Hi Rowland,

I didn't build samba, I'm running the sernet packages,

# rpm -qa | grep sernet
sernet-samba-libsmbclient0-4.8.6-16.el7.x86_64
sernet-samba-ad-4.8.6-16.el7.x86_64
sernet-samba-libs-4.8.6-16.el7.x86_64
sernet-samba-client-4.8.6-16.el7.x86_64
sernet-samba-winbind-4.8.6-16.el7.x86_64
sernet-samba-common-4.8.6-16.el7.x86_64
sernet-samba-4.8.6-16.el7.x86_64

I don't mind having to remove and rebuild bind, but...
Excuse my ignorance, but what I don't understand is that I have a test DC with random zones/data and migrating from INTERNAL DNS to BIND9 wasn't an issue. The only difference between the two environments is that my test site has 1 DC and my prod is 7 DCs. My test environment is working 100% as is, same packages as prod.

Kind Regards

On Wed, Oct 31, 2018 at 7:35 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 31 Oct 2018 18:36:52 +0200
> Eben Victor <eben.victor at gmail.com> wrote:
>
> > Hello Rowland,
> >
> > I have already checked and the DNs are in AD, see attached.
> >
> > SOA:
> > <domain>.corp. 3600 IN SOA psad102zadprh.<domain>.corp. . 9766 3600 600 86400 3600
> >
> > See below NS, but the 1st NS (zatprdc001) doesn't exist, and I cannot find it anywhere.
> > NS:
> > <domain>.corp. 3600 IN NS zatprdc001.<domain>.corp.
> > <domain>.corp. 3600 IN NS psad102zadprh.<domain>.corp.
> > <domain>.corp. 3600 IN NS prdc001zacprh.<domain>.corp.
> > <domain>.corp. 3600 IN NS prdc001zafsrh.<domain>.corp.
> > <domain>.corp. 3600 IN NS prdc001zatcrh.<domain>.corp.
> > <domain>.corp. 3600 IN NS prdc002zacprh.<domain>.corp.
> > <domain>.corp. 3600 IN NS prdc003zacprh.<domain>.corp.
> > <domain>.corp. 3600 IN NS psad101zatcrh.<domain>.corp.
> >
> > We did rebuild all our DCs to RHEL7.
> > We demoted on the DC being rebuilt, then removed any and all records we could find in AD/DNS. Rebuilt the new server and rejoined.
>
> OK, after reading your 'named.log', there is the line that starts (after the date) 'built with' and amongst all the build options there is this '--disable-isc-spnego'
>
> I take it you have built Samba yourself as there are no RHEL7 packages that provision as a DC, so you know how to build things.
>
> I think you know what is coming ;-)
>
> Read this:
>
> https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates
>
> And this:
>
> https://github.com/hvenzke/CentOS-Bind-DLZ
>
> And then build Bind9 yourself, removing the thing that is stopping it working for you '--disable-isc-spnego'
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
Eben Victor
Cell: +27 82 759 5266
Email: eben.victor at gmail.com
On Wed, 31 Oct 2018 23:34:38 +0200 Eben Victor <eben.victor at gmail.com> wrote:
> Hi Rowland,
>
> I didn't build samba, I'm running the sernet packages,
> # rpm -qa | grep sernet
> sernet-samba-libsmbclient0-4.8.6-16.el7.x86_64
> sernet-samba-ad-4.8.6-16.el7.x86_64
> sernet-samba-libs-4.8.6-16.el7.x86_64
> sernet-samba-client-4.8.6-16.el7.x86_64
> sernet-samba-winbind-4.8.6-16.el7.x86_64
> sernet-samba-common-4.8.6-16.el7.x86_64
> sernet-samba-4.8.6-16.el7.x86_64
>
> I don't mind having to remove and rebuild bind, but...
> Excuse my ignorance, but what I don't understand is that I have a test DC with random zones/data and migrating from INTERNAL DNS to BIND9 wasn't an issue. The only difference between the two environments is that my test site has 1 DC and my prod is 7 DCs. My test environment is working 100% as is, same packages as prod.

OK, I do not use RHEL or CentOS, I use Devuan and Bind9 on that OS isn't built with '--disable-isc-spnego', this combined with what it says here:

https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates#RHEL_.2F_CENTOS_.2F_FC_.2B_clones_-_ReBuild_Distributed_ISC_Bind_RPM

Led me to believe this is your problem. However, you say it works on one DC, but not with multiple DCs.

You have mentioned that you demoted DCs, removed all data for the deleted DC from AD and then rejoined it again with a newer version of Samba using the same DC name etc.

I wonder if this could be your problem?
When you delete an object in AD, it does not get deleted, it gets 'tombstoned'.
I would have given the new DCs a different name e.g. if the old DC was called DC01, the new one would be called DC02.

The other thing I can think of is, how is resolv.conf set up?
Do the DCs point to themselves as DNS server, or to another DC?
If the latter, could your problem just be that you are trying to use the DC's kerberos ticket on the other DC?

Rowland
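The check Rowland did by eye on named.log, as an added example (not code from the thread, from Samba or from the BIND project): named logs its configure arguments on a single 'built with' line at startup, so a few lines of Python can pull that line out and flag '--disable-isc-spnego'. The log line below is constructed to look like such a line; the set of required options ('--with-dlopen', '--with-gssapi') is an assumption taken from the Samba wiki page cited above, which says the DLZ backend needs dlopen and GSSAPI support in BIND.

```python
"""Check a BIND9 'built with' log line for configure options that break
Samba AD DLZ with Kerberos-signed (GSS-TSIG) updates.

Added example; the log line below is constructed, not copied from a real
named.log. The REQUIRED_OPTIONS list is an assumption based on the Samba
wiki page for the BIND DLZ backend, not something named itself reports.
"""
import re
import shlex

# Constructed sample in the format named logs at startup (date, category,
# severity, then 'built with' and the quoted configure arguments).
SAMPLE_NAMED_LOG = (
    "31-Oct-2018 19:00:01.123 general: notice: built with "
    "'--build=x86_64-redhat-linux-gnu' '--prefix=/usr' '--with-gssapi=yes' "
    "'--with-dlopen=yes' '--enable-threads' '--disable-isc-spnego' "
    "'--with-openssl' 'CFLAGS=-O2 -g'"
)

# The option the thread identifies as the blocker for signed updates.
BREAKING_OPTIONS = ("--disable-isc-spnego",)
# Assumed requirements for the DLZ backend (see lead-in); a value of "=no"
# counts as missing.
REQUIRED_OPTIONS = ("--with-dlopen", "--with-gssapi")


def parse_build_options(log_line):
    """Return the configure arguments from a 'built with' line, unquoted."""
    m = re.search(r"built with (.+)$", log_line)
    return shlex.split(m.group(1)) if m else []


def has_option(opts, name):
    """True if `name` (or `name=<value>`) is present and not set to 'no'."""
    for opt in opts:
        if opt == name or opt.startswith(name + "="):
            return not opt.endswith("=no")
    return False


def check_build_options(log_line):
    """Classify one 'built with' line into breaking and missing options."""
    opts = parse_build_options(log_line)
    return {
        "options": opts,
        "breaking": [o for o in BREAKING_OPTIONS if has_option(opts, o)],
        "missing": [o for o in REQUIRED_OPTIONS if not has_option(opts, o)],
    }


def check_named_log(lines):
    """Scan named.log lines and check the first 'built with' line found."""
    for line in lines:
        if "built with" in line:
            return check_build_options(line)
    return None  # no startup banner in this log excerpt


if __name__ == "__main__":
    # Real use: check_named_log(open("/var/named/data/named.log")) or
    # check_named_log(["named -V output line"]); path is an assumption.
    result = check_named_log([SAMPLE_NAMED_LOG])
    for opt in result["breaking"]:
        print(f"BIND was built with {opt}: rebuild BIND without it")
    for opt in result["missing"]:
        print(f"BIND build lacks {opt}: DLZ backend will not load")
```

On a packaged BIND, `named -V` prints the same 'built with' line without needing the log, so the same function can be fed that output. The check is only as good as the banner: a rebuilt RPM that still carries the distribution's spec defaults will show the flag again, which is the point of the wiki's rebuild instructions.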
I've been trying to investigate this for some time now, hence I came to the experts :)

I have rejoined all my DCs with new names, see below.

;; ANSWER SECTION:
<domain>.corp. 3600 IN NS psad101zatcrh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade
<domain>.corp. 3600 IN NS prdc001zafsrh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade
<domain>.corp. 3600 IN NS prdc003zacprh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade
<domain>.corp. 3600 IN NS zatprdc001.<domain>.corp. -> Old demoted DC, old hostname, cannot be found in AD
<domain>.corp. 3600 IN NS prdc002zacprh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade
<domain>.corp. 3600 IN NS psad102zadprh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade
<domain>.corp. 3600 IN NS prdc001zatcrh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade
<domain>.corp. 3600 IN NS prdc001zacprh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade

Here is the "/etc/resolv.conf". I have tried different changes in the /etc/resolv.conf as well.

$ cat /etc/resolv.conf
# Generated by NetworkManager
search <domain>.corp <domain2>.corp <domain3>.corp <domain4>.net <domain5>.co.za <domain6>.co.za
nameserver <IP of DC 2>
nameserver <IP of DC 1>
nameserver <IP of DC 3>
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver <IP of DC 4>
nameserver <IP of DC 5>
nameserver <IP of DC 6>

On Thu, Nov 1, 2018 at 12:15 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 31 Oct 2018 23:34:38 +0200
> Eben Victor <eben.victor at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > I didn't build samba, I'm running the sernet packages,
> > # rpm -qa | grep sernet
> > sernet-samba-libsmbclient0-4.8.6-16.el7.x86_64
> > sernet-samba-ad-4.8.6-16.el7.x86_64
> > sernet-samba-libs-4.8.6-16.el7.x86_64
> > sernet-samba-client-4.8.6-16.el7.x86_64
> > sernet-samba-winbind-4.8.6-16.el7.x86_64
> > sernet-samba-common-4.8.6-16.el7.x86_64
> > sernet-samba-4.8.6-16.el7.x86_64
> >
> > I don't mind having to remove and rebuild bind, but...
> > Excuse my ignorance, but what I don't understand is that I have a test DC with random zones/data and migrating from INTERNAL DNS to BIND9 wasn't an issue. The only difference between the two environments is that my test site has 1 DC and my prod is 7 DCs. My test environment is working 100% as is, same packages as prod.
>
> OK, I do not use RHEL or CentOS, I use Devuan and Bind9 on that OS isn't built with '--disable-isc-spnego', this combined with what it says here:
>
> https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates#RHEL_.2F_CENTOS_.2F_FC_.2B_clones_-_ReBuild_Distributed_ISC_Bind_RPM
>
> Led me to believe this is your problem. However, you say it works on one DC, but not with multiple DCs.
>
> You have mentioned that you demoted DCs, removed all data for the deleted DC from AD and then rejoined it again with a newer version of Samba using the same DC name etc.
>
> I wonder if this could be your problem?
> When you delete an object in AD, it does not get deleted, it gets 'tombstoned'.
> I would have given the new DCs a different name e.g. if the old DC was called DC01, the new one would be called DC02.
>
> The other thing I can think of is, how is resolv.conf set up?
> Do the DCs point to themselves as DNS server, or to another DC?
> If the latter, could your problem just be that you are trying to use the DC's kerberos ticket on the other DC?
>
> Rowland
Hai,

> I have rejoined all my DCs with new names, see below.
>
> ;; ANSWER SECTION:
> <domain>.corp. 3600 IN NS psad101zatcrh.<domain>.corp. -> New rebuild, new hostname, RHEL6 to RHEL7 upgrade
....
> > Led me to believe this is your problem. However, you say it works on one DC, but not with multiple DCs.
......

That one DC that works, I'm betting, is the only one that has its original hostname. Can you verify that?

> > You have mentioned that you demoted DCs, removed all data for the deleted DC from AD and then rejoined it again with a newer version of Samba using the same DC name etc.
> >
> > I wonder if this could be your problem?

I'm betting this is the source of your problem.
This is exactly why I don't support 2 things on an AD DC server.
1) changing its hostname
2) changing its domainname
It's always trouble, it's so easy to forget 1 small thing and that ends up in a big problem. (story of my life)
And an IP change, hmm, not my favourite but possible with much fewer problems.

I suggest, remove 1 server completely from the domain.
Re-install the server, a clean setup, or go check your hostname changes in /etc/ /var
But I would go for a clean install.

Check/Do the following.
- Remove all the DNS objects (A / PTR and any other record or CNAME of that server)
- Remove all the AD objects that are linked with this server. (if no clean install)
- Clear the files out of folder /var/cache/samba /var/lib/samba from any files
Reboot the server, and check all your logs for errors, solve them before you join the domain.
Now join the domain again.
Transfer all FSMO roles to this server.
Repeat for next server, but leave the FSMO roles where they are now.
Now check if your problem still exists.

This ^^^^^ is what I personally would do.

Greetz,

Louis
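The first of Louis's cleanup steps, and the stale `zatprdc001` NS record Eben found two messages up, both come down to the same job: find every record in the AD-hosted zones that still names or points at the old DC (NS at the apex, its own A record, SRV targets under `_msdcs`, the GC A record, the PTR in the reverse zone) and delete each one. Below is an added example (not code from the thread or from Samba) that parses a dig-style zone listing and builds the matching `samba-tool dns delete <server> <zone> <name> <type> <data>` commands for review before anything is run. The zone dump, host names, addresses and the zone list are constructed placeholders. Two assumptions are built in: samba-tool's SRV data order ("target port priority weight", the reverse of dig's "priority weight port target") and "@" as the apex name, both of which should be confirmed against `samba-tool dns delete --help` on the installed version.

```python
"""Build samba-tool commands that remove every DNS record still referencing
a demoted DC, from a dig-style zone listing.

Added example; the zone dump below is constructed. Assumptions: samba-tool
stores names without a trailing dot, takes SRV data as
"target port priority weight", and accepts "@" for the zone apex.
"""
import shlex
from dataclasses import dataclass

# Constructed listing in dig format: owner ttl class type rdata.
# zatprdc001 (10.0.0.9) is the demoted DC; prdc001zacprh is a live one.
SAMPLE_ZONE_DUMP = """\
; constructed, not a real AXFR
example.corp.                            3600 IN NS   zatprdc001.example.corp.
example.corp.                            3600 IN NS   prdc001zacprh.example.corp.
zatprdc001.example.corp.                 3600 IN A    10.0.0.9
prdc001zacprh.example.corp.              3600 IN A    10.0.0.1
_ldap._tcp.example.corp.                 600  IN SRV  0 100 389 zatprdc001.example.corp.
_ldap._tcp.example.corp.                 600  IN SRV  0 100 389 prdc001zacprh.example.corp.
_kerberos._tcp.dc._msdcs.example.corp.   600  IN SRV  0 100 88 zatprdc001.example.corp.
gc._msdcs.example.corp.                  600  IN A    10.0.0.9
9.0.0.10.in-addr.arpa.                   3600 IN PTR  zatprdc001.example.corp.
1.0.0.10.in-addr.arpa.                   3600 IN PTR  prdc001zacprh.example.corp.
"""

# Zones hosted in AD (assumed). Samba keeps _msdcs.<domain> as its own zone,
# so the longest matching suffix decides which zone a record belongs to.
ZONES = ("example.corp", "_msdcs.example.corp", "0.0.10.in-addr.arpa")
NAME_TARGET_TYPES = ("NS", "CNAME", "PTR", "SRV")  # rdata ends in a host name


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone_dump(text):
    """Parse 'owner ttl IN type rdata' lines; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        records.append(Record(parts[0].lower(), int(parts[1]),
                              parts[3].upper(), " ".join(parts[4:])))
    return records


def references_host(rec, host_fqdn, host_addrs):
    """True if the record is owned by, points at, or resolves to the old DC."""
    fqdn = host_fqdn.lower().rstrip(".") + "."
    if rec.owner == fqdn:
        return True
    if rec.rtype in NAME_TARGET_TYPES and rec.rdata.lower().split()[-1] == fqdn:
        return True
    return rec.rtype in ("A", "AAAA") and rec.rdata in host_addrs


def split_owner(owner, zones):
    """Return (zone, relative name) using the longest matching zone suffix."""
    owner, best = owner.rstrip("."), ""
    for z in zones:
        z = z.rstrip(".").lower()
        if (owner == z or owner.endswith("." + z)) and len(z) > len(best):
            best = z
    if not best:
        return None, None
    return best, ("@" if owner == best else owner[: -(len(best) + 1)])


def to_samba_tool_data(rec):
    """Convert dig rdata into the data string samba-tool expects (assumed)."""
    if rec.rtype == "SRV":
        prio, weight, port, target = rec.rdata.split()
        return f"{target.rstrip('.')} {port} {prio} {weight}"
    if rec.rtype in NAME_TARGET_TYPES:
        return rec.rdata.rstrip(".")
    return rec.rdata


def cleanup_commands(zone_text, old_fqdn, old_addrs, zones=ZONES, server="localhost"):
    """Return the samba-tool dns delete commands for every stale record."""
    cmds = []
    for rec in parse_zone_dump(zone_text):
        if not references_host(rec, old_fqdn, old_addrs):
            continue
        zone, name = split_owner(rec.owner, zones)
        if zone is None:
            continue  # record lives outside the AD-hosted zones
        cmds.append(f"samba-tool dns delete {server} {zone} {name} "
                    f"{rec.rtype} {shlex.quote(to_samba_tool_data(rec))}")
    return cmds


if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_ZONE_DUMP, "zatprdc001.example.corp", {"10.0.0.9"}):
        print(cmd)
```

The generated list is meant to be read, not piped straight into a shell: a record under `_msdcs` that points at the old name but is owned by a live DC (a CNAME for a reused DSA GUID, say) is exactly the kind of thing to look at before deleting. For the AD-side objects in Louis's second step, Samba ships `samba-tool domain demote --remove-other-dead-server=<NAME>` for a DC that no longer exists, which is the supported way to clean those up rather than deleting them by hand; run the DNS cleanup above afterwards and re-check the apex NS set with dig.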