I've been working on this problem for a few hours. Here are some updates: Many of the domains I listed are duplicates of domains managed by other DNS servers on my network. There was no point in having them in Samba AD, so I deleted the zones in Windows DNS Manager and created slaves in my named.conf.local folder, so that they'd pull the records from my authoritative BIND DNS server, which runs on good old fashioned flat files (the SOA for zones like mycompany.net and the PTR zones for all my subnets). I'm now down to two zones: Able to be edited: _msdcs.samdom.mycompany.net NOT able to be edited:?samdom.mycompany.net I believe these two zones to be the bare minimum I need to have everything working correctly. Closer inspection shows that I have no NS records and no SOA record in the "samdom.mycompany.net" zone. # samba_dnsupdate --verbose IPs: ['192.168.3.203'] Looking for DNS entry A umbriel.samdom.mycompany.net?192.168.3.203 as umbriel.samdom.mycompany.net. Looking for DNS entry NS?samdom.mycompany.net?umbriel.samdom.mycompany.net?as?samdom.mycompany.net. Traceback (most recent call last): ? File "/usr/sbin/samba_dnsupdate", line 320, in check_dns_name ? ? ans = check_one_dns_name(normalised_name, d.type, d) ? File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name ? ? ans = resolver.query(name, name_type) ? File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query ? ? raise NoNameservers dns.resolver.NoNameservers During handling of the above exception, another exception occurred: Traceback (most recent call last): ? File "/usr/sbin/samba_dnsupdate", line 851, in <module> ? ? elif not check_dns_name(d): ? File "/usr/sbin/samba_dnsupdate", line 324, in check_dns_name ? ? raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name)) Exception: Unable to contact a working DNS server while looking for NS orbital.samdom.mycompany.net umbriel.samdom.mycompany.net?as?samdom.mycompany.net. So, let's make those records, right? All attempts to add this info in the Properties window of DNS Manager end in a very unfriendly message: "Failure to write NS record <umbriel.samdom.mycompany.net.> The local security authority database contains an internal inconsistency." I try from samba-tool: # samba-tool dns add localhost samdom.mycompany.net?samdom.mycompany.net?NS umbriel.samdom.mycompany.net?-U"Administrator" Password for [ORBITAL\Administrator]: ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR') ? File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run ? ? return self.run(*args, **kwargs) ? File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run ? ? raise e ? File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run ? ? 0, server, zone, name, add_rec_buf, None) Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! Unsheathed by Matthew like And?ril by Aragorn: # samba_upgradedns --dns-backend=BIND9_DLZ Reading domain information DNS accounts already exist No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone DNS records will be automatically created DNS partitions already exist dns-umbriel account already exists See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates Finished upgrading DNS Take that, DNS problems! Right? Oh.... no... it didn't help AT ALL. Same results on every test. I'm feeling lonely here. Thanks, Matthew From: Matthew Delfino via samba <samba at lists.samba.org> To: L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org> Sent: 6/20/2019 1:40 PM Subject: Re: [Samba] DLZ Backend DNS Hosed And, BTW, right now, I am able to see my problem via the following 3 ways... 1) Through Windows DNS Manager, I cannot add, change or delete any DNS records from: mycompany.loc samdom.mycompany.net mycompany.net I *can* add, change and delete DNS records from: _msdcs.samdom.mycompany.net mycompany.com 7.168.192.in-addr.arpa 5.168.192.in-addr.arpa 3.168.192.in-addr.arpa 2.168.192.in-addr.arpa 11.168.192.in-addr.arpa 2) Running the following command always ends with an error: # samba_dnsupdate --verbos --all-names IPs: ['192.168.3.203'] force update: A umbriel.samdom.mycompany.net 192.168.3.203 force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net force update: NS _msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net force update: A samdom.mycompany.net 192.168.3.203 force update: SRV _ldap._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 389 force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 force update: SRV _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 force update: SRV _kerberos._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 88 force update: SRV _kerberos._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 88 force update: SRV _kerberos._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88 force update: SRV _kpasswd._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 464 force update: SRV _kpasswd._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 464 force update: CNAME a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 389 force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 88 force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88 force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203 force update: SRV _gc._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203 force update: SRV _ldap._tcp.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203 force update: SRV _ldap._tcp.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 28 DNS updates and 0 DNS deletes needed Traceback (most recent call last): ? File "/usr/sbin/samba_dnsupdate", line 886, in <module> ? ? creds = get_credentials(lp) ? File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials ? ? get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.') ? File "/usr/sbin/samba_dnsupdate", line 161, in get_krb5_rw_dns_server ? ? rw_dns_servers = get_possible_rw_dns_server(creds, domain) ? File "/usr/sbin/samba_dnsupdate", line 136, in get_possible_rw_dns_server ? ? ans_soa = check_one_dns_name(domain, 'SOA') ? File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name ? ? ans = resolver.query(name, name_type) ? File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query ? ? raise NoNameservers dns.resolver.NoNameservers 3) We have a mail server that occasionally rejects passwords from end users. This is the problem end users see that started the whole investigation. Also, this may be obvious from the output of your script, but in case it's not... we do not have DHCP server running on our DCs, nor do we have any sort of dynamic dhcp setup. It's just Samba and BIND (and kerberos, and ntp...). Thank you! Matthew From: ? Matthew Delfino via samba <samba at lists.samba.org> To: ? L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org> Sent: ? 6/20/2019 1:00 PM Subject: ? Re: [Samba] DLZ Backend DNS Hosed Nice shell script,?Louis. Here are the results: Collected config ?--- 2019-06-20-12:46 ----------- Hostname: umbriel DNS Domain: samdom.mycompany.net FQDN: umbriel.samdom.mycompany.net ipaddress: 192.168.3.203? ----------- Samba is running as an AD DC ----------- ? ? ? ?Checking file: /etc/os-release NAME="Ubuntu" VERSION="16.04.6 LTS (Xenial Xerus)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 16.04.6 LTS" VERSION_ID="16.04" HOME_URL="http://www.ubuntu.com/" SUPPORT_URL="http://help.ubuntu.com/" BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" VERSION_CODENAME=xenial UBUNTU_CODENAME=xenial ----------- This computer is running Ubuntu 16.04.6 LTS x86_64 ----------- running command : ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 ? ? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 ? ? inet 127.0.0.1/8 scope host lo ? ? inet6 ::1/128 scope host? 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 ? ? link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff ? ? inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32 ? ? inet6 fe80::250:56ff:fea5:50b3/64 scope link? ----------- ? ? ? ?Checking file: /etc/hosts 127.0.0.1 localhost 192.168.3.203 umbriel.samdom.mycompany.net umbriel # The following lines are desirable for IPv6 capable hosts ::1 ? ? localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters ----------- ? ? ? ?Checking file: /etc/resolv.conf # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # ? ? DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 192.168.3.201 nameserver 192.168.3.202 search samdom.mycompany.net mycompany.net mycompany.com ----------- ? ? ? ?Checking file: /etc/krb5.conf [logging] ? ? ? ? default = FILE:/var/log/krb5libs.log ? ? ? ? kdc = FILE:/var/log/krb5kdc.log ? ? ? ? admin_server = FILE:/var/log/kadmin.log [libdefaults] ? ? ? ? default_realm = SAMDOM.MYCOMPANY.NET ? ? ? ? dns_lookup_realm = false ? ? ? ? dns_lookup_kdc = true ? ? ? ? ticket_lifetime = 24h ? ? ? ? renew_lifetime = 7d ? ? ? ? forwardable = true ----------- ? ? ? ?Checking file: /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: ? ? ? ? compat group: ? ? ? ? ?compat shadow: ? ? ? ? compat gshadow: ? ? ? ?files hosts: ? ? ? ? ?files dns networks: ? ? ? files protocols: ? ? ?db files services: ? ? ? db files ethers: ? ? ? ? db files rpc: ? ? ? ? ? ?db files netgroup: ? ? ? nis ----------- ? ? ? ?Checking file: /etc/samba/smb.conf # Global parameters [global] netbios name = UMBRIEL realm = SAMDOM.MYCOMPANY.NET server role = active directory domain controller #server services = -dns server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = SAMDOM idmap_ldb:use rfc2307 = yes #dns forwarder = 8.8.4.4 #dns forwarder = 8.8.8.8 allow dns updates = disabled dsdb:schema update allowed = true printcap name = /dev/null load printers = no printing = bsd? ldap server require strong auth = no? ldap ssl = start tls tls enabled ?= yes tls keyfile ?= tls/myKey.pem tls certfile = tls/umbriel_samdom_mycompany_net.pem tls cafile ? = tls/umbriel_samdom_mycompany_net.ca-bundle.pem #log file = /var/log/samba/%a.%M.log max log size = 2048 log level = 1 auth_audit:3 apply group policies = yes mdns name = mdns [netlogon] path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ----------- Detected bind DLZ enabled.. ? ? ? ?Checking file: /etc/bind/named.conf // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the? // structure of BIND configuration files in Debian, *BEFORE* you customize? // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; include "/var/lib/samba/bind-dns/named.conf"; ----------- ? ? ? ?Checking file: /etc/bind/named.conf.options options { auth-nxdomain yes; directory "/var/cache/bind"; dnssec-validation auto; empty-zones-enable no; managed-keys-directory "/var/cache/bind/"; notify yes; // Not recommended. tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS allow-query { any; }; allow-recursion { any; }; ? allow-transfer { 192.168.3.47; ? // DNS2 192.168.3.48; ? // DNS1 192.168.5.47; ? // Opal 192.168.5.48; ? // Pyrite 192.168.0.8; ? ?// DNS3 192.168.0.9; ? ?// DNS4 }; also-notify { 192.168.3.47; ? // DNS2 192.168.3.48; ? // DNS1 192.168.5.47; ? // Opal 192.168.5.48; ? // Pyrite 192.168.0.8; ? ?// DNS3 192.168.0.9; ? ?// DNS4 }; allow-notify { 192.168.3.47; ? // DNS2 192.168.3.48; ? // DNS1 192.168.5.47; ? // Opal 192.168.5.48; ? // Pyrite 192.168.0.8; ? ?// DNS3 192.168.0.9; ? ?// DNS4 }; forwarders { 9.9.9.9; 1.1.1.1; 8.8.8.8; 8.8.4.4; }; }; ----------- ? ? ? ?Checking file: /etc/bind/named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; ----------- ? ? ? ?Checking file: /etc/bind/named.conf.default-zones // prime the server with knowledge of the root servers zone "." { type hint; file "/etc/bind/db.root"; }; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "7.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; ----------- Samba DNS zone list: ? 10 zone(s) found ? pszZoneName ? ? ? ? ? ? ? ? : mycompany.com ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : 7.168.192.in-addr.arpa ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : 3.168.192.in-addr.arpa ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : 2.168.192.in-addr.arpa ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : 11.168.192.in-addr.arpa ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : mycompany.loc ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : samdom.mycompany.net ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : 5.168.192.in-addr.arpa ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : mycompany.net ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net ? pszZoneName ? ? ? ? ? ? ? ? : _msdcs.samdom.mycompany.net ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE? ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY ? Version ? ? ? ? ? ? ? ? ? ? : 50 ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED? ? pszDpFqdn ? ? ? ? ? ? ? ? ? : ForestDnsZones.samdom.mycompany.net Samba DNS zone list Automated check :? zone : mycompany.com ok, no Bind flat-files found ----------- zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found ----------- zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found ----------- zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found ----------- zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found ----------- zone : mycompany.loc ok, no Bind flat-files found ----------- zone : samdom.mycompany.net ok, no Bind flat-files found ----------- zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found ----------- zone : mycompany.net ok, no Bind flat-files found ----------- zone : _msdcs.samdom.mycompany.net ok, no Bind flat-files found ----------- Installed packages: ii ?acl ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Access control list utilities ii ?attr ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Utilities for manipulating filesystem extended attributes hi ?bind9 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?Internet Domain Name Server ii ?bind9-doc ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1:9.10.3.dfsg.P4-8ubuntu1.14 ? ? ? ? ? ? ? all ? ? ? ? ?Documentation for BIND ii ?bind9-host ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?Version of 'host' bundled with BIND 9.X ii ?bind9utils ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?Utilities for BIND ii ?krb5-config ? ? ? ? ? ? ? ? ? ? ? ? ? 2.3 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?all ? ? ? ? ?Configuration files for Kerberos Version 5 ii ?krb5-locales ? ? ? ? ? ? ? ? ? ? ? ? ?1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? all ? ? ? ? ?Internationalization support for MIT Kerberos ii ?krb5-multidev ? ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Development files for MIT Kerberos without Heimdal conflict ii ?krb5-user ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Basic programs to authenticate using MIT Kerberos ii ?libacl1:amd64 ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Access control list shared library ii ?libacl1-dev ? ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Access control list static libraries and headers ii ?libattr1:amd64 ? ? ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Extended attribute shared library ii ?libattr1-dev:amd64 ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Extended attribute static libraries and headers ii ?libbind9-140:amd64 ? ? ? ? ? ? ? ? ? ?1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?BIND9 Shared Library used by BIND ii ?libgssapi-krb5-2:amd64 ? ? ? ? ? ? ? ?1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - krb5 GSS-API Mechanism ii ?libkrb5-26-heimdal:amd64 ? ? ? ? ? ? ?1.7~git20150920+dfsg-4ubuntu1.16.04.1 ? ? ?amd64 ? ? ? ?Heimdal Kerberos - libraries ii ?libkrb5-3:amd64 ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries ii ?libkrb5-dev ? ? ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Headers and development libraries for MIT Kerberos ii ?libkrb5support0:amd64 ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - Support library ----------- From: ? L.P.H. van Belle via samba <samba at lists.samba.org> ? To: ? "samba at lists.samba.org" <samba at lists.samba.org> ? Sent: ? 6/19/2019 1:48 AM ? Subject: ? Re: [Samba] DLZ Backend DNS Hosed ? Hai, ? ? ? For bind, please to add this for bind if you use bind_DLZ. ? How : systemctl edit bind9, or create the file manualy and run systemctl daemon-reload after. ? The edit command already does the reload. ? ? # /etc/systemd/system/bind9.service.d/override.conf ? [Service] ? ExecReload= ? ? ? But same for you. ?;-) as the other list message today. ([Samba] Reverse DNS) ? Can you run this for me on the DC's. ? https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh ? And post the output ? ? It tells me almost all i need to know to help you fix this. ? ? Greetz, ? ? Louis ? ?> -----Oorspronkelijk bericht----- ? > Van: samba [mailto:samba-bounces at lists.samba.org] Namens ? > Matthew Delfino via samba ? > Verzonden: woensdag 19 juni 2019 5:00 ? > Aan: samba at lists.samba.org ? > Onderwerp: [Samba] DLZ Backend DNS Hosed ? > ? > ? > Hello, ? > ? > ? > I'm in trouble here with what appears to be a total meltdown ? > of my DNS on my Domain Controllers. ? > ? > ? > I only have two DCs right now and I cannot resolve anything ? > on either of them. I am on Ubuntu 16.04 with a compiled ? > version of Samba 4.10.4. ? > ? > ? > I also have a compiled version of BIND 9.10.3-P4-Ubuntu <id:ebd72b3> ? > ? > ? > # service bind9 status ? > ??? bind9.service - BIND Domain Name Server ? > ? ?Loaded: loaded (/lib/systemd/system/bind9.service; ? > enabled; vendor preset: enabled) ? > ? Drop-In: /run/systemd/generator/bind9.service.d ? > ? ? ? ? ? ???????50-insserv.conf-$named.conf ? > ? ?Active: failed (Result: exit-code) since Tue 2019-06-18 ? > 21:14:39 CDT; 27min ago ? > ? ? ?Docs: man:named(8) ? > ? Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, ? > status=1/FAILURE) ? > ? Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS ? > (code=exited, status=1/FAILURE) ? > ?Main PID: 28329 (code=exited, status=1/FAILURE) ? > ? > ? > Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure ? > Jun 18 21:14:39 cordelia named[28329]: zone ? > mydomain.com/NONE: has no NS records ? > Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to ? > configure zone 'mydomain.com' ? > Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone ? > Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error) ? > Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main ? > process exited, code=exited, status=1/FAILURE ? > Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: ? > 127.0.0.1#953: connection refused ? > Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control ? > process exited, code=exited status=1 ? > Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit ? > entered failed state. ? > Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed ? > with result 'exit-code'. ? > ? > ? > It appears that somehow I lost my NS records for one of my ? > zones. It seems that I cannot get BIND up long enough to edit ? > anything. ? > ? > ? > I've been able to delete my non-essential zones with samba-tool: ? > ? > ? > ? > ?# ?samba-tool dns zonedelete localhost mydomain.com ? > ?# ?samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa ? > ?# ?samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa ? > ?# ?samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa ? > ?# ?samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa ? > ?# ?samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa ? > ? > ? > But now my error is "zone _msdcs.samdom.mydomain.net/NONE: ? > has no NS records" and I am real nervous to delete that zone. ? > ? > ? > Does anyone know what I can do to get my samba DC to have NS ? > records that my BIND DNS server will understand and therefore load? ? > ? > ? > ? > Thanks, ? > Matthew ? ? > ? > ?? ? -- ? To unsubscribe from this list go to the following URL and read the ? instructions: ?https://lists.samba.org/mailman/options/samba? ? 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
On 20/06/2019 23:19, Matthew Delfino via samba wrote:> I've been working on this problem for a few hours. Here are some updates: > > > Many of the domains I listed are duplicates of domains managed by other DNS servers on my network. There was no point in having them in Samba AD, so I deleted the zones in Windows DNS Manager and created slaves in my named.conf.local folder, so that they'd pull the records from my authoritative BIND DNS server, which runs on good old fashioned flat files (the SOA for zones like mycompany.net and the PTR zones for all my subnets). I'm now down to two zones: > > > Able to be edited: _msdcs.samdom.mycompany.net > NOT able to be edited:?samdom.mycompany.netI read the output of Louis's script you posted and my first thought was, 'why has he got dns domains that have nothing to do with AD ?' In my opinion, you should only have the dns records for your Samba AD domain in AD, this should include any reverse zones.> > > I believe these two zones to be the bare minimum I need to have everything working correctly. > > > Closer inspection shows that I have no NS records and no SOA record in the "samdom.mycompany.net" zone. > > > > # samba_dnsupdate --verbose > IPs: ['192.168.3.203'] > Looking for DNS entry A umbriel.samdom.mycompany.net?192.168.3.203 as umbriel.samdom.mycompany.net. > Looking for DNS entry NS?samdom.mycompany.net?umbriel.samdom.mycompany.net?as?samdom.mycompany.net. > Traceback (most recent call last): > ? File "/usr/sbin/samba_dnsupdate", line 320, in check_dns_name > ? ? ans = check_one_dns_name(normalised_name, d.type, d) > ? File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name > ? ? ans = resolver.query(name, name_type) > ? File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query > ? ? raise NoNameservers > dns.resolver.NoNameservers > > > During handling of the above exception, another exception occurred: > > > Traceback (most recent call last): > ? File "/usr/sbin/samba_dnsupdate", line 851, in <module> > ? ? elif not check_dns_name(d): > ? File "/usr/sbin/samba_dnsupdate", line 324, in check_dns_name > ? ? raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name)) > Exception: Unable to contact a working DNS server while looking for NS orbital.samdom.mycompany.net umbriel.samdom.mycompany.net?as?samdom.mycompany.net. > > > So, let's make those records, right? All attempts to add this info in the Properties window of DNS Manager end in a very unfriendly message: > > > "Failure to write NS record <umbriel.samdom.mycompany.net.> > The local security authority database contains an internal inconsistency." > > > I try from samba-tool: > > > > # samba-tool dns add localhost samdom.mycompany.net?samdom.mycompany.net?NS umbriel.samdom.mycompany.net?-U"Administrator" > Password for [ORBITAL\Administrator]: > ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR') > ? File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run > ? ? return self.run(*args, **kwargs) > ? File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run > ? ? raise e > ? File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run > ? ? 0, server, zone, name, add_rec_buf, None) > > > Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! Unsheathed by Matthew like And?ril by Aragorn: > > > > # samba_upgradedns --dns-backend=BIND9_DLZ > Reading domain information > DNS accounts already exist > No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone > DNS records will be automatically created > DNS partitions already exist > dns-umbriel account already exists > See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND > and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates > Finished upgrading DNS > > > Take that, DNS problems! Right? Oh.... no... it didn't help AT ALL. Same results on every test. > > > I'm feeling lonely here.Do you have a backup ? I have had something similar happen, but with the reverse zone and I just deleted the zone and recreated it with samba-tool and then let the records be recreated. In your case, I would be tempted to 'upgrade' to the internal dns server and then 'upgrade' to the Bind9 server. This should recreate all the required zones and records.> ----------- > > > ? ? ? ?Checking file: /etc/resolv.conf > > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) > # ? ? DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN > nameserver 192.168.3.201 > nameserver 192.168.3.202 > search samdom.mycompany.net mycompany.net mycompany.comI would remove any domains that are not the Samba dns domain> > ? ? ? ?Checking file: /etc/samba/smb.conf > > > # Global parameters > [global] > netbios name = UMBRIEL > realm = SAMDOM.MYCOMPANY.NET > server role = active directory domain controller > #server services = -dns > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > workgroup = SAMDOM > idmap_ldb:use rfc2307 = yes > #dns forwarder = 8.8.4.4 > #dns forwarder = 8.8.8.8 > allow dns updates = disabledBad move, something needs to be able to upgrade your dns records.> dsdb:schema update allowed = trueRemove this, it is only needed to extend the schema and can be used on the ldbmodify command line.