Hello all,

I'm trying to add a self compiled samba 4.12 DC to a Windows 2008R2 domain. Adding the samba DC was troublesome but successful (I had to modify join.py as I saw in another thread "Join Samba to a Windows AD ERR_DS_NO_CROSSREF_FOR_NC"). After that I could join the samba DC and everything seemed ok.

But now, when I check the DNS server on the samba DC using the windows DNS manager, I get "Zone not loaded by DNS server. The zone data may not be available in AD or the zone data is corrupt". I cannot access that specific zone. _msdcs seems ok and also reverse zone seems to work.

samba_dnsupdate --verbose --all-names gives no error. But syslog complains that (MyDomain is just a bogus name)

Sep 13 16:18:07 DC2 samba[16975]: UpdateRefs failed with WERR_DS_DRA_BUSY/NT code 0xc00020f6 for 541b7f45-3e95-4e74-be56-37fc37338fb9._msdcs.MyDomain.lx.pt CN=Configuration,DC=MyDomain,DC=lx,DC=pt
Sep 13 16:24:23 DC2 samba[16970]: [2020/09/13 16:24:23.129173, 0] ../../source4/rpc_server/dnsserver/dnsdata.c:409(dnsp_to_dns_copy)
Sep 13 16:24:23 DC2 samba[16970]: dnsserver: Found Unhandled DNS record type=49
ndr_push_DNS_RPC_DATA: ndr_push_error(Bad Switch): Bad switch value 49 at librpc/gen_ndr/ndr_dnsserver.c:548

and bind.log says

13-Sep-2020 16:19:52.315 notify: notice: client @0x7f21640a9f20 192.168.59.111#55998: received notify for zone '59.168.192.in-addr.arpa': not authoritative
13-Sep-2020 16:20:28.656 notify: notice: client @0x7f21640a9f20 192.168.59.111#56617: received notify for zone '59.168.192.in-addr.arpa': not authoritative
13-Sep-2020 16:20:56.836 notify: notice: client @0x7f21640a9f20 192.168.59.111#56531: received notify for zone '59.168.192.in-addr.arpa': not authoritative
13-Sep-2020 16:22:03.949 notify: notice: client @0x7f21640a9f20 192.168.59.111#55973: received notify for zone '59.168.192.in-addr.arpa': not authoritative

I've set up bind according to "https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server"

Recreating the zone works for a while. Restarting bind gives no error.

Any help on getting the DNS working would be very much appreciated.

Best regards,
Carlos

Some details on my setup:

DC1 - windows server 2008R2 +DNS +DHCP (IP=192.168.59.111)
DC2 - debian Buster +DNS (bind 9.11.5) Samba 4.12.6 (192.168.59.112) - no DHCP

resolv.conf:

domain MyDomain.lx.pt
search MyDomain.lx.pt
nameserver 192.168.59.112

my named.conf.options:

acl internals { 127.0.0.0/8; 192.168.59.0/24; };
options {
    directory "/var/cache/bind";
    version "Go Away 0.0.7";
    notify no;
    empty-zones-enable no;
    auth-nxdomain yes;
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.59.112; 127.0.0.1; ::1; };

    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    minimal-responses yes;

    allow-query {
        127.0.0.1;
        192.168.59.0/24;
    };
    allow-query-cache {
        127.0.0.1;
        192.168.59.0/24;
    };
    recursion yes;
    allow-recursion {
        127.0.0.1;
        192.168.59.0/24;
    };
    tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
};

zone "." {
    type hint;
    file "named.root";
};
zone "localhost" {
    type master;
    file "master/localhost.zone";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

my smb.conf

[global]
netbios name = DC2
realm = MyDomain.LX.PT
server role = active directory domain controller
workgroup = MyDomain
idmap_ldb:use rfc2307 = yes
log level = 1 auth_json_audit:2@/var/log/samba/auth.log sam:2@ /var/log/$
log file = /var/log/samba/samba.log
server services = -dns
template shell = /bin/bash
template homedir = /home/%U

Rowland penny
2020-Sep-13 16:10 UTC
[Samba] DNS problems when adding samba DC to win2008R2
On 13/09/2020 16:46, Carlos Jesus via samba wrote:
> Hello all,
>
> I'm trying to add a self compiled samba 4.12 DC to a Windows 2008R2
> domain. Adding the samba DC was troublesome but successful (I had to
> modify join.py as I saw in another thread "Join Samba to a Windows AD
> ERR_DS_NO_CROSSREF_FOR_NC"). After that I could join the samba DC and
> everything seemed ok.

Could you provide a link to that thread?

> my named.conf.options:
> acl internals { 127.0.0.0/8; 192.168.59.0/24; };
> options {
>     directory "/var/cache/bind";
>     version "Go Away 0.0.7";
>     notify no;
>     empty-zones-enable no;
>     auth-nxdomain yes;
>     forwarders { 8.8.8.8; 8.8.4.4; };
>     allow-transfer { none; };
>     listen-on-v6 { none; };
>     listen-on port 53 { 192.168.59.112; 127.0.0.1; ::1; };
>
>     dnssec-validation no;
>     dnssec-enable no;
>     dnssec-lookaside no;
>     minimal-responses yes;
>
>     allow-query {
>         127.0.0.1;
>         192.168.59.0/24;
>     };
>     allow-query-cache {
>         127.0.0.1;
>         192.168.59.0/24;
>     };
>     recursion yes;
>     allow-recursion {
>         127.0.0.1;
>         192.168.59.0/24;
>     };
>     tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> };
>
> zone "." {
>     type hint;
>     file "named.root";
> };
> zone "localhost" {
>     type master;
>     file "master/localhost.zone";
> };
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "master/0.0.127.zone";
> };

You are missing "include "/var/lib/samba/bind-dns/named.conf";" in your named.conf file.

Rowland

Hi Rowland,

thank you for your help. I've added the include "/var/lib/samba/bind-dns/named.conf" in /etc/bind/named.conf instead of named.conf.options.

As for the link, here it goes. https://lists.samba.org/archive/samba/2019-July/224546.html

Best regards

Rowland penny via samba <samba at lists.samba.org> wrote on Sunday, 13/09/2020 at 17:11:

> On 13/09/2020 16:46, Carlos Jesus via samba wrote:
> > Hello all,
> >
> > I'm trying to add a self compiled samba 4.12 DC to a Windows 2008R2
> > domain. Adding the samba DC was troublesome but successful (I had to
> > modify join.py as I saw in another thread "Join Samba to a Windows AD
> > ERR_DS_NO_CROSSREF_FOR_NC"). After that I could join the samba DC and
> > everything seemed ok.
>
> Could you provide a link to that thread?
>
> > my named.conf.options:
> > acl internals { 127.0.0.0/8; 192.168.59.0/24; };
> > options {
> >     directory "/var/cache/bind";
> >     version "Go Away 0.0.7";
> >     notify no;
> >     empty-zones-enable no;
> >     auth-nxdomain yes;
> >     forwarders { 8.8.8.8; 8.8.4.4; };
> >     allow-transfer { none; };
> >     listen-on-v6 { none; };
> >     listen-on port 53 { 192.168.59.112; 127.0.0.1; ::1; };
> >
> >     dnssec-validation no;
> >     dnssec-enable no;
> >     dnssec-lookaside no;
> >     minimal-responses yes;
> >
> >     allow-query {
> >         127.0.0.1;
> >         192.168.59.0/24;
> >     };
> >     allow-query-cache {
> >         127.0.0.1;
> >         192.168.59.0/24;
> >     };
> >     recursion yes;
> >     allow-recursion {
> >         127.0.0.1;
> >         192.168.59.0/24;
> >     };
> >     tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> > };
> >
> > zone "." {
> >     type hint;
> >     file "named.root";
> > };
> > zone "localhost" {
> >     type master;
> >     file "master/localhost.zone";
> > };
> > zone "0.0.127.in-addr.arpa" {
> >     type master;
> >     file "master/0.0.127.zone";
> > };
>
> You are missing "include "/var/lib/samba/bind-dns/named.conf";" in your
> named.conf file.
>
> Rowland
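
A check for the problem discussed in this thread, as an added example that is not code from either poster or from the Samba project: it follows `include` statements from named.conf and reports when no Samba `bind-dns/named.conf` is pulled in. Because the thread mentions two different bind-dns directories, it also compares the include's directory with the `tkey-gssapi-keytab` directory; that both files live side by side is an assumption of this check, and the file contents below are constructed samples.

```python
import posixpath
import re

# Constructed sample files modelled on the configuration quoted in the thread.
SAMPLE_FILES = {
    "/etc/bind/named.conf":
        'include "/etc/bind/named.conf.options";\n'
        '// include "/usr/local/samba/bind-dns/named.conf";\n'
        'include "/var/lib/samba/bind-dns/named.conf";\n',
    "/etc/bind/named.conf.options":
        'options {\n'
        '    /* tkey-gssapi-keytab "/old/dns.keytab"; */\n'
        '    tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";\n'
        '};\n',
}

# Simplified comment stripping: assumes no "//", "/*" or "#" inside quoted strings.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"\s*;')
KEYTAB_RE = re.compile(r'\btkey-gssapi-keytab\s+"([^"]+)"\s*;')

def scan(files, root):
    """Follow includes from root; return (includes, keytabs, missing files)."""
    includes, keytabs, missing, seen, queue = [], [], [], set(), [root]
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        if path not in files:          # referenced but not present
            missing.append(path)
            continue
        text = COMMENT_RE.sub("", files[path])
        keytabs += KEYTAB_RE.findall(text)
        found = INCLUDE_RE.findall(text)
        includes += found
        queue += found
    return includes, keytabs, missing

def check_dlz_include(files, root="/etc/bind/named.conf"):
    """Return a list of findings; an empty list means the checks passed."""
    includes, keytabs, missing = scan(files, root)
    dlz = [p for p in includes if p.endswith("/bind-dns/named.conf")]
    findings = [] if dlz else ["no include of a Samba bind-dns/named.conf"]
    for inc in dlz:
        if inc in missing:
            findings.append(f"included file not found: {inc}")
        for kt in keytabs:
            if posixpath.dirname(kt) != posixpath.dirname(inc):
                findings.append(f"keytab {kt} is not beside {inc}")
    return findings
```

To run it against a live system, build the `files` mapping by reading the real configuration files instead of using `SAMPLE_FILES`.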