Steven Monai
2023-May-20 18:30 UTC
[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz
On 2023-05-20 1:43 a.m., Rowland Penny via samba wrote:
> On 20/05/2023 04:44, Steven Monai via samba wrote:
>> I found an open bug in bugzilla that reports a very similar assertion
>> failure: "Bug 14030 - named crashes on DLZ zone update"
>> (https://bugzilla.samba.org/show_bug.cgi?id=14030). Any chance this
>> Bug is related to what I'm seeing?
>
> That appears to be a Samba problem, whilst yours appears to possibly be
> a Bind9 problem.

Maybe. But never mind that Bug; it appears to be FreeBSD-specific, and I am using Linux (more specifically Debian, on amd64 architecture).

To clarify my context: I have an AD domain setup---currently working on Debian Bullseye (and Buster)---which consists of two Samba DCs that use the BIND9_DLZ backend for DNS. This setup is deployed in production and is functioning well at numerous sites in my organization right now.

Unfortunately, my "known good" Bullseye/Buster AD setup fails to work when applied to Bookworm servers. That specific failure is what I've been trying to describe in this thread so far (possibly not adequately, but I'm doing my best to answer all questions).

Ultimately, I would like to arrive at a fully-functioning Bookworm setup, since it is my organization's policy to run its systems on Debian Stable, and Bookworm is due to become Stable very soon (on June 10th, about 3 weeks from now).

Anyway, the requested configuration files are pasted inline below.

> /etc/bind/named.conf

------------------------------------------------------------------------
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";
------------------------------------------------------------------------

> /etc/bind/named.conf.options

------------------------------------------------------------------------
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //=======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //=======================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;
    allow-transfer { localhost; };
    allow-query { localhost; localnets; !10.150.40.0/22; 10.150.0.0/16; };
};
------------------------------------------------------------------------

> /etc/bind/named.conf.local

------------------------------------------------------------------------
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

------------------------------------------------------------------------

> /etc/bind/named.conf.default-zones

------------------------------------------------------------------------
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

------------------------------------------------------------------------

> /etc/samba/smb.conf

------------------------------------------------------------------------
# Global parameters
[global]
    bind interfaces only = Yes
    disable netbios = Yes
    dns zone transfer clients allow = 127.0.0.0/8 ::1/128
    interfaces = lo enp1s0
    log level = 1 auth_json_audit:5
    netbios name = DC34
    ntlm auth = mschapv2-and-ntlmv2-only
    realm = TTWO.AD.EXAMPLE.ORG
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    winbind separator = /
    workgroup = TTWO
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/ttwo.ad.example.org/scripts
    read only = No
------------------------------------------------------------------------

--
Thanks,
-S.M.
Rowland Penny
2023-May-21 08:52 UTC
[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz
On 20/05/2023 19:30, Steven Monai via samba wrote:
> On 2023-05-20 1:43 a.m., Rowland Penny via samba wrote:
>> On 20/05/2023 04:44, Steven Monai via samba wrote:
>
>>> I found an open bug in bugzilla that reports a very similar assertion
>>> failure: "Bug 14030 - named crashes on DLZ zone update"
>>> (https://bugzilla.samba.org/show_bug.cgi?id=14030). Any chance this
>>> Bug is related to what I'm seeing?
>>
>> That appears to be a Samba problem, whilst yours appears to possibly
>> be a Bind9 problem.
>
> Maybe. But never mind that Bug; it appears to be FreeBSD-specific, and I
> am using Linux (more specifically Debian, on amd64 architecture).
>
> To clarify my context: I have an AD domain setup---currently working on
> Debian Bullseye (and Buster)---which consists of two Samba DCs that use
> the BIND9_DLZ backend for DNS. This setup is deployed in production and
> is functioning well at numerous sites in my organization right now.
>
> Unfortunately, my "known good" Bullseye/Buster AD setup fails to work
> when applied to Bookworm servers. That specific failure is what I've
> been trying to describe in this thread so far (possibly not adequately,
> but I'm doing my best to answer all questions).
>
> Ultimately, I would like to arrive at a fully-functioning Bookworm
> setup, since it is my organization's policy to run its systems on Debian
> Stable, and Bookworm is due to become Stable very soon (on June 10th,
> about 3 weeks from now).
>
> Anyway, the requested configuration files are pasted inline below.
>
>> /etc/bind/named.conf
>
> ------------------------------------------------------------------------
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/bind-dns/named.conf";
> ------------------------------------------------------------------------
>
>> /etc/bind/named.conf.options
>
> ------------------------------------------------------------------------
> options {
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     // forwarders {
>     //     0.0.0.0;
>     // };
>
>     //=======================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys.  See
> https://www.isc.org/bind-keys
>     //=======================================================================
>     dnssec-validation auto;
>
>     listen-on-v6 { any; };
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>     minimal-responses yes;
>     allow-transfer { localhost; };
>     allow-query { localhost; localnets; !10.150.40.0/22; 10.150.0.0/16; };
> };
> ------------------------------------------------------------------------
>
>> /etc/bind/named.conf.local
>
> ------------------------------------------------------------------------
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> ------------------------------------------------------------------------
>
>> /etc/bind/named.conf.default-zones
>
> ------------------------------------------------------------------------
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
>
> ------------------------------------------------------------------------
>
>> /etc/samba/smb.conf
>
> ------------------------------------------------------------------------
> # Global parameters
> [global]
>     bind interfaces only = Yes
>     disable netbios = Yes
>     dns zone transfer clients allow = 127.0.0.0/8 ::1/128
>     interfaces = lo enp1s0
>     log level = 1 auth_json_audit:5
>     netbios name = DC34
>     ntlm auth = mschapv2-and-ntlmv2-only
>     realm = TTWO.AD.EXAMPLE.ORG
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>     winbind separator = /
>     workgroup = TTWO
>     idmap_ldb:use rfc2307 = yes
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/lib/samba/sysvol/ttwo.ad.example.org/scripts
>     read only = No
> ------------------------------------------------------------------------

After reading all that, my first thought was, 'Why is he doing zone transfers and why is he doing them to the DC itself?' So, why are you?

I am not at the moment using Bind9 (for reasons that I will not go into, nothing to do with Samba) but when I do (in the future), I will use these named.conf files:

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    auth-nxdomain yes;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.0.24; 127.0.0.1; };
    notify no;
    empty-zones-enable no;
    minimal-responses yes;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

nano /etc/bind/named.conf.local

// adding the Samba dlopen ( Bind DLZ ) module
include "/var/lib/samba/private/named.conf";

As for your smb.conf:

I am not entirely sure that this is how you turn off NetBIOS on DC:

disable netbios = Yes

But I would also remove 'nbt' from the server services line.

I would remove the 'dns zone transfer clients allow' line, unless you are running another dns server on the DC that you haven't told us about.

Rowland
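As an added illustration, not code from the thread or from Samba, here is a POSIX shell script that checks an smb.conf and named.conf for the three points Rowland raises above: the nbt service left in place while NetBIOS is disabled, the zone-transfer parameter on a DC that has no secondary, and whether named.conf actually pulls in the Samba-generated DLZ configuration. The sample files are constructed to mirror the thread; the function names and the temp-directory layout are my own.

```shell
#!/bin/sh
# Constructed sample files mirroring the thread's configs; point the functions at real files instead.
WORK=$(mktemp -d)
cat > "$WORK/smb.conf" <<'EOF'
[global]
    disable netbios = Yes
    dns zone transfer clients allow = 127.0.0.0/8 ::1/128
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
[sysvol]
    path = /var/lib/samba/sysvol
EOF
cat > "$WORK/named.conf" <<'EOF'
include "/etc/bind/named.conf.options";
include "/var/lib/samba/bind-dns/named.conf";
EOF

# smb_param FILE PARAM: print PARAM's value from the [global] section (empty if unset)
smb_param() {
    awk -F= -v p="$2" '
        /^[ \t]*\[/ { inglobal = ($0 ~ /^[ \t]*\[global\]/) }
        inglobal && $1 ~ ("^[ \t]*" p "[ \t]*$") {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}
# check_netbios FILE: NetBIOS disabled but the nbt service still listed (Rowland's first point)
check_netbios() {
    disabled=$(smb_param "$1" "disable netbios" | tr '[:upper:]' '[:lower:]')
    services=$(smb_param "$1" "server services")
    if [ "$disabled" = "yes" ] && printf '%s\n' "$services" | tr ',' '\n' |
            grep -Eqx '[[:space:]]*nbt[[:space:]]*'; then
        echo "WARN: disable netbios = Yes but 'nbt' is still in server services"
        return 1
    fi
}
# check_zone_transfer FILE: zone transfers allowed on a DC that has no secondary (second point)
check_zone_transfer() {
    if [ -n "$(smb_param "$1" "dns zone transfer clients allow")" ]; then
        echo "WARN: 'dns zone transfer clients allow' is set; only needed if another DNS server pulls zones from this DC"
        return 1
    fi
}
# check_dlz_include FILE: named.conf must include the Samba-generated DLZ config (either known location)
check_dlz_include() {
    grep -Eq '^[ \t]*include[ \t]+"/var/lib/samba/(bind-dns|private)/named.conf"' "$1" ||
        { echo "WARN: $1 does not include the Samba DLZ named.conf"; return 1; }
}

check_netbios "$WORK/smb.conf"; check_zone_transfer "$WORK/smb.conf"; check_dlz_include "$WORK/named.conf"
```

Run against the sample it prints the first two warnings and passes the DLZ include check; each function exits non-zero on a finding so it can gate a deployment step.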
Robert Grimm
2023-May-22 09:15 UTC
[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz
Steven Monai via samba <samba at lists.samba.org> wrote:
> On 2023-05-20 1:43 a.m., Rowland Penny via samba wrote:
>> On 20/05/2023 04:44, Steven Monai via samba wrote:
>>> I found an open bug in bugzilla that reports a very similar assertion
>>> failure: "Bug 14030 - named crashes on DLZ zone update"
>>> (https://bugzilla.samba.org/show_bug.cgi?id=14030). Any chance this
>>> Bug is related to what I'm seeing?
>>
>> That appears to be a Samba problem, whilst yours appears to possibly be
>> a Bind9 problem.

It is a samba problem that causes bind9 to crash.

> Maybe. But never mind that Bug; it appears to be FreeBSD-specific, and I
> am using Linux (more specifically Debian, on amd64 architecture).

I use the patch from the bug on debian and the crashes of named I had constantly are gone.

Rob
--
In C we had to code our own bugs. In C++ we can inherit them.