Well, If you running with bind9_DLZ, you also should enable it. Based on what i see below, its not enable, you installed it your not done yet. ;-) Verify the settings ( debianize the paths ) https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End Then then its all done, reboot the server. Run this script, anonimized it and post the content to the list. Then i know all i want to know. https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh Greetz, Louis> -----Oorspronkelijk bericht----- > Van: von Obernitz, Daniel > [mailto:daniel.vonobernitz at uni-greifswald.de] > Verzonden: woensdag 22 april 2020 14:50 > Aan: L.P.H. van Belle; samba at lists.samba.org > Onderwerp: Re: [Samba] pad length mismatch error message > > Hi Louis, > > it happens on the AC-DC nodes on Debian 10, running with > BIND9_DLZ backend... > > dpkg -l |grep bind9 > ii bind9 1:9.11.5.P4+dfsg-5.1 > amd64 Internet Domain Name Server > ii bind9-host 1:9.11.5.P4+dfsg-5.1 > amd64 DNS lookup utility (deprecated) > ii bind9utils 1:9.11.5.P4+dfsg-5.1 > amd64 Utilities for BIND > ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 > amd64 BIND9 Shared Library used by BIND > > > smb.conf: > > # Global parameters > [global] > netbios name = DC3 > realm = AD.EXAMPLE.NET > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > workgroup = AD > interfaces = IP > bind interfaces only = yes > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > log level = 1 auth_audit:2@/var/log/samba/auth-audit.log > ldap server require strong auth = no > tls verify peer = no_check > tls enabled = yes > tls keyfile = /path/key.pem > tls certfile = /path/fullcert.pem > tls cafile = /etc/ssl/certs/ca-certificates.crt > > [sysvol] > path = /var/lib/samba/sysvol > read only = yes > > [netlogon] > path = /var/lib/samba/sysvol/ad.example.net/scripts > read only = yes > > > Best regards > Daniel > > > Am Mittwoch, den 22.04.2020 um 14:40 schrieb L.P.H. van Belle > via samba: > > Hai, > > > > I might be handy to tell us a bit more. > > > > Like AD-DC or member. > > content smb.conf ? > > If AD-DC, are you running with or without bind. > > with bind? show : dpkg -l |grep bind9 > > > > Greetz, > > > > Louis > > > > > > > > > -----Oorspronkelijk bericht----- > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von > > > Obernitz, Daniel via samba > > > Verzonden: woensdag 22 april 2020 14:18 > > > Aan: samba at lists.samba.org > > > Onderwerp: [Samba] pad length mismatch error message > > > > > > Hi, > > > > > > I found the following error message in the log.samba: > > > > > > [2020/04/20 16:32:33.168921, 1] > > > ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer) > > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length > > > mismatch. Calculated 44 got 0 > > > > > > It happens on all nodes on different times, but unfortunately > > > I have no specific situation or action which causes this. > > > > > > We are currently using Samba version > 4.12.1-SerNet-Debian-5.buster. > > > > > > Do you have any idea what could cause this so I can try to > > > replicate it? > > > > > > Best regards > > > Daniel > > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > >
Hi,
bind9_DLZ is enabled and running, DNS in general is working absolutely fine.
--dns-backend=BIND9_DLZ was used during provision and your collect script also
says it's enabled.
Like I said in the other issue, the AC-DC in general is working fine... the
posted error message is just something I can't explain, where it comes
from...
Best regards
Daniel
-----------
Collected config --- 2020-04-22-15:15 -----------
Hostname: dc3
DNS Domain: ad.example.de
FQDN: dc3.ad.example.de
ipaddress: XX.XX.XX.53
-----------
Kerberos SRV _kerberos._tcp.ad.example.de record verified ok, sample output:
Server: XX.XX.XX.53
Address: XX.XX.XX.53#53
_kerberos._tcp.ad.example.de service = 0 100 88 dc2.ad.example.de.
_kerberos._tcp.ad.example.de service = 0 100 88 dc4.ad.example.de.
_kerberos._tcp.ad.example.de service = 0 100 88 dc3.ad.example.de.
_kerberos._tcp.ad.example.de service = 0 100 88 dc1.ad.example.de.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.3 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 10:23:4c:7e:05:3f brd ff:ff:ff:ff:ff:ff
inet XX.XX.XX.53/24 brd XX.XX.XX.255 scope global ens18
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
XX.XX.XX.53 dc3.ad.example.de dc3
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver XX.XX.XX.53
search ad.example.de
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = AD.EXAMPLE.DE
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.
passwd: files
group: files
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = DC3
realm = AD.EXAMPLE.DE
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
workgroup = AD
interfaces = XX.XX.XX.53
bind interfaces only = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
ldap server require strong auth = no
tls verify peer = no_check
tls enabled = yes
tls keyfile = /path/key.pem
tls certfile = /path/fullcert.pem
tls cafile = /etc/ssl/certs/ca-certificates.crt
[sysvol]
path = /var/lib/samba/sysvol
read only = yes
[netlogon]
path = /var/lib/samba/sysvol/ad.example.de/scripts
read only = yes
-----------
Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
-----------
Checking file: /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
YY.YY.YY.4; YY.YY.YY.5; // we use the AC-DC-DNS only for AD internal hosts
};
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
//======================================================================= // If
BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
dnssec-validation auto;
listen-on-v6 { any; };
};
-----------
Checking file: /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
include "/var/lib/samba/bind-dns/named.conf";
-----------
Checking file: /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
-----------
Samba DNS zone list: 2 zone(s) found
pszZoneName : ad.example.de
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.ad.example.de
pszZoneName : _msdcs.ad.example.de
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.ad.example.de
Samba DNS zone list Automated check :
zone : ad.example.de ok, no Bind flat-files found
-----------
zone : _msdcs.ad.example.de ok, no Bind flat-files found
-----------
Installed packages:
ii acl 2.2.53-4 amd64
access control list - utilities
ii bind9 1:9.11.5.P4+dfsg-5.1 amd64
Internet Domain Name Server
ii bind9-host 1:9.11.5.P4+dfsg-5.1 amd64
DNS lookup utility (deprecated)
ii bind9utils 1:9.11.5.P4+dfsg-5.1 amd64
Utilities for BIND
ii krb5-config 2.6 all
Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64
access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64
extended attribute handling - shared library
ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 amd64
BIND9 Shared Library used by BIND
ii libgssapi-krb5-2:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-3 amd64
Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-3 amd64
MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64
MIT Kerberos runtime libraries - Support library
ii libwbclient0:amd64 99:4.12.1-5 amd64
Glue package for sernet-samba-libs.
ii sernet-samba 99:4.12.1-5 amd64
SMB/CIFS file, print, and login server for Unix
ii sernet-samba-ad 99:4.12.1-5 amd64
Samba Active Directory Domain Controller
ii sernet-samba-client 99:4.12.1-5 amd64 a
LanManager-like simple client for Unix
ii sernet-samba-common 99:4.12.1-5 all
Samba common files used by both the server and the client
ii sernet-samba-keyring 1.9 all
GnuPG archive keys of the SerNet Samba archive
ii sernet-samba-libs:amd64 99:4.12.1-5 amd64
Samba common library files used by both the server and the client
ii sernet-samba-libsmbclient0:amd64 99:4.12.1-5 amd64
Shared library that allows applications to talk to SMB servers
ii sernet-samba-winbind 99:4.12.1-5 amd64
Samba nameservice integration server
-----------
Am Mittwoch, den 22.04.2020 um 14:56 schrieb L.P.H. van Belle via
samba:> Well,
>
> If you running with bind9_DLZ, you also should enable it.
>
> Based on what i see below, its not enable, you installed it your not done
yet. ;-)
> Verify the settings ( debianize the paths )
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>
> Then then its all done, reboot the server.
> Run this script, anonimized it and post the content to the list.
>
> Then i know all i want to know.
>
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Greetz,
>
> Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: von Obernitz, Daniel
> > [mailto:daniel.vonobernitz at uni-greifswald.de]
> > Verzonden: woensdag 22 april 2020 14:50
> > Aan: L.P.H. van Belle; samba at lists.samba.org
> > Onderwerp: Re: [Samba] pad length mismatch error message
> >
> > Hi Louis,
> >
> > it happens on the AC-DC nodes on Debian 10, running with
> > BIND9_DLZ backend...
