Zentyal Forum, Linux Small Business Server
Zentyal Server => Other modules => Topic started by: plarsson on January 30, 2020, 12:33:02 pm
-
I'm using Zentyal as my DHCP and DNS server.
From time to time the DNS stops resolving addresses on my internal domain for a while.
So far I have not been able to figure out if there is an event that makes the domain start again, usually I just go to the zentyal webpage by IP and log in and at some point it seems to start working again.
I'm not sure where to start troubleshooting. Any ideas?
-
Ran:
sudo systemctl status samba-ad-dc.service
and noticed:
Jan 30 20:23:32 dc-002 samba[29638]: [2020/01/30 20:23:32.292633, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:23:32 dc-002 samba[29638]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Jan 30 20:28:32 dc-002 samba[29638]: [2020/01/30 20:28:32.415317, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:28:32 dc-002 samba[29638]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Jan 30 20:33:32 dc-002 samba[29638]: [2020/01/30 20:33:32.474230, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:33:32 dc-002 samba[29638]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Jan 30 20:38:32 dc-002 samba[29638]: [2020/01/30 20:38:32.520138, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:38:32 dc-002 samba[29638]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Jan 30 20:43:32 dc-002 samba[29638]: [2020/01/30 20:43:32.626901, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 30 20:43:32 dc-002 samba[29638]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Not sure if it's related or not?
-
Me too :'(
-
:)
The '/var/log/zentyal/zentyal.log' file is usually a good place to begin the debugging process.
Search 'zentyal.log' for errors and paste them here.
Cheers!
-
I have this problem too :-\
-
I got into this state just now.
The log doesn't contain anything since yesterday morning (And at that time just information that I logged in to the web interface)
I was in this state at around 7:45am not sure when it started; and got out of it around 7:53(ish)- maybe a minute or so before that (Writing it here to help me if I need to look in log files later)
In samba service I still have:
Feb 09 07:37:09 dc-002 samba[2510]: [2020/02/09 07:37:09.630973, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:37:09 dc-002 samba[2510]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Feb 09 07:42:09 dc-002 samba[2510]: [2020/02/09 07:42:09.723072, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:42:09 dc-002 samba[2510]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Feb 09 07:47:09 dc-002 samba[2510]: [2020/02/09 07:47:09.774040, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:47:09 dc-002 samba[2510]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Feb 09 07:52:09 dc-002 samba[2510]: [2020/02/09 07:52:09.949345, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:52:09 dc-002 samba[2510]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
Feb 09 07:57:10 dc-002 samba[2510]: [2020/02/09 07:57:10.002038, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Feb 09 07:57:10 dc-002 samba[2510]: /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
I also looked for other log files; didn't see anything of interest, but I'm not sure where to look (I think that Samba-AD-DC is what is handling the DNS? so that is why I looked at samba service) - the samba log file was really big; couldn't tell if it was errors or not- if it would be of help I can paste part of it
Thanks
-
:)
I can't reproduce this behavior.
Could you give us some details about your system? Is there some other domain controller? Do you have some other zone configured in your DNS server? If that's the case, does it crash too? Have you configured some other network external to Zentyal to use the Zentyal DNS server? Did you check the DNS server via the command line? See here: https://forum.zentyal.org/index.php/topic,34866.msg113324.html#msg113324
Cheers!
-
Sorry for the late reply
Since I initially had this problem, I decided to re-install Zentyal on a new VM (I'm running it in Proxmox). After reinstall I still have the same issue.
I tried some of the commands on the link, but they gave me bad user/password:
samba-tool dns serverinfo localhost -U admindc%admindc
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:127.0.0.1[,sign]
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:127.0.0.1[49152,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1] NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server 127.0.0.1 failed with (-1073741715, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 44, in dns_connect
dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
I'm not sure if I should replace username in the command with something different, so I tried my own username and with root and got the same result still
There is only one domain controller on the network, the network is divided into multiple subnets. The original Zentyal server had 3 network cards (one for each server). The current install I have not gotten around to configure all 3 nics, only the one I'm using and the other nics are in zentyal, but not any ip assigned to them
In this setup Zentyal is DHCP and DNS server, it's not the gateway for the system
-
I realized that my DHCP (on zentyal) was configured to use zentyal as primary DNS and 8.8.8.8 as secondary.
After removing 8.8.8.8 as secondary, things got worse.
Now it's not just internal sites that are not resolving, all sites stop resolving, after a few minutes it works again... and then stops again
-
I've been having the same issue for some time now ... (not sure when it started). I've been going over and over these settings but cannot find what is wrong (it used to work at some point).
My config is as follows (my apologies if it is a bit too long):
Zentyal 5.0 Development Edition
System
General - Hostname and Domain
Hostname zentyal
Domain myname.mydomain.org
Network
Interfaces
eth0 DHCP External (WAN)
eth1 Static 192.168.122.1/23
wlan0 not set (I run on an old laptop)
DNS - Search Domain
Domain myname.mydomain.org
Objects
fixed_addresses (members set manually)
LAN Name 192.168.122.0-123.255
IP address 192.168.122.0-192.168.122.123.255
MAC address --
openVPN-eth1-192.168.122.0-23 <-- readonly
openVPN-wlan0-192.168.0.0-24 <-- readonly ? used to be the wlan0
Domain
[ modules Domain Controller and File Sharing not enabled ]
Settings
Server Role Domain Controller
Realm myname.mydomain.org
NetBIOS domain name myname
NetBIOS computer name (fixed to) zentyal
Server Description Zentyal Server
Enable Roaming Profiles unchecked
Drive letter H:
File Sharing
[ modules Domain Controller and File Sharing not enabled ]
Enabled | Share | Share | Comment | Guest | Access control
| name | path | | access |
--------+--------+-------+---------+-----------+-------------------------------------
checked | aname1 | path1 | Comment | unchecked | Group: Domain Users - Read Only
| | | | | User: Me - Administrator
--------+--------+-------+---------+-----------+-------------------------------------
checked | aname2 | path2 | Comment | unchecked | Group: Domain Users - Read Only
| | | | |
--------+--------+-------+---------+-----------+-------------------------------------
DNS
Settings - Enable transparent DNS cache checked
Forwarders - none set
Domains *
domain | Domain IP | Hostnames | Name Servers | TXT records | Services | Dynamic
| Addresses | | | |
--------------------+---------------+-----------+---------------+-------------+----------+---------
myname.mydomain.org | 192.168.122.1 | manually |Hostname | kerberos related and |
| | set ** | [This domain] | set by Zentyal | yes
| | | [zentyal] *** | |
--------------------+---------------+-----------+---------------+-------------+----------+---------
* no Mail Exchange Servers
** e.g. zentyal 192.168.122.1
other 192.168.122.132
*** from list of manually set hostnames
DHCP
Interfaces
Enabled checked
Interface eth1
Configuration
[Tab] Common Options
Default gateway Zentyal
Search domain Zentyal domain - myname.mydomain.org
Primary nameserver local Zentyal DNS
Secondary nameserver not set
NTP server local Zentyal NTP
WINS server local Zentyal
[Tab] Dynamic DNS Options
Enabled checked
Dynamic Domain myname.mydomain.org
Static domain same as Dynamic Domain
[Tab] Advanced options
Lease times
Default leased time 1800 s
Maximum leased time 7200 s
DHCP ranges (not set-able)
Interface IP address 192.168.122.1
Subnet 192.168.122.0/23
Available range 192.168.122.1 - 192.168.123.254
Ranges
Name From To
DHCP 192.168.122.16 192.168.122.127
Fixed addresses
Object Description
fixed_addresses fixed addresses Network objects
When I make a change, I save and either reboot or restart the DNS DHCP services from the Dashboard. For the client (other) I renew the dhcp lease before testing (but all to no avail).
I also have an external dynamic DNS service that points to my external IP address, so from a host outside my local network:
[me@somewhere_else ~]$ dig myname.mydomain.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> myname.mydomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;myname.mydomain.org. IN A
;; ANSWER SECTION:
myname.mydomain.org. 17 IN A xxx.yyy.zzz.www [obfuscated]
;; Query time: 0 msec
;; SERVER: 172.16.150.1#53(172.16.150.1)
;; WHEN: Sat Mar 14 15:45:39 CET 2020
;; MSG SIZE rcvd: 62
Inside my local network, dhcpd sets /etc/resolv.conf:
[me@other~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search myname.mydomain.org
nameserver 192.168.122.1
When asking for just the zentyal:
[me@other ~]$ dig zentyal
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> zentyal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4632
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zentyal. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020031400 1800 900 604800 86400
;; Query time: 197 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Sat Mar 14 15:38:18 CET 2020
;; MSG SIZE rcvd: 111
or when using the FQDN for zentyal:
[me@other ~]$ dig zentyal.myname.mydomain.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> zentyal.durodie.no-ip.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zentyal.durodie.no-ip.org. IN A
;; Query time: 1 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Sat Mar 14 15:42:45 CET 2020
;; MSG SIZE rcvd: 54
So no answer, external addresses work
[me@other ~]$ dig google.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 172.217.17.142
;; AUTHORITY SECTION:
google.com. 172525 IN NS ns4.google.com.
google.com. 172525 IN NS ns2.google.com.
google.com. 172525 IN NS ns1.google.com.
google.com. 172525 IN NS ns3.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 172502 IN A 216.239.32.10
ns1.google.com. 172502 IN AAAA 2001:4860:4802:32::a
ns2.google.com. 172502 IN A 216.239.34.10
ns2.google.com. 172502 IN AAAA 2001:4860:4802:34::a
ns3.google.com. 172502 IN A 216.239.36.10
ns3.google.com. 172502 IN AAAA 2001:4860:4802:36::a
ns4.google.com. 172502 IN A 216.239.38.10
ns4.google.com. 172502 IN AAAA 2001:4860:4802:38::a
;; Query time: 22 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Sat Mar 14 15:40:35 CET 2020
;; MSG SIZE rcvd: 303
There is also something else that is really mysterious:
when I am connected with openvpn to somewhere_else (see above) I got the correct answer from somewhere_else's (local) dns server 172.16.150.1. BUT when I ask for
[me@other:~]$ dig @8.8.8.8 myname.mydomain.org
I do not get an answer. However when I do exactly the same somewhere_else I get the correct answer ...
I would appreciate if someone could explain this and point me in the correct direction.
Thanks.
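The three dig results in the post above differ in ways that the status line and the authority section make visible. As an added example (not part of the original thread), this Python sketch parses constructed dig output shaped like those queries and maps each result to a likely cause; `parse_dig`, `diagnose` and the sample text are illustrative, and the hints assume dig's default of not applying the resolv.conf search list unless `+search` is given.

```python
import re

# Constructed sample: trimmed dig output shaped like the three queries in the post.
SAMPLE = """\
; <<>> DiG 9.11.4 <<>> zentyal
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4632
;; QUESTION SECTION:
;zentyal. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020031400 1800 900 604800 86400
;; SERVER: 192.168.122.1#53(192.168.122.1)
; <<>> DiG 9.11.4 <<>> zentyal.myname.mydomain.org
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36324
;; QUESTION SECTION:
;zentyal.myname.mydomain.org. IN A
;; SERVER: 192.168.122.1#53(192.168.122.1)
; <<>> DiG 9.11.4 <<>> google.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26730
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 172.217.17.142
;; SERVER: 192.168.122.1#53(192.168.122.1)
"""

def parse_dig(text):
    """Split concatenated dig output into one dict per query."""
    results = []
    for block in re.split(r"(?m)^; <<>> DiG", text)[1:]:
        status = re.search(r"status: (\w+)", block)
        qname = re.search(r"(?m)^;(\S+)[ \t]+IN[ \t]+\w+", block)
        server = re.search(r"SERVER: ([\w.:]+)#", block)
        results.append({
            "qname": qname.group(1) if qname else None,
            "status": status.group(1) if status else None,
            "server": server.group(1) if server else None,
            # A root-zone SOA in AUTHORITY means the name was tried as a TLD.
            "root_soa": bool(re.search(r"(?m)^\.[ \t]+\d+[ \t]+IN[ \t]+SOA", block)),
        })
    return results

def diagnose(r, local_zone):
    """Map one parsed result to a likely cause, given the zone the server hosts."""
    in_zone = r["qname"].rstrip(".").endswith(local_zone)
    if r["status"] == "NXDOMAIN" and r["root_soa"]:
        return "looked up as a top-level name; use dig +search or the FQDN"
    if r["status"] == "SERVFAIL" and in_zone:
        return "server failed on a zone it should host; check the zone is loaded"
    if r["status"] == "NOERROR":
        return "resolved"
    return "unclassified"

if __name__ == "__main__":
    for r in parse_dig(SAMPLE):
        print(r["qname"], r["status"], "->", diagnose(r, "myname.mydomain.org"))
```

Run periodically against saved dig output, the same parser gives timestamps of status changes that can be lined up with the samba and zentyal logs.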
-
:)
'admindc%admindc' are my own administration account and password. You have to create an administrative account on Webadmin and use it with the commands.
Cheers!
-
:)
Samba KDC is an application related to the replication between domain controllers. Do you have some additional domain controller?
Cheers!