samba - Dec 2018 - After upgrade to 4.9.4, internal DNS no longer working

Oh, that doesn't sound good...

Arch Linux. I did a regular system upgrade using pacman -Syu which
automatically upgrades all packages to their latest version.

I have another, practically identical system and I didn't have this issue
there. Though I might have had a smaller jump between versions.

On Sat, 22 Dec 2018 at 22:21, Rowland Penny via samba <samba at
lists.samba.org>
wrote:
> On Sat, 22 Dec 2018 21:23:31 +0100
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> > Hi list,
> >
> > I just upgraded my Samba AD DC to v4.9.4. Unfortunately, I can't
> > recall which version I had before that, I believe it must have been
> > something between 4.6 and 4.8.
> >
> > Anyway, now that the upgrade is done, it looks like DNS is gone. Host
> > commands are timing out, netstat reveals that no process is listening
> > on :53.
> >
> > Other than that, Samba is starting and working fine. I can list
> > shares, I can interact with the AD while I stay on localhost.
> >
> > /etc/samba/smb.conf:
> > ------------------------------------
> > [global]
> >         workgroup = samdom
> >         realm = samdom.example.com
> >         netbios name = dc1
> >         interfaces = lo br-lxc
> >         bind interfaces only = Yes
> >         server role = active directory domain controller
> >         dns forwarder = 192.168.1.2
> >         idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > /etc/hosts
> > ------------------------------------
> >
> > 127.0.0.1       localhost.localdomain   localhost
> > ::1             localhost.localdomain   localhost
> >
> > 192.168.1.1     dc1.samdom.example.com dc1
> >
> >
> > /etc/krb5.conf
> > ------------------------------------
> > [libdefaults]
> >         default_realm = samdom.example.com
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > # samba-tool dbcheck --cross-ncs
> > Checking 3539 objects
> > Checked 3539 objects (0 errors)
> >
> > Last but not least, here are the relevant lines from the syslog:
> > --------------------------------------
> > Dez 22 21:08:31 dc1 systemd[1]: Starting Samba AD Daemon...
> > Dez 22 21:08:31 dc1 kernel: audit: type=1131 audit(1545509311.984:52):
> > pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=samba
> > comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=?
> > terminal=? res=failed' Dez 22 21:08:32 dc1 samba[733]: root
> > process[733]: [2018/12/22 21:08:32.027397,
> > 0] ../source4/smbd/server.c:510(binary_smbd_main) Dez 22 21:08:32 dc1
> > samba[733]: root process[733]:   samba version 4.9.4 started.
> > Dez 22 21:08:32 dc1 samba[733]: root process[733]:   Copyright Andrew
> > Tridgell and the Samba Team 1992-2018
> > Dez 22 21:08:32 dc1 samba[733]: root process[733]: [2018/12/22
> > 21:08:32.318878,  0] ../source4/smbd/server.c:696(binary_smbd_main)
> > Dez 22 21:08:32 dc1 samba[733]: root process[733]:   binary_smbd_main:
> > samba: using 'standard' process model
> > Dez 22 21:08:32 dc1 samba[737]: task[nbtd][737]: [2018/12/22
> > 21:08:32.346083,  0]
> > ../source4/dsdb/common/util.c:1815(samdb_reference_dn_is_our_ntdsa)
> > Dez 22 21:08:32 dc1 samba[737]: task[nbtd][737]:   Failed to find
> > object DC=samdom,DC=example,DC=ch for attribute fsmoRoleOwner -
> > Cannot find DN DC=samdom,DC=example,DC=ch to get attribute
> > fsmoRoleOwner for reference dn: No such Base DN:>
> > Dez 22 21:08:32 dc1 samba[742]: task[kdc][742]: [2018/12/22
> > 21:08:32.347736,  0]
> > ../source4/smbd/service_task.c:36(task_server_terminate)
> > Dez 22 21:08:32 dc1 samba[742]: task[kdc][742]:
> > task_server_terminate: task_server_terminate: [kdc: krb5_init_context
> > samdb RODC connect failed] Dez 22 21:08:32 dc1 samba[743]:
> > task[dreplsrv][743]: [2018/12/22 21:08:32.369585,  0]
> > ../source4/smbd/service_task.c:36(task_server_terminate)
> > Dez 22 21:08:32 dc1 samba[743]: task[dreplsrv][743]:
> > task_server_terminate: task_server_terminate: [dreplsrv: Failed to
> > connect to local samdb: WERR_DS_UNAVAILABLE
> > Dez 22 21:08:32 dc1 samba[743]: task[dreplsrv][743]:   ]
