Hello,

I'm running an AD Domain using Samba 4.9.5 on Debian 10. I recently encountered an issue where a DNS record started acting funny. I'll call the record `sw1.example.com`.

We're not sure of the exact sequence, but it involved changing a CNAME and ended like this:
- Admin 1 deleted the DNS record using Windows RSAT DNS Manager.
- Admin 2 recreated a DNS record (with that name), but it would not resolve. He was surprised to see that Admin 1 was the owner on the new record (in DNS Manager).
- Admin 2 deleted the record again.

I started investigating and confirmed that the record was not present in DNS Manager.

When I queried the whole zone, I would see sw1 with 0 Records:

    dc1:~$ samba-tool dns query dc1 example.com '@' ALL | grep sw1
      Name=sw1, Records=0, Children=0

Oddly, when I query for `sw1`, it shows up with weird results:

    dc1:~$ samba-tool dns query dc1 example.com 'sw1' ALL
      Name=, Records=0, Children=0

Why is `Name=` empty?! And if there are no Records and no Children then it shouldn't exist at all, right?

So then I dug into the DNS LDAP objects using ADSI Edit (DC=DomainDnsZones,DC=example,DC=com). I was surprised to see an object:

    DC=sw1,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com

It had one dnsRecord [1] attribute with the following (modified/redacted) data:

    2A 00 05 00 05 00 00 00 BD 00 00 00 00 00 0E 10 00 00 00 00 00 00 00 00 ...

Decoding this manually, I found:

    dnsRecord:
        DataLength: 42
        Type: 5 (DNS_TYPE_CNAME)
        Version: 5
        Rank: 0 (No RANK_* flags set!)
        Flags: 0
        Serial: 189
        TtlSeconds: 3600
        Reserved: 0
        TimeStamp: 0
        Data: ...

Note that Rank is 0, which means none of the RANK_* flags are set!

In other functional records, I see Rank=0xF0 (RANK_ZONE, which means "The record comes from an authoritative zone.")

So this "stale" dnsRecord attribute with Rank=0:
- Somehow prevents the "good" dnsRecord from working
- Does not appear in any DNS "views" (a DNS query, samba-tool, or DNS Manager)
- Keeps the owning LDAP `dnsNode` object alive/around
- Which is why Admin 1 continually showed up as the owner, even though Admin 2 thought he re-created the record

To fix this, I:
- Deleted the `sw1` A record in DNS Manager
- Renamed the `sw1` dnsNode object in ADSI Edit to `xxx-broken-sw1`
- Confirmed that `samba-tool dns query` gave the expected non-results.
- Created the record as usual.

So of course, the big question is: "How the hell did Rank get set to 0x00 on this dnsRecord?"

I can't find anywhere in the samba source code that would ever set Rank=0. But there is plenty of code (e.g. `dns_fill_records_array`) that explicitly checks for DNS_RANK_ZONE.

I have to assume that the Windows "DNS Manager" RSAT tool did this (via LDAP), but I have no idea why, nor can I recreate this.

I still have the xxx-broken-sw1 record for forensic purposes, although I'd like to delete it soon.

Has anyone ever seen anything like this?

Best regards,
Jonathon Reinhart

[1]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/6912b338-5472-4f59-b912-0edb536b6ed8
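The manual decode in the post above can be automated, which also makes it possible to sweep a whole zone for other dnsNode objects carrying a non-RANK_ZONE value. The script below is an added example for this thread, not code from the post or from Samba: it parses the fixed 24-byte dnsRecord header (MS-DNSP 2.3.2.2; TtlSeconds is the one big-endian field), decodes DNS_COUNT_NAME data for CNAME/NS/PTR and the 4-byte data of A records, and then walks LDIF as `ldbsearch` prints it (binary attributes appear as `dnsRecord:: <base64>`), counting per node how many values carry RANK_ZONE and listing those that do not. The rank names are the MS-DNSP / Samba dnsp.idl values; the sample LDIF, the CNAME target `sw1-old.example.com` and the address 192.0.2.10 are constructed for the example. The only real input is the 24 header bytes quoted in the post, which the script decodes to Type=5, Rank=0, Serial=189, TTL=3600.

```python
"""Decode AD dnsRecord attribute values and flag values whose Rank is not
RANK_ZONE (the stale sw1 case above). Added example, not from the thread
or from Samba; the LDIF sample below is constructed."""
import base64
import struct

RANK_ZONE = 0xF0
# Rank values per MS-DNSP 2.2.2.2.4 / Samba dnsp.idl; the post's record has 0.
RANK_NAMES = {0x00: "RANK_NONE", 0x01: "RANK_CACHE_BIT", 0x08: "RANK_ROOT_HINT",
              0x20: "RANK_OUTSIDE_GLUE", 0x80: "RANK_GLUE", 0x82: "RANK_NS_GLUE",
              0xF0: "RANK_ZONE"}
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}

# Fixed header: little-endian throughout except TtlSeconds (network order).
_HEAD = struct.Struct("<HHBBHI")   # DataLength, Type, Version, Rank, Flags, Serial
_TTL = struct.Struct(">I")         # TtlSeconds
_TAIL = struct.Struct("<II")       # Reserved, TimeStamp
HEADER_LEN = _HEAD.size + _TTL.size + _TAIL.size   # 24

# The 24 header bytes quoted in the post (its Data portion was elided).
POST_HEADER_HEX = "2A 00 05 00 05 00 00 00 BD 00 00 00 00 00 0E 10 00 00 00 00 00 00 00 00"


def parse_header(blob: bytes) -> dict:
    """Decode only the fixed header, so a value with elided Data still decodes."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord value shorter than its 24-byte header")
    data_len, rtype, version, rank, flags, serial = _HEAD.unpack_from(blob, 0)
    (ttl,) = _TTL.unpack_from(blob, _HEAD.size)
    reserved, timestamp = _TAIL.unpack_from(blob, _HEAD.size + _TTL.size)
    return {"data_length": data_len, "type": rtype,
            "type_name": TYPE_NAMES.get(rtype, str(rtype)), "version": version,
            "rank": rank, "rank_name": RANK_NAMES.get(rank, "0x%02x" % rank),
            "flags": flags, "serial": serial, "ttl": ttl,
            "reserved": reserved, "timestamp": timestamp}


def decode_count_name(data: bytes) -> str:
    """DNS_COUNT_NAME: Length, LabelCount, then (len, label)* and a 0x00 terminator."""
    length, nlabels = data[0], data[1]
    if len(data) < 2 + length:
        raise ValueError("truncated DNS_COUNT_NAME")
    pos, labels = 2, []
    for _ in range(nlabels):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if nlabels and data[pos] != 0:
        raise ValueError("DNS_COUNT_NAME missing terminator")
    return ".".join(labels)


def encode_count_name(name: str) -> bytes:
    """Inverse of decode_count_name; used here only to build sample data."""
    labels = name.rstrip(".").split(".")
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def parse_dnsrecord(blob: bytes) -> dict:
    """Header plus a readable value for A/NS/CNAME/PTR; rejects a short Data field."""
    rec = parse_header(blob)
    data = blob[HEADER_LEN:HEADER_LEN + rec["data_length"]]
    if len(data) != rec["data_length"]:
        raise ValueError("DataLength %d exceeds value size" % rec["data_length"])
    rec["data"] = data
    if rec["type"] == 1 and len(data) == 4:
        rec["value"] = ".".join(str(b) for b in data)
    elif rec["type"] in (2, 5, 12):
        rec["value"] = decode_count_name(data)
    return rec


def build_dnsrecord(rtype: int, rank: int, serial: int, ttl: int, data: bytes) -> bytes:
    """Assemble a Version-5 dnsRecord value with Flags/Reserved/TimeStamp zero."""
    return (_HEAD.pack(len(data), rtype, 5, rank, 0, serial)
            + _TTL.pack(ttl) + _TAIL.pack(0, 0) + data)


def iter_ldif_records(ldif: str):
    """Yield (dn, raw dnsRecord bytes) from ldbsearch LDIF; unfolds continuation lines."""
    dn, lines = None, []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # LDIF wraps long values with a leading space
        else:
            lines.append(line)
    for line in lines:
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("dnsRecord:: ") and dn:
            yield dn, base64.b64decode(line[len("dnsRecord:: "):].strip())


def triage(ldif: str) -> dict:
    """Per dnsNode: count of RANK_ZONE values and a list of the values that are not.
    Counting only RANK_ZONE applies the check the post points to in
    dns_fill_records_array; 0 authoritative values plus a stale one is the
    'Records=0 yet the LDAP object survives' case."""
    out = {}
    for dn, blob in iter_ldif_records(ldif):
        rec = parse_dnsrecord(blob)
        node = out.setdefault(dn, {"authoritative": 0, "stale": []})
        if rec["rank"] == RANK_ZONE:
            node["authoritative"] += 1
        else:
            node["stale"].append("%s rank=%s serial=%d"
                                 % (rec["type_name"], rec["rank_name"], rec["serial"]))
    return out


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


# Constructed sample: sw1 carries a Rank=0 CNAME like the post, dc1 a normal A record.
SAMPLE_LDIF = "\n".join([
    "dn: DC=sw1,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com",
    "dnsRecord:: " + _b64(build_dnsrecord(5, 0x00, 189, 3600,
                                           encode_count_name("sw1-old.example.com"))),
    "",
    "dn: DC=dc1,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com",
    "dnsRecord:: " + _b64(build_dnsrecord(1, RANK_ZONE, 190, 900, bytes([192, 0, 2, 10]))),
    "",
])

if __name__ == "__main__":
    print(parse_header(bytes.fromhex(POST_HEADER_HEX)))
    for dn, node in triage(SAMPLE_LDIF).items():
        if node["stale"]:
            print("STALE", dn, node)
```

To run it against a real zone, feed it the output of something like `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=DomainDnsZones,DC=example,DC=com' '(objectClass=dnsNode)' dnsRecord` (the sam.ldb path is the Debian default and an assumption here) instead of SAMPLE_LDIF; run it on the DC, since the private directory is not readable otherwise. Nodes reported with zero authoritative values and a non-empty stale list are the candidates for the rename-and-recreate fix described in the post, and their serial numbers are worth comparing with the replPropertyMetaData on the same object before deleting anything.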
You have 4 options:

1. Use the SerNet packages and buy support with them.
2. Use Debian packages, but 4.9.x is way too old. If this is a minimally installed server, upgrade to Bullseye; then you're on 4.13.3.
3. Use my repo. Upgrade to at least 4.12.x.
4. Compile the latest yourself.

You've hit old bugs. The only good fix is to upgrade Samba.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jonathon Reinhart via samba
> Sent: Friday, 22 January 2021 15:40
> To: samba
> Subject: [Samba] Bogus dnsRecord attribute with Rank==0
On Fri, 2021-01-22 at 09:40 -0500, Jonathon Reinhart via samba wrote:
> I have to assume that the Windows "DNS Manager" RSAT tool did this (via LDAP),
> but I have no idea why, nor can I recreate this.

We are not aware of any Microsoft clients directly modifying LDAP. Samba will, during the domain join, but only to change an ACL; we try to create the record over RPC to avoid trouble like this.

> I still have the xxx-broken-sw1 record for forensic purposes, although I'd
> like to delete it soon.

You might get some clues as to when that attribute was last modified (if that helps) in the replPropertyMetaData.

> Has anyone ever seen anything like this?

Very, very strange. Yes, DNS is odd, particularly with tombstoned records and with the multiple records (attribute values) within a single LDAP record (which means that there is an owner for the full name, even in situations like this).

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba