On 15/06/2021 13:32, Marco Gaiarin via samba wrote:
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
>
> Sorry, I come back on this.
>
>> You really should do this differently..
>> Because..
>> A working DNS domain should be established with forward and
>> reverse mappings to at least the Kerberos KDC (Samba-DC's)
>> and application servers you intend to Kerberize.
> OK. But why in AD does the reverse zone not get created automatically, and need
> to be created by hand?

Because it isn't strictly required, but it works better with it.

> Why does the forward zone get populated automatically directly by joined
> clients, while reverse needs DHCP?

No, you don't need dhcp for reverse records on Windows clients, you just need to configure them to update their reverse records.

>> If you use bind_DLZ as you're doing and you want other zones synced to
>> another domain and you have bind running, as you have..
>> Why not use a master/slave setup of bind9 to do that.
>> So that keeps the question, why is it "suddenly" different.
> But I've clearly a master/slave setup, all DC have a 'standard' conf using
> bind_DLZ, as the wiki suggests.

No you haven't, all AD DC's running a dns server are masters, it is known as multimaster, there are no 'slaves'.

> For now, I'm simply asking a rather simple question.
>
> 1) client boots and registers itself on 'VDCSV1'; I see no error in the logs:
>
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT\$\@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=AAAA key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT\$\@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: allowing update of signer=GAUNT\$\@AD.FVG.LNF.IT name=gaunt.ad.fvg.lnf.it tcpaddr= type=A key=1680-ms-7.3-de501.7ad51d36-cdc7-11eb-b81d-0068ebb3f3ef/160/0
> Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' AAAA
> Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'gaunt.ad.fvg.lnf.it' A
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: subtracted rdataset gaunt.ad.fvg.lnf.it 'gaunt.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.6'
> Jun 15 13:00:13 vdcsv1 named[679]: client 10.5.2.6#49344/key GAUNT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'gaunt.ad.fvg.lnf.it' A 10.5.2.6
> Jun 15 13:00:13 vdcsv1 named[679]: samba_dlz: added rdataset gaunt.ad.fvg.lnf.it 'gaunt.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.6'
>
> if I query that DC DNS, I get the correct result:
>
> gaio at hermione:~/conf/samba/manage$ dig a gaunt.ad.fvg.lnf.it @vdcsv1.ad.fvg.lnf.it | grep ^gaunt
> gaunt.ad.fvg.lnf.it. 1200 IN A 10.5.2.6
>
> if I query the other DC DNS in the same site, I get:
>
> gaio at hermione:~/conf/samba/manage$ dig a gaunt.ad.fvg.lnf.it @vdcsv2.ad.fvg.lnf.it | grep ^gaunt
> gaunt.ad.fvg.lnf.it. 1200 IN A 10.5.2.33
>
> a different result.

You appear to have replication errors

> Because DNS data are in AD/LDAP, I suppose that a 'samba-tool drs
> showrepl' or a 'samba-tool ldapcmp' will return some differences, but
> data seems replicated correctly around all DCs.
>
> Why does the domain seem healthy but not replicate DNS data?!

No idea, but you do seem to have replication problems, my DC's always produce the same result.

>> My "guess" is, the latest "security fix" change of bind fixed something,
>> which now is your problem.
>> See Debian LTS: DLA-2647-1: bind9
> Mmmhh... interesting... I've landed at:
>
> https://kb.isc.org/docs/cve-2021-25216
>
> which states:
>
> In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.
>
> effectively, as suggested by the samba docs, I've added:
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Aha, wrong path, it is now '/var/lib/samba/bind-dns/dns.keytab'

Can you provide a link to where it says to use the 'old' path ?

> I've tried to look at the debian patch for 9.10, but I've not found that.
>
> Setting:
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> in smb.conf could be a useful workaround?

That only works for the default dns records, not the client records.

Rowland
On 15/06/2021 14:01, Rowland penny via samba wrote:
> On 15/06/2021 13:32, Marco Gaiarin via samba wrote:
>> Mandi! L.P.H. van Belle via samba
>>   In chel di` si favelave...
>>
>> Sorry, I come back on this.
>>
>>> You really should do this differently..
>>> Because..
>>> A working DNS domain should be established with forward and
>>> reverse mappings to at least the Kerberos KDC (Samba-DC's)
>>> and application servers you intend to Kerberize.
>> OK. But why in AD does the reverse zone not get created automatically, and need
>> to be created by hand?
>
> Because it isn't strictly required, but it works better with it.
>
>> Why does the forward zone get populated automatically directly by joined
>> clients, while reverse needs DHCP?
>
> No, you don't need dhcp for reverse records on Windows clients, you
> just need to configure them to update their reverse records.

Strange, part of that sentence seems to have disappeared, it should have been:

No, you don't need dhcp for reverse records on Windows clients, but it will work better with them, if you do want to use reverse records, you just need to configure them to update their reverse records.

Rowland
Mandi! Rowland penny via samba
  In chel di` si favelave...

> Because it isn't strictly required, but it works better with it.

Ok, this sounds better to me. Supposing I'm not using it. ;-)

>> But I've clearly a master/slave setup, all DC have a 'standard' conf using
>> bind_DLZ, as the wiki suggests.
> No you haven't, all AD DC's running a dns server are masters, it is known as
> multimaster, there are no 'slaves'.

Sorry, I've misunderstood/miswritten: I meant I've integrated (via glue record and forward zones) my 'primary' DNS setup and my AD DNS setup. They are not isolated and speak between them.

>> Why does the domain seem healthy but not replicate DNS data?!
> No idea, but you do seem to have replication problems, my DC's always
> produce the same result.

OK. How can I test/debug the DNS replication issue?

>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> Aha, wrong path, it is now '/var/lib/samba/bind-dns/dns.keytab'
> Can you provide a link to where it says to use the 'old' path ?

No, the docs are good, it's me who is using an old samba version (4.10) that still uses the 'private' dir also for DNS:

root at vdcsv1:~# LANG=C ls -la /var/lib/samba/private/dns.keytab /var/lib/samba/bind-dns/dns.keytab
ls: cannot access '/var/lib/samba/bind-dns/dns.keytab': No such file or directory
-rw-r----- 1 root bind 777 Sep 20 2017 /var/lib/samba/private/dns.keytab

>> Setting:
>> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>> in smb.conf could be a useful workaround?
> That only works for the default dns records, not the client records.

OK, thanks.

-- 
dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 15 June 2021 15:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Strange DNS issue...
>
> Mandi! Rowland penny via samba
>   In chel di` si favelave...
>
>> Because it isn't strictly required, but it works better with it.
>
> Ok, this sounds better to me. Supposing I'm not using it. ;-)

Then I really recommend you read this:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html

Especially the part: Service principal canonicalization

My advice is to have, for your servers and systems running services you use in the network:

Servers: A/AAAA and PTR
Workstations: A/AAAA

Sure you can do without, until you hit problems.
But, again, it's not obligatory.. Just.. I have used it since 2016 (since the start of my AD-DC).
If I have problems, then it's often a typo I made.. :-/

I would re-check all the servers' resolving setups in your case, at least that's the first thing I would do.

Greetz,

Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 15 June 2021 15:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Strange DNS issue...
>
> Mandi! Rowland penny via samba
>   In chel di` si favelave...
>
>> Because it isn't strictly required, but it works better with it.
>
> Ok, this sounds better to me. Supposing I'm not using it. ;-)
>
>>> But I've clearly a master/slave setup, all DC have a 'standard' conf using
>>> bind_DLZ, as the wiki suggests.
>> No you haven't, all AD DC's running a dns server are masters, it is known as
>> multimaster, there are no 'slaves'.
>
> Sorry, I've misunderstood/miswritten: I meant I've integrated (via glue
> record and forward zones) my 'primary' DNS setup and my AD DNS setup.
> They are not isolated and speak between them.
>
>>> Why does the domain seem healthy but not replicate DNS data?!
>> No idea, but you do seem to have replication problems, my DC's always
>> produce the same result.
>
> OK. How can I test/debug the DNS replication issue?

A simple start is, get my debug script, run it on all servers and diff the outputs.
The quickest and simplest way to find differences in your systems and their setup.

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Greetz,

Louis
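The thread's actual evidence for a replication problem is two DCs answering differently for the same name, and Louis's advice is to collect from every server and diff. The script below automates exactly that check for DNS: it asks each DC for the same names and reports every name whose answers differ, or that one DC does not know at all. It is an added example for this thread, not Samba tooling and not the script Louis links; the DC names and the 10.5.2.6 / 10.5.2.33 answers come from the thread, while the other sample records (a host record for vdcsv1 and a `printer1` name present on only one DC) are constructed to show the "agree" and "missing on one DC" cases. Live queries use plain `dig`, so no non-standard Python modules are needed.

```python
#!/usr/bin/env python3
"""Find DNS records that differ between Samba AD DCs (added example, not Samba's own tool).

Every AD DC running bind9_DLZ answers from its own replica of the AD-integrated
zone, so asking each DC the same questions and comparing the answers is a cheap
consistency check: a name with different rdata on two DCs points at a
replication problem (or at an update that has not replicated yet).
"""
import subprocess
import sys
from collections import defaultdict

# Constructed sample in `dig +noall +answer` form. vdcsv1/vdcsv2 and the
# 10.5.2.6 vs 10.5.2.33 answers for gaunt come from the thread; the vdcsv1
# host record and printer1 are made up to exercise the other two cases.
SAMPLE_ANSWERS = {
    "vdcsv1.ad.fvg.lnf.it": (
        "gaunt.ad.fvg.lnf.it.\t1200\tIN\tA\t10.5.2.6\n"
        "vdcsv1.ad.fvg.lnf.it.\t900\tIN\tA\t10.5.2.1\n"
    ),
    "vdcsv2.ad.fvg.lnf.it": (
        "gaunt.ad.fvg.lnf.it.\t1200\tIN\tA\t10.5.2.33\n"
        "vdcsv1.ad.fvg.lnf.it.\t900\tIN\tA\t10.5.2.1\n"
        "printer1.ad.fvg.lnf.it.\t1200\tIN\tA\t10.5.2.40\n"
    ),
}


def parse_answer_section(text):
    """Turn dig answer lines into {owner name: {(rrtype, rdata), ...}}.

    TTLs are dropped on purpose: the same record with a different remaining
    TTL is normal between servers, different rdata is not.
    """
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig comments / blank lines
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not an "owner ttl IN type rdata" line
        name = fields[0].rstrip(".").lower()
        records[name].add((fields[3], " ".join(fields[4:])))
    return dict(records)


def find_divergent(per_dc):
    """Return {name: {dc: sorted (rrtype, rdata) list}} for names the DCs disagree on.

    A name absent from one DC's answers counts as disagreement (empty list).
    """
    names = set()
    for parsed in per_dc.values():
        names.update(parsed)
    divergent = {}
    for name in sorted(names):
        views = {dc: sorted(parsed.get(name, set())) for dc, parsed in per_dc.items()}
        if len({tuple(v) for v in views.values()}) > 1:
            divergent[name] = views
    return divergent


def query_dc(names, dc, rrtype="A"):
    """Ask one DC for several names in one dig run; returns the raw answer text.

    Only used against a live domain; dig accepts multiple "name type" pairs.
    """
    args = ["dig", "+noall", "+answer", "@" + dc]
    for name in names:
        args += [name, rrtype]
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


def format_report(divergent):
    """Human-readable lines: the name, then one indented line per DC."""
    lines = []
    for name, views in divergent.items():
        lines.append(name)
        for dc, rrs in views.items():
            shown = ", ".join(f"{t} {r}" for t, r in rrs) or "<no answer>"
            lines.append(f"  {dc}: {shown}")
    return lines


if __name__ == "__main__":
    # usage: dns_diff.py dc1,dc2[,dc3] name [name ...]   (no args: sample data)
    if len(sys.argv) > 2:
        dcs, names = sys.argv[1].split(","), sys.argv[2:]
        per_dc = {dc: parse_answer_section(query_dc(names, dc)) for dc in dcs}
    else:
        per_dc = {dc: parse_answer_section(t) for dc, t in SAMPLE_ANSWERS.items()}
    report = format_report(find_divergent(per_dc))
    print("\n".join(report) if report else "all DCs agree")
```

Run it with no arguments to see the sample report; against a live domain give it the DC list and the names you care about, for example the hosts that registered themselves with dynamic updates. Names that show up here but not in `samba-tool drs showrepl` errors are the ones worth comparing in the DomainDnsZones partition on each DC.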