If you accidentally delete the dns-hostname account, which is required for BIND to update the zones in AD, samba_upgradedns doesn't recreate it, because it keeps saying that it already exists:

# samba-tool user delete dns-DC2
Deleted user dns-DC2
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-DC2 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

(Pay attention to the "dns-DC2 account already exists" message, which is wrong, because we had deleted the account before.)

The problem seems to be in the "try" section of source4/scripting/bin/samba_upgradedns, because it directly jumps into the else statement:

    if opts.dns_backend == "BIND9_DLZ":
        # Check if dns-HOSTNAME account exists and create it if required
        try:
            dn = 'samAccountName=dns-%s,CN=Principals' % hostname
            msg = ldbs.secrets.search(expression='(dn=%s)' % dn, attrs=['secret'])
            dnssecret = msg[0]['secret'][0]
        except IndexError:
            .....
        else:
            logger.info("dns-%s account already exists" % hostname)

Reproducible bug in 4.2.0rc2 and 4.1.12 (haven't tried 4.0.x).
WORKAROUND:
==============
Switch to the internal DNS and then directly back to the BIND9_DLZ backend. In this case, samba_upgradedns re-creates the dns-hostname account.

# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC2 account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
There is a possible fix in: http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/samba_dnsupdate-and-tests-base
(In reply to Andrew Bartlett from comment #2)

I tried the latest master. It already contains your commit 308d645f3428660b0466dbe273b995a887af68da "samba_upgradedns: Improve search for existing accounts in secrets.ldb". However, it doesn't fix the problem. It still says that the account exists, even if I deleted it before, and it is not created:

[root@DC2 samba-master]# samba-tool user delete dns-DC2
Deleted user dns-DC2
[root@DC2 samba-master]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-DC2 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
(In reply to Marc Muehlfeld from comment #3)

The reason why the dns-hostname account doesn't get created is that the search for the required account isn't done on sam.ldb (the place it is most likely to be deleted from) but on secrets.ldb. As most people don't even know it is also created in there, it will most likely still exist and the search will succeed, and if the search succeeds, the user account in sam.ldb will not get created.
Created attachment 12290 [details] Delete secrets.ldb record if there's no account in sam.ldb I think this is probably what you wanted, but I haven't tested to make sure it hasn't broken anything else.
Update: The problem still exists in 4.5.0rc2. It looks like you're already close to a solution. It would be great if you could get this fixed in 4.5.
(In reply to Garming Sam from comment #5)
> Created attachment 12290 [details]
> Delete secrets.ldb record if there's no account in sam.ldb

Garming, I tried your patch in master, and it fails:

[root@DC1 samba-master]# samba-tool user delete dns-DC1
Deleted user dns-DC1
[root@DC1 samba-master]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-DC1 account
Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_upgradedns", line 426, in <module>
    ldbs.secrets.delete(dn)
_ldb.LdbError: (1, 'Failed to update keytab from entry samAccountName=dns-DC1,CN=Principals in /usr/local/samba/private/secrets.ldb: No saltPrincipal provided')
(In reply to Marc Muehlfeld from comment #7) I haven't been able to reproduce the error you've seen yet. I'll probably have to defer this for now. Do you think there's anything else that you may have modified about this domain that could have an impact?
(In reply to Garming Sam from comment #8)

I'm not able to reproduce the problem with a newly provisioned 4.5.0rc3 domain:

[root@DC1 samba-4.5.0rc3]# samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.EXAMPLE.COM]:
Domain [SAMDOM]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
...
[root@DC1 samba-4.5.0rc3]# systemctl start named
[root@DC1 samba-4.5.0rc3]# samba-tool user delete dns-DC1
Deleted user dns-DC1
[root@DC1 samba-4.5.0rc3]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-DC1 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

However, it fails in a constantly updated environment. The domain was provisioned with 4.1.11 (self-compiled) and regularly updated up to now, 4.5.0rc3. The DNS setup has never been changed (no accounts deleted/recreated, no backend switch, etc.).
Ping! Is there anything we can do before the 4.5.0 release?
(In reply to Stefan Metzmacher from comment #10) I've managed to reproduce the bug (provision a domain from 4.1, then samba_dnsupgrade on master), and it's actually a side-effect of 86652c02083b411ad94217a871a2bcc81f16b369 (s4-setup: Add saltPrincipal to secrets_dns.ldif) and c9a8fff52519bb57040bf34b730263f191a6a88f (s4-auth: Always pass down the salt principal) which makes deletion of the account in secrets.ldb impossible. As far as I can tell, the workaround by switching to the internal DNS shouldn't have worked in the upgraded case either. Currently writing a patch to remedy this case...
Patch is sent to the list. Then it should probably be backported, as well as the one already in master to attempt the delete.
(In reply to Garming Sam from comment #12)

I applied the patch sent to samba-technical to my 4.5rc3 installation without problem and it fixes the problem. Thanks. Good work, Garming.
(In reply to Marc Muehlfeld from comment #13)

Sorry, I have to withdraw my previous comment: it only does not fail any more. But it does not recreate the account. It says, like in the original bug report, "dns-DC1 account already exists", which is incorrect.

# samba-tool user delete dns-DC1
Deleted user dns-DC1
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-DC1 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=dns-DC1)'
# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 3 records
# 0 entries
# 3 referrals
(In reply to Marc Muehlfeld from comment #14)

That explains why my patch works for me, I have the 'saltPrincipal' attribute:

saltPrincipal: dns-dc1@SAMDOM.EXAMPLE.COM

Try checking if you have this attribute and then try my patch again.
Created attachment 12451 [details] fix for bug 10882
(In reply to Rowland Penny from comment #16)

I hate this bugzilla, wrote out how I tested, went to add the patch and it wiped everything I wrote :-(

I created a 4.1.11 DC, upgraded to 4.4.5, deleted the dns user, used my patch, but no go. Recompiled 4.4.5 with Garming's patch, this time success:

root@testdc:~# samba-tool user delete dns-testdc
Deleted user dns-testdc
root@testdc:~# net cache flush
root@testdc:~# wbinfo -u
TESTING\administrator
TESTING\krbtgt
TESTING\guest
root@testdc:~# samba_upgradedns --dns-backend=BIND9_DLZ --verbose
Reading domain information
DNS group account 'DnsAdmins' already exists
No zone file /usr/local/samba/private/dns/TESTING.TLD.zone
DNS records will be automatically created
DNS partitions already exist
Deleting samAccountName=dns-testdc,CN=Principals from secrets.ldb
Adding dns-testdc account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
root@testdc:~# wbinfo -u
TESTING\administrator
TESTING\dns-testdc
TESTING\krbtgt
TESTING\guest
(In reply to Marc Muehlfeld from comment #14)

Just making sure, Marc: is this with both patches? The one currently in master isn't in 4.5.0rc3, and it needs both to work correctly in the upgrade case.
(In reply to Garming Sam from comment #18)

Hello, is anybody listening?????

With Garming's latest patch and mine, it works: you can recreate the deleted 'dns-*' users, even if the 'saltPrincipal' attribute doesn't exist (note: it will afterwards). If people would review my patches on samba-technical, we could probably have fixed this two months ago.
Rowland, can you propose these two on samba-technical and I promise I'll try and learn enough about the subject to review :-).
Updating Samba from 4.1.X to 4.5.0, it was necessary to apply the following command:

ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
dn: samAccountName=dns-<hostname>,CN=Principals
changetype: modify
add: saltPrincipal
saltPrincipal: dns-<hostname>@<REALM>
%EOF

Replace <hostname> and <REALM> in the command. Apparently it functioned normally without applying any patch suggested above.
(In reply to cleberson from comment #21)

Sorry, but the patch (comment #5) is still necessary for the entry in secrets.ldb to be deleted and to allow it to be recreated.
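The state described in comment #4 (the account deleted from sam.ldb while its entry survives in secrets.ldb) and the saltPrincipal precondition from comments #7, #15 and #21 can be verified on a DC before running samba_upgradedns. The following is an added example, not Samba project code: a small Python checker that parses ldbsearch-style LDIF output saved to text, classifies the dns-HOSTNAME account state and suggests the next step from the thread. The function names (parse_ldif, dns_account_state, remediation) and the sample LDIF are constructed here; the attribute and DN names come from the thread.

```python
"""Checker for the dns-HOSTNAME account across sam.ldb and secrets.ldb.

Added example, not Samba project code. It reads saved ldbsearch output
(LDIF text) instead of opening the databases, so it runs offline; the
sample LDIF at the bottom is constructed.
"""
import base64


def parse_ldif(text):
    """Parse the LDIF subset that ldbsearch prints into a list of dicts.

    Entries are blank-line separated 'attr: value' / 'attr:: base64' lines.
    '#' comment lines and 'ref:' referral lines are dropped, folded lines
    (leading space) are joined, and attribute names are lower-cased because
    LDAP attribute names are case-insensitive (sAMAccountName vs samAccountName).
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#") or line.startswith("ref:"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if ":: " in line:
            attr, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8", "replace")
        elif ": " in line:
            attr, value = line.split(": ", 1)
        else:
            continue  # not an attribute line; skip rather than fail
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_entry(entries, attr, value):
    """Return the first entry whose attribute holds value (case-insensitive)."""
    wanted = value.lower()
    for entry in entries:
        if any(v.lower() == wanted for v in entry.get(attr.lower(), [])):
            return entry
    return None


def dns_account_state(sam_ldif, secrets_ldif, hostname):
    """Classify the dns-HOSTNAME account; returns (state, has_salt_principal).

    'ok'             present in both databases
    'missing'        present in neither
    'stale-secret'   gone from sam.ldb but still in secrets.ldb, the case from
                     comment #4 that makes samba_upgradedns say "already exists"
    'secret-missing' present in sam.ldb only
    """
    name = "dns-%s" % hostname
    in_sam = find_entry(parse_ldif(sam_ldif), "sAMAccountName", name)
    in_secrets = find_entry(parse_ldif(secrets_ldif), "samAccountName", name)
    has_salt = bool(in_secrets and in_secrets.get("saltprincipal"))
    if in_sam and in_secrets:
        return "ok", has_salt
    if in_sam:
        return "secret-missing", has_salt
    if in_secrets:
        return "stale-secret", has_salt
    return "missing", has_salt


def remediation(state, has_salt, hostname, realm):
    """Next step per the thread: a stale secrets.ldb entry without saltPrincipal
    cannot be deleted ("No saltPrincipal provided", comment #7), so it first
    needs the attribute added as in comment #21. Returns (action, ldif) where
    ldif, when not None, is meant for ldbmodify -H .../secrets.ldb."""
    if state == "stale-secret" and not has_salt:
        ldif = ("dn: samAccountName=dns-%s,CN=Principals\n"
                "changetype: modify\n"
                "add: saltPrincipal\n"
                "saltPrincipal: dns-%s@%s\n" % (hostname, hostname, realm))
        return "add saltPrincipal, then rerun samba_upgradedns (patched)", ldif
    if state == "stale-secret":
        return "rerun samba_upgradedns with the patch that deletes the stale entry", None
    if state == "missing":
        return "rerun samba_upgradedns; nothing blocks account creation", None
    if state == "secret-missing":
        return "secrets.ldb entry absent; inspect manually (not covered in the thread)", None
    return "nothing to do", None


# Constructed sample modelled on the ldbsearch run in comment #14: after
# deleting the user, sam.ldb returns only referrals.
SAM_LDIF_AFTER_DELETE = """\
# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# returned 3 records
# 0 entries
# 3 referrals
"""

# Constructed secrets.ldb entry for the same host, lacking saltPrincipal.
SECRETS_LDIF_NO_SALT = """\
dn: samAccountName=dns-DC1,CN=Principals
objectClass: kerberosSecret
samAccountName: dns-DC1
realm: SAMDOM.EXAMPLE.COM
secret:: c2VjcmV0LXBhc3N3b3Jk
"""

if __name__ == "__main__":
    state, salt = dns_account_state(SAM_LDIF_AFTER_DELETE, SECRETS_LDIF_NO_SALT, "DC1")
    action, ldif = remediation(state, salt, "DC1", "SAMDOM.EXAMPLE.COM")
    print(state, "saltPrincipal present:", salt)
    print(action)
    if ldif:
        print(ldif)
```

To use it on a real DC, save the output of `ldbsearch -H .../sam.ldb '(sAMAccountName=dns-HOSTNAME)'` and of `ldbsearch -H .../secrets.ldb '(samAccountName=dns-HOSTNAME)'` to two files and pass their contents to dns_account_state; the "stale-secret" result with no saltPrincipal is exactly the combination that produced the "No saltPrincipal provided" traceback in comment #7.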
Created attachment 12699 [details] backport saltPrincipal fix for 4.5 The salt principal patches should at least be backported to 4.5. That should at least resolve the superficial issues we currently have with missing salt principals.
(In reply to Garming Sam from comment #23) Pushed to autobuild-v4-5-test.
(In reply to Karolin Seeger from comment #24) Pushed to v4-5-test.
Re-assigning to Garming, because it sounds like this is not the full fix.