> > ----------- > > > Detected bind DLZ enabled.. > ? ? ? ?Checking file: /etc/bind/named.conf > > > include "/etc/bind/named.conf.options"; > include "/etc/bind/named.conf.local"; > include "/etc/bind/named.conf.default-zones"; > include "/var/lib/samba/bind-dns/named.conf"; > > > ----------- > > > ? ? ? ?Checking file: /etc/bind/named.conf.options > > > options { > > > auth-nxdomain yes; > directory "/var/cache/bind"; > dnssec-validation auto; > empty-zones-enable no; > managed-keys-directory "/var/cache/bind/"; > notify yes; // Not recommended. > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS > > > allow-query { > any; > }; > > > allow-recursion { > any; > }; > > allow-transfer { > 192.168.3.47; ? // DNS2 > 192.168.3.48; ? // DNS1 > 192.168.5.47; ? // Opal > 192.168.5.48; ? // Pyrite > 192.168.0.8; ? ?// DNS3 > 192.168.0.9; ? ?// DNS4 > }; > > > also-notify { > 192.168.3.47; ? // DNS2 > 192.168.3.48; ? // DNS1 > 192.168.5.47; ? // Opal > 192.168.5.48; ? // Pyrite > 192.168.0.8; ? ?// DNS3 > 192.168.0.9; ? ?// DNS4 > }; > > > allow-notify { > 192.168.3.47; ? // DNS2 > 192.168.3.48; ? // DNS1 > 192.168.5.47; ? // Opal > 192.168.5.48; ? // Pyrite > 192.168.0.8; ? ?// DNS3 > 192.168.0.9; ? ?// DNS4 > }; >Please set your dns up correctly, first remove the 3 blocks above, forward anything outside your Samba dns domain to another external dns server and inform any other, non AD dns servers that you have, where your AD domain is> > Installed packages: > ii ?acl ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Access control list utilities > ii ?attr ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Utilities for manipulating filesystem extended attributes > hi ?bind9 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?Internet Domain Name Server > ii ?bind9-doc ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1:9.10.3.dfsg.P4-8ubuntu1.14 ? ? ? ? ? ? ? all ? ? ? ? ?Documentation for BIND > ii ?bind9-host ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?Version of 'host' bundled with BIND 9.X > ii ?bind9utils ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?Utilities for BIND > ii ?krb5-config ? ? ? ? ? ? ? ? ? ? ? ? ? 2.3 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?all ? ? ? ? ?Configuration files for Kerberos Version 5 > ii ?krb5-locales ? ? ? ? ? ? ? ? ? ? ? ? ?1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? all ? ? ? ? ?Internationalization support for MIT Kerberos > ii ?krb5-multidev ? ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Development files for MIT Kerberos without Heimdal conflict > ii ?krb5-user ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Basic programs to authenticate using MIT Kerberos > ii ?libacl1:amd64 ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Access control list shared library > ii ?libacl1-dev ? ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Access control list static libraries and headers > ii ?libattr1:amd64 ? ? ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Extended attribute shared library > ii ?libattr1-dev:amd64 ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Extended attribute static libraries and headers > ii ?libbind9-140:amd64 ? ? ? ? ? ? ? ? ? ?1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?BIND9 Shared Library used by BIND > ii ?libgssapi-krb5-2:amd64 ? ? ? ? ? ? ? ?1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - krb5 GSS-API Mechanism > ii ?libkrb5-26-heimdal:amd64 ? ? ? ? ? ? ?1.7~git20150920+dfsg-4ubuntu1.16.04.1 ? ? ?amd64 ? ? ? ?Heimdal Kerberos - libraries > ii ?libkrb5-3:amd64 ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries > ii ?libkrb5-dev ? ? ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Headers and development libraries for MIT Kerberos > ii ?libkrb5support0:amd64 ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - Support library > > >Something not quite right there, you do not seem to have Samba installed. Rowland
Hi Matthew,> # samba-tool dns add localhost samdom.mycompany.net samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator" > Password for [ORBITAL\Administrator]: > ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR') > File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run > raise e > File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run > 0, server, zone, name, add_rec_buf, None)Like you have figured out, in more recent version of Bind-DLZ it is required to have a NS field for it to start. Please try with the following command line syntax to add it: samba-tool dns add umbriel samdom.mycompany.net @ NS umbriel.samdom.mycompany.net -P For you DNS field update, if you get some TSIG error, you may try to add the DNS entries directly in the local database. samba_dnsupdate --verbose --use-samba-tool Cheers, Denis> > > Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! Unsheathed by Matthew like And?ril by Aragorn: > > > > # samba_upgradedns --dns-backend=BIND9_DLZ > Reading domain information > DNS accounts already exist > No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone > DNS records will be automatically created > DNS partitions already exist > dns-umbriel account already exists > See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND > and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates > Finished upgrading DNS > > > Take that, DNS problems! Right? Oh.... no... it didn't help AT ALL. Same results on every test. > > > I'm feeling lonely here. > > > > Thanks, > Matthew > > > > From: Matthew Delfino via samba <samba at lists.samba.org> > To: L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org> > Sent: 6/20/2019 1:40 PM > Subject: Re: [Samba] DLZ Backend DNS Hosed > > And, BTW, right now, I am able to see my problem via the following 3 ways... > > 1) Through Windows DNS Manager, I cannot add, change or delete any DNS records from: > > mycompany.loc > samdom.mycompany.net > mycompany.net > > I *can* add, change and delete DNS records from: > > _msdcs.samdom.mycompany.net > mycompany.com > 7.168.192.in-addr.arpa > 5.168.192.in-addr.arpa > 3.168.192.in-addr.arpa > 2.168.192.in-addr.arpa > 11.168.192.in-addr.arpa > > 2) Running the following command always ends with an error: > > # samba_dnsupdate --verbos --all-names > IPs: ['192.168.3.203'] > force update: A umbriel.samdom.mycompany.net 192.168.3.203 > force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net > force update: NS _msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net > force update: A samdom.mycompany.net 192.168.3.203 > force update: SRV _ldap._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _kerberos._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: SRV _kerberos._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: SRV _kerberos._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: SRV _kpasswd._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 464 > force update: SRV _kpasswd._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 464 > force update: CNAME a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203 > force update: SRV _gc._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 > force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 > force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 > force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203 > force update: SRV _ldap._tcp.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203 > force update: SRV _ldap._tcp.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > 28 DNS updates and 0 DNS deletes needed > Traceback (most recent call last): > File "/usr/sbin/samba_dnsupdate", line 886, in <module> > creds = get_credentials(lp) > File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials > get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.') > File "/usr/sbin/samba_dnsupdate", line 161, in get_krb5_rw_dns_server > rw_dns_servers = get_possible_rw_dns_server(creds, domain) > File "/usr/sbin/samba_dnsupdate", line 136, in get_possible_rw_dns_server > ans_soa = check_one_dns_name(domain, 'SOA') > File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name > ans = resolver.query(name, name_type) > File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query > raise NoNameservers > dns.resolver.NoNameservers > > 3) We have a mail server that occasionally rejects passwords from end users. This is the problem end users see that started the whole investigation. > > Also, this may be obvious from the output of your script, but in case it's not... we do not have DHCP server running on our DCs, nor do we have any sort of dynamic dhcp setup. It's just Samba and BIND (and kerberos, and ntp...). > > Thank you! > Matthew > > > > > From: Matthew Delfino via samba <samba at lists.samba.org> > To: L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org> > Sent: 6/20/2019 1:00 PM > Subject: Re: [Samba] DLZ Backend DNS Hosed > > Nice shell script, Louis. Here are the results: > > > > Collected config --- 2019-06-20-12:46 ----------- > > > Hostname: umbriel > DNS Domain: samdom.mycompany.net > FQDN: umbriel.samdom.mycompany.net > ipaddress: 192.168.3.203 > > > ----------- > > > Samba is running as an AD DC > > > ----------- > Checking file: /etc/os-release > > > NAME="Ubuntu" > VERSION="16.04.6 LTS (Xenial Xerus)" > ID=ubuntu > ID_LIKE=debian > PRETTY_NAME="Ubuntu 16.04.6 LTS" > VERSION_ID="16.04" > HOME_URL="http://www.ubuntu.com/" > SUPPORT_URL="http://help.ubuntu.com/" > BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" > VERSION_CODENAME=xenial > UBUNTU_CODENAME=xenial > > > ----------- > > > > > This computer is running Ubuntu 16.04.6 LTS x86_64 > > > ----------- > running command : ip a > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > inet6 ::1/128 scope host > 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 > link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff > inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32 > inet6 fe80::250:56ff:fea5:50b3/64 scope link > > > ----------- > Checking file: /etc/hosts > > > 127.0.0.1 localhost > 192.168.3.203 umbriel.samdom.mycompany.net umbriel > > > # The following lines are desirable for IPv6 capable hosts > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > > > ----------- > > > Checking file: /etc/resolv.conf > > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN > nameserver 192.168.3.201 > nameserver 192.168.3.202 > search samdom.mycompany.net mycompany.net mycompany.com > > > ----------- > > > Checking file: /etc/krb5.conf > > > [logging] > default = FILE:/var/log/krb5libs.log > kdc = FILE:/var/log/krb5kdc.log > admin_server = FILE:/var/log/kadmin.log > > > [libdefaults] > default_realm = SAMDOM.MYCOMPANY.NET > dns_lookup_realm = false > dns_lookup_kdc = true > ticket_lifetime = 24h > renew_lifetime = 7d > forwardable = true > > > ----------- > > > Checking file: /etc/nsswitch.conf > > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > > passwd: compat > group: compat > shadow: compat > gshadow: files > > > hosts: files dns > networks: files > > > protocols: db files > services: db files > ethers: db files > rpc: db files > > > netgroup: nis > > > ----------- > > > Checking file: /etc/samba/smb.conf > > > # Global parameters > [global] > netbios name = UMBRIEL > realm = SAMDOM.MYCOMPANY.NET > server role = active directory domain controller > #server services = -dns > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > workgroup = SAMDOM > idmap_ldb:use rfc2307 = yes > #dns forwarder = 8.8.4.4 > #dns forwarder = 8.8.8.8 > allow dns updates = disabled > dsdb:schema update allowed = true > printcap name = /dev/null > load printers = no > printing = bsd > ldap server require strong auth = no > ldap ssl = start tls > tls enabled = yes > tls keyfile = tls/myKey.pem > tls certfile = tls/umbriel_samdom_mycompany_net.pem > tls cafile = tls/umbriel_samdom_mycompany_net.ca-bundle.pem > #log file = /var/log/samba/%a.