[Samba] Starting second DC makes named to freeze on primary DC

Bruno Andrade bma at eurotux.com
Tue Sep 9 03:16:08 MDT 2014


On 09/08/2014 06:33 PM, Rowland Penny wrote:
> On 08/09/14 18:09, Bruno Andrade wrote:
>>
>> On 09/08/2014 05:31 PM, Rowland Penny wrote:
>>> On 08/09/14 17:01, Bruno Andrade wrote:
>>>>
>>>>
>>>> On 09/08/2014 04:57 PM, Rowland Penny wrote:
>>>>> On 08/09/14 16:33, Bruno Andrade wrote:
>>>>>> hey,
>>>>>>
>>>>>> first, I use bind 9.8.1 as my DNS backend
>>>>>>
>>>>>> Well, I have a domain controller, dc1.example.com, running 
>>>>>> correctly and with the following configurations...
>>>>>>
>>>>>> == smb.conf ==
>>>>>>
>>>>>> [global]
>>>>>>         workgroup = EXAMPLE
>>>>>>         realm = EXAMPLE.COM
>>>>>>         netbios name = DC1
>>>>>>         server role = active directory domain controller
>>>>>>         idmap_ldb:use rfc2307 = yes
>>>>>>
>>>>>>         server services = -dns
>>>>>>
>>>>>>         dsdb:schema update allowed = true
>>>>>>
>>>>>>         dos charset = ISO8859-1
>>>>>>         unix charset = cp850
>>>>>>
>>>>>>         interfaces = vlan2
>>>>>>         bind interfaces only = Yes
>>>>>>
>>>>>>         allow dns updates = nonsecure
>>>>>>         #nsupdate command = nsupdate
>>>>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>>>
>>>>>> == named.conf ==
>>>>>>
>>>>>> options {
>>>>>>         listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>>>         listen-on-v6 port 53 { ::1; };
>>>>>>         directory       "/var/named";
>>>>>>         dump-file       "/var/named/data/cache_dump.db";
>>>>>>         statistics-file "/var/named/data/named_stats.txt";
>>>>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>>         allow-query     { any; };
>>>>>>         recursion yes;
>>>>>>
>>>>>>         # just example
>>>>>>         forwarders { 8.8.8.8; };
>>>>>>
>>>>>>         dnssec-enable no;
>>>>>>         dnssec-validation no;
>>>>>>         dnssec-lookaside auto;
>>>>>>
>>>>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>>>>         managed-keys-directory "/var/named/dynamic";
>>>>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>>> };
>>>>>>
>>>>>> zone "." IN {
>>>>>>         type hint;
>>>>>>         file "named.ca";
>>>>>> };
>>>>>>
>>>>>> include "/etc/named.rfc1912.zones";
>>>>>> include "/etc/named.root.key";
>>>>>> include "/var/lib/samba/private/named.conf";
>>>>>>
>>>>>> And I have a second DC with the following configurations:
>>>>>>
>>>>>> == smb.conf ==
>>>>>>
>>>>>> [global]
>>>>>>         workgroup = EXAMPLE
>>>>>>         realm = EXAMPLE.COM
>>>>>>         netbios name = DC2
>>>>>>         server role = active directory domain controller
>>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>
>>>>>>         interfaces = eth1
>>>>>>         bind interfaces only = Yes
>>>>>>
>>>>>>         dsdb:schema update allowed = true
>>>>>>
>>>>>>         dos charset = ISO8859-1
>>>>>>         unix charset = cp850
>>>>>>
>>>>>>         allow dns updates = nonsecure
>>>>>>         #nsupdate command = nsupdate
>>>>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>>>
>>>>>> == named.conf ==
>>>>>>
>>>>>> options {
>>>>>>         listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>>>         listen-on-v6 port 53 { ::1; };
>>>>>>         directory       "/var/named";
>>>>>>         dump-file       "/var/named/data/cache_dump.db";
>>>>>>         statistics-file "/var/named/data/named_stats.txt";
>>>>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>>         allow-query     { any; };
>>>>>>         recursion yes;
>>>>>>
>>>>>>         forwarders { 10.1.11.2; };
>>>>>>
>>>>>>         dnssec-enable no;
>>>>>>         dnssec-validation no;
>>>>>>         dnssec-lookaside auto;
>>>>>>
>>>>>>         /* Path to ISC DLV key */
>>>>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>>> };
>>>>>>
>>>>>> zone "." IN {
>>>>>>         type hint;
>>>>>>         file "named.ca";
>>>>>> };
>>>>>>
>>>>>> include "/etc/named.rfc1912.zones";
>>>>>> include "/etc/named.root.key";
>>>>>> include "/var/lib/samba/private/named.conf";
>>>>>>
>>>>>> DC1 works fine until I start samba on DC2... then named on DC1 
>>>>>> freezes and some messages about failed DNS updates appear in the 
>>>>>> logs.
>>>>>>
>>>>>> Both DCs have samba 4.1.6 installed and bind 9.8.2.
>>>>>>
>>>>>> Has anyone else had problems related to this?
>>>>>>
>>>>>> best regards,
>>>>>> Bruno.
>>>>>>
>>>>>>
>>>>>>
>>>>> Hi, can you let us know what OS you are using? I did spot one 
>>>>> potential problem, though this shouldn't give the problems you are 
>>>>> having:
>>>>>
>>>>
>>>>     I have CentOS 6.5 on both DCs.
>>>>
>>>>> On dc1:
>>>>>
>>>>> listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>>
>>>>> forwarders { 8.8.8.8; };
>>>>>
>>>>> on dc2:
>>>>>
>>>>> listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>>
>>>>> forwarders { 10.1.11.2; };
>>>>
>>>> I made a mistake... DC2 also forwards to 8.8.8.8.
>>>>
>>>>> I think that this means your DCs have the addresses 
>>>>> '10.1.11.2' & '10.1.1.150' and that you are forwarding anything 
>>>>> that dc2 knows nothing about to dc1. dc2 should know what dc1 
>>>>> knows, so you need to change this; they should both forward to 
>>>>> outside the samba AD domain.
>>>>>
>>>>> How did you join the second DC to the first, and did you get any 
>>>>> errors when you did so? Did you follow this page on the wiki:
>>>>>
>>>>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
>>>>>
>>>>
>>>> Yes, I followed the process on that page, without errors.
>>>>
>>>>> Rowland
>>>>>
>>>>
>>> I think I have spotted your problem:
>>>
>>> In dc1 smb.conf
>>>
>>> server services = -dns
>>>
>>> I think that you have turned everything off, try changing it to the 
>>> line from the other DC:
>>>
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
>>> winbind, ntp_signd, kcc, dnsupdate
>>>
>>> Oh, and whilst you are changing the smb.conf files, add:
>>>
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> to the second DC, why the join doesn't add this line I do not know.
>>>
>>> Rowland
>> I tried those changes but the problem persists :(
>>
>> Bruno.
> From what you posted, it would seem that you provisioned the first DC 
> to use the internal dns, and later changed to bind9, is this correct ?

The first DC was a classicupgrade from samba 3 to samba 4.1. And yes, at 
first samba was using the internal DNS, then I upgraded to bind9.

> What type of bind9 are you using, flatfile or dlz ? also I hope that 
> you are doing this in a test environment.

DLZ. I used BIND9_DLZ during the upgrade to bind9.

Unfortunately no, the first DC is already in production (a request from 
superior 'forces'), but I have a synced machine in a development environment.

Regards,
Bruno.

> Rowland
>

-- 
Bruno Andrade <bma at eurotux.com>
Programador (I&D)
Eurotux Informática, S.A. | www.eurotux.com
(t) +351 253 680 300


