samba - Mar 2020 - samba_dnsupdate

On 02/03/2020 11:51, Paul Littlefield via samba wrote:
> On 02/03/2020 10:49, Rowland penny via samba wrote:
>> Does your DC have a fixed IP and if not, why not ?
>
> Yes, using netplan in Ubuntu 18.04...
>
> network:
> ? ethernets:
> ??? ens18:
> ????? addresses:
> ????? - 130.130.0.218/16
> ????? gateway4: 130.130.0.1
> ????? nameservers:
> ??????? addresses:
> ??????? - 130.130.0.218
> ??????? - 130.130.0.219
> ??????? search:
> ??????? - mydomain.com
> ????? optional: true
> ? version: 2
Samba runs samba_dnsupgrade on a regular basis, using dns_update_list as 
a template. Amongst the list of dns entries is this:

AAAA ${HOSTNAME}?????????????????????????????????????????? $IP
>
>
>
> It's just happened AGAIN... the main servers A records have gone and 
> replaced by IPv6 ones.
I am unsure why it is doing this, I have never seen this happening, but 
then again I do not use IPv6 or netplan.
>
> I'm using the Samba 4 Internal DNS and ISC DHCP Server and have 
> 'ddns-update-style none;' in the DHCP server config.
>
> Questions...
>
> 1. How do I turn on Samba 4 AD DC logging for DNS updates?
add 'log level = 4' to the smb.conf on the DC
>
> 2. Can I watch for DNS requests in tcpdump?
I do not see why you couldn't.
>
>
> 3. I have another DC which is replicating fine with this DC and after 
> I have REMOVED the AAAA IPv6 entries + ADDED the A records in _either_ 
> DC it lasts for a while then they get removed again!
Fairly sure this is samba_dnsupgrade doing this, but why is another 
question.

Rowland

On 02/03/2020 13:16, Rowland Penny via samba wrote:
> 
> Samba runs samba_dnsupgrade on a regular basis, using dns_update_list as a
template. Amongst the list of dns entries is this:
> 
> AAAA ${HOSTNAME}?????????????????????????????????????????? $IP
> 
Hi Rowland,

Thanks for replying so quickly.

OK, is there a way to pause this process for the purposes of debugging?

Can I change any of these which will not break my AD DC?

allow dns updates = secure only
dns update command = /usr/sbin/samba_dnsupdate

> I am unsure why it is doing this, I have never seen this happening, but
then again I do not use IPv6 or netplan.
OK, so is it safe to (maybe at a future date) turn off IPv6 on Ubuntu and change
to ifupdown if I want to?

> add 'log level = 4' to the smb.conf on the DC
Thanks.

>> 2. Can I watch for DNS requests in tcpdump?
> I do not see why you couldn't.
Done. Here are a few lines of santised output...

13:25:35.264891 IP 130.130.0.252.63006 > 130.130.0.218.53: 29782 update [1a]
[3n] SOA? mydomain.com. (108)
13:25:35.265196 IP 130.130.0.218.53 > 130.130.0.252.63006: 29782 update
Refused- 1/3/0 (Class 254) CNAME V-RDS02.mydomain.com. (108)
13:25:35.274443 IP 130.130.0.252.55001 > 130.130.0.218.53: 64781 update [1a]
[3n] [1au] SOA? mydomain.com. (239)
13:25:35.354349 IP 130.130.0.218.53 > 130.130.0.252.55001: 64781 update 1/3/1
(Class 254) CNAME V-RDS02.mydomain.com. (224)

...what IS that Windows server trying to do?!

> Fairly sure this is samba_dnsupgrade doing this, but why is another
question.
Oooo, goody... I've prompted a head scratching bug finding session!

Joking aside... to be honest, I really wish I didn't have people moaning at
me because they keep getting kicked out of Sage but that's I.T. for you.

I look forward to your replies!

As always... thanks,

:)

Paully

On 02/03/2020 13:16, Rowland penny via samba wrote:
> On 02/03/2020 11:51, Paul Littlefield via samba wrote:
>> On 02/03/2020 10:49, Rowland penny via samba wrote:
>>> Does your DC have a fixed IP and if not, why not ?
>>
>> Yes, using netplan in Ubuntu 18.04...
>>
>> network:
>> ? ethernets:
>> ??? ens18:
>> ????? addresses:
>> ????? - 130.130.0.218/16
>> ????? gateway4: 130.130.0.1
>> ????? nameservers:
>> ??????? addresses:
>> ??????? - 130.130.0.218
>> ??????? - 130.130.0.219
>> ??????? search:
>> ??????? - mydomain.com
>> ????? optional: true
>> ? version: 2
>
> Samba runs samba_dnsupgrade on a regular basis, using dns_update_list 
> as a template. Amongst the list of dns entries is this:
>
> AAAA ${HOSTNAME}?????????????????????????????????????????? $IP
>
>>
>>
>>
>> It's just happened AGAIN... the main servers A records have gone
and
>> replaced by IPv6 ones.
> I am unsure why it is doing this, I have never seen this happening, 
> but then again I do not use IPv6 or netplan.
>>
>> I'm using the Samba 4 Internal DNS and ISC DHCP Server and have 
>> 'ddns-update-style none;' in the DHCP server config.
>>
>> Questions...
>>
>> 1. How do I turn on Samba 4 AD DC logging for DNS updates?
> add 'log level = 4' to the smb.conf on the DC
>>
>> 2. Can I watch for DNS requests in tcpdump?
> I do not see why you couldn't.
>>
>>
>> 3. I have another DC which is replicating fine with this DC and after 
>> I have REMOVED the AAAA IPv6 entries + ADDED the A records in 
>> _either_ DC it lasts for a while then they get removed again!
>
> Fairly sure this is samba_dnsupgrade doing this, but why is another 
> question.
>
> Rowland
>
>
And of course 'samba_dnsupgrade' should have been
'samba_dnsupdate' :-(

Rowland

On 02/03/2020 13:16, Rowland Penny via samba wrote:
> add 'log level = 4' to the smb.conf on the DC
Which file do I look in for DNS logging?

