[Samba] Samba internal dns problem / No domain service

Rowland Penny rowlandpenny at googlemail.com
Fri Nov 7 06:22:34 MST 2014


On 07/11/14 12:54, sr wrote:
>
> On 07/11/2014 13:18, Rowland Penny wrote:
>> On 07/11/14 10:49, sr wrote:
>>>
>>> On 07/11/2014 11:40, Rowland Penny wrote:
>>>> On 07/11/14 10:17, sr wrote:
>>>>>
>>>>> On 07/11/2014 10:11, Rowland Penny wrote:
>>>>>> On 07/11/14 08:27, sr wrote:
>>>>>>> All seems ok because I have only the "1341/samba" listening 
>>>>>>> process. But I don't have the 953 port line...
>>>>>>> If I read the /etc/services file I have, for port 953 tcp and 
>>>>>>> udp, "rndc control sockets (BIND9)"
>>>>>>> Should I remove these lines since I don't have named installed?
>>>>>>> ( and manually add this line? Or restart the samba install... )
>>>>>>> thanks.
>>>>>>>
>>>>>>>
>>>>>>> On 06/11/2014 17:38, Rowland Penny wrote:
>>>>>>>> On 06/11/14 16:27, sr wrote:
>>>>>>>>> Could this problem come from a port occupied by another 
>>>>>>>>> program in the /etc/services file? And which one?
>>>>>>>>
>>>>>>>> If something else is listening on port 53, then yes, as you are 
>>>>>>>> using the internal DNS server, you shouldn't have any other DNS 
>>>>>>>> program running on the same server, i.e. dnsmasq, bind etc
>>>>>>>>
>>>>>>>> Try running 'netstat -tulpn | grep 53 | grep LISTEN' on the 
>>>>>>>> samba4 AD DC
>>>>>>>>
>>>>>>>> I use Bind9 and get:
>>>>>>>>
>>>>>>>> tcp        0      0 192.168.0.2:53 0.0.0.0:* LISTEN 2346/named
>>>>>>>> tcp        0      0 127.0.0.1:53 0.0.0.0:* LISTEN 2346/named
>>>>>>>> tcp        0      0 127.0.0.1:953 0.0.0.0:* LISTEN 2346/named
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Samuel
>>>>>>>>>
>>>>>>>>> On 06/11/2014 13:41, sr wrote:
>>>>>>>>>>
>>>>>>>>>>> On 06/11/2014 12:25, Rowland Penny wrote:
>>>>>>>>>>> On 06/11/14 10:59, sr wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On 06/11/2014 11:23, Rowland Penny wrote:
>>>>>>>>>>>>> On 06/11/14 10:16, sr wrote:
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm trying to move from a windows 2008R2 domain controller 
>>>>>>>>>>>>>> to samba4 ( centos 6.5 x64 + samba v 4.1.13 )
>>>>>>>>>>>>>> For now, both servers are working as AD controllers.
>>>>>>>>>>>>>
>>>>>>>>>>>>> How did you join the Samba4 DC to the windows domain ?
>>>>>>>>>>>> I followed the wiki guide "Join a domain as a DC" with no 
>>>>>>>>>>>> problem except for the msdcs CNAME entry of the new dc, 
>>>>>>>>>>>> which returns an error ( I did it with the win2000 graphical 
>>>>>>>>>>>> interface, like other guys in the same situation )
>>>>>>>>>>>
>>>>>>>>>>> SO, 'host -t CNAME 
>>>>>>>>>>> YOUR_objectGUID._msdcs.samba4.domain.com.' does not return a 
>>>>>>>>>>> CNAME, have you run:
>>>>>>>>>>>
>>>>>>>>>>> samba-tool dns add IP-of-your-DNS _msdcs.samba4.domain.com 
>>>>>>>>>>> YOUR_objectGUID CNAME DC2.samba4.domain.com -Uadministrator
>>>>>>>>>>>
>>>>>>>>>>> Also, I see that you mention 'the win2000 graphical 
>>>>>>>>>>> interface' , I wonder if this is the problem, the lowest 
>>>>>>>>>>> function level of Samba4 AD is 2003 ?
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>> No, the command 'host -t CNAME 
>>>>>>>>>> YOUR_objectGUID._msdcs.samba4.domain.com.' returns 'host -t 
>>>>>>>>>> CNAME YOUR_objectGUID._msdcs.samba4.domain.com is an alias 
>>>>>>>>>> for samba4.domain.com'.
>>>>>>>>>> Whoops! I would say "win2008 graphical interface". ;)
>>>>>>>>>> I tried a first install with domain and forest at a 2008 
>>>>>>>>>> functional level with the same problem... ( now it's a 2003 
>>>>>>>>>> domain and forest functional level )
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> Samuel
>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But I can't manage DNS from a windows client with the 
>>>>>>>>>>>>>> graphical tool... ( it says "active directory not 
>>>>>>>>>>>>>> available, ..." )
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On samba server if I try the following command
>>>>>>>>>>>>>> "samba-tool dns zonelist samba4.domain.com"
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Is 'samba4.domain.com' your dns domain on both DC's ? Also 
>>>>>>>>>>>>> I take it that you are adding '-UAdministrator' to the above 
>>>>>>>>>>>>> command.
>>>>>>>>>>>> Yes. Like the W2008 server
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>> the following message appears
>>>>>>>>>>>>>> "9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> and if I shutdown the win2008 server the message is 
>>>>>>>>>>>>>> "NT_STATUS_IO_TIMEOUT"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any help will be fully appreciated! :)
>>>>>>>>>>>>>> Thanks! :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Samuel
>>>>>>>>>>>>>
>>>>>>>>>>>> thanks
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>> You can ignore the lack of the '953' line, it is, as you say, the 
>>>>>> bind command port.
>>>>>> Do you by any chance have selinux running? I have spent time in 
>>>>>> the past trying to find out just why a program wouldn't work, and 
>>>>>> it turned out that Selinux was stopping something happening.
>>>>>>
>>>>>> I wonder if the directory structure is ok? try running this on 
>>>>>> the samba4 DC:
>>>>>>
>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs -b 
>>>>>> "CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com"
>>>>>>
>>>>>> You may have to alter the path to sam.ldb.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Selinux is disabled and iptables is flushed...
>>>>> Here is the result of the command:
>>>>> ldbedit -e nano -H /usr/local/samba/private/sam.ldb --cross-ncs -b 
>>>>> "CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com"
>>>>> search failed - No such Base DN: 
>>>>> CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>>>> What does it mean?
>>>>> Thanks!
>>>>>
>>>> You did change 'DC=example,DC=com' for your rootdse, didn't you ?
>>>>
>>>> Rowland
>>>>
>>> Sorry, I did it! :)
>>> Here is the result:
>>>
>>> # editing 3 records
>>> # record 1
>>> dn: CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>>
>>> # record 2
>>> dn: 
>>> DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>>
>>>
>>> # record 3
>>> dn: 
>>> DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>>
>>>
>>> Thanks
>>> Samuel
>>
>> OK, you seem to have a few records missing, I have these on my test 
>> domain:
>>
>> dn: CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=b2bd6040-6e58-48bb-b3fa-7d980f14dc24,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_kerberos._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=@,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_ldap._tcp.gc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=d768be2e-0072-4500-bb62-6fdabb14d995,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=gc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_ldap._tcp.pdc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_ldap._tcp.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_kerberos._tcp.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>> dn: 
>> DC=_ldap._tcp.82fb0000-060f-44f3-a6fb-b2a40c00d764.domains,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
>>
>>
>> Could you check the domain level of the windows AD DC.
>>
>> Rowland
>>
> The domain functional level and the forest functional level are 
> Windows server 2003.
> Thanks.
>
> Samuel
>
What does 'samba-tool drs showrepl <YOURSAMBADC> -UAdministrator' show ?

Rowland
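The comparison Rowland does by eye above, as an added example that is not part of the thread: it parses `dn:` lines from ldbedit/ldbsearch output (including the wrapped form seen in the mails) and reports whether the `_msdcs.<domain>` zone and its expected records exist under `CN=MicrosoftDNS,DC=ForestDnsZones`. The expected-name set is taken from Rowland's working listing; `example.com` and the sample records are assumptions.

```python
import re

# Names Rowland's working test domain lists under DC=_msdcs.<domain> (constructed
# from that listing; the per-DC GUID CNAME entries are matched by pattern instead).
REQUIRED_MSDCS = {
    "@", "gc", "_ldap._tcp.dc", "_ldap._tcp.pdc", "_ldap._tcp.gc",
    "_kerberos._tcp.dc", "_ldap._tcp.Default-First-Site-Name._sites.dc",
    "_ldap._tcp.Default-First-Site-Name._sites.gc",
    "_kerberos._tcp.Default-First-Site-Name._sites.dc",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_dns(text):
    """Collect 'dn:' values, joining a DN whose value wrapped to the next line."""
    dns, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):       # record separator / comment
            if cur is not None:
                dns.append(cur)
            cur = None
        elif line.startswith("dn:"):
            cur = line[3:].strip()
        elif cur is not None and ":" not in line:  # wrapped DN continuation
            cur += line
    if cur is not None:
        dns.append(cur)
    return dns

def check_msdcs(text, domain):
    """Return (zone_present, sorted missing names, number of GUID CNAMEs)."""
    base = ",".join("DC=" + p for p in domain.split("."))
    zone = f"DC=_msdcs.{domain},CN=MicrosoftDNS,DC=ForestDnsZones,{base}"
    names, zone_found = set(), False
    for dn in parse_dns(text):
        if dn == zone:
            zone_found = True
        elif dn.startswith("DC=") and dn.endswith("," + zone):
            names.add(dn[3:-len(zone) - 1])    # name relative to the zone
    missing = sorted(REQUIRED_MSDCS - names)
    return zone_found, missing, sum(1 for n in names if GUID_RE.match(n))

# Constructed sample mirroring the three records the broken DC returned.
BROKEN = """dn: CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn:
DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com

dn:
DC=@,DC=..TrustAnchors,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com
"""
```

Feed it the real output with `ldbsearch -H /path/to/sam.ldb --cross-ncs -b "CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com" dn`; an empty `missing` list with the zone present is what a correctly provisioned DC should give.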
