samba - Dec 2019 - DNS replication issue

Hello,

We are setting up 2 AD machines:

New machine with subnet 192.168.1.21: Version
4.10.11-SerNet-Debian-10.buster Bind version 9.11.5

Existing machine 1 with subnet 192.168.2.21 Version
4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3

Existing machine 2 with subnet 192.168.3.21? Version
4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3

All with BIND_DLZ backend, same /etc/bind/named.conf.options,
/etc/bind/named.conf.local

This is an extract from /etc/bind/named.conf.options allowing querying:

dnssec-validation no;
?? ?dnssec-enable no;
?? ?dnssec-lookaside no;

?? ?auth-nxdomain no;??? # conform to RFC1035

?? ?allow-recursion { any; };
?? ?allow-query { any; };
?? ?allow-query-cache { any; };


?? ?listen-on-v6 { any; };

The only difference between them is in the file
/var/lib/samba/bind-dbs/named.conf

?[...]

?# For BIND 9.11.x
???? database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";

?# For BIND 9.10.x
??? # database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

# For BIND 9.10.x
??? # database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";


[...]

We created the A and PTR records on the new one and they don?t appear on
the existing ones. If we create them on an existing one instead they
appear on the new one.

Updating an existing machine to debian buster doesn?t help.

Could it be that the versions of bind are different what actually
prevent the new one from being visible i.e. the DNS from
propagating/replicating?

Best regards.

-- 
?forumZFD
Entschieden f?r Frieden|Committed to Peace

Ilias Chasapakis
IT-Systemadministrator

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am K?lner Brett 8 | 50825 K?ln | Germany

Tel 0221 91273233 | Fax 0221 91273299 |
http://www.forumZFD.de

Vorstand nach ? 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht K?ln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX

On 18/12/2019 13:07, Ilias Chasapakis forumZFD via samba
wrote:
> Hello,
>
> We are setting up 2 AD machines:
>
> New machine with subnet 192.168.1.21: Version
> 4.10.11-SerNet-Debian-10.buster Bind version 9.11.5
>
> Existing machine 1 with subnet 192.168.2.21 Version
> 4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3
>
> Existing machine 2 with subnet 192.168.3.21? Version
> 4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3
>
> All with BIND_DLZ backend, same /etc/bind/named.conf.options,
> /etc/bind/named.conf.local
>
> This is an extract from /etc/bind/named.conf.options allowing querying:
Yes, I know you were trying to be brief, but posting extracts of a file 
doesn't really help, can you go here:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Download the script and run it on your new DC, post the output into a 
reply to this post, do not attach it, this list strips attachments. Do 
not post it somewhere on the internet and then post the link, they have 
an habit of disappearing.

Rowland

Hi Rowland,

Thank you for replying. Please find the output here below. Just a
possible tip:

_kerberos._tcp.example.com??? service = 0 100 88 addc-new.example.com.

output is present on the new machine but if we issue a host -t SRV
_kerberos._tcp.example.com on addc2 it does not appear in the list.

Kind regards.

Collected config? --- 2019-12-18-20:30 -----------

Hostname: addc-new
DNS Domain: example.com
FQDN: addc-new.example.com
ipaddress: 192.168.20.22 10.0.103.13

-----------

Kerberos SRV _kerberos._tcp.example.com record verified ok, sample output:
Server:??? ??? 192.168.20.22
Address:??? 192.168.20.22#53

_kerberos._tcp.example.com??? service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com??? service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com??? service = 0 100 88 addc3.example.com.
_kerberos._tcp.example.com??? service = 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com??? service = 0 100 88 addc-sub3.example.com.
_kerberos._tcp.example.com??? service = 0 100 88 addc-new.example.com.
Samba is running as an AD DC

-----------
?????? Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.2 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
??? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
??? inet 127.0.0.1/8 scope host lo
??? inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
??? link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff
??? inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3
??? inet6 fe80::5054:ff:fe86:8aba/64 scope link
3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
??? link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff
??? inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10
??? inet6 fe80::5054:ff:fe43:10d2/64 scope link

