pavel.lisy at gmail.com
2024-Apr-05 15:18 UTC
[Samba] Strange problem with samba-tool dns query ...
On Fri, 2024-04-05 at 15:00 +0100, Rowland Penny via samba wrote:
> On Fri, 05 Apr 2024 15:38:23 +0200
> pavel.lisy at gmail.com wrote:
> 
> > On Fri, 2024-04-05 at 08:04 +0100, Rowland Penny via samba wrote:
> > > On Fri, 05 Apr 2024 08:06:10 +0200
> > > PaLi via samba <samba at lists.samba.org> wrote:
> > > 
> > > > Hello
> > > > 
> > > > I have a strange problem on a brand new installation of samba AD
> > > > (samba-4.19.5 on Fedora 39).
> > > > 
> > > > Domain controller is dc01.some.domain.org
> > > > Secondary (replicated) controller is dc02.some.domain.org
> > > > 
> > > > After clean installation all basic tests seem to be ok.
> > > > 
> > > > All these commands return correct responses:
> > > > 
> > > > smbclient -L localhost -N
> > > > smbclient //localhost/netlogon -U Administrator -c 'ls'
> > > > 
> > > > host -t SRV _ldap._tcp.${HOSTNAME#*.}.
> > > > host -t SRV _kerberos._udp.${HOSTNAME#*.}.
> > > > host -t A ${HOSTNAME}.
> > > > 
> > > > kinit Administrator
> > > > klist
> > > > 
> > > > sudo samba-tool drs showrepl
> > > > 
> > > > sudo samba-tool user list --full-dn
> > > > sudo samba-tool group list --full-dn
> > > > sudo samba-tool computer list --full-dn
> > > > 
> > > > 
> > > > Problem is on dc01.some.domain.org
> > > > this command (and all other variants of "samba-tool dns"):
> > > > 
> > > > sudo samba-tool dns zonelist $(hostname) -U Administrator
> > > > 
> > > > gets stuck and returns nothing when parameter <server> is
> > > > $(hostname) or $(hostname --short)
> > > > 
> > > > when I change $(hostname) to localhost or ip address the command
> > > > responds correctly.
> > > > 
> > > > 
> > > > This problem is only on primary controller dc01.
> > > 
> > > What primary controller ?
> > > All DCs are equal, it is just some may have FSMO roles, this does
> > > not make any a 'primary'. A 'Primary Domain Controller' is
> > > something else entirely.
> > 
> > I mean DC installed first (dc01) by
> > samba-tool domain provision ...
> > 
> > other was joined only (dc02) by
> > samba-tool domain join some.domain.org DC ...
> 
> That just makes it the first DC and nothing special.
> 
> > > > The same commands work on dc02.some.domain.org without
> > > > problems.
> 
> They also work for myself on all three of my DCs.
> 
> > > > Even when I run samba-tool dns on dc02.some.domain.org with
> > > > <server> dc01
> > > > sudo samba-tool dns zonelist dc01 -U Administrator
> > > > 
> > > > it returns correct results.
> > > > 
> > > > How can I make samba-tool dns on dc01 work?
> > > > What could this behavior be?
> > > 
> > > It sounds like DNS.
> > > Can you post the contents of:
> > > /etc/resolv.conf
> > 
> > nameserver 192.168.90.21
> > nameserver 192.168.90.3
> > nameserver 192.168.90.1
> > search some.domain.org
> 
> Nothing really wrong there, but you really only need to set the DCs
> ipaddress as a nameserver, the others are not required.
> 
> > > /etc/hosts
> > 
> > 127.0.0.1 localhost localhost.localdomain localhost4
> > localhost4.localdomain4
> > ::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6
> > 192.168.90.21 dc01.some.domain.org dc01
> 
> Again nothing wrong.
> 
> > dns resolving works without problems:
> > [admin at dc01 ~]$ nslookup dc01
> > Server: 192.168.90.21
> > Address: 192.168.90.21#53
> > 
> > Name: dc01.some.domain.org
> > Address: 192.168.90.21
> > 
> > 
> > on dc02 everything is set in a similar way and it works
> > 
> > 
> > On dc01 I've tried to add a line to /etc/hosts
> > 192.168.90.21 dc05.some.domain.org dc05
> > 
> > and then this command works
> > sudo samba-tool dns zonelist dc05 -U Administrator
> 
> This rather points to dns, but what ?
> 
> > everything except names with dc01 works correctly.
> > 
> > And I don't understand why.
> 
> Neither do I.
> 
> What dns server are you using ?
> Bind9 or the builtin Samba internal one ?

Samba internal one placed in: /var/lib/samba/bind-dns/

Now I've found some differences in /etc/krb5.conf
and it seems to be the possible root cause.

I will write a summary after further testing.

Pavel
On Fri, 05 Apr 2024 17:18:12 +0200
pavel.lisy at gmail.com wrote:
> 
> Now I've found some differences in /etc/krb5.conf
> and it seems to be the possible root cause.
> 
> I will write a summary after further testing.
> 

Ah, yes, I should have remembered that you are running 'experimental'
DCs on Fedora and they do strange things to the krb5.conf.

All you need is this:

[libdefaults]
    default_realm = DNS.DOMAIN.IN.CAPITALS
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    DNS.DOMAIN.IN.CAPITALS = {
        default_domain = dns.domain.in.lowercase
    }

[domain_realm]
    SHORT_HOSTNAME_IN_CAPITALS = DNS.DOMAIN.IN.CAPITALS

Rowland
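A small check for the krb5.conf layout Rowland describes above, added here as an example and not part of the thread or of Samba itself: it parses a krb5.conf (including the brace-delimited realm blocks) and lists anything that deviates from that minimal shape. The realm SOME.DOMAIN.ORG, the host dc01 and the sample file contents are constructed to mirror the names used in the thread.

```python
# Constructed sample (not any real DC's file) in the layout described above.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = SOME.DOMAIN.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    SOME.DOMAIN.ORG = {
        default_domain = some.domain.org
    }
[domain_realm]
    DC01 = SOME.DOMAIN.ORG
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'key = { ... }' blocks become nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()  # drop comments
        if line.startswith('[') and line.endswith(']'):
            stack = [conf.setdefault(line[1:-1], {})]    # new section, reset nesting
        elif line == '}':
            stack.pop()                                   # close a nested block
        elif line and stack:                              # 'key = value' or 'key = {'
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_krb5_conf(text, realm, short_host):
    """List what deviates from the expected shape; an empty list means it matches."""
    conf = parse_krb5_conf(text)
    lib = conf.get('libdefaults', {})
    upper, lower = realm.upper(), realm.lower()
    problems = []
    if lib.get('default_realm') != upper:
        problems.append(f'default_realm should be {upper}')
    if lib.get('dns_lookup_realm', '').lower() != 'false':
        problems.append('dns_lookup_realm should be false')
    if lib.get('dns_lookup_kdc', '').lower() != 'true':
        problems.append('dns_lookup_kdc should be true')
    block = conf.get('realms', {}).get(upper)
    if not isinstance(block, dict) or block.get('default_domain') != lower:
        problems.append(f'[realms] {upper} should set default_domain = {lower}')
    if conf.get('domain_realm', {}).get(short_host.upper()) != upper:
        problems.append(f'[domain_realm] should map {short_host.upper()} to {upper}')
    return problems
```

Run it against the real file with `check_krb5_conf(open('/etc/krb5.conf').read(), 'some.domain.org', 'dc01')` on the DC in question; settings beyond these are not flagged.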