> >
> > dpkg -l |grep bind9
> > ii bind9 1:9.11.5.P4+dfsg-5.1
> > amd64 Internet Domain Name Server
> > ii bind9-host 1:9.11.5.P4+dfsg-5.1
> > amd64 DNS lookup utility (deprecated)
> > ii bind9utils 1:9.11.5.P4+dfsg-5.1
> > amd64 Utilities for BIND
> > ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1
> > amd64 BIND9 Shared Library used by BIND
> >
> >
> > smb.conf:
> >
> > # Global parameters
> > [global]
> > netbios name = DC3
> > realm = AD.EXAMPLE.NET
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
> > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = AD
> > interfaces = IP
> > bind interfaces only = yes
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> > log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
> > ldap server require strong auth = no
> > tls verify peer = no_check
> > tls enabled = yes
> > tls keyfile = /path/key.pem
> > tls certfile = /path/fullcert.pem
> > tls cafile = /etc/ssl/certs/ca-certificates.crt
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = yes
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/ad.example.net/scripts
> > read only = yes
> >
> >
> > Best regards
> > Daniel
> >
> >
> > Am Mittwoch, den 22.04.2020 um 14:40 schrieb L.P.H. van Belle
> > via samba:
> > > Hai,
> > >
> > > I might be handy to tell us a bit more.
> > >
> > > Like AD-DC or member.
> > > content smb.conf ?
> > > If AD-DC, are you running with or without bind.
> > > with bind? show : dpkg -l |grep bind9
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >
> > >
> > > > -----Oorspronkelijk bericht-----
> > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
von
> > > > Obernitz, Daniel via samba
> > > > Verzonden: woensdag 22 april 2020 14:18
> > > > Aan: samba at lists.samba.org
> > > > Onderwerp: [Samba] pad length mismatch error message
> > > >
> > > > Hi,
> > > >
> > > > I found the following error message in the log.samba:
> > > >
> > > > [2020/04/20 16:32:33.168921, 1]
> > > > ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer)
> > > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length
> > > > mismatch. Calculated 44 got 0
> > > >
> > > > It happens on all nodes on different times, but
unfortunately
> > > > I have no specific situation or action which causes this.
> > > >
> > > > We are currently using Samba version
> > 4.12.1-SerNet-Debian-5.buster.
> > > >
> > > > Do you have any idea what could cause this so I can try to
> > > > replicate it?
> > > >
> > > > Best regards
> > > > Daniel
> > > >
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6098 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200422/855c68f1/smime.bin>
On 22/04/2020 15:32, von Obernitz, Daniel via samba wrote:> Hi, > > bind9_DLZ is enabled and running, DNS in general is working absolutely fine. > > --dns-backend=BIND9_DLZ was used during provision and your collect script also says it's enabled. > > > Like I said in the other issue, the AC-DC in general is working fine... the posted error message is just something I can't explain, where it comes from... >Is the 'attr' package installed ? Why do you not have a reverse zone ? Could the padding have anything to do with 'dnssec' ? This is my 'named.conf.options': options { ??????? directory "/var/cache/bind"; ??????? notify no; ??????? empty-zones-enable no; ??????? allow-query { 127.0.0.1; 192.168.0.0/24; }; ??????? allow-recursion { 192.168.0.0/24;? 127.0.0.1/32; }; ??????? forwarders { 8.8.8.8; 8.8.4.4; }; ??????? allow-transfer { none; }; ??????? dnssec-validation no; ??????? dnssec-enable no; ??????? dnssec-lookaside no; ??????? listen-on-v6 { none; }; ??????? listen-on port 53 { 192.168.0.8; 127.0.0.1; }; ??????? tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; }; Try modifying to your IP's and see if that cures the problem. Rowland
