samba - May 2018 - Invalid zone operation IsSigned ERROR

Versions: 

Samba 4.3.11-Ubuntu

Ubuntu: 16.04 and 14.04

 

NOT using bind for DNS.

 

3 Domain Controllers:

dc-1

dc-2

identity-c01

 

Using the DNS tool on Windows, or the command:

samba-tool dns query localhost xxxx.com <http://xxxx.com>  @ ALL -U xxxx

 

causes the queried samba service to crash with the following output in the
syslog:

May 22 15:17:54 dc-1 samba[1115]: [2018/05/22 15:17:54.590059,  0]
../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1086(dnsserver_query_zone
)

May 22 15:17:56 dc-1 samba[1115]:   dnsserver: Invalid zone operation
IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone
operation IsSigneddnsserver: Invalid zone operation
IsSigned==============================================================
May 22 15:17:56 dc-1 samba[1115]: [2018/05/22 15:17:56.225586,  0]
../lib/util/fault.c:79(fault_report)

May 22 15:17:56 dc-1 samba[1115]:   INTERNAL ERROR: Signal 11 in pid 1115
(4.3.11-Ubuntu)

May 22 15:17:56 dc-1 samba[1115]:   Please read the Trouble-Shooting section
of the Samba HOWTO

May 22 15:17:56 dc-1 samba[1115]: [2018/05/22 15:17:56.225615,  0]
../lib/util/fault.c:81(fault_report)

May 22 15:17:56 dc-1 samba[1115]:
==============================================================
May 22 15:17:56 dc-1 samba[1115]: [2018/05/22 15:17:56.225640,  0]
../lib/util/fault.c:151(smb_panic_default)

May 22 15:17:56 dc-1 samba[1115]:   PANIC: internal error

May 22 15:18:02 dc-1 samba[1091]: [2018/05/22 15:18:02.683480,  0]
../source4/smbd/process_standard.c:127(standard_child_pipe_handler)

May 22 15:18:02 dc-1 samba[1091]:   Child 1115 (rpc) terminated with signal
6

May 22 15:18:08 dc-1 smbd[1256]: [2018/05/22 15:18:08.872383,  1]
../source3/rpc_server/rpc_ncacn_np.c:773(make_external_rpc_pipe)

 

 

To me this points to a corrupt record in DNS. Does anyone have any
suggestions on how I can clean up the DNS records when querying the service
crashes it?

 

For what it's worth, we have snapshots of dc-1 and dc-2 that are not
corrupt, but if we bring identity-c01 online, it replicates the corrupt
records down to dc-1 and dc-2, causing this failure to propagate across all
domain controllers.

 

Thanks for any help or suggestions.

 

 

Robb

On Tue, 22 May 2018 10:28:43 -0500
Robb Schiefer via samba <samba at lists.samba.org> wrote:
> Versions: 
> 
> Samba 4.3.11-Ubuntu
> 
> Ubuntu: 16.04 and 14.04
> 
>  
> 
> NOT using bind for DNS.
> 
>  
> 
> 3 Domain Controllers:
> 
> dc-1
> 
> dc-2
> 
> identity-c01
> 
>  
> 
> Using the DNS tool on Windows, or the command:
> 
> samba-tool dns query localhost xxxx.com <http://xxxx.com>  @ ALL -U
> xxxx
Where does this come from ----------------^^^^^^^^^^^^^^^^^ ?

Can you post your smb.conf from both DCs

Rowland

On Tue, 22 May 2018 11:00:05 -0500
rschiefer at suturehealth.com wrote:
> The xxxx.com is just sanitization of our logs/data.
You posted a samba-tool command, the '<http://xxxx.com>'
shouldn't be
part of the command.
> 
> Here you go:
> 
> --------------------------------------------------
> # Global parameters
> [global]
>         workgroup = xxxx
>         realm = xxxx.com
>         netbios name = DC-1
>         server role = active directory domain controller
>         server services = dns, dnsupdate, drepl, kcc, kdc, ldap,
> cldap, nbt, drepl, wrepl, rpc, s3fs, winbindd
Where did 'ntp_signd' go to ?
Just remove the line and it will come back ;-)
>         allow dns updates = nonsecure
>         dns forwarder = 8.8.4.4
>         idmap_ldb:use rfc2307 = yes
> 
>         kerberos method = secrets and keytab
>         ldap server require strong auth = no
>         client ldap sasl wrapping = plain
> 
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 
>         logging = syslog at 1
>         log level = 1
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/xxxx.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> --------------------------------------------------
> # Global parameters
> [global]
>         workgroup = xxxx
>         realm = xxxx.com
>         netbios name = IDENTITY-C01
>         server role = active directory domain controller
>         dns forwarder = 8.8.8.8
>         idman_ldb:use rfc2307 = yes
That should be 'idmap_ldb'
> 
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 
>         ldap server require strong auth = no
> 
>         log level = 1
>         syslog = 1
>         syslog only = yes
> 
>         idmap config *:backend = rid
>         idmap config *:range = 5000-100000
>         #idmap config xxxx:backend = rid
>         #idmap config xxxx:range = 2000-999999
>         #idmap backend = idmap_rid:xxxx=2000-999999
>         #idmap uid = 2000-999900
>         #idmap gid = 2000-999999
Remove all the 'idmap config' lines, they have no place on a DC
>         winbind use default domain = yes
The above doesn't work on a DC
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind nested groups = yes
>         winbind expand groups = 10
>         #winbind refresh tickets = yes
>         template homedir = /home/%U
>         template shell = /bin/bash
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/xxxx.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
Rowland

