[Samba] Starting second DC makes named to freeze on primary DC

Rowland Penny rowlandpenny at googlemail.com
Mon Sep 8 10:31:52 MDT 2014


On 08/09/14 17:01, Bruno Andrade wrote:
>
>
> On 09/08/2014 04:57 PM, Rowland Penny wrote:
>> On 08/09/14 16:33, Bruno Andrade wrote:
>>> hey,
>>>
>>> first, I use bind 9.8.1 as my DNS backend
>>>
>>> Well, I have a domain controller, dc1.example.com, running correctly 
>>> and with the following configurations...
>>>
>>> == smb.conf ==
>>>
>>> [global]
>>>         workgroup = EXAMPLE
>>>         realm = EXAMPLE.COM
>>>         netbios name = DC1
>>>         server role = active directory domain controller
>>>         idmap_ldb:use rfc2307 = yes
>>>
>>>         server services = -dns
>>>
>>>         dsdb:schema update allowed = true
>>>
>>>         dos charset = ISO8859-1
>>>         unix charset = cp850
>>>
>>>         interfaces = vlan2
>>>         bind interfaces only = Yes
>>>
>>>         allow dns updates = nonsecure
>>>         #nsupdate command = nsupdate
>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>
>>> == named.conf ==
>>>
>>> options {
>>>         listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>         listen-on-v6 port 53 { ::1; };
>>>         directory       "/var/named";
>>>         dump-file       "/var/named/data/cache_dump.db";
>>>         statistics-file "/var/named/data/named_stats.txt";
>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>         allow-query     { any; };
>>>         recursion yes;
>>>
>>>         # just example
>>>         forwarders { 8.8.8.8; };
>>>
>>>         dnssec-enable no;
>>>         dnssec-validation no;
>>>         dnssec-lookaside auto;
>>>
>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>         managed-keys-directory "/var/named/dynamic";
>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>> };
>>>
>>> zone "." IN {
>>>         type hint;
>>>         file "named.ca";
>>> };
>>>
>>> include "/etc/named.rfc1912.zones";
>>> include "/etc/named.root.key";
>>> include "/var/lib/samba/private/named.conf";
>>>
>>> And I have a second DC with the following configurations:
>>>
>>> == smb.conf ==
>>>
>>> [global]
>>>         workgroup = EXAMPLE
>>>         realm = EXAMPLE.COM
>>>         netbios name = DC2
>>>         server role = active directory domain controller
>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>>
>>>         interfaces = eth1
>>>         bind interfaces only = Yes
>>>
>>>         dsdb:schema update allowed = true
>>>
>>>         dos charset = ISO8859-1
>>>         unix charset = cp850
>>>
>>>         allow dns updates = nonsecure
>>>         #nsupdate command = nsupdate
>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>
>>> == named.conf ==
>>>
>>> options {
>>>         listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>         listen-on-v6 port 53 { ::1; };
>>>         directory       "/var/named";
>>>         dump-file       "/var/named/data/cache_dump.db";
>>>         statistics-file "/var/named/data/named_stats.txt";
>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>         allow-query     { any; };
>>>         recursion yes;
>>>
>>>         forwarders { 10.1.11.2; };
>>>
>>>         dnssec-enable no;
>>>         dnssec-validation no;
>>>         dnssec-lookaside auto;
>>>
>>>         /* Path to ISC DLV key */
>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>> };
>>>
>>> zone "." IN {
>>>         type hint;
>>>         file "named.ca";
>>> };
>>>
>>> include "/etc/named.rfc1912.zones";
>>> include "/etc/named.root.key";
>>> include "/var/lib/samba/private/named.conf";
>>>
>>> DC1 works fine until I start samba on DC2... then named on DC1 
>>> freezes and some logs related to DNS failed updates appear on the logs.
>>>
>>> Both DCs have samba 4.1.6 installed and bind 9.8.2.
>>>
>>> Is there anyone with some problems related to this?
>>>
>>> best regards,
>>> Bruno.
>>>
>>>
>>>
>> Hi, can you let us know what OS you are using? I did spot one 
>> potential problem, though this shouldn't cause the problems you are 
>> having:
>>
>
>     I have CentOS 6.5 on both DCs.
>
>> On dc1:
>>
>> listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>
>> forwarders { 8.8.8.8; };
>>
>> on dc2:
>>
>> listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>
>> forwarders { 10.1.11.2; };
>
> I made a mistake... DC2 also forwards to 8.8.8.8.
>
>> I think that this means your DCs have the addresses '10.1.11.2' 
>> and '10.1.1.150' and that you are forwarding anything that dc2 knows 
>> nothing about to dc1. dc2 should know what dc1 knows, so you need to 
>> change this; they should both forward to outside the samba AD domain.
>>
>> How did you join the second DC to the first and did you get any 
>> errors when you did so, did you follow this page on the wiki:
>>
>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
>>
>
> Yes, I followed the process on that page, without errors.
>
>> Rowland
>>
>
I think I have spotted your problem:

In dc1 smb.conf

server services = -dns

I think that you have turned everything off; try changing it to the line 
from the other DC:

server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate

Oh, and whilst you are changing the smb.conf files, add:

idmap_ldb:use rfc2307 = yes

to the second DC; why the join doesn't add this line I do not know.

Rowland
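As an added illustration (not from the thread or from the Samba project), a small Python checker that parses the [global] section of an smb.conf and the forwarders of a named.conf and flags the settings discussed above: a forwarder that points at another DC, Samba's internal dns service left enabled while named loads the BIND DLZ include, a missing idmap_ldb:use rfc2307, and allow dns updates = nonsecure, which accepts unauthenticated updates even though the tkey-gssapi-keytab line makes GSS-TSIG updates possible. The sample fragments are constructed from the DC2 values quoted in the thread; the DC address set is an assumption taken from the two listen-on lines.

```python
import re
# Constructed sample built from the DC2 settings quoted in the thread.
DC2_SMB = """[global]
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        allow dns updates = nonsecure
"""
DC2_NAMED = """options {
        forwarders { 10.1.11.2; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/var/lib/samba/private/named.conf";
"""
DC_ADDRS = {"10.1.11.2", "10.1.1.150"}  # assumed: listen addresses of DC1 and DC2

def smb_global(text):
    """Parse the [global] section of an smb.conf fragment into a lower-cased dict."""
    opts, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip().lower()] = val.strip()
    return opts

def named_forwarders(text):
    """Return the addresses listed in 'forwarders { ...; }', or [] if absent."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", text)
    return [a.strip() for a in m.group(1).split(";") if a.strip()] if m else []

def check_dc(smb_text, named_text, dc_addrs=DC_ADDRS):
    """Return a list of findings for one DC's smb.conf/named.conf pair."""
    g, findings = smb_global(smb_text), []
    # Forwarders must point outside the AD domain, never at another DC.
    for fwd in named_forwarders(named_text):
        if fwd in dc_addrs:
            findings.append(f"forwarder {fwd} is a DC; forward to an external resolver")
    # With Samba's DLZ include loaded by named, the internal dns service must stay off.
    services = [s.strip() for s in g.get("server services", "").split(",")]
    if "/var/lib/samba/private/named.conf" in named_text and "dns" in services:
        findings.append("internal dns enabled alongside BIND DLZ: port 53 conflict")
    # rfc2307 id mapping should be set the same way on every DC.
    if g.get("idmap_ldb:use rfc2307", "no").lower() != "yes":
        findings.append("idmap_ldb:use rfc2307 = yes is missing")
    # nonsecure accepts unauthenticated updates although GSS-TSIG is configured.
    if g.get("allow dns updates", "").lower() == "nonsecure":
        findings.append("allow dns updates = nonsecure; prefer 'secure only'")
    return findings
```

Running `check_dc(DC2_SMB, DC2_NAMED)` on the sample returns three findings; the same call on a fragment with `server services = -dns`, the rfc2307 line, `secure only` updates and an external forwarder returns none.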