I see multiple things that are off.. ( see Rowland message also and .. ) Dns https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server Now look at the example config here and change yours acording. Smb.conf change that or add -dns server services = -dns As far i can see your dns is using samba internal dns. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: von Obernitz, Daniel > [mailto:daniel.vonobernitz at uni-greifswald.de] > Verzonden: woensdag 22 april 2020 16:33 > Aan: L.P.H. van Belle; samba at lists.samba.org > Onderwerp: Re: [Samba] pad length mismatch error message > > Hi, > > bind9_DLZ is enabled and running, DNS in general is working > absolutely fine. > > --dns-backend=BIND9_DLZ was used during provision and your > collect script also says it's enabled. > > > Like I said in the other issue, the AC-DC in general is > working fine... the posted error message is just something I > can't explain, where it comes from... > > Best regards > Daniel > > > > ----------- > > Collected config --- 2020-04-22-15:15 ----------- > > Hostname: dc3 > DNS Domain: ad.example.de > FQDN: dc3.ad.example.de > ipaddress: XX.XX.XX.53 > > ----------- > > Kerberos SRV _kerberos._tcp.ad.example.de record verified ok, > sample output: > Server: XX.XX.XX.53 > Address: XX.XX.XX.53#53 > > _kerberos._tcp.ad.example.de service = 0 100 88 dc2.ad.example.de. > _kerberos._tcp.ad.example.de service = 0 100 88 dc4.ad.example.de. > _kerberos._tcp.ad.example.de service = 0 100 88 dc3.ad.example.de. > _kerberos._tcp.ad.example.de service = 0 100 88 dc1.ad.example.de. > Samba is running as an AD DC > > ----------- > Checking file: /etc/os-release > > PRETTY_NAME="Debian GNU/Linux 10 (buster)" > NAME="Debian GNU/Linux" > VERSION_ID="10" > VERSION="10 (buster)" > VERSION_CODENAME=buster > ID=debian > HOME_URL="https://www.debian.org/" > SUPPORT_URL="https://www.debian.org/support" > BUG_REPORT_URL="https://bugs.debian.org/" > > ----------- > > > This computer is running Debian 10.3 x86_64 > > ----------- > running command : ip a > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state > UNKNOWN group default qlen 1000 > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > pfifo_fast state UP group default qlen 1000 > link/ether 10:23:4c:7e:05:3f brd ff:ff:ff:ff:ff:ff > inet XX.XX.XX.53/24 brd XX.XX.XX.255 scope global ens18 > > ----------- > Checking file: /etc/hosts > > 127.0.0.1 localhost > XX.XX.XX.53 dc3.ad.example.de dc3 > > # The following lines are desirable for IPv6 capable hosts > #::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > > ----------- > > Checking file: /etc/resolv.conf > > # This file is managed by man:systemd-resolved(8). Do not edit. > # > # This is a dynamic resolv.conf file for connecting local > clients directly to > # all known uplink DNS servers. This file lists all > configured search domains. > # > # Third party programs must not access this file directly, > but only through the > # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) > in a different way, > # replace this symlink by a static file or a different symlink. > # > # See man:systemd-resolved.service(8) for details about the > supported modes of > # operation for /etc/resolv.conf. > > nameserver XX.XX.XX.53 > search ad.example.de > > ----------- > > Checking file: /etc/krb5.conf > > [libdefaults] > default_realm = AD.EXAMPLE.DE > dns_lookup_realm = false > dns_lookup_kdc = true > > ----------- > > Checking file: /etc/nsswitch.conf > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: files > group: files > shadow: files > gshadow: files > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > > ----------- > > Checking file: /etc/samba/smb.conf > > # Global parameters > [global] > netbios name = DC3 > realm = AD.EXAMPLE.DE > server role = active directory domain controller > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > workgroup = AD > interfaces = XX.XX.XX.53 > bind interfaces only = yes > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > log level = 1 auth_audit:2@/var/log/samba/auth-audit.log > ldap server require strong auth = no > tls verify peer = no_check > tls enabled = yes > tls keyfile = /path/key.pem > tls certfile = /path/fullcert.pem > tls cafile = /etc/ssl/certs/ca-certificates.crt > > [sysvol] > path = /var/lib/samba/sysvol > read only = yes > > [netlogon] > path = /var/lib/samba/sysvol/ad.example.de/scripts > read only = yes > > ----------- > > Detected bind DLZ enabled.. > Checking file: /etc/bind/named.conf > > // This is the primary configuration file for the BIND DNS > server named. > // > // Please read /usr/share/doc/bind9/README.Debian.gz for > information on the > // structure of BIND configuration files in Debian, *BEFORE* > you customize > // this configuration file. > // > // If you are just adding zones, please do that in > /etc/bind/named.conf.local > > include "/etc/bind/named.conf.options"; > include "/etc/bind/named.conf.local"; > include "/etc/bind/named.conf.default-zones"; > > ----------- > > Checking file: /etc/bind/named.conf.options > > options { > directory "/var/cache/bind"; > > // If there