Dear list,

we use debian stretch with Louis's 4.10.5 packages and bind9_dlz backend. There are two AD DCs with redundant ISC DHCP servers on them. The DHCP servers are updating the DNS along the lines of

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

but with nsupdate commands replaced by suitable calls to "samba-tool" (I had problems getting the nsupdate approach to work with the redundant dhcp servers on the second server). I am trying to debug some strange network issues right now. For example, when I ssh to the DCs, the login process sometimes stalls for extended periods of time without even asking for the username. Could DNS be part of the mix? Is using the calls to samba-tool a bad idea? Could this be related to the "lockup problem"?

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#The_Lockup_Problem

Would that be different if I use nsupdate vs samba-tool? Would I be better off with the internal DNS? If I switch to the internal DNS, are existing zones and entries transferred? Thanks for any insights and best wishes,

Christian
Hai,

Post me for both DCs the debug output of:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Anonymize it where needed.

The problem you are having is due to... "Something is not right."
But what? That is not impossible to tell because we see any config..
And why? Because this setup should work fine. We know it should work fine.

Greetz,

Louis

-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Christian via samba
Sent: Thursday 5 September 2019 10:01
To: samba at lists.samba.org
Subject: [Samba] DNS question
On 05/09/2019 09:01, Christian via samba wrote:
> Dear list,
>
> we use debian stretch with Louis's 4.10.5 packages and bind9_dlz
> backend. There are two AD DCs with redundant ISC DHCP servers on them.
> The DHCP servers are updating the DNS along the lines of
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> but with nsupdate commands replaced by suitable calls to "samba-tool" (I
> had problems getting the nsupdate approach to work with the redundant
> dhcp servers on the second server).

You as well ;-) Just in case it was just myself, I haven't updated the wiki page, but I will now.

> I am trying to debug some strange
> network issues right now. For example, when I ssh to the DCs, the login
> process sometimes stalls for extended periods of time without even
> asking for the username. Could DNS be part of the mix?

Shouldn't be, unless you are doing something strange like using a dhcp address on the DC.

> Is using the
> calls to samba-tool a bad idea? Could this be related to the "lockup
> problem"?

It isn't for myself.

> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#The_Lockup_Problem
>
> Would that be different if I use nsupdate vs samba-tool? Would I be
> better off with the internal DNS? If I switch to the internal DNS, are
> existing zones and entries transferred? Thanks for any insights and best
> wishes,
>
> Christian

If it is the problem (it has never happened to myself, but then I do not have a large domain), then you may wish to follow the suggestion of using an external bind9 dns server, but it would have been nice if the guy who added 'The Lockup Problem' to the wiki had also added instructions on how to do this ;-) Changing to the internal dns server shouldn't change AD (which is where the records are stored) much.

I do not know if samba-tool will update the records if using the internal dns server, I presume it would, but I do know that I couldn't get the old way with nsupdate to work with the internal dns server, but this was quite a while ago.

Rowland
OK... Voilà... Thanks,

Christian

Collected config --- 2019-09-05-11:33
-----------
Hostname: dc1
DNS Domain: xxx.yyy.zzz
FQDN: dc1.xxx.yyy.zzz
ipaddress: 10.103.1.6 X.X.103.1
-----------
Kerberos SRV _kerberos._tcp.xxx.yyy.zzz record verified ok, sample output:
Server:         X.X.103.1
Address:        X.X.103.1#53

_kerberos._tcp.xxx.yyy.zzz      service = 0 100 88 dc1.xxx.yyy.zzz.
_kerberos._tcp.xxx.yyy.zzz      service = 0 100 88 dc2.xxx.yyy.zzz.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 4c:ed:fb:91:aa:41 brd ff:ff:ff:ff:ff:ff
    inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
    inet6 fe80::4eed:fbff:fe91:aa41/64 scope link
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 4c:ed:fb:91:aa:42 brd ff:ff:ff:ff:ff:ff
    inet X.X.103.1/22 brd X.X.103.255 scope global eno1
    inet6 fe80::4eed:fbff:fe91:aa42/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1    localhost
X.X.103.1    dc1.xxx.yyy.zzz    dc1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
nameserver X.X.103.1
search xxx.yyy.zzz
-----------
Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = YYY.XXX.ZZZ
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    ccache_type = 4

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = lo eno1
    netbios name = DC1
    realm = YYY.XXX.ZZZ
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = XXX
    idmap_ldb:use rfc2307 = yes
    winbind expand groups = 2
    wins support = yes
    ntlm auth = yes
    allow dns updates = disabled
    kdc:service ticket lifetime = 24
    kdc:user ticket lifetime = 24
    kdc:renewal lifetime = 168

