I've been working on this problem for a few hours. Here are some updates:
Many of the domains I listed are duplicates of domains managed by other DNS
servers on my network. There was no point in having them in Samba AD, so I
deleted the zones in Windows DNS Manager and created slaves in my
named.conf.local folder, so that they'd pull the records from my
authoritative BIND DNS server, which runs on good old fashioned flat files (the
SOA for zones like mycompany.net and the PTR zones for all my subnets). I'm
now down to two zones:
Able to be edited: _msdcs.samdom.mycompany.net
NOT able to be edited: samdom.mycompany.net
I believe these two zones to be the bare minimum I need to have everything
working correctly.
Closer inspection shows that I have no NS records and no SOA record in the
"samdom.mycompany.net" zone.
# samba_dnsupdate --verbose
IPs: ['192.168.3.203']
Looking for DNS entry A umbriel.samdom.mycompany.net 192.168.3.203 as umbriel.samdom.mycompany.net.
Looking for DNS entry NS samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 320, in check_dns_name
    ans = check_one_dns_name(normalised_name, d.type, d)
  File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
    ans = resolver.query(name, name_type)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
    raise NoNameservers
dns.resolver.NoNameservers

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 851, in <module>
    elif not check_dns_name(d):
  File "/usr/sbin/samba_dnsupdate", line 324, in check_dns_name
    raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
Exception: Unable to contact a working DNS server while looking for NS orbital.samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net.
So, let's make those records, right? All attempts to add this info in the
Properties window of DNS Manager end in a very unfriendly message:
"Failure to write NS record <umbriel.samdom.mycompany.net.>
The local security authority database contains an internal inconsistency."
I try from samba-tool:
# samba-tool dns add localhost samdom.mycompany.net samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator"
Password for [ORBITAL\Administrator]:
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run
    raise e
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run
    0, server, zone, name, add_rec_buf, None)
Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword,
plus 7 against DNS problems! Unsheathed by Matthew like Andúril by Aragorn:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone
DNS records will be automatically created
DNS partitions already exist
dns-umbriel account already exists
See /var/lib/samba/bind-dns/named.conf for an example configuration include file
for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for
secure DNS updates
Finished upgrading DNS
Take that, DNS problems! Right? Oh.... no... it didn't help AT ALL. Same
results on every test.
I'm feeling lonely here.
Thanks,
Matthew
 From:   Matthew Delfino via samba <samba at lists.samba.org> 
 To:   L.P.H. van Belle <belle at bazuin.nl>, "samba at
lists.samba.org" <samba at lists.samba.org>
 Sent:   6/20/2019 1:40 PM 
 Subject:   Re: [Samba] DLZ Backend DNS Hosed 
And, BTW, right now, I am able to see my problem via the following 3 ways... 
 
1) Through Windows DNS Manager, I cannot add, change or delete any DNS records
from:
 
mycompany.loc 
samdom.mycompany.net 
mycompany.net 
 
I *can* add, change and delete DNS records from: 
_msdcs.samdom.mycompany.net 
mycompany.com 
7.168.192.in-addr.arpa 
5.168.192.in-addr.arpa 
3.168.192.in-addr.arpa 
2.168.192.in-addr.arpa 
11.168.192.in-addr.arpa 
 
2) Running the following command always ends with an error: 
 
# samba_dnsupdate --verbos --all-names 
IPs: ['192.168.3.203'] 
force update: A umbriel.samdom.mycompany.net 192.168.3.203 
force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net 
force update: NS _msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 
force update: A samdom.mycompany.net 192.168.3.203 
force update: SRV _ldap._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net
389
force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net
umbriel.samdom.mycompany.net 389
force update: SRV
_ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs.samdom.mycompany.net
umbriel.samdom.mycompany.net 389
force update: SRV _kerberos._tcp.samdom.mycompany.net
umbriel.samdom.mycompany.net 88
force update: SRV _kerberos._udp.samdom.mycompany.net
umbriel.samdom.mycompany.net 88
force update: SRV _kerberos._tcp.dc._msdcs.samdom.mycompany.net
umbriel.samdom.mycompany.net 88
force update: SRV _kpasswd._tcp.samdom.mycompany.net
umbriel.samdom.mycompany.net 464
force update: SRV _kpasswd._udp.samdom.mycompany.net
umbriel.samdom.mycompany.net 464
force update: CNAME
a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.net
umbriel.samdom.mycompany.net
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net
umbriel.samdom.mycompany.net 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net
umbriel.samdom.mycompany.net 389
force update: SRV
_kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany.net
umbriel.samdom.mycompany.net 88
force update: SRV
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net
umbriel.samdom.mycompany.net 88
force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203 
force update: SRV _gc._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net
3268
force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net
umbriel.samdom.mycompany.net 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net
umbriel.samdom.mycompany.net 3268
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.mycompany.net
umbriel.samdom.mycompany.net 3268
force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203 
force update: SRV _ldap._tcp.DomainDnsZones.samdom.mycompany.net
umbriel.samdom.mycompany.net 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.mycompany.net
umbriel.samdom.mycompany.net 389
force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203 
force update: SRV _ldap._tcp.ForestDnsZones.samdom.mycompany.net
umbriel.samdom.mycompany.net 389
force update: SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.mycompany.net
umbriel.samdom.mycompany.net 389
28 DNS updates and 0 DNS deletes needed 
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 886, in <module>
    creds = get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials
    get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.')
  File "/usr/sbin/samba_dnsupdate", line 161, in get_krb5_rw_dns_server
    rw_dns_servers = get_possible_rw_dns_server(creds, domain)
  File "/usr/sbin/samba_dnsupdate", line 136, in get_possible_rw_dns_server
    ans_soa = check_one_dns_name(domain, 'SOA')
  File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
    ans = resolver.query(name, name_type)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
    raise NoNameservers
dns.resolver.NoNameservers
3) We have a mail server that occasionally rejects passwords from end users.
This is the problem end users see that started the whole investigation.
Also, this may be obvious from the output of your script, but in case it's
not... we do not have DHCP server running on our DCs, nor do we have any sort of
dynamic dhcp setup. It's just Samba and BIND (and kerberos, and ntp...).
 
Thank you! 
Matthew 
 
 From:   Matthew Delfino via samba <samba at lists.samba.org>
 To:   L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org>
 Sent:   6/20/2019 1:00 PM
 Subject:   Re: [Samba] DLZ Backend DNS Hosed

Nice shell script, Louis. Here are the results:

Collected config --- 2019-06-20-12:46 -----------

Hostname: umbriel
DNS Domain: samdom.mycompany.net
FQDN: umbriel.samdom.mycompany.net
ipaddress: 192.168.3.203
  
  
-----------  
  
  
Samba is running as an AD DC  
  
  
-----------  
       Checking file: /etc/os-release
  
  
NAME="Ubuntu"  
VERSION="16.04.6 LTS (Xenial Xerus)"  
ID=ubuntu  
ID_LIKE=debian  
PRETTY_NAME="Ubuntu 16.04.6 LTS"  
VERSION_ID="16.04"  
HOME_URL="http://www.ubuntu.com/"  
SUPPORT_URL="http://help.ubuntu.com/"  
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"  
VERSION_CODENAME=xenial  
UBUNTU_CODENAME=xenial  
  
  
-----------  
  
  
  
  
This computer is running Ubuntu 16.04.6 LTS x86_64  
  
  
-----------  
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32
    inet6 fe80::250:56ff:fea5:50b3/64 scope link
  
  
-----------  
       Checking file: /etc/hosts
  
  
127.0.0.1 localhost  
192.168.3.203 umbriel.samdom.mycompany.net umbriel  
  
  
# The following lines are desirable for IPv6 capable hosts  
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes  
ff02::2 ip6-allrouters  
  
  
-----------  
  
  
       Checking file: /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.3.201  
nameserver 192.168.3.202  
search samdom.mycompany.net mycompany.net mycompany.com  
  
  
-----------  
  
  
       Checking file: /etc/krb5.conf

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

[libdefaults]
        default_realm = SAMDOM.MYCOMPANY.NET
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
  
  
-----------  
  
  
       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
  
  
-----------  
  
  
       Checking file: /etc/samba/smb.conf

# Global parameters
[global]
 netbios name = UMBRIEL
 realm = SAMDOM.MYCOMPANY.NET
 server role = active directory domain controller
 #server services = -dns
 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
 workgroup = SAMDOM
 idmap_ldb:use rfc2307 = yes
 #dns forwarder = 8.8.4.4
 #dns forwarder = 8.8.8.8
 allow dns updates = disabled
 dsdb:schema update allowed = true
 printcap name = /dev/null
 load printers = no
 printing = bsd
 ldap server require strong auth = no
 ldap ssl = start tls
 tls enabled = yes
 tls keyfile = tls/myKey.pem
 tls certfile = tls/umbriel_samdom_mycompany_net.pem
 tls cafile = tls/umbriel_samdom_mycompany_net.ca-bundle.pem
 #log file = /var/log/samba/%a.%M.log
 max log size = 2048
 log level = 1 auth_audit:3
 apply group policies = yes
 mdns name = mdns
  
  
[netlogon]  
 path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts  
 read only = No  
  
  
[sysvol]  
 path = /var/lib/samba/sysvol  
 read only = No  
  
  
-----------  
  
  
Detected bind DLZ enabled..  
       Checking file: /etc/bind/named.conf
  
  
// This is the primary configuration file for the BIND DNS server named.  
//  
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the?  
// structure of BIND configuration files in Debian, *BEFORE* you customize?  
// this configuration file.  
//  
// If you are just adding zones, please do that in /etc/bind/named.conf.local  
  
  
include "/etc/bind/named.conf.options";  
include "/etc/bind/named.conf.local";  
include "/etc/bind/named.conf.default-zones";  
include "/var/lib/samba/bind-dns/named.conf";  
  
  
-----------  
  
  
       Checking file: /etc/bind/named.conf.options

options {

 auth-nxdomain yes;
 directory "/var/cache/bind";
 dnssec-validation auto;
 empty-zones-enable no;
 managed-keys-directory "/var/cache/bind/";
 notify yes; // Not recommended.
 tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS

 allow-query {
 any;
 };

 allow-recursion {
 any;
 };

 allow-transfer {
 192.168.3.47;   // DNS2
 192.168.3.48;   // DNS1
 192.168.5.47;   // Opal
 192.168.5.48;   // Pyrite
 192.168.0.8;    // DNS3
 192.168.0.9;    // DNS4
 };

 also-notify {
 192.168.3.47;   // DNS2
 192.168.3.48;   // DNS1
 192.168.5.47;   // Opal
 192.168.5.48;   // Pyrite
 192.168.0.8;    // DNS3
 192.168.0.9;    // DNS4
 };

 allow-notify {
 192.168.3.47;   // DNS2
 192.168.3.48;   // DNS1
 192.168.5.47;   // Opal
 192.168.5.48;   // Pyrite
 192.168.0.8;    // DNS3
 192.168.0.9;    // DNS4
 };
  
  
 forwarders {  
 9.9.9.9;  
 1.1.1.1;  
 8.8.8.8;  
 8.8.4.4;  
 };  
};  
  
  
-----------  
  
  
       Checking file: /etc/bind/named.conf.local
  
  
//  
// Do any local configuration here  
//  
  
  
// Consider adding the 1918 zones here, if they are not used in your  
// organization  
//include "/etc/bind/zones.rfc1918";  
  
  
-----------  
  
  
       Checking file: /etc/bind/named.conf.default-zones
  
  
// prime the server with knowledge of the root servers  
zone "." {  
 type hint;  
 file "/etc/bind/db.root";  
};  
  
  
// be authoritative for the localhost forward and reverse zones, and for  
// broadcast zones as per RFC 1912  
  
  
zone "localhost" {  
 type master;  
 file "/etc/bind/db.local";  
};  
  
  
zone "7.in-addr.arpa" {  
 type master;  
 file "/etc/bind/db.127";  
};  
  
  
zone "0.in-addr.arpa" {  
 type master;  
 file "/etc/bind/db.0";  
};  
  
  
zone "255.in-addr.arpa" {  
 type master;  
 file "/etc/bind/db.255";  
};  
  
  
-----------  
  
  
Samba DNS zone list:   10 zone(s) found

  pszZoneName                 : mycompany.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 7.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 3.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 2.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 11.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : mycompany.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : samdom.mycompany.net
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : 5.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : mycompany.net
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net

  pszZoneName                 : _msdcs.samdom.mycompany.net
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.samdom.mycompany.net

Samba DNS zone list Automated check :
zone : mycompany.com ok, no Bind flat-files found  
-----------  
zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found  
-----------  
zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found  
-----------  
zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found  
-----------  
zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found  
-----------  
zone : mycompany.loc ok, no Bind flat-files found  
-----------  
zone : samdom.mycompany.net ok, no Bind flat-files found  
-----------  
zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found  
-----------  
zone : mycompany.net ok, no Bind flat-files found  
-----------  
zone : _msdcs.samdom.mycompany.net ok, no Bind flat-files found  
-----------  
  
  
Installed packages:  
ii  acl                       2.2.52-3                               amd64  Access control list utilities
ii  attr                      1:2.4.47-2                             amd64  Utilities for manipulating filesystem extended attributes
hi  bind9                     1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Internet Domain Name Server
ii  bind9-doc                 1:9.10.3.dfsg.P4-8ubuntu1.14           all    Documentation for BIND
ii  bind9-host                1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Version of 'host' bundled with BIND 9.X
ii  bind9utils                1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Utilities for BIND
ii  krb5-config               2.3                                    all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.13.2+dfsg-5ubuntu2.1                 all    Internationalization support for MIT Kerberos
ii  krb5-multidev             1.13.2+dfsg-5ubuntu2.1                 amd64  Development files for MIT Kerberos without Heimdal conflict
ii  krb5-user                 1.13.2+dfsg-5ubuntu2.1                 amd64  Basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.52-3                               amd64  Access control list shared library
ii  libacl1-dev               2.2.52-3                               amd64  Access control list static libraries and headers
ii  libattr1:amd64            1:2.4.47-2                             amd64  Extended attribute shared library
ii  libattr1-dev:amd64        1:2.4.47-2                             amd64  Extended attribute static libraries and headers
ii  libbind9-140:amd64        1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64    1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64  1.7~git20150920+dfsg-4ubuntu1.16.04.1  amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64           1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries
ii  libkrb5-dev               1.13.2+dfsg-5ubuntu2.1                 amd64  Headers and development libraries for MIT Kerberos
ii  libkrb5support0:amd64     1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries - Support library
  
  
-----------  
  
  
  
  
 From:   L.P.H. van Belle via samba <samba at lists.samba.org>
 To:   "samba at lists.samba.org" <samba at lists.samba.org>
 Sent:   6/19/2019 1:48 AM
 Subject:   Re: [Samba] DLZ Backend DNS Hosed

Hai,

For bind, please add this if you use bind_DLZ.
How: systemctl edit bind9, or create the file manually and run systemctl daemon-reload after.
The edit command already does the reload.

# /etc/systemd/system/bind9.service.d/override.conf
[Service]
ExecReload=

But same for you ;-) as the other list message today. ([Samba] Reverse DNS)
Can you run this for me on the DCs.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
And post the output.

It tells me almost all I need to know to help you fix this.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthew Delfino via samba
> Sent: Wednesday 19 June 2019 5:00
> To: samba at lists.samba.org
> Subject: [Samba] DLZ Backend DNS Hosed
>
> Hello,
>
> I'm in trouble here with what appears to be a total meltdown of my DNS on my Domain Controllers.
>
> I only have two DCs right now and I cannot resolve anything on either of them. I am on Ubuntu 16.04 with a compiled version of Samba 4.10.4.
>
> I also have a compiled version of BIND 9.10.3-P4-Ubuntu <id:ebd72b3>
>
> # service bind9 status
> ● bind9.service - BIND Domain Name Server
>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
>   Drop-In: /run/systemd/generator/bind9.service.d
>            └─50-insserv.conf-$named.conf
>    Active: failed (Result: exit-code) since Tue 2019-06-18 21:14:39 CDT; 27min ago
>      Docs: man:named(8)
>   Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
>   Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
>  Main PID: 28329 (code=exited, status=1/FAILURE)
>
> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure
> Jun 18 21:14:39 cordelia named[28329]: zone mydomain.com/NONE: has no NS records
> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to configure zone 'mydomain.com'
> Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone
> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error)
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: 127.0.0.1#953: connection refused
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control process exited, code=exited status=1
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit entered failed state.
> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed with result 'exit-code'.
>
> It appears that somehow I lost my NS records for one of my zones. It seems that I cannot get BIND up long enough to edit anything.
>
> I've been able to delete my non-essential zones with samba-tool:
>
>  #  samba-tool dns zonedelete localhost mydomain.com
>  #  samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa
>  #  samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa
>
> But now my error is "zone _msdcs.samdom.mydomain.net/NONE: has no NS records" and I am real nervous to delete that zone.
>
> Does anyone know what I can do to get my samba DC to have NS records that my BIND DNS server will understand and therefore load?
>
> Thanks,
> Matthew

On 20/06/2019 23:19, Matthew Delfino via samba wrote:
> I've been working on this problem for a few hours. Here are some updates:
>
> Many of the domains I listed are duplicates of domains managed by other DNS servers on my network. There was no point in having them in Samba AD, so I deleted the zones in Windows DNS Manager and created slaves in my named.conf.local folder, so that they'd pull the records from my authoritative BIND DNS server, which runs on good old fashioned flat files (the SOA for zones like mycompany.net and the PTR zones for all my subnets). I'm now down to two zones:
>
> Able to be edited: _msdcs.samdom.mycompany.net
> NOT able to be edited: samdom.mycompany.net

I read the output of Louis's script you posted and my first thought was, 'why has he got dns domains that have nothing to do with AD?' In my opinion, you should only have the dns records for your Samba AD domain in AD, this should include any reverse zones.

> I believe these two zones to be the bare minimum I need to have everything working correctly.
>
> Closer inspection shows that I have no NS records and no SOA record in the "samdom.mycompany.net" zone.
>
> # samba_dnsupdate --verbose
> [...]
> Exception: Unable to contact a working DNS server while looking for NS orbital.samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net.
>
> So, let's make those records, right? All attempts to add this info in the Properties window of DNS Manager end in a very unfriendly message:
>
> "Failure to write NS record <umbriel.samdom.mycompany.net.>
> The local security authority database contains an internal inconsistency."
>
> I try from samba-tool:
>
> # samba-tool dns add localhost samdom.mycompany.net samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator"
> Password for [ORBITAL\Administrator]:
> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
> [...]
>
> Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! Unsheathed by Matthew like Andúril by Aragorn:
>
> # samba_upgradedns --dns-backend=BIND9_DLZ
> [...]
> Finished upgrading DNS
>
> Take that, DNS problems! Right? Oh.... no... it didn't help AT ALL. Same results on every test.
>
> I'm feeling lonely here.

Do you have a backup? I have had something similar happen, but with the reverse zone and I just deleted the zone and recreated it with samba-tool and then let the records be recreated. In your case, I would be tempted to 'upgrade' to the internal dns server and then 'upgrade' to the Bind9 server. This should recreate all the required zones and records.

> -----------
>
>        Checking file: /etc/resolv.conf
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.3.201
> nameserver 192.168.3.202
> search samdom.mycompany.net mycompany.net mycompany.com

I would remove any domains that are not the Samba dns domain.

>        Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = UMBRIEL
> realm = SAMDOM.MYCOMPANY.NET
> server role = active directory domain controller
> #server services = -dns
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = SAMDOM
> idmap_ldb:use rfc2307 = yes
> #dns forwarder = 8.8.4.4
> #dns forwarder = 8.8.8.8
> allow dns updates = disabled

Bad move, something needs to be able to update your dns records.

> dsdb:schema update allowed = true

Remove this, it is only needed to extend the schema and can be used on the ldbmodify command line.

> -----------
>
> Detected bind DLZ enabled..
>        Checking file: /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/bind-dns/named.conf";
>
> -----------
>
>        Checking file: /etc/bind/named.conf.options
>
> options {
>
> auth-nxdomain yes;
> directory "/var/cache/bind";
> dnssec-validation auto;
> empty-zones-enable no;
> managed-keys-directory "/var/cache/bind/";
> notify yes; // Not recommended.
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS
>
> allow-query {
> any;
> };
>
> allow-recursion {
> any;
> };
>
> allow-transfer {
> 192.168.3.47;   // DNS2
> 192.168.3.48;   // DNS1
> 192.168.5.47;   // Opal
> 192.168.5.48;   // Pyrite
> 192.168.0.8;    // DNS3
> 192.168.0.9;    // DNS4
> };
>
> also-notify {
> 192.168.3.47;   // DNS2
> 192.168.3.48;   // DNS1
> 192.168.5.47;   // Opal
> 192.168.5.48;   // Pyrite
> 192.168.0.8;    // DNS3
> 192.168.0.9;    // DNS4
> };
>
> allow-notify {
> 192.168.3.47;   // DNS2
> 192.168.3.48;   // DNS1
> 192.168.5.47;   // Opal
> 192.168.5.48;   // Pyrite
> 192.168.0.8;    // DNS3
> 192.168.0.9;    // DNS4
> };

Please set your dns up correctly, first remove the 3 blocks above, forward anything outside your Samba dns domain to another external dns server and inform any other, non AD dns servers that you have, where your AD domain is.
?1:2.4.47-2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Extended attribute shared library > ii ?libattr1-dev:amd64 ? ? ? ? ? ? ? ? ? ?1:2.4.47-2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Extended attribute static libraries and headers > ii ?libbind9-140:amd64 ? ? ? ? ? ? ? ? ? ?1:9.10.3.dfsg.P4-8ubuntu1.12 ? ? ? ? ? ? ? amd64 ? ? ? ?BIND9 Shared Library used by BIND > ii ?libgssapi-krb5-2:amd64 ? ? ? ? ? ? ? ?1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - krb5 GSS-API Mechanism > ii ?libkrb5-26-heimdal:amd64 ? ? ? ? ? ? ?1.7~git20150920+dfsg-4ubuntu1.16.04.1 ? ? ?amd64 ? ? ? ?Heimdal Kerberos - libraries > ii ?libkrb5-3:amd64 ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries > ii ?libkrb5-dev ? ? ? ? ? ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?Headers and development libraries for MIT Kerberos > ii ?libkrb5support0:amd64 ? ? ? ? ? ? ? ? 1.13.2+dfsg-5ubuntu2.1 ? ? ? ? ? ? ? ? ? ? amd64 ? ? ? ?MIT Kerberos runtime libraries - Support library > > >Something not quite right there, you do not seem to have Samba installed. Rowland
Hi Matthew,> # samba-tool dns add localhost samdom.mycompany.net samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator" > Password for [ORBITAL\Administrator]: > ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR') > File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run > raise e > File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run > 0, server, zone, name, add_rec_buf, None)Like you have figured out, in more recent version of Bind-DLZ it is required to have a NS field for it to start. Please try with the following command line syntax to add it: samba-tool dns add umbriel samdom.mycompany.net @ NS umbriel.samdom.mycompany.net -P For you DNS field update, if you get some TSIG error, you may try to add the DNS entries directly in the local database. samba_dnsupdate --verbose --use-samba-tool Cheers, Denis> > > Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems! Unsheathed by Matthew like And?ril by Aragorn: > > > > # samba_upgradedns --dns-backend=BIND9_DLZ > Reading domain information > DNS accounts already exist > No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone > DNS records will be automatically created > DNS partitions already exist > dns-umbriel account already exists > See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND > and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates > Finished upgrading DNS > > > Take that, DNS problems! Right? Oh.... no... it didn't help AT ALL. Same results on every test. > > > I'm feeling lonely here. > > > > Thanks, > Matthew > > > > From: Matthew Delfino via samba <samba at lists.samba.org> > To: L.P.H. 
van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org> > Sent: 6/20/2019 1:40 PM > Subject: Re: [Samba] DLZ Backend DNS Hosed > > And, BTW, right now, I am able to see my problem via the following 3 ways... > > 1) Through Windows DNS Manager, I cannot add, change or delete any DNS records from: > > mycompany.loc > samdom.mycompany.net > mycompany.net > > I *can* add, change and delete DNS records from: > > _msdcs.samdom.mycompany.net > mycompany.com > 7.168.192.in-addr.arpa > 5.168.192.in-addr.arpa > 3.168.192.in-addr.arpa > 2.168.192.in-addr.arpa > 11.168.192.in-addr.arpa > > 2) Running the following command always ends with an error: > > # samba_dnsupdate --verbos --all-names > IPs: ['192.168.3.203'] > force update: A umbriel.samdom.mycompany.net 192.168.3.203 > force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net > force update: NS _msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net > force update: A samdom.mycompany.net 192.168.3.203 > force update: SRV _ldap._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _kerberos._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: SRV _kerberos._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: SRV _kerberos._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: SRV _kpasswd._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 464 > force update: SRV _kpasswd._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 464 > force update: CNAME a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 
389 > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88 > force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203 > force update: SRV _gc._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 > force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 > force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268 > force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203 > force update: SRV _ldap._tcp.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203 > force update: SRV _ldap._tcp.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389 > 28 DNS updates and 0 DNS deletes needed > Traceback (most recent call last): > File "/usr/sbin/samba_dnsupdate", line 886, in <module> > creds = get_credentials(lp) > File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials > get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.') > File "/usr/sbin/samba_dnsupdate", line 161, in get_krb5_rw_dns_server > rw_dns_servers = get_possible_rw_dns_server(creds, domain) > File "/usr/sbin/samba_dnsupdate", line 136, in get_possible_rw_dns_server > ans_soa = 
check_one_dns_name(domain, 'SOA') > File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name > ans = resolver.query(name, name_type) > File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query > raise NoNameservers > dns.resolver.NoNameservers > > 3) We have a mail server that occasionally rejects passwords from end users. This is the problem end users see that started the whole investigation. > > Also, this may be obvious from the output of your script, but in case it's not... we do not have DHCP server running on our DCs, nor do we have any sort of dynamic dhcp setup. It's just Samba and BIND (and kerberos, and ntp...). > > Thank you! > Matthew > > > > > From: Matthew Delfino via samba <samba at lists.samba.org> > To: L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org> > Sent: 6/20/2019 1:00 PM > Subject: Re: [Samba] DLZ Backend DNS Hosed > > Nice shell script, Louis. Here are the results: > > > > Collected config --- 2019-06-20-12:46 ----------- > > > Hostname: umbriel > DNS Domain: samdom.mycompany.net > FQDN: umbriel.samdom.mycompany.net > ipaddress: 192.168.3.203 > > > ----------- > > > Samba is running as an AD DC > > > ----------- > Checking file: /etc/os-release > > > NAME="Ubuntu" > VERSION="16.04.6 LTS (Xenial Xerus)" > ID=ubuntu > ID_LIKE=debian > PRETTY_NAME="Ubuntu 16.04.6 LTS" > VERSION_ID="16.04" > HOME_URL="http://www.ubuntu.com/" > SUPPORT_URL="http://help.ubuntu.com/" > BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" > VERSION_CODENAME=xenial > UBUNTU_CODENAME=xenial > > > ----------- > > > > > This computer is running Ubuntu 16.04.6 LTS x86_64 > > > ----------- > running command : ip a > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > inet6 ::1/128 scope host > 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group 
default qlen 1000 > link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff > inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32 > inet6 fe80::250:56ff:fea5:50b3/64 scope link > > > ----------- > Checking file: /etc/hosts > > > 127.0.0.1 localhost > 192.168.3.203 umbriel.samdom.mycompany.net umbriel > > > # The following lines are desirable for IPv6 capable hosts > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > > > ----------- > > > Checking file: /etc/resolv.conf > > > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN > nameserver 192.168.3.201 > nameserver 192.168.3.202 > search samdom.mycompany.net mycompany.net mycompany.com > > > ----------- > > > Checking file: /etc/krb5.conf > > > [logging] > default = FILE:/var/log/krb5libs.log > kdc = FILE:/var/log/krb5kdc.log > admin_server = FILE:/var/log/kadmin.log > > > [libdefaults] > default_realm = SAMDOM.MYCOMPANY.NET > dns_lookup_realm = false > dns_lookup_kdc = true > ticket_lifetime = 24h > renew_lifetime = 7d > forwardable = true > > > ----------- > > > Checking file: /etc/nsswitch.conf > > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. 
> > > passwd: compat > group: compat > shadow: compat > gshadow: files > > > hosts: files dns > networks: files > > > protocols: db files > services: db files > ethers: db files > rpc: db files > > > netgroup: nis > > > ----------- > > > Checking file: /etc/samba/smb.conf > > > # Global parameters > [global] > netbios name = UMBRIEL > realm = SAMDOM.MYCOMPANY.NET > server role = active directory domain controller > #server services = -dns > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > workgroup = SAMDOM > idmap_ldb:use rfc2307 = yes > #dns forwarder = 8.8.4.4 > #dns forwarder = 8.8.8.8 > allow dns updates = disabled > dsdb:schema update allowed = true > printcap name = /dev/null > load printers = no > printing = bsd > ldap server require strong auth = no > ldap ssl = start tls > tls enabled = yes > tls keyfile = tls/myKey.pem > tls certfile = tls/umbriel_samdom_mycompany_net.pem > tls cafile = tls/umbriel_samdom_mycompany_net.ca-bundle.pem > #log file = /var/log/samba/%a.%M.log > max log size = 2048 > log level = 1 auth_audit:3 > apply group policies = yes > mdns name = mdns > > > [netlogon] > path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts > read only = No > > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > ----------- > > > Detected bind DLZ enabled.. > Checking file: /etc/bind/named.conf > > > // This is the primary configuration file for the BIND DNS server named. > // > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the > // structure of BIND configuration files in Debian, *BEFORE* you customize > // this configuration file. 
> // > // If you are just adding zones, please do that in /etc/bind/named.conf.local > > > include "/etc/bind/named.conf.options"; > include "/etc/bind/named.conf.local"; > include "/etc/bind/named.conf.default-zones"; > include "/var/lib/samba/bind-dns/named.conf"; > > > ----------- > > > Checking file: /etc/bind/named.conf.options > > > options { > > > auth-nxdomain yes; > directory "/var/cache/bind"; > dnssec-validation auto; > empty-zones-enable no; > managed-keys-directory "/var/cache/bind/"; > notify yes; // Not recommended. > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS > > > allow-query { > any; > }; > > > allow-recursion { > any; > }; > > allow-transfer { > 192.168.3.47; // DNS2 > 192.168.3.48; // DNS1 > 192.168.5.47; // Opal > 192.168.5.48; // Pyrite > 192.168.0.8; // DNS3 > 192.168.0.9; // DNS4 > }; > > > also-notify { > 192.168.3.47; // DNS2 > 192.168.3.48; // DNS1 > 192.168.5.47; // Opal > 192.168.5.48; // Pyrite > 192.168.0.8; // DNS3 > 192.168.0.9; // DNS4 > }; > > > allow-notify { > 192.168.3.47; // DNS2 > 192.168.3.48; // DNS1 > 192.168.5.47; // Opal > 192.168.5.48; // Pyrite > 192.168.0.8; // DNS3 > 192.168.0.9; // DNS4 > }; > > > forwarders { > 9.9.9.9; > 1.1.1.1; > 8.8.8.8; > 8.8.4.4; > }; > }; > > > ----------- > > > Checking file: /etc/bind/named.conf.local > > > // > // Do any local configuration here > // > > > // Consider adding the 1918 zones here, if they are not used in your > // organization > //include "/etc/bind/zones.rfc1918"; > > > ----------- > > > Checking file: /etc/bind/named.conf.default-zones > > > // prime the server with knowledge of the root servers > zone "." 
{ > type hint; > file "/etc/bind/db.root"; > }; > > > // be authoritative for the localhost forward and reverse zones, and for > // broadcast zones as per RFC 1912 > > > zone "localhost" { > type master; > file "/etc/bind/db.local"; > }; > > > zone "7.in-addr.arpa" { > type master; > file "/etc/bind/db.127"; > }; > > > zone "0.in-addr.arpa" { > type master; > file "/etc/bind/db.0"; > }; > > > zone "255.in-addr.arpa" { > type master; > file "/etc/bind/db.255"; > }; > > > ----------- > > > Samba DNS zone list: 10 zone(s) found > > > pszZoneName : mycompany.com > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 7.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 3.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 2.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 11.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : mycompany.loc > Flags : DNS_RPC_ZONE_DSINTEGRATED 
DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : samdom.mycompany.net > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : 5.168.192.in-addr.arpa > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : mycompany.net > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.samdom.mycompany.net > > > pszZoneName : _msdcs.samdom.mycompany.net > Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : ForestDnsZones.samdom.mycompany.net > > > Samba DNS zone list Automated check : > zone : mycompany.com ok, no Bind flat-files found > ----------- > zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : mycompany.loc ok, no Bind flat-files found > ----------- > zone : samdom.mycompany.net ok, no Bind flat-files found > ----------- > zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found > ----------- > zone : mycompany.net ok, no Bind flat-files found > ----------- > zone : 
_msdcs.samdom.mycompany.net ok, no Bind flat-files found > ----------- > > > Installed packages: > ii acl 2.2.52-3 amd64 Access control list utilities > ii attr 1:2.4.47-2 amd64 Utilities for manipulating filesystem extended attributes > hi bind9 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 Internet Domain Name Server > ii bind9-doc 1:9.10.3.dfsg.P4-8ubuntu1.14 all Documentation for BIND > ii bind9-host 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 Version of 'host' bundled with BIND 9.X > ii bind9utils 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 Utilities for BIND > ii krb5-config 2.3 all Configuration files for Kerberos Version 5 > ii krb5-locales 1.13.2+dfsg-5ubuntu2.1 all Internationalization support for MIT Kerberos > ii krb5-multidev 1.13.2+dfsg-5ubuntu2.1 amd64 Development files for MIT Kerberos without Heimdal conflict > ii krb5-user 1.13.2+dfsg-5ubuntu2.1 amd64 Basic programs to authenticate using MIT Kerberos > ii libacl1:amd64 2.2.52-3 amd64 Access control list shared library > ii libacl1-dev 2.2.52-3 amd64 Access control list static libraries and headers > ii libattr1:amd64 1:2.4.47-2 amd64 Extended attribute shared library > ii libattr1-dev:amd64 1:2.4.47-2 amd64 Extended attribute static libraries and headers > ii libbind9-140:amd64 1:9.10.3.dfsg.P4-8ubuntu1.12 amd64 BIND9 Shared Library used by BIND > ii libgssapi-krb5-2:amd64 1.13.2+dfsg-5ubuntu2.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism > ii libkrb5-26-heimdal:amd64 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 Heimdal Kerberos - libraries > ii libkrb5-3:amd64 1.13.2+dfsg-5ubuntu2.1 amd64 MIT Kerberos runtime libraries > ii libkrb5-dev 1.13.2+dfsg-5ubuntu2.1 amd64 Headers and development libraries for MIT Kerberos > ii libkrb5support0:amd64 1.13.2+dfsg-5ubuntu2.1 amd64 MIT Kerberos runtime libraries - Support library > > > ----------- > > > > > From: L.P.H. 
van Belle via samba <samba at lists.samba.org> > To: "samba at lists.samba.org" <samba at lists.samba.org> > Sent: 6/19/2019 1:48 AM > Subject: Re: [Samba] DLZ Backend DNS Hosed > > Hai, > > > For bind, please to add this for bind if you use bind_DLZ. > How : systemctl edit bind9, or create the file manualy and run systemctl daemon-reload after. > The edit command already does the reload. > > # /etc/systemd/system/bind9.service.d/override.conf > [Service] > ExecReload> > > But same for you. ;-) as the other list message today. ([Samba] Reverse DNS) > Can you run this for me on the DC's. > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh > And post the output > > It tells me almost all i need to know to help you fix this. > > Greetz, > > Louis > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >> Matthew Delfino via samba >> Verzonden: woensdag 19 juni 2019 5:00 >> Aan: samba at lists.samba.org >> Onderwerp: [Samba] DLZ Backend DNS Hosed >> >> >> Hello, >> >> >> I'm in trouble here with what appears to be a total meltdown >> of my DNS on my Domain Controllers. >> >> >> I only have two DCs right now and I cannot resolve anything >> on either of them. I am on Ubuntu 16.04 with a compiled >> version of Samba 4.10.4. >> >> >> I also have a compiled version of BIND 9.10.3-P4-Ubuntu <id:ebd72b3> >> >> >> # service bind9 status >> ??? 
bind9.service - BIND Domain Name Server >> Loaded: loaded (/lib/systemd/system/bind9.service; >> enabled; vendor preset: enabled) >> Drop-In: /run/systemd/generator/bind9.service.d >> ??????50-insserv.conf-$named.conf >> Active: failed (Result: exit-code) since Tue 2019-06-18 >> 21:14:39 CDT; 27min ago >> Docs: man:named(8) >> Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, >> status=1/FAILURE) >> Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS >> (code=exited, status=1/FAILURE) >> Main PID: 28329 (code=exited, status=1/FAILURE) >> >> >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure >> Jun 18 21:14:39 cordelia named[28329]: zone >> mydomain.com/NONE: has no NS records >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to >> configure zone 'mydomain.com' >> Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone >> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error) >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main >> process exited, code=exited, status=1/FAILURE >> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: >> 127.0.0.1#953: connection refused >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control >> process exited, code=exited status=1 >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit >> entered failed state. >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed >> with result 'exit-code'. >> >> >> It appears that somehow I lost my NS records for one of my >> zones. It seems that I cannot get BIND up long enough to edit >> anything. 
>> >> >> I've been able to delete my non-essential zones with samba-tool: >> >> >> >> # samba-tool dns zonedelete localhost mydomain.com >> # samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa >> # samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa >> # samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa >> # samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa >> # samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa >> >> >> But now my error is "zone _msdcs.samdom.mydomain.net/NONE: >> has no NS records" and I am real nervous to delete that zone. >> >> >> Does anyone know what I can do to get my samba DC to have NS >> records that my BIND DNS server will understand and therefore load? >> >> >> >> Thanks, >> Matthew >> >> > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > ? 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated. >-- Denis Cardon Tranquil IT 12 avenue Jules Verne (Bat. A) 44230 Saint S?bastien sur Loire (FRANCE) tel : +33 (0) 240 975 755 http://www.tranquil.it Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/ Samba install wiki for Frenchies : https://dev.tranquil.it WAPT, software deployment made easy : https://wapt.fr
No, this is not needed. 
The solution here is simple.
search primary.domain.tld # optional extra search domains after the primary. 
nameserver IP_AD-DC_OF_THIS_SERVER_FIRST
nameserver IP_AD-DC_others
Run : samba_upgradedns --dns-backend=BIND9_DLZ  
And you're done, all needed records are fixed/updated.
This goes wrong if the IP of the running server isn't the first and/or if search
is set up wrong.
So always keep the IP of the server itself as first. Yes, I know about islanding DNS,
but that won't happen if you set it up correctly and DON'T use 127.0.0.1, because
that is NOT the name of the server.
Simple trick.
HOSTNAME="$(hostname -s)"
PRIMARYDNSDOMAIN="$(hostname -d)"
FQDN="$(hostname -f)"
Netbiosname in smb.conf = echo "${HOSTNAME^^}"
To be added if its not there in /etc/hosts: 
echo "$(hostname -i) $(hostname -f) $(hostname -s)"
ONLY one line should exist for the hostname; add any alias as a CNAME in the DNS.
Resolv.conf : 
echo "nameserver $(hostname -i)"
Greetz, 
Louis
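Added here as an example, not code from the thread: a POSIX sh pre-flight check for the rules Louis gives above (the DC's own IP first in resolv.conf and never 127.0.0.1, the AD DNS domain first in search, exactly one /etc/hosts line for the host, the NetBIOS name derived from the short hostname) plus Rowland's point about extra search domains. The sample file contents are constructed from the values in Matthew's debug output, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). The checks take file contents as
# arguments so they can run offline against the constructed samples below
# and, with --live, against the real files on a DC.

# Constructed sample: the resolv.conf from Matthew's debug output. umbriel is
# 192.168.3.203, yet it asks .201/.202 first and carries two extra domains.
RESOLV_BROKEN='# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 192.168.3.201
nameserver 192.168.3.202
search samdom.mycompany.net mycompany.net mycompany.com'

# Constructed sample: what Louis asks for on umbriel.
RESOLV_FIXED='search samdom.mycompany.net
nameserver 192.168.3.203
nameserver 192.168.3.201'

# Constructed sample /etc/hosts with the single "IP FQDN SHORT" line.
HOSTS_OK='127.0.0.1 localhost
192.168.3.203 umbriel.samdom.mycompany.net umbriel
::1 localhost ip6-localhost ip6-loopback'

# Constructed sample with a second line for the same host (an alias that
# belongs in DNS as a CNAME instead).
HOSTS_DUP='127.0.0.1 localhost
192.168.3.203 umbriel.samdom.mycompany.net umbriel
192.168.3.203 files.samdom.mycompany.net umbriel'

# check_resolv_conf CONTENTS DC_IP DNS_DOMAIN
# 0 when the first nameserver is DC_IP and the first search domain is
# DNS_DOMAIN; extra search domains only produce a warning.
check_resolv_conf() {
    first_ns=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    first_search=$(printf '%s\n' "$1" | awk '$1 == "search" { print $2; exit }')
    extra=$(printf '%s\n' "$1" | awk '$1 == "search" { for (i = 3; i <= NF; i++) printf "%s ", $i; exit }')
    if [ "$first_ns" = "127.0.0.1" ]; then
        echo "resolv.conf: first nameserver is 127.0.0.1, use the DC's own IP $2" >&2
        return 1
    fi
    if [ "$first_ns" != "$2" ]; then
        echo "resolv.conf: first nameserver is '${first_ns:-none}', expected $2" >&2
        return 1
    fi
    if [ "$first_search" != "$3" ]; then
        echo "resolv.conf: first search domain is '${first_search:-none}', expected $3" >&2
        return 1
    fi
    [ -n "$extra" ] && echo "resolv.conf: extra search domains ($extra) are not the Samba DNS domain" >&2
    return 0
}

# check_hosts CONTENTS IP FQDN SHORT
# 0 when exactly one non-comment line names this host and it reads "IP FQDN SHORT".
check_hosts() {
    lines=$(printf '%s\n' "$1" | awk -v f="$3" -v s="$4" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == f || $i == s) { n++; next } }
        END { print n + 0 }')
    if [ "$lines" -ne 1 ]; then
        echo "hosts: expected exactly one line for $4, found $lines (aliases belong in DNS as CNAMEs)" >&2
        return 1
    fi
    printf '%s\n' "$1" | awk -v ip="$2" -v f="$3" -v s="$4" \
        'NF == 3 && $1 == ip && $2 == f && $3 == s { ok = 1 } END { exit ok ? 0 : 1 }' \
        || { echo "hosts: line for $4 must read \"$2 $3 $4\"" >&2; return 1; }
}

# netbios_name SHORT: upper-case with tr, since ${var^^} is bash-only.
netbios_name() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# check_smb_conf CONTENTS SHORT: 0 when "netbios name" equals netbios_name SHORT.
check_smb_conf() {
    want=$(netbios_name "$2")
    have=$(printf '%s\n' "$1" | awk -F= '$1 ~ /^[[:space:]]*netbios name[[:space:]]*$/ { gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit }')
    [ "$have" = "$want" ] || { echo "smb.conf: netbios name is '$have', expected $want" >&2; return 1; }
}

# run_live: the same checks against this machine, the way Louis's one-liners do.
run_live() {
    short=$(hostname -s); fqdn=$(hostname -f); ip=$(hostname -i | awk '{ print $1 }')
    check_resolv_conf "$(cat /etc/resolv.conf)" "$ip" "$(hostname -d)" &&
    check_hosts "$(cat /etc/hosts)" "$ip" "$fqdn" "$short" &&
    check_smb_conf "$(cat /etc/samba/smb.conf)" "$short"
}

if [ "${1:-}" = "--live" ]; then
    run_live
else
    check_resolv_conf "$RESOLV_FIXED" 192.168.3.203 samdom.mycompany.net && echo "fixed resolv.conf: ok"
    check_resolv_conf "$RESOLV_BROKEN" 192.168.3.203 samdom.mycompany.net || echo "thread's resolv.conf: rejected"
    check_hosts "$HOSTS_OK" 192.168.3.203 umbriel.samdom.mycompany.net umbriel && echo "hosts: ok"
    check_hosts "$HOSTS_DUP" 192.168.3.203 umbriel.samdom.mycompany.net umbriel || echo "duplicate hosts line: rejected"
fi
```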
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Denis Cardon via samba
> Sent: Friday 21 June 2019 10:30
> To: Matthew Delfino; samba at lists.samba.org
> Subject: Re: [Samba] DLZ Backend DNS Hosed
> 
> Hi Matthew,
> 
> > # samba-tool dns add localhost samdom.mycompany.net samdom.mycompany.net NS umbriel.samdom.mycompany.net -U"Administrator"
> > Password for [ORBITAL\Administrator]:
> > ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run
> >     raise e
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run
> >     0, server, zone, name, add_rec_buf, None)
> 
> Like you have figured out, in more recent versions of Bind-DLZ it is 
> required to have a NS field for it to start. Please try with the 
> following command line syntax to add it:
> 
> samba-tool dns add umbriel samdom.mycompany.net @ NS umbriel.samdom.mycompany.net -P
> 
> For your DNS field update, if you get some TSIG error, you may try to add 
> the DNS entries directly in the local database.
> 
> samba_dnsupdate --verbose --use-samba-tool
> 
> Cheers,
> 
> Denis
> 
> >
> >
> > Then, I remember my "samba_upgradedns --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems!
> > Unsheathed by Matthew like Andúril by Aragorn:
> >
> >
> >
> > # samba_upgradedns --dns-backend=BIND9_DLZ
> > Reading domain information
> > DNS accounts already exist
> > No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone
> > DNS records will be automatically created
> > DNS partitions already exist
> > dns-umbriel account already exists
> > See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
> > and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
> > Finished upgrading DNS
> >
> >
> > Take that, DNS problems! Right? Oh.... no... it didn't help 
> AT ALL. Same results on every test.
> >
> >
> > I'm feeling lonely here.
> >
> >
> >
> > Thanks,
> > Matthew
> >
> >
> >
> >  From:   Matthew Delfino via samba <samba at lists.samba.org>
> >  To:   L.P.H. van Belle <belle at bazuin.nl>, 
> "samba at lists.samba.org" <samba at lists.samba.org>
> >  Sent:   6/20/2019 1:40 PM
> >  Subject:   Re: [Samba] DLZ Backend DNS Hosed
> >
> > And, BTW, right now, I am able to see my problem via the following 3 ways...
> >
> > 1) Through Windows DNS Manager, I cannot add, change or delete any DNS records from:
> >
> > mycompany.loc
> > samdom.mycompany.net
> > mycompany.net
> >
> > I *can* add, change and delete DNS records from:
> >
> > _msdcs.samdom.mycompany.net
> > mycompany.com
> > 7.168.192.in-addr.arpa
> > 5.168.192.in-addr.arpa
> > 3.168.192.in-addr.arpa
> > 2.168.192.in-addr.arpa
> > 11.168.192.in-addr.arpa
> >
> > 2) Running the following command always ends with an error:
> >
> > # samba_dnsupdate --verbos --all-names
> > IPs: ['192.168.3.203']
> > force update: A umbriel.samdom.mycompany.net 192.168.3.203
> > force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net
> > force update: NS _msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net
> > force update: A samdom.mycompany.net 192.168.3.203
> > force update: SRV _ldap._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > force update: SRV _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > force update: SRV _kerberos._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 88
> > force update: SRV _kerberos._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 88
> > force update: SRV _kerberos._tcp.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88
> > force update: SRV _kpasswd._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 464
> > force update: SRV _kpasswd._udp.samdom.mycompany.net umbriel.samdom.mycompany.net 464
> > force update: CNAME a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net
> > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 88
> > force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 88
> > force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203
> > force update: SRV _gc._tcp.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
> > force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
> > force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
> > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.mycompany.net umbriel.samdom.mycompany.net 3268
> > force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203
> > force update: SRV _ldap._tcp.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203
> > force update: SRV _ldap._tcp.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.mycompany.net umbriel.samdom.mycompany.net 389
> > 28 DNS updates and 0 DNS deletes needed
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba_dnsupdate", line 886, in <module>
> >     creds = get_credentials(lp)
> >   File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials
> >     get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.')
> >   File "/usr/sbin/samba_dnsupdate", line 161, in get_krb5_rw_dns_server
> >     rw_dns_servers = get_possible_rw_dns_server(creds, domain)
> >   File "/usr/sbin/samba_dnsupdate", line 136, in get_possible_rw_dns_server
> >     ans_soa = check_one_dns_name(domain, 'SOA')
> >   File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
> >     ans = resolver.query(name, name_type)
> >   File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
> >     raise NoNameservers
> > dns.resolver.NoNameservers
> >
> > 3) We have a mail server that occasionally rejects passwords from end users. This is the problem end users see that started the whole investigation.
> >
> > Also, this may be obvious from the output of your script, but in case it's not... we do not have a DHCP server running on our DCs, nor do we have any sort of dynamic DHCP setup. It's just Samba and BIND (and Kerberos, and NTP...).
> >
> > Thank you!
> > Matthew
> >
> >
> >
> >
> >  From:   Matthew Delfino via samba <samba at lists.samba.org>
> >  To:   L.P.H. van Belle <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org>
> >  Sent:   6/20/2019 1:00 PM
> >  Subject:   Re: [Samba] DLZ Backend DNS Hosed
> >
> > Nice shell script, Louis. Here are the results:
> >
> >
> >
> > Collected config  --- 2019-06-20-12:46 -----------
> >
> >
> > Hostname: umbriel
> > DNS Domain: samdom.mycompany.net
> > FQDN: umbriel.samdom.mycompany.net
> > ipaddress: 192.168.3.203
> >
> >
> > -----------
> >
> >
> > Samba is running as an AD DC
> >
> >
> > -----------
> >        Checking file: /etc/os-release
> >
> >
> > NAME="Ubuntu"
> > VERSION="16.04.6 LTS (Xenial Xerus)"
> > ID=ubuntu
> > ID_LIKE=debian
> > PRETTY_NAME="Ubuntu 16.04.6 LTS"
> > VERSION_ID="16.04"
> > HOME_URL="http://www.ubuntu.com/"
> > SUPPORT_URL="http://help.ubuntu.com/"
> > BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
> > VERSION_CODENAME=xenial
> > UBUNTU_CODENAME=xenial
> >
> >
> > -----------
> >
> >
> >
> >
> > This computer is running Ubuntu 16.04.6 LTS x86_64
> >
> >
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >     inet6 ::1/128 scope host
> > 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> >     link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32
> >     inet6 fe80::250:56ff:fea5:50b3/64 scope link
> >
> >
> > -----------
> >        Checking file: /etc/hosts
> >
> >
> > 127.0.0.1 localhost
> > 192.168.3.203 umbriel.samdom.mycompany.net umbriel
> >
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
> >
> > -----------
> >
> >
> >        Checking file: /etc/resolv.conf
> >
> >
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > nameserver 192.168.3.201
> > nameserver 192.168.3.202
> > search samdom.mycompany.net mycompany.net mycompany.com
> >
> >
> > -----------
> >
> >
> >        Checking file: /etc/krb5.conf
> >
> >
> > [logging]
> >         default = FILE:/var/log/krb5libs.log
> >         kdc = FILE:/var/log/krb5kdc.log
> >         admin_server = FILE:/var/log/kadmin.log
> >
> >
> > [libdefaults]
> >         default_realm = SAMDOM.MYCOMPANY.NET
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >         ticket_lifetime = 24h
> >         renew_lifetime = 7d
> >         forwardable = true
> >
> >
> > -----------
> >
> >
> >        Checking file: /etc/nsswitch.conf
> >
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> >
> > passwd:         compat
> > group:          compat
> > shadow:         compat
> > gshadow:        files
> >
> >
> > hosts:          files dns
> > networks:       files
> >
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> >
> > netgroup:       nis
> >
> >
> > -----------
> >
> >
> >        Checking file: /etc/samba/smb.conf
> >
> >
> > # Global parameters
> > [global]
> >  netbios name = UMBRIEL
> >  realm = SAMDOM.MYCOMPANY.NET
> >  server role = active directory domain controller
> >  #server services = -dns
> >  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >  workgroup = SAMDOM
> >  idmap_ldb:use rfc2307 = yes
> >  #dns forwarder = 8.8.4.4
> >  #dns forwarder = 8.8.8.8
> >  allow dns updates = disabled
> >  dsdb:schema update allowed = true
> >  printcap name = /dev/null
> >  load printers = no
> >  printing = bsd
> >  ldap server require strong auth = no
> >  ldap ssl = start tls
> >  tls enabled  = yes
> >  tls keyfile  = tls/myKey.pem
> >  tls certfile = tls/umbriel_samdom_mycompany_net.pem
> >  tls cafile   = tls/umbriel_samdom_mycompany_net.ca-bundle.pem
> >  #log file = /var/log/samba/%a.%M.log
> >  max log size = 2048
> >  log level = 1 auth_audit:3
> >  apply group policies = yes
> >  mdns name = mdns
> >
> >
> > [netlogon]
> >  path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts
> >  read only = No
> >
> >
> > [sysvol]
> >  path = /var/lib/samba/sysvol
> >  read only = No
> >
> >
> > -----------
> >
> >
> > Detected bind DLZ enabled..
> >        Checking file: /etc/bind/named.conf
> >
> >
> > // This is the primary configuration file for the BIND DNS server named.
> > //
> > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> > // structure of BIND configuration files in Debian, *BEFORE* you customize
> > // this configuration file.
> > //
> > // If you are just adding zones, please do that in /etc/bind/named.conf.local
> >
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/bind-dns/named.conf";
> >
> >
> > -----------
> >
> >
> >        Checking file: /etc/bind/named.conf.options
> >
> >
> > options {
> >
> >
> >  auth-nxdomain yes;
> >  directory "/var/cache/bind";
> >  dnssec-validation auto;
> >  empty-zones-enable no;
> >  managed-keys-directory "/var/cache/bind/";
> >  notify yes; // Not recommended.
> >  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS
> >
> >
> >  allow-query {
> >  any;
> >  };
> >
> >
> >  allow-recursion {
> >  any;
> >  };
> >
> >  allow-transfer {
> >  192.168.3.47;   // DNS2
> >  192.168.3.48;   // DNS1
> >  192.168.5.47;   // Opal
> >  192.168.5.48;   // Pyrite
> >  192.168.0.8;    // DNS3
> >  192.168.0.9;    // DNS4
> >  };
> >
> >
> >  also-notify {
> >  192.168.3.47;   // DNS2
> >  192.168.3.48;   // DNS1
> >  192.168.5.47;   // Opal
> >  192.168.5.48;   // Pyrite
> >  192.168.0.8;    // DNS3
> >  192.168.0.9;    // DNS4
> >  };
> >
> >
> >  allow-notify {
> >  192.168.3.47;   // DNS2
> >  192.168.3.48;   // DNS1
> >  192.168.5.47;   // Opal
> >  192.168.5.48;   // Pyrite
> >  192.168.0.8;    // DNS3
> >  192.168.0.9;    // DNS4
> >  };
> >
> >
> >  forwarders {
> >  9.9.9.9;
> >  1.1.1.1;
> >  8.8.8.8;
> >  8.8.4.4;
> >  };
> > };
> >
> >
> > -----------
> >
> >
> >        Checking file: /etc/bind/named.conf.local
> >
> >
> > //
> > // Do any local configuration here
> > //
> >
> >
> > // Consider adding the 1918 zones here, if they are not used in your
> > // organization
> > //include "/etc/bind/zones.rfc1918";
> >
> >
> > -----------
> >
> >
> >        Checking file: /etc/bind/named.conf.default-zones
> >
> >
> > // prime the server with knowledge of the root servers
> > zone "." {
> >  type hint;
> >  file "/etc/bind/db.root";
> > };
> >
> >
> > // be authoritative for the localhost forward and reverse zones, and for
> > // broadcast zones as per RFC 1912
> >
> >
> > zone "localhost" {
> >  type master;
> >  file "/etc/bind/db.local";
> > };
> >
> >
> > zone "7.in-addr.arpa" {
> >  type master;
> >  file "/etc/bind/db.127";
> > };
> >
> >
> > zone "0.in-addr.arpa" {
> >  type master;
> >  file "/etc/bind/db.0";
> > };
> >
> >
> > zone "255.in-addr.arpa" {
> >  type master;
> >  file "/etc/bind/db.255";
> > };
> >
> >
> > -----------
> >
> >
> > Samba DNS zone list:   10 zone(s) found
> >
> >
> >   pszZoneName                 : mycompany.com
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : 7.168.192.in-addr.arpa
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : 3.168.192.in-addr.arpa
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : 2.168.192.in-addr.arpa
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : 11.168.192.in-addr.arpa
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : mycompany.loc
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : samdom.mycompany.net
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : 5.168.192.in-addr.arpa
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : mycompany.net
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName                 : _msdcs.samdom.mycompany.net
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : ForestDnsZones.samdom.mycompany.net
> >
> >
> > Samba DNS zone list Automated check :
> > zone : mycompany.com ok, no Bind flat-files found
> > -----------
> > zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found
> > -----------
> > zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found
> > -----------
> > zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found
> > -----------
> > zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found
> > -----------
> > zone : mycompany.loc ok, no Bind flat-files found
> > -----------
> > zone : samdom.mycompany.net ok, no Bind flat-files found
> > -----------
> > zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found
> > -----------
> > zone : mycompany.net ok, no Bind flat-files found
> > -----------
> > zone : _msdcs.samdom.mycompany.net ok, no Bind flat-files found
> > -----------
> >
> >
> > Installed packages:
> > ii  acl                       2.2.52-3                                amd64  Access control list utilities
> > ii  attr                      1:2.4.47-2                              amd64  Utilities for manipulating filesystem extended attributes
> > hi  bind9                     1:9.10.3.dfsg.P4-8ubuntu1.12            amd64  Internet Domain Name Server
> > ii  bind9-doc                 1:9.10.3.dfsg.P4-8ubuntu1.14            all    Documentation for BIND
> > ii  bind9-host                1:9.10.3.dfsg.P4-8ubuntu1.12            amd64  Version of 'host' bundled with BIND 9.X
> > ii  bind9utils                1:9.10.3.dfsg.P4-8ubuntu1.12            amd64  Utilities for BIND
> > ii  krb5-config               2.3                                     all    Configuration files for Kerberos Version 5
> > ii  krb5-locales              1.13.2+dfsg-5ubuntu2.1                  all    Internationalization support for MIT Kerberos
> > ii  krb5-multidev             1.13.2+dfsg-5ubuntu2.1                  amd64  Development files for MIT Kerberos without Heimdal conflict
> > ii  krb5-user                 1.13.2+dfsg-5ubuntu2.1                  amd64  Basic programs to authenticate using MIT Kerberos
> > ii  libacl1:amd64             2.2.52-3                                amd64  Access control list shared library
> > ii  libacl1-dev               2.2.52-3                                amd64  Access control list static libraries and headers
> > ii  libattr1:amd64            1:2.4.47-2                              amd64  Extended attribute shared library
> > ii  libattr1-dev:amd64        1:2.4.47-2                              amd64  Extended attribute static libraries and headers
> > ii  libbind9-140:amd64        1:9.10.3.dfsg.P4-8ubuntu1.12            amd64  BIND9 Shared Library used by BIND
> > ii  libgssapi-krb5-2:amd64    1.13.2+dfsg-5ubuntu2.1                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> > ii  libkrb5-26-heimdal:amd64  1.7~git20150920+dfsg-4ubuntu1.16.04.1   amd64  Heimdal Kerberos - libraries
> > ii  libkrb5-3:amd64           1.13.2+dfsg-5ubuntu2.1                  amd64  MIT Kerberos runtime libraries
> > ii  libkrb5-dev               1.13.2+dfsg-5ubuntu2.1                  amd64  Headers and development libraries for MIT Kerberos
> > ii  libkrb5support0:amd64     1.13.2+dfsg-5ubuntu2.1                  amd64  MIT Kerberos runtime libraries - Support library
> >
> >
> > -----------
> >
> >
> >
> >
> >  From:   L.P.H. van Belle via samba <samba at lists.samba.org>
> >  To:   "samba at lists.samba.org" <samba at lists.samba.org>
> >  Sent:   6/19/2019 1:48 AM
> >  Subject:   Re: [Samba] DLZ Backend DNS Hosed
> >
> > Hai,
> >
> >
> > For bind, please add this if you use bind_DLZ.
> > How: systemctl edit bind9, or create the file manually and run systemctl daemon-reload after.
> > The edit command already does the reload.
> >
> > # /etc/systemd/system/bind9.service.d/override.conf
> > [Service]
> > ExecReload> >
> >
> > But same for you. ;-) As in the other list message today ([Samba] Reverse DNS).
> > Can you run this for me on the DCs:
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > And post the output.
> >
> > It tells me almost all I need to know to help you fix this.
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Matthew Delfino via samba
> >> Sent: Wednesday 19 June 2019 5:00
> >> To: samba at lists.samba.org
> >> Subject: [Samba] DLZ Backend DNS Hosed
> >>
> >>
> >> Hello,
> >>
> >>
> >> I'm in trouble here with what appears to be a total meltdown
> >> of my DNS on my Domain Controllers.
> >>
> >>
> >> I only have two DCs right now and I cannot resolve anything
> >> on either of them. I am on Ubuntu 16.04 with a compiled
> >> version of Samba 4.10.4.
> >>
> >>
> >> I also have a compiled version of BIND 9.10.3-P4-Ubuntu <id:ebd72b3>
> >>
> >>
> >> # service bind9 status
> >> ● bind9.service - BIND Domain Name Server
> >>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
> >>   Drop-In: /run/systemd/generator/bind9.service.d
> >>            └─50-insserv.conf-$named.conf
> >>    Active: failed (Result: exit-code) since Tue 2019-06-18 21:14:39 CDT; 27min ago
> >>      Docs: man:named(8)
> >>   Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
> >>   Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
> >>  Main PID: 28329 (code=exited, status=1/FAILURE)
> >>
> >>
> >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting configure
> >> Jun 18 21:14:39 cordelia named[28329]: zone mydomain.com/NONE: has no NS records
> >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to configure zone 'mydomain.com'
> >> Jun 18 21:14:39 cordelia named[28329]: loading configuration: bad zone
> >> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal error)
> >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> >> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: 127.0.0.1#953: connection refused
> >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control process exited, code=exited status=1
> >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit entered failed state.
> >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed with result 'exit-code'.
> >>
> >>
> >> It appears that somehow I lost my NS records for one of my
> >> zones. It seems that I cannot get BIND up long enough to edit
> >> anything.
> >>
> >>
> >> I've been able to delete my non-essential zones with samba-tool:
> >>
> >>
> >>
> >>  #  samba-tool dns zonedelete localhost mydomain.com
> >>  #  samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa
> >>  #  samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa
> >>  #  samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa
> >>  #  samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa
> >>  #  samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa
> >>
> >>
> >> But now my error is "zone _msdcs.samdom.mydomain.net/NONE:
> >> has no NS records" and I am real nervous to delete that zone.
> >>
> >>
> >> Does anyone know what I can do to get my samba DC to have NS
> >> records that my BIND DNS server will understand and therefore load?
> >>
> >>
> >>
> >> Thanks,
> >> Matthew
> >>
> >>
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> >
> 
> -- 
> Denis Cardon
> Tranquil IT
> 12 avenue Jules Verne (Bat. A)
> 44230 Saint Sébastien sur Loire (FRANCE)
> tel : +33 (0) 240 975 755
> http://www.tranquil.it
> 
> Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
> Samba install wiki for Frenchies : https://dev.tranquil.it
> WAPT, software deployment made easy : https://wapt.fr
> 
> 
>
Louis,
I appreciate your efforts with my predicament. I'm very sorry to say that
your advice hasn't gotten me to a solution. After updating my
/etc/network/interfaces to put my localhost IP address first (192.168.3.201, for
example), saving, restarting services, rebooting, running "samba_upgradedns
--dns-backend=BIND9_DLZ", saving, rebooting, etc., I still cannot add, edit
or remove records from the samdom.mycompany.net zone.
# samba_dnsupdate --verbose
IPs: ['192.168.3.201']
Looking for DNS entry A umbriel.samdom.mycompany.net 192.168.3.201 as
umbriel.samdom.mycompany.net.
Looking for DNS entry NS samdom.mycompany.net umbriel.samdom.mycompany.net as
samdom.mycompany.net.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 320, in check_dns_name
    ans = check_one_dns_name(normalised_name, d.type, d)
  File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
    ans = resolver.query(name, name_type)
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
    raise NoNameservers
dns.resolver.NoNameservers
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 851, in <module>
    elif not check_dns_name(d):
  File "/usr/sbin/samba_dnsupdate", line 324, in check_dns_name
    raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
Exception: Unable to contact a working DNS server while looking for NS samdom.mycompany.net umbriel.samdom.mycompany.net as samdom.mycompany.net.
Denis,
I appreciate this email you sent. Running this command results in the following:
# samba-tool dns add umbriel samdom.mycompany.net @ NS umbriel.samdom.mycompany.net -P
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944, in run
    raise e
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940, in run
    0, server, zone, name, add_rec_buf, None)
It just seems that my zone "samdom.mycompany.net" is completely hosed.
Rowland,
I always appreciate your tireless support. You made some comments, asked some
questions. Here are my responses:
>>
>>
>> Able to be edited: _msdcs.samdom.mycompany.net
>> NOT able to be edited: samdom.mycompany.net
>
> I read the output of Louis's script you posted and my first thought was,
> 'why has he got dns domains that have nothing to do with AD ?'
On the subject of Samba: Advice and how-tos on the Internet focus on telling us
what to do, often with only the most minimal context. It has taken me time to
learn and discover how the configurations advised can work best for my
environment. There are bits of configuration representing the legacy of that
evolution and there you saw one.
> In my opinion, you should only have the dns records for your Samba AD
> domain in AD, this should include any reverse zones.
So, to be clear, the bare minimum in my case would be:
samdom.mycompany.net
_msdcs.samdom.mycompany.net
3.168.192.in-addr.arpa
Do you concur?
>> I'm feeling lonely here.
>
> Do you have a backup ?
Of course. But I'm confident the backups don't go far enough back to get
me past whatever hosed my zone. I suspect all this started with me being
ignorant of the change which moved many BIND DLZ backend stuff from
../samba/private/ to ../samba/bind-dns/. We make so few changes to the DNS on
the DCs that I didn't notice that bind had been unable to talk to samba for
goodness knows how long. Between my first email and my second email to the list,
I discovered that erroneous configuration and addressed it, which helped
immensely in terms of end user experience.
> I have had something similar happen, but with the reverse zone and I
> just deleted the zone and recreated it with samba-tool and then let the
> records be recreated. In your case, I would be tempted to 'upgrade' to
> the internal dns server and then 'upgrade' to the Bind9 server. This
> should recreate all the required zones and records.
This is the only thing I have not tried and it's the one that seems to make
the most sense to me. But I don't want to do it during business hours.
I'll need to stick around late tonight to give it a shot (including backups
before I attempt all this). I've never done a maneuver like that before - I
will report my results in several hours.
>> search samdom.mycompany.net mycompany.net mycompany.com
> I would remove any domains that are not the Samba dns domain
Done.
>>  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>  workgroup = SAMDOM
>>  idmap_ldb:use rfc2307 = yes
>>  #dns forwarder = 8.8.4.4
>>  #dns forwarder = 8.8.8.8
>>  allow dns updates = disabled
> Bad move, something needs to be able to upgrade your dns records.
>>  dsdb:schema update allowed = true
> Remove this, it is only needed to extend the schema and can be used on
> the ldbmodify command line.
Done and done.
> Please set your dns up correctly, first remove the 3 blocks above,
> forward anything outside your Samba dns domain to another external dns
> server and inform any other, non AD dns servers that you have, where
> your AD domain is
I removed the 3 blocks above as they are unnecessary. Forwards to external DNS
servers were already there, the other DNS servers know about
samdom.mycompany.net by way of glue records in db.mycompany.net like this:
;;;;;;;;;;;;;;;;;;
;; Glue Records ;; For the SAMBA Active Directory Domain Controllers
;;;;;;;;;;;;;;;;;;
$ORIGIN samdom.mycompany.net.
@ 86400 IN NS samdom.mycompany.net. 
 86400 IN NS samdom.mycompany.net. 
 86400 IN NS samdom.mycompany.net.
cordelia.samdom.mycompany.net. IN A 192.168.3.201 
hyperion.samdom.mycompany.net. IN A 192.168.3.202 
umbriel.samdom.mycompany.net. IN A 192.168.3.203 
Is this what you meant by "inform any other, non AD dns servers that you
have, where your AD domain is?"
Thanks again, there are no further comments from me below.
Matthew
 From:   L.P.H. van Belle via samba <samba at lists.samba.org> 
 To:   "samba at lists.samba.org" <samba at lists.samba.org> 
 Sent:   6/21/2019 5:15 AM 
 Subject:   Re: [Samba] DLZ Backend DNS Hosed 
No, this is not needed.

Solution here in this is simple.
search primary.domain.tld # optional extra search domains after the primary.
nameserver IP_AD-DC_OF_THIS_SERVER_FIRST
nameserver IP_AD-DC_others

Run : samba_upgradedns --dns-backend=BIND9_DLZ
And you're done, all needed records are fixed/updated.

This goes wrong if the IP of the running server isn't the first and/or if search
is set up wrong.
So always keep the IP of the server itself as first. Yes, I know about DNS
islanding, but that won't happen if you set it up correctly and DON'T use
127.0.0.1, because that is NOT the name of the server.

Simple trick.
HOSTNAME="$(hostname -s)"
PRIMARYDNSDOMAIN="$(hostname -d)"
FQDN="$(hostname -f)"

Netbiosname in smb.conf = echo "${HOSTNAME^^}"

To be added if it's not there in /etc/hosts:
echo "$(hostname -i) $(hostname -f) $(hostname -s)"
ONLY one line should exist for the hostname; add any alias as CNAME in the dns.

Resolv.conf :
echo "nameserver $(hostname -i)"


Greetz,

Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Denis Cardon via samba
> Sent: Friday 21 June 2019 10:30
> To: Matthew Delfino; samba at lists.samba.org
> Subject: Re: [Samba] DLZ Backend DNS Hosed
>
> Hi Matthew,
>
> > # samba-tool dns add localhost samdom.mycompany.net
> > samdom.mycompany.net NS umbriel.samdom.mycompany.net
> > -U"Administrator"
> > Password for [ORBITAL\Administrator]:
> > ERROR(runtime): uncaught exception - (1383,
> > 'WERR_INTERNAL_DB_ERROR')
> >   File
> > "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> > line 185, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 944,
> > in run
> >     raise e
> >   File
> > "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 940,
> > in run
> >     0, server, zone, name, add_rec_buf, None)
>
> Like you have figured out, in more recent versions of Bind-DLZ it is
> required to have a NS field for it to start. Please try with the
> following command line syntax to add it:
>
> samba-tool dns add umbriel samdom.mycompany.net @ NS
> umbriel.samdom.mycompany.net -P
>
> For your DNS field update, if you get some TSIG error, you may
> try to add
> the DNS entries directly in the local database.
>
> samba_dnsupdate --verbose --use-samba-tool
>
> Cheers,
>
> Denis
>
> > 
> > 
> > Then, I remember my "samba_upgradedns
> > --dns-backend=BIND9_DLZ" sword, plus 7 against DNS problems!
> > Unsheathed by Matthew like Andúril by Aragorn:
> > 
> > 
> > 
> > # samba_upgradedns --dns-backend=BIND9_DLZ 
> > Reading domain information 
> > DNS accounts already exist 
> > No zone file /var/lib/samba/bind-dns/dns/SAMDOM.MYCOMPANY.NET.zone 
> > DNS records will be automatically created 
> > DNS partitions already exist 
> > dns-umbriel account already exists 
> > See /var/lib/samba/bind-dns/named.conf for an example  
> configuration include file for BIND 
> > and /var/lib/samba/bind-dns/named.txt for further  
> documentation required for secure DNS updates 
> > Finished upgrading DNS 
> > 
> > 
> > Take that, DNS problems! Right? Oh.... no... it didn't help  
> AT ALL. Same results on every test. 
> > 
> > 
> > I'm feeling lonely here. 
> > 
> > 
> > 
> > Thanks, 
> > Matthew 
> > 
> > 
> > 
> > From: Matthew Delfino via samba <samba at lists.samba.org>
> > To: L.P.H. van Belle <belle at bazuin.nl>,
> > "samba at lists.samba.org" <samba at lists.samba.org>
> > Sent: 6/20/2019 1:40 PM
> > Subject: Re: [Samba] DLZ Backend DNS Hosed
> > 
> > And, BTW, right now, I am able to see my problem via the  
> following 3 ways... 
> > 
> > 1) Through Windows DNS Manager, I cannot add, change or  
> delete any DNS records from: 
> > 
> > mycompany.loc 
> > samdom.mycompany.net 
> > mycompany.net 
> > 
> > I *can* add, change and delete DNS records from: 
> > 
> > _msdcs.samdom.mycompany.net 
> > mycompany.com 
> > 7.168.192.in-addr.arpa 
> > 5.168.192.in-addr.arpa 
> > 3.168.192.in-addr.arpa 
> > 2.168.192.in-addr.arpa 
> > 11.168.192.in-addr.arpa 
> > 
> > 2) Running the following command always ends with an error: 
> > 
> > # samba_dnsupdate --verbos --all-names 
> > IPs: ['192.168.3.203'] 
> > force update: A umbriel.samdom.mycompany.net 192.168.3.203 
> > force update: NS samdom.mycompany.net umbriel.samdom.mycompany.net 
> > force update: NS _msdcs.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 
> > force update: A samdom.mycompany.net 192.168.3.203 
> > force update: SRV _ldap._tcp.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 389 
> > force update: SRV _ldap._tcp.dc._msdcs.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 389 
> > force update: SRV  
> _ldap._tcp.02418c22-7df8-4ea3-aee8-ad1ce0c03cd8.domains._msdcs 
> .samdom.mycompany.net umbriel.samdom.mycompany.net 389 
> > force update: SRV _kerberos._tcp.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 88 
> > force update: SRV _kerberos._udp.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 88 
> > force update: SRV  
> _kerberos._tcp.dc._msdcs.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 88 
> > force update: SRV _kpasswd._tcp.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 464 
> > force update: SRV _kpasswd._udp.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 464 
> > force update: CNAME  
> a51ac937-a293-485a-b851-252be672c41f._msdcs.samdom.mycompany.n 
> et umbriel.samdom.mycompany.net 
> > force update: SRV  
> _ldap._tcp.Default-First-Site-Name._sites.samdom.mycompany.net 
> ?umbriel.samdom.mycompany.net 389 
> > force update: SRV  
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.myc 
> ompany.net umbriel.samdom.mycompany.net 389 
> > force update: SRV  
> _kerberos._tcp.Default-First-Site-Name._sites.samdom.mycompany 
> .net umbriel.samdom.mycompany.net 88 
> > force update: SRV  
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom 
> .mycompany.net umbriel.samdom.mycompany.net 88 
> > force update: A gc._msdcs.samdom.mycompany.net 192.168.3.203 
> > force update: SRV _gc._tcp.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 3268 
> > force update: SRV _ldap._tcp.gc._msdcs.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 3268 
> > force update: SRV  
> _gc._tcp.Default-First-Site-Name._sites.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 3268 
> > force update: SRV  
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.myc 
> ompany.net umbriel.samdom.mycompany.net 3268 
> > force update: A DomainDnsZones.samdom.mycompany.net 192.168.3.203 
> > force update: SRV  
> _ldap._tcp.DomainDnsZones.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 389 
> > force update: SRV  
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdo 
> m.mycompany.net umbriel.samdom.mycompany.net 389 
> > force update: A ForestDnsZones.samdom.mycompany.net 192.168.3.203 
> > force update: SRV  
> _ldap._tcp.ForestDnsZones.samdom.mycompany.net  
> umbriel.samdom.mycompany.net 389 
> > force update: SRV  
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdo 
> m.mycompany.net umbriel.samdom.mycompany.net 389 
> > 28 DNS updates and 0 DNS deletes needed 
> > Traceback (most recent call last): 
> >   File "/usr/sbin/samba_dnsupdate", line 886, in <module>
> >     creds = get_credentials(lp)
> >   File "/usr/sbin/samba_dnsupdate", line 204, in get_credentials
> >     get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.')
> >   File "/usr/sbin/samba_dnsupdate", line 161, in get_krb5_rw_dns_server
> >     rw_dns_servers = get_possible_rw_dns_server(creds, domain)
> >   File "/usr/sbin/samba_dnsupdate", line 136, in get_possible_rw_dns_server
> >     ans_soa = check_one_dns_name(domain, 'SOA')
> >   File "/usr/sbin/samba_dnsupdate", line 296, in check_one_dns_name
> >     ans = resolver.query(name, name_type)
> >   File "/usr/lib/python3/dist-packages/dns/resolver.py", line 821, in query
> >     raise NoNameservers
> > dns.resolver.NoNameservers
> > 
> > 3) We have a mail server that occasionally rejects  
> passwords from end users. This is the problem end users see  
> that started the whole investigation. 
> > 
> > Also, this may be obvious from the output of your script,  
> but in case it's not... we do not have DHCP server running on  
> our DCs, nor do we have any sort of dynamic dhcp setup. It's  
> just Samba and BIND (and kerberos, and ntp...). 
> > 
> > Thank you! 
> > Matthew 
> > 
> > 
> > 
> > 
> > ?From: ? Matthew Delfino via samba <samba at lists.samba.org> 
> > ?To: ? L.P.H. van Belle <belle at bazuin.nl>,  
> "samba at lists.samba.org" <samba at lists.samba.org> 
> > ?Sent: ? 6/20/2019 1:00 PM 
> > ?Subject: ? Re: [Samba] DLZ Backend DNS Hosed 
> > 
> > Nice shell script, Louis. Here are the results: 
> > 
> > 
> > 
> > Collected config --- 2019-06-20-12:46 -----------
> > 
> > 
> > Hostname: umbriel 
> > DNS Domain: samdom.mycompany.net 
> > FQDN: umbriel.samdom.mycompany.net 
> > ipaddress: 192.168.3.203 
> > 
> > 
> > ----------- 
> > 
> > 
> > Samba is running as an AD DC 
> > 
> > 
> > ----------- 
> >        Checking file: /etc/os-release
> > 
> > 
> > NAME="Ubuntu" 
> > VERSION="16.04.6 LTS (Xenial Xerus)" 
> > ID=ubuntu 
> > ID_LIKE=debian 
> > PRETTY_NAME="Ubuntu 16.04.6 LTS" 
> > VERSION_ID="16.04" 
> > HOME_URL="http://www.ubuntu.com/" 
> > SUPPORT_URL="http://help.ubuntu.com/" 
> > BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" 
> > VERSION_CODENAME=xenial 
> > UBUNTU_CODENAME=xenial 
> > 
> > 
> > ----------- 
> > 
> > 
> > 
> > 
> > This computer is running Ubuntu 16.04.6 LTS x86_64 
> > 
> > 
> > ----------- 
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >     inet6 ::1/128 scope host
> > 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> >     link/ether 00:50:56:a5:50:b3 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.3.203/24 brd 192.168.3.255 scope global ens32
> >     inet6 fe80::250:56ff:fea5:50b3/64 scope link
> > 
> > 
> > ----------- 
> >        Checking file: /etc/hosts
> >
> >
> > 127.0.0.1 localhost
> > 192.168.3.203 umbriel.samdom.mycompany.net umbriel
> >
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1     localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> > 
> > 
> > ----------- 
> > 
> > 
> >        Checking file: /etc/resolv.conf
> >
> >
> > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> > #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> > nameserver 192.168.3.201
> > nameserver 192.168.3.202
> > search samdom.mycompany.net mycompany.net mycompany.com
> > 
> > 
> > ----------- 
> > 
> > 
> >        Checking file: /etc/krb5.conf
> >
> >
> > [logging]
> >         default = FILE:/var/log/krb5libs.log
> >         kdc = FILE:/var/log/krb5kdc.log
> >         admin_server = FILE:/var/log/kadmin.log
> >
> >
> > [libdefaults]
> >         default_realm = SAMDOM.MYCOMPANY.NET
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >         ticket_lifetime = 24h
> >         renew_lifetime = 7d
> >         forwardable = true
> > 
> > 
> > ----------- 
> > 
> > 
> >        Checking file: /etc/nsswitch.conf
> >
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> >
> > passwd:         compat
> > group:          compat
> > shadow:         compat
> > gshadow:        files
> >
> >
> > hosts:          files dns
> > networks:       files
> >
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> >
> > netgroup:       nis
> > 
> > 
> > ----------- 
> > 
> > 
> >        Checking file: /etc/samba/smb.conf
> >
> >
> > # Global parameters
> > [global]
> >  netbios name = UMBRIEL
> >  realm = SAMDOM.MYCOMPANY.NET
> >  server role = active directory domain controller
> >  #server services = -dns
> >  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >  workgroup = SAMDOM
> >  idmap_ldb:use rfc2307 = yes
> >  #dns forwarder = 8.8.4.4
> >  #dns forwarder = 8.8.8.8
> >  allow dns updates = disabled
> >  dsdb:schema update allowed = true
> >  printcap name = /dev/null
> >  load printers = no
> >  printing = bsd
> >  ldap server require strong auth = no
> >  ldap ssl = start tls
> >  tls enabled  = yes
> >  tls keyfile  = tls/myKey.pem
> >  tls certfile = tls/umbriel_samdom_mycompany_net.pem
> >  tls cafile   = tls/umbriel_samdom_mycompany_net.ca-bundle.pem
> >  #log file = /var/log/samba/%a.%M.log
> >  max log size = 2048
> >  log level = 1 auth_audit:3
> >  apply group policies = yes
> >  mdns name = mdns
> > 
> > 
> > [netlogon] 
> > ?path = /var/lib/samba/sysvol/samdom.mycompany.net/scripts 
> > ?read only = No 
> > 
> > 
> > [sysvol] 
> > ?path = /var/lib/samba/sysvol 
> > ?read only = No 
> > 
> > 
> > ----------- 
> > 
> > 
> > Detected bind DLZ enabled.. 
> >        Checking file: /etc/bind/named.conf
> > 
> > 
> > // This is the primary configuration file for the BIND DNS  
> server named. 
> > // 
> > // Please read /usr/share/doc/bind9/README.Debian.gz for  
> information on the 
> > // structure of BIND configuration files in Debian,  
> *BEFORE* you customize 
> > // this configuration file. 
> > // 
> > // If you are just adding zones, please do that in  
> /etc/bind/named.conf.local 
> > 
> > 
> > include "/etc/bind/named.conf.options"; 
> > include "/etc/bind/named.conf.local"; 
> > include "/etc/bind/named.conf.default-zones"; 
> > include "/var/lib/samba/bind-dns/named.conf"; 
> > 
> > 
> > ----------- 
> > 
> > 
> >        Checking file: /etc/bind/named.conf.options
> >
> >
> > options {
> >
> >
> >  auth-nxdomain yes;
> >  directory "/var/cache/bind";
> >  dnssec-validation auto;
> >  empty-zones-enable no;
> >  managed-keys-directory "/var/cache/bind/";
> >  notify yes; // Not recommended.
> >  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; // For Dynamic DNS
> >
> >
> >  allow-query {
> >  any;
> >  };
> >
> >
> >  allow-recursion {
> >  any;
> >  };
> >
> >  allow-transfer {
> >  192.168.3.47;   // DNS2
> >  192.168.3.48;   // DNS1
> >  192.168.5.47;   // Opal
> >  192.168.5.48;   // Pyrite
> >  192.168.0.8;    // DNS3
> >  192.168.0.9;    // DNS4
> >  };
> >
> >
> >  also-notify {
> >  192.168.3.47;   // DNS2
> >  192.168.3.48;   // DNS1
> >  192.168.5.47;   // Opal
> >  192.168.5.48;   // Pyrite
> >  192.168.0.8;    // DNS3
> >  192.168.0.9;    // DNS4
> >  };
> >
> >
> >  allow-notify {
> >  192.168.3.47;   // DNS2
> >  192.168.3.48;   // DNS1
> >  192.168.5.47;   // Opal
> >  192.168.5.48;   // Pyrite
> >  192.168.0.8;    // DNS3
> >  192.168.0.9;    // DNS4
> >  };
> >
> >
> >  forwarders {
> >  9.9.9.9;
> >  1.1.1.1;
> >  8.8.8.8;
> >  8.8.4.4;
> >  };
> > }; 
> > 
> > 
> > ----------- 
> > 
> > 
> >        Checking file: /etc/bind/named.conf.local
> > 
> > 
> > // 
> > // Do any local configuration here 
> > // 
> > 
> > 
> > // Consider adding the 1918 zones here, if they are not used in your 
> > // organization 
> > //include "/etc/bind/zones.rfc1918"; 
> > 
> > 
> > ----------- 
> > 
> > 
> >        Checking file: /etc/bind/named.conf.default-zones
> > 
> > 
> > // prime the server with knowledge of the root servers 
> > zone "." { 
> > ?type hint; 
> > ?file "/etc/bind/db.root"; 
> > }; 
> > 
> > 
> > // be authoritative for the localhost forward and reverse  
> zones, and for 
> > // broadcast zones as per RFC 1912 
> > 
> > 
> > zone "localhost" { 
> > ?type master; 
> > ?file "/etc/bind/db.local"; 
> > }; 
> > 
> > 
> > zone "7.in-addr.arpa" { 
> > ?type master; 
> > ?file "/etc/bind/db.127"; 
> > }; 
> > 
> > 
> > zone "0.in-addr.arpa" { 
> > ?type master; 
> > ?file "/etc/bind/db.0"; 
> > }; 
> > 
> > 
> > zone "255.in-addr.arpa" { 
> > ?type master; 
> > ?file "/etc/bind/db.255"; 
> > }; 
> > 
> > 
> > ----------- 
> > 
> > 
> > Samba DNS zone list:   10 zone(s) found
> >
> >
> >   pszZoneName : mycompany.com
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : 7.168.192.in-addr.arpa
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : 3.168.192.in-addr.arpa
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : 2.168.192.in-addr.arpa
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : 11.168.192.in-addr.arpa
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : mycompany.loc
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : samdom.mycompany.net
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : 5.168.192.in-addr.arpa
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : mycompany.net
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : DomainDnsZones.samdom.mycompany.net
> >
> >
> >   pszZoneName : _msdcs.samdom.mycompany.net
> >   Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType    : DNS_ZONE_TYPE_PRIMARY
> >   Version     : 50
> >   dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn   : ForestDnsZones.samdom.mycompany.net
> > 
> > 
> > Samba DNS zone list Automated check : 
> > zone : mycompany.com ok, no Bind flat-files found 
> > ----------- 
> > zone : 7.168.192.in-addr.arpa ok, no Bind flat-files found 
> > ----------- 
> > zone : 3.168.192.in-addr.arpa ok, no Bind flat-files found 
> > ----------- 
> > zone : 2.168.192.in-addr.arpa ok, no Bind flat-files found 
> > ----------- 
> > zone : 11.168.192.in-addr.arpa ok, no Bind flat-files found 
> > ----------- 
> > zone : mycompany.loc ok, no Bind flat-files found 
> > ----------- 
> > zone : samdom.mycompany.net ok, no Bind flat-files found 
> > ----------- 
> > zone : 5.168.192.in-addr.arpa ok, no Bind flat-files found 
> > ----------- 
> > zone : mycompany.net ok, no Bind flat-files found 
> > ----------- 
> > zone : _msdcs.samdom.mycompany.net ok, no Bind flat-files found 
> > ----------- 
> > 
> > 
> > Installed packages: 
> > ii  acl                       2.2.52-3                               amd64  Access control list utilities
> > ii  attr                      1:2.4.47-2                             amd64  Utilities for manipulating filesystem extended attributes
> > hi  bind9                     1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Internet Domain Name Server
> > ii  bind9-doc                 1:9.10.3.dfsg.P4-8ubuntu1.14           all    Documentation for BIND
> > ii  bind9-host                1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Version of 'host' bundled with BIND 9.X
> > ii  bind9utils                1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  Utilities for BIND
> > ii  krb5-config               2.3                                    all    Configuration files for Kerberos Version 5
> > ii  krb5-locales              1.13.2+dfsg-5ubuntu2.1                 all    Internationalization support for MIT Kerberos
> > ii  krb5-multidev             1.13.2+dfsg-5ubuntu2.1                 amd64  Development files for MIT Kerberos without Heimdal conflict
> > ii  krb5-user                 1.13.2+dfsg-5ubuntu2.1                 amd64  Basic programs to authenticate using MIT Kerberos
> > ii  libacl1:amd64             2.2.52-3                               amd64  Access control list shared library
> > ii  libacl1-dev               2.2.52-3                               amd64  Access control list static libraries and headers
> > ii  libattr1:amd64            1:2.4.47-2                             amd64  Extended attribute shared library
> > ii  libattr1-dev:amd64        1:2.4.47-2                             amd64  Extended attribute static libraries and headers
> > ii  libbind9-140:amd64        1:9.10.3.dfsg.P4-8ubuntu1.12           amd64  BIND9 Shared Library used by BIND
> > ii  libgssapi-krb5-2:amd64    1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> > ii  libkrb5-26-heimdal:amd64  1.7~git20150920+dfsg-4ubuntu1.16.04.1  amd64  Heimdal Kerberos - libraries
> > ii  libkrb5-3:amd64           1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries
> > ii  libkrb5-dev               1.13.2+dfsg-5ubuntu2.1                 amd64  Headers and development libraries for MIT Kerberos
> > ii  libkrb5support0:amd64     1.13.2+dfsg-5ubuntu2.1                 amd64  MIT Kerberos runtime libraries - Support library
> > 
> > 
> > ----------- 
> > 
> > 
> > 
> > 
> > From: L.P.H. van Belle via samba <samba at lists.samba.org>
> > To: "samba at lists.samba.org" <samba at lists.samba.org>
> > Sent: 6/19/2019 1:48 AM
> > Subject: Re: [Samba] DLZ Backend DNS Hosed
> > 
> > Hai, 
> > 
> > 
> > For bind, please add this for bind if you use bind_DLZ.
> > How : systemctl edit bind9, or create the file manually and
> > run systemctl daemon-reload after.
> > The edit command already does the reload.
> >
> > # /etc/systemd/system/bind9.service.d/override.conf
> > [Service]
> > ExecReload=
> >
> >
> > But same for you. ;-) as the other list message today.
> > ([Samba] Reverse DNS)
> > Can you run this for me on the DC's.
> >
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > And post the output
> >
> > It tells me almost all I need to know to help you fix this.
> > 
> > Greetz, 
> > 
> > Louis 
> > 
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Matthew Delfino via samba
> >> Sent: Wednesday 19 June 2019 5:00
> >> To: samba at lists.samba.org
> >> Subject: [Samba] DLZ Backend DNS Hosed
> >> 
> >> 
> >> Hello, 
> >> 
> >> 
> >> I'm in trouble here with what appears to be a total meltdown 
> >> of my DNS on my Domain Controllers. 
> >> 
> >> 
> >> I only have two DCs right now and I cannot resolve anything 
> >> on either of them. I am on Ubuntu 16.04 with a compiled 
> >> version of Samba 4.10.4. 
> >> 
> >> 
> >> I also have a compiled version of BIND 9.10.3-P4-Ubuntu  
> <id:ebd72b3> 
> >> 
> >> 
> >> # service bind9 status 
> >> ● bind9.service - BIND Domain Name Server
> >>    Loaded: loaded (/lib/systemd/system/bind9.service;
> >> enabled; vendor preset: enabled)
> >>   Drop-In: /run/systemd/generator/bind9.service.d
> >>            └─50-insserv.conf-$named.conf
> >>    Active: failed (Result: exit-code) since Tue 2019-06-18
> >> 21:14:39 CDT; 27min ago
> >>      Docs: man:named(8)
> >>   Process: 28347 ExecStop=/usr/sbin/rndc stop (code=exited,
> >> status=1/FAILURE)
> >>   Process: 28329 ExecStart=/usr/sbin/named -f $OPTIONS
> >> (code=exited, status=1/FAILURE)
> >>  Main PID: 28329 (code=exited, status=1/FAILURE)
> >> 
> >> 
> >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: starting  
> configure 
> >> Jun 18 21:14:39 cordelia named[28329]: zone 
> >> mydomain.com/NONE: has no NS records 
> >> Jun 18 21:14:39 cordelia named[28329]: samba_dlz: Failed to 
> >> configure zone 'mydomain.com' 
> >> Jun 18 21:14:39 cordelia named[28329]: loading  
> configuration: bad zone 
> >> Jun 18 21:14:39 cordelia named[28329]: exiting (due to fatal
> >> error)
> >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Main 
> >> process exited, code=exited, status=1/FAILURE 
> >> Jun 18 21:14:39 cordelia rndc[28347]: rndc: connect failed: 
> >> 127.0.0.1#953: connection refused 
> >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Control 
> >> process exited, code=exited status=1 
> >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Unit 
> >> entered failed state. 
> >> Jun 18 21:14:39 cordelia systemd[1]: bind9.service: Failed 
> >> with result 'exit-code'. 
> >> 
> >> 
> >> It appears that somehow I lost my NS records for one of my 
> >> zones. It seems that I cannot get BIND up long enough to edit 
> >> anything. 
> >> 
> >> 
> >> I've been able to delete my non-essential zones with
> >> samba-tool:
> >> 
> >> 
> >> 
> >>  #  samba-tool dns zonedelete localhost mydomain.com
> >>  #  samba-tool dns zonedelete localhost 7.168.192.in-addr.arpa
> >>  #  samba-tool dns zonedelete localhost 3.168.192.in-addr.arpa
> >>  #  samba-tool dns zonedelete localhost 2.168.192.in-addr.arpa
> >>  #  samba-tool dns zonedelete localhost 11.168.192.in-addr.arpa
> >>  #  samba-tool dns zonedelete localhost 5.168.192.in-addr.arpa
> >> 
> >> 
> >> But now my error is "zone _msdcs.samdom.mydomain.net/NONE:
> >> has no NS records" and I am really nervous to delete that zone.
> >>
> >>
> >> Does anyone know what I can do to get my samba DC to have NS
> >> records that my BIND DNS server will understand and therefore
> >> load?
> >> 
> >> 
> >> 
> >> Thanks, 
> >> Matthew 
> >> 
> >> 
> > 
> > 
>  
> --  
> Denis Cardon 
> Tranquil IT 
> 12 avenue Jules Verne (Bat. A) 
> 44230 Saint Sébastien sur Loire (FRANCE)
> tel : +33 (0) 240 975 755 
> http://www.tranquil.it 
>  
> Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/ 
> Samba install wiki for Frenchies : https://dev.tranquil.it 
> WAPT, software deployment made easy : https://wapt.fr 
>  
 
 
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

© 2019 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of
KNOCK, inc. This message and any attachments contain information, which is
confidential and/or privileged. If you are not the intended recipient, please
refrain from any disclosure, copying, distribution or use of this information.
Please be aware that such actions are prohibited. If you have received this
transmission in error, kindly notify the sender by e-mail. Your cooperation is
appreciated.