but DC2 was
> > built from scratch on Debian Stretch 9.2
> > 
> > /var/lib/samba/private/named.conf
> > dlz "AD DNS Zone" {
> >     # For BIND 9.8.x
> >     # database
> > "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
# For
> > BIND 9.9.x # database "dlopen
> > /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> >     # For BIND 9.10.x
> >      database "dlopen
> > /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
> >     # For BIND 9.11.x
> >     # database "dlopen
> > /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
> > };
> > dpkg -l | grep bind9 gives:
> > 
> > ii  bind9                             1:9.10.3.dfsg.P4-12.3+deb9u3
> > amd64 Internet Domain Name Server
> > ii  bind9-host                        1:9.10.3.dfsg.P4-12.3+deb9u3
> > amd64 Version of 'host' bundled with BIND 9.X
> > ii  bind9utils                        1:9.10.3.dfsg.P4-12.3+deb9u3
> > amd64 Utilities for BIND
> > ii  libbind9-140:amd64                1:9.10.3.dfsg.P4-12.3+deb9u3
> > amd64 BIND9 Shared Library used by BIND
> > ii  libbind9-90                       1:9.9.5.dfsg-9+deb8u14
> > amd64 BIND9 Shared Library used by BIND
> >
> 
> Shouldn't libbind9-90 be libbind9-140 (1:9.10.3.dfsg.P4-12.3+deb9u3) ?
> 
> Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>