[Samba] question about zone and tsig verify failure

L.P.H. van Belle belle at bazuin.nl
Thu Dec 19 07:16:23 MST 2013

Im running: debian wheezy, sernet samba 4.1.3 , DC, in windows 2008 AD domain. 
Im reading the wiki and i stumbled on this. 


semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl

the strange thing is, and this is also my question, 

Should there be the zone files, if you using bind9. 
Since im not seeing these. the server ( samba 4.1.3) has joined a windows domain as DC, no problems, 
only the samba_dnsupdate --verbose --all-name give ; TSIG error with server: tsig verify failure

all other tests are ok as far i can see. 
if tested bind9 ( debian wheezy stable ) 9.8.4 
and i backported bind from sid, 
BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4 

Both do not create these zone files. 

dlopen is loaded: 
Dec 19 14:50:58 ws005-s4dc-001 named[301]: generating session key for dynamic DNS
Dec 19 14:50:58 ws005-s4dc-001 named[301]: sizing zone task pool based on 5 zones
Dec 19 14:50:58 ws005-s4dc-001 named[301]: Loading 'AD DNS Zone' using driver dlopen

when i run : samba_upgradedns --dns-backend=BIND9_DLZ it looks ok but no zone file. 
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/subdomain.domain.tld.zone
DNS records will be automatically created
DNS partitions already exist
dns-WS005-S4DC-001 account already exists
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

i also noticed that the output of these 2 are different. 
ls -lai /var/lib/samba/private/sam.ldb.d/ 
ls -lai /var/lib/samba/private/dns/sam.ldb.d/ 

after restarting bind, i noticed that 
samba_upgradedns --dns-backend=BIND9_DLZ

didnt seem my bind9 upgrade, and bind is not starting anymore, manually fixing

/var/lib/samba/private/named.conf changing bind9.8 to 9.9 dlopen fixed it. 

bug ? shouldnt samba follow the installed bind version? 


After reading a lot about the tsig message, i've read there is a fix, 

if the fix already applied, or do i have an other problem. 



best regards, 




More information about the samba mailing list