On 15/06/2021 13:32, Marco Gaiarin via samba wrote:
> Mandi! L.P.H. van Belle via samba
> In chel di` si favelave...
>
> Sorry, I come back on this.
>
>> You really should do this differently..
>> Because..
>> A working DNS domain should be established with forward and
>> reverse mappings to at least the Kerberos KDC (Samba-DC's)
>> and application servers you intend to Kerberize.
> OK. But why in AD does the reverse zone not get created automatically, and need
> to be created by hand?
Because it isn't strictly required, but it works better with it.
> Why does the forward zone get populated automatically directly by joined
> clients, while reverse needs DHCP?
No, you don't need DHCP for reverse records on Windows clients, you just
need to configure them to update their reverse records.
>
>
>> If you use bind_DLZ as you're doing and you want other zones synced to
>> another domain and you have bind running, as you have..
>> Why not use a master/slave setup of bind9 to do that.
>> So that keeps the question, why is it "suddenly" different.
> But I've clearly a master/slave setup, all DCs have a 'standard' conf using
> bind_DLZ, as the wiki suggests.
No you haven't, all AD DCs running a DNS server are masters, it is
known as multimaster, there are no 'slaves'.
>
> For now, I'm simply asking a rather simple question.
>
> 1) client boots and registers itself on 'VDCSV1'; I see no error in the
> logs:
>
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT$@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=AAAA key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT$@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT$@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
> Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' AAAA
> Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' A
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: subtracted rdataset gaunt.ad.fvg.lnf.it 'gaunt.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.6'
> Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'gaunt.ad.fvg.lnf.it' A 10.5.2.6
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: added rdataset gaunt.ad.fvg.lnf.it 'gaunt.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.6'
>
> if I query that DC's DNS, I get the correct result:
>
> gaio@hermione:~/conf/samba/manage$ dig a gaunt.ad.fvg.lnf.it @vdcsv1.ad.fvg.lnf.it | grep ^gaunt
> gaunt.ad.fvg.lnf.it. 1200 IN A 10.5.2.6
>
> if I query the other DC's DNS in the same site, I get:
>
> gaio@hermione:~/conf/samba/manage$ dig a gaunt.ad.fvg.lnf.it @vdcsv2.ad.fvg.lnf.it | grep ^gaunt
> gaunt.ad.fvg.lnf.it. 1200 IN A 10.5.2.33
>
> a different result.
You appear to have replication errors.
>
> Because DNS data are in AD/LDAP, I suppose that a 'samba-tool drs
> showrepl' or a 'samba-tool ldapcmp' will return some differences, but
> data seems replicated correctly around all DCs.
>
>
> Why do the domains seem healthy but not replicate DNS data?!
No idea, but you do seem to have replication problems, my DCs always
produce the same result.
>
>
>> My "guess" is, the latest "security fix" change of bind fixed something,
>> which now is your problem.
>> See Debian LTS: DLA-2647-1: bind9
> Mmmhh... interesting... I've landed at:
>
> https://kb.isc.org/docs/cve-2021-25216
>
> that stated:
>
> In a configuration which uses BIND's default settings the vulnerable
> code path is not exposed, but a server can be rendered vulnerable by explicitly
> setting values for the tkey-gssapi-keytab or tkey-gssapi-credential
> configuration options.
>
> effectively as suggested by the samba docs, I've added:
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
Aha, wrong path, it is now '/var/lib/samba/bind-dns/dns.keytab'.
Can you provide a link to where it says to use the 'old' path?
>
> I've tried to look up the Debian patch for 9.10, but I've not found
> that.
>
>
> Setting:
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> in smb.conf could be a useful workaround?
That only works for the default dns records, not the client records.
Rowland
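As an added example (not code from this thread, from Samba or from BIND), the following Python script does the two checks the exchange above turns on: it parses the `client ... updating zone` lines that named logs for secure dynamic updates, so an admin can see which machine account changed which record from which source address, and it compares the answers several DCs give for the same name to flag the kind of divergence Rowland attributes to replication problems. The log and dig lines embedded in it are constructed after the ones quoted above (one extra line with a hypothetical `LAPTOP7$` account is added to show the mismatch check); the field names and helper functions are this example's own.

```python
"""Audit named/samba_dlz dynamic-update log lines and compare per-DC answers.

Added example; every log and dig line below is constructed after the ones
quoted in the thread, not taken from a live system.
"""
import re
from collections import defaultdict

# Constructed sample of the log lines named writes for a secure update.
# Only the "updating zone" lines change data; the samba_dlz "allowing update"
# line before them records the authorisation decision.
LOG_LINES = [
    "Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT$@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0",
    "Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' A",
    "Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'gaunt.ad.fvg.lnf.it' A 10.5.2.6",
    # Constructed anomaly (hypothetical account): a different machine account
    # rewriting gaunt's A record.
    "Jun 15 13:05:00 vdcsv1 named[679]: client 10.5.2.40#50001/key LAPTOP7$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'gaunt.ad.fvg.lnf.it' A 10.5.2.40",
]

# Shape of bind's "updating zone" line as quoted in the thread.
UPDATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<dc>\S+) named\[\d+\]: client (?P<src>[\d.]+)#\d+/key "
    r"(?P<signer>\S+): updating zone '(?P<zone>[^']+)': "
    r"(?P<action>deleting rrset|adding an RR) at '(?P<name>[^']+)' (?P<rtype>\S+)(?: (?P<rdata>\S+))?$"
)

# Shape of a dig answer line, e.g. "gaunt.ad.fvg.lnf.it. 1200 IN A 10.5.2.6".
DIG_RE = re.compile(r"^(?P<name>\S+)\.\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>\S+)\s+(?P<rdata>\S+)$")


def parse_update_events(lines):
    """Return one dict (ts, dc, src, signer, zone, action, name, rtype, rdata) per data-changing line."""
    return [m.groupdict() for m in map(UPDATE_RE.match, lines) if m]


def account_for(signer):
    """Short machine-account name from a Kerberos principal: 'GAUNT$@REALM' -> 'gaunt'."""
    return signer.split("@", 1)[0].rstrip("$").lower()


def find_foreign_updates(events):
    """Updates whose signing machine account does not match the first label of the updated name.

    A joined Windows client registers only its own records, so a mismatch is worth
    a look. Expect legitimate exceptions (DCs, a DHCP server updating on behalf of
    clients), so treat hits as review items, not verdicts.
    """
    return [e for e in events
            if account_for(e["signer"]) != e["name"].split(".", 1)[0].lower()]


def parse_dig_answers(output):
    """Map (name, rtype) -> set of rdata from the answer lines of one dig run."""
    rrs = defaultdict(set)
    for line in output.splitlines():
        m = DIG_RE.match(line.strip())
        if m:
            rrs[(m["name"].lower(), m["rtype"])].add(m["rdata"])
    return rrs


def find_divergent_records(answers_by_dc):
    """Given {dc: dig output}, return {(name, rtype): {dc: frozenset(rdata)}} where DCs disagree."""
    parsed = {dc: parse_dig_answers(out) for dc, out in answers_by_dc.items()}
    keys = set().union(*(p.keys() for p in parsed.values()))
    divergent = {}
    for key in sorted(keys):
        per_dc = {dc: frozenset(p.get(key, ())) for dc, p in parsed.items()}
        if len(set(per_dc.values())) > 1:
            divergent[key] = per_dc
    return divergent


# Constructed after the two dig runs quoted in the thread: the DCs disagree on gaunt's A record.
DIG_OUTPUT = {
    "vdcsv1.ad.fvg.lnf.it": "gaunt.ad.fvg.lnf.it.\t1200\tIN\tA\t10.5.2.6\n",
    "vdcsv2.ad.fvg.lnf.it": "gaunt.ad.fvg.lnf.it.\t1200\tIN\tA\t10.5.2.33\n",
}

if __name__ == "__main__":
    for e in find_foreign_updates(parse_update_events(LOG_LINES)):
        print(f"review: {e['signer']} from {e['src']} {e['action']} "
              f"{e['name']} {e['rtype']} {e['rdata'] or ''}")
    for (name, rtype), per_dc in find_divergent_records(DIG_OUTPUT).items():
        detail = ", ".join(f"{dc}={sorted(v)}" for dc, v in per_dc.items())
        print(f"DCs disagree on {name} {rtype}: {detail}")
```

To use it against a real domain, feed the `updating zone` lines from the DC's named log into `parse_update_events` and the output of `dig <name> @<dc>` for each DC into `find_divergent_records`; an empty result from the second check is what a healthy multimaster setup should give, since every DC serves the same AD-backed zone data.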