> > Dez 22 21:08:32 dc1 samba[746]: task[kccsrv][746]: [2018/12/22
> > 21:08:32.386039,  0]
> > ../source4/smbd/service_task.c:36(task_server_terminate)
> > Dez 22 21:08:32 dc1 samba[748]: task[dns][748]: [2018/12/22
> > 21:08:32.387265,  0]
> > ../source4/smbd/service_task.c:36(task_server_terminate)
> > Dez 22 21:08:32 dc1 samba[748]: task[dns][748]:
> > task_server_terminate: task_server_terminate: [dns: failed to load
> > DNS zones] Dez 22 21:08:32 dc1 samba[747]: task[dnsupdate][747]:
> > [2018/12/22 21:08:32.389228,
> > 0] ../source4/dsdb/dns/dns_update.c:127(dnsupdate_rebuild) Dez 22
> > 21:08:32 dc1 samba[746]: task[kccsrv][746]:   task_server_terminate:
> > task_server_terminate: [kccsrv: Failed to connect to local samdb:
> > WERR_DS_UNAVAILABLE Dez 22 21:08:32 dc1 samba[746]:
> > task[kccsrv][746]:   ] Dez 22 21:08:32 dc1 smbd[758]: [2018/12/22
> > 21:08:32.991583,
> > 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name) Dez 22
> > 21:08:33 dc1 smbd[759]: [2018/12/22 21:08:33.003232,
> > 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name) Dez 22
> > 21:08:33 dc1 smbd[758]:   pdb backend samba_dsdb did not correctly
> > init (error was NT_STATUS_UNSUCCESSFUL) Dez 22 21:08:33 dc1
> > smbd[759]:   pdb backend samba_dsdb did not correctly init (error was
> > NT_STATUS_UNSUCCESSFUL) Dez 22 21:08:33 dc1 winbindd[750]:
> > [2018/12/22 21:08:33.013026,
> > 0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
> > Dez 22 21:08:33 dc1 winbindd[750]:   initialize_winbindd_cache:
> > clearing cache and re-creating with version number 2 Dez 22 21:08:33
> > dc1 systemd[1]: Started Samba AD Daemon. Dez 22 21:08:33 dc1
> > audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295
> > msg='unit=samba comm="systemd"
exe="/usr/lib/systemd/systemd"
> > hostname=? addr=? terminal=? res=success' Dez 22 21:08:33 dc1
> > winbindd[750]: [2018/12/22 21:08:33.182471,
> > 0] ../lib/util/become_daemon.c:138(daemon_ready) Dez 22 21:08:33 dc1
> > winbindd[750]:   daemon_ready: STATUS=daemon 'winbindd'
finished
> > starting up and ready to serve connections Dez 22 21:08:33 dc1
> > smbd[741]: [2018/12/22 21:08:33.183232,
> > 0] ../lib/util/become_daemon.c:138(daemon_ready) Dez 22 21:08:33 dc1
> > smbd[741]:   daemon_ready: STATUS=daemon 'smbd' finished
starting up
> > and ready to serve connections Dez 22 21:08:33 dc1 kernel: audit:
> > type=1130 audit(1545509313.178:53): pid=1 uid=0 auid=4294967295
> > ses=4294967295 msg='unit=samba comm="systemd"
> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > res=success' Dez 22 21:08:33 dc1 dbus-daemon[340]: [system]
> > Activating via systemd: service name='org.freedesktop.Avahi'
> > unit='dbus-org.freedesktop.Avahi.service' requested by
> > ':1.249' (uid=0 pid=741 comm="/usr/bin/smbd -D
--option=server role
> > check:inhibi") Dez 22 21:08:33 dc1 dbus-daemon[340]: [system]
> > Activation via systemd failed for unit
> > 'dbus-org.freedesktop.Avahi.service': Unit
> > dbus-org.freedesktop.Avahi.service not found. Dez 22 21:08:33 dc1
> > smbd[760]: [2018/12/22 21:08:33.206151,
> > 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name) Dez 22
> > 21:08:33 dc1 smbd[760]:   pdb backend samba_dsdb did not correctly
> > init (error was NT_STATUS_UNSUCCESSFUL)
> >
> > Any advice what I could try to get DNS running again?
> >
> > Thanks,
> > Viktor
>
> You have bigger problems than that:
>
> Cannot find DN DC=samdom,DC=example,DC=ch to get attribute
> fsmoRoleOwner for reference dn:No such Base DN:>
>
> What OS and how did you upgrade ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Sat, 22 Dec 2018 22:25:30 +0100
Viktor Trojanovic <viktor at troja.ch> wrote:
> Oh, that doesn't sound good...
> 
> Arch Linux. I did a regular system upgrade using pacman -Syu which
> automatically upgrades all packages to their latest version.
> 
> I have another, practically identical system and I didn't have this
> issue there. Though I might have had a smaller jump between versions.
The version jump shouldn't have caused this, I take it you have tried
restarting Samba again. If you still have the problem, try running the
'samba' daemon directly in a terminal:

