[Samba] question about zone and tsig verify failure

steve steve at steve-ss.com
Thu Dec 19 08:20:45 MST 2013


On Thu, 2013-12-19 at 14:29 +0000, Rowland Penny wrote:
> On 19/12/13 14:16, L.P.H. van Belle wrote:
> > Hai
> >   
> > I'm running: Debian wheezy, SerNet Samba 4.1.3, DC, in a Windows 2008 AD domain.
> >
> > I'm reading the wiki and I stumbled on this.
> >
> > https://wiki.samba.org/index.php/Dns-backend_bind
> >
> > semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
> > semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
> >
> > The strange thing is, and this is also my question:
> >
> > Should there be zone files if you are using bind9?
> > Since I'm not seeing these. The server (Samba 4.1.3) has joined a Windows domain as DC, no problems,
> > only samba_dnsupdate --verbose --all-name gives: TSIG error with server: tsig verify failure
> >
> > All other tests are OK as far as I can see.
> > I've tested bind9 (Debian wheezy stable) 9.8.4
> > and I backported bind from sid,
> > BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4
> >
> > Both do not create these zone files.
> >
> >
> >
> > dlopen is loaded:
> > Dec 19 14:50:58 ws005-s4dc-001 named[301]: generating session key for dynamic DNS
> > Dec 19 14:50:58 ws005-s4dc-001 named[301]: sizing zone task pool based on 5 zones
> > Dec 19 14:50:58 ws005-s4dc-001 named[301]: Loading 'AD DNS Zone' using driver dlopen
> >
> >
> > When I run samba_upgradedns --dns-backend=BIND9_DLZ it looks OK, but no zone file:
> > Reading domain information
> > DNS accounts already exist
> > No zone file /var/lib/samba/private/dns/subdomain.domain.tld.zone
> > DNS records will be automatically created
> > DNS partitions already exist
> > dns-WS005-S4DC-001 account already exists
> > See /var/lib/samba/private/named.conf for an example configuration include file for BIND
> > and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
> > Finished upgrading DNS
> >
> > I also noticed that the output of these two is different:
> > ls -lai /var/lib/samba/private/sam.ldb.d/
> > ls -lai /var/lib/samba/private/dns/sam.ldb.d/
> >
> >
> > After restarting bind, I noticed that
> > samba_upgradedns --dns-backend=BIND9_DLZ
> >
> > didn't see my bind9 upgrade, and bind is not starting anymore; manually fixing
> >
> > /var/lib/samba/private/named.conf, changing the bind 9.8 to the 9.9 dlopen, fixed it.
> >
> > Bug? Shouldn't samba follow the installed bind version?
> >
> >   
> >
> > After reading a lot about the tsig message, I've read there is a fix.
> >
> > Is the fix already applied, or do I have another problem?
> >
> >   
> >
> >   
> >
> > best regards,
> >
> >   
> >
> > Louis
> >
> >
> >
> >   
> >
> Hi Louis, I am running Samba 4.1.0 with Bind 9.9.4 (both self compiled) 
> and DHCP, everything works OK for me and I also do not have the two zone 
> files. I think that you only get them if you are running an earlier 
> version of Bind with flat files.
> 
> Rowland
> 

Hi
With dlz, the zone information is not stored in files but in the
database. After running 
samba_upgradedns
did you adjust the permissions on the partitions so that the user running
named can access them? Usually, they're left with only root access. On
openSUSE it's running as named. On Debian it's the user bind. Make sure
that the user can access the DNS stuff under .../private. Then restart
named.
HTH
Steve
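An added shell example, not code from the thread or from Samba: it performs the check and fix Steve describes above, counting the entries under the dlz data directory that the named account's group cannot read and write, granting that access, and demonstrating both on a constructed copy of the sam.ldb / sam.ldb.d layout rather than the live directory. The group name (bind on Debian, named on openSUSE) and the group-based approach (root keeps ownership, the named group gets access) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit and repair the ownership and
# permissions of Samba's dlz DNS data so the account that runs named can
# read and write it. Assumptions: the group is passed as an argument
# ("bind" on Debian, "named" on openSUSE) and POSIX/GNU find is available.

# Print the number of entries under $1 that group $2 cannot fully use:
# directories need g+rwx, files need g+rw, and everything must belong to $2.
dlz_count_blocked() {
    find "$1" \( ! -group "$2" \) \
        -o \( -type d ! -perm -g+rwx \) \
        -o \( -type f ! -perm -g+rw \) | wc -l | tr -d ' '
}

# Give group $2 read/write access to the tree under $1 (directories also
# need execute so their contents can be traversed). Files stay root-owned.
dlz_grant_group() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod g+rwx {} +
    find "$1" -type f -exec chmod g+rw {} +
}

# Self-contained demonstration on a constructed copy of the layout
# (sam.ldb plus its sam.ldb.d partition directory) instead of the live
# /var/lib/samba/private/dns. Returns 0 when the repair leaves nothing blocked.
dlz_demo() {
    grp="$1"
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dns/sam.ldb.d"
    : > "$tmp/dns/sam.ldb"
    : > "$tmp/dns/sam.ldb.d/metadata.tdb"
    chmod 700 "$tmp/dns" "$tmp/dns/sam.ldb.d"      # root-only, as samba_upgradedns leaves it
    chmod 600 "$tmp/dns/sam.ldb" "$tmp/dns/sam.ldb.d/metadata.tdb"
    before=$(dlz_count_blocked "$tmp/dns" "$grp")
    dlz_grant_group "$tmp/dns" "$grp"
    after=$(dlz_count_blocked "$tmp/dns" "$grp")
    echo "blocked before: $before, after: $after"
    rm -rf "$tmp"
    [ "$after" = "0" ]
}

# Usage on a real DC (as root):  dlz_count_blocked /var/lib/samba/private/dns bind
#                                dlz_grant_group   /var/lib/samba/private/dns bind
# Run the constructed demo with:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dlz_demo "$(id -gn)"
fi
```

After the fix on a real DC, restart named and re-run samba_dnsupdate --verbose --all-names to confirm the updates go through.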