Hi Rowland,

Thank you. I think the 5 zones may be a parsing issue somewhere. Also, the realms are in capitals; that must have been a typo. UFW has been disabled and SELinux is in a disabled state.

/etc/bind/named.conf.options has

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //=======================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //=======================================================================
        dnssec-validation auto;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

/usr/lib/x86_64-linux-gnu/samba/bind9
-rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9.so
-rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_10.so
-rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_11.so
-rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_9.so

/etc/hosts
192.168.117.10 server5
192.168.117.10 server5.intdom.group

/etc/hostname
server5

On Sun, May 5, 2019 at 12:58 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 5 May 2019 00:11:40 +1000
> Rob Thoman via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > We migrated the domain to AD on a ubuntu 18.04 box with samba 4.7.6.
> > The DNS backend is DLZ
> >
> > We are seeing DNS issues as per below
> >
> > When using dnsupdate we get the following error. The server can
> > resolve the hostname (itself)
> >
> > added interface eth0 ip=192.168.117.10 bcast=192.168.117.255
> > netmask=255.255.255.0
> > IPs: ['192.168.117.10']
> > need cache add: A server5.intdom.group 192.168.117.10
> > Looking for DNS entry A server5.intdom.group 192.168.117.10 as
> > server5.intdom.group.
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba_dnsupdate", line 827, in <module>
> >     elif not check_dns_name(d):
> >   File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
> >     raise Exception("Timeout while waiting to contact a working DNS
> > server while looking for %s as %s" % (d, normalised_na$
> > Exception: Timeout while waiting to contact a working DNS server while
> > looking for A server5.intdom.group 192.168.117.10 $
> > ;; connection timed out; no servers could be reached
> > ;; connection timed out; no servers could be reached
> > ;; connection timed out; no servers could be reached
> >
> > service bind9 status
> >
> > May 04 13:50:40 server5-new named[2079]: sizing zone task pool based
> > on 5 zones
>
> Why '5' zones ?
>
> > May 04 13:50:40 server5-new named[2079]: Loading 'AD DNS Zone' using
> > driver dlopen
> > May 04 13:50:40 server5-new named[2079]: dlz_dlopen failed to open
> > library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9$
>
> Does /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so exist and if
> so, who owns it and what are the permissions ?
>
> > May 04 13:50:40 server5-new named[2079]: dlz_dlopen of 'AD DNS Zone' failed
> > May 04 13:50:40 server5-new named[2079]: SDLZ driver failed to load.
> > May 04 13:50:40 server5-new named[2079]: DLZ driver failed to load.
> > May 04 13:50:40 server5-new named[2079]: loading configuration: failure
> > May 04 13:50:40 server5-new named[2079]: exiting (due to fatal error)
> > May 04 13:50:40 server5-new systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> > May 04 13:50:40 server5-new systemd[1]: bind9.service: Failed with result 'exit-code'.
> >
> > /etc/bind/named.conf has the following
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/private/named.conf";
> >
> > named.conf.options has
> >
> > dnssec-validation auto;
> > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > auth-nxdomain no;    # conform to RFC1035
> > listen-on-v6 { any; };
>
> If that is all there is, there isn't enough.
> If it isn't all there is, please post the entire contents.
>
> > /etc/krb5.conf has
> >
> > [libdefaults]
> > default_realm = intdom.GROUP
>
> All the REALM should be in UPPERCASE
>
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > intdom.GROUP = {
> > kdc = server5
> > admin_server = server5
>
> You do not require the [realms] part.
>
> > }
> >
> > /etc/resolv.conf has
> >
> > nameserver 192.168.117.10
> > search intdom.group
> >
> > smb.conf has
> >
> > [global]
> > workgroup = intdom
> > realm = intdom.GROUP
> > netbios name = server5
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > log file = /var/log/samba/log.%m
> > log level = 4
> > acl allow execute always = True
> > server services = -dns
> > allow dns updates = nonsecure
> >
>
> Can you post the contents of /etc/hostname & /etc/hosts
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
On Sun, 5 May 2019 09:30:10 +1000
Rob Thoman <emailthomasrob at gmail.com> wrote:

> Hi Rowland,
>
> Thank you.
>
> I think the 5 zones may be a parsing issue somewhere.

I think you need to double check this; you normally only have 3. What
does this command produce when run on a DC:

samba-tool dns zonelist 127.0.0.1 -U Administrator%xxxxxxxxxx | grep 'pszZoneName'

Replace 'xxxxxxxxxx' with your Administrator password.

It should produce something like this:

pszZoneName : samdom.example.com
pszZoneName : 0.168.192.in-addr.arpa
pszZoneName : _msdcs.samdom.example.com

> /etc/bind/named.conf.options has
> options {
>         directory "/var/cache/bind";
>         dnssec-validation auto;
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on-v6 { any; };
> };

This is mine, which has worked since 2012:

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.6; 127.0.0.1; };

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

You do not have any forwarders and the 'dns.keytab' location has changed.

> /usr/lib/x86_64-linux-gnu/samba/bind9
> -rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9.so
> -rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_10.so
> -rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_11.so
> -rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_9.so

Nothing wrong there

> /etc/hosts
> 192.168.117.10 server5
> 192.168.117.10 server5.intdom.group

That really should be on one line, and what happened to '127.0.0.1' ?

Try it like this:

127.0.0.1       localhost
192.168.117.10  server5.intdom.group server5

> /etc/hostname
> server5

Good, just the short hostname

Rowland
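The review points Rowland makes above (one /etc/hosts line per address with the FQDN first and a 127.0.0.1 localhost entry, a named.conf.options that actually sets forwarders and restricts queries and recursion, and a DLZ module and dns.keytab that the named service user can read) can be turned into a small pre-flight script. The following is an added example, not code from the thread or from the Samba or BIND projects; the /etc/hosts and named.conf.options bodies it checks are constructed copies of what was posted, the hardened options block is modelled on Rowland's, and the check functions, their names and the "bind" service-user name (Debian/Ubuntu's) are assumptions of this example.

```python
"""Pre-flight checks for BIND9_DLZ on a Samba AD DC (added example)."""
import os
import pwd
import re
import stat

# Constructed copies of the two /etc/hosts layouts discussed in the thread.
ROB_HOSTS = "192.168.117.10 server5\n192.168.117.10 server5.intdom.group\n"
ROWLAND_HOSTS = "127.0.0.1 localhost\n192.168.117.10 server5.intdom.group server5\n"

# Constructed, abbreviated named.conf.options: Rob's shape (forwarders only as a
# comment, no query/recursion ACLs) beside a variant modelled on Rowland's.
ROB_OPTIONS = """options {
    directory "/var/cache/bind";
    // forwarders {
    //      0.0.0.0;
    // };
    dnssec-validation auto;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
"""
HARDENED_OPTIONS = """options {
    directory "/var/cache/bind";
    allow-query { 127.0.0.1; 192.168.117.0/24; };
    allow-recursion { 192.168.117.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    listen-on-v6 { none; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""


def check_hosts(hosts_text, ip, fqdn, short):
    """Return a list of problems with an /etc/hosts body for the DC's own address."""
    problems, by_ip = [], {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split columns
        if fields:
            by_ip.setdefault(fields[0], []).append(fields[1:])
    if not any("localhost" in names for names in by_ip.get("127.0.0.1", [])):
        problems.append("no '127.0.0.1 localhost' entry")
    lines = by_ip.get(ip, [])
    if not lines:
        return problems + [f"no entry for {ip}"]
    if len(lines) > 1:
        problems.append(f"{ip} appears on {len(lines)} lines; put all names on one line")
    if not lines[0] or lines[0][0] != fqdn:
        problems.append(f"first name for {ip} should be the FQDN {fqdn}")
    if short not in lines[0]:
        problems.append(f"short name {short} missing for {ip}")
    return problems


def _strip_comments(options_text):
    return re.sub(r"(//|#).*", "", options_text)   # BIND's // and # line comments


def check_named_options(options_text):
    """Flag the omissions Rowland pointed at in named.conf.options."""
    body, problems = _strip_comments(options_text), []
    if not re.search(r"^\s*forwarders\s*\{", body, re.M):
        problems.append("no active forwarders block")
    for directive in ("allow-query", "allow-recursion"):
        if not re.search(rf"^\s*{directive}\s*\{{", body, re.M):
            problems.append(f"{directive} is not restricted")
    if re.search(r"^\s*listen-on-v6\s*\{\s*any\s*;", body, re.M):
        problems.append("listen-on-v6 { any; } listens on every IPv6 address")
    return problems


def keytab_path(options_text):
    """Path given to tkey-gssapi-keytab, or None if the directive is absent."""
    m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"\s*;', _strip_comments(options_text))
    return m.group(1) if m else None


def _allowed(st, uid, gid, usr, grp, oth):
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    if st.st_gid == gid:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)


def readable_by(path, uid, gid):
    """True if uid/gid can traverse every parent directory and read the file.

    Only plain mode bits are modelled; POSIX ACLs, AppArmor and SELinux are not,
    so True is necessary but not sufficient for named to load the file.
    """
    path = os.path.abspath(path)
    try:
        parent = os.path.dirname(path)
        while True:
            st = os.stat(parent)
            if not _allowed(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                return False
            nxt = os.path.dirname(parent)
            if nxt == parent:
                break
            parent = nxt
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and _allowed(
        st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


if __name__ == "__main__":
    for label, hosts in (("Rob", ROB_HOSTS), ("Rowland", ROWLAND_HOSTS)):
        print(label, "hosts:", check_hosts(hosts, "192.168.117.10",
                                           "server5.intdom.group", "server5") or "ok")
    for label, opts in (("Rob", ROB_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, "options:", check_named_options(opts) or "ok")
    try:
        bind = pwd.getpwnam("bind")   # assumed service-user name (Debian/Ubuntu)
    except KeyError:
        bind = None
    if bind:   # only meaningful on a real DC
        for p in ("/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so",
                  keytab_path(ROB_OPTIONS)):
            print(p, "readable by bind:", readable_by(p, bind.pw_uid, bind.pw_gid))
```

Run it as root on the DC so the stat calls themselves are not refused; the readable_by result for the keytab is the check that matters when dlz_dlopen succeeds but GSS-TSIG updates still fail, while a False for the module itself matches the "dlz_dlopen failed to open library" line in Rob's log.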
Hi Rowland,

The samba-tool dns zonelist 127.0.0.1 -U Administrator%xxxxxxxxxx | grep 'pszZoneName' gives

Using binding ncacn_ip_tcp:127.0.0.1[,sign]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255 netmask=255.255.255.0
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255 netmask=255.255.255.0
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255 netmask=255.255.255.0
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
  pszZoneName              : intdom.group
  pszZoneName              : _msdcs.intdom.group

I went through the https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration bit and set up the SELinux and AppArmor exceptions, restarting AppArmor.

I hadn't noticed, but I am seeing an rndc issue:

May 05 13:19:20 dozer5-new named[17817]: dlz_dlopen of 'AD DNS Zone' failed
May 05 13:19:20 dozer5-new named[17817]: SDLZ driver failed to load.
May 05 13:19:20 dozer5-new named[17817]: DLZ driver failed to load.
May 05 13:19:20 dozer5-new named[17817]: loading configuration: failure
May 05 13:19:20 dozer5-new named[17817]: exiting (due to fatal error)
May 05 13:19:20 dozer5-new systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
May 05 13:19:20 dozer5-new rndc[17824]: rndc: connect failed: 127.0.0.1#953: connection refused

Regards,
RT

On Sun, May 5, 2019 at 5:11 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 5 May 2019 09:30:10 +1000
> Rob Thoman <emailthomasrob at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thank you.
> >
> > I think the 5 zones may be a parsing issue somewhere.
>
> I think you need to double check this; you normally only have 3. What
> does this command produce when run on a DC:
>
> samba-tool dns zonelist 127.0.0.1 -U Administrator%xxxxxxxxxx | grep
> 'pszZoneName'
>
> Replace 'xxxxxxxxxx' with your Administrator password.
>
> It should produce something like this:
>
> pszZoneName : samdom.example.com
> pszZoneName : 0.168.192.in-addr.arpa
> pszZoneName : _msdcs.samdom.example.com
>
> > /etc/bind/named.conf.options has
> > options {
> >         directory "/var/cache/bind";
> >         dnssec-validation auto;
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on-v6 { any; };
> > };
>
> This is mine, which has worked since 2012:
>
> options {
>         directory "/var/cache/bind";
>         version "0.0.7";
>         notify no;
>         empty-zones-enable no;
>         allow-query { 127.0.0.1; 192.168.0.0/24; };
>         allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>         forwarders { 8.8.8.8; 8.8.4.4; };
>         allow-transfer { none; };
>         dnssec-validation no;
>         dnssec-enable no;
>         dnssec-lookaside no;
>         listen-on-v6 { none; };
>         listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
>         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> };
>
> You do not have any forwarders and the 'dns.keytab' location has
> changed.
>
> > /usr/lib/x86_64-linux-gnu/samba/bind9
> > -rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9.so
> > -rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_10.so
> > -rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_11.so
> > -rw-r--r-- 1 root root 38904 Apr  4 18:05 dlz_bind9_9.so
>
> Nothing wrong there
>
> > /etc/hosts
> > 192.168.117.10 server5
> > 192.168.117.10 server5.intdom.group
>
> That really should be on one line, and what happened to '127.0.0.1' ?
>
> Try it like this:
>
> 127.0.0.1       localhost
> 192.168.117.10  server5.intdom.group server5
>
> > /etc/hostname
> > server5
>
> Good, just the short hostname
>
> Rowland
>