DNS and GENSEC issues when running the samba binary

Eduardo Lima eduardoll at gmail.com
Wed Nov 11 14:22:54 MST 2009

Hi Tridge,

Is it possible that this problem is a bug in Samba's code?

Everything was configured as expected. Provision and Vampire were working
well, but the replication was failing. Then I did a "git pull" and the
"GENSEC" message is not appearing anymore but the replication is only
working from Windows to Samba. From Samba to Windows it is still not


Eduardo Lima
Sent from Campinas, SP, Brazil

2009/11/8 <tridge at samba.org>

> Hi Eduardo and Erick,
> This almost certainly means your bind9 configuration is incorrect. To
> diagnose/fix these types of problems you should do this:
>  1) first check that you can resolve the name using the 'host' command
>  on Linux, pointing it directly at the windows box. For example:
>    host -t SRV _ldap._tcp.DOMAIN
> where DOMAIN is the DNS domain name you are looking for. In the
> example Erick gave this would be:
>    winserverad.ltc.inovasoft.unicamp.br
> You should get back something like this:
>    _ldap._tcp.DOMAIN has SRV record 0 100 389 xxx.DOMAIN
> where 'xxx' is the hostname of the DC.
> If that doesn't work, then either you have the wrong name, or your
> windows DC is not configured correctly. Is 'winserverad' really the
> name of the Windows domain?
>  2) when that works, then try it on the name that is failing in the
>  logs (the GUID name in _msdcs). It is probably a CNAME so change the
>  query from a SRV record to a CNAME
>  3) once that works, you need to make sure your local bind9 config is
>  right. For example, in /etc/named.conf.local you may have an entry
>  like this:
>    zone "winserverad.ltc.inovasoft.unicamp.br" IN {
>        type forward;
>        forwarders {
>         ;
>        };
>    };
>  Alternatively, you may be using an include file. Now restart bind
>  (with /etc/init.d/bind9 restart) and look in its syslog file (try
>  /var/log/daemon.log). Does it report any errors? A very common cause
>  of errors is apparmor restrictions. Try running aa-logprof and see
>  if bind9 is asking for permissions on any files that apparmor is
>  denying.
>  4) when you think you have the bind9 config right, try the 'host'
>  command again but pointing at localhost:
>    host -t SRV _ldap._tcp.DOMAIN localhost
>  If it doesn't work then look carefully again at your bind9
>  config. Check for errors in the bind9 log file.
> Cheers, Tridge

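The stepwise check Tridge describes (SRV lookup against the DC, the same lookup against the local bind9, and the forward-zone stanza to compare with) scripted as an added example; this is not code from the thread or from Samba. It assumes the `host` utility from bind-utils is installed and that the caller supplies the AD DNS domain and the DC's address; the hostnames and addresses in comments are constructed.

```shell
#!/bin/sh
# Added example: automate the diagnosis steps from the reply above.

# Extract the DC hostname from a `host -t SRV` answer such as (constructed):
#   _ldap._tcp.example.lan has SRV record 0 100 389 dc1.example.lan.
# Fields: name "has" "SRV" "record" priority weight port target
srv_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $8); print $8; exit }'
}

# Render the named.conf.local forward-zone stanza from step 3, so the
# operator can diff it against what is actually configured.
forward_zone_stanza() {
    zone_domain=$1; zone_forwarder=$2
    printf 'zone "%s" IN {\n    type forward;\n    forwarders {\n        %s;\n    };\n};\n' \
        "$zone_domain" "$zone_forwarder"
}

# Step 1: query the DC directly; step 2 (optional GUID): the _msdcs CNAME;
# step 4: repeat against localhost and require the same answer.
check_ad_dns() {
    domain=$1; dc_ip=$2; guid=$3
    dc_ans=$(host -t SRV "_ldap._tcp.$domain" "$dc_ip" 2>&1 | srv_target)
    if [ -z "$dc_ans" ]; then
        echo "FAIL step 1: no SRV for _ldap._tcp.$domain from $dc_ip (wrong domain name or DC misconfigured)"
        return 1
    fi
    echo "OK   step 1: DC answers, LDAP target is $dc_ans"
    if [ -n "$guid" ]; then
        host -t CNAME "$guid._msdcs.$domain" "$dc_ip" | grep -q 'alias for' \
            || { echo "FAIL step 2: no CNAME for $guid._msdcs.$domain"; return 1; }
        echo "OK   step 2: _msdcs CNAME resolves on the DC"
    fi
    local_ans=$(host -t SRV "_ldap._tcp.$domain" localhost 2>&1 | srv_target)
    if [ "$local_ans" != "$dc_ans" ]; then
        echo "FAIL step 4: localhost answered '${local_ans:-nothing}', expected '$dc_ans'"
        echo "Check the bind9 log, then compare named.conf.local with:"
        forward_zone_stanza "$domain" "$dc_ip"
        return 1
    fi
    echo "OK   step 4: local bind9 forwards $domain correctly"
}
```

Run it as `check_ad_dns ad.example.lan 192.0.2.10` (constructed values) on the Samba host; a failing step prints the stanza bind9 would need for the domain.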
More information about the samba-technical mailing list