[Samba] Winbind not able to start

Rowland Penny rowlandpenny at googlemail.com
Sat Apr 11 12:29:08 MDT 2015


On 11/04/15 18:54, Timo Altun wrote:
> Good evening,
>
> unfortunately one problem emerged during the change from my testing 
> environment to a small portion of the live environment.
> The automatic DNS updates of the Windows clients do not seem to work 
> in the live environment. I changed the AD DC IP from another subnet to 
> 192.168.111.90, without reprovisioning. Everything else seems to work 
> fine though (e.g. domain joins, shares and DNS forwarding, looking up 
> manually added entries). I could also add entries manually with 
> samba-tool dns add, but keeping in mind that it worked in the other 
> subnet I would like to avoid that.
> My DNS backend is BIND 9.9.5 from the Debian Wheezy sources.
> As I don't receive any real error messages (looked in syslog, 
> messages, /var/log/samba/log.smbd) I don't have a clue where the 
> problem is. Maybe somebody has an idea?!
>
> The startup seems fine in the log:
> Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f 
> -u bind
> Apr 11 18:53:42 server06 named[4141]: built with '--prefix=/usr' 
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' 
> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' 
> '--enable-largefile' '--with-libtool' '--enable-shared' 
> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' 
> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' 
> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing 
> -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
> Apr 11 18:53:42 server06 named[4141]: 
> ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet 
> Systems Consortium,
> Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit 
> 501(c)(3) public-benefit
> Apr 11 18:53:42 server06 named[4141]: corporation. Support and 
> training for BIND 9 are
> Apr 11 18:53:42 server06 named[4141]: available at 
> https://www.isc.org/support
> Apr 11 18:53:42 server06 named[4141]: 
> ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files 
> from 4096 to 1048576
> Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker threads
> Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per interface
> Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
> Apr 11 18:53:42 server06 named[4141]: loading configuration from 
> '/etc/bind/named.conf'
> Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys 
> from file '/etc/bind/bind.keys'
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port 
> range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port 
> range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo, 
> 127.0.0.1#53
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface 
> eth0, 192.168.111.90#53
> Apr 11 18:53:42 server06 named[4141]: generating session key for 
> dynamic DNS
> Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5 
> zones
> Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone' using 
> driver dlopen
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN 
> DC=intranet,DC=mayweg,DC=net
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable 
> zone '111.168.192.in-addr.arpa'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable 
> zone 'intranet.mayweg.net'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable 
> zone '_msdcs.intranet.mayweg.net'
> Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for 
> view _default, file 'managed-keys.bind'
> [...]
> Apr 11 18:53:42 server06 named[4141]: command channel listening on 
> 127.0.0.1#953
> Apr 11 18:53:42 server06 named[4141]: command channel listening on ::1#953
> Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial 3
> Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded 
> serial 1
> Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded 
> serial 1
> Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial 2
> Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded 
> serial 1
> Apr 11 18:53:42 server06 named[4141]: all zones loaded
> Apr 11 18:53:42 server06 named[4141]: running
>
> The only thing I find a bit strange is "command channel listening on 
> ::1#953" instead of the actual IPv4 address.
> My smb.conf on the AD DC can be found in the e-mail before. Here is 
> the rest:
>
> *krb5.conf:*
> [libdefaults]
> default_realm = INTRANET.MAYWEG.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> *named.conf:*
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> *named.conf.default-zones:*
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> *named.conf.options:*
> options {
> directory "/var/cache/bind";
>
> forwarders {
> 192.168.111.79;
> };
>
> dnssec-validation no;
>
> auth-nxdomain no;    # conform to RFC1035
> listen-on { any; };
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> *named.conf.local:*
> //empty
>
> */var/lib/samba/private/named.conf:*
> dlz "AD DNS Zone" {
>     # For BIND 9.9.x
>     database "dlopen 
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> };
>
> I also checked the permissions on /etc/krb5.keytab and 
> /var/lib/samba/private/dns.keytab. Both should be accessible by bind 
> and samba.
>
> Greetings,
> Timo

Your files are the same as mine and mine works (mind you, I use dhcp 
running on the first DC). If something does go wrong, it shows errors in 
syslog. I take it that the clients are set up to do their own updates.

The '953' number you are worrying about is the command channel listening 
on the ipv6 localhost address.

I am not entirely sure you can use the DNS server on an AD DC for more 
than one domain, it usually just updates the one forward zone. I am 
still not happy with the workgroup with a dot in it.

Rowland
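Rowland points at syslog as the place where a failing update shows up. The following is an added example, not code from this thread, from Samba or from BIND: it drives the same GSS-TSIG dynamic-update path a Windows client uses when it registers its own records, so a refusal can be reproduced on demand and matched against the named lines in syslog, and it checks the one local prerequisite the thread discusses, that the DNS keytab is readable by the user named runs as. The DC address, zone, realm and keytab path are taken from Timo's posted configuration; the "administrator" principal, the "dlztest" probe record name and the use of GNU stat (as shipped on Debian) are assumptions.

```shell
# Added example, not code from the thread, Samba or BIND: probe the GSS-TSIG
# dynamic-update path on the DC the way a Windows client does when it registers
# its own records, and check that the keytab named needs is readable.
# DC_IP, ZONE, REALM and KEYTAB come from the posted configuration; the
# "administrator" principal and the "dlztest" record name are assumptions.

DC_IP=192.168.111.90
ZONE=intranet.mayweg.net
REALM=INTRANET.MAYWEG.NET
KEYTAB=/var/lib/samba/private/dns.keytab

# Emit an nsupdate batch that adds (action "add") or removes (any other
# action) a probe TXT record; pipe it into "nsupdate -g" for GSS-TSIG signing.
build_nsupdate_batch() {
    action=$1
    name=${2:-dlztest}
    printf 'server %s\n' "$DC_IP"
    printf 'zone %s\n' "$ZONE"
    if [ "$action" = add ]; then
        printf 'update add %s.%s 300 TXT "dlz probe"\n' "$name" "$ZONE"
    else
        printf 'update delete %s.%s TXT\n' "$name" "$ZONE"
    fi
    printf 'send\n'
}

# named runs as user bind (the posted log shows "-u bind"), so the keytab
# must carry the group read bit (root:bind 0640 is the usual layout).
# Uses GNU stat, which Debian provides. Returns 0 when readable by group.
keytab_readable_by_group() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(stat -c '%A' "$f") || return 1
    # 5th character of e.g. "-rw-r-----" is the group read bit
    [ "$(printf '%s' "$perms" | cut -c5)" = r ]
}

# Live probe: obtain a ticket, push a signed update, read it back, clean up.
# A refusal here, with the matching named line in syslog, separates a
# server-side GSS-TSIG problem from a client-side registration problem.
run_probe() {
    keytab_readable_by_group "$KEYTAB" || echo "warning: $KEYTAB is not group-readable" >&2
    kinit "administrator@$REALM" || return 1
    build_nsupdate_batch add | nsupdate -g || { echo "signed update refused" >&2; return 1; }
    dig +short @"$DC_IP" "dlztest.$ZONE" TXT
    build_nsupdate_batch delete | nsupdate -g
}
```

Source the file and call `run_probe` on the DC itself (or on any joined host with the Kerberos and BIND client tools); the two helper functions can be exercised without a live DC.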


