[Samba] samba_dlz: Failed to find our own NTDS

Oleg Ruso soy_siberiano at yahoo.com
Tue Nov 26 00:22:16 MST 2013



Hi All!
Got a FreeBSD 9.2-RELEASE system with Samba 4.0.8 DC + AD, and BIND 9.9.4 as the DNS service.
I am trying to set up dynamic zone updates... for DDHCP+DDNS updates.

The BIND startup errors:

BIND 9.9.4 (Extended Support Version) <id:8f9657aa> built with '--disable-chroot' '--with-gssapi=/usr/local/gssapi' '--with-dlopen=yes' '--with-dlz-bdb'
using OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
using libxml2 version: 2.8.0
............................
Nov 25 02:59:54 Dn named[3008]: Loading 'AD DNS Zone' using driver dlopen
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'gssapi_spnego' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'gssapi_krb5' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'sasl-DIGEST-MD5' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'schannel' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'spnego' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'ntlmssp' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'krb5' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
Nov 25 02:59:54 Dn named[3008]: samba_dlz: Searching for dsServiceName in rootDSE failed: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:501

Nov 25 02:59:54 Dn named[3008]: samba_dlz: Failed to find our own NTDS Settings DN in the ldb!
Nov 25 02:59:54 Dn named[3008]: samba_dlz: ldb: schema_load_init: no schema head present: (skip schema loading)
..............................

But

# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smbdomain,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smbdomain,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smbdomain,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smbdomain,DC=local
SchemaMasterRole owner: CN=NTDS Settings,CN=DN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smbdomain,DC=local

The Samba installation options (from the port):

===> The following configuration options are available for samba4-4.0.8:
     ACL_SUPPORT=on: File system ACL support
     ADS=on: Active Directory support
     AIO_SUPPORT=on: Asyncronous IO support
     AVAHI=on: Zeroconf support via Avahi
     CUPS=on: CUPS printing system support
     DEBUG=on: With debug information in the binaries
     DEVELOPER=off: With development support
     DNSUPDATE=on: Dynamic DNS update(require ADS)
     EXP_MODULES=off: Experimental modules
     FAM_SUPPORT=on: File Alteration Monitor support
     LDAP=on: LDAP support
     MANPAGES=on: Build and/or install manual pages
     PAM_SMBPASS=on: PAM authentication via passdb backends
     PTHREADPOOL=on: Pthread pool
     QUOTAS=on: Disk quota support
     SWAT=off: SWAT WebGUI
     SYSLOG=on: Syslog support
     UTMP=on: UTMP accounting support
     WINBIND=on: WinBIND support
====> Options available for the single DNS: you have to select exactly one of them
     NSUPDATE=off: Use internal DNS with NSUPDATE utility
     BIND98=off: Use bind98 as a DNS server frontend
     BIND99=on: Use bind99 as a DNS server frontend
===============================================================

My named.conf


acl "mynet" { 192.168.0.0/28; 127.0.0.1; };
options {

#include  "/var/db/samba4/private/named.conf";
# Both files are merged here, to make it easier for me

       auth-nxdomain yes;
       directory "/etc/namedb";
       forwarders { 192.168.0.1; };
       allow-transfer { none; };
       notify no;
       empty-zones-enable no;

       allow-query { "mynet"; };
       allow-recursion { "mynet"; };
       version "unknown";
        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
         };


zone "." {
       type hint;
       file "named.root";
        };

zone "localhost" {
       type master;
       file "master/localhost.zone";
        };
zone "0.0.127.in-addr.arpa" {
       type master;
       file "master/0.0.127.zone";
        };

zone "smbdomain.local" IN
        {
        type master;
        file "master/smbdomain.local.zone";
        include "named.conf.update";
        check-names ignore;
        };


dlz "AD DNS Zone"   {
database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so -d 3";
                  };
===============================================================================

If I start BIND without DLZ and try to update the zones manually, I get an error:

# samba_dnsupdate --verbose --all-names

dns_tkey_negotiategss: TKEY is unacceptable


I think my problem is in the installation options, or in the daemon's wrapper for some services, or in some keys...

Please let me know what's wrong and what I must do.