is a firewall between you and nameservers you want > // to talk to, you may need to fix the firewall to > allow multiple > // ports to talk. See http://www.kb.cert.org/vuls/id/800113 > > // If your ISP provided one or more IP addresses for stable > // nameservers, you probably want to use them as forwarders. > // Uncomment the following block, and insert the > addresses replacing > // the all-0's placeholder. > > forwarders { > YY.YY.YY.4; YY.YY.YY.5; // we use the > AC-DC-DNS only for AD internal hosts > }; > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; > > > //===========================================================> ===========> // If BIND logs error messages about the root key being expired, > // you will need to update your keys. See > https://www.isc.org/bind-keys > > //===========================================================> ===========> dnssec-validation auto; > > listen-on-v6 { any; }; > }; > > ----------- > > Checking file: /etc/bind/named.conf.local > > // > // Do any local configuration here > // > > // Consider adding the 1918 zones here, if they are not used in your > // organization > //include "/etc/bind/zones.rfc1918"; > include "/var/lib/samba/bind-dns/named.conf"; > > ----------- > > Checking file: /etc/bind/named.conf.default-zones > > // prime the server with knowledge of the root servers > zone "." { > type hint; > file "/usr/share/dns/root.hints"; > }; > > // be authoritative for the localhost forward and reverse > zones, and for > // broadcast zones as per RFC 1912 > > zone "localhost" { > type master; > file "/etc/bind/db.local"; > }; > > zone "127.in-addr.arpa" { > type master; > file "/etc/bind/db.127"; > }; > > zone "0.in-addr.arpa" { > type master; > file "/etc/bind/db.0"; > }; > > zone "255.in-addr.arpa" { > type master; > file "/etc/bind/db.255"; > }; > > ----------- > > Samba DNS zone list: 2 zone(s) found > > pszZoneName : ad.example.de > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : DomainDnsZones.ad.example.de > > pszZoneName : _msdcs.ad.example.de > Flags : DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > ZoneType : DNS_ZONE_TYPE_PRIMARY > Version : 50 > dwDpFlags : DNS_DP_AUTOCREATED > DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED > pszDpFqdn : ForestDnsZones.ad.example.de > > Samba DNS zone list Automated check : > zone : ad.example.de ok, no Bind flat-files found > ----------- > zone : _msdcs.ad.example.de ok, no Bind flat-files found > ----------- > > Installed packages: > ii acl 2.2.53-4 > amd64 access control list - utilities > ii bind9 1:9.11.5.P4+dfsg-5.1 > amd64 Internet Domain Name Server > ii bind9-host 1:9.11.5.P4+dfsg-5.1 > amd64 DNS lookup utility (deprecated) > ii bind9utils 1:9.11.5.P4+dfsg-5.1 > amd64 Utilities for BIND > ii krb5-config 2.6 > all Configuration files for Kerberos Version 5 > ii krb5-locales 1.17-3 > all internationalization support for MIT Kerberos > ii libacl1:amd64 2.2.53-4 > amd64 access control list - shared library > ii libattr1:amd64 1:2.4.48-4 > amd64 extended attribute handling - shared library > ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 > amd64 BIND9 Shared Library used by BIND > ii libgssapi-krb5-2:amd64 1.17-3 > amd64 MIT Kerberos runtime libraries - krb5 GSS-API > Mechanism > ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-3 > amd64 Heimdal Kerberos - libraries > ii libkrb5-3:amd64 1.17-3 > amd64 MIT Kerberos runtime libraries > ii libkrb5support0:amd64 1.17-3 > amd64 MIT Kerberos runtime libraries - Support library > ii libwbclient0:amd64 99:4.12.1-5 > amd64 Glue package for sernet-samba-libs. > ii sernet-samba 99:4.12.1-5 > amd64 SMB/CIFS file, print, and login server for Unix > ii sernet-samba-ad 99:4.12.1-5 > amd64 Samba Active Directory Domain Controller > ii sernet-samba-client 99:4.12.1-5 > amd64 a LanManager-like simple client for Unix > ii sernet-samba-common 99:4.12.1-5 > all Samba common files used by both the server > and the client > ii sernet-samba-keyring 1.9 > all GnuPG archive keys of the SerNet Samba archive > ii sernet-samba-libs:amd64 99:4.12.1-5 > amd64 Samba common library files used by both the > server and the client > ii sernet-samba-libsmbclient0:amd64 99:4.12.1-5 > amd64 Shared library that allows applications to > talk to SMB servers > ii sernet-samba-winbind 99:4.12.1-5 > amd64 Samba nameservice integration server > > ----------- > > > > Am Mittwoch, den 22.04.2020 um 14:56 schrieb L.P.H. van Belle > via