This does not look bad, pretty ok.

But I do have a question here.

> ipaddress: 10.103.1.6 X.X.103.1
This indicates that the primary interface is eno2

> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1

Since I'm not seeing the routing table, that could be a point of improvement.
Check the default with : route |grep default

Hostfile only has
> X.X.103.1    dc1.xxx.yyy.zzz    dc1
Kerberos points to : X.X.103.1

Smb.conf points to eno1 ( X.X.103.1 )
>     interfaces = lo eno1

That's the first thing I see.

So what is the PTR record of dc1 set to? IP of eno1 or eno2?

Greetz,

Louis

> -----Original message-----
> From: Christian [mailto:chanlists at googlemail.com]
> Sent: Thursday 5 September 2019 11:43
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] DNS question
>
> OK... Voilà... Thanks,
>
> Christian
>
> Collected config  --- 2019-09-05-11:33 -----------
>
> Hostname: dc1
> DNS Domain: xxx.yyy.zzz
> FQDN: dc1.xxx.yyy.zzz
> ipaddress: 10.103.1.6 X.X.103.1
>
> -----------
>
> Kerberos SRV _kerberos._tcp.xxx.yyy.zzz record verified ok,
> sample output:
> Server:         X.X.103.1
> Address:        X.X.103.1#53
>
> _kerberos._tcp.xxx.yyy.zzz    service = 0 100 88 dc1.xxx.yyy.zzz.
> _kerberos._tcp.xxx.yyy.zzz    service = 0 100 88 dc2.xxx.yyy.zzz.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> NAME="Debian GNU/Linux"
> VERSION_ID="9"
> VERSION="9 (stretch)"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> This computer is running Debian 9.9 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>     link/ether 4c:ed:fb:91:aa:41 brd ff:ff:ff:ff:ff:ff
>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
>     inet6 fe80::4eed:fbff:fe91:aa41/64 scope link
> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>     link/ether 4c:ed:fb:91:aa:42 brd ff:ff:ff:ff:ff:ff
>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1
>     inet6 fe80::4eed:fbff:fe91:aa42/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1    localhost
> X.X.103.1    dc1.xxx.yyy.zzz    dc1
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> nameserver X.X.103.1
> search xxx.yyy.zzz
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
>     default_realm = YYY.XXX.ZZZ
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>     forwardable = true
>     proxiable = true
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     ccache_type = 4
>
>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat
> group:          compat
> shadow:         compat
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
>     bind interfaces only = Yes
>     interfaces = lo eno1
>     netbios name = DC1
>     realm = YYY.XXX.ZZZ
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = XXX
>     idmap_ldb:use rfc2307 = yes
>     winbind expand groups = 2
>     wins support = yes
>     ntlm auth = yes
>     allow dns updates = disabled
>     kdc:service ticket lifetime = 24
>     kdc:user ticket lifetime = 24
>     kdc:renewal lifetime = 168
>
> [netlogon]
>     path = /var/lib/samba/sysvol/xxx.yyy.zzz/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     forwarders {
>         X.X.1.32;
>         X.X.1.40;
>     };
>
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys.  See https://www.isc.org/bind-keys
>     //========================================================================
>     dnssec-validation auto;
>
>     auth-nxdomain yes;    # conform to RFC1035 is no
>     listen-on-v6 { any; };
>     empty-zones-enable no;
>     // https://wiki.samba.org/index.php/Dns-backend_bind
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> // adding the dlopen ( Bind DLZ ) module for samba.
> // at install debian already sets the correct bind9.XX version in this file below.
> include "/var/lib/samba/bind-dns/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list:   5 zone(s) found
>
>   pszZoneName                 : xxx.yyy.zzz
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
>
>   pszZoneName                 : 103.X.X.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
>
>   pszZoneName                 : 102.X.X.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
>
>   pszZoneName                 : 1.103.10.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.xxx.yyy.zzz
>
>   pszZoneName                 : _msdcs.xxx.yyy.zzz
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.xxx.yyy.zzz
>
> Samba DNS zone list Automated check :
> zone : xxx.yyy.zzz ok, no Bind flat-files found
> -----------
> zone : 103.X.X.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : 102.X.X.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : 1.103.10.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : _msdcs.xxx.yyy.zzz ok, no Bind flat-files found
> -----------
>
> Installed packages:
> ii  acl                        2.2.52-3+b1                    amd64  Access control list utilities
> ii  attr                       1:2.4.47-2+b2                  amd64  Utilities for manipulating filesystem extended attributes
> ii  bind9                      1:9.10.3.dfsg.P4-12.3+deb9u5   amd64  Internet Domain Name Server
> ii  bind9-host                 1:9.10.3.dfsg.P4-12.3+deb9u5   amd64  Version of 'host' bundled with BIND 9.X
> ii  bind9utils                 1:9.10.3.dfsg.P4-12.3+deb9u5   amd64  Utilities for BIND
> ii  exim4-daemon-heavy         4.89-2+deb9u5                  amd64  Exim MTA (v4) daemon with extended features, including exiscan-acl
> ii  krb5-config                2.6                            all    Configuration files for Kerberos Version 5
> ii  krb5-locales               1.15-1+deb9u1                  all    internationalization support for MIT Kerberos
> ii  krb5-user                  1.15-1+deb9u1                  amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64              2.2.52-3+b1                    amd64  Access control list shared library
> ii  libacl1-dev                2.2.52-3+b1                    amd64  Access control list static libraries and headers
> ii  libattr1:amd64             1:2.4.47-2+b2                  amd64  Extended attribute shared library
> ii  libattr1-dev:amd64         1:2.4.47-2+b2                  amd64  Extended attribute static libraries and headers
> ii  libbind9-140:amd64         1:9.10.3.dfsg.P4-12.3+deb9u5   amd64  BIND9 Shared Library used by BIND
> ii  libgssapi-krb5-2:amd64     1.15-1+deb9u1                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64   7.1.0+dfsg-13+deb9u3           amd64  Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64            1.15-1+deb9u1                  amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64      1.15-1+deb9u1                  amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64       2:4.10.5+nmu-0debian0          amd64  Samba nameservice integration plugins
> ii  libpam-winbind:amd64       2:4.10.5+nmu-0debian0          amd64  Windows domain authentication integration plugin
> ii  libsmbclient:amd64         2:4.10.5+nmu-0debian0          amd64  shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64         2:4.10.5+nmu-0debian0          amd64  Samba winbind client library
> ii  openafs-krb5               1.6.20-2+deb9u2                amd64  AFS distributed filesystem Kerberos 5 integration
> ii  python3-samba              2:4.10.5+nmu-0debian0          amd64  Python 3 bindings for Samba
> ii  samba                      2:4.10.5+nmu-0debian0          amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common               2:4.10.5+nmu-0debian0          all    common files used by both the Samba server and client
> ii  samba-common-bin           2:4.10.5+nmu-0debian0          amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64   2:4.10.5+nmu-0debian0          amd64  Samba Directory Services Database
> ii  samba-libs:amd64           2:4.10.5+nmu-0debian0          amd64  Samba core libraries
> ii  samba-vfs-modules:amd64    2:4.10.5+nmu-0debian0          amd64  Samba Virtual FileSystem plugins
> ii  smbclient                  2:4.10.5+nmu-0debian0          amd64  command-line SMB/CIFS clients for Unix
> ii  winbind                    2:4.10.5+nmu-0debian0          amd64  service to resolve user and group information from Windows NT servers
>
> -----------
>
> On 05.09.2019 at 10:07, L.P.H. van Belle wrote:
> > Hai,
> >
> > Post me for both DC the debug output of:
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> >
> > Anonymize it where needed.
> >
> > The problem you are having is due to.. "Something is not right."
> > But what? That is not impossible to tell because we see any config..
> > And why? Because this setup should work fine. We know it should work fine.
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Christian via samba
> >> Sent: Thursday 5 September 2019 10:01
> >> To: samba at lists.samba.org
> >> Subject: [Samba] DNS question
> >>
> >> Dear list,
> >>
> >> we use debian stretch with Louis's 4.10.5 packages and bind9_dlz
> >> backend. There are two AD DCs with redundant ISC DHCP servers on them.
> >> The DHCP servers are updating the DNS along the lines of
> >>
> >> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >>
> >> but with nsupdate commands replaced by suitable calls to "samba-tool" (I
> >> had problems getting the nsupdate approach to work with the redundant
> >> dhcp servers on the second server). I am trying to debug some strange
> >> network issues right now. For example, when I ssh to the DCs, the login
> >> process sometimes stalls for extended periods of time without even
> >> asking for the username. Could DNS be part of the mix? Is using the
> >> calls to samba-tool a bad idea? Could this be related to the "lockup
> >> problem"?
> >>
> >> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#The_Lockup_Problem
> >>
> >> Would that be different if I use nsupdate vs samba-tool? Would I be
> >> better off with the internal DNS? If I switch to the internal DNS, are
> >> existing zones and entries transferred? Thanks for any insights and best
> >> wishes,
> >>
> >> Christian
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
On 05/09/2019 11:14, L.P.H. van Belle via samba wrote:
> This does not look bad, pretty ok.
>
> But I do have a question here.
>
>> ipaddress: 10.103.1.6 X.X.103.1
> This indicates that the primary interface is eno2
>
>> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
>> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1
> Since I'm not seeing the routing table, that could be a point of improvement.
> Check the default with : route |grep default
>
> Hostfile only has
>> X.X.103.1    dc1.xxx.yyy.zzz    dc1
> Kerberos points to : X.X.103.1
>
> Smb.conf points to eno1 ( X.X.103.1 )
>>     interfaces = lo eno1
> That's the first thing I see.
>
> So what is the PTR record of dc1 set to? IP of eno1 or eno2?
>
>
> Greetz,
>
> Louis

At last, I saw something you didn't ;-)

in named.conf.options:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

in named.conf.local:

include "/var/lib/samba/bind-dns/named.conf";

Shouldn't the 'private' in the first path be 'bind-dns' ?

I would also suggest the OP reads this:

https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server#Installing_.26_Configuring_BIND_on_Debian_based_distros

Rowland
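The three things checked by hand in this thread (which interface smb.conf binds and whether /etc/hosts and the default route agree with it; whether BIND's tkey-gssapi-keytab sits in the same directory as the Samba-generated named.conf it includes) can be cross-checked mechanically from the output of a debug collector. The script below is an added example, not part of the thread and not from Louis's samba-collect-debug-info.sh. Its sample texts are constructed from the anonymised config posted above, with the TEST-NET address 192.0.2.1 standing in for X.X.103.1; the function names are the example's own.

```python
"""Cross-check the DNS-related pieces of a Samba AD DC config for consistency.

Added example. The SAMPLE_* texts are constructed from the anonymised config
posted in the thread; 192.0.2.1 stands in for the masked X.X.103.1 address.
"""
import os
import re

# --- constructed sample input (modelled on the posted collector output) ----
IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.0.2.1/22 brd 192.0.3.255 scope global eno1
"""
SMB_CONF = """\
[global]
    bind interfaces only = Yes
    interfaces = lo eno1
    netbios name = DC1
"""
HOSTS = """\
127.0.0.1    localhost
192.0.2.1    dc1.xxx.yyy.zzz    dc1
"""
ROUTE = "default         gate-w1-0-vl103 0.0.0.0         UG    0      0        0 eno1\n"
NAMED_OPTIONS = """\
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""
NAMED_LOCAL = """\
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";
"""


def parse_ip_a(text):
    """Map interface name -> list of global-scope IPv4 addresses from `ip a`."""
    addrs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+):", line)
        if m:
            current = m.group(1)
            addrs.setdefault(current, [])
            continue
        m = re.match(r"\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+.*\bscope global\b", line)
        if m and current:
            addrs[current].append(m.group(1))
    return addrs


def smb_interfaces(text):
    """Entries of smb.conf's `interfaces =` line (interface names or addresses)."""
    m = re.search(r"^\s*interfaces\s*=\s*(.+)$", text, re.M)
    return m.group(1).split() if m else []


def hosts_lookup(text, name):
    """Address that /etc/hosts assigns to `name`, or None (comments ignored)."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None


def default_route_iface(text):
    """Outgoing interface of the default route (last column of `route` output)."""
    for line in text.splitlines():
        if line.startswith("default"):
            return line.split()[-1]
    return None


def quoted_path(text, directive):
    """Value of an active `directive "path";` line in a named.conf fragment."""
    m = re.search(r'^\s*%s\s+"([^"]+)"' % re.escape(directive), text, re.M)
    return m.group(1) if m else None


def check_dc(ip_a, smb_conf, hosts, route, named_options, named_local, fqdn):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    addrs = parse_ip_a(ip_a)
    bound_ips = []
    for entry in smb_interfaces(smb_conf):
        if entry == "lo":
            continue
        if re.match(r"\d+\.\d+\.\d+\.\d+", entry):   # smb.conf also accepts addresses
            bound_ips.append(entry.split("/")[0])
        else:
            bound_ips.extend(addrs.get(entry, []))
    if not bound_ips:
        findings.append("smb.conf binds no interface carrying a global IPv4 address")
    host_ip = hosts_lookup(hosts, fqdn)
    if host_ip is None:
        findings.append("/etc/hosts has no entry for %s" % fqdn)
    elif host_ip not in bound_ips:
        findings.append("/etc/hosts maps %s to %s, not a Samba-bound address" % (fqdn, host_ip))
    gw_if = default_route_iface(route)
    if gw_if and not set(addrs.get(gw_if, [])) & set(bound_ips):
        findings.append("default route leaves via %s, which smb.conf does not bind" % gw_if)
    keytab = quoted_path(named_options, "tkey-gssapi-keytab")
    dlz = quoted_path(named_local, "include")
    if keytab and dlz and os.path.dirname(keytab) != os.path.dirname(dlz):
        findings.append("tkey-gssapi-keytab %s is not in the directory of the DLZ include %s"
                        % (keytab, dlz))
    return findings


def run_sample():
    """Run the checks over the constructed sample and return the findings."""
    return check_dc(IP_A, SMB_CONF, HOSTS, ROUTE, NAMED_OPTIONS, NAMED_LOCAL,
                    "dc1.xxx.yyy.zzz")


if __name__ == "__main__":
    for finding in run_sample() or ["no inconsistencies found"]:
        print(finding)
```

On the sample the interface, hosts-file and default-route checks pass (eno1 is bound, listed in /etc/hosts and carries the default route), and the only finding is the keytab directory mismatch Rowland points out. The same-directory rule is what his remark implies: Samba writes both dns.keytab and the DLZ named.conf into one directory, so a keytab path pointing elsewhere means BIND is reading a stale or nonexistent keytab.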
Hi,

On 05.09.2019 at 12:14, L.P.H. van Belle wrote:
> This does not look bad, pretty ok.
>
> But I do have a question here.
>
>> ipaddress: 10.103.1.6 X.X.103.1
> This indicates that the primary interface is eno2

In your script, that output is generated using hostname -I. Not sure why
eno2 pops up first. eno1 is the main interface. eno1 is first in
/etc/network/interfaces, and the default route is on that. However, eno2
also appears first in the output of ip a (see below). Does this order
have any implications, or how is it set?

>> 2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>>     inet 10.103.1.6/24 brd 10.103.1.255 scope global eno2
>> 3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
>>     inet X.X.103.1/22 brd X.X.103.255 scope global eno1
>
> Since I'm not seeing the routing table, that could be a point of improvement.
> Check the default with : route |grep default

default         gate-w1-0-vl103 0.0.0.0         UG    0      0        0 eno1

So seems OK

> Hostfile only has
>> X.X.103.1    dc1.xxx.yyy.zzz    dc1
> Kerberos points to : X.X.103.1
>
> Smb.conf points to eno1 ( X.X.103.1 )
>>     interfaces = lo eno1
>
> That's the first thing I see.
>
> So what is the PTR record of dc1 set to? IP of eno1 or eno2?

eno1

Cheers

Christian
Hi,

On 05.09.2019 at 12:25, Rowland penny via samba wrote:
> [...]
> At last, I saw something you didn't ;-)
>
> in named.conf.options:
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
> in named.conf.local:
>
> include "/var/lib/samba/bind-dns/named.conf";
>
> Shouldn't the 'private' in the first path be 'bind-dns' ?

Had both files, and they were identical. Bad practice... Changed to the bind-dns version. Thanks for the hint...

> I would also suggest the OP reads this:
>
> https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server#Installing_.26_Configuring_BIND_on_Debian_based_distros
>

Thanks, made those changes. Let's see what we get.

Best wishes,

Christian
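The mismatch Rowland spotted is easy to miss by eye, so here is a small check for it. This shell script is an added example and is not code from the thread or from the Samba project: it parses `named.conf.options` and `named.conf.local` and reports whether both `tkey-gssapi-keytab` and the DLZ `include` point into Samba's bind-dns directory. The bind-dns path `/var/lib/samba/bind-dns` is the Debian default and is assumed here; the two sample config files are constructed inline to mirror the 'private' and 'bind-dns' variants quoted above, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: verify that BIND9's
# GSS-TSIG keytab and its DLZ include both point into Samba's bind-dns
# directory (Debian default path assumed: /var/lib/samba/bind-dns).
set -u

# Print the quoted value of a single-valued named.conf option, e.g.
#   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
# Arguments: config file, option name. Prints nothing if the option is absent.
named_option_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Return 0 when tkey-gssapi-keytab is <bind-dns>/dns.keytab, 1 otherwise
# (also when the option is missing: GSS-TSIG dynamic updates need it).
check_tkey_keytab() {
    kt=$(named_option_value "$1" tkey-gssapi-keytab)
    [ "$kt" = "$2/dns.keytab" ]
}

# Return 0 when named.conf.local includes <bind-dns>/named.conf.
check_dlz_include() {
    grep -q "^[[:space:]]*include[[:space:]]*\"$2/named\.conf\"[[:space:]]*;" "$1"
}

# Run both checks, print one line per finding, return 1 on any failure.
# Arguments: named.conf.options, named.conf.local, bind-dns directory.
audit_bind_dlz() {
    rc=0
    if check_tkey_keytab "$1" "$3"; then
        echo "ok:   tkey-gssapi-keytab -> $3/dns.keytab"
    else
        echo "FAIL: tkey-gssapi-keytab is '$(named_option_value "$1" tkey-gssapi-keytab)', expected $3/dns.keytab"
        rc=1
    fi
    if check_dlz_include "$2" "$3"; then
        echo "ok:   named.conf.local includes $3/named.conf"
    else
        echo "FAIL: named.conf.local does not include $3/named.conf"
        rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the thread: the 'private' keytab path
# (the mistake Rowland spotted) and the corrected 'bind-dns' path.
BIND_DNS=/var/lib/samba/bind-dns
DEMO=$(mktemp -d)
cat > "$DEMO/named.conf.options.bad" <<'EOF'
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
EOF
sed 's#/private/#/bind-dns/#' "$DEMO/named.conf.options.bad" > "$DEMO/named.conf.options.good"
cat > "$DEMO/named.conf.local" <<'EOF'
include "/var/lib/samba/bind-dns/named.conf";
EOF

echo "--- before the fix"
audit_bind_dlz "$DEMO/named.conf.options.bad"  "$DEMO/named.conf.local" "$BIND_DNS" || true
echo "--- after the fix"
audit_bind_dlz "$DEMO/named.conf.options.good" "$DEMO/named.conf.local" "$BIND_DNS" || true
```

On a real DC, point `audit_bind_dlz` at `/etc/bind/named.conf.options` and `/etc/bind/named.conf.local` instead of the constructed copies. The reason the bind-dns directory exists at all is that the `bind` user must be able to read `dns.keytab` and the DLZ files without being given access to Samba's `private/` directory, so a keytab path under `private/` is wrong even when an identical copy of the file happens to be there. After correcting the path, restart bind9 and run `samba_dnsupdate --verbose` to confirm the GSS-TSIG updates still succeed.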