Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: zoombiel on February 20, 2017, 06:59:27 pm

Title: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: zoombiel on February 20, 2017, 06:59:27 pm
Hi,

After upgrading from version 4.2 to 5.0 (5.0.7) I can't update the DNS zone.

Log from /var/log/zentyal/zentyal.log
Code:
2017/02/20 18:00:26 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/uo_lMDy6Bb failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/uo_lMDy6Bb failed.
Error output: update failed: REFUSED


Log from /var/log/syslog
Code:
Feb 20 18:45:10 ad01 named[3502]: samba_dlz: disallowing update of signer=dns-ad01\@EXAMPLE.LOC name=example.loc type=A error=insufficient access rights
Feb 20 18:45:10 ad01 named[3502]: client 10.1.0.2#41805/key dns-ad01\@EXAMPLE.LOC: updating zone 'example.loc/NONE': update failed: rejected by secure update (REFUSED)

Do you have any solution to this problem?
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: yougotborked on February 21, 2017, 01:27:36 am
I am getting similar problems with different error messages

Code:
2017/02/20 18:19:52 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-tatooine failed.
Error output: Password has expired
 dns-tatooine@EXAMPLE.CO's Password:
 kinit: Password incorrect

Command output: .
Exit value: 1
2017/02/20 18:19:52 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-tatooine failed.
Error output: Password has expired
 dns-tatooine@EXAMPLE.CO's Password:
 kinit: Password incorrect

Command output: .
Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-tatooine failed.
Error output: Password has expired
 dns-tatooine@EXAMPLE.CO's Password:
 kinit: Password incorrect

EDIT:

Now I am getting the same errors as you after an apt upgrade
Code:
EBox::Util::Init::moduleAction('dns', 'restartService', 'restart') called at /usr/share/perl5/EBox/Util/Init.pm line 247
EBox::Util::Init::moduleRestart('dns') called at /etc/init.d/zentyal line 60
main::main at /etc/init.d/zentyal line 80
2017/02/20 18:50:24 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/mmaKvyZ3WN failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2017/02/20 18:50:24 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/mmaKvyZ3WN failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/mmaKvyZ3WN failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2 at /usr/share/perl5/EBox/Module/Service.pm line 964
EBox::Module::Service::restartService('EBox::DNS=HASH(0x5a1e1e8)', 'restartModules', 1) called at /usr/share/perl5/EBox/Util/Init.pm line 121
eval {...} at /usr/share/perl5/EBox/Util/Init.pm line 119
EBox::Util::Init::moduleAction('dns', 'restartService', 'restart') called at /usr/share/perl5/EBox/Util/Init.pm line 247
EBox::Util::Init::moduleRestart('dns') called at /etc/init.d/zentyal line 60
main::main at /etc/init.d/zentyal line 80
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: soso on February 24, 2017, 10:23:22 pm
Identical issue in my case.
Code:
Error output: update failed: REFUSED
Any idea how to solve this dns update issue?
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: zoombiel on February 27, 2017, 10:44:03 am
Update of component "Domain Controller and File Sharing " from version 5.0.3 to 5.0.4 is resolving this issue. This update was published at the end of the last week.
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: ompoly on March 02, 2017, 11:49:08 am
Hi All,

this problem still exists in "Domain Controller and File Sharing " version 5.0.4:
The whole DNS update process fails, because it wants to delete and recreate all the items, but "dns-..." user has no rights for it:
"... disallowing update of signer=dns-zentyal\@SILICON.HU name=www.silicon.hu type=CNAME error=insufficient access rights"

As far as I could see, nsupdate refuses changes on items created BEFORE the Zentyal 5 upgrade.
My terminology: old host/alias was created BEFORE upgrade to Zentyal 5, new host/alias was created AFTER the upgrade.
During the execution of a /var/lib/zentyal/tmp/... file at nsupdate prompt line by line I could notice the following:
creating new host (A) is OK
adding new alias (CNAME) to new host is OK
adding new alias (CNAME) to old host is OK
deleting old alias FAILS
deleting old host FAILS

Here is the test:
root@zentyal:/home/zadmin# nsupdate -g
> update add itsanewhost.silicon.hu 259200 A 10.9.20.3
> send
> add itsanewalias.silicon.hu 259200 CNAME itsanewhost.silicon.hu
> send
> add itsanewalias2.silicon.hu 259200 CNAME web.silicon.hu
> send
> update delete www.silicon.hu CNAME
> send
update failed: REFUSED
>

How can I fix it?

Thanks,
Peter
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: ompoly on March 06, 2017, 02:27:27 pm
Any idea how to solve this dns update issue?

thanks.
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: ompoly on March 08, 2017, 07:37:11 pm
Bump.
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: mahax01 on March 27, 2017, 01:24:28 pm
Hi there Peter,

I've got exactly the same problem after upgrading from 4.2.
Were you able to solve yours?

greetings
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: hagies on March 27, 2017, 02:30:46 pm
I have exactly the same problem after the update, quite a headache!

Any feedback would be greatly appreciated on this thread!
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: jclaggett on March 28, 2017, 02:00:58 am
There seems to be no less than 3 or 4 different threads on this particular problem...and yet no resolution.  :(
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: adarkbar on March 29, 2017, 06:22:03 pm
Good morning!
I've found this link searching for the same error, and I've solved it doing these few steps:

Code:
sudo cp /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
sudo rm /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=DNS/server.domain.local /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=dns-ZENTYAL@DOMAIN.LOCAL /var/lib/samba/private/dns.keytab
sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
sudo kinit -k -t /var/lib/samba/private/dns.keytab dns-ZENTYAL

If you still get errors with the last command, review the Zentyal DNS user name

Cheers!
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: rihokirss on March 29, 2017, 08:05:43 pm
How to check the name of dns user?
It looks like I don't have one.

Is it possible to somehow make new dns-user?

In zentyal.log I have
Code:
2017/03/29 22:18:06 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-server
 failed.
Error output: kinit: Password incorrect


user dns-server does not exist
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: mahax01 on March 29, 2017, 09:35:27 pm
Hi there,

@rihokirss
Code:
sudo pdbedit -L
would list your users; just search for your user with the "dns" prefix, usually it's dns-Servername.

@adarkbar
I tried your solution but that just shifted my problem to:
Code:
2017/03/29 21:31:12 ERROR> GlobalImpl.pm:661 EBox::GlobalImpl::saveAllModules - Failed to save changes in module dns: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/TUVjOoVEOm failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable
Any Idea on that one?

Thanks in advance!
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: rihokirss on March 30, 2017, 06:09:14 pm
Hi there,

@rihokirss
Code:
sudo pdbedit -L
would list your users; just search for your user with the "dns" prefix, usually it's dns-Servername.

Looks like the dns user is missing. Name of the user shall be dns-server.
Probably I can not create that user through the web interface. How to add it correctly?
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: rihokirss on April 04, 2017, 06:31:21 pm
Can anybody help to find a way to re-make dns-server user?
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: jgould on June 14, 2017, 04:02:40 pm
I'm going to post something I had put in a different thread.

I've gone through many Zentyal version upgrades on this server and am having the DNS issue.

My initial error message was
Code:
2017/06/13 12:10:25 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/13 12:10:27 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
2017/06/13 12:10:32 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .

What I found was that the user account (dns-[servername]) in AD Users and Computers didn't show as being locked or anything. HOWEVER, by going into the Attribute Editor (make sure everything is selected in Filter) I found two attributes.
Code:
msDS-User-Account-Control-Computed
msDS-UserPasswordExpiryTimeComputer
These two attributes had values set that sure made it seem like the password HAD expired. This user account (that is automatically generated during install) also doesn't have "Password never expires" set under Account -> Account options. So to test out a theory I checked the "Password never expires" and "Unlock account" options. I knew from experience that this enables the account using the original password, so it didn't need to be changed.

This seemed to remove the "Error output: Password has expired" error, but now started to show the problem that other members here are having.

Code:
2017/06/14 00:15:38 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/14 00:15:39 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 00:15:41 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
2017/06/14 00:15:41 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2017/06/14 00:15:41 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
2017/06/14 00:15:41 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2

I've tried multiple ways to resolve this error using recommendations here and the Samba wiki, but nothing has really worked and I STILL end up with the REFUSED error or the other error mentioned.

Code:
2017/06/14 01:55:23 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/14 01:55:24 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 01:55:25 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at /usr/share/perl5/EBox/Sudo.pm line 240
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/Ym0eh3Z4y8.cmd 2> /var/lib/zentyal/tmp/stderr', 'nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8', 256, 'ARRAY(0x8ae78a0)', 'ARRAY(0x435f558)') called at /usr/share/perl5/EBox/Sudo.pm line 210
EBox::Sudo::_root(1, 'nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8') called at /usr/share/perl5/EBox/Sudo.pm line 153
EBox::Sudo::root('nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8') called at /usr/share/perl5/EBox/DNS.pm line 923
EBox::DNS::_postServiceHook('EBox::DNS=HASH(0x8997970)', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 941
EBox::Module::Service::_regenConfig('EBox::DNS=HASH(0x8997970)', 'restart', 1, 'restartModules', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 960
eval {...} at /usr/share/perl5/EBox/Module/Service.pm line 959
EBox::Module::Service::restartService('EBox::DNS=HASH(0x8997970)', 'restartModules', 1) called at /usr/share/perl5/EBox/Util/Init.pm line 121
eval {...} at /usr/share/perl5/EBox/Util/Init.pm line 119
EBox::Util::Init::moduleAction('dns', 'restartService', 'start') called at /usr/share/perl5/EBox/Util/Init.pm line 87
EBox::Util::Init::start at /usr/bin/zs line 35
main::main at /usr/bin/zs line 82
2017/06/14 01:55:25 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1
2017/06/14 01:55:25 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

I even followed THESE INSTRUCTIONS (https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC) on the Samba Wiki where you completely delete the dns.keytab file, delete the dns-[servername] user, switch the DNS backend to Samba and then back to Bind (due to a glitch in samba not recreating the dns-[servername] user), and finally run samba_upgradedns --dns-backend=BIND9_DLZ to reprovision the user account and dns.keytab file from scratch. It still failed.

This results in the DNS module not being able to reload itself and the local machine (127.0.0.1) failing DNS updates (or at least it seems that way when the DNS module reload occurs, where nsupdate fails to run). The logs seem to show that all my Windows PCs are still able to securely update DNS records though.


I will say that a fresh install of Zentyal isn't giving me this issue NOW, but who knows if it will after a certain amount of time. I'd also say that removing and reinstalling the DNS module also appeared to solve the issue for me. However that is REALLY NOT IDEAL. If you have to remove the DNS module you also have to remove the Domain Controller and File Sharing module. That means you'd remove all your domain joined computers, users, GPO, and so on. So the only other option I can think of right now would be a transfer of FSMO roles to a new Samba4 server.
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: jgould on June 14, 2017, 04:11:34 pm
Good morning!
I've found this link searching for the same error, and I've solved it doing these few steps:

Code:
sudo cp /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
sudo rm /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=DNS/server.domain.local /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=dns-ZENTYAL@DOMAIN.LOCAL /var/lib/samba/private/dns.keytab
sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
sudo kinit -k -t /var/lib/samba/private/dns.keytab dns-ZENTYAL

If you still get errors with the last command, review the Zentyal DNS user name

Cheers!

This seemed promising but didn't work for me, and I know I had the right user and the right information in the keytab file.

One thing to note is that this approach does not generate a dns.keytab file exactly like the original. It doesn't include the aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96 enctypes. See HERE (https://wiki.samba.org/index.php/Generating_Keytabs). There is discussion on this in the samba mailing list I was reading. I couldn't get the solutions to add them to work for me but I didn't spend a ton of time on it as you can regenerate the dns.keytab and user by deleting everything and running samba_upgradedns --dns-backend=BIND9_DLZ as mentioned in my above post.

Example of what I mean;

New keytab file generated with your steps;
Code:
root@zentyal:~$ sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                      Date        Aliases
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14

Old keytab that you are replacing;
Code:
root@zentyal:~$ sudo ktutil -v -k /var/lib/samba/private/dns.keytab.old list
/var/lib/samba/private/dns.keytab.old:

Vno  Type                     Principal                      Date        Aliases
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14
  1  aes128-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes128-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
  1  aes256-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes256-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
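A quick way to spot the gap jgould describes is to parse the ktutil listing and report each principal that lacks the AES enctypes. This is an added example, not code from the thread, Samba or Zentyal; the two listings embedded below are constructed copies of the ones in the post (realm TEST.LAN), and the keytab path is the one the thread uses.

```shell
#!/bin/sh
# Added example: parse Heimdal "ktutil -v -k <keytab> list" output and report
# every principal that is missing aes128-cts-hmac-sha1-96 / aes256-cts-hmac-sha1-96,
# the entries the original provisioned dns.keytab carried but an exportkeytab
# rebuild did not.

# check_keytab_enctypes LISTING
# Prints "MISSING <principal> <enctype>" for each gap; returns 0 only when no
# principal in the listing is missing an AES enctype.
check_keytab_enctypes() {
    printf '%s\n' "$1" | awk '
        # Entry rows begin with a numeric key version number (Vno); the header,
        # the keytab path and blank lines do not, so they are skipped.
        $1 ~ /^[0-9]+$/ { seen[$3, $2] = 1; principals[$3] = 1 }
        END {
            n = split("aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96", want, " ")
            missing = 0
            for (p in principals)
                for (i = 1; i <= n; i++)
                    if (!((p, want[i]) in seen)) {
                        print "MISSING " p " " want[i]
                        missing++
                    }
            exit (missing > 0)
        }'
}

# Live use on the Zentyal host (as root): check the real keytab, default path as in the thread.
check_keytab_file() {
    check_keytab_enctypes "$(ktutil -v -k "${1:-/var/lib/samba/private/dns.keytab}" list)"
}

# Constructed listing of a keytab rebuilt with "samba-tool domain exportkeytab" (AES entries absent).
SAMPLE_NEW_KEYTAB='/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                      Date        Aliases
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14'

# Constructed listing of the original provisioned keytab (AES entries present).
SAMPLE_OLD_KEYTAB="$SAMPLE_NEW_KEYTAB
  1  aes128-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes128-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
  1  aes256-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes256-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14"

if [ "${1:-}" = "--live" ]; then
    check_keytab_file "${2:-}"
else
    echo "== exported keytab =="
    check_keytab_enctypes "$SAMPLE_NEW_KEYTAB" || echo "(AES enctypes missing, as in the post)"
    echo "== original keytab =="
    check_keytab_enctypes "$SAMPLE_OLD_KEYTAB" && echo "all principals have AES enctypes"
fi
```

Run it with `--live [path]` on the server to check the real file; without arguments it only audits the embedded samples.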
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: jgould on June 14, 2017, 05:21:59 pm
SOOOO, I managed to get mine working now!

All I had to do was solve the initial "Error output: Password has expired" error as I described earlier;

Which got me to where most of you were with the Error output: update failed: REFUSED error.

Then, I had to add the dns-[servername] user to the DNSAdmins Group;

Pretty standard steps for anyone familiar with AD.

Anyway, after adding the user account to the DnsAdmins group the DNS module restarts through the GUI without any errors and everything looks to be working as it should.

I found this issue by comparing to a freshly installed and untouched Zentyal 5 installation that was working. I did NOT remove the user from this group. The user WAS a member of Domain Users which obviously doesn't have enough permissions. DnsAdmins is what is granted permissions (through windows security tab) when I was looking in the RSAT DNS tool for the domain.

Also, I should note that even in Zentyal 5 the dns-[servername] user account password is not set to never expire, but as I saw in my initial error it sure looks like it did expire at some point.

I have a sneaking suspicion this is also why when I followed the Samba Wiki I linked above to completely delete the dns.keytab file, dns-[servername] user, and recreate everything using samba_upgradedns --dns-backend=BIND9_DLZ it STILL wasn't working. Because the user account wasn't added to the DnsAdmins group (I can't verify that at this point though, but highly likely).
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: ivan.m on June 15, 2017, 05:22:21 am
I'm having similar issues since the upgrade to 5.

Essentially, now, I can't even 'add a dns' record via DNS module in the web min without throwing an error.

It appears that I'm getting the 'password expired' error others are getting, but I see no way to correct it (I'm not an experienced LDAP/AD admin, especially from a *nix point of view).

It looks to me like the previous post solves the issue, but his fix says to go here and do that from 'Active Directory Users and Groups'. But I have no Windows machine running Active Directory Users and Groups from which to make these changes.

Any help would be appreciated on how I can correctly replicate the steps to restore functionality to the dns-pdc user, or fix the DNS issue.

Cheers



Quote
2017/06/14 19:25:32 INFO> GlobalImpl.pm:625 EBox::GlobalImpl::saveAllModules - Saving config and restarting services: firewall dns dhcp
2017/06/14 19:25:32 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: firewall
2017/06/14 19:25:33 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: dns
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host pdc.somedomain.com with IP 10.5.0.2 is not going to be added $
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host jira.somedomain.com with IP 10.5.0.41 is not going to be adde$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host jenkins.somedomain.com with IP 10.5.0.44 is not going to be a$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host fileserver.somedomain.com with IP 10.5.0.45 is not going to b$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host git.somedomain.com with IP 10.5.0.40 is not going to be added$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host unitycache.somedomain.com with IP 10.5.0.39 is not going to b$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 176.68.184 is already mapped to domain dev.somedomain.com. The host vpn.somedomain.com with IP 184.68.176.202 is not going to$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host maas.somedomain.com with IP 10.5.0.144 is not going to be add$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host igg-srv-001.somedomain.com with IP 10.5.0.220 is not going to$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host igg-srv-005.somedomain.com with IP 10.5.0.242 is not going to$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host igg-srv-007.somedomain.com with IP 10.5.0.232 is not going to$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host potato.somedomain.com with IP 10.5.0.62 is not going to be ad$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host kube-master.somedomain.com with IP 10.5.0.34 is not going to $
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host bigdata-database.somedomain.com with IP 10.5.0.35 is not goin$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host docker-node-a.somedomain.com with IP 10.5.0.37 is not going t$
2017/06/14 19:25:36 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 19:25:37 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-pdc failed.
Error output: Password has expired
 dns-pdc@somedomain.COM's Password:

Command output: .
Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-pdc failed.
Error output: Password has expired
 dns-pdc@somedomain.COM's Password:


Will these tools help, I wonder? About to try it anyway.

https://www.microsoft.com/en-ca/download/details.aspx?id=45520
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: ivan.m on June 15, 2017, 05:32:38 am
Update: indeed, I was able to use the Microsoft tools to get further; however, there are no DNS-related groups at all in the Active Directory group membership. I added the dns-pdc user to Domain Admins, set that as the primary group, and removed Domain Users as the secondary membership for that user.
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: jgould on June 15, 2017, 11:05:51 pm
ivan.m

Active Directory Users and Computers is provided through Windows RSAT (remote server administrative tools), which you will find referenced as the simplest way to manage a Samba 4 Active Directory.

Simply search google for Windows RSAT for whatever windows OS you can get (Windows 7, 8, 10) or if you have a Windows Server you can add these through adding Roles.

Once you have them installed you must have the Windows machine added to the domain or it won't be able to access the Samba4/Zentyal server to manage it.

Once you have that set up you can launch Active Directory Users and Computers (and others like DNS, Group Policy Management, etc.) provided by RSAT and manage your domain. The whole collection of tools is in "Administrative Tools" in Windows (just search for it).

(http://i.imgur.com/w9UuWxo.png)

And here you will see my dns-vdc01 user (vdc01 being the name of my server) and DnsAdmin Group in my Active Directory under the "Users" folder.

(http://i.imgur.com/tKWnJWr.png)

And here you will see the dns-vdc01 user account properties where I've added the account to the DnsAdmins group.
(http://i.imgur.com/zDp2b6U.png)


Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: jgould on June 16, 2017, 03:13:38 pm
Here is why it matters. Using the DNS Manager of Windows RSAT you can check the security permissions on the various parts of DNS;

DNS server (vdc01 in my case)
(http://i.imgur.com/Y3uW3Nh.png)

Forward Lookup Zone for your Domain
(http://i.imgur.com/K0Euddv.png)

All DNS records (kerberos record as example)
(http://i.imgur.com/dKsiMmk.png)

As you can see, all records list the AD group DnsAdmins. So it stands to reason that if the dns user account needs to update DNS records it will need to be a part of the DnsAdmins group (the dns user account doesn't have permissions otherwise).

When you restart the DNS module (through the web GUI or CLI) it updates some of the DNS records by running;
Code:
nsupdate -g -t 10 /var/lib/zentyal/tmp/[somerandomfile]
but it can't if the dns user doesn't have those necessary permissions. Same goes for changing any of the settings in the DNS module (like adding a record). I should also note that using the Windows RSAT DNS tool I was still able to add records and change settings. I suspect because I was connected as a "Domain Admin" which DID have permissions, while the Web GUI runs under the dns-vdc01 user account on the localhost (127.0.0.1).

The domain-joined PCs are able to update their own DNS records because, if you look in their security properties, you will find that the PC has permissions to update its OWN DNS records only.

PS: I'm almost 100% certain that the dns user account should be set to "password never expires" but even in the current Zentyal download this setting is not checked. Which means that the password will eventually expire and will stop working.
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: jgould on June 16, 2017, 03:35:44 pm
Sorry for the multiple posts but I figure I should get all the information I can into this thread for others to benefit from.

If you don't have access to a Windows PC to join to the domain and install RSAT, you can accomplish all of this through the CLI.

Check if Account Flags has an "L" in it meaning the account is locked;
Code:
pdbedit -Lvu username
Unlock the account if necessary;
Code:
pdbedit -c='[]' --user=username
Set the user account to never expire;
Code:
samba-tool user setexpiry username --noexpiry
Check members of DnsAdmins group;
Code:
samba-tool group listmembers "DnsAdmins"
Add user to DnsAdmins group;
Code:
samba-tool group addmembers DnsAdmins username
I didn't do it this way but those SHOULD work.
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: ap1821 on August 18, 2017, 02:02:39 pm
Same problem. Very similar solution.
Upgrade from 4.2 to 5.0 went surprisingly well; only some minor changes had to be made to the configuration.
Had the same problem with DNS, wasn't able to add DNS entries anymore. The only problem was that I didn't have that DnsAdmins group. Luckily the Domain Admins group worked just fine instead.
Now DNS updates again and works normally.
Title: Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
Post by: desperados on April 17, 2019, 10:39:04 am
I have the same problem and it seems I've fixed it, thanks to jgould.

pay attention to the fact that if pdbedit results show "Password must change: never" it's NOT ok, it must show something like "Password must change: Tue, 19 Jan 2038 04:14:07 CET"
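The CLI checks jgould lists (locked flag, password expiry, DnsAdmins membership) together with desperados's note that "Password must change: never" is the bad state can be folded into one audit script. This is an added example, not code from the thread or from Zentyal; the account name dns-vdc01, the pdbedit listings and the group member lists below are constructed samples, and live mode assumes the account is named dns-<short hostname> as the posts describe.

```shell
#!/bin/sh
# Added example: audit the Zentyal dns-<servername> account for the three
# conditions this thread identified. Pure function + constructed samples, with
# an optional --live mode that feeds it real pdbedit / samba-tool output.

# audit_dns_account USER PDBEDIT_OUTPUT GROUP_MEMBERS
# Prints one PROBLEM/OK line per check; returns 0 only if every check passes.
audit_dns_account() {
    user="$1"
    pdb="$2"
    members="$3"
    problems=0

    # 1. An "L" in Account Flags means the account is locked (pdbedit -Lvu).
    flags=$(printf '%s\n' "$pdb" | sed -n 's/^Account Flags: *//p')
    case "$flags" in
        *L*)
            echo "PROBLEM: account locked (Account Flags: $flags); fix: pdbedit -c='[]' --user=$user"
            problems=$((problems + 1)) ;;
        *)
            echo "OK: account not locked (Account Flags: $flags)" ;;
    esac

    # 2. "Password must change: never" is the expired state seen in the thread;
    #    after "samba-tool user setexpiry --noexpiry" it shows a 2038 date.
    must_change=$(printf '%s\n' "$pdb" | sed -n 's/^Password must change: *//p')
    if [ "$must_change" = "never" ]; then
        echo "PROBLEM: 'Password must change: never' (expired); fix: samba-tool user setexpiry $user --noexpiry"
        problems=$((problems + 1))
    else
        echo "OK: password must change: $must_change"
    fi

    # 3. The account needs DnsAdmins membership to pass secure nsupdate.
    if [ -z "$members" ]; then
        echo "PROBLEM: DnsAdmins has no members or does not exist (thread fallback: Domain Admins)"
        problems=$((problems + 1))
    elif printf '%s\n' "$members" | grep -qix "$user"; then
        echo "OK: $user is a member of DnsAdmins"
    else
        echo "PROBLEM: $user not in DnsAdmins; fix: samba-tool group addmembers DnsAdmins $user"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Live mode (run as root on the Zentyal host): gather real data with the commands from the thread.
audit_live() {
    user="dns-$(hostname -s)"
    audit_dns_account "$user" "$(pdbedit -Lv "$user")" "$(samba-tool group listmembers DnsAdmins)"
}

# Constructed pdbedit -Lv excerpt resembling the broken state described in the thread.
SAMPLE_BAD_PDB='Unix username:        dns-vdc01
NT username:
Account Flags:        [UL         ]
User SID:             S-1-5-21-0000000000-0000000000-0000000000-1104
Primary Group SID:    S-1-5-21-0000000000-0000000000-0000000000-513
Domain:               INTERNAL
Password last set:    Mon, 20 Feb 2017 18:00:00 UTC
Password can change:  Mon, 20 Feb 2017 18:00:00 UTC
Password must change: never'
SAMPLE_BAD_MEMBERS='Administrator'

# Constructed healthy state: unlocked, non-expiring password, member of DnsAdmins.
SAMPLE_GOOD_PDB='Unix username:        dns-vdc01
Account Flags:        [U          ]
Primary Group SID:    S-1-5-21-0000000000-0000000000-0000000000-513
Password last set:    Mon, 20 Feb 2017 18:00:00 UTC
Password must change: Tue, 19 Jan 2038 03:14:07 UTC'
SAMPLE_GOOD_MEMBERS='Administrator
dns-vdc01'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "== constructed broken account =="
    audit_dns_account dns-vdc01 "$SAMPLE_BAD_PDB" "$SAMPLE_BAD_MEMBERS" || true
    echo "== constructed healthy account =="
    audit_dns_account dns-vdc01 "$SAMPLE_GOOD_PDB" "$SAMPLE_GOOD_MEMBERS"
fi
```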