[Samba] question about zone and tsig verify failure
L.P.H. van Belle
belle at bazuin.nl
Fri Dec 20 01:36:31 MST 2013
Hello Günter,
Thank you very much for this explanation.
This makes sense.
Too bad for me, I just removed my server for a new install.. :-/
But good to know the TSIG error is only a glitch, maybe something for the wiki?
Btw.. this explanation is also good for the wiki.
Louis
>-----Original message-----
>From: Günter Kukkukk [mailto:linux at kukkukk.com]
>Sent: Thursday 19 December 2013 21:29
>To: L.P.H. van Belle; samba at lists.samba.org
>Subject: Re: [Samba] question about zone and tsig verify failure
>
>On 19.12.2013 15:16, L.P.H. van Belle wrote:
>> Hai
>>
>> I'm running: Debian wheezy, SerNet samba 4.1.3, DC, in a Windows 2008 AD domain.
>>
>> I'm reading the wiki and I stumbled on this.
>>
>> https://wiki.samba.org/index.php/Dns-backend_bind
>>
>> semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
>> semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
>>
>> The strange thing is, and this is also my question:
>>
>> Should there be zone files if you are using bind9?
>> Since I'm not seeing these. The server (samba 4.1.3) has joined a Windows domain as DC, no problems,
>> only samba_dnsupdate --verbose --all-name gives: TSIG error with server: tsig verify failure
>>
>> All other tests are ok as far as I can see.
>> I've tested bind9 (Debian wheezy stable) 9.8.4
>> and I backported bind from sid,
>> BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4
>>
>> Both do not create these zone files.
>>
>> dlopen is loaded:
>> Dec 19 14:50:58 ws005-s4dc-001 named[301]: generating session key for dynamic DNS
>> Dec 19 14:50:58 ws005-s4dc-001 named[301]: sizing zone task pool based on 5 zones
>> Dec 19 14:50:58 ws005-s4dc-001 named[301]: Loading 'AD DNS Zone' using driver dlopen
>>
>> When I run: samba_upgradedns --dns-backend=BIND9_DLZ it looks ok but no zone file.
>> Reading domain information
>> DNS accounts already exist
>> No zone file /var/lib/samba/private/dns/subdomain.domain.tld.zone
>> DNS records will be automatically created
>> DNS partitions already exist
>> dns-WS005-S4DC-001 account already exists
>> See /var/lib/samba/private/named.conf for an example configuration include file for BIND
>> and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
>> Finished upgrading DNS
>>
>> I also noticed that the output of these 2 is different.
>> ls -lai /var/lib/samba/private/sam.ldb.d/
>> ls -lai /var/lib/samba/private/dns/sam.ldb.d/
>>
>> After restarting bind, I noticed that
>> samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> didn't see my bind9 upgrade, and bind is not starting anymore; manually fixing
>>
>> /var/lib/samba/private/named.conf, changing bind9.8 to 9.9 dlopen, fixed it.
>>
>> Bug? Shouldn't samba follow the installed bind version?
>>
>> After reading a lot about the tsig message, I've read there is a fix.
>>
>> Is the fix already applied, or do I have another problem?
>>
>> best regards,
>>
>> Louis
>>
>
>Hi Louis,
>
>some clarifications:
>
>the samba AD DC can use two different dns servers
> - internal DNS (default)
> - ISC Bind DNS
>   - using flat ASCII zone files (special setup, not tested too much these days) (*)
>   - using the samba DLZ dynamic libraries
>     - dlz_bind9.so (for bind versions 9.8.x)
>     - dlz_bind9_9.so (for bind versions 9.9.x)
>   atm the bind version must be manually selected/edited in ./samba/private/named.conf
>
>(*) Note - the ISC bind flat ASCII zone files are only used in this configuration!
>All other dns setups use ADS to store the zone infos.
>
>To see whether samba is using the internal DNS or ISC bind:
> samba-tool testparm -v --suppress-prompt | grep "server services"
>When "dns" is listed, the internal server is used. Btw - dnsupdate is used in both cases.
>Remove "dns" for the DLZ driver. (smb.conf)
>The [global] smb.conf option
> dns forwarder = .....
>is also only used with the internal DNS server, bind uses its /etc/named.conf for that.
>
>In case you want to use the DLZ driver, check the following 3 files
>
>164962 -rw-rw---- 2 root named 4251648 Dec 19 14:44 DC=DOMAINDNSZONES,DC=ADDLZ,DC=KUKKUKK,DC=COM.ldb
>164963 -rw-rw---- 2 root named 4251648 Dec 8 20:56 DC=FORESTDNSZONES,DC=ADDLZ,DC=KUKKUKK,DC=COM.ldb
>164947 -rw-rw---- 2 root named 421888 Dec 19 14:44 metadata.tdb
>
>with both
> ls -lai /usr/local/samba/private/dns/sam.ldb.d/ (path might be different)
> ls -lai /usr/local/samba/private/sam.ldb.d/ (path might be different)
>to use the _same_ inodes.
>
>Also note that some distros run ISC bind as user "bind", others use "named". This user/group
>must have access to some already discussed samba files/paths ....
>
>I often use the following 2 root consoles for testing:
>1.) named -g -u bind -d3 (Note that "-u bind" must be replaced with "-u named" on some distros)
>2.) samba -i -M single -d3
>Both programs should now run and send their debug 3 output to their consoles.
>When you see lines like
> Not authoritative for 'wiki.samba.org', forwarding
>in the samba log, the internal DNS is active.
>
>That output
> ; TSIG error with server: tsig verify failure
>is usually only seen when the internal DNS server is running.
>It's a glitch, which can be ignored atm (all dyn. updates are done OK).
>
>Cheers, Günter
>
>
>
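As an added example that is not part of the thread (neither Louis's nor Günter's code), a small POSIX sh script that turns Günter's two checks into functions: whether the "server services" line still lists the internal "dns" service, and whether the files under dns/sam.ldb.d/ really share inodes with those under sam.ldb.d/. It assumes the private directory /var/lib/samba/private (Louis's path) and partition file names starting with DC=DOMAINDNSZONES / DC=FORESTDNSZONES as in Günter's listing.

```shell
#!/bin/sh
# Added example, not code from the thread. Scripts the two checks Günter
# describes: does "server services" still list the internal "dns" service,
# and do the DLZ copies of the DNS partition ldb files and metadata.tdb
# share inodes with the originals. PRIVATE_DIR is an assumed default.

# dns_mode LINE
#   LINE is the "server services = ..." line from samba-tool testparm.
#   Prints "internal" when the standalone "dns" service is listed
#   (dnsupdate alone does not count), otherwise "bind".
dns_mode() {
    list=$(printf '%s' "${1#*=}" | tr -d ' ')
    case ",$list," in
        *,dns,*) echo internal ;;
        *)       echo bind ;;
    esac
}

# check_dlz_links BASE
#   Compares BASE/sam.ldb.d/<file> with BASE/dns/sam.ldb.d/<file> for the
#   DomainDnsZones/ForestDnsZones partitions and metadata.tdb. Returns 0
#   only if every pair exists and is the same inode (hard link, not copy).
check_dlz_links() {
    base=$1 rc=0 found=0
    for f in "$base"/sam.ldb.d/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$name" in
            DC=DOMAINDNSZONES,*|DC=FORESTDNSZONES,*|metadata.tdb) ;;
            *) continue ;;
        esac
        found=$((found + 1))
        other="$base/dns/sam.ldb.d/$name"
        if [ ! -e "$other" ]; then
            echo "MISSING  $other"; rc=1
        elif [ "$f" -ef "$other" ]; then
            echo "OK       $name (same inode)"
        else
            echo "MISMATCH $name (different inode: copy, not hard link)"; rc=1
        fi
    done
    [ "$found" -gt 0 ] || { echo "no partition files under $base/sam.ldb.d"; rc=1; }
    return "$rc"
}

# Run the inode check on the live install when executed directly, not sourced.
if [ "${0##*/}" = "check_dlz_links.sh" ]; then
    check_dlz_links "${PRIVATE_DIR:-/var/lib/samba/private}"
fi
```

A MISMATCH line means the file under dns/sam.ldb.d/ is a separate copy, which is exactly what the two ls -lai listings above are meant to catch.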