[Samba] Starting second DC makes named to freeze on primary DC

Bruno Andrade bma at eurotux.com
Mon Sep 8 11:09:01 MDT 2014


On 09/08/2014 05:31 PM, Rowland Penny wrote:
> On 08/09/14 17:01, Bruno Andrade wrote:
>>
>>
>> On 09/08/2014 04:57 PM, Rowland Penny wrote:
>>> On 08/09/14 16:33, Bruno Andrade wrote:
>>>> Hey,
>>>>
>>>> first, I use bind 9.8.1 as my DNS backend
>>>>
>>>> Well, I have a domain controller, dc1.example.com, running 
>>>> correctly and with the following configurations...
>>>>
>>>> == smb.conf ==
>>>>
>>>> [global]
>>>>         workgroup = EXAMPLE
>>>>         realm = EXAMPLE.COM
>>>>         netbios name = DC1
>>>>         server role = active directory domain controller
>>>>         idmap_ldb:use rfc2307 = yes
>>>>
>>>>         server services = -dns
>>>>
>>>>         dsdb:schema update allowed = true
>>>>
>>>>         dos charset = ISO8859-1
>>>>         unix charset = cp850
>>>>
>>>>         interfaces = vlan2
>>>>         bind interfaces only = Yes
>>>>
>>>>         allow dns updates = nonsecure
>>>>         #nsupdate command = nsupdate
>>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>
>>>> == named.conf ==
>>>>
>>>> options {
>>>>         listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>         listen-on-v6 port 53 { ::1; };
>>>>         directory       "/var/named";
>>>>         dump-file       "/var/named/data/cache_dump.db";
>>>>         statistics-file "/var/named/data/named_stats.txt";
>>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>         allow-query     { any; };
>>>>         recursion yes;
>>>>
>>>>         # just example
>>>>         forwarders { 8.8.8.8; };
>>>>
>>>>         dnssec-enable no;
>>>>         dnssec-validation no;
>>>>         dnssec-lookaside auto;
>>>>
>>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>>         managed-keys-directory "/var/named/dynamic";
>>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>> };
>>>>
>>>> zone "." IN {
>>>>         type hint;
>>>>         file "named.ca";
>>>> };
>>>>
>>>> include "/etc/named.rfc1912.zones";
>>>> include "/etc/named.root.key";
>>>> include "/var/lib/samba/private/named.conf";
>>>>
>>>> And I have a second DC with these configurations:
>>>>
>>>> == smb.conf ==
>>>>
>>>> [global]
>>>>         workgroup = EXAMPLE
>>>>         realm = EXAMPLE.COM
>>>>         netbios name = DC2
>>>>         server role = active directory domain controller
>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>>>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>
>>>>         interfaces = eth1
>>>>         bind interfaces only = Yes
>>>>
>>>>         dsdb:schema update allowed = true
>>>>
>>>>         dos charset = ISO8859-1
>>>>         unix charset = cp850
>>>>
>>>>         allow dns updates = nonsecure
>>>>         #nsupdate command = nsupdate
>>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>
>>>> == named.conf ==
>>>>
>>>> options {
>>>>         listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>         listen-on-v6 port 53 { ::1; };
>>>>         directory       "/var/named";
>>>>         dump-file       "/var/named/data/cache_dump.db";
>>>>         statistics-file "/var/named/data/named_stats.txt";
>>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>         allow-query     { any; };
>>>>         recursion yes;
>>>>
>>>>         forwarders { 10.1.11.2; };
>>>>
>>>>         dnssec-enable no;
>>>>         dnssec-validation no;
>>>>         dnssec-lookaside auto;
>>>>
>>>>         /* Path to ISC DLV key */
>>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>> };
>>>>
>>>> zone "." IN {
>>>>         type hint;
>>>>         file "named.ca";
>>>> };
>>>>
>>>> include "/etc/named.rfc1912.zones";
>>>> include "/etc/named.root.key";
>>>> include "/var/lib/samba/private/named.conf";
>>>>
>>>> DC1 works fine until I start samba on DC2... then named on DC1 
>>>> freezes and some log entries related to failed DNS updates appear in 
>>>> the logs.
>>>>
>>>> Both DCs have samba 4.1.6 installed and bind 9.8.2.
>>>>
>>>> Is there anyone with similar problems related to this?
>>>>
>>>> best regards,
>>>> Bruno.
>>>>
>>>>
>>>>
>>> Hi, can you let us know what OS you are using? I did spot one 
>>> potential problem, though this shouldn't give the problems you are 
>>> having:
>>>
>>
>>     I have CentOS 6.5 on both DCs.
>>
>>> On dc1:
>>>
>>> listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>
>>> forwarders { 8.8.8.8; };
>>>
>>> on dc2:
>>>
>>> listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>
>>> forwarders { 10.1.11.2; };
>>
>> I made a mistake... DC2 also forwards to 8.8.8.8.
>>
>>> I think that this means your DCs have the addresses '10.1.11.2' 
>>> & '10.1.1.150' and that you are forwarding anything that dc2 knows 
>>> nothing about to dc1. dc2 should know what dc1 knows, so you need to 
>>> change this; they should both forward to outside the samba AD domain.
>>>
>>> How did you join the second DC to the first, and did you get any 
>>> errors when you did so? Did you follow this page on the wiki:
>>>
>>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
>>>
>>
>> Yes, I followed the process on that page, without errors.
>>
>>> Rowland
>>>
>>
> I think I have spotted your problem:
>
> In dc1 smb.conf
>
> server services = -dns
>
> I think that you have turned everything off; try changing it to the 
> line from the other DC:
>
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
> winbind, ntp_signd, kcc, dnsupdate
>
> Oh, and whilst you are changing the smb.conf files, add:
>
> idmap_ldb:use rfc2307 = yes
>
> to the second DC; why the join doesn't add this line I do not know.
>
> Rowland
I tried those changes but the problem persists :(

Bruno.
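As an added example (not part of this thread, and not Samba's or BIND's own tooling), the following Python script parses the named.conf and smb.conf fragments quoted above and reports the two configuration points the discussion raises: a DC whose `forwarders` entry is the other DC's listen address, and a `server services` line written with relative `+`/`-` syntax rather than the explicit list used on the peer. It also checks that `dns` does not appear in `server services` (with BIND as the backend, Samba's internal DNS server must stay off or both daemons would contend for port 53) and that `tkey-gssapi-keytab` is set, which is what allows GSS-TSIG signed dynamic updates to be accepted. The function names are my own, and the config text is embedded inline, trimmed to the directives the checks read.

```python
import re

# Constructed inputs: the named.conf / smb.conf fragments quoted in the thread,
# trimmed to the directives the checks look at.
DC1_NAMED = """
options {
        listen-on port 53 { 127.0.0.1; 10.1.11.2; };
        listen-on-v6 port 53 { ::1; };
        recursion yes;
        # just example
        forwarders { 8.8.8.8; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/var/lib/samba/private/named.conf";
"""
DC2_NAMED = """
options {
        listen-on port 53 { 127.0.0.1; 10.1.1.150; };
        listen-on-v6 port 53 { ::1; };
        recursion yes;
        forwarders { 10.1.11.2; };
        /* Path to ISC DLV key */
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/var/lib/samba/private/named.conf";
"""
DC1_SMB = "[global]\n        server services = -dns\n"
DC2_SMB = ("[global]\n        server services = s3fs, rpc, nbt, wrepl, ldap, "
           "cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate\n")


def strip_comments(text):
    """Drop /* */, # and // comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def address_list(named_text, keyword):
    """Addresses inside the first `keyword [port N] { a; b; };` block, or []."""
    pattern = (r"(?<![\w-])" + re.escape(keyword) + r"(?![\w-])"
               r"\s*(?:port\s+\d+\s*)?\{([^}]*)\}")
    m = re.search(pattern, strip_comments(named_text))
    if not m:
        return []
    return [a.strip() for a in m.group(1).split(";") if a.strip()]


def server_services(smb_text):
    """The comma-separated `server services` list from smb.conf, or None if unset."""
    for line in smb_text.splitlines():
        key, _, val = line.partition("=")
        if key.strip().lower() == "server services":
            return [s.strip() for s in val.split(",") if s.strip()]
    return None


def dc_addresses(named_texts):
    """Non-loopback listen-on addresses across all DCs: the set a forwarder must avoid."""
    addrs = set()
    for text in named_texts:
        for a in address_list(text, "listen-on"):
            if not a.startswith("127.") and a != "::1":
                addrs.add(a)
    return addrs


def check_dc(name, named_text, smb_text, peer_addrs):
    """Return a list of human-readable findings for one DC (empty means clean)."""
    issues = []
    for fwd in address_list(named_text, "forwarders"):
        if fwd in peer_addrs:
            issues.append(f"{name}: forwarder {fwd} is a DC listen address; "
                          "forward to a resolver outside the AD domain instead")
    if "tkey-gssapi-keytab" not in strip_comments(named_text):
        issues.append(f"{name}: no tkey-gssapi-keytab, so GSS-TSIG signed "
                      "dynamic updates cannot be accepted")
    svcs = server_services(smb_text)
    if svcs is not None:
        if "dns" in svcs:
            issues.append(f"{name}: 'dns' in server services; with BIND as backend "
                          "the internal DNS server must stay off (port 53 conflict)")
        if any(s[0] in "+-" for s in svcs):
            issues.append(f"{name}: server services uses relative +/- syntax "
                          f"({', '.join(svcs)}); compare with the peer's explicit list")
    return issues


def run_checks(dcs):
    """dcs: {name: (named_conf_text, smb_conf_text)} -> {name: [issue, ...]}."""
    peer_addrs = dc_addresses(text for text, _ in dcs.values())
    return {name: check_dc(name, named, smb, peer_addrs)
            for name, (named, smb) in dcs.items()}


if __name__ == "__main__":
    report = run_checks({"DC1": (DC1_NAMED, DC1_SMB), "DC2": (DC2_NAMED, DC2_SMB)})
    for name, issues in report.items():
        print(f"{name}: {len(issues)} issue(s)")
        for issue in issues:
            print("  -", issue)
```

Run against the fragments above, the script flags DC2's forwarder (10.1.11.2 is DC1's listen address) and DC1's relative `-dns` line, and reports nothing for the keytab or port-53 checks on either DC. To use it on real hosts, read the two files into the dictionary passed to `run_checks` instead of the inline strings.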

