[Samba] samba4+bind on centos

NOC noc at nieuwland.nl
Fri Jun 7 08:27:28 MDT 2013


On 06/07/2013 03:38 PM, Ludek Finstrle wrote:
> Hello NOC,
>
>    you didn't provide any configuration so I'm just guessing using
> my new crystal ball.

Hi Ludek

can you tell in your crystal ball whether I'll succeed getting this to 
work? ;-)

The parts I added to my config:

# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
     # For BIND 9.8.0
     database "dlopen /usr/lib64/samba4/modules/bind9/dlz_bind91.so -d 3";

     # For BIND 9.9.0
     # database "dlopen /usr/lib64/samba4/modules/bind9/dlz_bind9_9.so";
};

options {
...
#samba4 key for dyn.updates
         tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";
....
}


>
> Fri, Jun 07, 2013 at 02:45:09PM +0200, NOC napsal(a):
>> Hi all
>>
>> root at puppettest01 var]# samba_dnsupdate --verbose --all-names
>> IPs: ['192.168.0.1']
>> Traceback (most recent call last):
>>    File "/usr/sbin/samba_dnsupdate", line 506, in <module>
>>      get_credentials(lp)
>>    File "/usr/sbin/samba_dnsupdate", line 119, in get_credentials
>>      creds.get_named_ccache(lp, ccachename)
>> RuntimeError: kinit for PUPPETTEST01$@NIEUWLAND.NL failed (Cannot
>> contact any KDC for requested realm)
> You have configured kerberos to look for KDC using DNS and DNS
> server is not running.

Yes, that's why I figured it was a problem with bind.
>
>> When looking at the debug output of bind, it doesn't seem to have
>> loaded the DLZ module from samba4.
>>
>> I tried this: named -g -c /etc/bind/named.conf -u named -d3 2>&1
>> |grep -i dlz
>> 07-Jun-2013 14:18:24.514 built with '--host=x86_64-redhat-linux-gnu'
>> '--build=x86_64-redhat-linux-gnu' '--program-prefix='
>> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
>> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
>> '--includedir=/usr/include' '--libdir=/usr/lib64'
>> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--with-libtool' '--localstatedir=/var' '--enable-threads'
>> '--enable-ipv6' '--with-pic' '--disable-static'
>> '--disable-openssl-version-check' '--with-dlopen=yes'
>> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
>> '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes'
>> '--with-dlz-stub=yes' '--with-gssapi=yes' '--disable-isc-spnego'
>> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
>> '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g' 'CPPFLAGS=
>> -DDIG_SIGCHASE'
>> 07-Jun-2013 14:18:24.516 Registering DLZ_dlopen driver
>> 07-Jun-2013 14:18:24.516 Registering SDLZ driver 'dlopen'
>> 07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'

With the freshly compiled bind I now get this output:
named -g -c /etc/bind/named.conf -u named -d3 2>&1 |grep -i dlz
07-Jun-2013 15:52:04.484 built with '--host=x86_64-redhat-linux-gnu' 
'--build=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' 
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' 
'--disable-openssl-version-check' '--with-dlopen=yes' 
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
'--with-dlz-filesystem=yes' '--with-gssapi=yes' 
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g' 'CPPFLAGS= 
-DDIG_SIGCHASE'
07-Jun-2013 15:52:04.486 Registering DLZ_dlopen driver
07-Jun-2013 15:52:04.486 Registering SDLZ driver 'dlopen'
07-Jun-2013 15:52:04.486 Registering DLZ driver 'dlopen'


>> med.conf location is nonstandard, this is handled in
>> /etc/sysconfig/named).
> What about selinux?

selinux is set to permissive

> Also giving us only a grep of the logs is useless. There should be very
> interesting lines below:
> 07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'

Like what? I figured getting a line with the dlz driver loading was the 
first step, and that isn't happening...


>
>> samba4 was provisioned for NIEUWLAND.NL as dc and BIND9_DLZ
>>
>> I wonder which steps would be most likely to let bind load the driver
>> for dlz? Should I suspect all the patches redhat includes in their
>> source rpm? or is it a configuration issue?
> This part is working with plain CentOS named for me.
> The problem mentioned with --disable-isc-spnego is only with
> Windows client updates to the dns.

Ok, that will happen when we take it into production, so I'll still need 
to remove it for testing as well.


>
> Please give us the named.conf (at least the part you copied
> from samba) and also the named output from /var/log/messages
> during startup (no debug is needed usually).
>
named.conf (attached) (I reduced it a bit)

/var/log/messages:

Jun  7 16:11:59 puppettest01 named[7138]: starting BIND 
9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 -u named -c /etc/bind/named.conf
Jun  7 16:11:59 puppettest01 named[7138]: built with 
'--host=x86_64-redhat-linux-gnu' '--build=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' 
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' 
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' 
'--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' 
'--disable-static' '--disable-openssl-version-check' '--with-dlopen=yes' 
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
'--with-dlz-filesystem=yes' '--with-gssapi=yes' 
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g' 'CPPFLAGS= 
-DDIG_SIGCHASE'
Jun  7 16:11:59 puppettest01 named[7138]: 
----------------------------------------------------
Jun  7 16:11:59 puppettest01 named[7138]: BIND 9 is maintained by 
Internet Systems Consortium,
Jun  7 16:11:59 puppettest01 named[7138]: Inc. (ISC), a non-profit 
501(c)(3) public-benefit
Jun  7 16:11:59 puppettest01 named[7138]: corporation.  Support and 
training for BIND 9 are
Jun  7 16:11:59 puppettest01 named[7138]: available at 
https://www.isc.org/support
Jun  7 16:11:59 puppettest01 named[7138]: 
----------------------------------------------------
Jun  7 16:11:59 puppettest01 named[7138]: adjusted limit on open files 
from 4096 to 1048576
Jun  7 16:11:59 puppettest01 named[7138]: found 1 CPU, using 1 worker thread
Jun  7 16:11:59 puppettest01 named[7138]: using up to 4096 sockets
Jun  7 16:11:59 puppettest01 named[7138]: loading configuration from 
'/etc/bind/named.conf'
Jun  7 16:11:59 puppettest01 named[7138]: reading built-in trusted keys 
from file '/etc/bind.keys'
Jun  7 16:11:59 puppettest01 named[7138]: statistics channel listening 
on 0.0.0.0#8053
Jun  7 16:11:59 puppettest01 named[7138]: statistics channel listening 
on ::#8053
Jun  7 16:11:59 puppettest01 named[7138]: using default UDP/IPv4 port 
range: [1024, 65535]
Jun  7 16:11:59 puppettest01 named[7138]: using default UDP/IPv6 port 
range: [1024, 65535]
Jun  7 16:11:59 puppettest01 named[7138]: listening on IPv6 interfaces, 
port 53
Jun  7 16:11:59 puppettest01 named[7138]: listening on IPv4 interface 
lo, 127.0.0.1#53
Jun  7 16:11:59 puppettest01 named[7138]: listening on IPv4 interface 
eth0, 192.168.0.1#53
Jun  7 16:11:59 puppettest01 named[7138]: generating session key for 
dynamic DNS
Jun  7 16:11:59 puppettest01 named[7138]: sizing zone task pool based on 
6 zones
Jun  7 16:11:59 puppettest01 named[7138]: set up managed keys zone for 
view internal, file 
'/etc/bind/data/keys/3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys'
Jun  7 16:11:59 puppettest01 named[7138]: Warning: view internal: 
'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 
empty zones
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 0.IN-ADDR.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 127.IN-ADDR.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 254.169.IN-ADDR.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 2.0.192.IN-ADDR.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 100.51.198.IN-ADDR.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 113.0.203.IN-ADDR.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 255.255.255.255.IN-ADDR.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: D.F.IP6.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 8.E.F.IP6.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 9.E.F.IP6.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: A.E.F.IP6.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: B.E.F.IP6.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: automatic empty zone: view 
internal: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun  7 16:11:59 puppettest01 named[7138]: command channel listening on 
127.0.0.1#953
Jun  7 16:11:59 puppettest01 named[7138]: zone 
0.0.127.in-addr.arpa/IN/internal: loaded serial 200204121
Jun  7 16:11:59 puppettest01 named[7138]: zone 
168.192.in-addr.arpa/IN/internal: loaded serial 2013052803
Jun  7 16:11:59 puppettest01 named[7138]: zone 
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/internal: 
loaded serial 200204121
Jun  7 16:11:59 puppettest01 named[7138]: zone localhost/IN/internal: 
loaded serial 42
Jun  7 16:11:59 puppettest01 named[7138]: zone nieuwland.nl/IN/internal: 
loaded serial 2013060503
Jun  7 16:11:59 puppettest01 named[7138]: managed-keys-zone 
./IN/internal: loaded serial 0
Jun  7 16:11:59 puppettest01 named[7138]: running
Jun  7 16:11:59 puppettest01 setroubleshoot: SELinux is preventing 
/usr/sbin/named from write access on the directory /etc/bind/data. For 
complete SELinux messages. run sealert -l 
b6365726-01db-49d4-80e3-87c870b21058
Jun  7 16:12:00 puppettest01 setroubleshoot: SELinux is preventing 
/usr/sbin/named from write access on the directory /etc/bind/data. For 
complete SELinux messages. run sealert -l 
b6365726-01db-49d4-80e3-87c870b21058
Jun  7 16:12:02 puppettest01 setroubleshoot: SELinux is preventing 
/usr/sbin/named from append access on the file /etc/bind/data/bind.log. 
For complete SELinux messages. run sealert -l 
ec0a01a7-f56b-4c66-8386-4f0ed8a531f5

selinux would block some of these file accesses apparently, but it's 
only reporting here, so that's not the problem.

The file to be loaded by dlopen is reachable and readable.

Further suggestions are very welcome!

/Simon

-------------- next part --------------
acl internal {
	192.168.0.0/16;
	172.16.0.0/12;
	10.0.0.0/8;
	127.0.0.1;
	::1;
};


#include "/var/lib/samba4/private/named.conf";
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba4/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/lib64/samba4/modules/bind9/dlz_bind9.so -d 3";

    # For BIND 9.9.0
    # database "dlopen /usr/lib64/samba4/modules/bind9/dlz_bind9_9.so";
};

/*------------------------------------------------------------------------------*/
/* All options                                                                  */
/*------------------------------------------------------------------------------*/
options {
	directory				"/etc/bind/data";
	pid-file				"/var/run/named/named.pid";
	version					"If you have a legitimate reason for requesting this info, please contact me";
	hostname				"puppettest01.nieuwland.nl";
	managed-keys-directory	"/etc/bind/data/keys";

	#samba4 key for dyn.updates
	tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";

	auth-nxdomain			no;		# conform to RFC1035

	allow-recursion			{ 
								internal; 
								localhost; 
							};

	listen-on				{ any; };
	listen-on-v6			{ any; };
	preferred-glue			AAAA;

	session-keyfile			"session.key";

	statistics-file			"bind.stats";
	memstatistics-file		"bind.mem";
	zone-statistics			yes;
};


/*------------------------------------------------------------------------------*/
/* Statistics network                                                           */
/*------------------------------------------------------------------------------*/
statistics-channels {
	inet *  port 8053 allow { internal; };
	inet :: port 8053 allow { internal; };
};

/*------------------------------------------------------------------------------*/
/* Where and what to log                                                        */
/*------------------------------------------------------------------------------*/
logging {
	channel audit_log {
		file "bind.log" versions 5 size 25m;
		severity debug;
		print-time yes;
		print-severity yes;
		print-category yes;
	};

	category default		{ default_syslog;					};
	category general		{ default_syslog;					};
	category config			{ default_syslog;					};
	category security		{ audit_log;		default_syslog;	};
	category resolver		{ audit_log;						};
	category xfer-in		{ audit_log;						};
	category xfer-out		{ audit_log;						};
	category notify			{ audit_log;						};
	category client			{ audit_log;						};
	category network		{ audit_log;						};
	category update			{ audit_log;						};
	category queries		{ audit_log;						};
	category lame-servers	{ null;								};
	category edns-disabled	{ null;								};
};

/*------------------------------------------------------------------------------*/
/* RNDC controls                                                                */
/*------------------------------------------------------------------------------*/
controls {
	inet 127.0.0.1 port 953 allow {
		127.0.0.1;
	} keys {
		"rndc-key";
	};
};

/*------------------------------------------------------------------------------*/
/* RNDC key                                                                     */
/*------------------------------------------------------------------------------*/
key "rndc-key" {
	algorithm hmac-md5;
	secret "y7HLQRNy2FbwW5SQeQDPAuHzWZy6cNZH0MHqeSpW53pyrngSAnU3EI5zO7sk";
};

/*------------------------------------------------------------------------------*/
/* Updater key                                                                  */
/*------------------------------------------------------------------------------*/
key updaters {
	algorithm hmac-md5;
	secret "ZLRCe7riNRRe5/SDwJfeuW7lDttN4l40+2nXhtO4t/E=";
};

/*------------------------------------------------------------------------------*/
/* Internal view                                                                */
/*------------------------------------------------------------------------------*/
view "internal" {
	match-clients {
		internal;
	};

	allow-query {
		internal;
	};

	notify no;

	/*--------------------------------------------------------------------------*/
	/* Internal zones                                                           */
	/*--------------------------------------------------------------------------*/

	zone "nieuwland.nl" in {
		type master;
		file "internal/nieuwland.nl-fwd";
	};


	/*--------------------------------------------------------------------------*/
	/* reverse lookup internal													*/
	/*--------------------------------------------------------------------------*/

	zone "168.192.in-addr.arpa." in {
		type master;
		file "internal/192.168-rev";
	};

	zone "localhost." in {
		type master;
		file "local.fwd";
	};

	zone "0.0.127.in-addr.arpa." in {
		type master;
		file "local.rev";
	};

	zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." in {
		type master;
		file "local.rev";
	};

	/*--------------------------------------------------------------------------*/
	/* Root servers hint                                                        */
	/*--------------------------------------------------------------------------*/

	zone "." in {
		type hint;
		file "named.cache";
	};

};
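As an added example (not part of Simon's message, and not tooling from the Samba or BIND projects), the script below runs the checks that the exchange above turns on, over a named startup log: whether named registered the dlopen DLZ driver, whether the Samba DLZ module actually started, which zones were loaded from files (a static zone carrying the AD domain's own name is worth flagging), which SELinux denials setroubleshoot reported, and whether the kinit failed for lack of a KDC. The two sample logs are constructed, condensed copies of the lines posted in the thread; the `samba_dlz: started for DN` marker is assumed wording for the Samba dlz module's log line, and the `analyse` function and `Report` type are mine.

```python
"""Triage a named startup log for a Samba AD BIND9_DLZ setup (added example)."""
import re
from dataclasses import dataclass

# Markers a healthy BIND9_DLZ startup should hit. The first, second and
# fourth appear verbatim in the thread; the "samba_dlz:" line is assumed
# wording for what the Samba dlz module logs once it has opened the AD
# database (adjust it to what your Samba version prints).
MILESTONES = (
    ("config_loaded", re.compile(r"loading configuration from '[^']+'")),
    ("dlz_driver_registered", re.compile(r"Registering DLZ driver 'dlopen'")),
    ("samba_dlz_started", re.compile(r"samba_dlz: started for DN")),
    ("running", re.compile(r"\brunning\s*$")),
)
ZONE_LOADED = re.compile(
    r"(?<!-)zone (?P<zone>\S+?)/(?P<cls>\w+)(?:/(?P<view>\S+))?: loaded serial (?P<serial>\d+)"
)
SELINUX_DENIAL = re.compile(
    r"SELinux is preventing (?P<subject>\S+) from (?P<access>\w+) access on the "
    r"(?P<kind>directory|file) (?P<path>\S+?)\.(?:\s|$)"
)
KDC_FAILURE = "Cannot contact any KDC for requested realm"


@dataclass
class Report:
    milestones: dict
    zones: list
    selinux_denials: list
    findings: list


def analyse(log_text: str, ad_domain: str) -> Report:
    """Return which milestones were reached plus findings worth acting on."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    milestones = {name: any(rx.search(l) for l in lines) for name, rx in MILESTONES}
    zones = [m.groupdict() for l in lines if (m := ZONE_LOADED.search(l))]
    denials = [m.groupdict() for l in lines if (m := SELINUX_DENIAL.search(l))]
    findings = []

    if not milestones["dlz_driver_registered"]:
        findings.append("named never registered the dlopen DLZ driver: "
                        "this build cannot load the Samba module at all")
    elif not milestones["samba_dlz_started"]:
        findings.append("dlopen driver registered but the Samba DLZ module never "
                        "started: the dlz statement is not taking effect in the "
                        "config named actually loaded, or the module failed to load")
    # The AD domain's records live in AD and are served through the DLZ module;
    # a static zone file with the same name means two copies of that name exist.
    for z in zones:
        if z["zone"].rstrip(".").lower() == ad_domain.lower():
            findings.append(f"{z['zone']} is loaded from a zone file (serial {z['serial']}, "
                            f"view {z['view']}) although the AD domain should come from "
                            "the DLZ module: check which copy named answers from")
    for d in denials:
        findings.append(f"SELinux denied {d['access']} on {d['kind']} {d['path']} for "
                        f"{d['subject']}: only logged while permissive, fatal once enforcing")
    if KDC_FAILURE in log_text:
        findings.append("Kerberos found no KDC for the realm: the KDC is located via DNS "
                        "SRV records, which only exist once the AD zone is being served")
    return Report(milestones, zones, denials, findings)


# Constructed sample: the thread's -d3 output, /var/log/messages lines and the
# samba_dnsupdate error, condensed to one line per entry.
BROKEN_STARTUP = """\
07-Jun-2013 15:52:04.486 Registering DLZ driver 'dlopen'
Jun  7 16:11:59 puppettest01 named[7138]: starting BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 -u named -c /etc/bind/named.conf
Jun  7 16:11:59 puppettest01 named[7138]: loading configuration from '/etc/bind/named.conf'
Jun  7 16:11:59 puppettest01 named[7138]: sizing zone task pool based on 6 zones
Jun  7 16:11:59 puppettest01 named[7138]: zone 168.192.in-addr.arpa/IN/internal: loaded serial 2013052803
Jun  7 16:11:59 puppettest01 named[7138]: zone nieuwland.nl/IN/internal: loaded serial 2013060503
Jun  7 16:11:59 puppettest01 named[7138]: running
Jun  7 16:11:59 puppettest01 setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory /etc/bind/data. For complete SELinux messages. run sealert -l b6365726-01db-49d4-80e3-87c870b21058
Jun  7 16:12:02 puppettest01 setroubleshoot: SELinux is preventing /usr/sbin/named from append access on the file /etc/bind/data/bind.log. For complete SELinux messages. run sealert -l ec0a01a7-f56b-4c66-8386-4f0ed8a531f5
RuntimeError: kinit for PUPPETTEST01$@NIEUWLAND.NL failed (Cannot contact any KDC for requested realm)
"""

# Constructed sample of a startup that passes every check (the samba_dlz line
# is the assumed wording described above).
HEALTHY_STARTUP = """\
07-Jun-2013 15:52:04.486 Registering DLZ driver 'dlopen'
Jun  7 16:11:59 puppettest01 named[7138]: loading configuration from '/etc/bind/named.conf'
Jun  7 16:11:59 puppettest01 named[7138]: samba_dlz: started for DN DC=nieuwland,DC=nl
Jun  7 16:11:59 puppettest01 named[7138]: running
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_STARTUP), ("healthy", HEALTHY_STARTUP)):
        report = analyse(text, "nieuwland.nl")
        print(f"[{label}] milestones: {report.milestones}")
        for finding in report.findings:
            print(f"  - {finding}")
```

Run it against `grep -h named /var/log/messages` concatenated with the `named -g -d3` output, as in the thread; the driver-registered line only shows up in the debug run, which is why the script accepts both line formats.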

