[Samba] Starting second DC makes named to freeze on primary DC
Rowland Penny
rowlandpenny at googlemail.com
Tue Sep 9 03:47:38 MDT 2014
On 09/09/14 10:16, Bruno Andrade wrote:
>
> On 09/08/2014 06:33 PM, Rowland Penny wrote:
>> On 08/09/14 18:09, Bruno Andrade wrote:
>>>
>>> On 09/08/2014 05:31 PM, Rowland Penny wrote:
>>>> On 08/09/14 17:01, Bruno Andrade wrote:
>>>>>
>>>>>
>>>>> On 09/08/2014 04:57 PM, Rowland Penny wrote:
>>>>>> On 08/09/14 16:33, Bruno Andrade wrote:
>>>>>>> hey,
>>>>>>>
>>>>>>> first, I use bind 9.8.1 as my DNS backend
>>>>>>>
>>>>>>> Well, I have a domain controller, dc1.example.com, running
>>>>>>> correctly and with the following configurations...
>>>>>>>
>>>>>>> == smb.conf ==
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = EXAMPLE
>>>>>>> realm = EXAMPLE.COM
>>>>>>> netbios name = DC1
>>>>>>> server role = active directory domain controller
>>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>>
>>>>>>> server services = -dns
>>>>>>>
>>>>>>> dsdb:schema update allowed = true
>>>>>>>
>>>>>>> dos charset = ISO8859-1
>>>>>>> unix charset = cp850
>>>>>>>
>>>>>>> interfaces = vlan2
>>>>>>> bind interfaces only = Yes
>>>>>>>
>>>>>>> allow dns updates = nonsecure
>>>>>>> #nsupdate command = nsupdate
>>>>>>> #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>>>>
>>>>>>> == named.conf ==
>>>>>>>
>>>>>>> options {
>>>>>>> listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>>>> listen-on-v6 port 53 { ::1; };
>>>>>>> directory "/var/named";
>>>>>>> dump-file "/var/named/data/cache_dump.db";
>>>>>>> statistics-file "/var/named/data/named_stats.txt";
>>>>>>> memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>>> allow-query { any; };
>>>>>>> recursion yes;
>>>>>>>
>>>>>>> # just example
>>>>>>> forwarders { 8.8.8.8; };
>>>>>>>
>>>>>>> dnssec-enable no;
>>>>>>> dnssec-validation no;
>>>>>>> dnssec-lookaside auto;
>>>>>>>
>>>>>>> bindkeys-file "/etc/named.iscdlv.key";
>>>>>>> managed-keys-directory "/var/named/dynamic";
>>>>>>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>>>> };
>>>>>>>
>>>>>>> zone "." IN {
>>>>>>> type hint;
>>>>>>> file "named.ca";
>>>>>>> };
>>>>>>>
>>>>>>> include "/etc/named.rfc1912.zones";
>>>>>>> include "/etc/named.root.key";
>>>>>>> include "/var/lib/samba/private/named.conf";
>>>>>>>
>>>>>>> And I have second DC with configurations:
>>>>>>>
>>>>>>> == smb.conf ==
>>>>>>>
>>>>>>> [global]
>>>>>>> workgroup = EXAMPLE
>>>>>>> realm = EXAMPLE.COM
>>>>>>> netbios name = DC2
>>>>>>> server role = active directory domain controller
>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>>>>>>> kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>>
>>>>>>> interfaces = eth1
>>>>>>> bind interfaces only = Yes
>>>>>>>
>>>>>>> dsdb:schema update allowed = true
>>>>>>>
>>>>>>> dos charset = ISO8859-1
>>>>>>> unix charset = cp850
>>>>>>>
>>>>>>> allow dns updates = nonsecure
>>>>>>> #nsupdate command = nsupdate
>>>>>>> #nsupdate command = /usr/bin/nsupdate -g -t 5
>>>>>>>
>>>>>>> == named.conf ==
>>>>>>>
>>>>>>> options {
>>>>>>> listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>>>> listen-on-v6 port 53 { ::1; };
>>>>>>> directory "/var/named";
>>>>>>> dump-file "/var/named/data/cache_dump.db";
>>>>>>> statistics-file "/var/named/data/named_stats.txt";
>>>>>>> memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>>> allow-query { any; };
>>>>>>> recursion yes;
>>>>>>>
>>>>>>> forwarders { 10.1.11.2; };
>>>>>>>
>>>>>>> dnssec-enable no;
>>>>>>> dnssec-validation no;
>>>>>>> dnssec-lookaside auto;
>>>>>>>
>>>>>>> /* Path to ISC DLV key */
>>>>>>> bindkeys-file "/etc/named.iscdlv.key";
>>>>>>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>>>>>> };
>>>>>>>
>>>>>>> zone "." IN {
>>>>>>> type hint;
>>>>>>> file "named.ca";
>>>>>>> };
>>>>>>>
>>>>>>> include "/etc/named.rfc1912.zones";
>>>>>>> include "/etc/named.root.key";
>>>>>>> include "/var/lib/samba/private/named.conf";
>>>>>>>
>>>>>>> DC1 works fine until I start samba on DC2... then named on DC1
>>>>>>> freezes and some logs related to DNS failed updates appear on
>>>>>>> the logs.
>>>>>>>
>>>>>>> Both DCs have samba 4.1.6 installed and bind 9.8.2.
>>>>>>>
>>>>>>> Is there anyone with some problems related to this?
>>>>>>>
>>>>>>> best regards,
>>>>>>> Bruno.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hi, can you let us know what OS you are using, I did spot one
>>>>>> potential problem, though this shouldn't give the problems you
>>>>>> are having:
>>>>>>
>>>>>
>>>>> I have CentOS 6.5 on both DCs.
>>>>>
>>>>>> On dc1:
>>>>>>
>>>>>> listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>>>>>>
>>>>>> forwarders { 8.8.8.8; };
>>>>>>
>>>>>> on dc2:
>>>>>>
>>>>>> listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>>>>>>
>>>>>> forwarders { 10.1.11.2; };
>>>>>
>>>>> I made a mistake... DC2 also forwards to 8.8.8.8.
>>>>>
>>>>>> I think that this means your DCs have the addresses
>>>>>> '10.1.11.2' & '10.1.1.150' and that you are forwarding anything
>>>>>> that dc2 knows nothing about to dc1. dc2 should know what dc1
>>>>>> knows, so you need to change this, they should both forward to
>>>>>> outside the samba AD domain.
>>>>>>
>>>>>> How did you join the second DC to the first and did you get any
>>>>>> errors when you did so? Did you follow this page on the wiki:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
>>>>>>
>>>>>
>>>>> Yes, I followed the process on that page, without errors.
>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>> I think I have spotted your problem:
>>>>
>>>> In dc1 smb.conf
>>>>
>>>> server services = -dns
>>>>
>>>> I think that you have turned everything off, try changing it to the
>>>> line from the other DC:
>>>>
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>> winbind, ntp_signd, kcc, dnsupdate
>>>>
>>>> Oh and whilst you are changing the smb.conf files add:
>>>>
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> to the second DC, why the join doesn't add this line I do not know.
>>>>
>>>> Rowland
>>> I tried those changes but the problem persists :(
>>>
>>> Bruno.
>> From what you posted, it would seem that you provisioned the first DC
>> to use the internal dns, and later changed to bind9, is this correct ?
>
> The first DC was a classicupgrade from samba 3 to samba 4.1. And yes,
> at first samba was using internal dns, then I upgraded to bind9.
OK, nothing wrong there as far as I can see
>
>> What type of bind9 are you using, flatfile or dlz? Also I hope that
>> you are doing this in a test environment.
>
> DLZ. I used BIND9_DLZ during the upgrade to bind9.
OK
>
> Unfortunately no, the first DC is already in production (Superior
> 'forces' request), but I have a synced machine in a development
> environment.
>
This could be where you are able to say 'I told you so', you really
don't want to put anything into production until you are 100% sure it is
working.
I presume that the samba logs are in '/var/log/samba', so what is in
/var/log/samba/log.samba, anything to show why named is freezing,
anything in bind's log and what is showing in the syslog (which is
called 'messages' on centos, if I remember correctly)?
Rowland
> Regards,
> Bruno.
>
>> Rowland
>>
>
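As an added example that is not part of the thread and not Samba or BIND tooling, the following script mechanically reviews the two configuration points raised above: forwarders on one DC pointing at another DC of the same domain, and the `allow dns updates = nonsecure` setting that both smb.conf files carry, which lets unauthenticated clients change AD DNS records. The sample smb.conf and named.conf snippets are constructed from the values posted; the parser and check names are hypothetical, and the list of DC addresses is an assumption taken from the thread.

```python
"""Hypothetical config linter for a Samba AD DC using the BIND9_DLZ backend.

The checks and function names are this example's own; the sample configs are
constructed from the settings posted in the thread.
"""
import re

# Constructed sample: [global] of the second DC's smb.conf as posted
SMB_CONF_DC2 = """
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
netbios name = DC2
server role = active directory domain controller
allow dns updates = nonsecure
#nsupdate command = nsupdate
"""

# Constructed sample: the relevant options from the second DC's named.conf
NAMED_CONF_DC2 = """
options {
listen-on port 53 { 127.0.0.1; 10.1.1.150; };
recursion yes;
forwarders { 10.1.11.2; };
dnssec-validation no;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""

# Constructed sample: the same DC with the corrections discussed applied
SMB_CONF_FIXED = SMB_CONF_DC2.replace("nonsecure", "secure only")
NAMED_CONF_FIXED = (NAMED_CONF_DC2.replace("{ 10.1.11.2; }", "{ 8.8.8.8; }")
                    .replace("dnssec-validation no", "dnssec-validation auto"))

# Assumption: the addresses of the domain's DCs, taken from the thread
DC_ADDRESSES = {"10.1.11.2", "10.1.1.150"}


def parse_smb_global(text):
    """Return the [global] section of an smb.conf as a dict of lowercased keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def parse_named_options(text):
    """Pull a few named.conf options: brace-delimited lists and scalar values."""
    opts = {}
    for name in ("forwarders", "listen-on port 53"):
        m = re.search(re.escape(name) + r"\s*\{([^}]*)\}", text)
        if m:
            opts[name] = [a.strip() for a in m.group(1).split(";") if a.strip()]
    m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"', text)
    opts["tkey-gssapi-keytab"] = m.group(1) if m else None
    m = re.search(r"dnssec-validation\s+(\w+)", text)
    opts["dnssec-validation"] = m.group(1) if m else None
    return opts


def lint(smb_text, named_text, dc_addresses):
    """Return a list of findings for one DC's smb.conf and named.conf."""
    findings = []
    smb = parse_smb_global(smb_text)
    named = parse_named_options(named_text)

    # Samba's default is 'secure only'; 'nonsecure' accepts unauthenticated updates
    if smb.get("allow dns updates", "secure only").lower().startswith("nonsecure"):
        findings.append("allow dns updates = nonsecure: unauthenticated clients may "
                        "rewrite AD DNS records; use 'secure only' once GSS-TSIG works")

    # A DC forwarding to another DC of the same domain is the loop raised above
    bad = [a for a in named.get("forwarders", []) if a in dc_addresses]
    if bad:
        findings.append("forwarders %s point at a DC of the same domain; forward "
                        "to a resolver outside the AD domain" % ", ".join(bad))

    # Without the keytab BIND cannot accept GSS-TSIG (secure) updates at all
    if named.get("tkey-gssapi-keytab") is None:
        findings.append("tkey-gssapi-keytab missing: secure updates cannot work")

    if named.get("dnssec-validation") == "no":
        findings.append("dnssec-validation no: forwarded answers are not validated")
    return findings


if __name__ == "__main__":
    for label, smb, named in (("as posted", SMB_CONF_DC2, NAMED_CONF_DC2),
                              ("corrected", SMB_CONF_FIXED, NAMED_CONF_FIXED)):
        print(label, lint(smb, named, DC_ADDRESSES) or ["no findings"])
```

Run against the posted DC2 values the linter reports the nonsecure update setting, the forwarder pointing at DC1, and the disabled DNSSEC validation; against the corrected sample it reports nothing. The keytab check is there because `secure only` is only useful once BIND can actually verify GSS-TSIG updates, which is what `tkey-gssapi-keytab` provides.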