%M.log > max log size = 2048 > log level = 1 auth_audit:3 > apply group policies = yes > mdns name = mdns > > > [netlogon] > path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts > read only = No > > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > ----------- > > > Detected bind DLZ enabled.. > Checking file: /etc/bind/named.conf > > > // This is the primary configuration file for the BIND DNS server named. > // > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the > // structure of BIND configuration files in Debian, *BEFORE* you customize > // this configuration file. > // > // If you are just adding zones, please do that in /etc/bind/named.conf.local > > > include "/etc/bind/named.conf.options"; > include "/etc/bind/named.conf.local"; > include "/etc/bind/named.conf.default-zones"; > include "/var/lib/samba/bind-dns/named.conf"; > > > ----------- > > > Checking file: /etc/bind/named.conf.options > > > options { > > > auth-nxdomain yes; > directory "/var/cache/bind"; > dnssec-validation auto; > empty-zones-enable no; > managed-keys-directory "/var/cache/bind/"; > notify yes; // Not recommended. > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS > > > allow-query { > any; > }; > > > allow-recursion { > any; > }; > > allow-transfer { > 192.168.3.47; // DNS2 > 192.168.3.48; // DNS1 > 192.168.5.47; // Opal > 192.168.5.48; // Pyrite > 192.168.0.8; // DNS3 > 192.168.0.9; // DNS4 > }; > > > also-notify { > 192.168.3.47; // DNS2 > 192.168.3.48; // DNS1 > 192.168.5.47; // Opal > 192.168.5.48; // Pyrite > 192.168.0.8; // DNS3 > 192.168.0.9; // DNS4 > }; > > > allow-notify { > 192.168.3.47; // DNS2 > 192.168.3.48; // DNS1 > 192.168.5.47; // Opal > 192.168.5.48; // Pyrite > 192.168.0.8; // DNS3 > 192.168.0.9; // DNS4 > }; > > > forwarders { > 9.9.9.9; > 1.1.1.1; > 8.8.8.8; > 8.8.4.4; > }; > }; > > > ----------- > > > Checking file: /etc/bind/named.conf.local > > > // > // Do any local configuration here > // > > > // Consider adding the 1918 zones here, if they are not used in your > // organization > //include "/etc/bind/zones.rfc1918"; > > > ----------- > > > Checking file: /etc/bind/named.conf.default-zones > > > // prime the server with knowledge of the root servers > zone "." { > type hint; > file "/etc/bind/db.root"; > }; > > > // be authoritative for the localhost forward and reverse zones, and for > // broadcast zones as per RFC 1912 > > > zone "localhost" { > type master; > file "/etc/bind/db.local"; > }; > > > zone "7.in-addr.arpa" { > type master; > file "/etc/bind/db.127"; > }; > > > zone "0.in-addr.arpa" { > type master; > file "/etc/bind/db.0"; > }; > > > zone "255.in-addr.arpa" { > type master; > file "/etc/bind/db.255"; > }; > > > ----------- > > > Samba DNS zone list: 10 zone(s) found > > > pszZoneName : mycompany.com > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 7.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 3.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 2.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 11.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : mycompany.loc > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : samdom.mycompany.net > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 5.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : mycompany.net > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : _msdcs.samdom.mycompany.net > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : ForestDnsZones.samdom.mycompany.net > > > Samba DNS zone list Automated check : > zone : mycompany.com ok, no Bind flat-files found > ----------- > zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : mycompany.loc ok, no Bind flat-files found > ----------- > zone : samdom.mycompany.net ok, no Bind flat-files found > ----------- > zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : mycompany.net ok, no Bind flat-files found > ----------- > zone : _msdcs.samdom.mycompany.net ok, no Bind flat-files found > ----------- > > > Installed packages: > ii acl 2.2.52-3 amd64 Access control list utilities > ii attr 1:2.4.47-2 amd64 Utilities for manipulating filesystem extended attributes > hi bind9 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 Internet Domain Name Server > ii bind9-doc 1:9.10.3.dfsg.P4-8ubuntu1.14 all Documentation for BIND > ii bind9-host 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 Version of 'host' bundled with BIND 9.X > ii bind9utils 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 Utilities for BIND > ii krb5-config 2.3 all Configuration files for Kerberos Version 5 > ii krb5-locales 1.13.2+dfsg-5ubuntu2.1 all Internationalization support for MIT Kerberos > ii krb5-multidev 1.13.2+dfsg-5ubuntu2.1 amd64 Development files for MIT Kerberos without Heimdal conflict > ii krb5-user 1.13.2+dfsg-5ubuntu2.1 amd64 Basic programs to authenticate using MIT Kerberos > ii libacl1:amd64 2.2.52-3 amd64 Access control list shared library > ii libacl1-dev 2.2.52-3 amd64 Access control list static libraries and headers > ii libattr1:amd64 1:2.4.47-2 amd64 Extended attribute shared library > ii libattr1-dev:amd64 1:2.4.47-2 amd64 Extended attribute static libraries and headers > ii libbind9-140:amd64 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 BIND9 Shared Library used by BIND > ii libgssapi-krb5-2:amd64 1.13.2+dfsg-5ubuntu2.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism > ii libkrb5-26-heimdal:amd64 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 Heimdal Kerberos - libraries > ii libkrb5-3:amd64 1.13.2+dfsg-5ubuntu2.1 amd64 MIT Kerberos runtime libraries > ii libkrb5-dev 1.13.2+dfsg-5ubuntu2.1 amd64 Headers and development libraries for MIT Kerberos > ii libkrb5support0:amd64 1.13.2+dfsg-5ubuntu2.1 amd64 MIT Kerberos runtime libraries - Support library > > > ----------- > > > > > From: L.P.H. van Belle via samba <samba at lists.samba.org> > To: "samba at lists.samba.org" <samba at lists.samba.org> > Sent: 6/19/2019 1:48 AM > Subject: Re: [Samba] DLZ Backend DNS Hosed > > Hai, > > > For bind, please to add this for bind if you use bind_DLZ. > How : systemctl edit bind9, or create the file manualy and run systemctl daemon-reload after. > The edit command already does the reload. > > # /etc/systemd/system/bind9.service.d/override.conf > [Service] > ExecReload> > > But same for you. ;-) as the other list message today. ([Samba] Reverse DNS) > Can you run this for me on the DC's. > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh > And post the output > > It tells me almost all i need to know to help you fix this. > > Greetz, > > Louis > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> Matthew Delfino via samba >> Verzonden: woensdag 19 juni 2019 5:00 >> Aan: samba at lists.samba.org >> Onderwerp: [Samba] DLZ Backend DNS Hosed >> >> >> Hello, >> >> >> I'm in trouble here with what appears to be a total meltdown >> of my DNS on my Domain Controllers. >> >> >> I only have two DCs right now and I cannot resolve anything >> on either of them. I am on Ubuntu 16.04 with a compiled >> version of Samba 4.10.4. >> >> >> I also have a compiled version of BIND 9.10.3-P4-Ubuntu <id:ebd72b3> >> >> >> # service bind9 status >> ??? bind9.service - BIND Domain Name Server >> Loaded: loaded (/lib/systemd/system/bind9.service; >> enabled; vendor preset: enabled) >> Drop-In: /run/systemd/generator/bind9.service.d >> ??????50-insserv.conf-$named.conf >> Active: failed (Result: exit-code) since Tue 2019-06-18 >> 21:14:39 CDT; 27min ago >> Docs: man:named(8) >> Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, >> status=1/FAILURE) >> Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS >> (code=exited, status=1/FAILURE) >> Main PID: 28329 (code=exited, status=1/FAILURE) >> >> >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure >> Jun 18 21:14:39 cordelia named[28329]: zone >> mydomain.com/NONE: has no NS records >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to >> configure zone 'mydomain.com' >> Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone >> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error) >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main >> process exited, code=exited, status=1/FAILURE >> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: >> 127.0.0.1#953: connection refused >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control >> process exited, code=exited status=1 >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit >> entered failed state. >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed >> with result 'exit-code'. >> >> >> It appears that somehow I lost my NS records for one of my >> zones. It seems that I cannot get BIND up long enough to edit >> anything. >> >> >> I've been able to delete my non-essential zones with samba-tool: >> >> >> >> # samba-tool dns zonedelete localhost mydomain.com >> # samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa >> # samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa >> # samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa >> # samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa >> # samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa >> >> >> But now my error is "zone _msdcs.samdom.mydomain.net/NONE: >> has no NS records" and I am real nervous to delete that zone. >> >> >> Does anyone know what I can do to get my samba DC to have NS >> records that my BIND DNS server will understand and therefore load? >> >> >> >> Thanks, >> Matthew >> >> > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > ? 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated. >-- Denis Cardon Tranquil IT 12 avenue Jules Verne (Bat. A) 44230 Saint S?bastien sur Loire (FRANCE) tel : +33 (0) 240 975 755 http://www.tranquil.it Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/ Samba install wiki for Frenchies : https://dev.tranquil.it WAPT, software deployment made easy : https://wapt.fr
No, this is not needed. Solution here in this is simple. search primary.domain.tld # optional extra search domains after the primary. nameserver IP_AD-DC_OF_THIS_SERVER_FIRST nameserver IP_AD-DC_others Run : samba_upgradedns --dns-backend=BIND9_DLZ And your done, all needed records are fixed/updated. This goes wrong if the IP of the running server isnt the first and/or if search is setup wrong. So always keep ip of the server itself as first, yes i know about islanding dns but that wont happen If you setup correct and DONT use 127.0.0.1 because that is NOT the name of the server. Stimple trick. HOSTNAME="$(hostname -s)" PRIMARYDNSDOMAIN="$(hostname -d)" FQDN="$(hostname -f)" Netbiosname in smb.conf = echo "${HOSTNAME^^}" To be added if its not there in /etc/hosts: echo "$(hostname -i) $(hostname -f) $(hostname -s)" ONLY one line should exist for the hostname add any alias as CNAME in the dns. Resolv.conf : echo "nameserver $(hostname -i)" Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Denis Cardon via samba > Verzonden: vrijdag 21 juni 2019 10:30 > Aan: Matthew Delfino; samba at lists.samba.org > Onderwerp: Re: [Samba] DLZ Backend DNS Hosed > > Hi Matthew, > > > # samba-tool dns add localhost samdom.mycompany.net > samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator" > > Password for [ORBITAL\Administrator]: > > ERROR(runtime): uncaught exception - (1383, > 'WERR_INTERNAL_DB_ERROR') > > File > "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", > line 185, in _run > > return self.run(*args, **kwargs) > > File > "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run > > raise e > > File > "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run > > 0, server, zone, name, add_rec_buf, None) > > Like you have figured out, in more recent version of Bind-DLZ it is > required to have a NS field for it to start. Please try with the > following command line syntax to add it: > > samba-tool dns add umbriel samdom.mycompany.net @ NS > umbriel.samdom.mycompany.net -P > > For you DNS field update, if you get some TSIG error, you may > try to add > the DNS entries directly in the local database. > > samba_dnsupdate --verbose --use-samba-tool > > Cheers, > > Denis > > > > > > > Then, I remember my "samba_upgradedns > --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! > Unsheathed by Matthew like And?ril by Aragorn: > > > > > > > > # samba_upgradedns --dns-backend=BIND9_DLZ > > Reading domain information > > DNS accounts already exist > > No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone > > DNS records will be automatically created > > DNS partitions already exist > > dns-umbriel account already exists > > See /var/lib/samba/bind-dns/named.conf for an example > configuration include file for BIND > > and /var/lib/samba/bind-dns/named.txt for further > documentation required for secure DNS updates > > Finished upgrading DNS > > > > > > Take that, DNS problems! Right? Oh.... no... it didn't help > AT ALL. Same results on every test. > > > > > > I'm feeling lonely here. > > > > > > > > Thanks, > > Matthew > > > > > > > > From: Matthew Delfino via samba <samba at lists.samba.org> > > To: L.P.H. van Belle <belle at bazuin.nl>, > "samba at lists.samba.org" <samba at lists.samba.org> > > Sent: 6/20/2019 1:40 PM > > Subject: Re: [Samba] DLZ Backend DNS Hosed > > > > And, BTW, right now, I am able to see my problem via the > following 3 ways... > > > > 1) Through Windows DNS Manager, I cannot add, change or > delete any DNS records from: > > > > mycompany.loc > > samdom.mycompany.net > > mycompany.net > > > > I *can* add, change and delete DNS records from: > > > > _msdcs.samdom.mycompany.net > > mycompany.com > > 7.168.192.in-addr.arpa > > 5.168.192.in-addr.arpa > > 3.168.192.in-addr.arpa > > 2.168.192.in-addr.arpa > > 11.168.192.in-addr.arpa > > > > 2) Running the following command always ends with an error: > > > > # samba_dnsupdate --verbos --all-names > > IPs: ['192.168.3.203'] > > force update: A umbriel.samdom.mycompany.net 192.168.3.203 > > force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net > > force update: NS _msdcs.samdom.mycompany.net > umbriel.samdom.mycompany.net > > force update: A samdom.mycompany.net 192.168.3.203 > > force update: SRV _ldap._tcp.