[Samba] Winbind not able to start

Rowland Penny rowlandpenny at googlemail.com
Sat Apr 11 14:37:36 MDT 2015


On 11/04/15 20:38, Timo Altun wrote:
> Hi and thank you for the answers!
>
> How do I setup the clients to do their own updates? I do not recall 
> doing anything on the windows client side to setup the automatic dns 
> updates.

You can turn off the windows clients' ability to update their own dns 
records, if you don't know about it then it is doubtful this is your 
problem.

> The linux wheezy clients with samba 3.6.6. actually never managed to 
> automatically update dns during domain join, not even in the test 
> environment. I settled for manually adding those to the dns, as 
> they're just a handful.

This is one of the reasons why I run bind9 and a dhcp server on the AD 
DC, the AD DC already has the clients' dns records before the join.

>
> One of my priorities during domain provision (during classicupgrade in 
> fact), was to not have to manually join the windows clients to the new 
> domain. This works with this configuration. The old NT-4 Domain also 
> had that dot in MAYWEG.NET. This is also what I 
> was referring to when I said, the windows clients do not "notice" the 
> change. I knew that there's no "automatic" going back to the old NT-4 
> domain, once they've seen the new AD DC (Rowland enlightened me a 
> couple of days ago).

Have a look here: https://support.microsoft.com/en-us/kb/909264

especially under the heading 'Domain names'

Names can contain a period (.). However, the name cannot start with a 
period. The use of non-DNS names with periods is allowed in Microsoft 
Windows NT. However, periods should not be used in Active Directory 
domains. If you are upgrading a domain whose NetBIOS name contains a 
period, change the name by migrating the domain to a new domain 
structure. Do not use periods in new NetBIOS domain names.

>
> Is there maybe a deeper logging level I can turn on somewhere? Or is 
> there a log on the windows client side?
>

You could have a look in the event log on a client that isn't updating 
its records, is there anything in any of the samba logs?

Have you looked at this wiki page: 
https://wiki.samba.org/index.php/DNS_Backend_BIND

Rowland

> Greetings,
> Timo
>
> On 11 April 2015 at 20:29, Rowland Penny <rowlandpenny at googlemail.com 
> <mailto:rowlandpenny at googlemail.com>> wrote:
>
>     On 11/04/15 18:54, Timo Altun wrote:
>
>         Good evening,
>
>         unfortunately one problem emerged during the change from my
>         testing environment to a small portion of the live environment.
>         The automatic dns updates of the windows clients do not seem
>         to work in the live environment. I changed the AD DC IP from
>         another subnet to 192.168.111.90, without reprovisioning.
>         Everything else seems to work fine though (e.g. domain joins,
>         shares and DNS forwarding, looking up manually added entries).
>         I could also add entries manually with samba-tool dns add, but
>         keeping in mind that it worked in the other subnet I would
>         like to avoid that.
>         My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
>         As I don't receive any real error messages (looked in syslog,
>         messages, /var/log/samba/log.smbd) I don't have a clue where
>         the problem is. Maybe somebody has an idea?!
>
>         The startup seems fine in the log:
>         Apr 11 18:53:42 server06 named[4141]: starting BIND
>         9.9.5-9-Debian -f -u bind
>         Apr 11 18:53:42 server06 named[4141]: built with
>         '--prefix=/usr' '--mandir=/usr/share/man'
>         '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
>         '--localstatedir=/var' '--enable-threads' '--enable-largefile'
>         '--with-libtool' '--enable-shared' '--enable-static'
>         '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
>         '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>         '--enable-rrl' '--enable-filter-aaaa'
>         'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks
>         -DDIG_SIGCHASE -O2'
>         Apr 11 18:53:42 server06 named[4141]:
>         ----------------------------------------------------
>         Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by
>         Internet Systems Consortium,
>         Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit
>         501(c)(3) public-benefit
>         Apr 11 18:53:42 server06 named[4141]: corporation. Support and
>         training for BIND 9 are
>         Apr 11 18:53:42 server06 named[4141]: available at
>         https://www.isc.org/support
>         Apr 11 18:53:42 server06 named[4141]:
>         ----------------------------------------------------
>         Apr 11 18:53:42 server06 named[4141]: adjusted limit on open
>         files from 4096 to 1048576
>         Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4
>         worker threads
>         Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners
>         per interface
>         Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
>         Apr 11 18:53:42 server06 named[4141]: loading configuration
>         from '/etc/bind/named.conf'
>         Apr 11 18:53:42 server06 named[4141]: reading built-in trusted
>         keys from file '/etc/bind/bind.keys'
>         Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4
>         port range: [1024, 65535]
>         Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6
>         port range: [1024, 65535]
>         Apr 11 18:53:42 server06 named[4141]: listening on IPv4
>         interface lo, 127.0.0.1#53
>         Apr 11 18:53:42 server06 named[4141]: listening on IPv4
>         interface eth0, 192.168.111.90#53
>         Apr 11 18:53:42 server06 named[4141]: generating session key
>         for dynamic DNS
>         Apr 11 18:53:42 server06 named[4141]: sizing zone task pool
>         based on 5 zones
>         Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone'
>         using driver dlopen
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for
>         DN DC=intranet,DC=mayweg,DC=net
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting
>         configure
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>         writeable zone '111.168.192.in-addr.arpa'
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>         writeable zone 'intranet.mayweg.net'
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>         writeable zone '_msdcs.intranet.mayweg.net'
>         Apr 11 18:53:42 server06 named[4141]: set up managed keys zone
>         for view _default, file 'managed-keys.bind'
>         [...]
>         Apr 11 18:53:42 server06 named[4141]: command channel
>         listening on 127.0.0.1#953
>         Apr 11 18:53:42 server06 named[4141]: command channel
>         listening on ::1#953
>         Apr 11 18:53:42 server06 named[4141]: managed-keys-zone:
>         loaded serial 3
>         Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN:
>         loaded serial 1
>         Apr 11 18:53:42 server06 named[4141]: zone
>         127.in-addr.arpa/IN: loaded serial 1
>         Apr 11 18:53:42 server06 named[4141]: zone localhost/IN:
>         loaded serial 2
>         Apr 11 18:53:42 server06 named[4141]: zone
>         255.in-addr.arpa/IN: loaded serial 1
>         Apr 11 18:53:42 server06 named[4141]: all zones loaded
>         Apr 11 18:53:42 server06 named[4141]: running
>
>         The only thing I find a bit strange is "command channel
>         listening on ::1#953" instead of the actual IPv4 address.
>         My smb.conf on the AD DC can be found in the e-mail before.
>         Here is the rest:
>
>         *krb5.conf:*
>         [libdefaults]
>         default_realm = INTRANET.MAYWEG.NET
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         *named.conf:*
>         include "/etc/bind/named.conf.options";
>         include "/etc/bind/named.conf.local";
>         include "/etc/bind/named.conf.default-zones";
>         include "/var/lib/samba/private/named.conf";
>
>         *named.conf.default-zones:*
>         // prime the server with knowledge of the root servers
>         zone "." {
>         type hint;
>         file "/etc/bind/db.root";
>         };
>
>         // be authoritative for the localhost forward and reverse
>         zones, and for
>         // broadcast zones as per RFC 1912
>
>         zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
>         };
>
>         zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
>         };
>
>         zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
>         };
>
>         zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
>         };
>
>         *named.conf.options:*
>         options {
>         directory "/var/cache/bind";
>
>         forwarders {
>         192.168.111.79;
>         };
>
>         dnssec-validation no;
>
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on { any; };
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>         };
>         *named.conf.local:*
>         //empty
>
>         */var/lib/samba/private/named.conf:*
>         dlz "AD DNS Zone" {
>             # For BIND 9.9.x
>             database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>         };
>
>         I also checked the permissions on /etc/krb5.keytab and
>         /var/lib/samba/private/dns.keytab. Both should be accessible
>         by bind and samba.
>
>         Greetings,
>         Timo
>
>
>     Your files are the same as mine and mine works (mind you I use
>     dhcp running on the first DC), if something does go wrong it shows
>     errors in syslog. I take it that the clients are set up to do
>     their own updates.
>
>     The '953' number you are worrying about is the command channel
>     listening on the ipv6 localhost address.
>
>     I am not entirely sure you can use the DNS server on an AD DC for
>     more than one domain, it usually just updates the one forward
>     zone. I am still not happy with the workgroup with a dot in it.
>
>     Rowland
>
>
>     Rowland
>
>
>
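As an added example (not part of this thread, and not a Samba or ISC tool), the following POSIX shell script packages the checks the thread circles around: whether named can actually read the dns.keytab named in `tkey-gssapi-keytab`, whether named.conf pulls in the Samba-generated include, and an `nsupdate -g` (GSS-TSIG) test update that exercises the same path a Windows client uses for secure dynamic updates. The paths and the zone name are the ones shown above; the `bind` user name is Debian's default, and the test host name and its address are constructed placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for dynamic DNS updates on a Samba AD DC using
# the BIND9_DLZ backend. Paths match the thread; "bind" as the named user is
# Debian's default and an assumption. Override any value via the environment.

KEYTAB="${KEYTAB:-/var/lib/samba/private/dns.keytab}"
BIND_USER="${BIND_USER:-bind}"
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf}"
DNS_SERVER="${DNS_SERVER:-192.168.111.90}"
ZONE="${ZONE:-intranet.mayweg.net}"
TEST_FQDN="${TEST_FQDN:-}"                 # e.g. dnstest.intranet.mayweg.net (constructed)
TEST_IP="${TEST_IP:-192.168.111.200}"      # constructed placeholder address

# can_user_read USER FILE
# Exit 0 if USER can read FILE according to the owner/group/other mode bits,
# 1 if not, 2 if FILE does not exist. Inspects the bits instead of switching
# users, so root can run it without sudo and the answer is the same.
can_user_read() {
    user=$1
    file=$2
    [ -e "$file" ] || return 2
    # ls -ld prints: mode links owner group size ... name
    set -- $(ls -ld "$file")
    mode=$1
    owner=$3
    group=$4
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$mode" | cut -c2)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$(printf '%s' "$mode" | cut -c5)
    else
        bit=$(printf '%s' "$mode" | cut -c8)
    fi
    [ "$bit" = "r" ]
}

# check_named_includes CONF
# Exit 0 if CONF includes the Samba-generated named.conf and some file in the
# same directory sets tkey-gssapi-keytab (without it, named never loads the
# keytab and every GSS-TSIG update is refused). Prints what is missing.
check_named_includes() {
    conf=$1
    ok=0
    grep -q 'include "/var/lib/samba/private/named.conf"' "$conf" \
        || { echo "missing Samba include in $conf"; ok=1; }
    grep -rq 'tkey-gssapi-keytab' "$(dirname "$conf")" \
        || { echo "tkey-gssapi-keytab not set anywhere under $(dirname "$conf")"; ok=1; }
    return $ok
}

# gsstsig_update_script SERVER ZONE FQDN IP
# Prints an nsupdate script that adds a test A record and removes it again.
# Feed it to "nsupdate -g" after "kinit" as a domain account; the DLZ module
# logs the outcome (samba_dlz: ...) to syslog, which is where to look next.
gsstsig_update_script() {
    cat <<EOF
server $1
zone $2
update add $3 300 A $4
send
update delete $3 A
send
EOF
}

main() {
    rc=0
    if can_user_read "$BIND_USER" "$KEYTAB"; then
        echo "ok: $KEYTAB readable by $BIND_USER"
    else
        echo "FAIL: $KEYTAB not readable by $BIND_USER"
        rc=1
    fi
    check_named_includes "$NAMED_CONF" && echo "ok: $NAMED_CONF wiring looks right" || rc=1
    # Only send a real update when a test name was supplied; needs a ticket (kinit).
    if [ -n "$TEST_FQDN" ]; then
        gsstsig_update_script "$DNS_SERVER" "$ZONE" "$TEST_FQDN" "$TEST_IP" | nsupdate -g -d || rc=1
    fi
    return $rc
}

# Run the checks only when explicitly asked, so the functions can be sourced.
if [ "${RUN_DLZ_CHECKS:-0}" = 1 ]; then
    main
fi
```

Run it on the DC as `RUN_DLZ_CHECKS=1 TEST_FQDN=dnstest.intranet.mayweg.net sh dlz_checks.sh` after `kinit` as a domain user; a refused update with the keytab and config checks passing usually points at the client or the Kerberos side (clock skew, wrong realm), which matches the earlier suggestion to look at the client's event log.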


