[Samba] Internal DNS logging

John Gardeniers
Oct 27, 2015, 11:40:04 PM
We're using the Sernet Samba v4.2.4 with internal DNS and I can't find
the DNS logs. Where does the Samba 4 internal DNS log queries? Thanks.

regards,
John


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

John Gardeniers
Nov 4, 2015, 4:20:04 PM
Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or was
this a huge oversight and the internal DNS doesn't get logged at all, as
appears to be suggested by my utter failure to locate such logs.

Reindl Harald
Nov 4, 2015, 4:30:03 PM
No DNS server on that planet logs normal queries, simply because there is
not enough disk space in most setups; there is no benefit in logging
anything except errors and warnings for normal operations.

What is the problem you would like to solve, and if there is no problem,
why do you want to log normal operations?

In other words: what are you trying to solve, other than
https://wiki.samba.org/index.php/DNS

Marc Muehlfeld
Nov 4, 2015, 4:30:03 PM
Hello John,

On 04.11.2015 at 22:13, John Gardeniers wrote:
> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or was
> this a huge oversight and the internal DNS doesn't get logged at all, as
> appears to be suggested by my utter failure to locate such logs.

Samba doesn't log DNS queries.

Patches are welcome. :-)


Regards,
Marc

Marc Muehlfeld
Nov 4, 2015, 4:40:04 PM
On 04.11.2015 at 22:21, Reindl Harald wrote:
> No DNS server on that planet logs normal queries, simply because
> there is not enough disk space in most setups; there is no benefit
> in logging anything except errors and warnings for normal operations.

I don't know the reason the OP is asking, but I had cases in the past
where I temporarily turned on query logging on BIND for debugging
purposes. Mostly this is enough and easier than looking at Wireshark
traces.


Regards,
Marc

John Gardeniers
Nov 4, 2015, 5:10:03 PM
Hi Marc,

I don't feel any need to explain or defend my reasons but I will say
that I am trying to do some debugging.

regards,
John

John Gardeniers
Nov 4, 2015, 5:10:04 PM
Thanks Marc,

That's a nice unambiguous answer, so I'll stop looking.

I really doubt I'll be doing any coding on Samba, so it's kind of
unlikely I'll be supplying a patch. If I did create a patch it would be
to return to BIND flat files, so that the DNS can be made fully
functional again.

regards,
John

John Gardeniers
Nov 4, 2015, 5:10:04 PM
Well, that is not just a useless and unhelpful answer, it's also
completely wrong and demonstrates a lack of knowledge and experience
with DNS servers.

Reindl Harald
Nov 4, 2015, 5:20:05 PM

On 04.11.2015 at 23:03, John Gardeniers wrote:
> Well, that is not just a useless and unhelpful answer, it's also
> completely wrong and demonstrates a lack of knowledge and experience
> with DNS servers.

Well, while being responsible for some hundred domains, and having
written database-backed DNS admin backends maintaining internal and
public zones from the same raw data 8 years ago, I can live with the
fact you think I lack knowledge....

Rowland Penny
Nov 4, 2015, 5:30:04 PM
On 04/11/15 22:02, John Gardeniers wrote:
> Thanks Marc,
>
> That's a nice unambiguous answer, so I'll stop looking.
>
> I really doubt I'll be doing any coding on Samba, so it's kind of
> unlikely I'll be supplying a patch. If I did create a patch it would
> be to return to BIND flat files, so that the DNS can be made fully
> functional again.
>
> regards,
> John
>
>
> On 05/11/15 08:25, Marc Muehlfeld wrote:
>> Hello John,
>>
>> Am 04.11.2015 um 22:13 schrieb John Gardeniers:
>>> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or
>>> was this a huge oversight and the internal DNS doesn't get logged at
>>> all, as appears to be suggested by my utter failure to locate such
>>> logs.
>> Samba doesn't log DNS queries.
>>
>> Patches are welcome. :-)
>>
>>
>> Regards,
>> Marc
>>
>
>

Just because you want to use samba with bind flat files doesn't make it
the right thing to do. I have been using bind9 dlz with samba4 for
3 years now and it does what it is supposed to do. I know there are a
few things that need sorting, but they are minor and I am sure they will
get fixed eventually.

I wouldn't bother rushing to create a patch to make flat files work
again, I don't think it would be accepted.

Rowland

mathias dufresne
Nov 5, 2015, 5:00:04 AM
Code is like books, or art (painting...). Some guy produces something, as
he likes; some others use/watch/listen to it, as they like. Most of the
time these two ways are different.

What I mean is that just because something was not developed to be used
in some way does not mean that way of usage is not a good way of usage.

Perhaps for most of us this is not the right way to do what the OP wants
to do. Anyway it is his way. Who are we to tell him what he's doing should
not be done? I thought open source was more open than the other world.

Same thing but about SSSD: I was thinking of providing my client the same
behaviour for Linux systems as on Windows systems regarding local
administrators of computers (clients). On Windows you can define groups
and, using GPO, put some group(s) in the client's local "administrators"
group. There you have people able to manage client systems without any
rights on AD.
This can be done using the LDAP tree and user accounts with UID = 0. SSSD
also comes with filters to prevent people with UID=0 who have no right to
connect to some systems from connecting to those refused systems.
So I had all I wanted to give my client the same way of managing all
their systems with nominative accounts, to be able to trace a little what
admins do.
This is not possible because SSSD refuses (hardcoded...) to let users with
UID=0 connect to SSSD systems. I was told this is for security reasons:
SSSD through LDAP can, under certain configurations, allow a
man-in-the-middle attack (or something like that).
The fact is, when using AD the servers are also authenticated, so this
security reason disappears. Not the refusal, because the devs think what
they thought is the only way to think. I don't.

Rowland Penny
Nov 5, 2015, 5:30:03 AM
On 05/11/15 09:55, mathias dufresne wrote:
> Code is like books, or art (painting...). Some guy produces something, as
> he likes; some others use/watch/listen to it, as they like. Most of the
> time these two ways are different.
>
> What I mean is that just because something was not developed to be used
> in some way does not mean that way of usage is not a good way of usage.
>
> Perhaps for most of us this is not the right way to do what the OP wants
> to do. Anyway it is his way. Who are we to tell him what he's doing should
> not be done? I thought open source was more open than the other world.

Samba4 initially used the bind9 flat files way of running, but it didn't
work and couldn't be made to work as an AD DC expects. This is why Samba4
moved to dlz; a lot needed to be done to get this to work, but it does
work as expected. OK, there are a few minor problems, but I am sure these
will be fixed in time. I am not saying that the OP cannot use
flat-files, just that he is on his own there.

>
> Same thing but about SSSD: I was thinking of providing my client the same
> behaviour for Linux systems as on Windows systems regarding local
> administrators of computers (clients). On Windows you can define groups
> and, using GPO, put some group(s) in the client's local "administrators"
> group. There you have people able to manage client systems without any
> rights on AD.
> This can be done using the LDAP tree and user accounts with UID = 0. SSSD
> also comes with filters to prevent people with UID=0 who have no right to
> connect to some systems from connecting to those refused systems.
> So I had all I wanted to give my client the same way of managing all
> their systems with nominative accounts, to be able to trace a little what
> admins do.
> This is not possible because SSSD refuses (hardcoded...) to let users with
> UID=0 connect to SSSD systems. I was told this is for security reasons:
> SSSD through LDAP can, under certain configurations, allow a
> man-in-the-middle attack (or something like that).
> The fact is, when using AD the servers are also authenticated, so this
> security reason disappears. Not the refusal, because the devs think what
> they thought is the only way to think. I don't.

That is (in my opinion) a stupid way of doing things; every user with
the UID of 0 raises the potential for an attack. If you want to do this,
use sudo instead, and yes, sssd, AD and sudo will play nicely together.

Just because you think something is a good idea doesn't mean it is, but
nobody is stopping *you* doing things your way, just don't expect
sympathy if things go wrong.
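The check a practitioner would want after Rowland's point: every UID-0 account besides root is a second root, and because the kernel (and the audit login UID set at logon) see only the numeric UID, actions by such accounts cannot be told apart from root's, which defeats the per-admin traceability the LDAP/UID=0 scheme was meant to give. The following is an added example, not from the thread, SSSD or Samba; it audits passwd-format data such as `getent passwd` output, and the sample entries are constructed.

```python
"""Audit passwd-format account data for UID-0 accounts other than root.

Added example (not from the thread, SSSD or Samba). Extra UID-0 accounts
and shared UIDs in general make audit-log attribution impossible."""
from collections import defaultdict


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd(5) line
    (e.g. the output of `getent passwd`, which includes SSSD/LDAP users)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                       # malformed line: skip, don't guess
        name, _pw, uid, gid, _gecos, home, shell = fields
        if uid.isdigit() and gid.isdigit():
            yield name, int(uid), int(gid), home, shell


def find_uid0_aliases(text):
    """Names of accounts with UID 0 other than 'root', sorted."""
    return sorted(name for name, uid, *_ in parse_passwd(text)
                  if uid == 0 and name != "root")


def find_shared_uids(text):
    """Map uid -> sorted account names for every UID used by more than one
    account; any shared UID (not only 0) breaks attribution in audit logs."""
    by_uid = defaultdict(list)
    for name, uid, *_ in parse_passwd(text):
        by_uid[uid].append(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


# Constructed `getent passwd` excerpt: local accounts plus LDAP-sourced users.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:0:0:Alice (LDAP admin):/home/alice:/bin/bash
bob:x:10001:10001:Bob:/home/bob:/bin/bash
carol:x:10001:10002:Carol:/home/carol:/bin/bash
broken line without fields
"""

if __name__ == "__main__":
    print("UID-0 aliases:", find_uid0_aliases(SAMPLE_PASSWD))
    print("shared UIDs:", find_shared_uids(SAMPLE_PASSWD))
```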

mathias dufresne
Nov 5, 2015, 5:40:03 AM
2015-11-05 11:17 GMT+01:00 Rowland Penny <rowlandpe...@gmail.com>:

> On 05/11/15 09:55, mathias dufresne wrote:
>
>> Code is like books, or art (painting...). Some guy produces something,
>> as he likes; some others use/watch/listen to it, as they like. Most of
>> the time these two ways are different.
>>
>> What I mean is that just because something was not developed to be used
>> in some way does not mean that way of usage is not a good way of usage.
>>
>> Perhaps for most of us this is not the right way to do what the OP wants
>> to do. Anyway it is his way. Who are we to tell him what he's doing
>> should not be done? I thought open source was more open than the other
>> world.
>>
>
> Samba4 initially used the bind9 flat files way of running, but it didn't
> work and couldn't be made to work as an AD DC expects. This is why Samba4
> moved to dlz; a lot needed to be done to get this to work, but it does
> work as expected. OK, there are a few minor problems, but I am sure these
> will be fixed in time. I am not saying that the OP cannot use flat-files,
> just that he is on his own there.


I didn't write against your previous mail but more generally against a
way of thinking I don't like. Software is a tool and what users do with
tools is under their own responsibility. And sometimes, some user finds a
way of usage which was not foreseen by anyone, and rarely that new way of
usage is a really good idea.
I don't mean my ideas are better than those of others ;)
Perhaps you think it is; anyway that's how the IT world proceeds for
computer management as soon as we speak of computers, and they are
numerous, and they work not too badly. I'm not confident enough in my own
knowledge to say the whole Windows world is stupid.

Now you speak about sudo, and it is a very great tool if you don't have
too many things to delegate. Once you want to give full access to one
server to someone because that one is a sysadmin, sudo becomes a bit
complex if you want to trace stuff (refusing shells, even in vi/awk...
and still give this user a way to work quickly, efficiently). This is true
because I take as a reference my own knowledge, or more exactly my own
lack of knowledge.


>
> Just because you think something is a good idea doesn't mean it is, but
> nobody is stopping *you* doing things your way, just don't expect sympathy
> if things go wrong.


Oh, I don't love myself enough to think that :D
And I have grown old enough to fully understand that when using a tool
for something it is not initially meant for, support goes away, thank you.

Cheers,

mathias

mathias dufresne
Nov 5, 2015, 5:50:04 AM
A last thing: that's what is great with mailing lists: they are not paid
support, you can post on them to speak about new ways to use software, as
you speak to a community and not to a paid support with contract and
limitations. That does not mean you will necessarily find someone to
speak with about your new way, I understand that too.

James
Nov 5, 2015, 10:30:04 AM
On 11/4/2015 4:13 PM, John Gardeniers wrote:
> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or
> was this a huge oversight and the internal DNS doesn't get logged
> at all, as appears to be suggested by my utter failure to locate such
> logs.
>
> On 28/10/15 14:28, John Gardeniers wrote:
>> We're using the Sernet Samba v4.2.4 with internal DNS and I can't
>> find the DNS logs. Where does the Samba 4 internal DNS log queries?
>> Thanks.
>>
>> regards,
>> John
>>
>>
>
>
I've found increasing the log level of samba to 9 or 10 will usually
give me the DNS logs I require. Depending on how you configured your
server, you may find them in

'/usr/local/samba/var/log.samba'

This along with Wireshark has been enough to debug. I found out why
secure dynamic updates no longer work with this method.

--
-James
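Since the internal DNS has no query log and both Marc and James fall back on Wireshark captures, one way to get a per-query record on a DC is to decode captured UDP/53 traffic into a log line yourself. The following is an added example, not Samba's or BIND's code: it parses the header and question section of a raw DNS query (RFC 1035 wire format) and emits a BIND-style query-log line; the sample packet and client address are constructed for the example.

```python
"""Turn a captured DNS query into a BIND-style query-log line.
Added example (not Samba's or BIND's code); the sample query below is
constructed by hand for this example."""
import struct

# Record types an AD DC is usually asked for; unknown types print as numbers.
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 28: "AAAA", 33: "SRV"}


def parse_name(data, offset):
    """Read a domain name at `offset`, following RFC 1035 compression pointers;
    return (name, offset just after the name as it appears in the packet)."""
    labels, jumps, end = [], 0, None
    while True:
        length = data[offset]
        if length == 0:                           # root label ends the name
            offset += 1
            break
        if (length & 0xC0) == 0xC0:               # two-byte compression pointer
            jumps += 1
            if jumps > 16:                        # refuse pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                  # name ends after the pointer
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def decode_query(packet, client_ip):
    """Return a query-log line for a DNS query, or None for responses and
    packets with no question section."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if (flags & 0x8000) or qdcount == 0:          # QR=1 means response
        return None
    qname, offset = parse_name(packet, 12)
    qtype, qclass = struct.unpack_from("!HH", packet, offset)
    recursion = "+" if flags & 0x0100 else "-"    # RD flag, as BIND prints it
    qclass_name = "IN" if qclass == 1 else str(qclass)
    return (f"client {client_ip}: query: {qname} {qclass_name} "
            f"{QTYPE_NAMES.get(qtype, str(qtype))} {recursion}")


# Constructed sample: a recursive SRV query for _ldap._tcp.example.com.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header
                b"\x05_ldap\x04_tcp\x07example\x03com\x00"            # QNAME
                b"\x00\x21\x00\x01")                                  # SRV, IN

if __name__ == "__main__":
    print(decode_query(SAMPLE_QUERY, "192.0.2.10"))
```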

Rowland Penny
Nov 5, 2015, 10:40:03 AM
On 05/11/15 15:18, James wrote:
> On 11/4/2015 4:13 PM, John Gardeniers wrote:
>> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or
>> was this a huge oversight and the internal DNS doesn't get logged
>> at all, as appears to be suggested by my utter failure to locate such
>> logs.
>>
>> On 28/10/15 14:28, John Gardeniers wrote:
>>> We're using the Sernet Samba v4.2.4 with internal DNS and I can't
>>> find the DNS logs. Where does the Samba 4 internal DNS log queries?
>>> Thanks.
>>>
>>> regards,
>>> John
>>>
>>>
>>
>>
> I've found increasing the log level of samba to 9 or 10 will usually
> give me the DNS logs I require. Depending on how you configured your
> server, you may find them in
>
> '/usr/local/samba/var/log.samba'
>
> This along with Wireshark has been enough to debug. I found out why
> secure dynamic updates no longer work with this method.
>

OK, I'll ask, why don't they work now and what method??

Rowland

James
Nov 5, 2015, 11:50:04 AM
On 11/5/2015 10:30 AM, Rowland Penny wrote:
> On 05/11/15 15:18, James wrote:
>> On 11/4/2015 4:13 PM, John Gardeniers wrote:
>>> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or
>>> was this a huge oversight and the internal DNS doesn't get
>>> logged at all, as appears to be suggested by my utter failure to
>>> locate such logs.
>>>
>>> On 28/10/15 14:28, John Gardeniers wrote:
>>>> We're using the Sernet Samba v4.2.4 with internal DNS and I can't
>>>> find the DNS logs. Where does the Samba 4 internal DNS log queries?
>>>> Thanks.
>>>>
>>>> regards,
>>>> John
>>>>
>>>>
>>>
>>>
>> I've found increasing the log level of samba to 9 or 10 will usually
>> give me the DNS logs I require. Depending on how you configured your
>> server, you may find them in
>>
>> '/usr/local/samba/var/log.samba'
>>
>> This along with Wireshark has been enough to debug. I found out why
>> secure dynamic updates no longer work with this method.
>>
>
> OK, I'll ask, why don't they work now and what method??
>
> Rowland
>
>
Method = increasing the log level of samba and using Wireshark to debug.
I had to use a log level of 10 to get the information I was looking for.
I only mentioned my issue in case the OP was debugging the same thing. I'm
going to update the thread I already have open so as to keep everything
centralized. Don't want to derail this thread.

--
-James

Rafael Domiciano
Nov 5, 2015, 12:00:03 PM
Shouldn't the log be in a different file? Like, smb-dns.log. This would
avoid increasing the log level and a lot of info not necessary for that
analysis.

Jeremy Allison
Nov 5, 2015, 12:40:04 PM
On Thu, Nov 05, 2015 at 02:51:46PM -0200, Rafael Domiciano wrote:
> Shouldn't the log be in a different file? Like, smb-dns.log.
> This would avoid increasing the log level and a lot of info not
> necessary for that analysis.

If you want to log queries separately this probably needs
to be a separate logging subsystem.

John Gardeniers
Nov 5, 2015, 3:30:04 PM
Thanks James,

I'll give that a try. Although we are already rolling Samba 4 out to our
users, I find I'm getting ever more frustrated by its shortcomings and
incomplete features, especially around DNS. The lack of any DNS-specific
logging must be considered an incredible oversight, to put it mildly.

regards,
John


On 06/11/15 02:18, James wrote:
> On 11/4/2015 4:13 PM, John Gardeniers wrote:
>> Nobody? Surely somebody knows where Samba 4 logs its DNS queries, or
>> was this a huge oversight and the internal DNS doesn't get logged
>> at all, as appears to be suggested by my utter failure to locate such
>> logs.
>>
>> On 28/10/15 14:28, John Gardeniers wrote:
>>> We're using the Sernet Samba v4.2.4 with internal DNS and I can't
>>> find the DNS logs. Where does the Samba 4 internal DNS log queries?
>>> Thanks.
>>>
>>> regards,
>>> John
>>>
>>>
>>
>>
> I've found increasing the log level of samba to 9 or 10 will usually
> give me the DNS logs I require. Depending on how you configured your
> server, you may find them in
>
> '/usr/local/samba/var/log.samba'
>
> This along with Wireshark has been enough to debug. I found out why
> secure dynamic updates no longer work with this method.
>