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV > _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs > .samdom.mycompany.net umbriel.samdom.mycompany.net 389 > > force update: SRV _kerberos._tcp.samdom.mycompany.net > umbriel.samdom.mycompany.net 88 > > force update: SRV _kerberos._udp.samdom.mycompany.net > umbriel.samdom.mycompany.net 88 > > force update: SRV > _kerberos._tcp.dc._msdcs.samdom.mycompany.net > umbriel.samdom.mycompany.net 88 > > force update: SRV _kpasswd._tcp.samdom.mycompany.net > umbriel.samdom.mycompany.net 464 > > force update: SRV _kpasswd._udp.samdom.mycompany.net > umbriel.samdom.mycompany.net 464 > > force update: CNAME > a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.n > et umbriel.samdom.mycompany.net > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.myc > ompany.net umbriel.samdom.mycompany.net 389 > > force update: SRV > _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany > .net umbriel.samdom.mycompany.net 88 > > force update: SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom > .mycompany.net umbriel.samdom.mycompany.net 88 > > force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203 > > force update: SRV _gc._tcp.samdom.mycompany.net > umbriel.samdom.mycompany.net 3268 > > force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net > umbriel.samdom.mycompany.net 3268 > > force update: SRV > _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net > umbriel.samdom.mycompany.net 3268 > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.myc > ompany.net umbriel.samdom.mycompany.net 3268 > > force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203 > > force update: SRV > _ldap._tcp.DomainDnsZones.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdo > m.mycompany.net umbriel.samdom.mycompany.net 389 > > force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203 > > force update: SRV > _ldap._tcp.ForestDnsZones.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdo > m.mycompany.net umbriel.samdom.mycompany.net 389 > > 28 DNS updates and 0 DNS deletes needed > > Traceback (most recent call last): > > File "/usr/sbin/samba_dnsupdate", line 886, in <module> > > creds = get_credentials(lp) > > File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials > > get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.') > > File "/usr/sbin/samba_dnsupdate", line 161, in > get_krb5_rw_dns_server > > rw_dns_servers = get_possible_rw_dns_server(creds, domain) > > File "/usr/sbin/samba_dnsupdate", line 136, in > get_possible_rw_dns_server > > ans_soa = check_one_dns_name(domain, 'SOA') > > File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name > > ans = resolver.query(name, name_type) > > File "/usr/lib/python3/dist-packages/dns/resolver.py", > line 821, in query > > raise NoNameservers > > dns.resolver.NoNameservers > > > > 3) We have a mail server that occasionally rejects > passwords from end users. This is the problem end users see > that started the whole investigation. > > > > Also, this may be obvious from the output of your script, > but in case it's not... we do not have DHCP server running on > our DCs, nor do we have any sort of dynamic dhcp setup. It's > just Samba and BIND (and kerberos, and ntp...). > > > > Thank you! > > Matthew > > > > > > > > > > From: Matthew Delfino via samba <samba at lists.samba.org> > > To: L.P.H. van Belle <belle at bazuin.nl>, > "samba at lists.samba.org" <samba at lists.samba.org> > > Sent: 6/20/2019 1:00 PM > > Subject: Re: [Samba] DLZ Backend DNS Hosed > > > > Nice shell script, Louis. Here are the results: > > > > > > > > Collected config --- 2019-06-20-12:46 ----------- > > > > > > Hostname: umbriel > > DNS Domain: samdom.mycompany.net > > FQDN: umbriel.samdom.mycompany.net > > ipaddress: 192.168.3.203 > > > > > > ----------- > > > > > > Samba is running as an AD DC > > > > > > ----------- > > Checking file: /etc/os-release > > > > > > NAME="Ubuntu" > > VERSION="16.04.6 LTS (Xenial Xerus)" > > ID=ubuntu > > ID_LIKE=debian > > PRETTY_NAME="Ubuntu 16.04.6 LTS" > > VERSION_ID="16.04" > > HOME_URL="http://www.ubuntu.com/" > > SUPPORT_URL="http://help.ubuntu.com/" > > BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" > > VERSION_CODENAME=xenial > > UBUNTU_CODENAME=xenial > > > > > > ----------- > > > > > > > > > > This computer is running Ubuntu 16.04.6 LTS x86_64 > > > > > > ----------- > > running command : ip a > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state > UNKNOWN group default qlen 1 > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > inet 127.0.0.1/8 scope host lo > > inet6 ::1/128 scope host > > 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > pfifo_fast state UP group default qlen 1000 > > link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff > > inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32 > > inet6 fe80::250:56ff:fea5:50b3/64 scope link > > > > > > ----------- > > Checking file: /etc/hosts > > > > > > 127.0.0.1 localhost > > 192.168.3.203 umbriel.samdom.mycompany.net umbriel > > > > > > # The following lines are desirable for IPv6 capable hosts > > ::1 localhost ip6-localhost ip6-loopback > > ff02::1 ip6-allnodes > > ff02::2 ip6-allrouters > > > > > > ----------- > > > > > > Checking file: /etc/resolv.conf > > > > > > # Dynamic resolv.conf(5) file for glibc resolver(3) > generated by resolvconf(8) > > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE > OVERWRITTEN > > nameserver 192.168.3.201 > > nameserver 192.168.3.202 > > search samdom.mycompany.net mycompany.net mycompany.com > > > > > > ----------- > > > > > > Checking file: /etc/krb5.conf > > > > > > [logging] > > default = FILE:/var/log/krb5libs.log > > kdc = FILE:/var/log/krb5kdc.log > > admin_server = FILE:/var/log/kadmin.log > > > > > > [libdefaults] > > default_realm = SAMDOM.MYCOMPANY.NET > > dns_lookup_realm = false > > dns_lookup_kdc = true > > ticket_lifetime = 24h > > renew_lifetime = 7d > > forwardable = true > > > > > > ----------- > > > > > > Checking file: /etc/nsswitch.conf > > > > > > # /etc/nsswitch.conf > > # > > # Example configuration of GNU Name Service Switch functionality. > > # If you have the `glibc-doc-reference' and `info' packages > installed, try: > > # `info libc "Name Service Switch"' for information about this file. > > > > > > passwd: compat > > group: compat > > shadow: compat > > gshadow: files > > > > > > hosts: files dns > > networks: files > > > > > > protocols: db files > > services: db files > > ethers: db files > > rpc: db files > > > > > > netgroup: nis > > > > > > ----------- > > > > > > Checking file: /etc/samba/smb.conf > > > > > > # Global parameters > > [global] > > netbios name = UMBRIEL > > realm = SAMDOM.MYCOMPANY.NET > > server role = active directory domain controller > > #server services = -dns > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc, dnsupdate > > workgroup = SAMDOM > > idmap_ldb:use rfc2307 = yes > > #dns forwarder = 8.8.4.4 > > #dns forwarder = 8.8.8.8 > > allow dns updates = disabled > > dsdb:schema update allowed = true > > printcap name = /dev/null > > load printers = no > > printing = bsd > > ldap server require strong auth = no > > ldap ssl = start tls > > tls enabled = yes > > tls keyfile = tls/myKey.pem > > tls certfile = tls/umbriel_samdom_mycompany_net.pem > > tls cafile = tls/umbriel_samdom_mycompany_net.ca-bundle.pem > > #log file = /var/log/samba/%a.%M.log > > max log size = 2048 > > log level = 1 auth_audit:3 > > apply group policies = yes > > mdns name = mdns > > > > > > [netlogon] > > path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts > > read only = No > > > > > > [sysvol] > > path = /var/lib/samba/sysvol > > read only = No > > > > > > ----------- > > > > > > Detected bind DLZ enabled.. > > Checking file: /etc/bind/named.conf > > > > > > // This is the primary configuration file for the BIND DNS > server named. > > // > > // Please read /usr/share/doc/bind9/README.Debian.gz for > information on the > > // structure of BIND configuration files in Debian, > *BEFORE* you customize > > // this configuration file. > > // > > // If you are just adding zones, please do that in > /etc/bind/named.conf.local > > > > > > include "/etc/bind/named.conf.options"; > > include "/etc/bind/named.conf.local"; > > include "/etc/bind/named.conf.default-zones"; > > include "/var/lib/samba/bind-dns/named.conf"; > > > > > > ----------- > > > > > > Checking file: /etc/bind/named.conf.options > > > > > > options { > > > > > > auth-nxdomain yes; > > directory "/var/cache/bind"; > > dnssec-validation auto; > > empty-zones-enable no; > > managed-keys-directory "/var/cache/bind/"; > > notify yes; // Not recommended. > > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; > // For Dynamic DNS > > > > > > allow-query { > > any; > > }; > > > > > > allow-recursion { > > any; > > }; > > > > allow-transfer { > > 192.168.3.47; // DNS2 > > 192.168.3.48; // DNS1 > > 192.168.5.47; // Opal > > 192.168.5.48; // Pyrite > > 192.168.0.8; // DNS3 > > 192.168.0.9; // DNS4 > > }; > > > > > > also-notify { > > 192.168.3.47; // DNS2 > > 192.168.3.48; // DNS1 > > 192.168.5.47; // Opal > > 192.168.5.48; // Pyrite > > 192.168.0.8; // DNS3 > > 192.168.0.9; // DNS4 > > }; > > > > > > allow-notify { > > 192.168.3.47; // DNS2 > > 192.168.3.48; // DNS1 > > 192.168.5.47; // Opal > > 192.168.5.48; // Pyrite > > 192.168.0.8; // DNS3 > > 192.168.0.9; // DNS4 > > }; > > > > > > forwarders { > > 9.9.9.9; > > 1.1.1.1; > > 8.8.8.8; > > 8.8.4.4; > > }; > > }; > > > > > > ----------- > > > > > > Checking file: /etc/bind/named.conf.local > > > > > > // > > // Do any local configuration here > > // > > > > > > // Consider adding the 1918 zones here, if they are not used in your > > // organization > > //include "/etc/bind/zones.rfc1918"; > > > > > > ----------- > > > > > > Checking file: /etc/bind/named.conf.default-zones > > > > > > // prime the server with knowledge of the root servers > > zone "." { > > type hint; > > file "/etc/bind/db.root"; > > }; > > > > > > // be authoritative for the localhost forward and reverse > zones, and for > > // broadcast zones as per RFC 1912 > > > > > > zone "localhost" { > > type master; > > file "/etc/bind/db.local"; > > }; > > > > > > zone "7.in-addr.arpa" { > > type master; > > file "/etc/bind/db.127"; > > }; > > > > > > zone "0.in-addr.arpa" { > > type master; > > file "/etc/bind/db.0"; > > }; > > > > > > zone "255.in-addr.arpa" { > > type master; > > file "/etc/bind/db.255"; > > }; > > > > > > ----------- > > > > > > Samba DNS zone list: 10 zone(s) found > > > > > > pszZoneName : mycompany.com > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : 7.168.192.in-addr.arpa > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : 3.168.192.in-addr.arpa > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : 2.168.192.in-addr.arpa > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : 11.168.192.in-addr.arpa > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : mycompany.loc > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : samdom.mycompany.net > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : 5.168.192.in-addr.arpa > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : mycompany.net > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > > > > pszZoneName : _msdcs.samdom.mycompany.net > > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ZoneType : DNS_ZONE_TYPE_PRIMARY > > Version : 50 > > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED > > pszDpFqdn : ForestDnsZones.samdom.mycompany.net > > > > > > Samba DNS zone list Automated check : > > zone : mycompany.com ok, no Bind flat-files found > > ----------- > > zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : mycompany.loc ok, no Bind flat-files found > > ----------- > > zone : samdom.mycompany.net ok, no Bind flat-files found > > ----------- > > zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : mycompany.net ok, no Bind flat-files found > > ----------- > > zone : _msdcs.samdom.mycompany.net ok, no Bind flat-files found > > ----------- > > > > > > Installed packages: > > ii acl 2.2.52-3 > amd64 Access control list utilities > > ii attr 1:2.4.47-2 > amd64 Utilities for > manipulating filesystem extended attributes > > hi bind9 > 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 > Internet Domain Name Server > > ii bind9-doc > 1:9.10.3.dfsg.P4-8ubuntu1.14 all > Documentation for BIND > > ii bind9-host > 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 > Version of 'host' bundled with BIND 9.X > > ii bind9utils > 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 > Utilities for BIND > > ii krb5-config 2.3 > all Configuration files for > Kerberos Version 5 > > ii krb5-locales > 1.13.2+dfsg-5ubuntu2.1 all > Internationalization support for MIT Kerberos > > ii krb5-multidev > 1.13.2+dfsg-5ubuntu2.1 amd64 > Development files for MIT Kerberos without Heimdal conflict > > ii krb5-user > 1.13.2+dfsg-5ubuntu2.1 amd64 Basic > programs to authenticate using MIT Kerberos > > ii libacl1:amd64 2.2.52-3 > amd64 Access control list > shared library > > ii libacl1-dev 2.2.52-3 > amd64 Access control list > static libraries and headers > > ii libattr1:amd64 1:2.4.47-2 > amd64 Extended attribute > shared library > > ii libattr1-dev:amd64 1:2.4.47-2 > amd64 Extended attribute > static libraries and headers > > ii libbind9-140:amd64 > 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 BIND9 > Shared Library used by BIND > > ii libgssapi-krb5-2:amd64 > 1.13.2+dfsg-5ubuntu2.1 amd64 MIT > Kerberos runtime libraries - krb5 GSS-API Mechanism > > ii libkrb5-26-heimdal:amd64 > 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 > Heimdal Kerberos - libraries > > ii libkrb5-3:amd64 > 1.13.2+dfsg-5ubuntu2.1 amd64 MIT > Kerberos runtime libraries > > ii libkrb5-dev > 1.13.2+dfsg-5ubuntu2.1 amd64 > Headers and development libraries for MIT Kerberos > > ii libkrb5support0:amd64 > 1.13.2+dfsg-5ubuntu2.1 amd64 MIT > Kerberos runtime libraries - Support library > > > > > > ----------- > > > > > > > > > > From: L.P.H. van Belle via samba <samba at lists.samba.org> > > To: "samba at lists.samba.org" <samba at lists.samba.org> > > Sent: 6/19/2019 1:48 AM > > Subject: Re: [Samba] DLZ Backend DNS Hosed > > > > Hai, > > > > > > For bind, please to add this for bind if you use bind_DLZ. > > How : systemctl edit bind9, or create the file manualy and > run systemctl daemon-reload after. > > The edit command already does the reload. > > > > # /etc/systemd/system/bind9.service.d/override.conf > > [Service] > > ExecReload> > > > > > But same for you. ;-) as the other list message today. > ([Samba] Reverse DNS) > > Can you run this for me on the DC's. > > > https://raw.githubusercontent.com/thctlo/samba4/master/samba-c > ollect-debug-info.sh > > And post the output > > > > It tells me almost all i need to know to help you fix this. > > > > Greetz, > > > > Louis > > > >> -----Oorspronkelijk bericht----- > >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens > >> Matthew Delfino via samba > >> Verzonden: woensdag 19 juni 2019 5:00 > >> Aan: samba at lists.samba.org > >> Onderwerp: [Samba] DLZ Backend DNS Hosed > >> > >> > >> Hello, > >> > >> > >> I'm in trouble here with what appears to be a total meltdown > >> of my DNS on my Domain Controllers. > >> > >> > >> I only have two DCs right now and I cannot resolve anything > >> on either of them. I am on Ubuntu 16.04 with a compiled > >> version of Samba 4.10.4. > >> > >> > >> I also have a compiled version of BIND 9.10.3-P4-Ubuntu > <id:ebd72b3> > >> > >> > >> # service bind9 status > >> ??? bind9.service - BIND Domain Name Server > >> Loaded: loaded (/lib/systemd/system/bind9.service; > >> enabled; vendor preset: enabled) > >> Drop-In: /run/systemd/generator/bind9.service.d > >> ??????50-insserv.conf-$named.conf > >> Active: failed (Result: exit-code) since Tue 2019-06-18 > >> 21:14:39 CDT; 27min ago > >> Docs: man:named(8) > >> Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, > >> status=1/FAILURE) > >> Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS > >> (code=exited, status=1/FAILURE) > >> Main PID: 28329 (code=exited, status=1/FAILURE) > >> > >> > >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting > configure > >> Jun 18 21:14:39 cordelia named[28329]: zone > >> mydomain.com/NONE: has no NS records > >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to > >> configure zone 'mydomain.com' > >> Jun 18 21:14:39 cordelia named[28329]: loading > configuration: bad zone > >> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error) > >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main > >> process exited, code=exited, status=1/FAILURE > >> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: > >> 127.0.0.1#953: connection refused > >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control > >> process exited, code=exited status=1 > >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit > >> entered failed state. > >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed > >> with result 'exit-code'. > >> > >> > >> It appears that somehow I lost my NS records for one of my > >> zones. It seems that I cannot get BIND up long enough to edit > >> anything. > >> > >> > >> I've been able to delete my non-essential zones with samba-tool: > >> > >> > >> > >> # samba-tool dns zonedelete localhost mydomain.com > >> # samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa > >> # samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa > >> # samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa > >> # samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa > >> # samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa > >> > >> > >> But now my error is "zone _msdcs.samdom.mydomain.net/NONE: > >> has no NS records" and I am real nervous to delete that zone. > >> > >> > >> Does anyone know what I can do to get my samba DC to have NS > >> records that my BIND DNS server will understand and therefore load? > >> > >> > >> > >> Thanks, > >> Matthew > >> > >> > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > ? 2019 KNOCK, inc. All rights reserved. KNOCK is a > registered trademark of KNOCK, inc. This message and any > attachments contain information, which is confidential and/or > privileged. If you are not the intended recipient, please > refrain from any disclosure, copying, distribution or use of > this information. Please be aware that such actions are > prohibited. If you have received this transmission in error, > kindly notify the sender by e-mail. Your cooperation is appreciated. > > > > -- > Denis Cardon > Tranquil IT > 12 avenue Jules Verne (Bat. A) > 44230 Saint S?bastien sur Loire (FRANCE) > tel : +33 (0) 240 975 755 > http://www.tranquil.it > > Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/ > Samba install wiki for Frenchies : https://dev.tranquil.it > WAPT, software deployment made easy : https://wapt.fr > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Louis, I appreciate your efforts with my predicament. I'm very sorry to say that your advice hasn't gotten me to a solution. After updating my /etc/network/interfaces to put my localhost IP address first (192.168.3.201, for example), saving, restarting services, rebooting, running "samba_upgradedns --dns-backend=BIND9_DLZ", saving, rebooting, etc., I still cannot add, edit or remove records from the samdom.mycompany.net zone. # samba_dnsupdate --verbose IPs: ['192.168.3.201'] Looking for DNS entry A umbriel.samdom.mycompany.net 192.168.3.201 as umbriel.samdom.mycompany.net. Looking for DNS entry NS samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net. Traceback (most recent call last): ? File "/usr/sbin/samba_dnsupdate", line 320, in check_dns_name ? ? ans = check_one_dns_name(normalised_name, d.type, d) ? File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name ? ? ans = resolver.query(name, name_type) ? File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query ? ? raise NoNameservers dns.resolver.NoNameservers During handling of the above exception, another exception occurred: Traceback (most recent call last): ? File "/usr/sbin/samba_dnsupdate", line 851, in <module> ? ? elif not check_dns_name(d): ? File "/usr/sbin/samba_dnsupdate", line 324, in check_dns_name ? ? raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name)) Exception: Unable to contact a working DNS server while looking for NS samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net. Denis, I appreciate this email you sent. Running this command results in the following: #samba-tool dns add umbriel?samdom.mycompany.net?@ NS umbriel.samdom.mycompany.net?-P ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR') ? File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run ? ? return self.run(*args, **kwargs) ? File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run ? ? raise e ? File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run ? ? 0, server, zone, name, add_rec_buf, None) It just seems that my zone "samdom.mycompany.net" is completely hosed. Rowland, I always appreciate your tireless support. You made some comments, asked some questions. Here are my responses:>>? >>? >> Able to be edited: _msdcs.samdom.mycompany.net? >> NOT able to be edited:?samdom.mycompany.net? > > I read the output of Louis's script you posted and my first thought was,? > 'why has he got dns domains that have nothing to do with AD ?'?On the subject of Samba: Advice and how-tos on the Internet focus on telling us what to do, often with only the most minimal context. It has taken me time to learn and discover how the configurations advised can work best for my environment. There are bits of configuration representing the legacy of that evolution and there you saw one.> In my opinion, you should only have the dns records for your Samba AD?> domain in AD, this should include any reverse zones.?So, do be clear, the bare minimum in my case would be: samdom.mycompany.net _msdcs.samdom.mycompany.net 3.168.192.in-addr.arpa Do you concur?>> I'm feeling lonely here.? >? >?Do you have a backup ??Of course. But I'm confident the backups don't go far enough back to get me past whatever hosed my zone. I suspect all this started with me being ignorant of the change which moved many BIND DLZ backend stuff from ../samba/private/ to ../samba/bind-dns/. We make so few changes to the DNS on the DCs that I didn't notice that bind had been unable to talk to samba for goodness knows how long. Between my first email and my second email to the list, I discovered that erroneous configuration and addressed it, which helped immensely in terms of end user experience.>?I have had something similar happen, but with the reverse zone and I? >?just deleted the zone and recreated it with samba-tool and then let the? >?records be recreated. In your case, I would be tempted to 'upgrade' to? >?the internal dns server and then 'upgrade' to the Bind9 server. This? >?should recreate all the required zones and records.?This is the only thing I have not tried and it's the one that seems to make the most sense to me. But I don't want to do it during business hours. I'll need to stick around late tonight to give it a shot (including backups before I attempt all this). I've never done a?maneuver?like that before - I will report my results in several hours.>> search samdom.mycompany.net mycompany.net mycompany.com? >?I would remove any domains that are not the Samba dns domain?Done.>> ? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate? >> ? workgroup = SAMDOM? >> ? idmap_ldb:use rfc2307 = yes? >> ? #dns forwarder = 8.8.4.4? >> ? #dns forwarder = 8.8.8.8? >> ? allow dns updates = disabled? >?Bad move, something needs to be able to upgrade your dns records.? >> ? dsdb:schema update allowed = true? >?Remove this, it is only needed to extend the schema and can be used on? >?the ldbmodify command line.?Done and done.>?Please set your dns up correctly, first remove the 3 blocks above,?