DNS and GENSEC issues when running the samba binary
tridge at samba.org
Sun Nov 8 17:24:38 MST 2009
Hi Eduardo and Erick,
This almost certainly means your bind9 configuration is incorrect. To
diagnose/fix these types of problems you should do this:
1) first check that you can resolve the name using the 'host' command
on Linux, pointing it directly at the windows box. For example:
host -t SRV _ldap._tcp.DOMAIN 143.106.167.147
where DOMAIN is the DNS domain name you are looking for. In the
example Erick gave this would be:
winserverad.ltc.inovasoft.unicamp.br
You should get back something like this:
_ldap._tcp.DOMAIN has SRV record 0 100 389 xxx.DOMAIN
where 'xxx' is the hostname of the DC.
If that doesn't work, then either you have the wrong name, or your
windows DC is not configured correctly. Is 'winserverad' really the
name of the Windows domain?
2) when that works, then try it on the name that is failing in the
logs (the GUID name in _msdcs). It is probably a CNAME so change the
query from a SRV record to a CNAME
3) once that works, you need to make sure your local bind9 config is
right. For example, in /etc/named.conf.local you may have an entry
like this:
zone "winserverad.ltc.inovasoft.unicamp.br" IN {
type forward;
forwarders {
143.106.167.147;
};
};
Alternatively, you may be using an include file. Now restart bind
(with /etc/init.d/bind9 restart) and look in its syslog file (try
/var/log/daemon.log). Does it report any errors? A very common cause
of errors is apparmor restrictions. Try running aa-logprof and see
if bind9 is asking for permissions on any files that apparmor is
denying.
4) when you think you have the bind9 config right, try the 'host'
command again but pointing at localhost:
host -t SRV _ldap._tcp.DOMAIN 127.0.0.1
If it doesn't work then look carefully again at your bind9
config. Check for errors in the bind9 log file.
Cheers, Tridge
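The four steps above, as an added example script that is not part of the original message or of Samba: it runs the same 'host' queries first against the DC and then against the local bind9, classifies the answers, and prints the forward-zone stanza. The domain name, the DC address 192.0.2.10 and the sample 'host' output lines used in the comments are constructed for the example; the GUID CNAME from the logs is passed in as an optional third argument because the script cannot know it.

```shell
#!/bin/sh
# ad_dns_check.sh DOMAIN DC_IP [GUID_NAME_FROM_LOGS]
# Example (constructed): ad_dns_check.sh example.com 192.0.2.10

# Classify the output of 'host -t ...' read from stdin:
# unreachable, nxdomain, ok, or empty (answer carried no usable record).
classify_host_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*) echo unreachable ;;
        *NXDOMAIN*|*"not found"*) echo nxdomain ;;
        *"has SRV record"*|*"is an alias for"*|*"has address"*) echo ok ;;
        *) echo empty ;;
    esac
}

# From 'host -t SRV' output, print the SRV targets ordered by priority
# (lowest first). A line looks like (constructed):
#   _ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
srv_targets() {
    awk '/has SRV record/ { print $5, $8 }' | sort -n | awk '{ print $2 }'
}

# Print a named.conf forward-zone stanza for DOMAIN and the given forwarders.
forward_zone() {
    domain=$1; shift
    printf 'zone "%s" IN {\n    type forward;\n    forwarders {\n' "$domain"
    for ip in "$@"; do printf '        %s;\n' "$ip"; done
    printf '    };\n};\n'
}

check_ad_dns() {
    domain=$1; dc=$2; guid=${3:-}
    srv="_ldap._tcp.$domain"

    echo "1) SRV lookup for $srv directly against $dc"
    direct=$(host -t SRV "$srv" "$dc" 2>&1)
    status=$(printf '%s\n' "$direct" | classify_host_output)
    echo "   result: $status"
    if [ "$status" != ok ]; then
        echo "   wrong domain name, or the DC is not serving AD DNS"
        return 1
    fi
    printf '%s\n' "$direct" | srv_targets | sed 's/^/   DC: /'

    if [ -n "$guid" ]; then
        echo "2) CNAME lookup for $guid (from the logs) against $dc"
        cn=$(host -t CNAME "$guid" "$dc" 2>&1)
        echo "   result: $(printf '%s\n' "$cn" | classify_host_output)"
    fi

    echo "3) forward zone to put in the local bind9 config:"
    forward_zone "$domain" "$dc" | sed 's/^/   /'

    echo "4) same SRV lookup via the local bind9 (127.0.0.1)"
    local_out=$(host -t SRV "$srv" 127.0.0.1 2>&1)
    lstatus=$(printf '%s\n' "$local_out" | classify_host_output)
    echo "   result: $lstatus"
    if [ "$lstatus" != ok ]; then
        echo "   check the bind9 log and apparmor (aa-logprof)"
        return 1
    fi
    # The local resolver must hand back the same DCs as the DC itself did;
    # a different answer means the zone is being forwarded somewhere else.
    a=$(printf '%s\n' "$direct" | srv_targets)
    b=$(printf '%s\n' "$local_out" | srv_targets)
    if [ "$a" = "$b" ]; then
        echo "   local bind9 agrees with the DC"
    else
        echo "   answers differ: the forward zone is not reaching $dc"
        return 1
    fi
}

# Only run the checks when invoked with arguments (DOMAIN DC_IP [GUID]).
if [ $# -ge 2 ]; then check_ad_dns "$@"; fi
```

Run it as ad_dns_check.sh DOMAIN DC_IP and stop at the first step that does not report ok; step 2 is only attempted when the GUID name copied from the samba log is given as the third argument.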