[Samba] question about zone and tsig verify failure

Günter Kukkukk linux at kukkukk.com
Thu Dec 19 13:28:52 MST 2013

On 19.12.2013 15:16, L.P.H. van Belle wrote:
> Hai  
> I'm running: debian wheezy, sernet samba 4.1.3, DC, in a windows 2008 AD domain. 
> I'm reading the wiki and I stumbled on this. 
> https://wiki.samba.org/index.php/Dns-backend_bind  
> semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
> semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
> The strange thing is, and this is also my question: 
> should there be zone files if you're using bind9? 
> Since I'm not seeing these. The server (samba 4.1.3) has joined a windows domain as DC, no problems, 
> only samba_dnsupdate --verbose --all-names gives: ; TSIG error with server: tsig verify failure
> All other tests are ok as far as I can see. 
> I tested bind9 (debian wheezy stable) 9.8.4 
> and I backported bind from sid, 
> BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4 
> Both do not create these zone files. 
> dlopen is loaded: 
> Dec 19 14:50:58 ws005-s4dc-001 named[301]: generating session key for dynamic DNS
> Dec 19 14:50:58 ws005-s4dc-001 named[301]: sizing zone task pool based on 5 zones
> Dec 19 14:50:58 ws005-s4dc-001 named[301]: Loading 'AD DNS Zone' using driver dlopen
> When I run samba_upgradedns --dns-backend=BIND9_DLZ it looks ok, but no zone file. 
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/subdomain.domain.tld.zone
> DNS records will be automatically created
> DNS partitions already exist
> dns-WS005-S4DC-001 account already exists
> See /var/lib/samba/private/named.conf for an example configuration include file for BIND
> and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
> I also noticed that the output of these 2 is different. 
> ls -lai /var/lib/samba/private/sam.ldb.d/ 
> ls -lai /var/lib/samba/private/dns/sam.ldb.d/ 
> After restarting bind, I noticed that 
> samba_upgradedns --dns-backend=BIND9_DLZ
> didn't see my bind9 upgrade, and bind is not starting anymore. Manually fixing
> /var/lib/samba/private/named.conf, changing the bind 9.8 dlopen to 9.9, fixed it. 
> Bug? Shouldn't samba follow the installed bind version? 
> After reading a lot about the tsig message, I've read there is a fix. 
> Is the fix already applied, or do I have another problem? 
> best regards, 
> Louis

Hi Louis,

some clarifications:

The samba AD DC can use two different DNS servers:
   - internal DNS (default)
   - ISC Bind DNS
      - using flat ASCII zone files (special setup, not tested too much these days) (*)
      - using the samba DLZ dynamic libraries
           - dlz_bind9.so    (for bind versions 9.8.x)
           - dlz_bind9_9.so  (for bind versions 9.9.x)
             atm the bind version must be manually selected/edited in ./samba/private/named.conf

(*)Note - the ISC bind flat ASCII zone files are only used in this configuration!
All other dns setups use ADS to store the zone infos.

To see whether samba is using the internal DNS or ISC bind:
   samba-tool testparm -v --suppress-prompt | grep "server services"
When "dns" is listed, the internal server is used. Btw - dnsupdate is used in both cases.
Remove "dns" for the DLZ driver. (smb.conf)
The [global] smb.conf option
    dns forwarder = .....
is also only used with the internal DNS server; bind uses its /etc/named.conf for that.

In case you want to use the DLZ driver, check the following 3 files

164962 -rw-rw---- 2 root named 4251648 Dec 19 14:44 DC=DOMAINDNSZONES,DC=ADDLZ,DC=KUKKUKK,DC=COM.ldb
164963 -rw-rw---- 2 root named 4251648 Dec  8 20:56 DC=FORESTDNSZONES,DC=ADDLZ,DC=KUKKUKK,DC=COM.ldb
164947 -rw-rw---- 2 root named  421888 Dec 19 14:44 metadata.tdb

with both
   ls -lai /usr/local/samba/private/dns/sam.ldb.d/    (path might be different)
   ls -lai /usr/local/samba/private/sam.ldb.d/        (path might be different)
to use the _same_ inodes.

Also note that some distros run ISC bind as user "bind", others use "named". This user/group
must have access to some already discussed samba files/paths ....

I often use the following 2 root consoles for testing:
1.)   named -g -u bind -d3   (Note that "-u bind" must be replaced with "-u named" on some distros)
2.)   samba -i -M single -d3
Both programs should now run and send their debug 3 output to their consoles.
When you see lines like
   Not authoritative for 'wiki.samba.org', forwarding
in the samba log, the internal DNS is active.

That output
   ; TSIG error with server: tsig verify failure
is usually only seen when the internal DNS server is running.
It's a glitch, which can be ignored atm (all dyn. updates are done OK).

Cheers, Günter
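Günter's two checks above, written up as a small POSIX shell helper (an added example, not code from the thread or from Samba): `internal_dns_active` reads the `samba-tool testparm -v --suppress-prompt` output and reports whether "dns" is among the "server services", and `check_dlz_links` confirms that the three DLZ database files in `private/dns/sam.ldb.d/` share their inodes with those in `private/sam.ldb.d/`. The /usr/local/samba paths and the DC=...EXAMPLE... file names in the usage comment are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: two checks from Günter's
# reply as shell functions, meant to be run from a root console on the DC.

# Reads `samba-tool testparm -v --suppress-prompt` output on stdin; returns 0
# when "dns" is one of the "server services" (the internal DNS server is
# active, so the DLZ driver is NOT what answers queries), 1 otherwise.
# "dnsupdate" must not count, hence the whole-word match after splitting on commas.
internal_dns_active() {
    grep -i '^[[:space:]]*server services' | tr ',' ' ' | grep -Eq '(^|[[:space:]])dns([[:space:]]|$)'
}

# check_dlz_links DIR_A DIR_B FILE...
# Bind (via dlz_bind9*.so) and samba must open the very same database files;
# a copy with a different inode under dns/ means one side's dynamic updates
# never reach the other. Returns 0 only if every FILE exists in both
# directories and shares one inode (i.e. is a hard link, as in the ls -lai
# listings above).
check_dlz_links() {
    dir_a=$1
    dir_b=$2
    shift 2
    rc=0
    for f in "$@"; do
        if [ ! -f "$dir_a/$f" ] || [ ! -f "$dir_b/$f" ]; then
            echo "MISSING  $f (must exist in both directories)"
            rc=1
            continue
        fi
        ino_a=$(ls -i "$dir_a/$f" | awk '{print $1}')
        ino_b=$(ls -i "$dir_b/$f" | awk '{print $1}')
        if [ "$ino_a" = "$ino_b" ]; then
            echo "OK       $f (inode $ino_a shared)"
        else
            echo "MISMATCH $f (inode $ino_a vs $ino_b: a copy, not a hard link)"
            rc=1
        fi
    done
    return $rc
}

# Usage on a DC (paths and zone names are assumptions; adjust to your install):
#   samba-tool testparm -v --suppress-prompt | internal_dns_active \
#       && echo "internal DNS active: remove dns from server services for DLZ"
#   check_dlz_links /usr/local/samba/private/sam.ldb.d \
#       /usr/local/samba/private/dns/sam.ldb.d metadata.tdb \
#       "DC=DOMAINDNSZONES,DC=EXAMPLE,DC=COM.ldb" "DC=FORESTDNSZONES,DC=EXAMPLE,DC=COM.ldb"
```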
