samba - Sep 2020 - Bind9 issue

Yesterday I had an issue with Samba v 4.13.0.

Went to backup and discovered backup computer has a drive failure and
backup is gone.

Only resort is to rebuild the DC.

I cannot figure out why bind9 will not "host -t SRV _ldap._
tcp.ad.dtntwk.work." or "host -t SRV
_kerberos._udp.ad.dtntwk.work."

root at dc1:~# host -t SRV
_ldap._tcp.subdom.example.com.
> _ldap._tcp.subdom.example.com has no SRV record
>
root at dc1:~# host -t SRV
_kerberos._udp.subdom.example.com.
> _ldap._tcp.subdom.example.com has no SRV record
>
root at dc1:~# host -t A dc1.subdom.example.com.
> dc1.subdom.example.com has address 164.98.xxx.xxx
>
This ip address is my external ip provided from the ISP. It should be a
local ip (192.168.0.xx)

root at dc1:~# cat /etc/bind/named.conf
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on
> the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
 root at dc1:~# cat /etc/bind/named.conf.local
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> // adding the dlopen ( Bind DLZ ) module for samba.
> // at install debian already sets the correct bind9.XX version in this
> file below.
> include "/var/lib/samba/bind-dns/named.conf";
>
root at dc1:~# cat /etc/bind/named.conf.options
> // Defined ACL Begin
>         // define only ONE ip for thisserverip.
>         acl thisserverip {
>               // IF DC1
>                 192.168.0.41;
>               //
>                 };
>
>         acl all-networks {
>         // defines which networks are allowed to access/querie this server.
>         // add/remove networks if needed.
>                 192.168.0.0/24;
>                 };
>         // Defined ACL End
>
>         options {
>                 directory "/var/cache/bind";
>                 version "0.0.7";  // James Bond its DNS server
>
>                 // My ISP dns servers, change to you needs. (optional),
> test without it enabled.
>                 forwarders {  8.8.8.8; 8.8.4.4; };
>
>
>
//=======================================================================>   
// If BIND logs error messages about the root key being
> expired,
>                 // you will need to update your keys.  See
> https://www.isc.org/bind-keys
>
>
//=======================================================================>   
dnssec-validation no;  // i forgot why i set it to no.
> Sorry..
>
>                 auth-nxdomain yes;    // Because this server is an
> Authoritive server for domain. your.domain.tld
>                 listen-on-v6 { "none"; };  // I disabled Ipv6, i
dont use
> it yet
>                 listen-on port 53 { "thisserverip"; 127.0.0.1; };
>                 notify no;
>                 // Added Per Debian buster.
>                 // due to : resolver: info: resolver priming query complete
>                 //
>
https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
>                 minimal-responses yes;
>
>                 // security: warning: client 127.0.0.1#47583: RFC 1918
> response from Internet for xx.xx.xx.xx.in-addr.arpa
>                 empty-zones-enable no;
>
>                 //  Add any subnets or hosts you want to allow to use this
> DNS server
>                 allow-query { "all-networks"; 127.0.0.1/32; };
>                 allow-query-cache { "all-networks"; 127.0.0.1/32;
};
>
>                 //  Add any subnets or hosts you want to allow to use
> recursive queries
>                 allow-recursion {  "all-networks"; 127.0.0.1/32;
};
>
>                 // https://wiki.samba.org/index.php/Dns-backend_bind
>                 // DNS dynamic updates via Kerberos (optional, but
> recommended)
>               // the OLD location of dns.keytab
>                 //tkey-gssapi-keytab
"/var/lib/samba/private/dns.keytab";
>               // the NEW location of dns.keytab
>                 tkey-gssapi-keytab
"/var/lib/samba/bind-dns/dns.keytab";
>               // ! This part, one of the 2 DC's does not have the file
in
> the correct place.
>                 // that needs extra attention.
>                 // and if needed review :
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>                 // section : setting up BIND9 options and keytab for
> Kerberos
>
>               // Extra's
>                 // Caching settings
>                 max-cache-size 100m;
>                 //cleaning-interval 1;    // clean cache every 1 minutes
>                 //max-cache-ttl 120;        // limit cached record to a
> 60s TTL
>
>         };
>
>         // rndc.key is installed by default on debian. Just a matter of
> enableing it.
>         include "/etc/bind/rndc.key";
>             controls {
>              inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
>         //     inet ::1 allow { ::1; } keys { rndc-key; };
>         };
>
root at dc1:~# cat /etc/resolv.conf
> search subdom.example.com
> nameserver 192.168.0.41
>
 root at dc1:~# cat /etc/krb5.conf
> [libdefaults]
>      default_realm = SUBDOM.EXAMPLE.COM
>      dns_lookup_kdc = true
>      dns_lookup_realm = false
> ;   forwardable = true
> ;   proxiable = true
> ;    ticket_lifetime = 24h
> ;    renew_lifetime = 7d
> ;    ccache_type = 4
>
>
> ; A note: This is not used for nfs4 but cifs uses it.
> ; for Windows 2003
> ;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ;
> ; for Windows 2008 with AES
>      default_tgs_enctypes =  aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>      default_tkt_enctypes = aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>      permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> rc4-hmac des-cbc-crc des-cbc-md5
>
And "dpkg-reconfigure krb5-user" will not reconfigure.

