Topic: _ldap._tcp.dc._msdcs missing / Join Domain

UdoB

_ldap._tcp.dc._msdcs missing / Join Domain
« on: November 04, 2012, 11:24:48 am »
Hello everybody,
the Bind instance of my up-to-date Zentyal Box has "forgotten" an important SRV record. I am fairly sure it has been there as I was able to join some windows boxes without any problems a short while ago. Today a Win7 client refrained from joining. I had to add one entry manually to /etc/bind/db.$MYDOMAIN:
Code:
_ldap._tcp.dc._msdcs IN      SRV     100 100 390 zen

After restarting bind I could join Zentyal successfully. I am not sure how to make this change persistent. Adding a SRV record through the Zentyal web frontend does not work - it would omit the dc._msdcs part.

This manual workaround works for me. Nevertheless I will report this to Trac as a bug report if someone can confirm this observation...

Best regards
Udo

kernevil

Re: _ldap._tcp.dc._msdcs missing / Join Domain
« Reply #1 on: November 04, 2012, 04:31:59 pm »
Hi,

the records for AD are not stored in /etc/bind/, they are stored in the samba4 database and bind reads them as a DLZ (dynamic loadable zone). To update this zone with all required records you can execute
Code:
samba_dnsupdate

UdoB

Re: _ldap._tcp.dc._msdcs missing / Join Domain
« Reply #2 on: November 04, 2012, 05:42:29 pm »
Quote
the records for AD are not stored in /etc/bind/, they are stored in the samba4 database and bind read them as a dlz (dynamic loadable zone).

Thanks for the reply. I know that the information comes from Samba4 and bind's configuration files are generated. I do not understand (yet) how "dlz" works. Unfortunately something seems to be broken on my box:
Code:
root@zen:~# samba_dnsupdate
ldb_wrap open of secrets.ldb
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 485, in <module>
    get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 120, in get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for ZEN$@NEO.LAN failed (Client not found in Kerberos database)

Avoiding authentication is no solution:
Code:
samba_dnsupdate --no-credentials
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.

While --verbose gives *a lot* more messages regarding missing DNS entries - all .dc. and _ldap entries  :(

/var/log/heimdal-kdc.log confirms the missing Principal:
Code:
2012-11-04T17:02:03 AS-REQ ZEN$@NEO.LAN from IPv4:10.1.100.1 for krbtgt/NEO.LAN@NEO.LAN
2012-11-04T17:02:03 UNKNOWN -- ZEN$@NEO.LAN: no such entry found in hdb

What does ZEN$ stand for? My Zentyal host is zen.neo.lan. Do I have a chance to repair this? Even if I reinstalled the box I would probably run into the same situation, as I am not aware of having done something wrong.

The File Sharing Module shows
  Server Role: Domain Controller
  Realm:    NEO.LAN
  NetBIOS domain name: NEO
  NetBIOS computer name:    zen

The DNS Module has (only) one zone "neo.lan" with 
 Domain IP Addresses  = only one entry = IP of this host
 Hosts
   One entry "zen" with IP address = this host

Was it a fault to enter the host entry? Is it wrong to enter the same IP address to both "Domain IP Address" and a normal Host entry?

Should Kerberos tools work? The following list shows all Principals I have:
Code:
root@zen:~# kadmin -l
kadmin> list *
krbtgt/NEO.LAN
kadmin/changepw
kadmin/admin
changepw/kerberos
kadmin/hprop
WELLKNOWN/ANONYMOUS
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L
default
Administrator
dns-zen
ubt
... (shortened, Zentyal users follow)


Sorry for the long post, I hope it includes a useful description of my situation and you read it anyway :-)
Best regards and thanks for any hint on how to resolve the above problem.
Udo

kernevil

Re: _ldap._tcp.dc._msdcs missing / Join Domain
« Reply #3 on: November 05, 2012, 12:34:13 am »
Hi,

some details about implementation will help to understand what is going on.

The Dynamic Loadable Zones (DLZ) allow bind to store the zone information in other databases apart from plain text files. Samba4 implements the DLZ dlopen driver to store the data in the samba4 LDAP. When bind boots up, it loads a dynamic library (dlz_bind9.so) that implements the DLZ dlopen driver to retrieve/store the records from/to samba4 LDAP.

Also, there are two principal databases and two kerberos servers in a zentyal box. One pair is installed by the "users and groups" module (heimdal daemon storing principals in openLDAP) and the other is embedded in samba4. The heimdal daemon listens on port 8880 and the samba4 KDC on port 88.

When the users and groups module is installed, openLDAP is populated and the heimdal kerberos principals are created. Also, a domain and all kerberos records are added to it to allow clients to locate the KDC (kerberos server). This database is the one you are inspecting when executing kadmin, the heimdal admin tool.

After that, when samba4 is installed and provisioned, a flag is switched in the auto-created DNS domain to skip the records added by the users and groups module, because clients should use the samba4 KDC, not heimdal. Your problem seems to be that this flag is not properly set up, so when samba_dnsupdate tries to get a ticket for the ZEN$ principal (the machine account, stored in the samba4 principals database) it is not found because the DNS is answering with the heimdal port (8880) instead of samba4 (88).

You can check it by executing:

Code:
dig SRV _kerberos._tcp.neo.lan

If you didn't have any problems during installation and enabling the modules, this is clearly a bug caused by a random combination of actions. The easiest solution is to reinstall the server and skip the package installation wizard. Then pull updated package versions from the internet and install zentyal-samba.

Please take note about the actions you perform, so we can reproduce the bug if it is not fixed in the current package version.

Thanks for reporting.

UdoB

Re: _ldap._tcp.dc._msdcs missing / Join Domain
« Reply #4 on: November 05, 2012, 09:35:31 am »
Quote
some details about implementation will help to understand what is going on.

Thanks for the explanations, it helps!

Quote
... it is not found because the DNS is answering with the heimdal port (8880) instead of samba4 (88)

Correctly diagnosed! All "_kerberos..." entries pointed to 8880 and 8464. Without your explanation I did not know that this was wrong. (Simply manually correcting those entries did not solve the problem but only changed the error messages. This is obviously not a valid solution.)

Quote
The easiest solution is to reinstall the server and skip the package installation wizard. Then pull updated package versions from internet and install zentyal-samba.

Before I reinstall the system from scratch I will try two steps: 1) purge/reinstall zentyal-samba only. 2) purge zentyal-dns (which purges zentyal-printers zentyal-samba zentyal-usercorner zentyal-users as reverse dependencies).

Quote
Please take note about the actions you perform, so we can reproduce the bug if it is not fixed in the current package version.

I will report here...

Best regards
Udo
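A script for the check kernevil describes in Reply #3 and the symptom confirmed in Reply #4, added here as an example (it is not from the thread or from Zentyal): it reads dig SRV answers and flags records that still point at the users-and-groups ports (8880, 8464, 390) instead of the Samba4 ports (88, 464, 389). The function names are mine; neo.lan and the port numbers come from the thread.

```shell
#!/bin/sh
# check_srv_port EXPECTED_PORT
# Reads SRV records on stdin (dig output, or a zone-file line like the one
# Udo added by hand) and returns 0 only if at least one record exists and
# every record uses EXPECTED_PORT. Lines starting with ';' (dig comments)
# are ignored.
check_srv_port() {
  awk -v want="$1" '
    /^;/ { next }                                   # dig section headers
    {
      for (i = 1; i <= NF; i++) if ($i == "SRV") break
      if (i > NF) next                              # not an SRV record
      n++
      port = $(i + 3)                               # prio weight PORT target
      if (port == want) printf "OK   %-32s port %s\n", $1, port
      else { printf "BAD  %-32s port %s (expected %s)\n", $1, port, want; bad = 1 }
    }
    END {
      if (n == 0) { print "MISSING: no SRV record in answer"; exit 1 }
      if (bad) exit 1
    }'
}

# audit_domain DOMAIN
# Queries the records the thread turned out to be wrong. Samba4 listens on
# 88 (KDC), 464 (kpasswd) and 389 (LDAP); Zentyal's heimdal/openLDAP pair
# from the users module uses 8880, 8464 and 390, which is what a stale
# zone answers with.
audit_domain() {
  domain="$1"; rc=0
  dig +noall +answer SRV "_kerberos._tcp.$domain"       | check_srv_port 88  || rc=1
  dig +noall +answer SRV "_kpasswd._tcp.$domain"        | check_srv_port 464 || rc=1
  dig +noall +answer SRV "_ldap._tcp.dc._msdcs.$domain" | check_srv_port 389 || rc=1
  return $rc
}

# Usage: sh srvcheck.sh neo.lan   (assumed file name)
if [ -n "${1:-}" ]; then audit_domain "$1"; fi
```

A non-zero exit means at least one record is missing or points at the wrong instance, which is the state samba_dnsupdate and the Windows join both choke on.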

UdoB

Re: _ldap._tcp.dc._msdcs missing / Join Domain
« Reply #5 on: November 05, 2012, 11:26:33 am »
Quote
I will report here...

And here it comes for approach #1: only re-install zentyal-samba. This is a long post, just to document what's happening. It boils down to the question in the last line...

apt-get --purge remove zentyal-samba
No additional manual cleanup done.

<reboot> should not be necessary, but...

Re-Install File Sharing and Domain Services 3.0.6 via web interface. Activate module.

Zone file /etc/bind/db.neo.lan is gone!

dig SRV _kerberos._tcp.neo.lan # works correctly!
Code:
;; ANSWER SECTION:
_kerberos._tcp.neo.lan. 900     IN      SRV     0 100 88 zen.neo.lan.

Testing DNS module: add one host entry with one IP address. Save.
Works (without wrongly re-creating that zone file)

<reboot> just for testing (I did reboot three days ago. Maybe the problem arose then.)
No problem.

Windows 7: leave domain/reboot/join:
missing SRV record  _ldap._tcp.dc._msdcs.neo.lan.

The error message is human readable but not exactly correct. The entry is there but it has the same problem as _kerberos had: it points to the wrong instance:

Code:
dig SRV _ldap._tcp.dc._msdcs.neo.lan
_ldap._tcp.dc._msdcs.neo.lan. 900 IN    SRV     0 100 389 zen.neo.lan.

Trying:
Disabling User and Groups (disables File Sharing and User Area). Save.
/etc/init.d/zentyal restart
Enable modules. Save.
No change regarding 389//390

Conclusion: the problem with _kerberos has been solved by re-installing zentyal-samba. The same problem with _ldap is not. My workaround by adding that record manually (I did that only because the zone file was present!) is not possible anymore and would not be the correct solution anyway.

A look into my backups shows that the obviously not-to-be-present zone file was just created 3 days ago. Before that point in time it was not present. This host has been up and running (but idling) for 6 weeks now. Unfortunately I am absolutely not sure what I did that day. The only service I want this box for is Samba. Only dependencies are installed, no other Zentyal services. But I did install some additional packages outside Zentyal (zabbix-agent, munin, ubuntu-zfs...).

I hesitate to purge/re-install zentyal-dns because I would lose all my (actually only few, but...) users.

Is there another way to trigger re-initialization of those SRV records?


Best regards



Edited/added the next day:

~# apt-get --purge remove zentyal-dns # removes zentyal-dns* zentyal-samba* zentyal-usercorner* zentyal-users*

<reboot>

Install "File Sharing and Domain Services" via web frontend

DNS:
 Add Domain "neo.lan".
 Domain IP Addresses and one Host entry are generated automatically. No manual extension necessary.
 Add Forwarders.
 Activate module / Save changes.
 This creates a file /etc/bind/db.neo.lan whose existence is questionable. The file is empty except one single host A record for the Zentyal box itself. But Samba is not activated yet...

Users and Groups
 Try to re-create groups - FAILS with a "Group already exist" error. Seems that "apt-get --purge" did not do a good job?
 Activate module
 All Users and all Groups are visible now. Lesson learned: turn on the module before using it ;-)

File sharing
 Activate module
 Save changes
 The zone file /etc/bind/db.neo.lan is gone again.

root@zen:~# dig SRV _kerberos._tcp.neo.lan | grep -A1 ANSWER\ SECTION
;; ANSWER SECTION:
_kerberos._tcp.neo.lan. 900     IN      SRV     0 100 88 zen.neo.lan.

root@zen:~# dig SRV _ldap._tcp.dc._msdcs.neo.lan | grep -A1 ANSWER\ SECTION
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.neo.lan. 900 IN    SRV     0 100 389 zen.neo.lan.

So this did not solve the problem. Why not?  :-\



Edited/added after some more hours of trial and error:

It works!  8) - I can join a Windows 7 client.

Unfortunately I am not sure what happened. Basically all I did since yesterday is another reboot of the Zentyal box and the Windows 7 client. 

« Last Edit: November 06, 2012, 08:44:24 pm by UdoB »
Udo

jeffb1

Re: _ldap._tcp.dc._msdcs missing / Join Domain
« Reply #6 on: June 09, 2015, 03:51:35 pm »
I had a similar problem, disabling ipv6 on the windows machine worked.