Hi All,

A while ago I replaced a Samba AD on old hardware with another AD on newer hardware. Everything went smoothly, including the demotion of the old AD. However, after I did some cleanup of DNS records and turned off the old hardware, I noticed that there was still an NS record associated with the old AD. So I went to the wiki page https://wiki.samba.org/index.php/DNS_Administration and followed the instructions on how to remove an old NS record:

# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS

So I followed the instructions. Here is the sequence of commands that demonstrates the problem (some of the command responses were redacted to remove unnecessary lines):

> dig nikita.myhome.nurdog.com

;; ANSWER SECTION:
nikita.myhome.nurdog.com.    900    IN    A     192.168.1.11

;; AUTHORITY SECTION:
myhome.nurdog.com.           900    IN    NS    nureyev.myhome.nurdog.com.   <- Old NS
myhome.nurdog.com.           900    IN    NS    nikita.myhome.nurdog.com.

> samba-tool dns delete nureyev.myhome.nurdog.com myhome.nurdog.com @ NS nikita.myhome.nurdog.com
Record deleted successfully

> dig nikita.myhome.nurdog.com

;; ANSWER SECTION:
nikita.myhome.nurdog.com.    900    IN    A     192.168.1.11

;; AUTHORITY SECTION:
myhome.nurdog.com.           900    IN    NS    nikita.myhome.nurdog.com.
myhome.nurdog.com.           900    IN    NS    nureyev.myhome.nurdog.com.

;; ADDITIONAL SECTION:
nureyev.myhome.nurdog.com.   900    IN    A     192.168.1.8

If I try to remove the NS again using the same samba-tool command I receive a python error indicating 9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST'. So why can I not get rid of the NS nikita.myhome.nurdog.com? The hardware that used to run the AD is physically gone. But for some reason it seems that Samba still thinks nikita.myhome.nurdog.com is an NS for the domain; I would love to clean this up. It seems to me that DNS is trying to use nikita first and then nureyev, but nikita shouldn't be there at all.

I am running the Sernet Samba packages 4-11.4-9 on CentOS Linux release 7.7.1908 with bind-9.11.4-9. Are there any suggestions to fix the problem?

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
On 12/22/19 11:20 AM, Paul R. Ganci via samba wrote:
> Hi All,
>
> A while ago I replaced a Samba AD on old hardware with another AD on
> newer hardware. Everything went smoothly including the demotion of the
> old AD. However after I did some cleanup DNS records and turned off
> the old hardware I noticed that there still was an NS record associated
> with the old AD.
> [...]
> It seems to me that DNS is trying to use nikita first and then nureyev
> but nikita shouldn't be there at all. I am running the Sernet Samba
> packages 4-11.4-9 on a CentOS Linux release 7.7.1908 with bind-9.11.4-9,
>
> Are there any suggestions to fix the problem?
>

I noticed something strange when listing all the DNS records (again I removed a lot of unnecessary response):

> samba-tool dns query nureyev.myhome.nurdog.com myhome.nurdog.com @ all
  Name=, Records=5, Children=0
    SOA: serial=362, refresh=900, retry=600, expire=86400, minttl=0, ns=nureyev.myhome.nurdog.com., email=hostmaster.myhome.nurdog.com. (flags=600000f0, serial=362, ttl=3600)
    NS: nureyev.myhome.nurdog.com. (flags=600000f0, serial=278, ttl=900)
    A: 192.168.1.11 (flags=600000f0, serial=278, ttl=900)
    A: 192.168.1.8 (flags=600000f0, serial=278, ttl=900)
    MX: nureyev.myhome.nurdog.com. (10) (flags=600000f0, serial=283, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=ap, Records=1, Children=0

There is that A: 192.168.1.11 (flags=600000f0, serial=278, ttl=900) just under the NS: result. Do I have to delete the A record for 192.168.1.11 to completely remove the reference to nikita? And if I add it back afterwards, will the DNS think it is still an NS for the domain?

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
On 22/12/2019 18:20, Paul R. Ganci via samba wrote:
> Hi All,
>
> A while ago I replaced a Samba AD on old hardware with another AD on
> newer hardware. Everything went smoothly including the demotion of the
> old AD. However after I did some cleanup DNS records and turned off
> the old hardware I noticed that there still was an NS record associated
> with the old AD.
> [...]
> If I try to remove the NS again using the same samba-tool command I
> receive a python error indicating 9701,
> 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST'. So why can I not get rid of
> the NS nikita.myhome.nurdog.com? That hardware that used to run the AD
> is physically gone. But for some reason it seems that Samba still
> thinks nikita.myhome.nurdog.com is an NS for the domain, I would love
> to clean this up.
> [...]
> Are there any suggestions to fix the problem?
>

Cached record somewhere ?

You seem to have done everything correctly.

Rowland
On 12/22/19 12:07 PM, Rowland penny via samba wrote:
>>
>> Are there any suggestions to fix the problem?
>>
> Cached record somewhere ?
>
> You seem to have done everything correctly.
>

Okay, I discovered that any changes to my DNS are not being seen by bind. So exploring the Wiki

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End

I found this entry:

    If you create new DNS records in the directory and are not able to
    resolve them using the nslookup, host or other DNS lookup tools, the
    database hard links can get lost. This happens, for example, if you
    move the databases across mount points.

    To verify that the domain and forest partition as well as the
    metadata.tdb database are hard linked in both directories, run

    # ls -lai /usr/local/samba/private/sam.ldb.d/
    # ls -lai /usr/local/samba/private/dns/sam.ldb.d/

    The same files must have the same inode number in the first column of
    the output in both directories. If they differ, the hard link got
    lost and Samba and BIND use separate database files and thus DNS
    updates in the directory are not resolvable through the BIND DNS
    server.

So I did the procedure on my system and much to my chagrin I found:

> ls -lai /var/lib/samba/private/sam.ldb.d/
total 83720
67868145 drwxr-x--- 2 root named      296 Dec 21 17:54 .
  810580 drwxr-x--- 8 root named     4096 Jan  1 15:31 ..
67868196 -rw------- 1 root root  29609984 Nov  7 09:29 CN=CONFIGURATION,DC=MYHOME,DC=NURDOG,DC=COM.ldb
67868195 -rw------- 1 root root  33222656 Nov  7 09:29 CN=SCHEMA,CN=CONFIGURATION,DC=MYHOME,DC=NURDOG,DC=COM.ldb
67868192 -rw-rw---- 1 root named  6950912 Jan  1 14:30 DC=DOMAINDNSZONES,DC=MYHOME,DC=NURDOG,DC=COM.ldb
67868194 -rw-rw---- 1 root named  4247552 Nov  7 09:29 DC=FORESTDNSZONES,DC=MYHOME,DC=NURDOG,DC=COM.ldb
67868202 -rw------- 1 root root  10862592 Jan  1 15:20 DC=MYHOME,DC=NURDOG,DC=COM.ldb
67868159 -rw-rw---- 1 root named   831488 Jan  1 14:30 metadata.tdb

root at nureyev> ls -lai /var/lib/samba/private/dns/sam.ldb.d/
total 74520
34684505 drwxrwx--- 2 root named      296 Dec 21 17:54 .
  810835 drwxrwx--- 3 root named       38 Dec 21 17:54 ..
34685771 -rw-rw---- 1 root named 27410432 Jan  1 15:04 CN=CONFIGURATION,DC=MYHOME,DC=NURDOG,DC=COM.ldb
34684600 -rw-rw---- 1 root named 32534528 Jan  1 15:04 CN=SCHEMA,CN=CONFIGURATION,DC=MYHOME,DC=NURDOG,DC=COM.ldb
34684570 -rw-rw---- 1 root named  6950912 Jan  1 15:04 DC=DOMAINDNSZONES,DC=MYHOME,DC=NURDOG,DC=COM.ldb
34684597 -rw-rw---- 1 root named  4247552 Jan  1 15:04 DC=FORESTDNSZONES,DC=MYHOME,DC=NURDOG,DC=COM.ldb
34684507 -rw-rw---- 1 root named  4333568 Jan  1 15:04 DC=MYHOME,DC=NURDOG,DC=COM.ldb
34685651 -rw-rw---- 1 root named   831488 Dec  2  2018 metadata.tdb

Unfortunately the inode numbers do not match.

I also found this entry in the Wiki:

    To auto-repair the hard linking, see Reconfiguring the BIND9_DLZ Back End
    <https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End>.

So I ran the auto-repair:

> samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/MYHOME.NURDOG.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-nureyev account already exists
Failed to create link /var/lib/samba/private/dns.keytab -> /var/lib/samba/bind-dns/dns.keytab: No such file or directory
Failed to chown /var/lib/samba/bind-dns to bind gid 25
Failed to chown /var/lib/samba/bind-dns/dns.keytab to bind gid 25
Traceback (most recent call last):
  File "/sbin/samba_upgradedns", line 533, in <module>
    create_dns_dir(logger, paths)
  File "/usr/lib64/python3.6/site-packages/samba/provision/sambadns.py", line 704, in create_dns_dir
    os.mkdir(dns_dir, 0o770)
FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/samba/bind-dns/dns'

I have been running this domain for quite a while and don't quite understand why this problem would occur. What is somewhat strange is the location of certain files. For example, my dns.keytab is located here:

> ls /var/lib/samba/private/dns.keytab
/var/lib/samba/private/dns.keytab

Does anyone have an idea how to fix the problem? Can I just create /var/lib/samba/bind-dns/ and re-run? Suggestions are appreciated. Thanks.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
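The inode comparison from the wiki that Paul did by eye above can be scripted so it can be re-run after every samba_upgradedns, database move or restore. The following is an added example and is not code from this thread or from the Samba project. It assumes only POSIX sh, ls and awk; the default directories are the wiki's /usr/local/samba layout (an assumption), and for the packaged layout in this thread the two /var/lib/samba/private/... directories are passed as arguments. A file that exists in the samba directory but not in the BIND directory is reported as well, since a missing link has the same effect as a broken one: BIND serves from a private copy and directory DNS changes never reach lookups.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: verify that the
# AD database files the BIND9_DLZ module opens under .../private/dns/sam.ldb.d
# are hard links of the ones samba itself writes under .../private/sam.ldb.d,
# i.e. that each pair shares one inode. If they do not, BIND is serving from
# a stale private copy and directory DNS changes never show up in lookups.
#
# Default paths are the Samba wiki's /usr/local/samba layout (an assumption);
# on the packaged layout in this thread pass /var/lib/samba/private/sam.ldb.d
# and /var/lib/samba/private/dns/sam.ldb.d as the two arguments.

# check_dlz_links SAMBA_DIR DNS_DIR
# Prints one line per database file ("ok NAME", "MISMATCH NAME ino1 ino2" or
# "MISSING NAME") and returns 0 when every file is hard-linked, 1 when at
# least one is not, 2 when one of the directories does not exist.
check_dlz_links() {
    samba_dir=${1:-/usr/local/samba/private/sam.ldb.d}
    dns_dir=${2:-/usr/local/samba/private/dns/sam.ldb.d}
    rc=0

    if [ ! -d "$samba_dir" ] || [ ! -d "$dns_dir" ]; then
        echo "check_dlz_links: $samba_dir or $dns_dir does not exist" >&2
        return 2
    fi

    # The partitions are *.ldb files; metadata.tdb must be linked as well.
    for f in "$samba_dir"/*.ldb "$samba_dir"/*.tdb; do
        [ -e "$f" ] || continue            # unmatched glob, nothing to do
        name=$(basename "$f")
        if [ ! -e "$dns_dir/$name" ]; then
            echo "MISSING $name"
            rc=1
            continue
        fi
        # ls -i prints the inode number first; works on GNU and BSD ls.
        ino_samba=$(ls -i "$f" | awk '{print $1}')
        ino_dns=$(ls -i "$dns_dir/$name" | awk '{print $1}')
        if [ "$ino_samba" = "$ino_dns" ]; then
            echo "ok $name"
        else
            echo "MISMATCH $name $ino_samba $ino_dns"
            rc=1
        fi
    done
    return "$rc"
}

# Run the check when executed as a script named check_dlz_links.sh; when the
# file is sourced under another name only the function is defined.
case "${0##*/}" in
    check_dlz_links.sh) check_dlz_links "$@"; exit $? ;;
esac
```

A non-zero exit is the condition the wiki text quoted above describes; the repair it points at is samba_upgradedns --dns-backend=BIND9_DLZ, after which the check should be run again and named restarted. Because hard links cannot span filesystems, the check will also fail permanently if the dns subdirectory has been moved onto a different mount than the rest of private/.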
Hai,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Paul R. Ganci via samba
> Sent: Wednesday 1 January 2020 23:49
> To: samba at lists.samba.org
> Subject: Re: [Samba] Cannot remove old NS record
>
> On 12/22/19 12:07 PM, Rowland penny via samba wrote:
> >>
> >> Are there any suggestions to fix the problem?
> >>
> > Cached record somewhere ?
> >
> > You seem to have done everything correctly.
> >
> Okay I discovered that any changes to my DNS are not being seen by
> bind. So exploring the Wiki
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End
>
> [...]
>
> So I ran the auto-repair
>
> > samba_upgradedns --dns-backend=BIND9_DLZ
> [...]
> Failed to create link /var/lib/samba/private/dns.keytab ->
> /var/lib/samba/bind-dns/dns.keytab: No such file or directory
> Failed to chown /var/lib/samba/bind-dns to bind gid 25
> Failed to chown /var/lib/samba/bind-dns/dns.keytab to bind gid 25
> Traceback (most recent call last):
>   File "/sbin/samba_upgradedns", line 533, in <module>
>     create_dns_dir(logger, paths)
>   File "/usr/lib64/python3.6/site-packages/samba/provision/sambadns.py", line 704, in create_dns_dir
>     os.mkdir(dns_dir, 0o770)
> FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/samba/bind-dns/dns'
>
> I have been running this domain for quite a while and don't quite
> understand why this problem would occur. What is somewhat strange is the
> location of certain files. For example my dns.keytab is located here:
>
> > ls /var/lib/samba/private/dns.keytab
> /var/lib/samba/private/dns.keytab
>
> Does anyone have an idea how to fix the problem? Can I just create
> /var/lib/samba/bind-dns/ and re-run? Suggestions are appreciated. Thanks.

Yes, you can use:

install -d /var/lib/samba/bind-dns/ -o root -g bind -m 770

And rerun it. Just don't forget to adjust the bind config files also.

Greetz,

Louis