DNS and GENSEC issues when running the samba binary

Eduardo Lima eduardoll at gmail.com
Wed Nov 11 14:22:54 MST 2009


Hi Tridge,

Is it possible that this problem is a bug in Samba's code?

Everything was configured as expected. Provision and Vampire were working
well, but the replication was failing. Then I did a "git pull" and the
"GENSEC" message is not appearing anymore but the replication is only
working from Windows to Samba. From Samba to Windows it is still not
replicating.

Thanks.

--
Eduardo Lima
Sent from Campinas, SP, Brazil

2009/11/8 <tridge at samba.org>

> Hi Eduardo and Erick,
>
> This almost certainly means your bind9 configuration is incorrect. To
> diagnose/fix these types of problems you should do this:
>
>  1) first check that you can resolve the name using the 'host' command
>  on Linux, pointing it directly at the windows box. For example:
>
>    host -t SRV _ldap._tcp.DOMAIN 143.106.167.147
>
> where DOMAIN is the DNS domain name you are looking for. In the
> example Erick gave this would be:
>
>    winserverad.ltc.inovasoft.unicamp.br
>
> You should get back something like this:
>
>    _ldap._tcp.DOMAIN has SRV record 0 100 389 xxx.DOMAIN
>
> where 'xxx' is the hostname of the DC.
>
> If that doesn't work, then either you have the wrong name, or your
> windows DC is not configured correctly. Is 'winserverad' really the
> name of the Windows domain?
>
>  2) when that works, then try it on the name that is failing in the
>  logs (the GUID name in _msdcs). It is probably a CNAME so change the
>  query from a SRV record to a CNAME
>
>  3) once that works, you need to make sure your local bind9 config is
>  right. For example, in /etc/named.conf.local you may have an entry
>  like this:
>
>    zone "winserverad.ltc.inovasoft.unicamp.br" IN {
>        type forward;
>        forwarders {
>                   143.106.167.147;
>        };
>    };
>
>  Alternatively, you may be using an include file. Now restart bind
>  (with /etc/init.d/bind9 restart) and look in its syslog file (try
>  /var/log/daemon.log). Does it report any errors? A very common cause
>  of errors is apparmor restrictions. Try running aa-logprof and see
>  if bind9 is asking for permissions on any files that apparmor is
>  denying.
>
>  4) when you think you have the bind9 config right, try the 'host'
>  command again but pointing at localhost:
>
>    host -t SRV _ldap._tcp.DOMAIN 127.0.0.1
>
>  If it doesn't work then look carefully again at your bind9
>  config. Check for errors in the bind9 log file.
>
>
> Cheers, Tridge
>
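The check Tridge walks through above (query the DC directly, then query 127.0.0.1 and see whether bind9 returns the same SRV and _msdcs CNAME answers) can be automated; this is an added example, not code from the thread or from Samba. It assumes the answer-line format of the BIND `host` utility as quoted in the mail, and example.lan, dc1 and the GUID below are placeholder values constructed for the offline demo.

```python
"""Compare DNS answers from the Windows DC with answers from local bind9."""
import re
import subprocess

# Answer-line shapes printed by the BIND `host` utility used in the thread;
# the "Using domain server:" header lines it prints first are simply ignored.
SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")
CNAME_RE = re.compile(r"^(\S+) is an alias for (\S+)$")
NXDOMAIN_RE = re.compile(r"^Host (\S+) not found: 3\(NXDOMAIN\)$")

def run_host(name, rtype, server):
    """Run `host -t <rtype> <name> <server>` and return its stdout (live use)."""
    return subprocess.run(["host", "-t", rtype, name, server],
                          capture_output=True, text=True).stdout

def parse_host_output(text):
    """Map each queried owner name to ('SRV', (prio, weight, port, target)),
    ('CNAME', target) or ('NXDOMAIN', None)."""
    records = {}
    for line in text.splitlines():
        line = line.strip().rstrip(".")  # drop the trailing root dot
        if m := SRV_RE.match(line):
            prio, weight, port = (int(x) for x in m.group(2, 3, 4))
            records[m.group(1)] = ("SRV", (prio, weight, port, m.group(5)))
        elif m := CNAME_RE.match(line):
            records[m.group(1)] = ("CNAME", m.group(2))
        elif m := NXDOMAIN_RE.match(line):
            records[m.group(1)] = ("NXDOMAIN", None)
    return records

def compare_resolvers(dc_text, local_text):
    """Return (name, dc_answer, local_answer) for every name where bind9
    disagrees with the DC: an empty list means the forward zone works."""
    dc, local = parse_host_output(dc_text), parse_host_output(local_text)
    return [(n, a, local.get(n)) for n, a in dc.items() if local.get(n) != a]

# Constructed sample output; example.lan and the GUID are placeholders.
GUID_NAME = "11111111-2222-3333-4444-555555555555._msdcs.example.lan"
DC_ANSWER = f"""\
_ldap._tcp.example.lan has SRV record 0 100 389 dc1.example.lan.
{GUID_NAME} is an alias for dc1.example.lan.
"""
# Typical broken bind9: the SRV answer is fine, but the _msdcs CNAME that
# replication looks up comes back NXDOMAIN from 127.0.0.1.
LOCAL_ANSWER = f"""\
_ldap._tcp.example.lan has SRV record 0 100 389 dc1.example.lan.
Host {GUID_NAME} not found: 3(NXDOMAIN)
"""
```

For a live check, feed `run_host(name, "SRV", "<dc-ip>")` and `run_host(name, "SRV", "127.0.0.1")` (and the same for the GUID name with "CNAME") into `compare_resolvers`; any tuple it returns is a name your bind9 forward zone is not answering like the DC does.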

