[Samba] samba4+bind on centos
NOC
noc at nieuwland.nl
Tue Jun 11 03:54:33 MDT 2013
Hi All
I've started again from scratch, following the wikipage at
https://wiki.samba.org/index.php/Dns-backend_bind#Bind_9.8_.2F_9.9
I'm using bind 9.8.5-P1 and samba4 master (from yesterday I guess)
compiling from scratch:
bind: ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
And the given named.conf in /etc/bind/ (as this is where I want the
config to reside)
I've included the local zones as provided and modified named.conf in a
few places:
diff orig-named.conf /etc/bind/named.conf
6c6
< directory "/var/named";
---
> directory "/etc/bind";
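Review bot: pointing `directory` at "/etc/bind" makes the configuration directory named's working directory as well, so journal and managed-keys files get written there and the account named runs as needs write access to it; a separate working directory (as in the original "/var/named") keeps the config files read-only for that account.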
8c8
< forwarders { 8.8.8.8; 8.8.4.4; };
---
> forwarders { 172.16.1.12; 172.16.1.18; };
16,17c16,18
< 10.1.1.0/24;
< ...other networks you want to allow to query your DNS...;
---
> 192.168.6.0/24;
> 127.0.0.0/8;
> #...other networks you want to allow to query your DNS...;
21,22c22,24
< 10.1.1.0/24;
< ...other networks you want to allow to do recursive
queries...;
---
> 192.168.6.0/24;
> 127.0.0.0/8;
> #...other networks you want to allow to do recursive
queries...;
24a27,28
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
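Review bot: the keytab referenced by `tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"` lives under Samba's private directory, which is normally readable by root only; the account named runs as must be able to read it (and the included /usr/local/samba/private/named.conf plus the DLZ module it loads), otherwise GSS-TSIG updates are refused and the reason only shows up in named's log.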
26a31
> include "/usr/local/samba/private/named.conf";
This is just so bind actually works and the files created by provision
are included.
Provision was done using:
samba-tool domain provision
Realm: example
Domain [example]: example.com
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
[SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration
include file for BIND
and /usr/local/samba/private/named.txt for further documentation
required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: sambabind02
NetBIOS Domain: EXAMPLE.COM
DNS Domain: example
DOMAIN SID: S-1-5-21-294307859-3325552197-969134079
stopped/started bind using the new config file
Then I started /usr/local/samba/sbin/samba -D
Then command:
# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
IPs: ['192.168.6.86']
Traceback (most recent call last):
File "/usr/local/samba/sbin/samba_dnsupdate", line 511, in <module>
get_credentials(lp)
File "/usr/local/samba/sbin/samba_dnsupdate", line 124, in
get_credentials
raise e
RuntimeError: kinit for SAMBABIND02$@EXAMPLE failed (Cannot contact any
KDC for requested realm)
It appears that samba_dnsupdate tries to get a ticket from the KDC that
it tries to find using DNS, but the record isn't yet inserted in the
bind dns database. Is it a chicken/egg problem?
Now either the wiki hasn't been fully tested or it's missing an obvious step.
Any clues?
/Simon
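Added here as an example (not part of Simon's post, nor Samba's own code): a small Python 3 check that parses the provision summary and the kinit error quoted above, reports the SRV names a Kerberos client with dns_lookup_kdc will query for the realm in the failing principal, and flags answers that look swapped between the Realm and Domain prompts. The expected forms (realm a fully qualified DNS name, NetBIOS domain a dot-free name of at most 15 characters) are assumptions taken from Samba's provisioning conventions, not from the post.

```python
import re

# Constructed sample input: the provision summary and the kinit error
# quoted in the post above. Paste your own output here in practice.
PROVISION_SUMMARY = """\
Realm: example
Domain [example]: example.com
Hostname: sambabind02
NetBIOS Domain: EXAMPLE.COM
DNS Domain: example
"""
KINIT_ERROR = ("RuntimeError: kinit for SAMBABIND02$@EXAMPLE failed "
               "(Cannot contact any KDC for requested realm)")


def parse_summary(text):
    """Return 'Key: value' pairs of a samba-tool provision summary as a dict.
    A bracketed default such as 'Domain [example]:' is dropped from the key."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?)(?: \[[^\]]*\])?:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def realm_from_kinit_error(text):
    """Extract the realm from 'kinit for <principal>@<REALM> failed'."""
    m = re.search(r"kinit for \S+@([A-Z0-9.-]+) failed", text)
    return m.group(1) if m else None


def kdc_srv_names(realm):
    """SRV names an MIT/Heimdal client queries to locate a KDC for a realm
    when dns_lookup_kdc is enabled (realm lower-cased as a DNS name)."""
    r = realm.lower()
    return [f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}"]


def provision_warnings(fields):
    """Flag Realm/Domain answers whose shape does not match the prompt.
    Assumption: realm is a FQDN, NetBIOS domain is a short dot-free name."""
    warnings = []
    dns_domain = fields.get("DNS Domain", "")
    netbios = fields.get("NetBIOS Domain", "")
    if "." not in dns_domain:
        warnings.append(f"DNS domain '{dns_domain}' has no dot; the Realm "
                        "answer is expected to be a fully qualified DNS name")
    if "." in netbios or len(netbios) > 15:
        warnings.append(f"NetBIOS domain '{netbios}' has a dot or exceeds 15 "
                        "characters; the Domain answer is expected to be the short name")
    return warnings
```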