/path/to/samba -i -d3

See if this works or shows anything new.

Did you have backups from before the upgrade ?
Have you checked if 'sam.ldb' is still there and if the databases are
in 'sam.ldb.d' ?

Rowland

Then I don't know what caused it. I had no problems prior to the upgrade,
and the upgrade was done without errors..

Unfortunately, no, I don't have backups. 'sam.ldb' is still there,
though,
and so are the databases unter 'sam.ldb.d'.

Yes, I tried restarting Samba, even rebooted the server but to no avail.
Here are the results from running samba in the shell:

lpcfg_load: refreshing parameters from /etc/samba/smb.conf
samba version 4.9.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2018
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
register_process_model: PROCESS_MODEL 'single' registered
register_process_model: PROCESS_MODEL 'prefork' registered
register_process_model: PROCESS_MODEL 'standard' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
AUTH backend 'anonymous' registered
AUTH backend 'winbind' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'unix' registered
ldb_wrap open of privilege.ldb
binary_smbd_main: samba: using 'standard' process model
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Searching for dsServiceName in rootDSE failed: operations error at
../source4/dsdb/samdb/ldb_modules/rootdse.c:518
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings objectGUID in the ldb!
kdc_task_init: Cannot determine if we are an RODC: operations error at
../source4/dsdb/common/util.c:3534
task_server_terminate: task_server_terminate: [kdc: krb5_init_context samdb
RODC connect failed]
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Searching for dsServiceName in rootDSE failed: operations error at
../source4/dsdb/samdb/ldb_modules/rootdse.c:518
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings objectGUID in the ldb!
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Searching for dsServiceName in rootDSE failed: operations error at
../source4/dsdb/samdb/ldb_modules/rootdse.c:518
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings objectGUID in the ldb!
task_server_terminate: task_server_terminate: [dreplsrv: Failed to connect
to local samdb: WERR_DS_UNAVAILABLE
]
task_server_terminate: task_server_terminate: [kccsrv: Failed to connect to
local samdb: WERR_DS_UNAVAILABLE
]
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

