rschiefer at suturehealth.com
2018-May-22 15:28 UTC
[Samba] Invalid zone operation IsSigned ERROR
Versions: Samba 4.3.11-Ubuntu Ubuntu: 16.04 and 14.04 NOT using bind for DNS. 3 Domain Controllers: dc-1 dc-2 identity-c01 Using the DNS tool on Windows, or the command: samba-tool dns query localhost xxxx.com <http://xxxx.com> @ ALL -U xxxx causes the queried samba service to crash with the following output in the syslog: May 22 15:17:54 dc-1 samba[1115]: [2018/05/22 15:17:54.590059, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1086(dnsserver_query_zone ) May 22 15:17:56 dc-1 samba[1115]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigned============================================================== May 22 15:17:56 dc-1 samba[1115]: [2018/05/22 15:17:56.225586, 0] ../lib/util/fault.c:79(fault_report) May 22 15:17:56 dc-1 samba[1115]: INTERNAL ERROR: Signal 11 in pid 1115 (4.3.11-Ubuntu) May 22 15:17:56 dc-1 samba[1115]: Please read the Trouble-Shooting section of the Samba HOWTO May 22 15:17:56 dc-1 samba[1115]: [2018/05/22 15:17:56.225615, 0] ../lib/util/fault.c:81(fault_report) May 22 15:17:56 dc-1 samba[1115]: ============================================================== May 22 15:17:56 dc-1 samba[1115]: [2018/05/22 15:17:56.225640, 0] ../lib/util/fault.c:151(smb_panic_default) May 22 15:17:56 dc-1 samba[1115]: PANIC: internal error May 22 15:18:02 dc-1 samba[1091]: [2018/05/22 15:18:02.683480, 0] ../source4/smbd/process_standard.c:127(standard_child_pipe_handler) May 22 15:18:02 dc-1 samba[1091]: Child 1115 (rpc) terminated with signal 6 May 22 15:18:08 dc-1 smbd[1256]: [2018/05/22 15:18:08.872383, 1] ../source3/rpc_server/rpc_ncacn_np.c:773(make_external_rpc_pipe) To me this points to a corrupt record in DNS. Does anyone have any suggestions on how I can clean up the DNS records when querying the service crashes it? For what it's worth, we have snapshots of dc-1 and dc-2 that are not corrupt, but if we bring identity-c01 online, it replicates the corrupt records down to dc-1 and dc-2, causing this failure to propagate across all domain controllers. Thanks for any help or suggestions. Robb
On Tue, 22 May 2018 10:28:43 -0500 Robb Schiefer via samba <samba at lists.samba.org> wrote:> Versions: > > Samba 4.3.11-Ubuntu > > Ubuntu: 16.04 and 14.04 > > > > NOT using bind for DNS. > > > > 3 Domain Controllers: > > dc-1 > > dc-2 > > identity-c01 > > > > Using the DNS tool on Windows, or the command: > > samba-tool dns query localhost xxxx.com <http://xxxx.com> @ ALL -U > xxxxWhere does this come from ----------------^^^^^^^^^^^^^^^^^ ? Can you post your smb.conf from both DCs Rowland
On Tue, 22 May 2018 11:00:05 -0500 rschiefer at suturehealth.com wrote:> The xxxx.com is just sanitization of our logs/data.You posted a samba-tool command, the '<http://xxxx.com>' shouldn't be part of the command.> > Here you go: > > -------------------------------------------------- > # Global parameters > [global] > workgroup = xxxx > realm = xxxx.com > netbios name = DC-1 > server role = active directory domain controller > server services = dns, dnsupdate, drepl, kcc, kdc, ldap, > cldap, nbt, drepl, wrepl, rpc, s3fs, winbinddWhere did 'ntp_signd' go to ? Just remove the line and it will come back ;-)> allow dns updates = nonsecure > dns forwarder = 8.8.4.4 > idmap_ldb:use rfc2307 = yes > > kerberos method = secrets and keytab > ldap server require strong auth = no > client ldap sasl wrapping = plain > > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > > logging = syslog at 1 > log level = 1 > > [netlogon] > path = /var/lib/samba/sysvol/xxxx.com/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > -------------------------------------------------- > # Global parameters > [global] > workgroup = xxxx > realm = xxxx.com > netbios name = IDENTITY-C01 > server role = active directory domain controller > dns forwarder = 8.8.8.8 > idman_ldb:use rfc2307 = yesThat should be 'idmap_ldb'> > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > > ldap server require strong auth = no > > log level = 1 > syslog = 1 > syslog only = yes > > idmap config *:backend = rid > idmap config *:range = 5000-100000 > #idmap config xxxx:backend = rid > #idmap config xxxx:range = 2000-999999 > #idmap backend = idmap_rid:xxxx=2000-999999 > #idmap uid = 2000-999900 > #idmap gid = 2000-999999Remove all the 'idmap config' lines, they have no place on a DC> winbind use default domain = yesThe above doesn't work on a DC> winbind enum users = yes > winbind enum groups = yes > winbind nested groups = yes > winbind expand groups = 10 > #winbind refresh tickets = yes > template homedir = /home/%U > template shell = /bin/bash > > [netlogon] > path = /var/lib/samba/sysvol/xxxx.com/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No >Rowland
