[Samba] question about zone and tsig verify failure

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 19 07:29:55 MST 2013


On 19/12/13 14:16, L.P.H. van Belle wrote:
> Hai
>
> I'm running: debian wheezy, sernet samba 4.1.3, DC, in windows 2008 AD domain.
>
> I'm reading the wiki and I stumbled on this.
>
> https://wiki.samba.org/index.php/Dns-backend_bind
>
> semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
> semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
>
> The strange thing is, and this is also my question:
>
> Should there be the zone files, if you are using bind9?
> Since I'm not seeing these. The server (samba 4.1.3) has joined a windows domain as DC, no problems,
> only the samba_dnsupdate --verbose --all-names gives: TSIG error with server: tsig verify failure
>
> All other tests are ok as far as I can see.
> I tested bind9 (debian wheezy stable) 9.8.4
> and I backported bind from sid,
> BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4
>
> Both do not create these zone files.
>
> dlopen is loaded:
> Dec 19 14:50:58 ws005-s4dc-001 named[301]: generating session key for dynamic DNS
> Dec 19 14:50:58 ws005-s4dc-001 named[301]: sizing zone task pool based on 5 zones
> Dec 19 14:50:58 ws005-s4dc-001 named[301]: Loading 'AD DNS Zone' using driver dlopen
>
>
> When I run: samba_upgradedns --dns-backend=BIND9_DLZ it looks ok but no zone file.
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/subdomain.domain.tld.zone
> DNS records will be automatically created
> DNS partitions already exist
> dns-WS005-S4DC-001 account already exists
> See /var/lib/samba/private/named.conf for an example configuration include file for BIND
> and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
>
> I also noticed that the output of these 2 are different.
> ls -lai /var/lib/samba/private/sam.ldb.d/
> ls -lai /var/lib/samba/private/dns/sam.ldb.d/
>
> After restarting bind, I noticed that
> samba_upgradedns --dns-backend=BIND9_DLZ
>
> didn't see my bind9 upgrade, and bind is not starting anymore; manually fixing
>
> /var/lib/samba/private/named.conf changing bind9.8 to 9.9 dlopen fixed it.
>
> Bug? Shouldn't samba follow the installed bind version?
>
>
> After reading a lot about the tsig message, I've read there is a fix,
>
> is the fix already applied, or do I have another problem?
>
> Best regards,
>
> Louis
>
Hi Louis, I am running Samba 4.1.0 with Bind 9.9.4 (both self-compiled) 
and DHCP, everything works ok for me and I also do not have the two zone 
files. I think that you only get them if you are running an earlier 
version of Bind with flat files.

Rowland
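Louis mentions that after backporting BIND 9.9, the Samba-generated /var/lib/samba/private/named.conf still pointed at the 9.8 dlopen module and BIND would not start until the line was changed by hand. The following is an added example (not Samba's own tooling and not from this thread) of a POSIX shell check that reads the active `database "dlopen ..."` line from a named.conf text and compares the module it names against the `BIND x.y` banner that `named -v` prints. It assumes Samba's convention for that era of naming the 9.8 module `dlz_bind9.so` and later series `dlz_bind9_<minor>.so`; the sample config fragment and the module paths in it are constructed for the demonstration, not copied from a real host.

```shell
#!/bin/sh
# Constructed sample in the layout Samba writes into named.conf; the
# module paths are placeholders, not taken from any real installation.
SAMPLE_CONF='dlz "AD DNS Zone" {
    # For BIND 9.8.x
    database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
};'

# Print the module path from the first uncommented `database "dlopen ..."`
# line of a named.conf text read on stdin. Commented-out alternatives
# (lines starting with #) are skipped, which is what matters here.
active_dlz_module() {
    grep -E '^[[:space:]]*database[[:space:]]+"dlopen ' \
        | sed -E 's/.*"dlopen ([^"]+)".*/\1/' \
        | head -n 1
}

# Map a dlz module filename to the BIND series it was built for, following
# the (assumed) Samba naming: dlz_bind9.so -> 9.8, dlz_bind9_9.so -> 9.9,
# dlz_bind9_10.so -> 9.10. Anything else is reported as unknown.
module_bind_series() {
    name=$(basename "$1")
    case "$name" in
        dlz_bind9.so) echo "9.8" ;;
        dlz_bind9_*.so) echo "9.$(printf '%s\n' "$name" | sed -E 's/dlz_bind9_([0-9]+)\.so/\1/')" ;;
        *) echo "unknown" ;;
    esac
}

# Reduce a `named -v` banner such as
# "BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4" to "9.9".
bind_series_from_banner() {
    printf '%s\n' "$1" | sed -E 's/^BIND ([0-9]+\.[0-9]+).*/\1/'
}

# Exit status 0 when the configured module matches the running BIND series,
# 1 when they differ (the situation that left BIND unable to start).
check_dlz_matches() {
    conf_text=$1
    banner=$2
    module=$(printf '%s\n' "$conf_text" | active_dlz_module)
    want=$(bind_series_from_banner "$banner")
    have=$(module_bind_series "$module")
    if [ "$have" = "$want" ]; then
        echo "ok: $module is built for BIND $want"
        return 0
    fi
    echo "mismatch: named.conf loads $module (BIND $have) but named reports BIND $want" >&2
    return 1
}

# Stand-alone run against the constructed sample; on a real host replace the
# two arguments with "$(cat /var/lib/samba/private/named.conf)" and "$(named -v)".
check_dlz_matches "$SAMPLE_CONF" "BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4" || true
```

The check only reads the configuration and the version banner; it changes nothing. Once the mismatch is corrected and BIND loads the right module, `samba_dnsupdate --verbose --all-names` is the place to confirm whether the TSIG error from the original message persists, since that is a separate condition from the module load.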