> forward anything outside your Samba dns domain to another external dns? >?server and inform any other, non AD dns servers that you have, where? >?your AD domain isI removed the 3 blocks above as they are unnecessary. Forwards to external DNS servers were already there, the other DNS servers know about samdom.mycompany.net by way of glue records in db.mycompany.net like this: ;;;;;;;;;;;;;;;;;; ;; Glue Records ;; For the SAMBA Active Directory Domain Controllers ;;;;;;;;;;;;;;;;;; $ORIGIN samdom.mycompany.net. @ 86400 IN NS samdom.mycompany.net. 86400 IN NS samdom.mycompany.net. 86400 IN NS samdom.mycompany.net. cordelia.samdom.mycompany.net. IN A 192.168.3.201 hyperion.samdom.mycompany.net. IN A 192.168.3.202 umbriel.samdom.mycompany.net. IN A 192.168.3.203 Is this what you meant by "inform any other, non AD dns servers that you have, where your AD domain is?" Thanks again, there are no further comments from me below. Matthew From: L.P.H. van Belle via samba <samba at lists.samba.org> To: "samba at lists.samba.org" <samba at lists.samba.org> Sent: 6/21/2019 5:15 AM Subject: Re: [Samba] DLZ Backend DNS Hosed No, this is not needed. Solution here in this is simple. search primary.domain.tld # optional extra search domains after the primary. nameserver IP_AD-DC_OF_THIS_SERVER_FIRST nameserver IP_AD-DC_others Run : samba_upgradedns --dns-backend=BIND9_DLZ ? And your done, all needed records are fixed/updated. This goes wrong if the IP of the running server isnt the first and/or if search is setup wrong. So always keep ip of the server itself as first, yes i know about islanding dns but that wont happen If you setup correct and DONT use 127.0.0.1 because that is NOT the name of the server. Stimple trick. HOSTNAME="$(hostname -s)" PRIMARYDNSDOMAIN="$(hostname -d)" FQDN="$(hostname -f)" Netbiosname in smb.conf = echo "${HOSTNAME^^}" To be added if its not there in /etc/hosts: echo "$(hostname -i) $(hostname -f) $(hostname -s)" ONLY one line should exist for the hostname add any alias as CNAME in the dns. Resolv.conf : echo "nameserver $(hostname -i)" Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Denis Cardon via samba > Verzonden: vrijdag 21 juni 2019 10:30 > Aan: Matthew Delfino; samba at lists.samba.org > Onderwerp: Re: [Samba] DLZ Backend DNS Hosed > > Hi Matthew, > > > # samba-tool dns add localhost samdom.mycompany.net > samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator" > > Password for [ORBITAL\Administrator]: > > ERROR(runtime): uncaught exception - (1383, > 'WERR_INTERNAL_DB_ERROR') > > ? File > "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", > line 185, in _run > > ? ? return self.run(*args, **kwargs) > > ? File > "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run > > ? ? raise e > > ? File > "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run > > ? ? 0, server, zone, name, add_rec_buf, None) > > Like you have figured out, in more recent version of Bind-DLZ it is > required to have a NS field for it to start. Please try with the > following command line syntax to add it: > > samba-tool dns add umbriel ?samdom.mycompany.net @ NS > umbriel.samdom.mycompany.net -P > > For you DNS field update, if you get some TSIG error, you may > try to add > the DNS entries directly in the local database. > > samba_dnsupdate --verbose --use-samba-tool > > Cheers, > > Denis > > > > > > > Then, I remember my "samba_upgradedns > --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! > Unsheathed by Matthew like And?ril by Aragorn: > > > > > > > > # samba_upgradedns --dns-backend=BIND9_DLZ > > Reading domain information > > DNS accounts already exist > > No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone > > DNS records will be automatically created > > DNS partitions already exist > > dns-umbriel account already exists > > See /var/lib/samba/bind-dns/named.conf for an example > configuration include file for BIND > > and /var/lib/samba/bind-dns/named.txt for further > documentation required for secure DNS updates > > Finished upgrading DNS > > > > > > Take that, DNS problems! Right? Oh.... no... it didn't help > AT ALL. Same results on every test. > > > > > > I'm feeling lonely here. > > > > > > > > Thanks, > > Matthew > > > > > > > > ?From: ? Matthew Delfino via samba <samba at lists.samba.org> > > ?To: ? L.P.H. van Belle <belle at bazuin.nl>, > "samba at lists.samba.org" <samba at lists.samba.org> > > ?Sent: ? 6/20/2019 1:40 PM > > ?Subject: ? Re: [Samba] DLZ Backend DNS Hosed > > > > And, BTW, right now, I am able to see my problem via the > following 3 ways... > > > > 1) Through Windows DNS Manager, I cannot add, change or > delete any DNS records from: > > > > mycompany.loc > > samdom.mycompany.net > > mycompany.net > > > > I *can* add, change and delete DNS records from: > > > > _msdcs.samdom.mycompany.net > > mycompany.com > > 7.168.192.in-addr.arpa > > 5.168.192.in-addr.arpa > > 3.168.192.in-addr.arpa > > 2.168.192.in-addr.arpa > > 11.168.192.in-addr.arpa > > > > 2) Running the following command always ends with an error: > > > > # samba_dnsupdate --verbos --all-names > > IPs: ['192.168.3.203'] > > force update: A umbriel.samdom.mycompany.net 192.168.3.203 > > force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net > > force update: NS _msdcs.samdom.mycompany.net > umbriel.samdom.mycompany.net > > force update: A samdom.mycompany.net 192.168.3.203 > > force update: SRV _ldap._tcp.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV > _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs > .samdom.mycompany.net umbriel.samdom.mycompany.net 389 > > force update: SRV _kerberos._tcp.samdom.mycompany.net > umbriel.samdom.mycompany.net 88 > > force update: SRV _kerberos._udp.samdom.mycompany.net > umbriel.samdom.mycompany.net 88 > > force update: SRV > _kerberos._tcp.dc._msdcs.samdom.mycompany.net > umbriel.samdom.mycompany.net 88 > > force update: SRV _kpasswd._tcp.samdom.mycompany.net > umbriel.samdom.mycompany.net 464 > > force update: SRV _kpasswd._udp.samdom.mycompany.net > umbriel.samdom.mycompany.net 464 > > force update: CNAME > a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.n > et umbriel.samdom.mycompany.net > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net > ?umbriel.samdom.mycompany.net 389 > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.myc > ompany.net umbriel.samdom.mycompany.net 389 > > force update: SRV > _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany > .net umbriel.samdom.mycompany.net 88 > > force update: SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom > .mycompany.net umbriel.samdom.mycompany.net 88 > > force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203 > > force update: SRV _gc._tcp.samdom.mycompany.net > umbriel.samdom.mycompany.net 3268 > > force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net > umbriel.samdom.mycompany.net 3268 > > force update: SRV > _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net > umbriel.samdom.mycompany.net 3268 > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.myc > ompany.net umbriel.samdom.mycompany.net 3268 > > force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203 > > force update: SRV > _ldap._tcp.DomainDnsZones.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdo > m.mycompany.net umbriel.samdom.mycompany.net 389 > > force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203 > > force update: SRV > _ldap._tcp.ForestDnsZones.samdom.mycompany.net > umbriel.samdom.mycompany.net 389 > > force update: SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdo > m.mycompany.net umbriel.samdom.mycompany.net 389 > > 28 DNS updates and 0 DNS deletes needed > > Traceback (most recent call last): > > ? File "/usr/sbin/samba_dnsupdate", line 886, in <module> > > ? ? creds = get_credentials(lp) > > ? File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials > > ? ? get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.') > > ? File "/usr/sbin/samba_dnsupdate", line 161, in > get_krb5_rw_dns_server > > ? ? rw_dns_servers = get_possible_rw_dns_server(creds, domain) > > ? File "/usr/sbin/samba_dnsupdate", line 136, in > get_possible_rw_dns_server > > ? ? ans_soa = check_one_dns_name(domain, 'SOA') > > ? File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name > > ? ? ans = resolver.query(name, name_type) > > ? File "/usr/lib/python3/dist-packages/dns/resolver.py", > line 821, in query > > ? ? raise NoNameservers > > dns.resolver.NoNameservers > > > > 3) We have a mail server that occasionally rejects > passwords from end users. This is the problem end users see > that started the whole investigation. > > > > Also, this may be obvious from the output of your script, > but in case it's not... we do not have DHCP server running on > our DCs, nor do we have any sort of dynamic dhcp setup. It's > just Samba and BIND (and kerberos, and ntp...). > > > > Thank you! > > Matthew > > > > > > > > > > ?From: ? Matthew Delfino via samba <samba at lists.samba.org> > > ?To: ? L.P.H. van Belle <belle at bazuin.nl>, > "samba at lists.samba.org" <samba at lists.samba.org> > > ?Sent: ? 6/20/2019 1:00 PM > > ?Subject: ? Re: [Samba] DLZ Backend DNS Hosed > > > > Nice shell script, Louis. Here are the results: > > > > > > > > Collected config ?--- 2019-06-20-12:46 ----------- > > > > > > Hostname: umbriel > > DNS Domain: samdom.mycompany.net > > FQDN: umbriel.samdom.mycompany.net > > ipaddress: 192.168.3.203 > > > > > > ----------- > > > > > > Samba is running as an AD DC > > > > > > ----------- > > ? ? ? ?Checking file: /etc/os-release > > > > > > NAME="Ubuntu" > > VERSION="16.04.6 LTS (Xenial Xerus)" > > ID=ubuntu > > ID_LIKE=debian > > PRETTY_NAME="Ubuntu 16.04.6 LTS" > > VERSION_ID="16.04" > > HOME_URL="http://www.ubuntu.com/" > > SUPPORT_URL="http://help.ubuntu.com/" > > BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" > > VERSION_CODENAME=xenial > > UBUNTU_CODENAME=xenial > > > > > > ----------- > > > > > > > > > > This computer is running Ubuntu 16.04.6 LTS x86_64 > > > > > > ----------- > > running command : ip a > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state > UNKNOWN group default qlen 1 > > ? ? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > > ? ? inet 127.0.0.1/8 scope host lo > > ? ? inet6 ::1/128 scope host > > 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > pfifo_fast state UP group default qlen 1000 > > ? ? link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff > > ? ? inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32 > > ? ? inet6 fe80::250:56ff:fea5:50b3/64 scope link > > > > > > ----------- > > ? ? ? ?Checking file: /etc/hosts > > > > > > 127.0.0.1 localhost > > 192.168.3.203 umbriel.samdom.mycompany.net umbriel > > > > > > # The following lines are desirable for IPv6 capable hosts > > ::1 ? ? localhost ip6-localhost ip6-loopback > > ff02::1 ip6-allnodes > > ff02::2 ip6-allrouters > > > > > > ----------- > > > > > > ? ? ? ?Checking file: /etc/resolv.conf > > > > > > # Dynamic resolv.conf(5) file for glibc resolver(3) > generated by resolvconf(8) > > # ? ? DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE > OVERWRITTEN > > nameserver 192.168.3.201 > > nameserver 192.168.3.202 > > search samdom.mycompany.net mycompany.net mycompany.com > > > > > > ----------- > > > > > > ? ? ? ?Checking file: /etc/krb5.conf > > > > > > [logging] > > ? ? ? ? default = FILE:/var/log/krb5libs.log > > ? ? ? ? kdc = FILE:/var/log/krb5kdc.log > > ? ? ? ? admin_server = FILE:/var/log/kadmin.log > > > > > > [libdefaults] > > ? ? ? ? default_realm = SAMDOM.MYCOMPANY.NET > > ? ? ? ? dns_lookup_realm = false > > ? ? ? ? dns_lookup_kdc = true > > ? ? ? ? ticket_lifetime = 24h > > ? ? ? ? renew_lifetime = 7d > > ? ? ? ? forwardable = true > > > > > > ----------- > > > > > > ? ? ? ?Checking file: /etc/nsswitch.conf > > > > > > # /etc/nsswitch.conf > > # > > # Example configuration of GNU Name Service Switch functionality. > > # If you have the `glibc-doc-reference' and `info' packages > installed, try: > > # `info libc "Name Service Switch"' for information about this file. > > > > > > passwd: ? ? ? ? compat > > group: ? ? ? ? ?compat > > shadow: ? ? ? ? compat > > gshadow: ? ? ? ?files > > > > > > hosts: ? ? ? ? ?files dns > > networks: ? ? ? files > > > > > > protocols: ? ? ?db files > > services: ? ? ? db files > > ethers: ? ? ? ? db files > > rpc: ? ? ? ? ? ?db files > > > > > > netgroup: ? ? ? nis > > > > > > ----------- > > > > > > ? ? ? ?Checking file: /etc/samba/smb.conf > > > > > > # Global parameters > > [global] > > ?netbios name = UMBRIEL > > ?realm = SAMDOM.MYCOMPANY.NET > > ?server role = active directory domain controller > > ?#server services = -dns > > ?server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc, dnsupdate > > ?workgroup = SAMDOM > > ?idmap_ldb:use rfc2307 = yes > > ?#dns forwarder = 8.8.4.4 > > ?#dns forwarder = 8.8.8.8 > > ?allow dns updates = disabled > > ?dsdb:schema update allowed = true > > ?printcap name = /dev/null > > ?load printers = no > > ?printing = bsd > > ?ldap server require strong auth = no > > ?ldap ssl = start tls > > ?tls enabled ?= yes > > ?tls keyfile ?= tls/myKey.pem > > ?tls certfile = tls/umbriel_samdom_mycompany_net.pem > > ?tls cafile ? = tls/umbriel_samdom_mycompany_net.ca-bundle.pem > > ?#log file = /var/log/samba/%a.