:)

Paully

On 02/03/2020 13:36, Paul Littlefield wrote:
> On 02/03/2020 13:16, Rowland Penny via samba wrote:
>>
>> Samba runs samba_dnsupgrade on a regular basis, using dns_update_list 
>> as a template. Amongst the list of dns entries is this:
>>
>> AAAA ${HOSTNAME}?????????????????????????????????????????? $IP
>>
>
> Hi Rowland,
>
> Can I change any of these which will not break my AD DC?
You could try commenting out the line in
dns_update_list.
> dns update command = /usr/sbin/samba_dnsupdate
Write another script that does nothing and use that instead (just for 
testing) ?
>
> OK, so is it safe to (maybe at a future date) turn off IPv6 on Ubuntu 
> and change to ifupdown if I want to?
Yes, this is what I did when testing Ubuntu 18.04, but perhaps Louis has 
further comments ?
>
> 13:25:35.264891 IP 130.130.0.252.63006 > 130.130.0.218.53: 29782 
> update [1a] [3n] SOA? mydomain.com. (108)
> 13:25:35.265196 IP 130.130.0.218.53 > 130.130.0.252.63006: 29782 
> update Refused- 1/3/0 (Class 254) CNAME V-RDS02.mydomain.com. (108)
> 13:25:35.274443 IP 130.130.0.252.55001 > 130.130.0.218.53: 64781 
> update [1a] [3n] [1au] SOA? mydomain.com. (239)
> 13:25:35.354349 IP 130.130.0.218.53 > 130.130.0.252.55001: 64781 
> update 1/3/1 (Class 254) CNAME V-RDS02.mydomain.com. (224)
>
> ...what IS that Windows server trying to do?!
It looks like it is trying to update its own dns records and if you are 
using dhcp to update the records in AD they shouldn't be.

Rowland

On 02/03/2020 13:56, Paul Littlefield wrote:
> On 02/03/2020 13:16, Rowland Penny via samba wrote:
>> add 'log level = 4' to the smb.conf on the DC
>
> Which file do I look in for DNS logging?
>
> :)
>
> Paully
/var/log/samba/log.samba

Rowland

Guys, what i noticed. 

Look at this. 

Refused- 1/3/0 (Class 254)   ( /24 ) 
Paully used /16 

update 1/3/1 (Class 254) CNAME V-RDS02.mydomain.com 
CNAME ?  

And, if he uses in his example 
samba-tool dns add dc3 mydomain.com V-RDS02 A 130.130.0.252 
A record was used. 

Is resolv.conf checked and it is sure in pointing to the correct DNS of the AD
first?

       addresses:
       - 130.130.0.218/16
       gateway4: 130.130.0.1
       nameservers:
         addresses:
         - 130.130.0.218
         - 130.130.0.219


What are these AD-DC's ? 
         - 130.130.0.218
         - 130.130.0.219


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland penny via samba
> Verzonden: maandag 2 maart 2020 15:17
> Aan: sambalist
> Onderwerp: Re: [Samba] samba_dnsupdate
> 
> On 02/03/2020 13:36, Paul Littlefield wrote:
> > On 02/03/2020 13:16, Rowland Penny via samba wrote:
> >>
> >> Samba runs samba_dnsupgrade on a regular basis, using 
> dns_update_list 
> >> as a template. Amongst the list of dns entries is this:
> >>
> >> AAAA ${HOSTNAME}?????????????????????????????????????????? $IP
> >>
> >
> > Hi Rowland,
> >
> > Can I change any of these which will not break my AD DC?
> You could try commenting out the line in dns_update_list.
> > dns update command = /usr/sbin/samba_dnsupdate
> Write another script that does nothing and use that instead (just for 
> testing) ?
> >
> > OK, so is it safe to (maybe at a future date) turn off IPv6 
> on Ubuntu 
> > and change to ifupdown if I want to?
> Yes, this is what I did when testing Ubuntu 18.04, but 
> perhaps Louis has 
> further comments ?
> >
> > 13:25:35.264891 IP 130.130.0.252.63006 > 130.130.0.218.53: 29782 
> > update [1a] [3n] SOA? mydomain.com. (108)
> > 13:25:35.265196 IP 130.130.0.218.53 > 130.130.0.252.63006: 29782 
> > update Refused- 1/3/0 (Class 254) CNAME V-RDS02.mydomain.com. (108)
> > 13:25:35.274443 IP 130.130.0.252.55001 > 130.130.0.218.53: 64781 
> > update [1a] [3n] [1au] SOA? mydomain.com. (239)
> > 13:25:35.354349 IP 130.130.0.218.53 > 130.130.0.252.55001: 64781 
> > update 1/3/1 (Class 254) CNAME V-RDS02.mydomain.com. (224)
> >
> > ...what IS that Windows server trying to do?!
> It looks like it is trying to update its own dns records and 
> if you are 
> using dhcp to update the records in AD they shouldn't be.
> 
> Rowland
> 
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>