[Samba] Samba internal dns problem / No domain service

Rowland Penny rowlandpenny at googlemail.com
Fri Nov 7 05:18:49 MST 2014 

On 07/11/14 10:49, sr wrote:
>
> Le 07/11/2014 11:40, Rowland Penny a écrit :
>> On 07/11/14 10:17, sr wrote:
>>>
>>> Le 07/11/2014 10:11, Rowland Penny a écrit :
>>>> On 07/11/14 08:27, sr wrote:
>>>>> All seems ok because I have only "1341/samba" listenning process. 
>>>>> But I don't have the 953 port line...
>>>>> If I read the /etc/service file I have for the port 953 tcp and 
>>>>> udp "rndc control sockets (BIND9)"
>>>>> Should I remove this lines since I don't have named installed?
>>>>> ( and manualy add this line? Or restart samba install... )
>>>>> thanks.
>>>>>
>>>>>
>>>>> Le 06/11/2014 17:38, Rowland Penny a écrit :
>>>>>> On 06/11/14 16:27, sr wrote:
>>>>>>> Does this problem could come from a port occupied by another 
>>>>>>> program in the / etc / services file? And which one?
>>>>>>
>>>>>> If something else is listening on port 53, then yes, as you are 
>>>>>> using the internal DNS server, you shouldn't have any other DNS 
>>>>>> program running on the same server, i.e. dnsmasq, bind etc
>>>>>>
>>>>>> Try running 'netstat -tulpn | grep 53 | grep LISTEN' on the 
>>>>>> samba4 AD DC
>>>>>>
>>>>>> I use Bind9 and get:
>>>>>>
>>>>>> tcp        0      0 192.168.0.2:53          0.0.0.0:* LISTEN 
>>>>>> 2346/named
>>>>>> tcp        0      0 127.0.0.1:53            0.0.0.0:* LISTEN 
>>>>>> 2346/named
>>>>>> tcp        0      0 127.0.0.1:953           0.0.0.0:* LISTEN 
>>>>>> 2346/named
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>>
>>>>>>> Samuel
>>>>>>>
>>>>>>> Le 06/11/2014 13:41, sr a écrit :
>>>>>>>>
>>>>>>>> Le 06/11/2014 12:25, Rowland Penny a écrit :
>>>>>>>>> On 06/11/14 10:59, sr wrote:
>>>>>>>>>>
>>>>>>>>>> Le 06/11/2014 11:23, Rowland Penny a écrit :
>>>>>>>>>>> On 06/11/14 10:16, sr wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to move from a windows 2008R2 domain controler 
>>>>>>>>>>>> to samba4 ( centos 6.5 x64 + samba v 4.1.13 )
>>>>>>>>>>>> For now, both of server are working as AD controlers.
>>>>>>>>>>>
>>>>>>>>>>> How did you join the Samba4 DC to the windows domain ?
>>>>>>>>>> I followed the wiki guide "Join a domain as a DC" with no 
>>>>>>>>>> problem unless for the msdcs CNAME entry of the new dc, which 
>>>>>>>>>> return error ( I did it with the win2000 graphical interface, 
>>>>>>>>>> like others guys in the same situation )
>>>>>>>>>
>>>>>>>>> SO, 'host -t CNAME YOUR_objectGUID._msdcs.samba4.domain.com.' 
>>>>>>>>> does not return a CNAME, have you run:
>>>>>>>>>
>>>>>>>>> samba-tool dns add IP-of-your-DNS _msdcs.samba4.domain.com 
>>>>>>>>> YOUR_objectGUID CNAME DC2.samba4.domain.com -Uadministrator
>>>>>>>>>
>>>>>>>>> Also, I see that you mention 'the win2000 graphical interface' 
>>>>>>>>> , I wonder if this is the problem, the lowest function level 
>>>>>>>>> of Samba4 AD is 2003 ?
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>> No, the command 'host -t CNAME 
>>>>>>>> YOUR_objectGUID._msdcs.samba4.domain.com.' return 'host -t 
>>>>>>>> CNAME YOUR_objectGUID._msdcs.samba4.domain.com is an alias for 
>>>>>>>> samba4.domain.com'.
>>>>>>>> whops! I would says "win2008 graphical interface. ;)
>>>>>>>> I tryed a first install with domain and forest with a 2008 
>>>>>>>> functional level with the same problem... ( now it's a 2003 
>>>>>>>> domain and forest functional level )
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> Samuel
>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> But I can't manage DNS from a windows client with the 
>>>>>>>>>>>> graphical tool... ( it says "active directory not 
>>>>>>>>>>>> available, ..." )
>>>>>>>>>>>>
>>>>>>>>>>>> On samba server if I try the following command
>>>>>>>>>>>> "samba-tool dns zonelist samba4.domain.com"
>>>>>>>>>>>>
>>>>>>>>>>> Is 'samba4.domain.com' your dns domain on both DC's ? also I 
>>>>>>>>>>> take that you are adding '-UAdministrator' to the above 
>>>>>>>>>>> command.
>>>>>>>>>> Yes. Like the W2008 server
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>> the following message appears
>>>>>>>>>>>> "9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE"
>>>>>>>>>>>>
>>>>>>>>>>>> and if I shutdown the win2008 server the message is 
>>>>>>>>>>>> "NT_STATUS_IO_TIMEOUT"
>>>>>>>>>>>>
>>>>>>>>>>>> any help will be fully appreciate! :)
>>>>>>>>>>>> Thanks! :)
>>>>>>>>>>>>
>>>>>>>>>>>> Samuel
>>>>>>>>>>>
>>>>>>>>>> thanks
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>> You can ignore the lack of the '953' line, it is, as you say, the 
>>>> bind command port.
>>>> Do you by any chance have selinux running, I have spent time in the 
>>>> past, trying to find out just why a program wouldn't work and it 
>>>> turned out that Selinux was stopping something happening.
>>>>
>>>> I wonder if the directory structure is ok? try running this on the 
>>>> samba4 DC:
>>>>
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs -b 
>>>> "CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com"
>>>>
>>>> You may have to alter the path to sam.ldb.
>>>>
>>>> Rowland
>>>>
>>> Selinux is disabled and iptables is flushed...
>>> Here is the result of the command :
>>> ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs -b 
>>> "CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com"
>>> search failed - No such Base DN: 
>>> CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>> What does it mean?
>>> Thanks!
>>>
>> You did change 'DC=example,DC=com' for your rootdse, didn't you ?
>>
>> Rowland
>>
> Sorry, I did it! :)
> Here is the result:
>
> # editing 3 records
> # record 1
> dn: CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>
> # record 2
> dn: DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>
>
> # record 3
> dn: 
> DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>
>
> Thanks
> Samuel

OK, you seem to have a few records missing, I have these on my test domain:

dn: CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=b2bd6040-6e58-48bb-b3fa-7d980f14dc24,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=@,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_ldap._tcp.gc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=d768be2e-0072-4500-bb62-6fdabb14d995,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=gc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_ldap._tcp.pdc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_ldap._tcp.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_kerberos._tcp.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn: 
DC=_ldap._tcp.82fb0000-060f-44f3-a6fb-b2a40c00d764.domains,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com


Could you check the domain level of the windows AD DC.

Rowland

More information about the samba mailing list