root at dc1:~# kinit administrator
> kinit: Cannot find KDC for realm "SUBDOM.EXAMPLE.COM" while
getting
> initial credentials
>
root at dc1:~# cat /etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> source /etc/network/interfaces.d/*
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug enp1s0
> iface enp1s0 inet static
> address 192.168.0.41/24
> gateway 192.168.0.106
> # dns-* options are implemented by the resolvconf package, if installed
> ## dns-nameservers 8.8.8.8
> dns-nameservers 192.168.0.41
> dns-search subdom.example.com
>
Additional info, my subdom is on a registered FQDN. Which is why I think I
am getting an external ip address.

Any suggestions would be greatly appreciated?

On 30/09/2020 13:22, Robert Wooden via samba wrote:
> Yesterday I had an issue with Samba v 4.13.0.
>
> I cannot figure out why bind9 will not "host -t SRV _ldap._
> tcp.ad.dtntwk.work." or "host -t SRV
_kerberos._udp.ad.dtntwk.work."
>
> root at dc1:~# host -t SRV _ldap._tcp.subdom.example.com.
Hmm, is 'subdom.example.com' really 'ad.dtntwk.work'
?
>> dc1.subdom.example.com has address 164.98.xxx.xxx
>>
> This ip address is my external ip provided from the ISP. It should be a
> local ip (192.168.0.xx)
How is your internal device getting an external IP ?
>
> root at dc1:~# cat /etc/bind/named.conf
Your bind files are the same as mine, except I have these in 'options' :

dnssec-enable no;
dnssec-lookaside no;
allow-transfer { none; };
>>          // rndc.key is installed by default on debian. Just a matter
of
>> enableing it.
>>          include "/etc/bind/rndc.key";
>>              controls {
>>               inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
>>          //     inet ::1 allow { ::1; } keys { rndc-key; };
>>          };
I also do not have the rndc lines, they are not required.
> And "dpkg-reconfigure krb5-user" will not reconfigure.
Strange.
>
> root at dc1:~# kinit administrator
>> kinit: Cannot find KDC for realm "SUBDOM.EXAMPLE.COM" while
getting
>> initial credentials
Are Samba and Bind9 running ?

Is 'subdom.example.com' a registered domain, or is 'example.com'
the
registered domain ?

Rowland

Is bind running? Im not seeing any thing on that part? 

systemctl status bind9 
If not run : 

systemctl start bind9 
cat /var/log/daemon.log |grep named

Post the log. 

I dont have much time atm, due to some "corona" preparations the
office is making.
But i'll keep an eye on the list on whats going on here. 