samba: > > Well, > > > > If you running with bind9_DLZ, you also should enable it. > > > > Based on what i see below, its not enable, you installed it > your not done yet. ;-) > > Verify the settings ( debianize the paths ) > > https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End > > > > Then then its all done, reboot the server. > > Run this script, anonimized it and post the content to the list. > > > > Then i know all i want to know. > > > https://raw.githubusercontent.com/thctlo/samba4/master/samba-c > ollect-debug-info.sh > > > > Greetz, > > > > Louis > > > > > > > -----Oorspronkelijk bericht----- > > > Van: von Obernitz, Daniel > > > [mailto:daniel.vonobernitz at uni-greifswald.de] > > > Verzonden: woensdag 22 april 2020 14:50 > > > Aan: L.P.H. van Belle; samba at lists.samba.org > > > Onderwerp: Re: [Samba] pad length mismatch error message > > > > > > Hi Louis, > > > > > > it happens on the AC-DC nodes on Debian 10, running with > > > BIND9_DLZ backend... > > > > > > dpkg -l |grep bind9 > > > ii bind9 1:9.11.5.P4+dfsg-5.1 > > > amd64 Internet Domain Name Server > > > ii bind9-host 1:9.11.5.P4+dfsg-5.1 > > > amd64 DNS lookup utility (deprecated) > > > ii bind9utils 1:9.11.5.P4+dfsg-5.1 > > > amd64 Utilities for BIND > > > ii libbind9-161:amd64 1:9.11.5.P4+dfsg-5.1 > > > amd64 BIND9 Shared Library used by BIND > > > > > > > > > smb.conf: > > > > > > # Global parameters > > > [global] > > > netbios name = DC3 > > > realm = AD.EXAMPLE.NET > > > server role = active directory domain controller > > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, > > > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate > > > workgroup = AD > > > interfaces = IP > > > bind interfaces only = yes > > > load printers = no > > > printing = bsd > > > printcap name = /dev/null > > > disable spoolss = yes > > > log level = 1 auth_audit:2@/var/log/samba/auth-audit.log > > > ldap server require strong auth = no > > > tls verify peer = no_check > > > tls enabled = yes > > > tls keyfile = /path/key.pem > > > tls certfile = /path/fullcert.pem > > > tls cafile = /etc/ssl/certs/ca-certificates.crt > > > > > > [sysvol] > > > path = /var/lib/samba/sysvol > > > read only = yes > > > > > > [netlogon] > > > path = /var/lib/samba/sysvol/ad.example.net/scripts > > > read only = yes > > > > > > > > > Best regards > > > Daniel > > > > > > > > > Am Mittwoch, den 22.04.2020 um 14:40 schrieb L.P.H. van Belle > > > via samba: > > > > Hai, > > > > > > > > I might be handy to tell us a bit more. > > > > > > > > Like AD-DC or member. > > > > content smb.conf ? > > > > If AD-DC, are you running with or without bind. > > > > with bind? show : dpkg -l |grep bind9 > > > > > > > > Greetz, > > > > > > > > Louis > > > > > > > > > > > > > > > > > -----Oorspronkelijk bericht----- > > > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von > > > > > Obernitz, Daniel via samba > > > > > Verzonden: woensdag 22 april 2020 14:18 > > > > > Aan: samba at lists.samba.org > > > > > Onderwerp: [Samba] pad length mismatch error message > > > > > > > > > > Hi, > > > > > > > > > > I found the following error message in the log.samba: > > > > > > > > > > [2020/04/20 16:32:33.168921, 1] > > > > > ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer) > > > > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length > > > > > mismatch. Calculated 44 got 0 > > > > > > > > > > It happens on all nodes on different times, but unfortunately > > > > > I have no specific situation or action which causes this. > > > > > > > > > > We are currently using Samba version > > > 4.12.1-SerNet-Debian-5.buster. > > > > > > > > > > Do you have any idea what could cause this so I can try to > > > > > replicate it? > > > > > > > > > > Best regards > > > > > Daniel > > > > > > > > > > > > > > > > > -- > > > > To unsubscribe from this list go to the following URL > and read the > > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > >
On 22/04/2020 16:09, L.P.H. van Belle via samba wrote:> I see multiple things that are off.. ( see Rowland message also and .. ) > > Dns https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server > Now look at the example config here and change yours acording. > > Smb.conf change that or add -dns > > server services = -dns > > As far i can see your dns is using samba internal dns.No he isn't ;-) 'server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate' is the same as: 'server services = -dns' Rowland