Hi Rowland,

I've decided to roll back samba on DC1 to the state from a couple of weeks ago, before I started all this mess...

Since the email subject change :)

Stopped bind9 and sernet-samba-ad and copied /var/lib/samba aside.

Restored samba folder from backup, started sernet-samba-ad but bind9 fails to start:

Jul 22 14:39:39 dc1 named[27846]: generating session key for dynamic DNS
Jul 22 14:39:39 dc1 named[27846]: sizing zone task pool based on 5 zones
Jul 22 14:39:39 dc1 named[27846]: Loading 'AD DNS Zone' using driver dlopen
Jul 22 14:39:39 dc1 named[27846]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Jul 22 14:39:39 dc1 named[27846]: dlz_dlopen of 'AD DNS Zone' failed
Jul 22 14:39:39 dc1 named[27846]: SDLZ driver failed to load.
Jul 22 14:39:39 dc1 named[27846]: DLZ driver failed to load.
Jul 22 14:39:39 dc1 named[27846]: loading configuration: failure
Jul 22 14:39:39 dc1 named[27846]: exiting (due to fatal error)

Initially I thought permissions / ownership issues but the current and the backup copy look identical:

dc1:/# getfacl var/lib/samba/private/dns/sam.ldb
# file: var/lib/samba/private/dns/sam.ldb
# owner: root
# group: bind
user::rw-
group::rw-
other::---

dc1:/# getfacl var/tmp/bacula-restores/var/lib/samba/private/dns/sam.ldb
# file: var/tmp/bacula-restores/var/lib/samba/private/dns/sam.ldb
# owner: root
# group: bind
user::rw-
group::rw-
other::---

Files have the same size and time stamps, both last modified in 2013.

Also no difference in ownership and permissions for the parent samba/private/dns folders.

After rolling back /var/lib/samba and restarting services DNS and AD are working again.

Any ideas?

Thanks,
Adam
Following deeper analysis I have found some permission differences in
sysvol policies files, e.g:
WORKING:
# file: samba/sysvol/company.co.uk/Policies/{274B7BA8-3DBA-43A6-8AC2-D45B5E4054FF}/GPT.INI
# owner: 3000000
# group: Domain\040Users
user::rwx
group::---
group:Domain\040Users:---
group:3000000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
RESTORED:
# file: samba/sysvol/company.co.uk/Policies/{274B7BA8-3DBA-43A6-8AC2-D45B5E4054FF}/GPT.INI
# owner: 3000000
# group: Domain\040Users
user::rwx
group::rwx
other::---
Would it be enough to justify the error below and cause a complete DNS
failure?
Adam
On 22/07/19 15:28, Adam Weremczuk via samba wrote:
> Hi Rowland,
>
> I've decided to roll back samba on DC1 to the state from a couple of
> weeks ago, before I started all this mess...
>
> Since the email subject change :)
>
> Stopped bind9 and sernet-samba-ad and copied /var/lib/samba aside.
>
> Restored samba folder from backup, started sernet-samba-ad but bind9
> fails to start:
>
> Jul 22 14:39:39 dc1 named[27846]: generating session key for dynamic DNS
> Jul 22 14:39:39 dc1 named[27846]: sizing zone task pool based on 5 zones
> Jul 22 14:39:39 dc1 named[27846]: Loading 'AD DNS Zone' using driver
> dlopen
> Jul 22 14:39:39 dc1 named[27846]: samba_dlz: Failed to connect to
> /var/lib/samba/private/dns/sam.ldb
> Jul 22 14:39:39 dc1 named[27846]: dlz_dlopen of 'AD DNS Zone' failed
> Jul 22 14:39:39 dc1 named[27846]: SDLZ driver failed to load.
> Jul 22 14:39:39 dc1 named[27846]: DLZ driver failed to load.
> Jul 22 14:39:39 dc1 named[27846]: loading configuration: failure
> Jul 22 14:39:39 dc1 named[27846]: exiting (due to fatal error)
>
> Initially I thought permissions / ownership issues but the current and
> the backup copy looks identical:
>
> dc1:/# getfacl var/lib/samba/private/dns/sam.ldb
> # file: var/lib/samba/private/dns/sam.ldb
> # owner: root
> # group: bind
> user::rw-
> group::rw-
> other::---
>
> dc1:/# getfacl var/tmp/bacula-restores/var/lib/samba/private/dns/sam.ldb
> # file: var/tmp/bacula-restores/var/lib/samba/private/dns/sam.ldb
> # owner: root
> # group: bind
> user::rw-
> group::rw-
> other::---
>
> Files have the same size and time stamps, both last modified in 2013.
>
> Also no difference in ownership and permissions for the parent
> samba/private/dns folders.
>
> After rolling back /var/lib/samba and restarting services DNS and AD
> are working again.
>
> Any ideas?
>
> Thanks,
> Adam
>
On 22/07/2019 16:12, Adam Weremczuk via samba wrote:
> Following deeper analysis I have found some permission differences in
> sysvol policies files, e.g:
>
> [...]
>
> Would it be enough to justify the error below and cause a complete DNS
> failure?

I wouldn't have thought so.

> Adam
>
> On 22/07/19 15:28, Adam Weremczuk via samba wrote:
>> Hi Rowland,
>>
>> [...]
>>
>> Restored samba folder from backup, started sernet-samba-ad but bind9
>> fails to start:
>>
>> Jul 22 14:39:39 dc1 named[27846]: generating session key for dynamic DNS
>> Jul 22 14:39:39 dc1 named[27846]: sizing zone task pool based on 5 zones
>> Jul 22 14:39:39 dc1 named[27846]: Loading 'AD DNS Zone' using driver
>> dlopen
>> Jul 22 14:39:39 dc1 named[27846]: samba_dlz: Failed to connect to
>> /var/lib/samba/private/dns/sam.ldb

Does /var/lib/samba/private/dns/sam.ldb exist, or is it (like mine now) /var/lib/samba/bind-dns/dns/sam.ldb ?

Rowland
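The two checks this thread turns on, as an added example (not code from the thread or from the Samba project): which of the two sam.ldb locations Rowland mentions actually exists under a given /var/lib/samba, and whether a restored tree carries the same owner, group, mode and (when getfacl is installed) extended ACL entries as the live one for every file, generalising the single-file getfacl comparison above to a whole tree. It assumes GNU coreutils stat(1); the base directory and the tree names are parameters, not fixed paths.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes GNU stat(1); getfacl(1) is
# used only if present, so extended ACL entries (the mask:: and group:300000x:
# lines in the thread) are compared where the tooling allows it.

# Print the sam.ldb that named's samba_dlz would find under a Samba state
# directory (default /var/lib/samba). Newer Samba releases keep it under
# bind-dns/dns, older ones under private/dns. Returns 1 if neither exists.
find_dlz_db() {
    base=${1:-/var/lib/samba}
    for db in "$base/bind-dns/dns/sam.ldb" "$base/private/dns/sam.ldb"; do
        if [ -f "$db" ]; then
            echo "$db"
            return 0
        fi
    done
    return 1
}

# Summarise owner, group, mode and (optionally) the ACL of one file as a
# single line so two files can be compared with a string test.
perm_summary() {
    s=$(stat -c '%U:%G:%a' "$1")
    if command -v getfacl >/dev/null 2>&1; then
        s="$s $(getfacl -p -c "$1" 2>/dev/null | tr '\n' ' ')"
    fi
    echo "$s"
}

# Walk every regular file under tree A (e.g. the live /var/lib/samba) and
# compare it with the same relative path under tree B (e.g. the restored
# copy). One line per problem: MISSING when B lacks the file, DIFF when the
# permission summaries differ. Prints nothing when the trees agree.
perm_tree_diff() {
    a=$1
    b=$2
    (cd "$a" && find . -type f | sort) | while IFS= read -r rel; do
        if [ ! -e "$b/$rel" ]; then
            printf 'MISSING %s\n' "$rel"
            continue
        fi
        pa=$(perm_summary "$a/$rel")
        pb=$(perm_summary "$b/$rel")
        [ "$pa" = "$pb" ] || printf 'DIFF %s a=[%s] b=[%s]\n' "$rel" "$pa" "$pb"
    done
}

# Usage on a DC (paths are examples):
#   find_dlz_db /var/lib/samba
#   perm_tree_diff /var/lib/samba /var/tmp/bacula-restores/var/lib/samba
```

Run perm_tree_diff with the live tree as the first argument and the restored one as the second; a restore made by copying files off tape, as in this thread, typically loses the extended ACL entries on sysvol, and those show up here as DIFF lines even when the plain mode bits match.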
On 23/07/19 2:28 AM, Adam Weremczuk via samba wrote:
> Restored samba folder from backup, started sernet-samba-ad but bind9
> fails to start:
>

Just to clarify regarding this restore step, were you using the 'samba-tool domain backup restore' command? Or were you manually copying across files from some kind of folder backup you made manually?
On 22/07/19 22:14, Tim Beale via samba wrote:
> On 23/07/19 2:28 AM, Adam Weremczuk via samba wrote:
>> Restored samba folder from backup, started sernet-samba-ad but bind9
>> fails to start:
>>
> Just to clarify regarding this restore step, were you using the
> 'samba-tool domain backup restore' command? Or were you manually copying
> across files from some kind of folder backup you made manually?
>

Manually copied the entire /var/lib/samba folder from a tape backup taken about a month ago.