-----------
?????? Checking file: /etc/hosts

127.0.0.1??? localhost
192.168.20.22??? addc-new.example.com??? addc-new
#list of heartbeat network hosts
#
10.0.103.11 ctdb1.heartbeat.example??? ctdb1
10.0.103.21 ctdb2.heartbeat.example??? ctdb2
10.0.103.13 ad1.heartbeat.example ad1
10.0.103.42 jumpi.heartbeat.example jumpi
10.0.103.12 gluster1.heartbeat.example gluster1
10.0.103.22 gluster2.heartbeat.example gluster2
10.0.103.23 ad2.heartbeat.example ad2

# The following lines are desirable for IPv6 capable hosts
::1???? localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

?????? Checking file: /etc/resolv.conf

domain example.com
search example.com
nameserver 192.168.20.22

-----------

?????? Checking file: /etc/krb5.conf

[libdefaults]
??? default_realm = example.com
??? dns_lookup_realm = false
??? dns_lookup_kdc = true

-----------

?????? Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:???????? compat winbind
group:????????? compat winbind
shadow:???????? compat
gshadow:??????? files

hosts:????????? files dns
networks:?????? files

protocols:????? db files
services:?????? db files
ethers:???????? db files
rpc:??????????? db files

netgroup:?????? nis

-----------

?????? Checking file: /etc/samba/smb.conf

# Global parameters
[global]
??? netbios name = ADDC-new
??? realm = example.com
??? server role = active directory domain controller
??? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
??? workgroup = ZFD
??? wins support = yes

[netlogon]
??? path = /var/lib/samba/sysvol/example.com/scripts
??? read only = yes

[sysvol]
??? path = /var/lib/samba/sysvol
??? read only = yes

-----------

Detected bind DLZ enabled..
?????? Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------

?????? Checking file: /etc/bind/named.conf.options

options {
??? directory "/var/cache/bind";

??? // If there is a firewall between you and nameservers you want
??? // to talk to, you may need to fix the firewall to allow multiple
??? // ports to talk.? See http://www.kb.cert.org/vuls/id/800113

??? // If your ISP provided one or more IP addresses for stable
??? // nameservers, you probably want to use them as forwarders.?
??? // Uncomment the following block, and insert the addresses replacing
??? // the all-0's placeholder.

??? forwarders {
??? ??? 192.168.20.1;
??? };
??? tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
???
//=======================================================================??? //
If BIND logs error messages about the root key being expired,
??? // you will need to update your keys.? See https://www.isc.org/bind-keys
???
//=======================================================================???
dnssec-validation no;
??? dnssec-enable no;
??? dnssec-lookaside no;

??? auth-nxdomain no;??? # conform to RFC1035

??? allow-recursion { any; };
??? allow-query { any; };
??? allow-query-cache { any; };


??? listen-on-v6 { any; };
};

-----------

?????? Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";

-----------

?????? Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
??? type hint;
??? file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
??? type master;
??? file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
??? type master;
??? file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
??? type master;
??? file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
??? type master;
??? file "/etc/bind/db.255";
};

-----------

Samba DNS zone list:?? 9 zone(s) found

? pszZoneName???????????????? : 40.168.192.in-addr.arpa
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : DomainDnsZones.example.com

? pszZoneName???????????????? : 168.168.192.in-addr.arpa
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : DomainDnsZones.example.com

? pszZoneName???????????????? : 20.168.192.in-addr.arpa
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : DomainDnsZones.example.com

? pszZoneName???????????????? : 50.168.192.in-addr.arpa
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : DomainDnsZones.example.com

? pszZoneName???????????????? : 169.168.192.in-addr.arpa
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : DomainDnsZones.example.com

? pszZoneName???????????????? : 167.168.192.in-addr.arpa
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : DomainDnsZones.example.com

? pszZoneName???????????????? : example.com
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : DomainDnsZones.example.com

? pszZoneName???????????????? : 10.168.192.in-addr.arpa
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : DomainDnsZones.example.com

? pszZoneName???????????????? : _msdcs.example.com
? Flags?????????????????????? : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY
? Version???????????????????? : 50
? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
? pszDpFqdn?????????????????? : ForestDnsZones.example.com

Samba DNS zone list Automated check :
zone : 40.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 168.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 20.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 50.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 169.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 167.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : example.com ok, no Bind flat-files found
-----------
zone : 10.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.example.com ok, no Bind flat-files found
-----------

