[Samba] Problems setting up samba bind9_dlz on Ubuntu 18.04

Rowland Penny rpenny at samba.org
Sun Nov 24 13:29:45 UTC 2019


On 24/11/2019 12:36, David Masshardt via samba wrote:
> Hi,
>
> I hope someone can help me with the following problem. I followed the following guides to set up samba as an additional active directory server to my windows server with bind9 dns:
>
> https://www.tecmint.com/join-additional-ubuntu-dc-to-samba4-ad-dc-failover-replication/

You shouldn't need to add the first DC's data to /etc/resolv.conf; if you 
do need to, then your DNS is broken. What you should ensure is there is 
the data for the DC you are joining.

Sorry, but ntpdate is insufficient for time synchronisation between DCs, 
see here for more info:

https://wiki.samba.org/index.php/Time_Synchronisation

I would also install libpam-krb5

After the join, you need to copy the krb5.conf file created by the join 
to /etc/krb5.conf, do not symlink it.

At this point, you also need to edit /etc/resolv.conf so that the DC now 
points to itself as the nameserver, instead of the first DC. You can add 
the first DC as a secondary nameserver, if you wish, but if the DC goes 
down, there isn't much point.

> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting
>
> The active directory replication works, but the dns replication does not. When I'm running "samba_dnsupdate --all-names" I get the following output:
>
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> update failed: REFUSED
> ; TSIG error with server: tsig verify failure
> update failed: REFUSED
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> ; TSIG error with server: tsig verify failure
> Failed update of 19 entries
This is probably because you are trying to change the second DC's info on 
the first DC with the wrong ticket.
>
> Here is a list of versions:
>
> Ubuntu: 18.04
> Samba: 4.7.6-Ubuntu
4.7.6 is EOL from Samba's point of view; you can get later versions 
here: http://apt.van-belle.nl/
> bind9: 9.11.3-1ubuntu1.11-Ubuntu
>
> And this is my smb.conf:
>
> [global]
> netbios name = DC01
> realm = DOMAIN.COM
> server role = active directory domain controller
> workgroup = DOMAIN.COM
The workgroup CANNOT be the same as the realm
> dns forwarder = 172.17.1.1
> idmap_ldb:use rfc2307 = yes
>
> template shell = /bin/bash
> winbind use default domain = true
The line above does nothing on a DC
> winbind offline logon = false
The line above is a default setting and hence isn't required
> winbind nss info = rfc2307
The line above should only be used on a Unix domain member
> winbind enum users = yes
> winbind enum groups = yes
The lines above are not required, they only make 'getent passwd' & 
'getent group' work without specifying a user or group name, but they 
also slow things down.
> server services = -dns
>
> [netlogon]
> path = /var/lib/samba/sysvol/domain.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> I'm not really sure if samba is even using bind9. I've enabled the logging of bind9, but I cannot see any logs when running the dns update.
No, you see any logs
>
> Did I miss a step to activate the bind9 module?

Probably not, but it might help if you post the named.conf files in 
/etc/bind

Rowland
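
The smb.conf remarks in the reply above, collected into a small checker. This is an added example, not part of the original message or of Samba; the function names parse_global and check_dc_conf are hypothetical, and the sample is constructed from the [global] section quoted in the thread.

```python
# Constructed sample: taken from the [global] section quoted in the thread.
SAMPLE = """\
[global]
netbios name = DC01
realm = DOMAIN.COM
server role = active directory domain controller
workgroup = DOMAIN.COM
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
"""

# Remarks from the reply, keyed by normalised parameter name.
DC_NOTES = {
    "winbind use default domain": "does nothing on a DC",
    "winbind nss info": "should only be used on a Unix domain member",
    "winbind enum users": "not required, slows things down",
    "winbind enum groups": "not required, slows things down",
}

def parse_global(text):
    """Return the [global] parameters as {lower-cased name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are matched case- and spacing-insensitively.
            params[" ".join(name.lower().split())] = value.strip()
    return params

def check_dc_conf(text):
    """Return (parameter, finding) pairs for the points raised in the reply."""
    p = parse_global(text)
    if "active directory domain controller" not in p.get("server role", "").lower():
        return []  # the remarks apply to a DC only
    findings = []
    workgroup, realm = p.get("workgroup", "").lower(), p.get("realm", "").lower()
    if workgroup and workgroup == realm:
        findings.append(("workgroup", "cannot be the same as the realm"))
    if p.get("winbind offline logon", "").lower() in ("false", "no", "0"):
        findings.append(("winbind offline logon", "default setting, not required"))
    return findings + [(k, v) for k, v in DC_NOTES.items() if k in p]
```

Calling check_dc_conf(open("/etc/samba/smb.conf").read()) on the DC returns an empty list once the flagged lines are corrected or removed.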




