[Samba] CentOS 6, BIND_DLZ and kinit errors (Cannot contact any KDC for requested realm)

Rowland Penny rowlandpenny at googlemail.com
Sat May 3 09:28:19 MDT 2014


On 03/05/14 15:48, Thomas Harold wrote:
> It seems like the BIND 9.8 that ships with CentOS 6.x (and probably RHEL
> 6.x) is not built with the --with-dlopen option.
>
> Platform: CentOS 6.5
> BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
>
> Error seen:
>
> RuntimeError: kinit for HOSTNAME$EXAMPLE.COM failed (Cannot contact any
> KDC for requested realm)
>
> Background:
>
> Trying to set up Samba 4 using an existing install of BIND 9.8 as the DNS
> backend.  However, even though the configuration files are correct, I'm
> still stuck at the "kinit" errors.
>
> Looking at the output from starting 'named' in debug mode:
>
> named -g -c /etc/bind/named.conf -u named -d3
> 03-May-2014 10:33:42.456 starting BIND
> 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 -g -c /etc/bind/named.conf -u
> named -d3
> 03-May-2014 10:33:42.456 built with '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
> '--disable-static' '--disable-openssl-version-check'
> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu'
> 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
>
> There is no mention of --with-dlopen=yes in there.  That is even though
> the bind-9.8.2/README file states that as of 9.8.1, dlopen is built by
> default.
>
> ...
>
> Am I on the right track here that the base install of BIND on CentOS 6.x
> does not include --with-dlopen=yes, even as of the 9.8.2 build?
Hi, you should get something like this in syslog when named starts:

May  3 16:23:17 dc1 named[15789]: Loading 'AD DNS Zone' using driver dlopen
May  3 16:23:18 dc1 named[15789]: samba_dlz: started for DN DC=example,DC=com
May  3 16:23:18 dc1 named[15789]: samba_dlz: starting configure
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone 'example.com'
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone '_msdcs.example.com'

If you haven't got the above, then yes, bind is probably not built with 
dlopen.

Rowland
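
The check described in the reply above, as an added shell example that is not part of the original thread: it classifies the configure arguments from named's "built with" line and scans syslog text for the dlopen driver and samba_dlz zone lines. The function names are hypothetical, and the sample input is a shortened build line plus the syslog lines quoted in the thread; the last log line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Classify the configure arguments named prints on its "built with" line.
# Prints: enabled | disabled | unspecified
dlopen_flag_state() {
    case "$1" in
        *--with-dlopen=no*|*--without-dlopen*) echo disabled ;;
        *--with-dlopen*)                       echo enabled ;;
        *)                                     echo unspecified ;;
    esac
}

# Read named's syslog lines on stdin and look for the DLZ driver being loaded.
# Prints: "loaded zones=N" or "not-loaded"
dlz_log_state() {
    awk '
        /named\[[0-9]+\]: Loading .* using driver dlopen/ { loaded = 1 }
        /samba_dlz: configured writeable zone/            { zones++ }
        END {
            if (loaded) printf "loaded zones=%d\n", zones
            else        print  "not-loaded"
        }'
}

# Combine both: $1 = build arguments, stdin = syslog text.
diagnose() {
    flag=$(dlopen_flag_state "$1")
    log=$(dlz_log_state)
    case "$log" in
        loaded*) echo "ok: $log (build flag: $flag)" ;;
        *)       echo "suspect: no dlopen driver line logged (build flag: $flag)" ;;
    esac
}

# Sample input: a shortened build line and the syslog lines from the thread.
SAMPLE_BUILD="'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'"
SAMPLE_LOG="May  3 16:23:17 dc1 named[15789]: Loading 'AD DNS Zone' using driver dlopen
May  3 16:23:18 dc1 named[15789]: samba_dlz: started for DN DC=example,DC=com
May  3 16:23:18 dc1 named[15789]: samba_dlz: starting configure
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone 'example.com'
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone '_msdcs.example.com'"

printf '%s\n' "$SAMPLE_LOG" | diagnose "$SAMPLE_BUILD"
# Constructed log line with no DLZ activity, for the failing case.
printf 'May  3 10:33:42 dc1 named[1]: starting BIND\n' | diagnose "$SAMPLE_BUILD"
```

An "unspecified" flag is inconclusive on its own, which is why the log check decides the outcome.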