Installed packages:
ii? bind9??????????????????????????? 1:9.11.5.P4+dfsg-5.1???????
amd64??????? Internet Domain Name Server
ii? bind9-host?????????????????????? 1:9.11.5.P4+dfsg-5.1???????
amd64??????? DNS lookup utility (deprecated)
ii? bind9utils?????????????????????? 1:9.11.5.P4+dfsg-5.1???????
amd64??????? Utilities for BIND
ii? krb5-config????????????????????? 2.6????????????????????????
all????????? Configuration files for Kerberos Version 5
ii? krb5-locales???????????????????? 1.17-3?????????????????????
all????????? internationalization support for MIT Kerberos
ii? libacl1:amd64??????????????????? 2.2.53-4???????????????????
amd64??????? access control list - shared library
ii? libattr1:amd64?????????????????? 1:2.4.48-4?????????????????
amd64??????? extended attribute handling - shared library
ii? libbind9-161:amd64?????????????? 1:9.11.5.P4+dfsg-5.1???????
amd64??????? BIND9 Shared Library used by BIND
ii? libgssapi-krb5-2:amd64?????????? 1.17-3?????????????????????
amd64??????? MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii? libkrb5-26-heimdal:amd64???????? 7.5.0+dfsg-3???????????????
amd64??????? Heimdal Kerberos - libraries
ii? libkrb5-3:amd64????????????????? 1.17-3?????????????????????
amd64??????? MIT Kerberos runtime libraries
ii? libkrb5support0:amd64??????????? 1.17-3?????????????????????
amd64??????? MIT Kerberos runtime libraries - Support library
ii? libwbclient0:amd64?????????????? 99:4.10.11-10??????????????
amd64??????? Glue package for sernet-samba-libs.
ii? sernet-samba???????????????????? 99:4.10.11-10??????????????
amd64??????? SMB/CIFS file, print, and login server for Unix
ii? sernet-samba-ad????????????????? 99:4.10.11-10??????????????
amd64??????? Samba Active Directory Domain Controller
ii? sernet-samba-client????????????? 99:4.10.11-10??????????????
amd64??????? a LanManager-like simple client for Unix
ii? sernet-samba-common????????????? 99:4.10.11-10??????????????
all????????? Samba common files used by both the server and the client
ii? sernet-samba-keyring???????????? 1.8????????????????????????
all????????? GnuPG archive keys of the SerNet Samba archive
ii? sernet-samba-libs:amd64????????? 99:4.10.11-10??????????????
amd64??????? Samba common library files used by both the server and the
client
ii? sernet-samba-libsmbclient0:amd64 99:4.10.11-10??????????????
amd64??????? Shared library that allows applications to talk to SMB servers
ii? sernet-samba-winbind???????????? 99:4.10.11-10??????????????
amd64??????? Samba nameservice integration server

-----------


On 18.12.19 14:20, Rowland penny via samba wrote:
> On 18/12/2019 13:07, Ilias Chasapakis forumZFD via samba wrote:
>> Hello,
>>
>> We are setting up 2 AD machines:
>>
>> New machine with subnet 192.168.1.21: Version
>> 4.10.11-SerNet-Debian-10.buster Bind version 9.11.5
>>
>> Existing machine 1 with subnet 192.168.2.21 Version
>> 4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3
>>
>> Existing machine 2 with subnet 192.168.3.21? Version
>> 4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3
>>
>> All with BIND_DLZ backend, same /etc/bind/named.conf.options,
>> /etc/bind/named.conf.local
>>
>> This is an extract from /etc/bind/named.conf.options allowing querying:
>
> Yes, I know you were trying to be brief, but posting extracts of a
> file doesn't really help, can you go here:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Download the script and run it on your new DC, post the output into a
> reply to this post, do not attach it, this list strips attachments. Do
> not post it somewhere on the internet and then post the link, they
> have an habit of disappearing.
>
> Rowland
>
>
>
-- 
?forumZFD
Entschieden f?r Frieden|Committed to Peace

Ilias Chasapakis
IT-Systemadministrator

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am K?lner Brett 8 | 50825 K?ln | Germany

Tel 0221 91273233 | Fax 0221 91273299 |
http://www.forumZFD.de

Vorstand nach ? 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht K?ln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX