[Samba] Starting second DC makes named to freeze on primary DC

Bruno Andrade bma at eurotux.com
Mon Sep 15 02:40:47 MDT 2014


Good morning,

After all, the problem was not in named but in samba. Not really a
problem; basically, it needs some time to stabilize the processes. I ran
it over the weekend and now everything seems to run smoothly.

Best Regards,
Bruno.

On 09/09/2014 10:47 AM, Rowland Penny wrote:
> On 09/09/14 10:16, Bruno Andrade wrote:
>>
>> On 09/08/2014 06:33 PM, Rowland Penny wrote:
>>> On 08/09/14 18:09, Bruno Andrade wrote:
>>>>
>>>> On 09/08/2014 05:31 PM, Rowland Penny wrote:
>>>>> On 08/09/14 17:01, Bruno Andrade wrote:
>>>>>>
>>>>>>
>>>>>> On 09/08/2014 04:57 PM, Rowland Penny wrote:
>>>>>>> On 08/09/14 16:33, Bruno Andrade wrote:
>>>>>>>> hey,
>>>>>>>>
>>>>>>>> First, I use bind 9.8.1 as my DNS backend.
>>>>>>>>
>>>>>>>> Well, I have a domain controller, dc1.example.com, running
>>>>>>>> correctly and with the following configurations...
>>>>>>>>
>>>>>>>> == smb.conf ==
>>>>>>>>
>>>>>>>> [global]
>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>         netbios name = DC1
>>>>>>>>         server role = active directory domain controller
>>>>>>>>         idmap_ldb:use rfc2307 = yes
>>>>>>>>
>>>>>>>>         server services = -dns
>>>>>>>>
>>>>>>>>         dsdb:schema update allowed = true
>>>>>>>>
>>>>>>>>         dos charset = ISO8859-1
>>>>>>>>         unix charset = cp850
>>>>>>>>
>>>>>>>>         interfaces = vlan2
>>>>>>>>         bind interfaces only = Yes
>>>>>>>>
>>>>>>>>         allow dns updates = nonsecure
>>>>>>>>         #nsupdate command = nsupdate
>>>>>>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>>>>>
>>>>>>>> == named.conf ==
>>>>>>>>
>>>>>>>> options {
>>>>>>>>         listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>>>>>         listen-on-v6 port 53 { ::1; };
>>>>>>>>         directory       "/var/named";
>>>>>>>>         dump-file "/var/named/data/cache_dump.db";
>>>>>>>>         statistics-file "/var/named/data/named_stats.txt";
>>>>>>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>>>>         allow-query     { any; };
>>>>>>>>         recursion yes;
>>>>>>>>
>>>>>>>>         # just example
>>>>>>>>         forwarders { 8.8.8.8; };
>>>>>>>>
>>>>>>>>         dnssec-enable no;
>>>>>>>>         dnssec-validation no;
>>>>>>>>         dnssec-lookaside auto;
>>>>>>>>
>>>>>>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>>>>>>         managed-keys-directory "/var/named/dynamic";
>>>>>>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>>>>> };
>>>>>>>>
>>>>>>>> zone "." IN {
>>>>>>>>         type hint;
>>>>>>>>         file "named.ca";
>>>>>>>> };
>>>>>>>>
>>>>>>>> include "/etc/named.rfc1912.zones";
>>>>>>>> include "/etc/named.root.key";
>>>>>>>> include "/var/lib/samba/private/named.conf";
>>>>>>>>
>>>>>>>> And I have a second DC with the following configuration:
>>>>>>>>
>>>>>>>> == smb.conf ==
>>>>>>>>
>>>>>>>> [global]
>>>>>>>>         workgroup = EXAMPLE
>>>>>>>>         realm = EXAMPLE.COM
>>>>>>>>         netbios name = DC2
>>>>>>>>         server role = active directory domain controller
>>>>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>>>>>>>> kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>>>
>>>>>>>>         interfaces = eth1
>>>>>>>>         bind interfaces only = Yes
>>>>>>>>
>>>>>>>>         dsdb:schema update allowed = true
>>>>>>>>
>>>>>>>>         dos charset = ISO8859-1
>>>>>>>>         unix charset = cp850
>>>>>>>>
>>>>>>>>         allow dns updates = nonsecure
>>>>>>>>         #nsupdate command = nsupdate
>>>>>>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>>>>>
>>>>>>>> == named.conf ==
>>>>>>>>
>>>>>>>> options {
>>>>>>>>         listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>>>>>         listen-on-v6 port 53 { ::1; };
>>>>>>>>         directory       "/var/named";
>>>>>>>>         dump-file "/var/named/data/cache_dump.db";
>>>>>>>>         statistics-file "/var/named/data/named_stats.txt";
>>>>>>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>>>>         allow-query     { any; };
>>>>>>>>         recursion yes;
>>>>>>>>
>>>>>>>>         forwarders { 10.1.11.2; };
>>>>>>>>
>>>>>>>>         dnssec-enable no;
>>>>>>>>         dnssec-validation no;
>>>>>>>>         dnssec-lookaside auto;
>>>>>>>>
>>>>>>>>         /* Path to ISC DLV key */
>>>>>>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>>>>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>>>>> };
>>>>>>>>
>>>>>>>> zone "." IN {
>>>>>>>>         type hint;
>>>>>>>>         file "named.ca";
>>>>>>>> };
>>>>>>>>
>>>>>>>> include "/etc/named.rfc1912.zones";
>>>>>>>> include "/etc/named.root.key";
>>>>>>>> include "/var/lib/samba/private/named.conf";
>>>>>>>>
>>>>>>>> DC1 works fine until I start samba on DC2... then named on DC1
>>>>>>>> freezes and some logs related to DNS failed updates appear on
>>>>>>>> the logs.
>>>>>>>>
>>>>>>>> Both DCs have samba 4.1.6 installed and bind 9.8.2.
>>>>>>>>
>>>>>>>> Is there anyone with problems related to this?
>>>>>>>>
>>>>>>>> best regards,
>>>>>>>> Bruno.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Hi, can you let us know what OS you are using? I did spot one
>>>>>>> potential problem, though this shouldn't give the problems you
>>>>>>> are having:
>>>>>>>
>>>>>>
>>>>>>     I have CentOS 6.5 on both DCs.
>>>>>>
>>>>>>> On dc1:
>>>>>>>
>>>>>>> listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>>>>
>>>>>>> forwarders { 8.8.8.8; };
>>>>>>>
>>>>>>> on dc2:
>>>>>>>
>>>>>>> listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>>>>
>>>>>>> forwarders { 10.1.11.2; };
>>>>>>
>>>>>> I made a mistake... DC2 also forwards to 8.8.8.8.
>>>>>>
>>>>>>> I think that this means your DCs have the addresses
>>>>>>> '10.1.11.2' & '10.1.1.150' and that you are forwarding anything
>>>>>>> that dc2 knows nothing about to dc1. dc2 should know what dc1
>>>>>>> knows, so you need to change this; they should both forward to
>>>>>>> outside the samba AD domain.
>>>>>>>
>>>>>>> How did you join the second DC to the first, and did you get any
>>>>>>> errors when you did so? Did you follow this page on the wiki:
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
>>>>>>>
>>>>>>
>>>>>> Yes, I followed the process on that page, without errors.
>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>> I think I have spotted your problem:
>>>>>
>>>>> In dc1 smb.conf
>>>>>
>>>>> server services = -dns
>>>>>
>>>>> I think that you have turned everything off, try changing it to
>>>>> the line from the other DC:
>>>>>
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>>> winbind, ntp_signd, kcc, dnsupdate
>>>>>
>>>>> Oh and whilst you are changing smb.conf's add:
>>>>>
>>>>> idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> to the second DC, why the join doesn't add this line I do not know.
>>>>>
>>>>> Rowland
>>>> I tried those changes but the problem persists :(
>>>>
>>>> Bruno.
>>> From what you posted, it would seem that you provisioned the first
>>> DC to use the internal dns, and later changed to bind9, is this
>>> correct?
>>
>> The first DC was a classicupgrade from samba 3 to samba 4.1. And yes,
>> at first samba was using internal dns, then I upgraded to bind9.
>
> OK, nothing wrong there as far as I can see
>
>>
>>> What type of bind9 are you using, flatfile or dlz? Also I hope that
>>> you are doing this in a test environment.
>>
>> DLZ. I used BIND9_DLZ during the upgrade to bind9.
>
> OK
>
>>
>> Unfortunately no, the first DC is already in production (Superior
>> 'forces' request), but I have a synced machine in a development
>> environment.
>>
>
> This could be where you are able to say 'I told you so', you really
> don't want to put anything into production until you are 100% sure it
> is working.
>
> I presume that the samba logs are in '/var/log/samba', so what is in
> /var/log/samba/log.samba? Anything to show why named is freezing,
> anything in bind's log, and what is showing in the syslog (which is
> called 'messages' on centos, if I remember correctly)?
>
> Rowland
>
>> Regards,
>> Bruno.
>>
>>> Rowland
>>>
>>
>
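The checks Rowland walks through above (a DC whose named forwards into another DC, the `server services` line, and whether Samba's internal DNS and BIND9_DLZ could both be claiming port 53) can be made mechanical. The script below is an added example, not code from this thread or from the Samba project. It lints a constructed copy of the two configurations posted above, reduced to the lines the checks look at; the DC addresses 10.1.11.2 and 10.1.1.150 are the ones in the posted `listen-on` lines. Two facts it relies on come from smb.conf(5): the default `server services` list for an AD DC includes `dns`, and entries prefixed with `+` or `-` edit that default list rather than replace it, so `server services = -dns` leaves every other service running. `allow dns updates` governs only Samba's internal DNS server, so on a BIND9_DLZ DC the `nonsecure` value is reported as a latent weakness (unsigned dynamic updates would be accepted if the internal DNS were ever re-enabled), not as an active one.

```python
"""Lint Samba AD DC + BIND9_DLZ configurations for the DNS pitfalls
discussed in the thread: a DC that forwards queries to another DC,
Samba's internal DNS and BIND both enabled, and a permissive
'allow dns updates' setting. Added example, not code from the thread."""
import re

# Constructed sample input, abridged from the smb.conf / named.conf blocks
# posted in the thread; only the lines the checks look at are kept.
DC1_SMB = """
[global]
        netbios name = DC1
        server role = active directory domain controller
        server services = -dns
        allow dns updates = nonsecure
        #nsupdate command = nsupdate
"""
DC1_NAMED = """
options {
        listen-on port 53 { 127.0.0.1; 10.1.11.2; };
        forwarders { 8.8.8.8; };
        dnssec-validation no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/var/lib/samba/private/named.conf";
"""
DC2_SMB = """
[global]
        netbios name = DC2
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        allow dns updates = nonsecure
"""
DC2_NAMED = """
options {
        listen-on port 53 { 127.0.0.1; 10.1.1.150; };
        forwarders { 10.1.11.2; };
        dnssec-validation no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/var/lib/samba/private/named.conf";
"""
# Addresses of every DC in the domain (taken from the listen-on lines above).
DC_ADDRESSES = {"10.1.11.2", "10.1.1.150"}

# Samba's default 'server services' list for an AD DC, per smb.conf(5).
SAMBA_DEFAULT_SERVICES = {"s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                          "drepl", "winbind", "ntp_signd", "kcc", "dnsupdate", "dns"}


def parse_smb_global(text):
    """Return the [global] parameters as a dict, comments and headers dropped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def internal_dns_enabled(server_services):
    """True if the effective service list still contains Samba's internal DNS.
    '+svc' / '-svc' entries edit the default list; a plain list replaces it."""
    if server_services is None:
        return True  # parameter unset: the default list includes dns
    tokens = server_services.replace(",", " ").split()
    if tokens and all(t[0] in "+-" for t in tokens):
        enabled = set(SAMBA_DEFAULT_SERVICES)
        for t in tokens:
            (enabled.add if t[0] == "+" else enabled.discard)(t[1:])
        return "dns" in enabled
    return "dns" in tokens


def named_ipv4s(text, statement):
    """IPv4 addresses inside a 'statement { a; b; };' clause of named.conf."""
    pattern = r"(?<![\w-])%s(?![\w-])[^{]*\{([^}]*)\}" % re.escape(statement)
    m = re.search(pattern, text)
    return re.findall(r"\d+\.\d+\.\d+\.\d+", m.group(1)) if m else []


def lint_dc(name, smb_text, named_text, dc_addresses):
    """Return a list of (severity, message) findings for one DC."""
    smb = parse_smb_global(smb_text)
    findings = []
    for fwd in named_ipv4s(named_text, "forwarders"):
        if fwd in dc_addresses:
            findings.append(("HIGH", f"{name}: forwarder {fwd} is a domain controller; "
                                     "forward to a resolver outside the AD domain"))
    uses_dlz = re.search(r'include\s+"[^"]*samba[^"]*named\.conf"', named_text) is not None
    if uses_dlz and internal_dns_enabled(smb.get("server services")):
        findings.append(("HIGH", f"{name}: internal DNS and BIND9_DLZ both enabled; "
                                 "both want port 53"))
    if smb.get("allow dns updates", "secure only").lower() == "nonsecure":
        findings.append(("MEDIUM", f"{name}: allow dns updates = nonsecure accepts unsigned "
                                   "updates whenever the internal DNS is active"))
    if re.search(r"dnssec-validation\s+no\b", named_text):
        findings.append(("LOW", f"{name}: dnssec-validation is off for forwarded queries"))
    return findings


def lint_domain(dcs, dc_addresses):
    """dcs: {name: (smb_text, named_text)} -> findings for every DC, in order."""
    out = []
    for name, (smb_text, named_text) in dcs.items():
        out.extend(lint_dc(name, smb_text, named_text, dc_addresses))
    return out


if __name__ == "__main__":
    for sev, msg in lint_domain({"DC1": (DC1_SMB, DC1_NAMED),
                                 "DC2": (DC2_SMB, DC2_NAMED)}, DC_ADDRESSES):
        print(f"[{sev}] {msg}")
```

Run against the constructed sample, DC1 yields only the two latent findings (the `nonsecure` update policy and DNSSEC validation off), while DC2 additionally gets the HIGH finding for forwarding to 10.1.11.2, which is the first point Rowland raised. The forwarder check is the one worth keeping in a real deployment: a DC that forwards to another DC turns a failure of that DC into a resolution stall on both.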