../source4/dsdb/dns/dns_update.c:127: Unable to find DCs list - No such
Base DN: CN=Configuration,DC=samdom,DC=example,DC=chCalling DNS name update
script
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Calling SPN name update script
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'remote' registered
ldb_wrap open of secrets.ldb
task_server_terminate: task_server_terminate: [dns: failed to load DNS
zones]
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Failed to find object DC=samdom,DC=example,DC=ch for attribute
fsmoRoleOwner - Cannot find DN DC=samdom,DC=example,DC=ch to get attribute
fsmoRoleOwner for reference dn: No such Base DN: DC=samdom,DC=example,DC=ch
Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner
in DC=samdom,DC=example,DC=ch failed: Cannot find DN
DC=samdom,DC=example,DC=ch to get attribute fsmoRoleOwner for reference dn:
No such Base DN: DC=samdom,DC=example,DC=ch
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'backupkey' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'eventlog6' registered
DCERPC endpoint server 'dnsserver' registered
/usr/bin/winbindd: winbindd version 4.9.4 started.
/usr/bin/winbindd: Copyright Andrew Tridgell and the Samba Team 1992-2018
/usr/bin/smbd: smbd version 4.9.4 started.
/usr/bin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2018
/usr/bin/winbindd: initialize_winbindd_cache: clearing cache and
re-creating with version number 2
/usr/bin/smbd: pdb backend samba_dsdb did not correctly init (error was
NT_STATUS_UNSUCCESSFUL)
/usr/bin/smbd: pdb backend samba_dsdb did not correctly init (error was
NT_STATUS_UNSUCCESSFUL)
/usr/bin/winbindd: daemon_ready: STATUS=daemon 'winbindd' finished
starting
up and ready to serve connections
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Searching for dsServiceName in rootDSE failed: operations error at
../source4/dsdb/samdb/ldb_modules/rootdse.c:518
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings options in the ldb!
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Searching for dsServiceName in rootDSE failed: operations error at
../source4/dsdb/samdb/ldb_modules/rootdse.c:518
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings options in the ldb!
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Searching for dsServiceName in rootDSE failed: operations error at
../source4/dsdb/samdb/ldb_modules/rootdse.c:518
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings options in the ldb!
/usr/bin/winbindd: pdb backend samba_dsdb did not correctly init (error was
NT_STATUS_UNSUCCESSFUL)
../source4/dsdb/dns/dns_update.c:127: Unable to find DCs list - No such
Base DN:
CN=Configuration,DC=samdom,DC=example,DC=chsamba_runcmd_io_handler: Child
/usr/bin/samba_spnupdate exited 0
Completed SPN update check OK
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Failed to open domain S-1-5-21-4280320235-2980747731-3738778716: No such
Base DN: DC=samdom,DC=example,DC=ch
stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: single_terminate: reason[dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED]
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Failed to open domain S-1-5-21-4280320235-2980747731-3738778716: No such
Base DN: DC=samdom,DC=example,DC=ch
stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: single_terminate: reason[dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED]
ldb: Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs

Failed to open domain S-1-5-21-4280320235-2980747731-3738778716: No such
Base DN: DC=samdom,DC=example,DC=ch
stream_terminate_connection: Terminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: single_terminate: reason[dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED]
/usr/bin/smbd: daemon_ready: STATUS=daemon 'smbd' finished starting up
and
ready to serve connections
/usr/bin/smbd: pdb backend samba_dsdb did not correctly init (error was
NT_STATUS_UNSUCCESSFUL)
Registered dc1<00> with 192.168.1.1 on interface 192.168.1.255
Registered dc1<00> with 127.0.0.1 on interface 127.255.255.255
Registered dc1<03> with 192.168.1.1 on interface 192.168.1.255
Registered dc1<03> with 127.0.0.1 on interface 127.255.255.255
Registered dc1<20> with 192.168.1.1 on interface 192.168.1.255
Registered dc1<20> with 127.0.0.1 on interface 127.255.255.255
Registered samdom<1c> with 192.168.1.1 on interface 192.168.1.255
Registered samdom<1c> with 127.0.0.1 on interface 127.255.255.255
Registered samdom<00> with 192.168.1.1 on interface 192.168.1.255
Registered samdom<00> with 127.0.0.1 on interface 127.255.255.255
../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code
110



On Sat, 22 Dec 2018 at 22:54, Rowland Penny via samba <samba at
lists.samba.org>
wrote:
> On Sat, 22 Dec 2018 22:25:30 +0100
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > Oh, that doesn't sound good...
> >
> > Arch Linux. I did a regular system upgrade using pacman -Syu which
> > automatically upgrades all packages to their latest version.
> >
> > I have another, practically identical system and I didn't have
this
> > issue there. Though I might have had a smaller jump between versions.
>
> The version jump shouldn't have caused this, I take it you have tried
> restarting Samba again. If you still have the problem, try running the
> 'samba' daemon directly in a terminal:
>
> /path/to/samba -i -d3
>
> See if this works or shows anything new.
>
> Did you have backups from before the upgrade ?
> Have you checked if 'sam.ldb' is still there and if the databases
are
> in 'sam.ldb.d' ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba