DNS and GENSEC issues when running the samba binary

tridge at samba.org tridge at samba.org
Sun Nov 8 17:24:38 MST 2009

Hi Eduardo and Erick,

This almost certainly means your bind9 configuration is incorrect. To
diagnose/fix these types of problems you should do this:

 1) first check that you can resolve the name using the 'host' command
 on Linux, pointing it directly at the windows box. For example:

    host -t SRV _ldap._tcp.DOMAIN

where DOMAIN is the DNS domain name you are looking for. In the
example Erick gave this would be:


You should get back something like this:

    _ldap._tcp.DOMAIN has SRV record 0 100 389 xxx.DOMAIN

where 'xxx' is the hostname of the DC.

If that doesn't work, then either you have the wrong name, or your
windows DC is not configured correctly. Is 'winserverad' really the
name of the Windows domain? 

 2) when that works, then try it on the name that is failing in the
 logs (the GUID name in _msdcs). It is probably a CNAME so change the
 query from a SRV record to a CNAME

 3) once that works, you need to make sure your local bind9 config is
 right. For example, in /etc/named.conf.local you may have an entry
 like this:

    zone "winserverad.ltc.inovasoft.unicamp.br" IN {
        type forward;
        forwarders {

  Alternatively, you may be using an include file. Now restart bind
  (with /etc/init.d/bind9 restart) and look in its syslog file (try
  /var/log/daemon.log). Does it report any errors? A very common cause
  of errors is apparmor restrictions. Try running aa-logprof and see
  if bind9 is asking for permissions on any files that apparmor is

  4) when you think you have the bind9 config right, try the 'host'
  command again but pointing at localhost:

    host -t SRV _ldap._tcp.DOMAIN

  If it doesn't work then look carefully again at your bind9
  config. Check for errors in the bind9 log file.

Cheers, Tridge
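The comparison in steps 1 and 4 above (the SRV answer obtained straight from the DC versus the one obtained via the local bind9) as a small added example; this is not code from Tridge's mail or from Samba. It parses the `host` output format quoted in the post, and the domain name and sample outputs are constructed placeholders.

```python
import re

# Matches the `host` output format quoted in the post, with or without the
# trailing dot that `host` normally prints on the target name:
#   _ldap._tcp.DOMAIN has SRV record 0 100 389 xxx.DOMAIN
SRV_RE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+?)\.?$")
# The GUID name in _msdcs is usually a CNAME (step 2); `host` reports it as an alias.
CNAME_RE = re.compile(r"^(?P<name>\S+) is an alias for (?P<target>\S+?)\.?$")


def parse_host_output(text):
    """Return (srv_records, cname_targets, error_lines) from `host` output."""
    srv, cnames, errors = set(), set(), []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SRV_RE.match(line)
        if m:
            srv.add((int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].lower()))
            continue
        m = CNAME_RE.match(line)
        if m:
            cnames.add(m["target"].lower())
            continue
        errors.append(line)  # NXDOMAIN, SERVFAIL, timeouts, "not found" lines
    return srv, cnames, errors


def diagnose(direct_output, local_output):
    """direct_output: `host` pointed at the DC; local_output: `host` pointed at localhost."""
    d_srv, d_cname, _ = parse_host_output(direct_output)
    l_srv, l_cname, _ = parse_host_output(local_output)
    if not (d_srv or d_cname):
        return "dc-lookup-failed"    # step 1 fails: wrong name, or the DC's DNS is misconfigured
    if not (l_srv or l_cname):
        return "local-bind9-failed"  # DC answers but bind9 does not: forward zone or apparmor
    if (d_srv, d_cname) != (l_srv, l_cname):
        return "answers-differ"      # bind9 answers, but not with the DC's data (stale or wrong zone)
    return "ok"


# Constructed sample outputs for a placeholder domain (not taken from the post).
DIRECT_OK = "_ldap._tcp.example.test has SRV record 0 100 389 dc1.example.test.\n"
LOCAL_OK = "_ldap._tcp.example.test has SRV record 0 100 389 DC1.example.test.\n"
LOCAL_FAIL = "Host _ldap._tcp.example.test not found: 2(SERVFAIL)\n"

if __name__ == "__main__":
    print(diagnose(DIRECT_OK, LOCAL_OK))    # ok
    print(diagnose(DIRECT_OK, LOCAL_FAIL))  # local-bind9-failed
```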