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland penny via samba
> Verzonden: woensdag 30 september 2020 15:09
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Bind9 issue
> 
> On 30/09/2020 13:22, Robert Wooden via samba wrote:
> > Yesterday I had an issue with Samba v 4.13.0.
> >
> > I cannot figure out why bind9 will not "host -t SRV _ldap._
> > tcp.ad.dtntwk.work." or "host -t SRV
_kerberos._udp.ad.dtntwk.work."
> >
> > root at dc1:~# host -t SRV _ldap._tcp.subdom.example.com.
> Hmm, is 'subdom.example.com' really 'ad.dtntwk.work' ?
> >> dc1.subdom.example.com has address 164.98.xxx.xxx
> >>
> > This ip address is my external ip provided from the ISP. It 
> should be a
> > local ip (192.168.0.xx)
> How is your internal device getting an external IP ?
> >
> > root at dc1:~# cat /etc/bind/named.conf
> 
> Your bind files are the same as mine, except I have these in 
> 'options' :
> 
> dnssec-enable no;
> dnssec-lookaside no;
> allow-transfer { none; };
> 
> >>          // rndc.key is installed by default on debian. 
> Just a matter of
> >> enableing it.
> >>          include "/etc/bind/rndc.key";
> >>              controls {
> >>               inet 127.0.0.1 allow { localhost; } keys { 
> rndc-key; };
> >>          //     inet ::1 allow { ::1; } keys { rndc-key; };
> >>          };
> I also do not have the rndc lines, they are not required.
> 
> > And "dpkg-reconfigure krb5-user" will not reconfigure.
> Strange.
> >
> > root at dc1:~# kinit administrator
> >> kinit: Cannot find KDC for realm "SUBDOM.EXAMPLE.COM"
while getting
> >> initial credentials
> Are Samba and Bind9 running ?
> 
> Is 'subdom.example.com' a registered domain, or is
'example.com' the
> registered domain ?
> 
> Rowland
> 
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

Rowland,
To answer you first, my "example.com" registered host is a wildcat
" *.
example.com". Everything example.com returns my external ip address.

Both bind9 and samba are running.

Might add your "options" but for now, solving my problem, first.

Louis, your answer in a few minutes.

On Wed, Sep 30, 2020 at 8:09 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 30/09/2020 13:22, Robert Wooden via samba wrote:
> > Yesterday I had an issue with Samba v 4.13.0.
> >
> > I cannot figure out why bind9 will not "host -t SRV _ldap._
> > tcp.ad.dtntwk.work." or "host -t SRV
_kerberos._udp.ad.dtntwk.work."
> >
> > root at dc1:~# host -t SRV _ldap._tcp.subdom.example.com.
> Hmm, is 'subdom.example.com' really 'ad.dtntwk.work' ?
> >> dc1.subdom.example.com has address 164.98.xxx.xxx
> >>
> > This ip address is my external ip provided from the ISP. It should be
a
> > local ip (192.168.0.xx)
> How is your internal device getting an external IP ?
> >
> > root at dc1:~# cat /etc/bind/named.conf
>
> Your bind files are the same as mine, except I have these in
'options' :
>
> dnssec-enable no;
> dnssec-lookaside no;
> allow-transfer { none; };
>
> >>          // rndc.key is installed by default on debian. Just a
matter of
> >> enableing it.
> >>          include "/etc/bind/rndc.key";
> >>              controls {
> >>               inet 127.0.0.1 allow { localhost; } keys { rndc-key;
};
> >>          //     inet ::1 allow { ::1; } keys { rndc-key; };
> >>          };
> I also do not have the rndc lines, they are not required.
>
> > And "dpkg-reconfigure krb5-user" will not reconfigure.
> Strange.
> >
> > root at dc1:~# kinit administrator
> >> kinit: Cannot find KDC for realm "SUBDOM.EXAMPLE.COM"
while getting
> >> initial credentials
> Are Samba and Bind9 running ?
>
> Is 'subdom.example.com' a registered domain, or is
'example.com' the
> registered domain ?
>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>