[Samba] Starting second DC makes named to freeze on primary DC

Rowland Penny rowlandpenny at googlemail.com
Mon Sep 8 11:33:06 MDT 2014


On 08/09/14 18:09, Bruno Andrade wrote:
>
> On 09/08/2014 05:31 PM, Rowland Penny wrote:
>> On 08/09/14 17:01, Bruno Andrade wrote:
>>>
>>>
>>> On 09/08/2014 04:57 PM, Rowland Penny wrote:
>>>> On 08/09/14 16:33, Bruno Andrade wrote:
>>>>> hey,
>>>>>
>>>>> first, I use bind 9.8.1 as my DNS backend
>>>>>
>>>>> Well, I have a domain controller, dc1.example.com, running 
>>>>> correctly and with the following configurations...
>>>>>
>>>>> == smb.conf ==
>>>>>
>>>>> [global]
>>>>>         workgroup = EXAMPLE
>>>>>         realm = EXAMPLE.COM
>>>>>         netbios name = DC1
>>>>>         server role = active directory domain controller
>>>>>         idmap_ldb:use rfc2307 = yes
>>>>>
>>>>>         server services = -dns
>>>>>
>>>>>         dsdb:schema update allowed = true
>>>>>
>>>>>         dos charset = ISO8859-1
>>>>>         unix charset = cp850
>>>>>
>>>>>         interfaces = vlan2
>>>>>         bind interfaces only = Yes
>>>>>
>>>>>         allow dns updates = nonsecure
>>>>>         #nsupdate command = nsupdate
>>>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>>
>>>>> == named.conf ==
>>>>>
>>>>> options {
>>>>>         listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>>         listen-on-v6 port 53 { ::1; };
>>>>>         directory       "/var/named";
>>>>>         dump-file       "/var/named/data/cache_dump.db";
>>>>>         statistics-file "/var/named/data/named_stats.txt";
>>>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>         allow-query     { any; };
>>>>>         recursion yes;
>>>>>
>>>>>         # just example
>>>>>         forwarders { 8.8.8.8; };
>>>>>
>>>>>         dnssec-enable no;
>>>>>         dnssec-validation no;
>>>>>         dnssec-lookaside auto;
>>>>>
>>>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>>>         managed-keys-directory "/var/named/dynamic";
>>>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>> };
>>>>>
>>>>> zone "." IN {
>>>>>         type hint;
>>>>>         file "named.ca";
>>>>> };
>>>>>
>>>>> include "/etc/named.rfc1912.zones";
>>>>> include "/etc/named.root.key";
>>>>> include "/var/lib/samba/private/named.conf";
>>>>>
>>>>> And I have a second DC with the following configurations:
>>>>>
>>>>> == smb.conf ==
>>>>>
>>>>> [global]
>>>>>         workgroup = EXAMPLE
>>>>>         realm = EXAMPLE.COM
>>>>>         netbios name = DC2
>>>>>         server role = active directory domain controller
>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>
>>>>>         interfaces = eth1
>>>>>         bind interfaces only = Yes
>>>>>
>>>>>         dsdb:schema update allowed = true
>>>>>
>>>>>         dos charset = ISO8859-1
>>>>>         unix charset = cp850
>>>>>
>>>>>         allow dns updates = nonsecure
>>>>>         #nsupdate command = nsupdate
>>>>>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>>
>>>>> == named.conf ==
>>>>>
>>>>> options {
>>>>>         listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>>         listen-on-v6 port 53 { ::1; };
>>>>>         directory       "/var/named";
>>>>>         dump-file       "/var/named/data/cache_dump.db";
>>>>>         statistics-file "/var/named/data/named_stats.txt";
>>>>>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>         allow-query     { any; };
>>>>>         recursion yes;
>>>>>
>>>>>         forwarders { 10.1.11.2; };
>>>>>
>>>>>         dnssec-enable no;
>>>>>         dnssec-validation no;
>>>>>         dnssec-lookaside auto;
>>>>>
>>>>>         /* Path to ISC DLV key */
>>>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>>>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>> };
>>>>>
>>>>> zone "." IN {
>>>>>         type hint;
>>>>>         file "named.ca";
>>>>> };
>>>>>
>>>>> include "/etc/named.rfc1912.zones";
>>>>> include "/etc/named.root.key";
>>>>> include "/var/lib/samba/private/named.conf";
>>>>>
>>>>> DC1 works fine until I start samba on DC2... then named on DC1 
>>>>> freezes and some messages about failed DNS updates appear in the 
>>>>> logs.
>>>>>
>>>>> Both DCs have samba 4.1.6 installed and bind 9.8.2.
>>>>>
>>>>> Is there anyone with problems related to this?
>>>>>
>>>>> best regards,
>>>>> Bruno.
>>>>>
>>>>>
>>>>>
>>>> Hi, can you let us know what OS you are using? I did spot one 
>>>> potential problem, though this shouldn't cause the problems you are 
>>>> having:
>>>>
>>>
>>>     I have CentOS 6.5 on both DCs.
>>>
>>>> On dc1:
>>>>
>>>> listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>
>>>> forwarders { 8.8.8.8; };
>>>>
>>>> on dc2:
>>>>
>>>> listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>
>>>> forwarders { 10.1.11.2; };
>>>
>>> I made a mistake... DC2 also forwards to 8.8.8.8.
>>>
>>>> I think that this means your DCs have the addresses '10.1.11.2' 
>>>> and '10.1.1.150' and that you are forwarding anything that dc2 
>>>> knows nothing about to dc1. dc2 should know what dc1 knows, so you 
>>>> need to change this: they should both forward to somewhere outside 
>>>> the Samba AD domain.
>>>>
>>>> How did you join the second DC to the first, and did you get any 
>>>> errors when you did so? Did you follow this page on the wiki:
>>>>
>>>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
>>>>
>>>
>>> Yes, I followed the process on that page, without errors.
>>>
>>>> Rowland
>>>>
>>>
>> I think I have spotted your problem:
>>
>> In dc1 smb.conf
>>
>> server services = -dns
>>
>> I think that you have turned everything off; try changing it to the 
>> line from the other DC:
>>
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>
>> Oh, and whilst you are changing the smb.conf files, add:
>>
>> idmap_ldb:use rfc2307 = yes
>>
>> to the second DC, why the join doesn't add this line I do not know.
>>
>> Rowland
> I tried those changes but the problem persists :(
>
> Bruno.
From what you posted, it would seem that you provisioned the first DC 
to use the internal DNS and later changed to bind9. Is this correct?

What type of bind9 setup are you using, flat file or DLZ? Also, I hope 
that you are doing this in a test environment.

Rowland
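As an added example (not code from this thread, from Samba or from BIND), the script below lints a DC's named.conf and smb.conf for the points raised in the thread: a forwarder that points at another domain controller instead of a resolver outside the AD domain, the Samba-generated named.conf include and the tkey-gssapi-keytab that the BIND9 DLZ back end needs, Samba's internal DNS service being left enabled alongside named (both would try to serve port 53), and allow dns updates = nonsecure, which accepts unauthenticated dynamic updates (Samba's default is secure only). The sample configurations are constructed from the DC2 snippets quoted above; the default service list is assumed to be the one quoted from DC2 plus dns, and the "+service"/"-service" form of server services is assumed to adjust that default list.

```python
import re

# Constructed sample, modelled on the DC2 named.conf quoted in the thread.
NAMED_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 10.1.1.150; };
        listen-on-v6 port 53 { ::1; };
        allow-query     { any; };
        recursion yes;
        forwarders { 10.1.11.2; };   # points at DC1, not outside the domain
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/etc/named.rfc1912.zones";
include "/var/lib/samba/private/named.conf";
"""

# Constructed sample, modelled on the DC2 smb.conf quoted in the thread.
SMB_CONF = """
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        netbios name = DC2
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        interfaces = eth1
        bind interfaces only = Yes
        allow dns updates = nonsecure
"""

# Addresses of the two DCs as given in the thread (10.1.11.2 = DC1, 10.1.1.150 = DC2).
DC_ADDRESSES = {"10.1.11.2", "10.1.1.150"}

# Assumed default: the explicit list quoted from DC2 plus the internal "dns" service.
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbind", "ntp_signd", "kcc", "dnsupdate", "dns"]


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_named_conf(text):
    """Pull the directives the checks need out of a named.conf options block."""
    text = _strip_comments(text)

    def addrs(directive):
        m = re.search(directive + r"(?:\s+port\s+\d+)?\s*\{([^}]*)\}", text)
        return [a.strip() for a in m.group(1).split(";") if a.strip()] if m else []

    keytab = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"', text)
    return {
        "listen_on": addrs(r"\blisten-on"),
        "forwarders": addrs(r"\bforwarders"),
        "tkey_keytab": keytab.group(1) if keytab else None,
        "includes": re.findall(r'include\s+"([^"]+)"', text),
    }


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict (keys lower-cased)."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def effective_services(value):
    """Expand a 'server services' value; '+x'/'-x' tokens adjust the assumed default list."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if tokens and all(t[0] in "+-" for t in tokens):
        services = list(DEFAULT_SERVICES)
        for t in tokens:
            name = t[1:]
            if t[0] == "-" and name in services:
                services.remove(name)
            elif t[0] == "+" and name not in services:
                services.append(name)
        return services
    return tokens


def check_dc(named_conf, smb_conf, dc_addresses):
    """Return a list of findings for one DC running BIND with the Samba DLZ module."""
    named, smb, findings = parse_named_conf(named_conf), parse_smb_global(smb_conf), []
    for fwd in named["forwarders"]:
        if fwd in dc_addresses:
            findings.append(f"forwarder {fwd} is a domain controller: forward only to resolvers outside the AD domain")
    if not any("samba" in inc and inc.endswith("named.conf") for inc in named["includes"]):
        findings.append("Samba DLZ named.conf is not included: named will not serve the AD zones")
    if named["tkey_keytab"] is None:
        findings.append("tkey-gssapi-keytab is not set: GSS-TSIG (secure) updates cannot be authenticated")
    if "dns" in effective_services(smb.get("server services", ", ".join(DEFAULT_SERVICES))):
        findings.append("internal DNS service is enabled alongside named: both would serve port 53")
    if smb.get("allow dns updates", "secure only").lower() in ("nonsecure", "nonsecure and secure"):
        findings.append("allow dns updates = nonsecure accepts unauthenticated dynamic updates (default is 'secure only')")
    return findings


if __name__ == "__main__":
    for finding in check_dc(NAMED_CONF, SMB_CONF, DC_ADDRESSES):
        print("WARNING:", finding)
```

Run against the constructed DC2 files it reports the DC-to-DC forwarder and the nonsecure update setting and nothing else; changing the forwarder to an address outside the domain (8.8.8.8 as in the thread) clears the first warning. Point it at real files by reading them in place of the constructed strings.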


