L.P.H. van Belle
2020-Aug-13 13:57 UTC
[Samba] Samba DNS fails when queried with nslookup commands
Hai James,

Thanks, that's exactly what we needed.
I'll comment below.

> -----Original message-----
> From: James Atwell [mailto:james.atwell365 at gmail.com]
> Sent: Thursday 13 August 2020 14:46
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Samba DNS fails when queried with nslookup commands
>
> Hi Louis and Rowland,
>
>       Thanks for the help. Below is the information requested before I change anything.
>
> nameserver 172.16.23.30
> nameserver 172.16.23.28
> nameserver 127.0.0.53 < or on top or remove..

Now it's never used. Best. Remove it.
And if it's used, then it's because the 2 above are failing and 127.0.0.53 most probably will query them or root servers on the internet.
Resulting in both will fail..

> search domain.local  (I know)

At least you know ;-)

>
>
> @soldc4:~$ cat /etc/hosts
> 127.0.0.1 localhost
> #127.0.1.1 soldc4 # you can remove this line.
> 172.16.23.30    soldc4.domain.local       soldc4
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback # re-add localhost in front.

::1     localhost ip6-localhost ip6-loopback

> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters

Because some internal services do run in ::1 this is fine.
This..

> #127.0.1.1 soldc4 # you can remove this line.

Verify the DNS A and PTR for the servername.
If this was there at startup, then this might be the source of your problems.

>
>
> @soldc4:~$ cat /etc/network/interfaces
> # ifupdown has been replaced by netplan(5) on this system.  See
> # /etc/netplan for current configuration.
> # To re-enable ifupdown on this system, you can run:
> #    sudo apt install ifupdown
>
>
> @soldc4:~$ cat /etc/netplan/50-cloud-init.yaml
> # This file is generated from information provided by
> # the datasource.  Changes to it will not persist across an instance.
> # To disable cloud-init's network configuration capabilities, write a file
> # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
> # network: {config: disabled}
> network:
>     ethernets:
>         enp0s3:
>             addresses: [172.16.23.30/24]
>             gateway4: 172.16.23.201
>             dhcp4: no
>             nameservers:
>                     addresses: [172.16.23.30,172.16.23.28]
>                     search: [domain.local]
>
>     version: 2
>

Great that looks fine.
Not using : /etc/netplan/01-netcfg.yaml ? That's ok if not..

>
> @soldc4:~$ ls -la /etc/systemd/network/
> total 8
> drwxr-xr-x 2 root root 4096 Apr 20  2018 .
> drwxr-xr-x 5 root root 4096 Jun 29 09:54 ..
>
>
> @soldc4:~$ cat /etc/systemd/resolved.conf
> #  This file is part of systemd.
> #
> #  systemd is free software; you can redistribute it and/or modify it
> #  under the terms of the GNU Lesser General Public License as published by
> #  the Free Software Foundation; either version 2.1 of the License, or
> #  (at your option) any later version.
> #
> # Entries in this file show the compile time defaults.
> # You can change settings by editing this file.
> # Defaults can be restored by simply deleting this file.
> #
> # See resolved.conf(5) for details
>
> [Resolve]
> #DNS=
> #FallbackDNS=
> #Domains=
> #LLMNR=no
> #MulticastDNS=no
> #DNSSEC=no
> #Cache=yes
> #DNSStubListener=yes
>
>
> 1@soldc4:~$ cat /usr/local/samba/etc/smb.conf
> # Global parameters
> [global]
>         netbios name = SOLDC4
>         realm = DOMAIN.LOCAL
>         server role = active directory domain controller
>         workgroup = DOMAIN
>         dns forwarder = 75.75.75.75 208.67.222.222
>         idmap_ldb:use rfc2307 = Yes
>
>         log file = /usr/local/samba/var/log.samba
>         log level = 1 auth_audit:3 auth_json_audit:3
>         debug timestamp = Yes
>         debug uid = Yes
>         debug pid = Yes
>
>         ldap server require strong auth = no
>
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>         read only = No
>
>
> Thanks again for any help.

Remove the DNS forwarders in smb.conf
Reboot
Test again.
Then if it now works.
Re-add the dns forwarders.

Beside the few points your config looks fine.
I'm guessing the hostname was set to 127.0.1.1 when you started the ad-dc for the first time.

Greetz,

Louis

>
> On 8/13/2020 3:19 AM, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Only the forwarder is running in this systemd setup.
> > This : 127.0.0.53:53 does NOT conflict with normal resolv.conf setting
> > Because samba or any dns server does not run on 127.0.0.53
> > Don't make the mistake to see this for : 127.0.0.1
> >
> > Please show :
> > /etc/hosts
> > /etc/resolv.conf
> >
> > Depending on which one you're using:
> >
> > /etc/network/interfaces and/or
> >
> >
> > /etc/netplan/01-netcfg.yaml
> > /etc/systemd/network/.. Output of all files in this folder.
> > /etc/systemd/resolved.conf
> >
> > On one (or more) of these files is a misconfiguration.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> >> Sent: Thursday 13 August 2020 8:19
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Samba DNS fails when queried with nslookup commands
> >>
> >> On 12/08/2020 21:49, James Atwell via samba wrote:
> >>> Hello,
> >>>
> >>>      Having issues with a DC not responding to DNS requests. OS is
> >>> Ubuntu 18.04.4 LTS. Samba version 4.12.2 compiled from source.
> >>> Checking to see what is listening on port 53 reports;
> >>>
> >>> @soldc4:~# netstat -tulpn | grep ":53"
> >>> tcp        0      0 127.0.0.53:53   0.0.0.0:*   LISTEN   2935/systemd-resolv
> >>> tcp6       0      0 :::53           :::*        LISTEN   2694/samba: task[dn
> >>> udp        0      0 127.0.0.53:53   0.0.0.0:*            2935/systemd-resolv
> >>> udp6       0      0 :::53           :::*                 2694/samba: task[dn
> >>>
> >>>
> >>> How do I disable systemd-resolve and ensure only samba is listening on
> >>> port 53 for DNS requests?  You can see below nslookup succeeds when
> >>> querying another server in the network but fails on this one.
> >>>
> >>> root@soldc4:~# nslookup google.com soldc1
> >>> Server:         soldc1
> >>> Address:        172.16.23.28#53
> >>>
> >>> Non-authoritative answer:
> >>> Name:   google.com
> >>> Address: 172.217.7.238
> >>> Name:   google.com
> >>> Address: 2607:f8b0:4004:806::200e
> >>>
> >>> root@soldc4:~# nslookup google.com soldc4
> >>> ;; connection timed out; no servers could be reached
> >>>
> >> Last time I set up a DC on 18.04 I did this:
> >>
> >> sudo systemctl stop systemd-resolved
> >> sudo systemctl disable systemd-resolved.service
> >>
> >> Rowland
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> >
James Atwell
2020-Aug-13 14:47 UTC
[Samba] Samba DNS fails when queried with nslookup commands
On 8/13/2020 9:57 AM, L.P.H. van Belle via samba wrote:
> Hai James,
>
> Thanks, that's exactly what we needed.
> I'll comment below.
>
>
> ** SNIP **

Louis,

      Couldn't figure out how to remove 127.0.0.53 from resolv.conf so I removed systemd-resolve per Rowland's post.  I then removed the forwarders from my smb.conf and rebooted. Nslookup partially worked as it used the other DC in the network to resolve and complained soldc4 couldn't do recursive queries.  I added back in the forwarders and dns resolution appeared to work correctly except on soldc4.

Except for one minor issue still remains. See output below.

@soldc4:~# nslookup soldc4
Server:         172.16.23.30
Address:        172.16.23.30#53

Non-authoritative answer:
*** Can't find soldc4: No answer

root@soldc4:~# nslookup soldc4.domain.local
Server:         172.16.23.30
Address:        172.16.23.30#53

Name:   soldc4.domain.local
Address: 172.16.23.30

The issue now is since I disabled systemd-resolve it also removed my search domain from resolv.conf.

@soldc4:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 172.16.23.30
nameserver 172.16.23.28

Where do I need to add my search domain as I already added to my netplan config and 50-cloud.init.yaml is the only file to config.

ls -la /etc/netplan/
total 12
drwxr-xr-x   2 root root 4096 Aug 13 10:03 .
drwxr-xr-x 113 root root 4096 Aug 13 10:04 ..
-rw-r--r--   1 root root  584 May 28 19:36 50-cloud-init.yaml

Thanks.

-James
L.P.H. van Belle
2020-Aug-13 15:06 UTC
[Samba] Samba DNS fails when queried with nslookup commands
> -----Original message-----
> From: James Atwell [mailto:james.atwell365 at gmail.com]
> Sent: Thursday 13 August 2020 16:48
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Samba DNS fails when queried with nslookup commands
>
>
> On 8/13/2020 9:57 AM, L.P.H. van Belle via samba wrote:
> > Hai James,
> >
> > Thanks, that's exactly what we needed.
> > I'll comment below.
> >
> >
> > ** SNIP **
>
>
> Louis,
>
>       Couldn't figure out how to remove 127.0.0.53 from resolv.conf so
> I removed systemd-resolve per Rowland's post.  I then removed the
> forwarders from my smb.conf and rebooted. Nslookup partially worked as
> it used the other DC in the network to resolve and complained soldc4
> couldn't do recursive queries.  I added back in the forwarders and dns
> resolution appeared to work correctly except on soldc4.
> Except for one minor issue still remains. See output below.

This is sufficient.

systemctl disable systemd-resolved
systemctl mask systemd-resolved

And it won't start again.

>
> @soldc4:~# nslookup soldc4
> Server:         172.16.23.30
> Address:        172.16.23.30#53

nslookup $(hostname -f)
Should work.

>
> Non-authoritative answer:
> *** Can't find soldc4: No answer

This is a correct reply.

>
> root@soldc4:~# nslookup soldc4.domain.local
> Server:         172.16.23.30
> Address:        172.16.23.30#53
>
> Name:   soldc4.domain.local
> Address: 172.16.23.30

So it's in fqdn correct.

If you want nslookup soldc4 to work, then you need the search line in resolv.conf

>
>
> The issue now is since I disabled systemd-resolve it also removed my
> search domain from resolv.conf.
>
> @soldc4:~$ cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> # 127.0.0.53 is the systemd-resolved stub resolver.
> # run "systemd-resolve --status" to see details about the actual nameservers.
> nameserver 172.16.23.30
> nameserver 172.16.23.28

rm /etc/resolv.conf
editor /etc/resolv.conf
search domain.local
nameserver 172.16.23.30
nameserver 172.16.23.28

Also one tip here, if you setup resolv.conf manually
Add :
search domain.local
nameserver 172.16.23.28
nameserver 172.16.23.30

Reboot
Check the dns.
If ok, then change :
search domain.local
nameserver 172.16.23.30
nameserver 172.16.23.28
# Note, ad join DC1 is first, after join, you can switch the nameserver lines.

>
>
> Where do I need to add my search domain as I already added to my netplan
> config and 50-cloud.init.yaml is the only file to config.
>
> ls -la /etc/netplan/
> total 12
> drwxr-xr-x   2 root root 4096 Aug 13 10:03 .
> drwxr-xr-x 113 root root 4096 Aug 13 10:04 ..
> -rw-r--r--   1 root root  584 May 28 19:36 50-cloud-init.yaml
>
> Thanks.

If your config through netplan is/was correct, then and you use systemd-resolved
It should always be correct.

But that's a choice, set resolv.conf manually or set it in your network config.

Currently, I prefer through systemd-networkd its config. ( on debian )
Ubuntu its default is netplan.


So far,

Greetz,

Louis
James Atwell
2020-Aug-13 15:24 UTC
[Samba] Samba DNS fails when queried with nslookup commands
On 8/13/2020 11:06 AM, L.P.H. van Belle via samba wrote:
>
>
>> -----Original message-----
>> From: James Atwell [mailto:james.atwell365 at gmail.com]
>> Sent: Thursday 13 August 2020 16:48
>> To: samba at lists.samba.org
>> CC: L.P.H. van Belle
>> Subject: Re: [Samba] Samba DNS fails when queried with nslookup commands
>>
>>
>> On 8/13/2020 9:57 AM, L.P.H. van Belle via samba wrote:
>>> Hai James,
>>>
>>> Thanks, that's exactly what we needed.
>>> I'll comment below.
>>>
>>>
>>> ** SNIP **
>>
>> Louis,
>>
>>       Couldn't figure out how to remove 127.0.0.53 from resolv.conf so
>> I removed systemd-resolve per Rowland's post.  I then removed the
>> forwarders from my smb.conf and rebooted. Nslookup partially worked as
>> it used the other DC in the network to resolve and complained soldc4
>> couldn't do recursive queries.  I added back in the forwarders and dns
>> resolution appeared to work correctly except on soldc4.
>> Except for one minor issue still remains. See output below.
> This is sufficient.
>
> systemctl disable systemd-resolved
> systemctl mask systemd-resolved
>
> And it won't start again.
>
>
>> @soldc4:~# nslookup soldc4
>> Server:         172.16.23.30
>> Address:        172.16.23.30#53
> nslookup $(hostname -f)
> Should work.
>
>
>> Non-authoritative answer:
>> *** Can't find soldc4: No answer
> This is a correct reply.
>
>> root@soldc4:~# nslookup soldc4.domain.local
>> Server:         172.16.23.30
>> Address:        172.16.23.30#53
>>
>> Name:   soldc4.domain.local
>> Address: 172.16.23.30
> So it's in fqdn correct.
>
> If you want nslookup soldc4 to work, then you need the search line in resolv.conf
>
>
>>
>> The issue now is since I disabled systemd-resolve it also removed my
>> search domain from resolv.conf.
>>
>> @soldc4:~$ cat /etc/resolv.conf
>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>> # 127.0.0.53 is the systemd-resolved stub resolver.
>> # run "systemd-resolve --status" to see details about the actual nameservers.
>> nameserver 172.16.23.30
>> nameserver 172.16.23.28
> rm /etc/resolv.conf
> editor /etc/resolv.conf
> search domain.local
> nameserver 172.16.23.30
> nameserver 172.16.23.28
>
> Also one tip here, if you setup resolv.conf manually
> Add :
> search domain.local
> nameserver 172.16.23.28
> nameserver 172.16.23.30
>
> Reboot
> Check the dns.
> If ok, then change :
> search domain.local
> nameserver 172.16.23.30
> nameserver 172.16.23.28
> # Note, ad join DC1 is first, after join, you can switch the nameserver lines.
>
>
>>
>> Where do I need to add my search domain as I already added to my netplan
>> config and 50-cloud.init.yaml is the only file to config.
>>
>> ls -la /etc/netplan/
>> total 12
>> drwxr-xr-x   2 root root 4096 Aug 13 10:03 .
>> drwxr-xr-x 113 root root 4096 Aug 13 10:04 ..
>> -rw-r--r--   1 root root  584 May 28 19:36 50-cloud-init.yaml
>>
>> Thanks.
> If your config through netplan is/was correct, then and you use systemd-resolved
> It should always be correct.
>
> But that's a choice, set resolv.conf manually or set it in your network config.
>
> Currently, I prefer through systemd-networkd its config. ( on debian )
> Ubuntu its default is netplan.
>
>
> So far,
>
> Greetz,
>
> Louis
>

Everything is working as it should now.  One thing I will add that I did do differently is I remember from previous Ubuntu OS's I could modify the following file to permanently change resolv.conf

/etc/resolvconf/resolv.conf.d/head

I added the search domain there and resolv.conf shows my search domain. From my perspective nslookup is now resolving correctly and I believe the issue is resolved. Thanks again for your and Rowland's help.

-James
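
Added example, not part of any message in this thread: a POSIX shell function that checks copies of resolv.conf and /etc/hosts for the resolver problems discussed above (the 127.0.0.53 stub listed as a nameserver, the DC's own address missing, no search domain, the hostname mapped to 127.0.1.1). The function name, the finding labels and the sample files are constructed for illustration; the addresses and names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread; names and labels are illustrative.
# usage: audit_dc_resolver RESOLV HOSTS DC_IP DOMAIN SHORT; status = number of findings
audit_dc_resolver() {
    resolv=$1; hosts=$2; dc_ip=$3; domain=$4; short=$5; n=0
    # systemd-resolved stub (127.0.0.53) listed as a resolver
    if grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$resolv"; then
        echo "STUB 127.0.0.53 is listed as a nameserver"; n=$((n + 1))
    fi
    # the DC should query its own DNS service
    if ! awk -v ip="$dc_ip" '$1 == "nameserver" && $2 == ip { f = 1 }
                             END { exit !f }' "$resolv"; then
        echo "SELF $dc_ip is not listed as a nameserver"; n=$((n + 1))
    fi
    # without a search line, short names such as "soldc4" get no answer
    if ! awk -v d="$domain" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) f = 1 }
                             END { exit !f }' "$resolv"; then
        echo "SEARCH no 'search $domain' line"; n=$((n + 1))
    fi
    # active (uncommented) 127.0.1.1 entry that names this host
    if awk -v h="$short" '$1 == "127.0.1.1" {
            for (i = 2; i <= NF && $i !~ /^#/; i++) {
                s = $i; sub(/\..*/, "", s); if (s == h) f = 1
            }
        } END { exit !f }' "$hosts"; then
        echo "HOSTS $short is mapped to 127.0.1.1"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample files modelled on those quoted in the thread.
make_samples() {
    printf '%s\n' 'nameserver 172.16.23.30' 'nameserver 172.16.23.28' \
        'nameserver 127.0.0.53' > "$1/resolv.before"
    printf '%s\n' 'search domain.local' 'nameserver 172.16.23.30' \
        'nameserver 172.16.23.28' > "$1/resolv.after"
    printf '%s\n' '127.0.0.1 localhost' '127.0.1.1 soldc4' \
        '172.16.23.30 soldc4.domain.local soldc4' > "$1/hosts.before"
    printf '%s\n' '127.0.0.1 localhost' '#127.0.1.1 soldc4' \
        '172.16.23.30 soldc4.domain.local soldc4' > "$1/hosts.after"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for s in before after; do
    echo "== $s =="
    audit_dc_resolver "$tmp/resolv.$s" "$tmp/hosts.$s" 172.16.23.30 domain.local soldc4 ||
        echo "findings: $?"
done
rm -rf "$tmp"
```

On a live DC the first two arguments would be /etc/resolv.conf and /etc/hosts; the function only reads them.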