Hi,

- I have changed my /etc/resolv.conf for all my three DCs.

### DC 01-03
nameserver 10.10.10.11
nameserver 10.10.10.12
nameserver 10.10.10.13
search intern.preiss.network

- In the next step I changed my /etc/hosts for each DC

### DC1
127.0.0.1 localhost
10.10.10.11 01-dc01.intern.preiss.network 01-dc01

### DC2
127.0.0.1 localhost
10.10.10.12 01-dc02.intern.preiss.network 01-dc02

### DC3
127.0.0.1 localhost
10.10.10.13 01-dc01.intern.preiss.network 01-dc03

As mentioned, I've installed a 3rd DC without any issues from
http://www.corpit.ru/mjt/packages/samba/.
Now the 3rd DC has the same problem as the 2nd one.
Only the 1st DC has no issues.

/var/log/syslog
[...]
Jun 23 06:05:20 01-dc03 samba[87230]: [2024/06/23 06:05:20.132829, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
Jun 23 06:05:20 01-dc03 samba[87230]: dnsserver: Invalid zone operation IsSigned
Jun 23 06:05:21 01-dc03 samba[87230]: [2024/06/23 06:05:21.176086, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
[...]

I've recreated the dns.keytab file but this did not help.

### DC 01-03
samba-tool dbcheck --cross-ncs
Checking 3927 objects
Checked 3927 objects (0 errors)

### DC 01-03
No issues with samba-tool drs showrepl on all three DCs.

On Fri, 14 June 2024 at 08:16, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 14 Jun 2024 08:04:57 +0200
> Ronny Preiss via samba <samba at lists.samba.org> wrote:
>
> > On Mon, 10 June 2024 at 10:14, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Sun, 9 Jun 2024 13:18:10 +0200
> > > Ronny Preiss via samba <samba at lists.samba.org> wrote:
> > >
> > > > > No need to build Samba yourself, you can find packages here:
> > > > >
> > > > > http://www.corpit.ru/mjt/packages/samba/
> > > >
> > > > How can I install these files?
> > >
> > > Try reading the 'README' file from the link I posted.
> >
> > Please excuse me, I really managed to overlook the README.
> >
> > > > Here are the requested files from both servers.
> > > >
> > > > ## DC01 ##
> > > >
> > > > /etc/hostname
> > > > 01-dc01
> > > >
> > > > -----
> > > > /etc/hosts
> > > > 127.0.0.1 localhost
> > > > #127.0.1.1 01-dc01
> > > >
> > > > # The following lines are desirable for IPv6 capable hosts
> > > > ::1 ip6-localhost ip6-loopback
> > > > fe00::0 ip6-localnet
> > > > ff00::0 ip6-mcastprefix
> > > > ff02::1 ip6-allnodes
> > > > ff02::2 ip6-allrouters
> > > >
> > > > 10.10.10.11 01-dc01.intern.preiss.network 01-dc01
> > > > 10.10.10.12 01-dc02.intern.preiss.network 01-dc02
> > >
> > > You only need the actual DC info in /etc/hosts, all other dns info
> > > should come from the AD dns server.
> >
> > The DNS Info (ip6 and the other stuff) was generated by the server
> > install. I only added the last two lines with my DCs.
>
> Yes, but you only need the actual computer data, your dns server
> should provide everything else.
>
> > > > -----
> > > > /etc/resolv.conf
> > > > nameserver 127.0.0.53
> > > > options edns0 trust-ad
> > > > search intern.preiss.network
> > >
> > > You need to get NetworkManager to set the correct information in
> > > /etc/resolv.conf, this is my resolv.conf
> >
> > Can you explain to me why I should change from systemd-resolved to
> > NetworkManager.
>
> I just took it that you were using Network Manager, so I will now
> re-write that sentence:
>
> You need to get systemd-resolved to set the correct information in
> /etc/resolv.conf
>
> Rowland

On Sun, 23 Jun 2024 09:34:46 +0200
Ronny Preiss via samba <samba at lists.samba.org> wrote:

> Now the 3rd DC has the same problem as the 2nd one.
> Only the 1st DC has no issues.
>
> /var/log/syslog
> [...]
> Jun 23 06:05:20 01-dc03 samba[87230]: [2024/06/23 06:05:20.132829, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
> Jun 23 06:05:20 01-dc03 samba[87230]: dnsserver: Invalid zone operation IsSigned
> Jun 23 06:05:21 01-dc03 samba[87230]: [2024/06/23 06:05:21.176086, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
> [...]

If you go to line 1076 in source4/rpc_server/dnsserver/dcerpc_dnsserver.c
you will find this:

    DEBUG(0,("dnsserver: Invalid zone operation %s\n", operation));
    return WERR_DNS_ERROR_INVALID_PROPERTY;

In this instance 'IsSigned' is the 'operation' and if you look in the
extensive list of known 'operation' types above that, 'IsSigned' isn't
there, so it falls into that 'DEBUG' and the message is printed.

Now, where is 'IsSigned' coming from? Well, 'IsSigned' means dnssec and
so, something (probably a client) is using dnssec to query the Samba dns
server and Samba knows nothing about dnssec.

If you want to fix this, you are looking at the wrong end, you need to
find the client(s) that are using dnssec and stop its use.

Rowland

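
To find which DCs log this message and which operation names are being rejected, the two-line Samba log entries can be paired and counted. This is an added example, not code from the thread or from Samba; the function names, the 01-dc02 lines and "ExampleOp" are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample shaped like the syslog excerpt quoted in the thread;
# "ExampleOp" and the 01-dc02 lines are made up for illustration.
SAMPLE = """\
Jun 23 06:05:20 01-dc03 samba[87230]: [2024/06/23 06:05:20.132829, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
Jun 23 06:05:20 01-dc03 samba[87230]:   dnsserver: Invalid zone operation IsSigned
Jun 23 06:05:21 01-dc03 samba[87230]: [2024/06/23 06:05:21.176086, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
Jun 23 06:05:21 01-dc03 samba[87230]:   dnsserver: Invalid zone operation IsSigned
Jun 23 06:07:02 01-dc02 samba[1234]: [2024/06/23 06:07:02.000001, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
Jun 23 06:07:02 01-dc02 samba[1234]:   dnsserver: Invalid zone operation ExampleOp
"""

PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+samba\[\d+\]:\s*(?P<rest>.*)$")
HEADER = re.compile(r"^\[[^\]]+\]\s+(?P<loc>\S+:\d+)\(\w+\)$")
MESSAGE = re.compile(r"^dnsserver: Invalid zone operation (?P<op>\S+)$")

# Per the replies, 'IsSigned' is a DNSSEC property that Samba's DNS server does not know.
DNSSEC_OPERATIONS = {"IsSigned"}

def invalid_zone_operations(syslog_text):
    """Count (host, operation, source location) for each rejected zone operation."""
    counts = Counter()
    last_loc = {}  # host -> source location from the most recent header line
    for line in syslog_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        host, rest = m.group("host"), m.group("rest").strip()
        header = HEADER.match(rest)
        if header:
            last_loc[host] = header.group("loc")
            continue
        msg = MESSAGE.match(rest)
        if msg:
            counts[(host, msg.group("op"), last_loc.pop(host, "unknown"))] += 1
    return counts

def triage(counts):
    """Split findings into DNSSEC-client noise and operations that need a closer look."""
    noise = {k: n for k, n in counts.items() if k[1] in DNSSEC_OPERATIONS}
    review = {k: n for k, n in counts.items() if k[1] not in DNSSEC_OPERATIONS}
    return noise, review
```
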
Hi Ronny,

I reported this problem a week ago, and before me Mark Petersen on 17 May.
This message pops up on the DC when you use the DNS manager in Windows
administrative tools. Samba does not handle DNSSEC, while the DNS manager
assumes so. The error has got no practical impact.

Best regards,

Peter

On 23.06.2024 9:34, Ronny Preiss via samba wrote:

> Hi,
>
> - I have changed my /etc/resolv.conf for all my three DCs.
>
> ### DC 01-03
> nameserver 10.10.10.11
> nameserver 10.10.10.12
> nameserver 10.10.10.13
> search intern.preiss.network
>
> - In the next step I changed my /etc/hosts for each DC
>
> ### DC1
> 127.0.0.1 localhost
> 10.10.10.11 01-dc01.intern.preiss.network 01-dc01
>
> ### DC2
> 127.0.0.1 localhost
> 10.10.10.12 01-dc02.intern.preiss.network 01-dc02
>
> ### DC3
> 127.0.0.1 localhost
> 10.10.10.13 01-dc01.intern.preiss.network 01-dc03
>
> As mentioned, I've installed a 3rd DC without any issues from
> http://www.corpit.ru/mjt/packages/samba/.
> Now the 3rd DC has the same problem as the 2nd one.
> Only the 1st DC has no issues.
>
> /var/log/syslog
> [...]
> Jun 23 06:05:20 01-dc03 samba[87230]: [2024/06/23 06:05:20.132829, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
> Jun 23 06:05:20 01-dc03 samba[87230]: dnsserver: Invalid zone operation IsSigned
> Jun 23 06:05:21 01-dc03 samba[87230]: [2024/06/23 06:05:21.176086, 0] source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1076(dnsserver_query_zone)
> [...]
>
> I've recreated the dns.keytab file but this did not help.
>
> ### DC 01-03
> samba-tool dbcheck --cross-ncs
> Checking 3927 objects
> Checked 3927 objects (0 errors)
>
> ### DC 01-03
> No issues with samba-tool drs showrepl on all three DCs.

On Sunday, June 23, 2024 8:35 AM Ronny Preiss wrote:

> Hi,
>
> - I have changed my /etc/resolv.conf for all my three DCs.
>
> ### DC 01-03
> nameserver 10.10.10.11
> nameserver 10.10.10.12
> nameserver 10.10.10.13
> search intern.preiss.network

From the above I assume all DCs' resolv.conf are the same? If so, try
setting it so each DC has its own IP address as the first entry and see if
that changes anything.

HTH,
spindles7
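
The checks the replies ask for (each DC lists its own address first in resolv.conf, resolves only through the DCs, and carries only its own entry in /etc/hosts) can be scripted per DC. This is an added example, not code from the thread; the function names and the expected `<fqdn> <hostname>` layout are assumptions, and the inputs are the values posted in the thread.

```python
STUB_RESOLVER = "127.0.0.53"  # systemd-resolved's local stub listener

def _fields(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def resolv_conf_findings(text, own_ip, dc_ips):
    """Check that a DC resolves through AD DNS, with its own address listed first."""
    servers = [f[1] for f in _fields(text) if f[0] == "nameserver" and len(f) > 1]
    findings = []
    if not servers:
        return ["no nameserver entries"]
    if servers[0] != own_ip:
        findings.append(f"first nameserver is {servers[0]}, not this DC ({own_ip})")
    for ip in servers:
        if ip == STUB_RESOLVER:
            findings.append(f"{ip} is the systemd-resolved stub, not an AD DNS server")
        elif ip not in dc_ips:
            findings.append(f"{ip} is not one of the DCs")
    return findings

def hosts_findings(text, own_ip, hostname, domain):
    """Check that own_ip maps to '<hostname>.<domain> <hostname>' and nothing else does."""
    fqdn, findings, seen = f"{hostname}.{domain}", [], False
    for ip, *names in _fields(text):
        if ip == own_ip:
            seen = True
            if names[:2] != [fqdn, hostname]:
                findings.append(f"{ip} maps to {' '.join(names)}, expected {fqdn} {hostname}")
        elif fqdn in names or hostname in names:
            findings.append(f"{hostname} is also mapped to {ip}")
    if not seen:
        findings.append(f"no entry for {own_ip}")
    return findings

# Inputs copied from the thread: the shared resolv.conf and the DC3 /etc/hosts as posted.
DOMAIN = "intern.preiss.network"
DCS = ["10.10.10.11", "10.10.10.12", "10.10.10.13"]
RESOLV_CONF = "".join(f"nameserver {ip}\n" for ip in DCS) + f"search {DOMAIN}\n"
HOSTS_DC3 = "127.0.0.1 localhost\n10.10.10.13 01-dc01.intern.preiss.network 01-dc03\n"

if __name__ == "__main__":
    for finding in (resolv_conf_findings(RESOLV_CONF, "10.10.10.13", DCS)
                    + hosts_findings(HOSTS_DC3, "10.10.10.13", "01-dc03", DOMAIN)):
        print("01-dc03:", finding)
```
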