[Samba] Winbind not able to start
Rowland Penny
rowlandpenny at googlemail.com
Sat Apr 11 14:37:36 MDT 2015
On 11/04/15 20:38, Timo Altun wrote:
> Hi and thank you for the answers!
>
> How do I setup the clients to do their own updates? I do not recall
> doing anything on the windows client side to setup the automatic dns
> updates.
You can turn off the Windows clients' ability to update their own DNS
records; if you don't know about it, then it is doubtful this is your
problem.
> The linux wheezy clients with samba 3.6.6 actually never managed to
> automatically update dns during domain join, not even in the test
> environment. I settled for manually adding those to the dns, as
> they're just a handful.
This is one of the reasons why I run bind9 and a dhcp server on the AD
DC: the AD DC already has the clients' DNS records before the join.
>
> One of my priorities during domain provision (during classicupgrade in
> fact), was to not have to manually join the windows clients to the new
> domain. This works with this configuration. The old NT-4 Domain also
> had that dot in MAYWEG.NET. This is also what I
> was referring to when I said, the windows clients do not "notice" the
> change. I knew that there's no "automatic" going back to the old NT-4
> domain, once they've seen the new AD DC (Rowland enlightened me a
> couple of days ago).
Have a look here: https://support.microsoft.com/en-us/kb/909264
especially under the heading 'Domain names'
Names can contain a period (.). However, the name cannot start with a
period. The use of non-DNS names with periods is allowed in Microsoft
Windows NT. However, periods should not be used in Active Directory
domains. If you are upgrading a domain whose NetBIOS name contains a
period, change the name by migrating the domain to a new domain
structure. Do not use periods in new NetBIOS domain names.
>
> Is there maybe a deeper logging level I can turn on somewhere? Or is
> there a log on the windows client side?
>
You could have a look in the event log on a client that isn't updating
its records. Is there anything in any of the samba logs?
Have you looked at this wiki page:
https://wiki.samba.org/index.php/DNS_Backend_BIND
Rowland
> Greetings,
> Timo
>
> On 11 April 2015 at 20:29, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> On 11/04/15 18:54, Timo Altun wrote:
>
> Good evening,
>
> unfortunately one problem emerged during the change from my
> testing environment to a small portion of the live environment.
> The automatic dns updates of the windows clients do not seem
> to work in the live environment. I changed the AD DC IP from
> another subnet to 192.168.111.90, without reprovisioning.
> Everything else seems to work fine though (e.g. domain joins,
> shares and DNS forwarding, looking up manually added entries).
> I could also add entries manually with samba-tool dns add, but
> keeping in mind that it worked in the other subnet I would
> like to avoid that.
> My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
> As I don't receive any real error messages (looked in syslog,
> messages, /var/log/samba/log.smbd) I don't have a clue where
> the problem is. Maybe somebody has an idea?!
>
> The startup seems fine in the log:
> Apr 11 18:53:42 server06 named[4141]: starting BIND
> 9.9.5-9-Debian -f -u bind
> Apr 11 18:53:42 server06 named[4141]: built with
> '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
> '--localstatedir=/var' '--enable-threads' '--enable-largefile'
> '--with-libtool' '--enable-shared' '--enable-static'
> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
> '--enable-rrl' '--enable-filter-aaaa'
> 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks
> -DDIG_SIGCHASE -O2'
> Apr 11 18:53:42 server06 named[4141]:
> ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by
> Internet Systems Consortium,
> Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit
> 501(c)(3) public-benefit
> Apr 11 18:53:42 server06 named[4141]: corporation. Support and
> training for BIND 9 are
> Apr 11 18:53:42 server06 named[4141]: available at
> https://www.isc.org/support
> Apr 11 18:53:42 server06 named[4141]:
> ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: adjusted limit on open
> files from 4096 to 1048576
> Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4
> worker threads
> Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners
> per interface
> Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
> Apr 11 18:53:42 server06 named[4141]: loading configuration
> from '/etc/bind/named.conf'
> Apr 11 18:53:42 server06 named[4141]: reading built-in trusted
> keys from file '/etc/bind/bind.keys'
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4
> port range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6
> port range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4
> interface lo, 127.0.0.1#53
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4
> interface eth0, 192.168.111.90#53
> Apr 11 18:53:42 server06 named[4141]: generating session key
> for dynamic DNS
> Apr 11 18:53:42 server06 named[4141]: sizing zone task pool
> based on 5 zones
> Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone'
> using driver dlopen
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for
> DN DC=intranet,DC=mayweg,DC=net
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting
> configure
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
> writeable zone '111.168.192.in-addr.arpa'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
> writeable zone 'intranet.mayweg.net'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
> writeable zone '_msdcs.intranet.mayweg.net'
> Apr 11 18:53:42 server06 named[4141]: set up managed keys zone
> for view _default, file 'managed-keys.bind'
> [...]
> Apr 11 18:53:42 server06 named[4141]: command channel
> listening on 127.0.0.1#953
> Apr 11 18:53:42 server06 named[4141]: command channel
> listening on ::1#953
> Apr 11 18:53:42 server06 named[4141]: managed-keys-zone:
> loaded serial 3
> Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN:
> loaded serial 1
> Apr 11 18:53:42 server06 named[4141]: zone
> 127.in-addr.arpa/IN: loaded serial 1
> Apr 11 18:53:42 server06 named[4141]: zone localhost/IN:
> loaded serial 2
> Apr 11 18:53:42 server06 named[4141]: zone
> 255.in-addr.arpa/IN: loaded serial 1
> Apr 11 18:53:42 server06 named[4141]: all zones loaded
> Apr 11 18:53:42 server06 named[4141]: running
>
> The only thing I find a bit strange is "command channel
> listening on ::1#953" instead of the actual IPv4 address.
> My smb.conf on the AD DC can be found in the e-mail before.
> Here is the rest:
>
> *krb5.conf:*
> [libdefaults]
> default_realm = INTRANET.MAYWEG.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> *named.conf:*
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> *named.conf.default-zones:*
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse
> zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> *named.conf.options:*
> options {
> directory "/var/cache/bind";
>
> forwarders {
> 192.168.111.79;
> };
>
> dnssec-validation no;
>
> auth-nxdomain no; # conform to RFC1035
> listen-on { any; };
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> *named.conf.local:*
> //empty
>
> */var/lib/samba/private/named.conf:*
> dlz "AD DNS Zone" {
> # For BIND 9.9.x
> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> };
>
> I also checked the permissions on /etc/krb5.keytab and
> /var/lib/samba/private/dns.keytab. Both should be accessible
> by bind and samba.
>
> Greetings,
> Timo
>
>
> Your files are the same as mine and mine works (mind you, I use
> dhcp running on the first DC). If something does go wrong, it shows
> errors in syslog. I take it that the clients are set up to do
> their own updates.
>
> The '953' number you are worrying about is the command channel
> listening on the ipv6 localhost address.
>
> I am not entirely sure you can use the DNS server on an AD DC for
> more than one domain, it usually just updates the one forward
> zone. I am still not happy with the workgroup with a dot in it.
>
> Rowland
>
>
> Rowland
>
>
>
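The two files that tie BIND to the DC in the thread above are named.conf.options (the tkey-gssapi-keytab line, without which BIND cannot verify the GSS-TSIG signatures on the clients' dynamic updates) and /var/lib/samba/private/named.conf (the dlopen line for the DLZ module). The script below is an added example, not code from the thread or from Samba's own tooling: it checks both files and the keytab permissions offline, using the paths Timo posted. It assumes GNU stat and a Debian-style layout where named runs as the "bind" account; that account is passed in as a parameter rather than hardcoded. The permission check is the security-relevant part: dns.keytab holds the long-term key of the DC's dns-<HOST> account, and anyone who can read it can mint Kerberos service tickets to the DNS service for any client principal, so it should be readable by root and the bind group only.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own tooling): offline
# checks on the files that glue BIND to the Samba AD DC, using the paths
# Timo posted. Assumes GNU stat and that named runs as the account passed
# in as the third argument ("bind" on Debian).

# Path of the keytab named by 'tkey-gssapi-keytab' in named.conf.options.
dlz_keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Path of the DLZ module from the 'database "dlopen ..."' line in
# /var/lib/samba/private/named.conf (dlz_bind9_9.so for BIND 9.9.x).
dlz_module_path() {
    sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Can the account named runs as read the keytab, and can nobody else?
# Expected state: mode 0640, owner root, group = bind's group.
# $2 may be a group name or a numeric gid.
check_keytab_access() {
    keytab="$1"; bind_group="$2"
    [ -f "$keytab" ] || { echo "missing keytab: $keytab"; return 1; }
    mode=$(stat -c '%a' "$keytab")          # octal mode, e.g. 640
    gname=$(stat -c '%G' "$keytab")
    gid=$(stat -c '%g' "$keytab")
    oth=${mode#"${mode%?}"}                 # last digit: other
    rest=${mode%?}
    grp=${rest#"${rest%?}"}                 # second-to-last digit: group
    if [ "$oth" -ge 4 ]; then
        echo "keytab $keytab is world-readable ($mode): any local user can forge tickets to the DNS service; use 0640 root:$bind_group"
        return 1
    fi
    if [ "$gname" = "$bind_group" ] || [ "$gid" = "$bind_group" ]; then
        if [ "$grp" -ge 4 ]; then
            echo "ok keytab $keytab ($mode, group $gname)"
            return 0
        fi
    fi
    echo "keytab $keytab not readable by $bind_group ($mode, group $gname): named cannot accept GSS-TSIG updates"
    return 1
}

# Run all checks; exit status 0 only if everything passed.
run_dlz_checks() {
    options_conf="$1"; samba_named_conf="$2"; bind_group="$3"; status=0
    keytab=$(dlz_keytab_path "$options_conf")
    if [ -z "$keytab" ]; then
        echo "no tkey-gssapi-keytab in $options_conf"; status=1
    else
        check_keytab_access "$keytab" "$bind_group" || status=1
    fi
    module=$(dlz_module_path "$samba_named_conf")
    if [ -z "$module" ]; then
        echo "no 'database \"dlopen ...\"' line in $samba_named_conf"; status=1
    elif [ ! -f "$module" ]; then
        echo "DLZ module missing: $module (must match the installed BIND version)"; status=1
    else
        echo "ok DLZ module $module"
    fi
    return $status
}

# Usage on the DC:
#   sh dlz_check.sh /etc/bind/named.conf.options /var/lib/samba/private/named.conf bind
if [ "$#" -ge 3 ]; then
    run_dlz_checks "$@"
fi
```

If these offline checks pass, the next things to look at are online: run samba_dnsupdate --verbose on the DC while watching syslog for samba_dlz lines, and from a joined client with a valid ticket try a signed update with nsupdate -g against 192.168.111.90, which will show whether the server rejects the update and why.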