On Tue, 22 May 2018 11:30:33 -0500
rschiefer at suturehealth.com wrote:
> Oh, that was added when I pasted, its actually "samba-tool dns query
> localhost xxxx.com @ ALL".
> 
In which case, you definitely have a problem, that command (altered for
my domain) works on my DCs

Can I suggest you make the changes I referred to, then (after
restarting Samba), run 'samba-tool dbcheck'

Rowland

On Tue, 22 May 2018 12:13:23 -0500
rschiefer at suturehealth.com wrote:
> Made suggested conf changes, restarted samba-ad-dc, ran dbcheck,
> fixed errors and still getting the same "Invalid zone operation
> IsSigned" error.
> 
Lets check a few other things, can you post the contents of the
following (from both DCs):

/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf

Is apparmor running ?
Do both DCs show the same time and is this the same time as on the
clients ?
Is ntp running on the DCs ?

Rowland

On Tue, 22 May 2018 13:34:28 -0500
rschiefer at suturehealth.com wrote:
> /etc/hostname:
Nothing wrong there.
 
> /etc/hosts:
Nothing wrong
> /etc/resolv.conf:
> ---------------------------------
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8) #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES
> WILL BE OVERWRITTEN nameserver 10.57.2.21
> search xxxx.com
Nothing wrong data wise, but I wouldn't let anything be able to
change /etc/resolv.conf
 
> /etc/krb5.conf
This only needs to be:

[libdefaults]
    default realm = XXXX.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

There seems to only three things different between your set up and
mine. The Samba version, the dns server and the OS. The OS shouldn't
come into it, except for the Samba version, 4.3.x is, as far as Samba
is concerned, EOL, so if it is something in your version, it very
unlikely to get fixed, mainly because it might already be fixed in a
later version.
I have never used the internal dns server, but I seem to remember
there being problems with it and RSAT, but it should work with
samba-tool.

Rowland

On Tue, 22 May 2018 15:44:49 -0500
rschiefer at suturehealth.com wrote:
> I noticed the krb5 service is not running on DC-1.  Is that needed?
> Is it needed on all the DCs?
> 
> I can get it running if I run the "kdb5_util create" command.
Are you running a kerberos server separately on each DC ?

If you are, I suggest a quick 'apt-get purge <what you installed to
get the kerberos server>'. You should only have kerberos client
packages installed.

What packages did you install to get Samba working on the DCs ?

You should have something like these:

attr samba smbclient dnsutils acl krb5-user ntp winbind

You will also need these to use a DC as a fileserver:

libpam-winbind libpam-krb5 libnss-winbind

You can check if Samba kerberos is running with:

netstat -an | grep :88

It should produce something like this:

tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN     
tcp6       0      0 :::88                   :::*                    LISTEN     
udp        0      0 192.168.0.6:88          0.0.0.0:*                          
udp        0      0 0.0.0.0:88              0.0.0.0:*                          
udp6       0      0 :::88                   :::* 

Rowland

On Wed, 23 May 2018 05:12:36 -0500
rschiefer at suturehealth.com wrote:
> No the Kerberos server was only installed on DC-1 but not running.
> 
> I didn't set any of this up, inherited it with the new job.  I
> suspect they attempted to run a Kerberos server at some point but
> abandoned it in a broken state.
> 
> Yes, we have all the packages you suggest.
> 
> Samba Kerberos is running.
> 
> We have a VM snapshot of DC-1 in a working state.  If I stop samba on
> Identity-c01 and restore the snapshot it works perfectly but as soon
> as I start Identity-c01 back up DC-1 goes back to having the error.
> I assume Identity-C01 is replicating some bad state to DC-1 and
> breaking it.  Is there some way to force replication from DC-1 to
> identity-c01 first to avoid this?  Or, is there something I can
> compare between the DC-1 working state against the broken state to
> troubleshoot further?
> 
There are various 'samba-tool' commands you can run:

'samba-tool ldapcmp' which will compare the databases
'samba-tool drs showrepl' which shows replication status
'samba-tool drs relicate' which will replicate NCs between DCs

Just add '--help' on the end of the samba-tool for more information.

It might just be easier to demote 'Identity-c01' and then set up a new
DC, but if you do this, do not use the same hostname & IP.

Rowland