Hello everybody,

last weeks I started upgrading our DCs from CentOS 7 to CentOS 8. After having read this (https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC#Updating_Multiple_Samba_Domain_Controllers) and especially this: "Joining a DC to domain can be a troublesome process for some users, and it can be difficult to recover your DC if something goes wrong", I really looked forward to this ... :-|

So this is a bit of a long read...

This domain was "classic upgraded" from an NT-style domain with Samba version 4.4. All upgrades until now were done "in place". We have 4 DCs: 3 VMs and one physical server. Samba version is 4.12.3 on all the DCs before and after the upgrade. We are using the Sernet packages.

I was very careful and went step by step. Here is the general outline.

-- Demote old DC
-- Check if all entries are gone as listed on the wiki
-- Run "samba-tool dbcheck --cross-ncs --fix" to remove deleted objects etc.
-- Install new DC as per wiki and my notes (same name, same IP)
-- Join DC
-- Run checks (samba-tool drs showrepl, samba-tool dbcheck --cross-ncs)
-- Check DNS updates (samba_dnsupdate --verbose --all-names)

Now here is how it worked out...

-- First DC: demote and rejoin with the same name and IP (after installing a new VM) went fine. No errors! Great, now to the next one I thought.... (actually I waited a few days)

-- Second DC: demote went fine. After the rejoin bind would not start because it complained about empty zones. I read about this on this list. So I deleted those zones and the entries (just a few, so no big problem). Now bind did start and all checks (samba-tool drs showrepl; samba-tool dbcheck --cross-ncs --fix; samba_dnsupdate --verbose --all-names) are fine. DNS updates work. So on to the next one...

-- Third DC: this was the FSMO holder, so I transferred the roles to DC2. After the join bind complained on ALL zones except the primary AD zone that they were empty and would not start. So I again deleted them and recreated the zones and the entries. All worked OK. No errors after I fixed the zones.

-- The last DC (this one a physical server) I demoted and reinstalled on the same hardware. I followed my notes and, because I read some more in the meantime, I added NS records for all DCs in all zones (they are only added automatically to the AD zone, not to any reverse zones etc.). After the join every check worked (samba-tool drs showrepl; samba-tool dbcheck --cross-ncs --fix; samba_dnsupdate --verbose --all-names). However, there is one problem: Windows clients can not update their DNS records on this DC. All the others work.

So here are my questions:

-- On two of the new joins I did, the KCC objects appeared only after running samba_kcc. Is this normal or should I have waited a bit longer?

-- Do any of you manually add NS records for all DCs into all your zones (specifically the reverse zones) or should this be done by samba?

-- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still needed? I needed this to get DNS updates from the clients working with Samba 4.4 (when this domain was provisioned the current version). I moved it from the private dir to the bind-dns dir. But named.conf.update does not get created (on all DCs).

-- Last question: does any one have an idea how to fix this? At the moment I am inclined to just remove the offending DC and join it again.
Here is the log entry with debug level 5 from the dlz module from the faulty DC:

27-Jun-2020 21:02:46.144 samba_dlz: DSDB Transaction [rollback] at [Sat, 27 Jun 2020 21:02:46.144303 CEST] duration [3618]
27-Jun-2020 21:02:46.144 samba_dlz: {"timestamp": "2020-06-27T21:02:46.144494+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "9cb08a1a-01d2-467c-a582-616185189020", "duration": 3618}}
27-Jun-2020 21:02:46.144 samba_dlz: cancelling transaction on zone ad.domain.de

Here from a working DC:

27-Jun-2020 21:04:24.308 samba_dlz: starting transaction on zone ad.domain.de
27-Jun-2020 21:04:24.311 client @0x7f5ab01c88f0 192.168.0.113#63319: update 'ad.domain.de/IN' denied
27-Jun-2020 21:04:24.311 samba_dlz: DSDB Transaction [rollback] at [Sat, 27 Jun 2020 21:04:24.311712 CEST] duration [2575]
27-Jun-2020 21:04:24.311 samba_dlz: {"timestamp": "2020-06-27T21:04:24.311817+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "cfaf0fd3-3bd5-47e6-a3ba-5523b4dea6f8", "duration": 2575}}
27-Jun-2020 21:04:24.312 samba_dlz: cancelling transaction on zone ad.domain.de
27-Jun-2020 21:04:24.466 samba_dlz: starting transaction on zone ad.domain.de
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC mechanism spnego
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC submechanism gssapi_krb5
27-Jun-2020 21:04:24.470 samba_dlz: gensec_gssapi: NO credentials were delegated
27-Jun-2020 21:04:24.470 samba_dlz: GSSAPI Connection will be cryptographically signed
27-Jun-2020 21:04:24.470 samba_dlz: Successful AuthZ: [(null),krb5] user [BRAIN-02]\[LANSWEEPER$] [S-1-5-21-773202902-494389186-2375354597-132211] at [Sat, 27 Jun 2020 21:04:24.470917 CEST] Remote host [NULL] local host [NULL]
27-Jun-2020 21:04:24.471 samba_dlz: {"timestamp": "2020-06-27T21:04:24.471156+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": null, "remoteAddress": null, "serviceDescription": null, "authType": "krb5", "domain": "BRAIN-02", "account": "LANSWEEPER$", "sid": "S-1-5-21-773202902-494389186-2375354597-132211", "sessionId": "9887dc0f-41b2-4cb7-a7e8-b885ae239ac3", "logonServer": "DC2", "transportProtection": "SIGN", "accountFlags": "0x00000080"}}
27-Jun-2020 21:04:24.474 samba_dlz: allowing update of signer=LANSWEEPER\$\@ad.domain.DE name=lansweeper.ad.domain.de tcpaddr=192.168.0.113 type=AAAA key=1080-ms-7.257-1bf1c173.234c263c-b466-11ea-e081-96f66ddcca4a/160/0

Here are the relevant configs:

---smb.conf---
[global]
        netbios name = DC1
        realm = AD.DOMAIN.DE
        server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN-02
        log level = 1 auth_audit:4 dsdb_password_audit:5 dsdb_transaction_audit:5 dsdb_group_audit:5
        #log level = 10
        logging =syslog
        server role = active directory domain controller
        dns zone scavenging = yes
        prefork children = 8
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        template homedir = /home/%U
        #ntlm auth = yes
        ntlm auth = mschapv2-and-ntlmv2-only
        disable netbios = yes
        smb ports = 445
        server min protocol = SMB2
        client min protocol = SMB2
        tls enabled = yes
        tls keyfile = tls/server_de.key
        tls certfile = tls/server.pem
        tls cafile = tls/ca.pem
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab

[netlogon]
        path = /var/lib/samba/sysvol/AD.DOMAIN.de/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

----/etc/named.conf------
# Global BIND configuration options
include "/var/lib/samba/bind-dns/named.conf";
options {
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        minimal-responses yes;
        auth-nxdomain yes;
        directory "/var/named";
        notify no;
        empty-zones-enable no;

        allow-query {
                127.0.0.1;
                10.0.8.0/24;
                # add other networks you want to allow to query your DNS
        };

        allow-recursion {
                10.0.8.0/24;
                # add other networks you want to allow to do recursive queries
        };

        forwarders {
                # Google public DNS server here - replace with your own if necessary
                8.8.8.8;
        };

        allow-transfer {
                # this config is for a single master DNS server
                none;
        };
};

# Root servers (required zone for recursive queries)
zone "." {
        type hint;
        file "named.root";
};

# Required localhost forward-/reverse zones
zone "localhost" {
        type master;
        file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/0.0.127.zone";
};

---/var/lib/samba/bind-dns/named.conf---
dlz "AD DNS Zone" {
        # For BIND 9.8.x
        # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

        # For BIND 9.9.x
        # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";

        # For BIND 9.10.x
        # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";

        # For BIND 9.11.x
        database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";

        # For BIND 9.12.x
        # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
};

---/etc/krb5.conf---
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = AD.DOMAIN.DE
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

Thanks for any help!

Regards

Christian

--
Dr. Christian Naumer
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Register court AG Darmstadt, HRB 24758
Management board: Adriaan Moelker (chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
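The two dlz excerpts above already contain the diagnostic signal: on the working DC an unsigned update is refused, then a GSS-TSIG signed one is authorized ("Successful AuthZ") and accepted ("allowing update"), whereas on the faulty DC a transaction rolls back with no authorization at all. The following is an added example, not code from the post or from Samba: a small Python triage script that counts those events per DC from a BIND/samba_dlz log and turns them into a verdict. The embedded log lines are a constructed sample assembled from the excerpts in the post (the Authorization JSON is abridged to the fields the script reads); the verdict text is my own wording.

```python
"""Triage samba_dlz (BIND9 DLZ) log lines for AD dynamic-update failures.

Added example, not part of the original post. The sample logs below are
constructed from the two excerpts quoted in the thread.
"""
import json
import re

FAULTY_DC_LOG = """\
27-Jun-2020 21:02:46.144 samba_dlz: DSDB Transaction [rollback] at [Sat, 27 Jun 2020 21:02:46.144303 CEST] duration [3618]
27-Jun-2020 21:02:46.144 samba_dlz: {"timestamp": "2020-06-27T21:02:46.144494+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "9cb08a1a-01d2-467c-a582-616185189020", "duration": 3618}}
27-Jun-2020 21:02:46.144 samba_dlz: cancelling transaction on zone ad.domain.de
"""

WORKING_DC_LOG = """\
27-Jun-2020 21:04:24.308 samba_dlz: starting transaction on zone ad.domain.de
27-Jun-2020 21:04:24.311 client @0x7f5ab01c88f0 192.168.0.113#63319: update 'ad.domain.de/IN' denied
27-Jun-2020 21:04:24.311 samba_dlz: DSDB Transaction [rollback] at [Sat, 27 Jun 2020 21:04:24.311712 CEST] duration [2575]
27-Jun-2020 21:04:24.311 samba_dlz: {"timestamp": "2020-06-27T21:04:24.311817+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "cfaf0fd3-3bd5-47e6-a3ba-5523b4dea6f8", "duration": 2575}}
27-Jun-2020 21:04:24.312 samba_dlz: cancelling transaction on zone ad.domain.de
27-Jun-2020 21:04:24.466 samba_dlz: starting transaction on zone ad.domain.de
27-Jun-2020 21:04:24.468 samba_dlz: Starting GENSEC mechanism spnego
27-Jun-2020 21:04:24.470 samba_dlz: Successful AuthZ: [(null),krb5] user [BRAIN-02]\\[LANSWEEPER$] [S-1-5-21-773202902-494389186-2375354597-132211] at [Sat, 27 Jun 2020 21:04:24.470917 CEST] Remote host [NULL] local host [NULL]
27-Jun-2020 21:04:24.471 samba_dlz: {"timestamp": "2020-06-27T21:04:24.471156+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "authType": "krb5", "domain": "BRAIN-02", "account": "LANSWEEPER$", "transportProtection": "SIGN"}}
27-Jun-2020 21:04:24.474 samba_dlz: allowing update of signer=LANSWEEPER\\$\\@ad.domain.DE name=lansweeper.ad.domain.de tcpaddr=192.168.0.113 type=AAAA key=1080-ms-7.257-1bf1c173.234c263c-b466-11ea-e081-96f66ddcca4a/160/0
"""

# "27-Jun-2020 21:04:24.308 <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.*)$")
# BIND refusing an unsigned update. Windows clients try an unsigned update
# first and fall back to a GSS-TSIG signed one, so one refusal per update is normal.
DENIED_RE = re.compile(r"client @\S+ (?P<addr>\S+)#\d+: update '(?P<zone>[^']+)' denied")
# samba_dlz accepting a signed update.
ALLOW_RE = re.compile(
    r"allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
    r"tcpaddr=(?P<addr>\S+) type=(?P<rtype>\S+)")


def summarize(log_text):
    """Count transaction starts, rollbacks, unsigned refusals, GSS-TSIG
    authorizations and accepted updates in one DC's dlz log excerpt."""
    s = {"started": 0, "rolled_back": 0, "denied_unsigned": 0,
         "authz_ok": 0, "allowed": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("samba_dlz: {"):
            # Samba's JSON audit records (dsdb_transaction_audit / auth_audit)
            audit = json.loads(msg[len("samba_dlz: "):])
            if audit.get("type") == "dsdbTransaction":
                if audit["dsdbTransaction"].get("action") == "rollback":
                    s["rolled_back"] += 1
            elif audit.get("type") == "Authorization":
                s["authz_ok"] += 1
            continue
        if "starting transaction on zone" in msg:
            s["started"] += 1
            continue
        if DENIED_RE.search(msg):
            s["denied_unsigned"] += 1
            continue
        allowed = ALLOW_RE.search(msg)
        if allowed:
            s["allowed"].append(allowed.groupdict())
    return s


def verdict(summary):
    """Turn the counters into the next thing an admin should check."""
    if summary["allowed"]:
        return "ok: signed updates are accepted"
    if summary["rolled_back"] and not summary["authz_ok"]:
        # Rollbacks with no 'Successful AuthZ' mean the signed update never
        # reached samba_dlz. In the thread the cause was 53/tcp still blocked by
        # the host firewall; check transport reachability and dns.keytab first.
        return "rollback without GSS-TSIG authorization: signed update never arrives"
    if summary["denied_unsigned"] and not summary["authz_ok"]:
        return "only unsigned attempts seen"
    return "no update activity in this excerpt"


if __name__ == "__main__":
    for label, text in (("faulty DC", FAULTY_DC_LOG), ("working DC", WORKING_DC_LOG)):
        s = summarize(text)
        print(f"{label}: {verdict(s)}  {s}")
```

Feed it the BIND log (or `journalctl -u named`) of each DC with `log level = ... dsdb_transaction_audit:5 auth_audit:4` as in the smb.conf above; a DC that shows only rollbacks while its siblings show "allowing update" lines is the one whose signed updates never arrive.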
Hello all,

to answer this question myself. The problem was in front of the computer...

While copying the commands from my notes I missed one line of the firewall configuration. So port 53/tcp was still blocked.

So I learned that DNS still works as this is UDP which was not blocked. Also local updates by samba_dnsupdate work as the firewall does not play a role there.

But my other questions are still open:

On 29.06.20 at 12:31, Christian Naumer via samba wrote:
> So here are my questions:
>
> -- On two of the new joins I did, the KCC objects appeared only after
> running samba_kcc. Is this normal or should I have waited a bit longer?
>
> -- Do any of you manually add NS records for all DCs into all your zones
> (specifically the reverse zones) or should this be done by samba?
>
> -- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still
> needed? I needed this to get DNS updates from the clients working with
> Samba 4.4 (when this Domain was provisioned the current version). I
> moved it from the private dir to bind-dns dir. But named.conf.update
> does not get created (on all DCs).
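The resolution above (53/tcp blocked, 53/udp open) is worth turning into a check you run after every rebuild, because the two transports fail differently: ordinary lookups and samba_dnsupdate on the DC itself keep working, while GSS-TSIG updates from Windows clients (TKEY negotiation plus the update) travel over TCP and silently fail. The following is an added example, not from the post or from Samba: a Python script that sends one UDP SOA query and one TCP connect to each DC and reports which transport is missing. The DC names are placeholders; the zone name is the one from the thread.

```python
"""Check that both 53/udp and 53/tcp reach every DC.

Added example, not part of the original post or of Samba. DC names below are
placeholders; replace them with your own DCs.
"""
import socket
import struct

DCS = ["dc1.ad.domain.de", "dc2.ad.domain.de"]   # placeholder DC names
ZONE = "ad.domain.de"                             # zone name from the thread


def build_dns_query(qname, qtype=6, qid=0x1234):
    """Minimal wire-format DNS query (default QTYPE 6 = SOA, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def tcp_reachable(host, port=53, timeout=2.0):
    """True if a TCP handshake to host:port completes. A filtered port times
    out and a closed one is refused; both count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_answers(host, zone, port=53, timeout=2.0):
    """Send one UDP SOA query and require a reply with matching ID and QR=1."""
    query = build_dns_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            data, _ = s.recvfrom(512)
        except OSError:          # timeout or ICMP port unreachable
            return False
    return len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)


def diagnose(udp_ok, tcp_ok):
    """Map the two reachability results to the symptom they produce."""
    if udp_ok and tcp_ok:
        return "ok: 53/udp and 53/tcp reachable"
    if udp_ok and not tcp_ok:
        return "53/tcp blocked: lookups work but GSS-TSIG client updates will fail"
    if tcp_ok and not udp_ok:
        return "53/udp blocked: ordinary lookups will fail"
    return "dns unreachable on both transports"


def check_dcs(dcs=DCS, zone=ZONE):
    """Run both probes against every DC and return {dc: verdict}."""
    return {dc: diagnose(udp_answers(dc, zone), tcp_reachable(dc)) for dc in dcs}


if __name__ == "__main__":
    for dc, result in check_dcs().items():
        print(f"{dc}: {result}")
```

Run it from a client subnet, not from the DC itself: the host firewall is not in the path for local traffic, which is exactly why samba_dnsupdate on the DC kept working in the thread while the Windows clients failed.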
Hai Christian,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Naumer via samba
> Sent: Thursday 2 July 2020 9:46
> To: samba at lists.samba.org
> Subject: Re: [Samba] DNS Updates after upgrade [SOLVED]
>
> Hello all,
> to answer this question myself. The Problem was in front of
> the computer...

That's one big problem we all face ;-)

> While copying the commands from my notes I missed one line of the
> firewall configuration. So port 53/tcp was still blocked.
>
> So I learned that DNS still works as this is udp which was
> not blocked.
> Also local updates by samba_dnsupdate work as the firewall
> does not play a role there.
> But my other questions are still open:
>
> On 29.06.20 at 12:31, Christian Naumer via samba wrote:
> > So here are my questions:
> >
> > -- On two of the new joins I did, the KCC objects appeared only after
> > running samba_kcc. Is this normal or should I have waited a bit longer?

Yes, it's normal, I just reboot my DCs with a 5 min wait between them, so it has a chance to replicate. Stop/start should also help, but I prefer a reboot.

> > -- Do any of you manually add NS records for all DCs into all your zones
> > (specifically the reverse zones) or should this be done by samba?

I did add them manually, but .. that was in 4.4-4.6 when I did that. Verifying the NS and PTR entries is always good, not everything is added by samba. But again, I need an update on this, which I'm going to do soon now..

> > -- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still
> > needed? I needed this to get DNS updates from the clients working with
> > Samba 4.4 (when this Domain was provisioned the current version). I
> > moved it from the private dir to bind-dns dir. But named.conf.update
> > does not get created (on all DCs).

Hm, good one, if I look into that file, I also still have them, it only makes sure the server's needed users have the needed rights by policy.
I would keep it, but maybe Rowland has a better answer here.

> > Here are the relevant configs:

Config looks fine.

Greetz,

Louis
On 03/07/2020 08:51, L.P.H. van Belle via samba wrote:
>>> -- Is the file
>> "/var/lib/samba/bind-dns/named.conf.update.static" still
>>> needed? I needed this to get DNS updates from the clients
>>
> Hm, good one, if i look into that file, i also still have them, i only makes sure
> The server needed users has the needed rights by policy.
>
> I would keep it, but maybe Rowland has an better answer here.

You rang ;-)

No, you do not need it, 'named.conf.update.static' is only required if you are using Bind9 with static files (aka flatfiles), something you shouldn't be doing at all.

Rowland
THUMBS UP! Thanks :-)

Collective minds work best :-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 3 July 2020 10:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] DNS Updates after upgrade [SOLVED]
>
> You rang ;-)
>
> No, you do not need it, 'named.conf.update.static' is only
> required if you are using Bind9 with static files (aka flatfiles),
> something you shouldn't be doing at all.
>
> Rowland