On Tue, 22 May 2018 11:30:33 -0500 rschiefer at suturehealth.com wrote:> Oh, that was added when I pasted, its actually "samba-tool dns query > localhost xxxx.com @ ALL". >In which case, you definitely have a problem, that command (altered for my domain) works on my DCs Can I suggest you make the changes I referred to, then (after restarting Samba), run 'samba-tool dbcheck' Rowland
On Tue, 22 May 2018 12:13:23 -0500 rschiefer at suturehealth.com wrote:> Made suggested conf changes, restarted samba-ad-dc, ran dbcheck, > fixed errors and still getting the same "Invalid zone operation > IsSigned" error. >Lets check a few other things, can you post the contents of the following (from both DCs): /etc/hostname /etc/hosts /etc/resolv.conf /etc/krb5.conf Is apparmor running ? Do both DCs show the same time and is this the same time as on the clients ? Is ntp running on the DCs ? Rowland
On Tue, 22 May 2018 13:34:28 -0500 rschiefer at suturehealth.com wrote:> /etc/hostname:Nothing wrong there.> /etc/hosts:Nothing wrong> /etc/resolv.conf: > --------------------------------- > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by > resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES > WILL BE OVERWRITTEN nameserver 10.57.2.21 > search xxxx.comNothing wrong data wise, but I wouldn't let anything be able to change /etc/resolv.conf> /etc/krb5.confThis only needs to be: [libdefaults] default realm = XXXX.COM dns_lookup_realm = false dns_lookup_kdc = true There seems to only three things different between your set up and mine. The Samba version, the dns server and the OS. The OS shouldn't come into it, except for the Samba version, 4.3.x is, as far as Samba is concerned, EOL, so if it is something in your version, it very unlikely to get fixed, mainly because it might already be fixed in a later version. I have never used the internal dns server, but I seem to remember there being problems with it and RSAT, but it should work with samba-tool. Rowland
On Tue, 22 May 2018 15:44:49 -0500 rschiefer at suturehealth.com wrote:> I noticed the krb5 service is not running on DC-1. Is that needed? > Is it needed on all the DCs? > > I can get it running if I run the "kdb5_util create" command.Are you running a kerberos server separately on each DC ? If you are, I suggest a quick 'apt-get purge <what you installed to get the kerberos server>'. You should only have kerberos client packages installed. What packages did you install to get Samba working on the DCs ? You should have something like these: attr samba smbclient dnsutils acl krb5-user ntp winbind You will also need these to use a DC as a fileserver: libpam-winbind libpam-krb5 libnss-winbind You can check if Samba kerberos is running with: netstat -an | grep :88 It should produce something like this: tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN tcp6 0 0 :::88 :::* LISTEN udp 0 0 192.168.0.6:88 0.0.0.0:* udp 0 0 0.0.0.0:88 0.0.0.0:* udp6 0 0 :::88 :::* Rowland
On Wed, 23 May 2018 05:12:36 -0500 rschiefer at suturehealth.com wrote:> No the Kerberos server was only installed on DC-1 but not running. > > I didn't set any of this up, inherited it with the new job. I > suspect they attempted to run a Kerberos server at some point but > abandoned it in a broken state. > > Yes, we have all the packages you suggest. > > Samba Kerberos is running. > > We have a VM snapshot of DC-1 in a working state. If I stop samba on > Identity-c01 and restore the snapshot it works perfectly but as soon > as I start Identity-c01 back up DC-1 goes back to having the error. > I assume Identity-C01 is replicating some bad state to DC-1 and > breaking it. Is there some way to force replication from DC-1 to > identity-c01 first to avoid this? Or, is there something I can > compare between the DC-1 working state against the broken state to > troubleshoot further? >There are various 'samba-tool' commands you can run: 'samba-tool ldapcmp' which will compare the databases 'samba-tool drs showrepl' which shows replication status 'samba-tool drs relicate' which will replicate NCs between DCs Just add '--help' on the end of the samba-tool for more information. It might just be easier to demote 'Identity-c01' and then set up a new DC, but if you do this, do not use the same hostname & IP. Rowland