Hi Rowland,

Thank you for replying. Please find the output here below. Just a possible tip:

_kerberos._tcp.example.com   service = 0 100 88 addc-new.example.com.

output is present on the new machine but if we issue a host -t SRV _kerberos._tcp.example.com on addc2 it does not appear in the list.

Kind regards.

Collected config  --- 2019-12-18-20:30 -----------

Hostname: addc-new
DNS Domain: example.com
FQDN: addc-new.example.com
ipaddress: 192.168.20.22 10.0.103.13

-----------

Kerberos SRV _kerberos._tcp.example.com record verified ok, sample output:
Server:         192.168.20.22
Address:        192.168.20.22#53

_kerberos._tcp.example.com   service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com   service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com   service = 0 100 88 addc3.example.com.
_kerberos._tcp.example.com   service = 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com   service = 0 100 88 addc-sub3.example.com.
_kerberos._tcp.example.com   service = 0 100 88 addc-new.example.com.
Samba is running as an AD DC

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 10.2 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3
    inet6 fe80::5054:ff:fe86:8aba/64 scope link
3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10
    inet6 fe80::5054:ff:fe43:10d2/64 scope link

-----------
       Checking file: /etc/hosts

127.0.0.1       localhost
192.168.20.22   addc-new.example.com    addc-new
#list of heartbeat network hosts
#
10.0.103.11 ctdb1.heartbeat.example     ctdb1
10.0.103.21 ctdb2.heartbeat.example     ctdb2
10.0.103.13 ad1.heartbeat.example ad1
10.0.103.42 jumpi.heartbeat.example jumpi
10.0.103.12 gluster1.heartbeat.example gluster1
10.0.103.22 gluster2.heartbeat.example gluster2
10.0.103.23 ad2.heartbeat.example ad2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------
       Checking file: /etc/resolv.conf

domain example.com
search example.com
nameserver 192.168.20.22

-----------
       Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = example.com
    dns_lookup_realm = false
    dns_lookup_kdc = true

-----------
       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
       Checking file: /etc/samba/smb.conf

# Global parameters
[global]
    netbios name = ADDC-new
    realm = example.com
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = ZFD
    wins support = yes

[netlogon]
    path = /var/lib/samba/sysvol/example.com/scripts
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = yes

-----------
Detected bind DLZ enabled..
       Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------
       Checking file: /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        192.168.20.1;
    };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    //=======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //=======================================================================
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;

    auth-nxdomain no;    # conform to RFC1035

    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };

    listen-on-v6 { any; };
};

-----------
       Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";

-----------
       Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

-----------
Samba DNS zone list:  9 zone(s) found
  pszZoneName                 : 40.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 168.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 20.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 50.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 169.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 167.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : 10.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.example.com
  pszZoneName                 : _msdcs.example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.example.com

Samba DNS zone list Automated check :
zone : 40.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 168.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 20.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 50.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 169.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : 167.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : example.com ok, no Bind flat-files found
-----------
zone : 10.168.192.in-addr.arpa ok, no Bind flat-files found
-----------
zone : _msdcs.example.com ok, no Bind flat-files found
-----------

Installed packages:
ii  bind9                              1:9.11.5.P4+dfsg-5.1   amd64   Internet Domain Name Server
ii  bind9-host                         1:9.11.5.P4+dfsg-5.1   amd64   DNS lookup utility (deprecated)
ii  bind9utils                         1:9.11.5.P4+dfsg-5.1   amd64   Utilities for BIND
ii  krb5-config                        2.6                    all     Configuration files for Kerberos Version 5
ii  krb5-locales                       1.17-3                 all     internationalization support for MIT Kerberos
ii  libacl1:amd64                      2.2.53-4               amd64   access control list - shared library
ii  libattr1:amd64                     1:2.4.48-4             amd64   extended attribute handling - shared library
ii  libbind9-161:amd64                 1:9.11.5.P4+dfsg-5.1   amd64   BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64             1.17-3                 amd64   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64           7.5.0+dfsg-3           amd64   Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                    1.17-3                 amd64   MIT Kerberos runtime libraries
ii  libkrb5support0:amd64              1.17-3                 amd64   MIT Kerberos runtime libraries - Support library
ii  libwbclient0:amd64                 99:4.10.11-10          amd64   Glue package for sernet-samba-libs.
ii  sernet-samba                       99:4.10.11-10          amd64   SMB/CIFS file, print, and login server for Unix
ii  sernet-samba-ad                    99:4.10.11-10          amd64   Samba Active Directory Domain Controller
ii  sernet-samba-client                99:4.10.11-10          amd64   a LanManager-like simple client for Unix
ii  sernet-samba-common                99:4.10.11-10          all     Samba common files used by both the server and the client
ii  sernet-samba-keyring               1.8                    all     GnuPG archive keys of the SerNet Samba archive
ii  sernet-samba-libs:amd64            99:4.10.11-10          amd64   Samba common library files used by both the server and the client
ii  sernet-samba-libsmbclient0:amd64   99:4.10.11-10          amd64   Shared library that allows applications to talk to SMB servers
ii  sernet-samba-winbind               99:4.10.11-10          amd64   Samba nameservice integration server

-----------

On 18.12.19 14:20, Rowland penny via samba wrote:
> On 18/12/2019 13:07, Ilias Chasapakis forumZFD via samba wrote:
>> Hello,
>>
>> We are setting up 2 AD machines:
>>
>> New machine with subnet 192.168.1.21: Version 4.10.11-SerNet-Debian-10.buster Bind version 9.11.5
>>
>> Existing machine 1 with subnet 192.168.2.21 Version 4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3
>>
>> Existing machine 2 with subnet 192.168.3.21 Version 4.10.11-SerNet-Debian-10.stretch Bind version 9.10.3
>>
>> All with BIND_DLZ backend, same /etc/bind/named.conf.options, /etc/bind/named.conf.local
>>
>> This is an extract from /etc/bind/named.conf.options allowing querying:
>
> Yes, I know you were trying to be brief, but posting extracts of a file doesn't really help, can you go here:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Download the script and run it on your new DC, post the output into a reply to this post, do not attach it, this list strips attachments. Do not post it somewhere on the internet and then post the link, they have a habit of disappearing.
>
> Rowland
>
>

--
forumZFD
Entschieden für Frieden|Committed to Peace

Ilias Chasapakis
IT Systems Administrator

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany

Tel 0221 91273233 | Fax 0221 91273299 | http://www.forumZFD.de

Executive Board per § 26 BGB, each authorised to represent individually:
Oliver Knabe (Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz

VR 17651 Amtsgericht Köln
Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
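An added check for the discrepancy described above (example script, not from the thread or from the debug-info script): it takes the Kerberos SRV answer from two DCs, as host -t SRV or nslookup print it, and lists the targets one DC advertises but the other does not, which is exactly what a DNS replication gap between DCs looks like from the outside. The sample answers are constructed; the host commands in the comment assume both DCs are reachable from where the script runs.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the Kerberos SRV target set
# advertised by two DCs and report targets that one DC returns but the other
# does not. Accepts either 'host -t SRV' lines ("... has SRV record 0 100 88 host.")
# or nslookup lines ("... service = 0 100 88 host."), as both formats appear in
# the thread.

# srv_targets: read lookup output on stdin, print the sorted, de-duplicated
# target host names with the trailing dot removed (one per line).
srv_targets() {
    awk '/ has SRV record | service = / { t = $NF; sub(/\.$/, "", t); print t }' \
        | LC_ALL=C sort -u
}

# srv_missing REF_OUTPUT OTHER_OUTPUT: print targets present in REF_OUTPUT's
# SRV answer but absent from OTHER_OUTPUT's answer. Empty output means the
# OTHER DC knows every target the REF DC knows.
srv_missing() {
    ref=$(mktemp) && oth=$(mktemp) || return 2
    printf '%s\n' "$1" | srv_targets > "$ref"
    printf '%s\n' "$2" | srv_targets > "$oth"
    LC_ALL=C comm -23 "$ref" "$oth"
    rm -f "$ref" "$oth"
}

# Constructed sample answers modelled on the thread: the new DC lists itself,
# while addc2 still answers with the pre-existing set only.
NEW_DC_ANSWER='Server:         192.168.20.22
Address:        192.168.20.22#53

_kerberos._tcp.example.com   service = 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com   service = 0 100 88 addc2.example.com.
_kerberos._tcp.example.com   service = 0 100 88 addc3.example.com.
_kerberos._tcp.example.com   service = 0 100 88 addc-new.example.com.'

ADDC2_ANSWER='_kerberos._tcp.example.com has SRV record 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc2.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc3.example.com.'

# Live use (assumes host(1) is installed and both DCs answer on port 53;
# <addc2-ip> is a placeholder for the second DC's address):
#   srv_missing "$(host -t SRV _kerberos._tcp.example.com 192.168.20.22)" \
#               "$(host -t SRV _kerberos._tcp.example.com <addc2-ip>)"
srv_missing "$NEW_DC_ANSWER" "$ADDC2_ANSWER"
```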
On 18/12/2019 14:07, Ilias Chasapakis forumZFD via samba wrote:
> Hi Rowland,
>
> Thank you for replying. Please find the output here below. Just a
> possible tip:
>
> _kerberos._tcp.example.com   service = 0 100 88 addc-new.example.com.
>
> output is present on the new machine but if we issue a host -t SRV
> _kerberos._tcp.example.com on addc2 it does not appear in the list.
>
> Kind regards.
>
> Collected config  --- 2019-12-18-20:30 -----------
>
> Hostname: addc-new
> DNS Domain: example.com
> FQDN: addc-new.example.com
> ipaddress: 192.168.20.22 10.0.103.13
>
> -----------
>
> Kerberos SRV _kerberos._tcp.example.com record verified ok, sample output:
> Server:         192.168.20.22
> Address:        192.168.20.22#53
>
> _kerberos._tcp.example.com   service = 0 100 88 addc-sub1.example.com.
> _kerberos._tcp.example.com   service = 0 100 88 addc2.example.com.
> _kerberos._tcp.example.com   service = 0 100 88 addc3.example.com.
> _kerberos._tcp.example.com   service = 0 100 88 addc-sub2.example.com.
> _kerberos._tcp.example.com   service = 0 100 88 addc-sub3.example.com.
> _kerberos._tcp.example.com   service = 0 100 88 addc-new.example.com.
> Samba is running as an AD DC
>
> -----------
>        Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.2 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>     link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff
>     inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3
>     inet6 fe80::5054:ff:fe86:8aba/64 scope link
> 3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>     link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10
>     inet6 fe80::5054:ff:fe43:10d2/64 scope link
>
> -----------
>        Checking file: /etc/hosts
>
> 127.0.0.1       localhost
> 192.168.20.22   addc-new.example.com    addc-new
> #list of heartbeat network hosts
> #
> 10.0.103.11 ctdb1.heartbeat.example     ctdb1
> 10.0.103.21 ctdb2.heartbeat.example     ctdb2
> 10.0.103.13 ad1.heartbeat.example ad1
> 10.0.103.42 jumpi.heartbeat.example jumpi
> 10.0.103.12 gluster1.heartbeat.example gluster1
> 10.0.103.22 gluster2.heartbeat.example gluster2
> 10.0.103.23 ad2.heartbeat.example ad2

I would remove all the heartbeat hosts from /etc/hosts, they shouldn't be there and CTDB and AD DC are incompatible.

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
>        Checking file: /etc/resolv.conf
>
> domain example.com
> search example.com
> nameserver 192.168.20.22
>
> -----------
>
>        Checking file: /etc/krb5.conf
>
> [libdefaults]
>     default_realm = example.com

The realm 'example.com' should be in uppercase 'EXAMPLE.COM'

>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> -----------
>
>        Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
>        Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
>     netbios name = ADDC-new
>     realm = example.com
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = ZFD
>     wins support = yes

'wins support' on an AD DC ????

>
> [netlogon]
>     path = /var/lib/samba/sysvol/example.com/scripts
>     read only = yes
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = yes
>
> -----------
>
> Detected bind DLZ enabled..
>        Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> -----------
>
>        Checking file: /etc/bind/named.conf.options
>
> options {
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     forwarders {
>         192.168.20.1;
>     };
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
>     //=======================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys.  See https://www.isc.org/bind-keys
>     //=======================================================================
>     dnssec-validation no;
>     dnssec-enable no;
>     dnssec-lookaside no;
>
>     auth-nxdomain no;    # conform to RFC1035
>
>     allow-recursion { any; };
>     allow-query { any; };
>     allow-query-cache { any; };
>
>
>     listen-on-v6 { any; };
> };

I would add these to named.conf.options:

    notify no;
    empty-zones-enable no;
    allow-transfer { none; };
    listen-on port 53 { any; };

Also, I think you will find the dns.keytab here:

/var/lib/samba/bind-dns/dns.keytab

Rowland
And that keytab file Rowland pointed to will most probably fix the replication problem.

And as Rowland pointed out,
> I would remove all the heartbeat hosts from /etc/hosts, they
> shouldn't be there and CTDB and AD DC are incompatible.

If your DNS/resolving setup is correct, this should be in the dns.

Also,
>     auth-nxdomain yes;   # Your AD-DC DNS is the Authoritative server of your domain. So set it to yes.

Last, your package list is missing acl xattr, you need these for your AD-DC (obligated), but unrelated to the DNS replication problems.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Wednesday 18 December 2019 15:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] DNS replication issue
Hi Rowland,

thanks for the tip. We modified configuration files as suggested, without a result. On the working machines we actually have a /var/lib/samba/bind-dns/dns.keytab but not on the failing one. On the working one, in /etc/bind/named.conf.options, the /var/lib/samba/private/dns.keytab is referenced.

We also obtain the following error when issuing systemctl status sernet-samba-ad:

Dec 18 23:03:24 addc-new samba[494]:   /usr/sbin/samba_kcc: RuntimeError: (12, 'Allocation Error')

Kind regards.

Ilias

root at addc-new:/var/lib/samba# systemctl status sernet-samba-ad
● sernet-samba-ad.service - LSB: initscript for the SAMBA AD services
   Loaded: loaded (/etc/init.d/sernet-samba-ad; generated)
   Active: active (running) since Wed 2019-12-18 22:38:07 +07; 26min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 428 ExecStart=/etc/init.d/sernet-samba-ad start (code=exited, status=0/SUCCESS)
    Tasks: 23 (limit: 4701)
   Memory: 179.8M
   CGroup: /system.slice/sernet-samba-ad.service
           ├─470 /usr/sbin/samba -D
           ├─480 /usr/sbin/samba -D
           ├─481 /usr/sbin/samba -D
           ├─482 /usr/sbin/samba -D
           ├─483 /usr/sbin/samba -D
           ├─484 /usr/sbin/samba -D
           ├─485 /usr/sbin/samba -D
           ├─486 /usr/sbin/samba -D
           ├─487 /usr/sbin/samba -D
           ├─488 /usr/sbin/samba -D
           ├─489 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─490 /usr/sbin/samba -D
           ├─491 /usr/sbin/samba -D
           ├─492 /usr/sbin/samba -D
           ├─493 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─494 /usr/sbin/samba -D
           ├─495 /usr/sbin/samba -D
           ├─503 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─504 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─505 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─506 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─507 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           └─508 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.304371,  0] ../../lib/util/util_runcmd.c:327(
Dec 18 23:03:24 addc-new samba[494]:   /usr/sbin/samba_kcc:     self.schedule = ndr_unpack(drsblobs.sch
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.304607,  0] ../../lib/util/util_runcmd.c:327(
Dec 18 23:03:24 addc-new samba[494]:   /usr/sbin/samba_kcc:   File "/usr/lib/python2.7/dist-packages/sa
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.304841,  0] ../../lib/util/util_runcmd.c:327(
Dec 18 23:03:24 addc-new samba[494]:   /usr/sbin/samba_kcc:     ndr_unpack(data, allow_remaining=allow_
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.305101,  0] ../../lib/util/util_runcmd.c:327(
Dec 18 23:03:24 addc-new samba[494]:   /usr/sbin/samba_kcc: RuntimeError: (12, 'Allocation Error')
Dec 18 23:03:24 addc-new samba[494]: [2019/12/18 23:03:24.316847,  0] ../../source4/dsdb/kcc/kcc_period
Dec 18 23:03:24 addc-new samba[494]:   ../../source4/dsdb/kcc/kcc_periodic.c:768: Failed samba_kcc - NT

On 18.12.19 15:31, Rowland penny via samba wrote:
--- 2019-12-18-20:30 ----------- >> >> Hostname: addc-new >> DNS Domain: example.com >> FQDN: addc-new.example.com >> ipaddress: 192.168.20.22 10.0.103.13 >> >> ----------- >> >> Kerberos SRV _kerberos._tcp.example.com record verified ok, sample >> output: >> Server:??? ??? 192.168.20.22 >> Address:??? 192.168.20.22#53 >> >> _kerberos._tcp.example.com??? service = 0 100 88 addc-sub1.example.com. >> _kerberos._tcp.example.com??? service = 0 100 88 addc2.example.com. >> _kerberos._tcp.example.com??? service = 0 100 88 addc3.example.com. >> _kerberos._tcp.example.com??? service = 0 100 88 addc-sub2.example.com. >> _kerberos._tcp.example.com??? service = 0 100 88 addc-sub3.example.com. >> _kerberos._tcp.example.com??? service = 0 100 88 addc-new.example.com. >> Samba is running as an AD DC >> >> ----------- >> ??????? Checking file: /etc/os-release >> >> PRETTY_NAME="Debian GNU/Linux 10 (buster)" >> NAME="Debian GNU/Linux" >> VERSION_ID="10" >> VERSION="10 (buster)" >> VERSION_CODENAME=buster >> ID=debian >> HOME_URL="https://www.debian.org/" >> SUPPORT_URL="https://www.debian.org/support" >> BUG_REPORT_URL="https://bugs.debian.org/" >> >> ----------- >> >> >> This computer is running Debian 10.2 x86_64 >> >> ----------- >> running command : ip a >> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN >> group default qlen 1000 >> ???? link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 >> ???? inet 127.0.0.1/8 scope host lo >> ???? inet6 ::1/128 scope host >> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast >> state UP group default qlen 1000 >> ???? link/ether 52:54:00:86:8a:ba brd ff:ff:ff:ff:ff:ff >> ???? inet 192.168.20.22/24 brd 192.168.20.255 scope global ens3 >> ???? inet6 fe80::5054:ff:fe86:8aba/64 scope link >> 3: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast >> state UP group default qlen 1000 >> ???? link/ether 52:54:00:43:10:d2 brd ff:ff:ff:ff:ff:ff >> ???? 
inet 10.0.103.13/24 brd 10.0.103.255 scope global ens10 >> ???? inet6 fe80::5054:ff:fe43:10d2/64 scope link >> >> ----------- >> ??????? Checking file: /etc/hosts >> >> 127.0.0.1??? localhost >> 192.168.20.22??? addc-new.example.com??? addc-new >> #list of heartbeat network hosts >> # >> 10.0.103.11 ctdb1.heartbeat.example??? ctdb1 >> 10.0.103.21 ctdb2.heartbeat.example??? ctdb2 >> 10.0.103.13 ad1.heartbeat.example ad1 >> 10.0.103.42 jumpi.heartbeat.example jumpi >> 10.0.103.12 gluster1.heartbeat.example gluster1 >> 10.0.103.22 gluster2.heartbeat.example gluster2 >> 10.0.103.23 ad2.heartbeat.example ad2 > I would remove all the heartbeat hosts from /etc/hosts, they shouldn't > be there and CTDB and AD DC are incompatible. >> >> # The following lines are desirable for IPv6 capable hosts >> ::1???? localhost ip6-localhost ip6-loopback >> ff02::1 ip6-allnodes >> ff02::2 ip6-allrouters >> >> ----------- >> >> ??????? Checking file: /etc/resolv.conf >> >> domain example.com >> search example.com >> nameserver 192.168.20.22 >> >> ----------- >> >> ??????? Checking file: /etc/krb5.conf >> >> [libdefaults] >> ???? default_realm = example.com > The realm 'example.com' should be in uppercase 'EXAMPLE.COM' >> ???? dns_lookup_realm = false >> ???? dns_lookup_kdc = true >> >> ----------- >> >> ??????? Checking file: /etc/nsswitch.conf >> >> # /etc/nsswitch.conf >> # >> # Example configuration of GNU Name Service Switch functionality. >> # If you have the `glibc-doc-reference' and `info' packages >> installed, try: >> # `info libc "Name Service Switch"' for information about this file. >> >> passwd:???????? compat winbind >> group:????????? compat winbind >> shadow:???????? compat >> gshadow:??????? files >> >> hosts:????????? files dns >> networks:?????? files >> >> protocols:????? db files >> services:?????? db files >> ethers:???????? db files >> rpc:??????????? db files >> >> netgroup:?????? nis >> >> ----------- >> >> ??????? 
Checking file: /etc/samba/smb.conf >> >> # Global parameters >> [global] >> ???? netbios name = ADDC-new >> ???? realm = example.com >> ???? server role = active directory domain controller >> ???? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, >> winbindd, ntp_signd, kcc, dnsupdate >> ???? workgroup = ZFD >> ???? wins support = yes > 'wins support' on an AD DC ???? >> >> [netlogon] >> ???? path = /var/lib/samba/sysvol/example.com/scripts >> ???? read only = yes >> >> [sysvol] >> ???? path = /var/lib/samba/sysvol >> ???? read only = yes >> >> ----------- >> >> Detected bind DLZ enabled.. >> ??????? Checking file: /etc/bind/named.conf >> >> // This is the primary configuration file for the BIND DNS server named. >> // >> // Please read /usr/share/doc/bind9/README.Debian.gz for information >> on the >> // structure of BIND configuration files in Debian, *BEFORE* you >> customize >> // this configuration file. >> // >> // If you are just adding zones, please do that in >> /etc/bind/named.conf.local >> >> include "/etc/bind/named.conf.options"; >> include "/etc/bind/named.conf.local"; >> include "/etc/bind/named.conf.default-zones"; >> >> ----------- >> >> ??????? Checking file: /etc/bind/named.conf.options >> >> options { >> ???? directory "/var/cache/bind"; >> >> ???? // If there is a firewall between you and nameservers you want >> ???? // to talk to, you may need to fix the firewall to allow multiple >> ???? // ports to talk.? See http://www.kb.cert.org/vuls/id/800113 >> >> ???? // If your ISP provided one or more IP addresses for stable >> ???? // nameservers, you probably want to use them as forwarders. >> ???? // Uncomment the following block, and insert the addresses >> replacing >> ???? // the all-0's placeholder. >> >> ???? forwarders { >> ???? ??? 192.168.20.1; >> ???? }; >> ???? tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; >> ??? >> //=======================================================================>> ???? 
// If BIND logs error messages about the root key being expired, >> ???? // you will need to update your keys.? See >> https://www.isc.org/bind-keys >> ??? >> //=======================================================================>> ???? dnssec-validation no; >> ???? dnssec-enable no; >> ???? dnssec-lookaside no; >> >> ???? auth-nxdomain no;??? # conform to RFC1035 >> >> ???? allow-recursion { any; }; >> ???? allow-query { any; }; >> ???? allow-query-cache { any; }; >> >> >> ???? listen-on-v6 { any; }; >> }; > > I would add these to named.conf.options: > > ??? notify no; > ??? empty-zones-enable no; > ??? allow-transfer { none; }; > ??? listen-on port 53 { any; }; > > Also, I think you will find the dns.keytab here: > > /var/lib/samba/bind-dns/dns.keytab > > Rowland > > >-- ?forumZFD Entschieden f?r Frieden|Committed to Peace Ilias Chasapakis IT-Systemadministrator Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service Am K?lner Brett 8 | 50825 K?ln | Germany Tel 0221 91273233 | Fax 0221 91273299 | http://www.forumZFD.de Vorstand nach ? 26 BGB, einzelvertretungsberechtigt|Executive Board: Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz VR 17651 Amtsgericht K?ln Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
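The symptom Ilias describes in the quoted message (the _kerberos._tcp SRV record for addc-new shows up when the new DC's own DNS is asked but not when addc2 is asked) is the kind of thing worth checking across every DC at once, because a client that happens to use addc2 for DNS will never be told about the new KDC. With BIND9_DLZ the zone data is stored in the AD directory and replicated with it, so a record present on one DC and absent on another is a directory-replication symptom rather than a zone-transfer one (allow-transfer { none; } is expected on a DC). The following added example, which is not code from the thread or from Samba, parses `host -t SRV` output (and the nslookup-style "service =" lines shown above), takes the union of all servers' answers and reports per server which targets are missing. ANSWERS is constructed to mirror the thread: the new DC lists six KDCs, addc2 lacks addc-new; query_srv is for live use and assumes the `host` utility is installed.

```python
"""Compare the SRV answers different DCs' DNS servers give for one name.

Added example, not code from the thread or from Samba. ANSWERS is a
constructed stand-in for the output of `host -t SRV` against each DC.
"""
import re
import subprocess

# Matches both `host -t SRV` lines ("... has SRV record 0 100 88 target.")
# and nslookup lines ("... service = 0 100 88 target.") as shown in the thread.
SRV_RE = re.compile(
    r"^(?P<name>\S+?)\.?\s+(?:has SRV record|service =)\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)

# Constructed: what each DC's DNS answered for _kerberos._tcp.example.com.
ANSWERS = {
    "addc-new": """\
_kerberos._tcp.example.com has SRV record 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc2.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc3.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc-sub3.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc-new.example.com.
""",
    "addc2": """\
_kerberos._tcp.example.com has SRV record 0 100 88 addc-sub1.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc2.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc3.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc-sub2.example.com.
_kerberos._tcp.example.com has SRV record 0 100 88 addc-sub3.example.com.
""",
}


def parse_srv(output: str) -> set:
    """Return {(priority, weight, port, target)} parsed from host/nslookup output."""
    records = set()
    for line in output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.add((int(m["prio"]), int(m["weight"]), int(m["port"]),
                         m["target"].lower()))
    return records


def missing_per_server(answers: dict) -> dict:
    """Map server -> set of targets it did not return although another server did."""
    parsed = {srv: parse_srv(out) for srv, out in answers.items()}
    union = set().union(*parsed.values())
    gaps = {}
    for srv, recs in parsed.items():
        absent = {target for (_, _, _, target) in union - recs}
        if absent:
            gaps[srv] = absent
    return gaps


def query_srv(name: str, server: str) -> str:
    """Live lookup for real use: ask one DC's resolver directly (assumes `host` is installed)."""
    return subprocess.run(["host", "-t", "SRV", name, server],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # For a live run, build the dict with query_srv() per DC instead of ANSWERS,
    # e.g. {dc: query_srv("_kerberos._tcp.example.com", dc) for dc in dcs}.
    for srv, absent in missing_per_server(ANSWERS).items():
        print(f"{srv}: missing {', '.join(sorted(absent))}")
```

On the constructed data it prints `addc2: missing addc-new.example.com`, which is exactly the discrepancy reported in the thread; running it against every DC in the domain shows whether the gap is confined to one replication partner or is domain-wide.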