Hi Rowland,
Thank you for replying. Please find the output here below. Just a
possible tip:
_kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.
output is present on the new machine but if we issue a host -t SRV
_kerberos._tcp.example.com on addc2 it does not appear in the list.
Kind regards.
Collected config --- 2019-12-18-20:30 -----------
Hostname: addc-new
DNS Domain: example.com
FQDN: addc-new.example.com
ipaddress: 192.168.20.22 10.0.103.13
-----------
Kerberos SRV _kerberos._tcp.example.com record verified ok, sample output:
Server:    192.168.20.22
Address:   192.168.20.22#53
_kerberos._tcp.example.com service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc3.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc-sub3.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.2 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3
    inet6 fe80::5054:ff:fe86:8aba/64 scope link
3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10
    inet6 fe80::5054:ff:fe43:10d2/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1       localhost
192.168.20.22   addc-new.example.com    addc-new
#list of heartbeat network hosts
#
10.0.103.11 ctdb1.heartbeat.example     ctdb1
10.0.103.21 ctdb2.heartbeat.example     ctdb2
10.0.103.13 ad1.heartbeat.example ad1
10.0.103.42 jumpi.heartbeat.example jumpi
10.0.103.12 gluster1.heartbeat.example gluster1
10.0.103.22 gluster2.heartbeat.example gluster2
10.0.103.23 ad2.heartbeat.example ad2
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain example.com
search example.com
nameserver 192.168.20.22
-----------
Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = example.com
    dns_lookup_realm = false
    dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
    netbios name = ADDC-new
    realm = example.com
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = ZFD
    wins support = yes
[netlogon]
    path = /var/lib/samba/sysvol/example.com/scripts
    read only = yes
[sysvol]
    path = /var/lib/samba/sysvol
    read only = yes
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        192.168.20.1;
    };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    auth-nxdomain no;    # conform to RFC1035
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
    listen-on-v6 { any; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
-----------
Samba DNS zone list:  9 zone(s) found
  pszZoneName                 : 40.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 168.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 20.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 50.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 169.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 167.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 10.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : _msdcs.example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.example.com
Samba DNS zone list Automated check :
zone : 40.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 168.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 20.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 50.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 169.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 167.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : example.com ok, no Bind flat-files found
-----------
zone : 10.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.example.com ok, no Bind flat-files found
-----------
Installed packages:
ii  bind9                             1:9.11.5.P4+dfsg-5.1   amd64  Internet Domain Name Server
ii  bind9-host                        1:9.11.5.P4+dfsg-5.1   amd64  DNS lookup utility (deprecated)
ii  bind9utils                        1:9.11.5.P4+dfsg-5.1   amd64  Utilities for BIND
ii  krb5-config                       2.6                    all    Configuration files for Kerberos Version 5
ii  krb5-locales                      1.17-3                 all    internationalization support for MIT Kerberos
ii  libacl1:amd64                     2.2.53-4               amd64  access control list - shared library
ii  libattr1:amd64                    1:2.4.48-4             amd64  extended attribute handling - shared library
ii  libbind9-161:amd64                1:9.11.5.P4+dfsg-5.1   amd64  BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64            1.17-3                 amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.5.0+dfsg-3           amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.17-3                 amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.17-3                 amd64  MIT Kerberos runtime libraries - Support library
ii  libwbclient0:amd64                99:4.10.11-10          amd64  Glue package for sernet-samba-libs.
ii  sernet-samba                      99:4.10.11-10          amd64  SMB/CIFS file, print, and login server for Unix
ii  sernet-samba-ad                   99:4.10.11-10          amd64  Samba Active Directory Domain Controller
ii  sernet-samba-client               99:4.10.11-10          amd64  a LanManager-like simple client for Unix
ii  sernet-samba-common               99:4.10.11-10          all    Samba common files used by both the server and the client
ii  sernet-samba-keyring              1.8                    all    GnuPG archive keys of the SerNet Samba archive
ii  sernet-samba-libs:amd64           99:4.10.11-10          amd64  Samba common library files used by both the server and the client
ii  sernet-samba-libsmbclient0:amd64  99:4.10.11-10          amd64  Shared library that allows applications to talk to SMB servers
ii  sernet-samba-winbind              99:4.10.11-10          amd64  Samba nameservice integration server
-----------
On 18.12.19 14:20, Rowland penny via samba wrote:
> On 18/12/2019 13:07, Ilias Chasapakis forumZFD via samba wrote:
>> Hello,
>>
>> We are setting up 2 AD machines:
>>
>> New machine with subnet 192.168.1.21: Version
>> 4.10.11-SerNet-Debian-10.buster Bind version 9.11.5
>>
>> Existing machine 1 with subnet 192.168.2.21 Version
>> 4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3
>>
>> Existing machine 2 with subnet 192.168.3.21 Version
>> 4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3
>>
>> All with BIND_DLZ backend, same /etc/bind/named.conf.options,
>> /etc/bind/named.conf.local
>>
>> This is an extract from /etc/bind/named.conf.options allowing querying:
>
> Yes, I know you were trying to be brief, but posting extracts of a
> file doesn't really help, can you go here:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Download the script and run it on your new DC, post the output into a
> reply to this post, do not attach it, this list strips attachments. Do
> not post it somewhere on the internet and then post the link, they
> have a habit of disappearing.
>
> Rowland
--
forumZFD
Entschieden für Frieden|Committed to Peace
Ilias Chasapakis
IT-Systemadministrator
Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany
Tel 0221 91273233 | Fax 0221 91273299 |
http://www.forumZFD.de
Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht Köln
Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
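The symptom reported at the top of this message (the `_kerberos._tcp.example.com` SRV target for addc-new is returned by the new DC but not by addc2) is the kind of replication gap that is easier to track down when every DC's answer set is compared mechanically rather than by eye. The script below is an added example; it is not part of the post and not part of samba-collect-debug-info.sh. It assumes `host(1)` from the bind9-host package for live queries, and it goes slightly beyond the single record in the message: it compares the complete SRV target set in both directions (targets the reference DC knows but a peer lacks, and targets a peer knows but the reference lacks) across any number of DCs. The two sample answers embedded in it are constructed from the output quoted above; the `192.0.2.21` address for addc2 is a placeholder, not the real one.

```shell
#!/bin/sh
# Added example (not from the list post or samba-collect-debug-info.sh):
# compare the _kerberos._tcp SRV answer set returned by each DC so that a DC
# whose DNS partition has not replicated shows up as a list of missing targets.
# Assumes host(1) from bind9-host for the live path; the offline demo uses
# constructed sample answers modelled on the output quoted in the message.

# Reduce raw `host -t SRV` output to one SRV target per line, sorted, unique.
# Only "name service = prio weight port target" lines are kept; the
# Server:/Address: banner and blank lines are dropped.
srv_targets() {
  awk '$2 == "service" { print $NF }' | sort -u
}

# Print targets present in the first answer but absent from the second.
# $1, $2: raw host(1) output captured from two DCs.
srv_missing() {
  second=$(printf '%s\n' "$2" | srv_targets)
  printf '%s\n' "$1" | srv_targets | while IFS= read -r target; do
    printf '%s\n' "$second" | grep -qxF -- "$target" || printf '%s\n' "$target"
  done
}

# Live lookup of the Kerberos SRV record against one DC.
# $1: DNS domain, $2: DC hostname or address to send the query to.
query_srv() {
  host -t SRV "_kerberos._tcp.$1" "$2"
}

# Query a reference DC, then every other DC, and report each peer whose
# target set differs from the reference in either direction.
# Returns 0 when all DCs agree, 1 otherwise, 2 if the reference cannot be queried.
check_all() {
  domain=$1; ref=$2; shift 2
  ref_answer=$(query_srv "$domain" "$ref") || return 2
  rc=0
  for dc in "$@"; do
    answer=$(query_srv "$domain" "$dc") || { echo "query failed on $dc"; rc=1; continue; }
    missing=$(srv_missing "$ref_answer" "$answer")
    extra=$(srv_missing "$answer" "$ref_answer")
    if [ -n "$missing" ]; then
      echo "$dc is missing targets known to $ref:"; echo "$missing"; rc=1
    fi
    if [ -n "$extra" ]; then
      echo "$dc has targets unknown to $ref:"; echo "$extra"; rc=1
    fi
  done
  return $rc
}

# Constructed sample answers modelled on the message: the new DC lists
# itself, addc2 does not yet. 192.0.2.21 is a placeholder address.
ANSWER_NEW='Server:    192.168.20.22
Address:   192.168.20.22#53

_kerberos._tcp.example.com service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc3.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc-sub3.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc-new.example.com.'

ANSWER_ADDC2='Server:    192.0.2.21
Address:   192.0.2.21#53

_kerberos._tcp.example.com service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc3.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com service = 0 100 88 addc-sub3.example.com.'

# --demo diffs the constructed answers offline; --live DOMAIN REF DC... queries real DCs.
case "${1:-}" in
  --demo) srv_missing "$ANSWER_NEW" "$ANSWER_ADDC2" ;;   # prints addc-new.example.com.
  --live) shift; check_all "$@" ;;
esac
```

Run it as `sh srvcheck.sh --demo` to see the offline diff, or `sh srvcheck.sh --live example.com addc-new addc2 addc3` to compare live answers from each DC, using the DC that most recently joined as the reference; a non-zero exit means at least one DC answers with a different target set, which is the thing to chase before looking at BIND configuration.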