[netlogon]
    path = /var/lib/samba/sysvol/xxx.yyy.zzz/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        X.X.1.32;
        X.X.1.40;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain yes;    # conform to RFC1035 is no
    listen-on-v6 { any; };
        empty-zones-enable no;
        // https://wiki.samba.org/index.php/Dns-backend_bind
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the dlopen ( Bind DLZ ) module for samba.
// at install debian already sets the correct bind9.XX version in this file below.
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:  5 zone(s) found

  pszZoneName                 : xxx.yyy.zzz
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz

  pszZoneName                 : 103.X.X.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz

  pszZoneName                 : 102.X.X.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz

  pszZoneName                 : 1.103.10.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz

  pszZoneName                 : _msdcs.xxx.yyy.zzz
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.xxx.yyy.zzz

Samba DNS zone list Automated check :
zone : xxx.yyy.zzz ok, no Bind flat-files found
-----------
zone : 103.X.X.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 102.X.X.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 1.103.10.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.xxx.yyy.zzz ok, no Bind flat-files found
-----------
Installed packages:
ii  acl                       2.2.52-3+b1                   amd64  Access control list utilities
ii  attr                      1:2.4.47-2+b2                 amd64  Utilities for manipulating filesystem extended attributes
ii  bind9                     1:9.10.3.dfsg.P4-12.3+deb9u5  amd64  Internet Domain Name Server
ii  bind9-host                1:9.10.3.dfsg.P4-12.3+deb9u5  amd64  Version of 'host' bundled with BIND 9.X
ii  bind9utils                1:9.10.3.dfsg.P4-12.3+deb9u5  amd64  Utilities for BIND
ii  exim4-daemon-heavy        4.89-2+deb9u5                 amd64  Exim MTA (v4) daemon with extended features, including exiscan-acl
ii  krb5-config               2.6                           all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.15-1+deb9u1                 all    internationalization support for MIT Kerberos
ii  krb5-user                 1.15-1+deb9u1                 amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64             2.2.52-3+b1                   amd64  Access control list shared library
ii  libacl1-dev               2.2.52-3+b1                   amd64  Access control list static libraries and headers
ii  libattr1:amd64            1:2.4.47-2+b2                 amd64  Extended attribute shared library
ii  libattr1-dev:amd64        1:2.4.47-2+b2                 amd64  Extended attribute static libraries and headers
ii  libbind9-140:amd64        1:9.10.3.dfsg.P4-12.3+deb9u5  amd64  BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64    1.15-1+deb9u1                 amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64  7.1.0+dfsg-13+deb9u3          amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64           1.15-1+deb9u1                 amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.15-1+deb9u1                 amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64      2:4.10.5+nmu-0debian0         amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64      2:4.10.5+nmu-0debian0         amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64        2:4.10.5+nmu-0debian0         amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64        2:4.10.5+nmu-0debian0         amd64  Samba winbind client library
ii  openafs-krb5              1.6.20-2+deb9u2               amd64  AFS distributed filesystem Kerberos 5 integration
ii  python3-samba             2:4.10.5+nmu-0debian0         amd64  Python 3 bindings for Samba
ii  samba                     2:4.10.5+nmu-0debian0         amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common              2:4.10.5+nmu-0debian0         all    common files used by both the Samba server and client
ii  samba-common-bin          2:4.10.5+nmu-0debian0         amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.10.5+nmu-0debian0         amd64  Samba Directory Services Database
ii  samba-libs:amd64          2:4.10.5+nmu-0debian0         amd64  Samba core libraries
ii  samba-vfs-modules:amd64   2:4.10.5+nmu-0debian0         amd64  Samba Virtual FileSystem plugins
ii  smbclient                 2:4.10.5+nmu-0debian0         amd64  command-line SMB/CIFS clients for Unix
ii  winbind                   2:4.10.5+nmu-0debian0         amd64  service to resolve user and group information from Windows NT servers
-----------

On 05.09.2019 at 10:07, L.P.H. van Belle wrote:
This does not look bad, pretty OK. But I do have a question here.

> ipaddress: 10.103.1.6 X.X.103.1

This indicates that the primary interface is eno2:

> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1

Since I'm not seeing the routing table, that could be a point of improvement. Check the default with:

route | grep default

The hosts file only has:

> X.X.103.1    dc1.xxx.yyy.zzz    dc1

Kerberos points to: X.X.103.1
smb.conf points to eno1 (X.X.103.1):

>     interfaces = lo eno1

That is the first thing I see. So, what is the PTR record set of dc1? The IP of eno1 or eno2?

Greetz,

Louis

-----Original message-----
From: Christian [mailto:chanlists at googlemail.com]
Sent: Thursday 5 September 2019 11:43
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] DNS question
