David Masshardt
2019-Nov-24 12:36 UTC
[Samba] Problems setting up samba bind9_dlz on Ubuntu 18.04
Hi,

I hope someone can help me with the following problem. I followed the following guides to set up samba as an additional active directory server to my windows server with bind9 dns:

https://www.tecmint.com/join-additional-ubuntu-dc-to-samba4-ad-dc-failover-replication/
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting

The active directory replication works, but the dns replication does not. When I'm running "samba_dnsupdate --all-names" I get the following output:

; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
update failed: REFUSED
; TSIG error with server: tsig verify failure
update failed: REFUSED
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
; TSIG error with server: tsig verify failure
Failed update of 19 entries

Here is a list of versions:

Ubuntu: 18.04
Samba: 4.7.6-Ubuntu
bind9: 9.11.3-1ubuntu1.11-Ubuntu

And this is my smb.conf:

[global]
        netbios name = DC01
        realm = DOMAIN.COM
        server role = active directory domain controller
        workgroup = DOMAIN.COM
        dns forwarder = 172.17.1.1
        idmap_ldb:use rfc2307 = yes

        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        server services = -dns

[netlogon]
        path = /var/lib/samba/sysvol/domain.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

I'm not really sure if samba is even using bind9. I've enabled the logging of bind9, but I cannot see any logs when running the dns update.

Did I miss a step to activate the bind9 module?
Rowland penny
2019-Nov-24 13:29 UTC
[Samba] Problems setting up samba bind9_dlz on Ubuntu 18.04
On 24/11/2019 12:36, David Masshardt via samba wrote:
> Hi,
>
> I hope someone can help me with the following problem. I followed the following guides to set up samba as an additional active directory server to my windows server with bind9 dns:
>
> https://www.tecmint.com/join-additional-ubuntu-dc-to-samba4-ad-dc-failover-replication/

You shouldn't need to add the first DC's data to /etc/resolv.conf; if you do need to, then your dns is broken. What you should ensure is there is the data for the DC you are joining.

Sorry, but ntpdate is insufficient for time synchronisation between DCs, see here for more info:

https://wiki.samba.org/index.php/Time_Synchronisation

I would also install libpam-krb5

After the join, you need to copy the krb5.conf file created by the join to /etc/krb5.conf, do not symlink it.

At this point, you also need to edit /etc/resolv.conf so that the DC now points to itself as the nameserver, instead of the first DC. You can add the first DC as a secondary nameserver, if you wish, but if the DC goes down, there isn't much point.

> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting
>
> The active directory replication works, but the dns replication does not. When I'm running "samba_dnsupdate --all-names" I get the following output:
>
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> update failed: REFUSED
> ; TSIG error with server: tsig verify failure
> update failed: REFUSED
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> Failed update of 19 entries

This is probably because you are trying to change the second DC's info on the first DC with the wrong ticket

> Here is a list of versions:
>
> Ubuntu: 18.04
> Samba: 4.7.6-Ubuntu

4.7.6 is EOL from Samba's point of view, you can get later versions here: http://apt.van-belle.nl/

> bind9: 9.11.3-1ubuntu1.11-Ubuntu
>
> And this is my smb.conf:
>
> [global]
>         netbios name = DC01
>         realm = DOMAIN.COM
>         server role = active directory domain controller
>         workgroup = DOMAIN.COM

The workgroup CANNOT be the same as the realm

>         dns forwarder = 172.17.1.1
>         idmap_ldb:use rfc2307 = yes
>
>         template shell = /bin/bash
>         winbind use default domain = true

The line above does nothing on a DC

>         winbind offline logon = false

The line above is a default setting and hence isn't required

>         winbind nss info = rfc2307

The line above should only be used on a Unix domain member

>         winbind enum users = yes
>         winbind enum groups = yes

The lines above are not required, they only make 'getent passwd' & 'getent group' work without specifying a user or group name, but they also slow things down.

>         server services = -dns
>
> [netlogon]
>         path = /var/lib/samba/sysvol/domain.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> I'm not really sure if samba is even using bind9. I've enabled the logging of bind9, but I cannot see any logs when running the dns update.

No, you see any logs

> Did I miss a step to activate the bind9 module?

Probably not, but it might help if you post the named.conf files in /etc/bind

Rowland
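As an added illustration of the smb.conf review in the reply above (this is not Samba tooling and not code from either poster), the script below lints the [global] section of an smb.conf for the points raised: workgroup equal to the realm, the internal DNS server not disabled when BIND9_DLZ is the backend, and winbind settings that do nothing on a DC. The sample configs it writes are constructed here; one mirrors the config in the question, the other applies the advice.

```sh
#!/bin/sh
# Added example (not Samba's own tooling): lint the [global] section of an
# smb.conf against the points raised in the reply above. Paths, the sample
# configs and the rule wording are constructed for this illustration.

# smb_param CONF NAME: print the lowercased value of NAME from [global],
# or nothing if the parameter is not set there.
smb_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { section = tolower($0); next }      # track current section
        section ~ /\[global\]/ && index($0, "=") > 0 {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print tolower(v); exit
            }
        }' "$1"
}

# lint_smb_conf CONF: print one line per finding (nothing when clean).
lint_smb_conf() {
    conf="$1"
    realm=$(smb_param "$conf" realm)
    workgroup=$(smb_param "$conf" workgroup)
    # The NetBIOS workgroup must differ from the Kerberos realm.
    if [ -n "$realm" ] && [ "$realm" = "$workgroup" ]; then
        echo "workgroup '$workgroup' must not equal realm '$realm'"
    fi
    # With the BIND9_DLZ backend, Samba's internal DNS server has to be off.
    case "$(smb_param "$conf" "server services")" in
        *-dns*) ;;
        *) echo "server services lacks '-dns'; internal DNS will conflict with BIND9_DLZ" ;;
    esac
    # Settings that do nothing on a DC, are defaults, or belong on a domain member.
    for p in "winbind use default domain" "winbind offline logon" \
             "winbind nss info" "winbind enum users" "winbind enum groups"; do
        if [ -n "$(smb_param "$conf" "$p")" ]; then
            echo "'$p' is not needed on a DC"
        fi
    done
}

# lint_issue_count CONF: number of findings, for scripted checks.
lint_issue_count() {
    echo $(( $(lint_smb_conf "$1" | wc -l) ))
}

# write_sample_conf PATH MODE: 'asposted' mirrors the config in the question,
# 'fixed' applies the advice. Constructed samples, not real hosts.
write_sample_conf() {
    if [ "$2" = asposted ]; then
        cat > "$1" <<'EOF'
[global]
        netbios name = DC01
        realm = DOMAIN.COM
        server role = active directory domain controller
        workgroup = DOMAIN.COM
        dns forwarder = 172.17.1.1
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        server services = -dns

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
EOF
    else
        cat > "$1" <<'EOF'
[global]
        netbios name = DC01
        realm = DOMAIN.COM
        server role = active directory domain controller
        workgroup = DOMAIN
        dns forwarder = 172.17.1.1
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        server services = -dns
EOF
    fi
}

# Stand-alone run: lint both samples.
tmp=$(mktemp)
for mode in asposted fixed; do
    write_sample_conf "$tmp" "$mode"
    echo "== $mode: $(lint_issue_count "$tmp") finding(s)"
    lint_smb_conf "$tmp"
done
rm -f "$tmp"
```

Run it against a real DC with `lint_smb_conf /etc/samba/smb.conf`; it only reads the file, so it is safe to run before `samba_dnsupdate` on a freshly joined DC. Only the [global] section is inspected, because the share sections in the question are fine as posted.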
David Masshardt
2019-Nov-24 15:28 UTC
[Samba] FW: Problems setting up samba bind9_dlz on Ubuntu 18.04
Hi,

thanks for the quick reply. I've now installed libpam-krb5 and copied the krb5.conf to /etc instead of the symlink.

I've also installed the ntp service, but I'm still getting the same errors in the dns replication.

The /etc/resolv.conf is managed by netplan under Ubuntu 18:

nameserver 127.0.0.53
options edns0
search domain.com

I've now changed the nameserver to localhost. This is the netplan yaml config behind this:

network:
  ethernets:
    ens18:
      addresses: ['172.17.2.1/16']
      gateway4: 172.17.1.1
      nameservers:
        addresses: [127.0.0.1]
        search: [domain.com]
  version: 2

And this is the content of the /etc/bind/named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

Any other ideas what could cause this problem?

Regards
David

On 24.11.19, 14:31, "samba on behalf of Rowland penny via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Nov-24 15:33 UTC
[Samba] Problems setting up samba bind9_dlz on Ubuntu 18.04
On 24/11/2019 14:53, David Masshardt wrote:
> Hi,
>
> thanks for the quick reply. I've now installed libpam-krb5 and copied the krb5.conf to /etc instead of the symlink.
>
> I've also installed the ntp service, but I'm still getting the same errors in the dns replication.
>
> The /etc/resolv.conf is managed by netplan under Ubuntu 18:

Perhaps I should have said that Samba has to be authoritative for the dns domain, so you really do not need anything else controlling anything to do with dns.

I tested joining a Ubuntu DC to a domain and I had to do this:

apt install ifupdown
apt purge nplan

Edit /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
        address 192.168.0.243 <-- replace this with your DCS IP
        netmask 255.255.255.0
        gateway 192.168.0.1 <-- replace this with your gateways IP

Replace 'enp0s3' with your interface name.

service systemd-resolved stop
systemctl disable systemd-resolved.service
rm -f /etc/resolv.conf

create new /etc/resolv.conf

search domain.com
nameserver 192.168.0.243 <-- replace this with your DCS IP

edit /etc/hosts

127.0.0.1       localhost
::1             localhost6
192.168.0.243   ubutestdc.domain.com ubutestdc <-- replace this with your DCS data

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

reboot

> nameserver 127.0.0.53
> options edns0
> search domain.com
>
> I've now changed the nameserver to localhost. This is the netplan yaml config behind this:

The 'nameserver' should be the DC's IP, see above

> network:
>   ethernets:
>     ens18:
>       addresses: ['172.17.2.1/16']
>       gateway4: 172.17.1.1
>       nameservers:
>         addresses: [127.0.0.1]
>         search: [domain.com]
>   version: 2
>
> And this is the content of the /etc/bind/named.conf:
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";

I actually wanted to see the contents of the files, especially 'named.conf.options' & 'named.conf.local'

Rowland
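As an added pre-flight check for the two points in the reply above (the DC must resolve via its own address rather than the systemd-resolved stub, and named.conf must pull in the Samba-generated configuration), the script below inspects a resolv.conf and a named.conf and counts what would fail. It is not from the thread or the Samba project; the DC address 172.17.2.1 is taken from the netplan config in the question, and the sample files are constructed here. It also accepts the `/var/lib/samba/bind-dns/named.conf` location that later Samba releases use, which the thread does not mention.

```sh
#!/bin/sh
# Added example (not from the thread or the Samba project): pre-flight checks
# for the resolver and BIND include layout described in the reply above.
# The DC address, file paths and sample files are constructed for illustration.

# first_nameserver FILE: print the first 'nameserver' entry of a resolv.conf.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# check_resolver FILE DC_IP: 0 when the DC resolves via its own address,
# 1 when it points at the systemd-resolved stub, loopback, or another host.
check_resolver() {
    ns=$(first_nameserver "$1")
    case "$ns" in
        "$2")       echo "ok: nameserver is the DC itself ($ns)"; return 0 ;;
        127.0.0.53) echo "bad: nameserver is the systemd-resolved stub; Samba/BIND is bypassed"; return 1 ;;
        127.*|"")   echo "bad: nameserver '$ns' is loopback or missing; use the DC's own IP"; return 1 ;;
        *)          echo "bad: nameserver $ns is another host; the DC must be authoritative for itself"; return 1 ;;
    esac
}

# named_includes_samba NAMED_CONF: 0 when an uncommented include pulls in the
# Samba-generated named.conf (private/ on 4.7, bind-dns/ on later releases).
named_includes_samba() {
    grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*/samba/(private|bind-dns)/named\.conf"[[:space:]]*;' "$1"
}

# preflight_failures DC_IP RESOLV_CONF NAMED_CONF: findings go to stderr,
# the number of failed checks to stdout.
preflight_failures() {
    fails=0
    check_resolver "$2" "$1" >&2 || fails=$((fails + 1))
    if named_includes_samba "$3"; then
        echo "ok: $3 includes the Samba-generated named.conf" >&2
    else
        echo "bad: $3 has no active include of the Samba-generated named.conf" >&2
        fails=$((fails + 1))
    fi
    echo "$fails"
}

# write_samples DIR: constructed resolv.conf/named.conf pairs. 'stub' mirrors
# the netplan-managed state in the question, 'fixed' the layout from the reply.
write_samples() {
    printf 'nameserver 127.0.0.53\noptions edns0\nsearch domain.com\n' > "$1/resolv.stub"
    printf 'search domain.com\nnameserver 172.17.2.1\n' > "$1/resolv.fixed"
    printf '# include "/var/lib/samba/private/named.conf";\n' > "$1/named.missing"
    printf 'include "/etc/bind/named.conf.options";\ninclude "/var/lib/samba/private/named.conf";\n' > "$1/named.fixed"
}

# Stand-alone run over both sample pairs.
d=$(mktemp -d)
write_samples "$d"
echo "as posted: $(preflight_failures 172.17.2.1 "$d/resolv.stub" "$d/named.missing") failed check(s)"
echo "after fix: $(preflight_failures 172.17.2.1 "$d/resolv.fixed" "$d/named.fixed") failed check(s)"
rm -rf "$d"
```

On a real DC the call is `preflight_failures <DC IP> /etc/resolv.conf /etc/bind/named.conf`; a non-zero count is worth clearing before looking at TSIG errors from `samba_dnsupdate`, since an update sent through the wrong resolver never reaches the BIND instance that holds the Samba zones.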
David Masshardt
2019-Nov-24 16:17 UTC
[Samba] Problems setting up samba bind9_dlz on Ubuntu 18.04
Hi,

I guess this solved the problem! I now get no errors when replicating the dns. I also created a test entry on my windows server and it was replicated to the linux server. I will now test if everything still works when the windows server is shut down.

Thanks again for the quick help!

Regards
David

On 24.11.19, 16:36, "samba on behalf of Rowland penny via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote: