Re: [Samba] After upgrade to 4.9.4, internal DNS no longer working




Hi Louis,

Please keep in mind that this was just an incremental upgrade of an
otherwise working AD DC. Files such as /etc/hostname, /etc/nsswitch.conf
and /etc/resolv.conf were not affected by the upgrade. But yes, I double
checked, and they are all correct as I've shown in previous emails.

hostname is DC1, confirmed by hostnamectl, resolv.conf has just two
entries: nameserver (own IP), and search samdom.example.com. Same as it is
now, so this all works.

resolvectl is no longer showing anything because I disabled
systemd-resolved in the meantime. I don't think that was necessary but I
did it either way, just to be on the safe side. I'm actually pretty sure it
would have been sufficient to just set DNSStubListener=No in
/etc/systemd/resolved.conf.

As for managing the network, I'm using systemd-network and my network file
looks as follows (no changes in years):

[Match]
Name=br-lxc

[Network]
Address=192.168.1.1/24   <---- = DC1
DNS=192.168.1.1
IPForward=ipv4
Domains=samdom.example.com
Gateway=192.168.1.2   <------ = Router
UseDomains=yes

And yes, I agree, the Arch Wiki is a great resource.

Cheers,
Viktor


On Thu, 27 Dec 2018 at 12:19, L.P.H. van Belle via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> Ps.
>
> I forgot to ask.
> Which is used: systemd-networkd or NetworkManager?
>
> The why is shown here:
> https://wiki.archlinux.org/index.php/Systemd-resolved
>
> The wiki of Arch is very good, I do use these often (yes, even for
> my Debian servers).
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> > Viktor Trojanovic via samba
> > Sent: Thursday 27 December 2018 11:58
> > To: Rowland Penny; samba@xxxxxxxxxxxxxxx
> > Subject: Re: [Samba] After upgrade to 4.9.4, internal DNS
> > no longer working
> >
> > Hi Louis and Rowland,
> >
> > Thanks for all your input. In answer to your questions, yes,
> > all packages were upgraded to 4.9.4 so that was not the issue
> > – the error messages you’ve seen in this regard are from
> > during the upgrade. I can only guess that something was
> > removed too early. Also both hostname and resolv.conf were
> > set up correctly.  But these points seem moot now as I was
> > able to solve the issue.
> >
> > I didn’t touch the base system which was upgraded but I did
> > downgrade Samba and dependencies (samba, smbclient,
> > libwbclient) back to v4.7.4, I then just overwrote the Samba
> > folder (/var/lib/samba) which contains private and sysvol
> > with a recent backup – and everything works again. Users can
> > log in, GPOs are being distributed. I have not yet tried to
> > upgrade again, I’ll leave this for some other day.
> >
> > samba-tool dbcheck isn’t showing any errors. samba-tool ntacl
> > sysvolcheck does complain about an incorrect db acl on a gpo
> > directory so I ran sysvolreset. The error remains but doesn’t
> > seem to bother the AD otherwise. Still, to be safe, here is
> > the error:
> >
> > $ sudo samba-tool ntacl sysvolcheck
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
> >   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> >
> > Any advice on how to take care of this error, or can this be
> > safely ignored?
> >
> > Thanks,
> > Viktor
> >
> >
> > From: Rowland Penny via samba
> > Sent: Thursday, 27 December 2018 11:29
> > To: samba@xxxxxxxxxxxxxxx
> > Subject: Re: [Samba] After upgrade to 4.9.4, internal DNS no
> > longer working
> >
> > On Thu, 27 Dec 2018 11:07:08 +0100
> > "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > Gooood morning Rowland, :-)
> > >
> > > You're late ;-)..
> > > What I also did see, so it's more clear for others also.
> > >
> > > > Dez 22 21:08:31 dc1 systemd[1]: Starting Samba AD Daemon...
> > > > Dez 22 21:08:31 dc1 kernel: audit: type=1131 audit(1545509311.984:52): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=samba comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
> > > > Dez 22 21:08:32 dc1 samba[733]: root process[733]: [2018/12/22
> > >
> > > This line:  exe="/usr/lib/systemd/systemd" hostname=? addr=?
> > > terminal=? res=failed'
> > >
> > > So incorrect hostname/resolving resulting in this problem.
> >
> > I actually think it could be a symptom and not the root cause. It
> > could be that two main things happened, systemd was upgraded and with
> > it 'resolved' was installed and smbclient wasn't upgraded.
> >
> > I think that if 'resolved' is removed and ALL Samba packages are
> > upgraded, he might get it to work again.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
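The two SDDL strings in the sysvolcheck error quoted above are long enough that the mismatch is hard to spot by eye. The following is an added example, not part of the thread and not Samba's own code: a small Python helper that parses both strings and reports exactly which fields differ. It assumes the simple `O:...G:...D:...` layout shown in the error (no SACL); the function names are made up for this illustration.

```python
import re
from collections import Counter

# SDDL strings copied from the sysvolcheck error quoted in this thread.
FS_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("unsupported SDDL: expected O:, G: and D: parts only")
    # Each ACE is type;flags;rights;object_guid;inherit_guid;trustee
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group(4))]
    if any(len(a) != 6 for a in aces):
        raise ValueError("malformed ACE: expected six ';'-separated fields")
    return {"owner": m.group(1), "group": m.group(2),
            "dacl_flags": m.group(3), "aces": aces}

def diff_sddl(actual, expected):
    """Return only the fields in which two security descriptors differ."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags")
           if a[k] != e[k]}
    ca, ce = Counter(a["aces"]), Counter(e["aces"])  # order-insensitive
    if ca != ce:
        out["aces_unexpected"] = sorted((ca - ce).elements())
        out["aces_missing"] = sorted((ce - ca).elements())
    return out

def duplicate_aces(sddl):
    """List ACEs that appear more than once in the DACL."""
    counts = Counter(parse_sddl(sddl)["aces"])
    return sorted(a for a, n in counts.items() if n > 1)

if __name__ == "__main__":
    # LA = local Administrator account, DA = Domain Admins (SDDL SID aliases)
    print(diff_sddl(FS_SDDL, GPO_SDDL))
    print(duplicate_aces(GPO_SDDL))
```

On the strings from the error, the only difference reported is the owner (`LA` on the filesystem, `DA` expected from the GPO object); the DACL entries are identical, including a Domain Admins ACE that is listed twice in both.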