Well,

If you are running with bind9_DLZ, you also should enable it.

Based on what I see below, it's not enabled; you installed it, you're not done yet. ;-)
Verify the settings ( debianize the paths )
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

Then it's all done, reboot the server.
Run this script, anonymize it and post the content to the list.

Then I know all I want to know.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Greetz,

Louis

> -----Original message-----
> From: von Obernitz, Daniel
> [mailto:daniel.vonobernitz at uni-greifswald.de]
> Sent: Wednesday 22 April 2020 14:50
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] pad length mismatch error message
>
> Hi Louis,
>
> it happens on the AC-DC nodes on Debian 10, running with
> BIND9_DLZ backend...
>
> dpkg -l |grep bind9
> ii  bind9               1:9.11.5.P4+dfsg-5.1  amd64  Internet Domain Name Server
> ii  bind9-host          1:9.11.5.P4+dfsg-5.1  amd64  DNS lookup utility (deprecated)
> ii  bind9utils          1:9.11.5.P4+dfsg-5.1  amd64  Utilities for BIND
> ii  libbind9-161:amd64  1:9.11.5.P4+dfsg-5.1  amd64  BIND9 Shared Library used by BIND
>
>
> smb.conf:
>
> # Global parameters
> [global]
>         netbios name = DC3
>         realm = AD.EXAMPLE.NET
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = AD
>         interfaces = IP
>         bind interfaces only = yes
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>         log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
>         ldap server require strong auth = no
>         tls verify peer = no_check
>         tls enabled = yes
>         tls keyfile = /path/key.pem
>         tls certfile = /path/fullcert.pem
>         tls cafile = /etc/ssl/certs/ca-certificates.crt
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.example.net/scripts
>         read only = yes
>
>
> Best regards
> Daniel
>
>
> On Wednesday, 22.04.2020 at 14:40, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > It might be handy to tell us a bit more.
> >
> > Like AD-DC or member.
> > content smb.conf ?
> > If AD-DC, are you running with or without bind.
> > with bind? show : dpkg -l |grep bind9
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of von
> > > Obernitz, Daniel via samba
> > > Sent: Wednesday 22 April 2020 14:18
> > > To: samba at lists.samba.org
> > > Subject: [Samba] pad length mismatch error message
> > >
> > > Hi,
> > >
> > > I found the following error message in the log.samba:
> > >
> > > [2020/04/20 16:32:33.168921,  1] ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer)
> > >   ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length mismatch. Calculated 44 got 0
> > >
> > > It happens on all nodes on different times, but unfortunately
> > > I have no specific situation or action which causes this.
> > >
> > > We are currently using Samba version 4.12.1-SerNet-Debian-5.buster.
> > >
> > > Do you have any idea what could cause this so I can try to
> > > replicate it?
> > >
> > > Best regards
> > > Daniel
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba

Hi,

bind9_DLZ is enabled and running, DNS in general is working absolutely fine.

--dns-backend=BIND9_DLZ was used during provision and your collect script also says it's enabled.

Like I said in the other issue, the AC-DC in general is working fine... the posted error message is just something I can't explain, where it comes from...

Best regards
Daniel


-----------

Collected config  --- 2020-04-22-15:15 -----------

Hostname: dc3
DNS Domain: ad.example.de
FQDN: dc3.ad.example.de
ipaddress: XX.XX.XX.53

-----------

Kerberos SRV _kerberos._tcp.ad.example.de record verified ok, sample output:
Server:         XX.XX.XX.53
Address:        XX.XX.XX.53#53

_kerberos._tcp.ad.example.de    service = 0 100 88 dc2.ad.example.de.
_kerberos._tcp.ad.example.de    service = 0 100 88 dc4.ad.example.de.
_kerberos._tcp.ad.example.de    service = 0 100 88 dc3.ad.example.de.
_kerberos._tcp.ad.example.de    service = 0 100 88 dc1.ad.example.de.
Samba is running as an AD DC

-----------
Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.3 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 10:23:4c:7e:05:3f brd ff:ff:ff:ff:ff:ff
    inet XX.XX.XX.53/24 brd XX.XX.XX.255 scope global ens18

-----------
Checking file: /etc/hosts

127.0.0.1       localhost
XX.XX.XX.53     dc3.ad.example.de dc3

# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver XX.XX.XX.53
search ad.example.de

-----------

Checking file: /etc/krb5.conf

[libdefaults]
        default_realm = AD.EXAMPLE.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files
group:          files
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

Checking file: /etc/samba/smb.conf

# Global parameters
[global]
        netbios name = DC3
        realm = AD.EXAMPLE.DE
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = AD
        interfaces = XX.XX.XX.53
        bind interfaces only = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
        ldap server require strong auth = no
        tls verify peer = no_check
        tls enabled = yes
        tls keyfile = /path/key.pem
        tls certfile = /path/fullcert.pem
        tls cafile = /etc/ssl/certs/ca-certificates.crt

[sysvol]
        path = /var/lib/samba/sysvol
        read only = yes

[netlogon]
        path = /var/lib/samba/sysvol/ad.example.de/scripts
        read only = yes

-----------

Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

-----------

Checking file: /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                YY.YY.YY.4; YY.YY.YY.5; // we use the AC-DC-DNS only for AD internal hosts
        };
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

        //=======================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //=======================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};

-----------

Checking file: /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";

-----------

Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

-----------

Samba DNS zone list:   2 zone(s) found

  pszZoneName  : ad.example.de
  Flags        : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType     : DNS_ZONE_TYPE_PRIMARY
  Version      : 50
  dwDpFlags    : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn    : DomainDnsZones.ad.example.de

  pszZoneName  : _msdcs.ad.example.de
  Flags        : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType     : DNS_ZONE_TYPE_PRIMARY
  Version      : 50
  dwDpFlags    : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn    : ForestDnsZones.ad.example.de

Samba DNS zone list Automated check :
zone : ad.example.de ok, no Bind flat-files found
-----------
zone : _msdcs.ad.example.de ok, no Bind flat-files found
-----------

Installed packages:
ii  acl                               2.2.53-4              amd64  access control list - utilities
ii  bind9                             1:9.11.5.P4+dfsg-5.1  amd64  Internet Domain Name Server
ii  bind9-host                        1:9.11.5.P4+dfsg-5.1  amd64  DNS lookup utility (deprecated)
ii  bind9utils                        1:9.11.5.P4+dfsg-5.1  amd64  Utilities for BIND
ii  krb5-config                       2.6                   all    Configuration files for Kerberos Version 5
ii  krb5-locales                      1.17-3                all    internationalization support for MIT Kerberos
ii  libacl1:amd64                     2.2.53-4              amd64  access control list - shared library
ii  libattr1:amd64                    1:2.4.48-4            amd64  extended attribute handling - shared library
ii  libbind9-161:amd64                1:9.11.5.P4+dfsg-5.1  amd64  BIND9 Shared Library used by BIND
ii  libgssapi-krb5-2:amd64            1.17-3                amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.5.0+dfsg-3          amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.17-3                amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.17-3                amd64  MIT Kerberos runtime libraries - Support library
ii  libwbclient0:amd64                99:4.12.1-5           amd64  Glue package for sernet-samba-libs.
ii  sernet-samba                      99:4.12.1-5           amd64  SMB/CIFS file, print, and login server for Unix
ii  sernet-samba-ad                   99:4.12.1-5           amd64  Samba Active Directory Domain Controller
ii  sernet-samba-client               99:4.12.1-5           amd64  a LanManager-like simple client for Unix
ii  sernet-samba-common               99:4.12.1-5           all    Samba common files used by both the server and the client
ii  sernet-samba-keyring              1.9                   all    GnuPG archive keys of the SerNet Samba archive
ii  sernet-samba-libs:amd64           99:4.12.1-5           amd64  Samba common library files used by both the server and the client
ii  sernet-samba-libsmbclient0:amd64  99:4.12.1-5           amd64  Shared library that allows applications to talk to SMB servers
ii  sernet-samba-winbind              99:4.12.1-5           amd64  Samba nameservice integration server

-----------

On Wednesday, 22.04.2020 at 14:56, L.P.H. van Belle via samba wrote:
> Well,
>
> If you are running with bind9_DLZ, you also should enable it.
>
> Based on what I see below, it's not enabled; you installed it, you're not done yet. ;-)
> Verify the settings ( debianize the paths )
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>
> Then it's all done, reboot the server.
> Run this script, anonymize it and post the content to the list.
>
> Then I know all I want to know.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Greetz,
>
> Louis

On 22/04/2020 15:32, von Obernitz, Daniel via samba wrote:
> Hi,
>
> bind9_DLZ is enabled and running, DNS in general is working absolutely fine.
>
> --dns-backend=BIND9_DLZ was used during provision and your collect script also says it's enabled.
>
> Like I said in the other issue, the AC-DC in general is working fine... the posted error message is just something I can't explain, where it comes from...
>

Is the 'attr' package installed ?

Why do you not have a reverse zone ?

Could the padding have anything to do with 'dnssec' ?

This is my 'named.conf.options':

options {
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.8; 127.0.0.1; };
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

Try modifying to your IP's and see if that cures the problem.

Rowland

I see multiple things that are off.. ( see Rowland message also and .. )

Dns https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server
Now look at the example config here and change yours accordingly.

Smb.conf change that or add -dns

server services = -dns

As far as I can see your dns is using samba internal dns.

Greetz,

Louis

> -----Original message-----
> From: von Obernitz, Daniel
> [mailto:daniel.vonobernitz at uni-greifswald.de]
> Sent: Wednesday 22 April 2020 16:33
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] pad length mismatch error message
>
> Hi,
>
> bind9_DLZ is enabled and running, DNS in general is working
> absolutely fine.
>
> --dns-backend=BIND9_DLZ was used during provision and your
> collect script also says it's enabled.
>
> Like I said in the other issue, the AC-DC in general is
> working fine... the posted error message is just something I
> can't explain, where it comes from...
>
> Best regards
> Daniel

On 22/04/2020 16:09, L.P.H. van Belle via samba wrote:
> I see multiple things that are off.. ( see Rowland message also and .. )
>
> Dns https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server
> Now look at the example config here and change yours accordingly.
>
> Smb.conf change that or add -dns
>
> server services = -dns
>
> As far as I can see your dns is using samba internal dns.

No he isn't ;-)

'server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate'

is the same as:

'server services = -dns'

Rowland
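
The equivalence Rowland points out can be checked mechanically before concluding that a DC with BIND9_DLZ is still running Samba's internal DNS server. The script below is an added example, not part of the thread or of Samba's own code; it assumes the default `server services` list documented in smb.conf(5) for Samba 4.x, and the function names and the two short sample configs are hypothetical.

```python
import re

# Default "server services" value as documented in smb.conf(5) for Samba 4.x
# (assumption: it applies to the 4.12.1 build discussed in the thread).
DEFAULT_SERVICES = [
    "s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns",
]


def _norm(name):
    """smb.conf parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def global_param(conf_text, name):
    """Return the last value assigned to `name` in [global], or None."""
    wanted = _norm(name)
    section, value = None, None
    # A trailing backslash continues a parameter on the next line.
    for raw in conf_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if _norm(key) == wanted:
                value = val.strip()
    return value


def effective_services(value, defaults=DEFAULT_SERVICES):
    """Resolve a 'server services' value to the list of services that run.

    A plain list replaces the default; entries prefixed with '+' or '-'
    add to or remove from the default. Mixing both forms is rejected here.
    """
    if value is None:
        return list(defaults)
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    prefixed = [t[0] in "+-" and len(t) > 1 for t in tokens]
    if not any(prefixed):
        return tokens
    if not all(prefixed):
        raise ValueError("mixed plain and +/- entries: %r" % value)
    result = list(defaults)
    for tok in tokens:
        name = tok[1:]
        if tok[0] == "-":
            result = [s for s in result if s != name]
        elif name not in result:
            result.append(name)
    return result


def internal_dns_enabled(conf_text):
    """True if Samba's built-in 'dns' service would start with this config."""
    services = effective_services(global_param(conf_text, "server services"))
    return "dns" in services


# The [global] lines relevant here, taken from the smb.conf posted in the thread.
THREAD_CONF = """\
[global]
        netbios name = DC3
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
"""

# Constructed samples: the short form, and a config with no override at all.
SHORT_CONF = "[global]\n        server services = -dns\n"
DEFAULT_CONF = "[global]\n        netbios name = DC3\n"

if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF),
                        ("-dns", SHORT_CONF),
                        ("default", DEFAULT_CONF)):
        state = "enabled" if internal_dns_enabled(conf) else "disabled"
        print("%-8s internal dns %s" % (label, state))
```

Only the config with no `server services` line at all leaves the internal DNS server enabled, which is the case that conflicts with a BIND9_DLZ backend.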