Peter Tuharsky
2019-Jan-12 09:35 UTC
[Samba] Samba + BIND9 DLZ. DNS doesn't resolve FQDN, only short hostname
Thank You, Luis, Rowland, for the initial hints. I checked them all.

As of system, it is Debian Stretch, Bind 9.10.3, Samba 4.5.12 (I know it is old, but is native for distribution, and should work in such simple setup I suppose). I used this howto:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

As of hosts.conf, there are only localhost and server itself, because everything else should be resolved by DNS anyway...

127.0.0.1 localhost.interbronz.local localhost
10.20.1.1 blacktux.interbronz.local blacktux
--------

I also checked resolv.conf, there is no typo in search or nameserver.

search interbronz.local
nameserver 10.20.1.1
--------

There is not much in named.conf and surroundings. This is Debian, so the config is scattered here and there, but if I put all includes together, we get this:

options {
        directory "/var/cache/bind";

        // External DNS forwarder
        forwarders {
                10.10.10.1;
        };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

// The RFC1918 zones file is modified by commenting out the 10. section because this is our subnet and we don't want it to fall to empty zones
include "/etc/bind/zones.rfc1918";

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

dlz "AD DNS Zone" {
        database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};
--------------

As of smb.conf, it is also very sparse and mostly auto-created during domain provisioning, except the template options:

[global]
        netbios name = BLACKTUX
        realm = INTERBRONZ.LOCAL
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = INTERBRONZ
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        template homedir = /home/%U

[netlogon]
        path = /var/lib/samba/sysvol/interbronz.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
-------

Since there is BIND DLZ in use, I assume that it is up to the Samba DNS module to resolve local domain issues for BIND, thus the BIND config is of little interest here anyway, it simply gives whatever it takes from Samba. Correct?

So, it would seem that if anything is unusual, it should take place inside the Samba DNS records. That is an area I have no expertise in. When I do

samba-tool dns query -U administrator 10.20.1.1 interbronz.local @ ALL

I get this:

  Name=, Records=8, Children=0
    SOA: serial=27, refresh=900, retry=600, expire=86400, minttl=3600, ns=blacktux.interbronz.local., email=hostmaster.interbronz.local. (flags=600000f0, serial=27, ttl=3600)
    NS: blacktux.interbronz.local. (flags=600000f0, serial=1, ttl=900)
    A: 10.10.10.101 (flags=600000f0, serial=1, ttl=900)
    A: 10.20.1.1 (flags=600000f0, serial=3, ttl=900)
    A: 10.20.2.1 (flags=600000f0, serial=9, ttl=900)
    A: 10.20.3.1 (flags=600000f0, serial=10, ttl=900)
    A: 10.20.4.1 (flags=600000f0, serial=11, ttl=900)
    A: 10.30.1.1 (flags=600000f0, serial=23, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=asus, Records=1, Children=0
    A: 10.20.4.69 (flags=f0, serial=27, ttl=900)
  Name=blacktux, Records=6, Children=0
    A: 10.10.10.101 (flags=f0, serial=1, ttl=900)
    A: 10.20.1.1 (flags=f0, serial=2, ttl=900)
    A: 10.30.1.1 (flags=f0, serial=22, ttl=900)
  Name=boss, Records=1, Children=0
    A: 10.20.3.78 (flags=f0, serial=18, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=intelhd, Records=1, Children=0
    A: 10.20.1.82 (flags=f0, serial=20, ttl=900)
  Name=w7-virt, Records=1, Children=0
    A: 10.10.10.102 (flags=f0, serial=21, ttl=900)

The question is, whether Samba even knows how to, or should it ever, resolve FQDNs.

I see there are more NS records for the server itself, of which some belong to interfaces no longer active. But still the first 2 are valid, and the hostnames are resolved anyway, so that doesn't seem like the culprit.

On 11 Jan 2019 at 15:06, Rowland Penny via samba wrote:
> On Fri, 11 Jan 2019 14:55:08 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>>>> Please, does somebody have a clue, what goes wrong here?
>>>>
>>> Nope, haven't got a clue ;-)
>> Not? Rowland not? really.. ;-)
> Well okay, I could take a guess, but I could be wide of the mark.
>
>> I'm a gambler so here you go ;-)
>>
>> Hmm, first 3 guesses..
>> Typos in primary DNS/Search domain. ( /etc/resolv.conf )
>> Typos in /etc/hosts
> My crystal ball is on the fritz ;-)
>
>> Why.
>> Ping host works ( host file ) ip host.fqdn host
>> Ping host.fqdn does not, (host file or resolv.conf or typo in bind
>> config. ) Search dns.domain.tld domain.tld. <-> mismatch with bind
>> config.
>>
>> Something like this is my guess.
>>
>>> I might have said this before, but I will say it again, why do you
>>> think we can help you, if you do not give us anything but 'it
>>> doesn't work' ?
>>>
>>> What OS ?
>>> What Samba version ?
>>> What Bind version ?
>>> What is in smb.conf ?
>>> What is in your named.conf files ?
>> The configs will tell what's going on.. :-)
> Exactly, we will only be able to try to find the problem with something
> to work with.
>
> Rowland
Rowland Penny
2019-Jan-12 14:00 UTC
[Samba] Samba + BIND9 DLZ. DNS doesn't resolve FQDN, only short hostname
On Sat, 12 Jan 2019 10:35:59 +0100
Peter Tuharsky via samba <samba at lists.samba.org> wrote:

> Thank You, Luis, Rowland,
>
> for the initial hints. I checked them all.
>
> As of system, it is Debian Stretch, Bind 9.10.3, Samba 4.5.12 (I know
> it is old, but is native for distribution, and should work in such
> simple setup I suppose). I used this howto:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

The problem with 4.5.12 is that it is, as far as Samba is concerned, EOL. It will be even more EOL when 4.10.0 is released at the beginning of March. The only Samba supported versions (at the moment) are 4.9.x, 4.8.x and 4.7.x. When 4.10.0 is released, 4.7.x will reach EOL.

This is easily fixed on Debian, see here:

http://apt.van-belle.nl/

> As of hosts.conf, there are only localhost and server itself, because
> everything else should be resolved by DNS anyway...
>
> 127.0.0.1 localhost.interbronz.local localhost

The above should just be:

127.0.0.1 localhost

You also shouldn't have used '.local', bit late now, so you should stop Avahi from running.

> --------
>
> There is not much in named.conf and surroundings. This is Debian, so
> the config is scattered here and there, but if I put all includes
> together, we get this:
>
> options {
>         directory "/var/cache/bind";
>
>         // External DNS forwarder
>         forwarders {
>                 10.10.10.1;
>         };
>
>         dnssec-validation auto;
>
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on-v6 { any; };
> };
>

This is my /etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };

        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.6; 127.0.0.1; };

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

> --------------
>
> Since there is BIND DLZ in use, I assume that it is up to Samba DNS
> module to resolve local domain issues for BIND, thus BIND config is
> of little interest here anyway, it simply gives whatever it takes
> from Samba. Correct?

Very Wrong.

> So, it would seem that if anything unusual, it should take place
> inside Samba DNS records. That is area I have no expertise in. When I
> do
>
> samba-tool dns query -U administrator 10.20.1.1 interbronz.local @ ALL

The only problem with that is (as far as I am aware), samba-tool goes direct to AD, bypassing Bind9.

> The question is, whether Samba even knows how to, or should it ever,
> resolve FQDNs.

It does, or rather, Bind9 with AD does.

> I see there are more NS records for server itself, of whom some
> belong to interfaces no longer active. But still first 2 are valid,
> and the hostnames are resolved anyway, so that doesn't seem like the
> culprit.

If you have NS records that do not exist, you need to delete them.

Rowland
Peter Tuharsky
2019-Jan-20 10:51 UTC
[Samba] Samba + BIND9 DLZ. DNS doesn't resolve FQDN, only short hostname
Rowland, thank You for the advice.

I can manage standard A records, but I'm not sure what to do with the NS. I can't figure out how to delete an invalid A subrecord of the NS record. I'm afraid to experiment much. Please, could You point me to some working example?

Peter

On 12 Jan 2019 at 15:00, Rowland Penny via samba wrote:
> On Sat, 12 Jan 2019 10:35:59 +0100
> Peter Tuharsky via samba <samba at lists.samba.org> wrote:
>
>> Thank You, Luis, Rowland,
>>
>> for the initial hints. I checked them all.
>>
>> As of system, it is Debian Stretch, Bind 9.10.3, Samba 4.5.12 (I know
>> it is old, but is native for distribution, and should work in such
>> simple setup I suppose). I used this howto:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> The problem with 4.5.12 is that it is, as far as Samba is concerned,
> EOL. It will be even more EOL when 4.10.0 is released at the beginning
> of March. The only Samba supported versions (at the moment) are 4.9.x,
> 4.8.x and 4.7.x. When 4.10.0 is released, 4.7.x will reach EOL.
>
> This is easily fixed on Debian, see here:
>
> http://apt.van-belle.nl/
>
>> As of hosts.conf, there are only localhost and server itself, because
>> everything else should be resolved by DNS anyway...
>>
>> 127.0.0.1 localhost.interbronz.local localhost
> The above should just be:
>
> 127.0.0.1 localhost
>
> You also shouldn't have used '.local', bit late now, so you should stop
> Avahi from running.
>
>> --------
>>
>> There is not much in named.conf and surroundings. This is Debian, so
>> the config is scattered here and there, but if I put all includes
>> together, we get this:
>>
>> options {
>>         directory "/var/cache/bind";
>>
>>         // External DNS forwarder
>>         forwarders {
>>                 10.10.10.1;
>>         };
>>
>>         dnssec-validation auto;
>>
>>         auth-nxdomain no;    # conform to RFC1035
>>         listen-on-v6 { any; };
>> };
>>
> This is my /etc/bind/named.conf.options:
>
> options {
>         directory "/var/cache/bind";
>         version "0.0.7";
>         notify no;
>         empty-zones-enable no;
>         allow-query { 127.0.0.1; 192.168.0.0/24; };
>         allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>         forwarders { 8.8.8.8; 8.8.4.4; };
>         allow-transfer { none; };
>
>         dnssec-validation no;
>         dnssec-enable no;
>         dnssec-lookaside no;
>         listen-on-v6 { none; };
>         listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
>> --------------
>>
>> Since there is BIND DLZ in use, I assume that it is up to Samba DNS
>> module to resolve local domain issues for BIND, thus BIND config is
>> of little interest here anyway, it simply gives whatever it takes
>> from Samba. Correct?
> Very Wrong.
>
>> So, it would seem that if anything unusual, it should take place
>> inside Samba DNS records. That is area I have no expertise in. When I
>> do
>>
>> samba-tool dns query -U administrator 10.20.1.1 interbronz.local @ ALL
> The only problem with that is (as far as I am aware), samba-tool goes
> direct to AD bypassing Bind9
>
>> The question is, whether Samba even knows how to, or should it ever,
>> resolve FQDNs.
> It does, or rather, Bind9 with AD does.
>
>> I see there are more NS records for server itself, of whom some
>> belong to interfaces no longer active. But still first 2 are valid,
>> and the hostnames are resolved anyway, so that doesn't seem like the
>> culprit.
> If you have NS records that do not exist, you need to delete them.
>
> Rowland
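The records Peter is asking about are the A records at the zone apex ("Name=," in the samba-tool output), which hold the DC's own addresses and are removed with "samba-tool dns delete". The script below is an added example, not code from the thread or from the Samba project: it parses the query output posted earlier (embedded here as a constructed sample), compares the apex A records against a list of addresses the DC still uses, and prints the delete commands instead of running them, so the list can be reviewed before anything is touched. The ACTIVE_ADDRS list is a hypothetical assumption (the two addresses the thread calls valid); replace it with the DC's real interface addresses.

```shell
#!/bin/sh
# Added example (not from the thread): find stale A records at the zone apex
# in "samba-tool dns query <dc> <zone> @ ALL" output and print the matching
# "samba-tool dns delete" commands for review. Nothing is executed here.
# Assumptions: the output format below, copied from the thread, and that
# ACTIVE_ADDRS lists the DC's currently configured interface addresses.

# Sample output, constructed from the query output posted in the thread.
QUERY_OUTPUT='  Name=, Records=8, Children=0
    SOA: serial=27, refresh=900, retry=600, expire=86400, minttl=3600, ns=blacktux.interbronz.local., email=hostmaster.interbronz.local. (flags=600000f0, serial=27, ttl=3600)
    NS: blacktux.interbronz.local. (flags=600000f0, serial=1, ttl=900)
    A: 10.10.10.101 (flags=600000f0, serial=1, ttl=900)
    A: 10.20.1.1 (flags=600000f0, serial=3, ttl=900)
    A: 10.20.2.1 (flags=600000f0, serial=9, ttl=900)
    A: 10.20.3.1 (flags=600000f0, serial=10, ttl=900)
    A: 10.20.4.1 (flags=600000f0, serial=11, ttl=900)
    A: 10.30.1.1 (flags=600000f0, serial=23, ttl=900)
  Name=blacktux, Records=6, Children=0
    A: 10.10.10.101 (flags=f0, serial=1, ttl=900)
    A: 10.20.1.1 (flags=f0, serial=2, ttl=900)
    A: 10.30.1.1 (flags=f0, serial=22, ttl=900)
  Name=boss, Records=1, Children=0
    A: 10.20.3.78 (flags=f0, serial=18, ttl=900)'

# apex_a_records: print every A record address listed under the apex entry
# (the "Name=," line with an empty name). $1 is the query output.
# Records under other names (blacktux, boss, ...) are ignored.
apex_a_records() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Name=/ { in_apex = ($0 ~ /Name=,/) }
        in_apex && $1 == "A:" { print $2 }'
}

# stale_addrs: print the addresses from $1 (whitespace separated) that are
# not present in the space-separated list $2.
stale_addrs() {
    for addr in $1; do
        case " $2 " in
            *" $addr "*) ;;                 # still active, keep the record
            *) printf '%s\n' "$addr" ;;     # not configured any more: stale
        esac
    done
}

# delete_commands: emit one "samba-tool dns delete" line per stale apex
# address. $1 = DC address, $2 = zone, $3 = active addresses, $4 = query
# output. "@" names the zone apex, as in the query command from the thread.
delete_commands() {
    dc=$1; zone=$2; active=$3; output=$4
    for addr in $(stale_addrs "$(apex_a_records "$output")" "$active"); do
        printf 'samba-tool dns delete %s %s @ A %s -U administrator\n' \
            "$dc" "$zone" "$addr"
    done
}

# Hypothetical active interface list for the DC; take the real one from
# "ip -4 addr" on the server before relying on this.
ACTIVE_ADDRS="10.10.10.101 10.20.1.1"

delete_commands 10.20.1.1 interbronz.local "$ACTIVE_ADDRS" "$QUERY_OUTPUT"
```

Run it on the real output of "samba-tool dns query -U administrator 10.20.1.1 interbronz.local @ ALL" by replacing QUERY_OUTPUT, check the printed commands against the server's actual interfaces, and only then run them. After deleting, a fresh query of "@" should show only the addresses that are still configured, and the same check can be repeated for the "blacktux" host entry, which carries its own copy of the DC's addresses.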