[Samba] Starting second DC makes named freeze on primary DC

Bruno Andrade bma at eurotux.com
Mon Sep 8 10:01:16 MDT 2014



On 09/08/2014 04:57 PM, Rowland Penny wrote:
> On 08/09/14 16:33, Bruno Andrade wrote:
>> hey,
>>
>> First, I use bind 9.8.1 as my DNS backend.
>>
>> Well, I have a domain controller, dc1.example.com, running correctly 
>> and with the following configurations...
>>
>> == smb.conf ==
>>
>> [global]
>>         workgroup = EXAMPLE
>>         realm = EXAMPLE.COM
>>         netbios name = DC1
>>         server role = active directory domain controller
>>         idmap_ldb:use rfc2307 = yes
>>
>>         server services = -dns
>>
>>         dsdb:schema update allowed = true
>>
>>         dos charset = ISO8859-1
>>         unix charset = cp850
>>
>>         interfaces = vlan2
>>         bind interfaces only = Yes
>>
>>         allow dns updates = nonsecure
>>         #nsupdate command = nsupdate
>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>
>> == named.conf ==
>>
>> options {
>>         listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>         listen-on-v6 port 53 { ::1; };
>>         directory       "/var/named";
>>         dump-file       "/var/named/data/cache_dump.db";
>>         statistics-file "/var/named/data/named_stats.txt";
>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>         allow-query     { any; };
>>         recursion yes;
>>
>>         # just example
>>         forwarders { 8.8.8.8; };
>>
>>         dnssec-enable no;
>>         dnssec-validation no;
>>         dnssec-lookaside auto;
>>
>>         bindkeys-file "/etc/named.iscdlv.key";
>>         managed-keys-directory "/var/named/dynamic";
>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> zone "." IN {
>>         type hint;
>>         file "named.ca";
>> };
>>
>> include "/etc/named.rfc1912.zones";
>> include "/etc/named.root.key";
>> include "/var/lib/samba/private/named.conf";
>>
>> And I have a second DC with the following configuration:
>>
>> == smb.conf ==
>>
>> [global]
>>         workgroup = EXAMPLE
>>         realm = EXAMPLE.COM
>>         netbios name = DC2
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>
>>         interfaces = eth1
>>         bind interfaces only = Yes
>>
>>         dsdb:schema update allowed = true
>>
>>         dos charset = ISO8859-1
>>         unix charset = cp850
>>
>>         allow dns updates = nonsecure
>>         #nsupdate command = nsupdate
>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>
>> == named.conf ==
>>
>> options {
>>         listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>         listen-on-v6 port 53 { ::1; };
>>         directory       "/var/named";
>>         dump-file       "/var/named/data/cache_dump.db";
>>         statistics-file "/var/named/data/named_stats.txt";
>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>         allow-query     { any; };
>>         recursion yes;
>>
>>         forwarders { 10.1.11.2; };
>>
>>         dnssec-enable no;
>>         dnssec-validation no;
>>         dnssec-lookaside auto;
>>
>>         /* Path to ISC DLV key */
>>         bindkeys-file "/etc/named.iscdlv.key";
>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> zone "." IN {
>>         type hint;
>>         file "named.ca";
>> };
>>
>> include "/etc/named.rfc1912.zones";
>> include "/etc/named.root.key";
>> include "/var/lib/samba/private/named.conf";
>>
>> DC1 works fine until I start samba on DC2... then named on DC1 freezes
>> and some messages about failed DNS updates appear in the logs.
>>
>> Both DCs have samba 4.1.6 installed and bind 9.8.2.
>>
>> Has anyone had problems related to this?
>>
>> best regards,
>> Bruno.
>>
>>
>>
> Hi, can you let us know what OS you are using? I did spot one 
> potential problem, though it shouldn't cause the problems you are 
> having:
>

     I have CentOS 6.5 on both DCs.

> On dc1:
>
> listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>
> forwarders { 8.8.8.8; };
>
> on dc2:
>
> listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>
> forwarders { 10.1.11.2; };

I made a mistake... DC2 also forwards to 8.8.8.8.

> I think this means your DCs have the addresses '10.1.11.2' and 
> '10.1.1.150', and that you are forwarding anything that dc2 knows 
> nothing about to dc1. dc2 should know what dc1 knows, so you need to 
> change this: they should both forward to outside the Samba AD domain.
>
> How did you join the second DC to the first, and did you get any errors 
> when you did so? Did you follow this page on the wiki:
>
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
>

Yes, I followed the process on that page, without errors.

> Rowland
>

-- 
Bruno Andrade <bma at eurotux.com>
Programador (I&D)
Eurotux Informática, S.A. | www.eurotux.com
(t) +351 253 680 300
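
The review above turns on three settings visible in the posted configs: DC2 forwarding to DC1 instead of to an outside resolver, "allow dns updates = nonsecure" (which lets any client on the network rewrite AD DNS records without Kerberos), and "recursion yes" together with "allow-query { any; }" with no "allow-recursion" (which leaves named answering recursive queries for anyone who can reach it). The script below is an added example, not code from the thread, from Samba or from BIND; it lints a pair of DC configs for exactly those three points. The configs it reads are constructed copies of the ones posted, embedded so it runs offline; the DC names and addresses come from the post, the finding messages are my own.

```shell
#!/bin/sh
# Added example: lint the DNS settings of two Samba AD DCs that use the
# BIND9_DLZ backend.  Sample configs below are constructed from the post.

DC1_NAMED='options {
        listen-on port 53 { 127.0.0.1; 10.1.11.2; };
        listen-on-v6 port 53 { ::1; };
        allow-query     { any; };
        recursion yes;
        forwarders { 8.8.8.8; };
};'
DC2_NAMED='options {
        listen-on port 53 { 127.0.0.1; 10.1.1.150; };
        listen-on-v6 port 53 { ::1; };
        allow-query     { any; };
        recursion yes;
        forwarders { 10.1.11.2; };
};'
DC_SMB='[global]
        server role = active directory domain controller
        allow dns updates = nonsecure'

# Print the IPv4 items of every "<keyword> ... { a; b; }" list in $2, one per
# line, loopback dropped.  The IPv4 filter also discards listen-on-v6 entries.
list_items() {                        # $1 keyword, $2 named.conf text
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[^{]*{\([^}]*\)}.*/\1/p" |
        tr ';' '\n' | tr -d ' \t' |
        grep -E '^[0-9]+(\.[0-9]+){3}$' | grep -v '^127\.' || true
}

# Check 1: a DC must not forward to another DC; every DC already holds the
# AD zones, so forwarders belong outside the domain.  $3 is the whitespace
# separated list of all DC addresses.  Prints one finding per bad forwarder.
check_forwarders() {                  # $1 DC name, $2 named.conf text, $3 DC addrs
    rc=0
    for fwd in $(list_items forwarders "$2"); do
        for dc in $3; do
            if [ "$fwd" = "$dc" ]; then
                echo "$1: forwarder $fwd is a domain controller; forward outside the AD domain"
                rc=1
            fi
        done
    done
    return $rc
}

# Check 2: Samba's "allow dns updates" defaults to "secure only"; any value
# containing "nonsecure" accepts unauthenticated dynamic updates.
check_dns_updates() {                 # $1 DC name, $2 smb.conf text
    val=$(printf '%s\n' "$2" | sed -n 's/^[[:space:]]*allow dns updates[[:space:]]*=[[:space:]]*//p')
    case "$val" in
        *nonsecure*) echo "$1: allow dns updates = $val (unauthenticated DNS updates)"; return 1 ;;
    esac
    return 0
}

# Check 3: with "recursion yes", BIND derives allow-recursion from
# allow-query-cache, and that from allow-query when neither is set, so
# "allow-query { any; }" alone yields an open recursive resolver.
check_open_recursion() {              # $1 DC name, $2 named.conf text
    printf '%s\n' "$2" | grep -qE '^[[:space:]]*recursion[[:space:]]+yes' || return 0
    printf '%s\n' "$2" | grep -qE '^[[:space:]]*allow-query[[:space:]]*\{[[:space:]]*any' || return 0
    printf '%s\n' "$2" | grep -qE '^[[:space:]]*allow-(recursion|query-cache)' && return 0
    echo "$1: recursion yes + allow-query { any; } with no allow-recursion: open resolver"
    return 1
}

# Every non-loopback listen address of both DCs, used by check 1.
DC_ADDRS="$(list_items listen-on "$DC1_NAMED") $(list_items listen-on "$DC2_NAMED")"

# Run all checks on both DCs; exit status 1 if anything was flagged.
lint_all() {
    status=0
    check_forwarders DC1 "$DC1_NAMED" "$DC_ADDRS" || status=1
    check_open_recursion DC1 "$DC1_NAMED" || status=1
    check_dns_updates DC1 "$DC_SMB" || status=1
    check_forwarders DC2 "$DC2_NAMED" "$DC_ADDRS" || status=1
    check_open_recursion DC2 "$DC2_NAMED" || status=1
    check_dns_updates DC2 "$DC_SMB" || status=1
    return $status
}

if lint_all; then echo "no findings"; else echo "findings reported above"; fi
```

On the posted configs the script flags DC2's forwarder (10.1.11.2 is DC1), "allow dns updates = nonsecure" on both DCs, and open recursion on both; DC1's forwarder to 8.8.8.8 passes. To run it against real hosts, replace the embedded strings with the output of cat on /etc/named.conf and /etc/samba/smb.conf. The fix for the third finding is an explicit "allow-recursion { localhost; 10.1.0.0/16; };" (or whatever your client ranges are) in the options block; the fix for the second is to leave "allow dns updates" at its default so that only Kerberos-authenticated machines can update their records.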