%M.log > > ?max log size = 2048 > > ?log level = 1 auth_audit:3 > > ?apply group policies = yes > > ?mdns name = mdns > > > > > > [netlogon] > > ?path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts > > ?read only = No > > > > > > [sysvol] > > ?path = /var/lib/samba/sysvol > > ?read only = No > > > > > > ----------- > > > > > > Detected bind DLZ enabled.. > > ? ? ? ?Checking file: /etc/bind/named.conf > > > > > > // This is the primary configuration file for the BIND DNS > server named. > > // > > // Please read /usr/share/doc/bind9/README.Debian.gz for > information on the > > // structure of BIND configuration files in Debian, > *BEFORE* you customize > > // this configuration file. > > // > > // If you are just adding zones, please do that in > /etc/bind/named.conf.local > > > > > > include "/etc/bind/named.conf.options"; > > include "/etc/bind/named.conf.local"; > > include "/etc/bind/named.conf.default-zones"; > > include "/var/lib/samba/bind-dns/named.conf"; > > > > > > ----------- > > > > > > ? ? ? ?Checking file: /etc/bind/named.conf.options > > > > > > options { > > > > > > ?auth-nxdomain yes; > > ?directory "/var/cache/bind"; > > ?dnssec-validation auto; > > ?empty-zones-enable no; > > ?managed-keys-directory "/var/cache/bind/"; > > ?notify yes; // Not recommended. > > ?tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; > // For Dynamic DNS > > > > > > ?allow-query { > > ?any; > > ?}; > > > > > > ?allow-recursion { > > ?any; > > ?}; > > > > ?allow-transfer { > > ?192.168.3.47; ? // DNS2 > > ?192.168.3.48; ? // DNS1 > > ?192.168.5.47; ? // Opal > > ?192.168.5.48; ? // Pyrite > > ?192.168.0.8; ? ?// DNS3 > > ?192.168.0.9; ? ?// DNS4 > > ?}; > > > > > > ?also-notify { > > ?192.168.3.47; ? // DNS2 > > ?192.168.3.48; ? // DNS1 > > ?192.168.5.47; ? // Opal > > ?192.168.5.48; ? // Pyrite > > ?192.168.0.8; ? ?// DNS3 > > ?192.168.0.9; ? ?// DNS4 > > ?}; > > > > > > ?allow-notify { > > ?192.168.3.47; ? // DNS2 > > ?192.168.3.48; ? // DNS1 > > ?192.168.5.47; ? // Opal > > ?192.168.5.48; ? // Pyrite > > ?192.168.0.8; ? ?// DNS3 > > ?192.168.0.9; ? ?// DNS4 > > ?}; > > > > > > ?forwarders { > > ?9.9.9.9; > > ?1.1.1.1; > > ?8.8.8.8; > > ?8.8.4.4; > > ?}; > > }; > > > > > > ----------- > > > > > > ? ? ? ?Checking file: /etc/bind/named.conf.local > > > > > > // > > // Do any local configuration here > > // > > > > > > // Consider adding the 1918 zones here, if they are not used in your > > // organization > > //include "/etc/bind/zones.rfc1918"; > > > > > > ----------- > > > > > > ? ? ? ?Checking file: /etc/bind/named.conf.default-zones > > > > > > // prime the server with knowledge of the root servers > > zone "." { > > ?type hint; > > ?file "/etc/bind/db.root"; > > }; > > > > > > // be authoritative for the localhost forward and reverse > zones, and for > > // broadcast zones as per RFC 1912 > > > > > > zone "localhost" { > > ?type master; > > ?file "/etc/bind/db.local"; > > }; > > > > > > zone "7.in-addr.arpa" { > > ?type master; > > ?file "/etc/bind/db.127"; > > }; > > > > > > zone "0.in-addr.arpa" { > > ?type master; > > ?file "/etc/bind/db.0"; > > }; > > > > > > zone "255.in-addr.arpa" { > > ?type master; > > ?file "/etc/bind/db.255"; > > }; > > > > > > ----------- > > > > > > Samba DNS zone list: ? 10 zone(s) found > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : mycompany.com > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : 7.168.192.in-addr.arpa > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : 3.168.192.in-addr.arpa > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : 2.168.192.in-addr.arpa > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : 11.168.192.in-addr.arpa > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : mycompany.loc > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : samdom.mycompany.net > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : 5.168.192.in-addr.arpa > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : mycompany.net > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : DomainDnsZones.samdom.mycompany.net > > > > > > ? pszZoneName ? ? ? ? ? ? ? ? : _msdcs.samdom.mycompany.net > > ? Flags ? ? ? ? ? ? ? ? ? ? ? : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > > ? ZoneType ? ? ? ? ? ? ? ? ? ?: DNS_ZONE_TYPE_PRIMARY > > ? Version ? ? ? ? ? ? ? ? ? ? : 50 > > ? dwDpFlags ? ? ? ? ? ? ? ? ? : DNS_DP_AUTOCREATED > DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED > > ? pszDpFqdn ? ? ? ? ? ? ? ? ? : ForestDnsZones.samdom.mycompany.net > > > > > > Samba DNS zone list Automated check : > > zone : mycompany.com ok, no Bind flat-files found > > ----------- > > zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : mycompany.loc ok, no Bind flat-files found > > ----------- > > zone : samdom.mycompany.net ok, no Bind flat-files found > > ----------- > > zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found > > ----------- > > zone : mycompany.net ok, no Bind flat-files found > > ----------- > > zone : _msdcs.samdom.mycompany.net ok, no Bind flat-files found > > ----------- > > > > > > Installed packages: > > ii ?acl ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ? ?Access control list utilities > > ii ?attr ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ? ?Utilities for > manipulating filesystem extended attributes > > hi ?bind9 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? > 1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ? > Internet Domain Name Server > > ii ?bind9-doc ? ? ? ? ? ? ? ? ? ? ? ? ? ? > 1:9.10.3.dfsg.P4-8ubuntu1.14 ? ? ? ? ? ? ? all ? ? ? ? ? > Documentation for BIND > > ii ?bind9-host ? ? ? ? ? ? ? ? ? ? ? ? ? ? > 1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ? > Version of 'host' bundled with BIND 9.X > > ii ?bind9utils ? ? ? ? ? ? ? ? ? ? ? ? ? ? > 1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ? > Utilities for BIND > > ii ?krb5-config ? ? ? ? ? ? ? ? ? ? ? ? ? 2.3 ? ? ? ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ?all ? ? ? ? ?Configuration files for > Kerberos Version 5 > > ii ?krb5-locales ? ? ? ? ? ? ? ? ? ? ? ? ? > 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? all ? ? ? ? ? > Internationalization support for MIT Kerberos > > ii ?krb5-multidev ? ? ? ? ? ? ? ? ? ? ? ? > 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ? > Development files for MIT Kerberos without Heimdal conflict > > ii ?krb5-user ? ? ? ? ? ? ? ? ? ? ? ? ? ? > 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Basic > programs to authenticate using MIT Kerberos > > ii ?libacl1:amd64 ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ? ?Access control list > shared library > > ii ?libacl1-dev ? ? ? ? ? ? ? ? ? ? ? ? ? 2.2.52-3 ? ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ? ?Access control list > static libraries and headers > > ii ?libattr1:amd64 ? ? ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ? ?Extended attribute > shared library > > ii ?libattr1-dev:amd64 ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ?amd64 ? ? ? ?Extended attribute > static libraries and headers > > ii ?libbind9-140:amd64 ? ? ? ? ? ? ? ? ? ? > 1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?BIND9 > Shared Library used by BIND > > ii ?libgssapi-krb5-2:amd64 ? ? ? ? ? ? ? ? > 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT > Kerberos runtime libraries - krb5 GSS-API Mechanism > > ii ?libkrb5-26-heimdal:amd64 ? ? ? ? ? ? ? > 1.7~git20150920+dfsg-4ubuntu1.16.04.1 ? ? ?amd64 ? ? ? ? > Heimdal Kerberos - libraries > > ii ?libkrb5-3:amd64 ? ? ? ? ? ? ? ? ? ? ? > 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT > Kerberos runtime libraries > > ii ?libkrb5-dev ? ? ? ? ? ? ? ? ? ? ? ? ? > 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ? > Headers and development libraries for MIT Kerberos > > ii ?libkrb5support0:amd64 ? ? ? ? ? ? ? ? > 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT > Kerberos runtime libraries - Support library > > > > > > ----------- > > > > > > > > > > ?From: ? L.P.H. van Belle via samba <samba at lists.samba.org> > > ?To: ? "samba at lists.samba.org" <samba at lists.samba.org> > > ?Sent: ? 6/19/2019 1:48 AM > > ?Subject: ? Re: [Samba] DLZ Backend DNS Hosed > > > > Hai, > > > > > > For bind, please to add this for bind if you use bind_DLZ. > > How : systemctl edit bind9, or create the file manualy and > run systemctl daemon-reload after. > > The edit command already does the reload. > > > > # /etc/systemd/system/bind9.service.d/override.conf > > [Service] > > ExecReload= > > > > > > But same for you. ?;-) as the other list message today. > ([Samba] Reverse DNS) > > Can you run this for me on the DC's. > > > https://raw.githubusercontent.com/thctlo/samba4/master/samba-c > ollect-debug-info.sh > > And post the output > > > > It tells me almost all i need to know to help you fix this. > > > > Greetz, > > > > Louis > > > >> -----Oorspronkelijk bericht----- > >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens > >> Matthew Delfino via samba > >> Verzonden: woensdag 19 juni 2019 5:00 > >> Aan: samba at lists.samba.org > >> Onderwerp: [Samba] DLZ Backend DNS Hosed > >> > >> > >> Hello, > >> > >> > >> I'm in trouble here with what appears to be a total meltdown > >> of my DNS on my Domain Controllers. > >> > >> > >> I only have two DCs right now and I cannot resolve anything > >> on either of them. I am on Ubuntu 16.04 with a compiled > >> version of Samba 4.10.4. > >> > >> > >> I also have a compiled version of BIND 9.10.3-P4-Ubuntu > <id:ebd72b3> > >> > >> > >> # service bind9 status > >> ??? bind9.service - BIND Domain Name Server > >> ? ?Loaded: loaded (/lib/systemd/system/bind9.service; > >> enabled; vendor preset: enabled) > >> ? Drop-In: /run/systemd/generator/bind9.service.d > >> ? ? ? ? ? ???????50-insserv.conf-$named.conf > >> ? ?Active: failed (Result: exit-code) since Tue 2019-06-18 > >> 21:14:39 CDT; 27min ago > >> ? ? ?Docs: man:named(8) > >> ? Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, > >> status=1/FAILURE) > >> ? Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS > >> (code=exited, status=1/FAILURE) > >> ?Main PID: 28329 (code=exited, status=1/FAILURE) > >> > >> > >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting > configure > >> Jun 18 21:14:39 cordelia named[28329]: zone > >> mydomain.com/NONE: has no NS records > >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to > >> configure zone 'mydomain.com' > >> Jun 18 21:14:39 cordelia named[28329]: loading > configuration: bad zone > >> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error) > >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main > >> process exited, code=exited, status=1/FAILURE > >> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: > >> 127.0.0.1#953: connection refused > >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control > >> process exited, code=exited status=1 > >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit > >> entered failed state. > >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed > >> with result 'exit-code'. > >> > >> > >> It appears that somehow I lost my NS records for one of my > >> zones. It seems that I cannot get BIND up long enough to edit > >> anything. > >> > >> > >> I've been able to delete my non-essential zones with samba-tool: > >> > >> > >> > >> ?# ?samba-tool dns zonedelete localhost mydomain.com > >> ?# ?samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa > >> ?# ?samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa > >> ?# ?samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa > >> ?# ?samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa > >> ?# ?samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa > >> > >> > >> But now my error is "zone _msdcs.samdom.mydomain.net/NONE: > >> has no NS records" and I am real nervous to delete that zone. > >> > >> > >> Does anyone know what I can do to get my samba DC to have NS > >> records that my BIND DNS server will understand and therefore load? > >> > >> > >> > >> Thanks, > >> Matthew > >> > >> > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: ?https://lists.samba.org/mailman/options/samba > > > > > > ? 2019 KNOCK, inc. All rights reserved. KNOCK is a > registered trademark of KNOCK, inc. This message and any > attachments contain information, which is confidential and/or > privileged. If you are not the intended recipient, please > refrain from any disclosure, copying, distribution or use of > this information. Please be aware that such actions are > prohibited. If you have received this transmission in error, > kindly notify the sender by e-mail. Your cooperation is appreciated. > > > > -- > Denis Cardon > Tranquil IT > 12 avenue Jules Verne (Bat. A) > 44230 Saint S?bastien sur Loire (FRANCE) > tel : +33 (0) 240 975 755 > http://www.tranquil.it > > Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/ > Samba install wiki for Frenchies : https://dev.tranquil.it > WAPT, software deployment made easy : https://wapt.fr > > -- > To unsubscribe from this list go to the following URL and read the > instructions: ?https://lists.samba.org/mailman/options/samba > >-- To unsubscribe from this list go to the following URL and read the instructions: ?https://lists.samba.org/mailman/options/samba ? 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.