[Samba] Winbind not able to start
L.P.H. van Belle
belle at bazuin.nl
Mon Apr 13 00:58:45 MDT 2015
and..
change your nsswitch.conf
>> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
to at least.
>> hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
Louis
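As an added example (not code from this thread, from Samba, or from Louis), here is a small Python parser for the `hosts:` line of nsswitch.conf. It tokenises the line into sources and their bracketed action blocks and reports whether `dns` is consulted before any mdns source that carries `[NOTFOUND=return]`, which is the ordering recommended above. The two sample lines are constructed copies of the ones quoted in the message; `check_file()` and its default path are names chosen here for illustration.

```python
"""Check the source order on the 'hosts:' line of nsswitch.conf.

Added example for the Samba list thread; not Samba's or the poster's code.
"""
import re
from typing import List, Tuple

# Constructed copies of the two hosts: lines quoted in the thread.
BEFORE = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4"
AFTER = "hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4"

# Either a bracketed action block "[STATUS=action ...]" or a bare source name.
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_hosts_line(line: str) -> List[Tuple[str, List[str]]]:
    """Split a 'hosts:' line into (source, [actions]) pairs.

    An action block such as [NOTFOUND=return] applies to the source that
    immediately precedes it; actions are lowercased for comparison.
    """
    key, _, rest = line.partition(":")
    if key.strip() != "hosts":
        raise ValueError("not a hosts: line")
    entries: List[Tuple[str, List[str]]] = []
    for block, word in _TOKEN.findall(rest):
        if word:
            entries.append((word, []))
        elif entries:
            entries[-1][1].extend(a.strip().lower() for a in block.split())
        else:
            raise ValueError("action block before any source")
    return entries


def source_order(line: str) -> List[str]:
    """Just the source names, in lookup order."""
    return [name for name, _ in parse_hosts_line(line)]


def dns_before_mdns(line: str) -> bool:
    """True when 'dns' comes before every mdns source that returns early
    on NOTFOUND, i.e. the ordering the thread recommends."""
    dns_seen = False
    for name, actions in parse_hosts_line(line):
        if name == "dns":
            dns_seen = True
        elif name.startswith("mdns") and "notfound=return" in actions:
            if not dns_seen:
                return False
    return dns_seen


def check_file(path: str = "/etc/nsswitch.conf") -> bool:
    """Apply dns_before_mdns() to the first hosts: line of a real file.
    (Hypothetical helper; path is the usual glibc location.)"""
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if line.startswith("hosts"):
                return dns_before_mdns(line)
    raise ValueError("no hosts: line found")


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, source_order(sample), "dns first:", dns_before_mdns(sample))
```

Run it against the live file with `check_file()` on a host that resolves AD names slowly or not at all; a `False` result means an mdns source with an early return sits ahead of `dns`.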
>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Saturday 11 April 2015 22:38
>To: sambalist
>Subject: Re: [Samba] Winbind not able to start
>
>On 11/04/15 20:38, Timo Altun wrote:
>> Hi and thank you for the answers!
>>
>> How do I setup the clients to do their own updates? I do not recall
>> doing anything on the windows client side to setup the automatic dns
>> updates.
>
>You can turn off the windows clients ability to update their own dns
>records, if you don't know about it then it is doubtful this is your
>problem.
>
>> The linux wheezy clients with samba 3.6.6. actually never managed to
>> automatically update dns during domain join, not even in the test
>> environment. I settled for manually adding those to the dns, as
>> they're just a handful.
>
>This is one of the reasons why I run bind9 and a dhcp server on the AD
>DC, the AD DC already has the clients dns records before the join.
>
>>
>> One of my priorities during domain provision (during classicupgrade in
>> fact), was to not have to manually join the windows clients to the new
>> domain. This works with this configuration. The old NT-4 Domain also
>> had that dot in MAYWEG.NET. This is also what I
>> was referring to when I said, the windows clients do not "notice" the
>> change. I knew that there's no "automatic" going back to the old NT-4
>> domain, once they've seen the new AD DC (Rowland enlightened me a
>> couple of days ago).
>
>Have a look here: https://support.microsoft.com/en-us/kb/909264
>
>especially under the heading 'Domain names'
>
>Names can contain a period (.). However, the name cannot start with a
>period. The use of non-DNS names with periods is allowed in Microsoft
>Windows NT. However, periods should not be used in Active Directory
>domains. If you are upgrading a domain whose NetBIOS name contains a
>period, change the name by migrating the domain to a new domain
>structure. Do not use periods in new NetBIOS domain names.
>
>>
>> Is there maybe a deeper logging level I can turn on somewhere? Or is
>> there a log on the windows client side?
>>
>
>You could have a look in the event log on a client that isn't updating
>its records, is there anything in any of the samba logs ?
>
>Have you looked at this wiki page:
>https://wiki.samba.org/index.php/DNS_Backend_BIND
>
>Rowland
>
>> Greetings,
>> Timo
>>
>> On 11 April 2015 at 20:29, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 11/04/15 18:54, Timo Altun wrote:
>>
>> Good evening,
>>
>> unfortunately one problem emerged during the change from my
>> testing environment to a small portion of the live environment.
>> The automatic dns updates of the windows clients do not seem
>> to work in the live environment. I changed the AD DC IP from
>> another subnet to 192.168.111.90, without reprovisioning.
>> Everything else seems to work fine though (e.g. domain joins,
>> shares and DNS forwarding, looking up manually added entries).
>> I could also add entries manually with samba-tool dns add, but
>> keeping in mind that it worked in the other subnet I would
>> like to avoid that.
>> My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
>> As I don't receive any real error messages (looked in syslog,
>> messages, /var/log/samba/log.smbd) I don't have a clue where
>> the problem is. Maybe somebody has an idea?!
>>
>> The startup seems fine in the log:
>> Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f -u bind
>> Apr 11 18:53:42 server06 named[4141]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
>> Apr 11 18:53:42 server06 named[4141]: ----------------------------------------------------
>> Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet Systems Consortium,
>> Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
>> Apr 11 18:53:42 server06 named[4141]: corporation. Support and training for BIND 9 are
>> Apr 11 18:53:42 server06 named[4141]: available at https://www.isc.org/support
>> Apr 11 18:53:42 server06 named[4141]: ----------------------------------------------------
>> Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files from 4096 to 1048576
>> Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker threads
>> Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per interface
>> Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
>> Apr 11 18:53:42 server06 named[4141]: loading configuration from '/etc/bind/named.conf'
>> Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys from file '/etc/bind/bind.keys'
>> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port range: [1024, 65535]
>> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port range: [1024, 65535]
>> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo, 127.0.0.1#53
>> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface eth0, 192.168.111.90#53
>> Apr 11 18:53:42 server06 named[4141]: generating session key for dynamic DNS
>> Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5 zones
>> Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone' using driver dlopen
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '111.168.192.in-addr.arpa'
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone 'intranet.mayweg.net'
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '_msdcs.intranet.mayweg.net'
>> Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for view _default, file 'managed-keys.bind'
>> [...]
>> Apr 11 18:53:42 server06 named[4141]: command channel listening on 127.0.0.1#953
>> Apr 11 18:53:42 server06 named[4141]: command channel listening on ::1#953
>> Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial 3
>> Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded serial 1
>> Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded serial 1
>> Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial 2
>> Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded serial 1
>> Apr 11 18:53:42 server06 named[4141]: all zones loaded
>> Apr 11 18:53:42 server06 named[4141]: running
>>
>> The only thing I find a bit strange is "command channel
>> listening on ::1#953" instead of the actual IPv4 address.
>> My smb.conf on the AD DC can be found in the e-mail before.
>> Here is the rest:
>>
>> *krb5.conf:*
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> *named.conf:*
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> *named.conf.default-zones:*
>> // prime the server with knowledge of the root servers
>> zone "." {
>> type hint;
>> file "/etc/bind/db.root";
>> };
>>
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> };
>>
>> *named.conf.options:*
>> options {
>> directory "/var/cache/bind";
>>
>> forwarders {
>> 192.168.111.79;
>> };
>>
>> dnssec-validation no;
>>
>> auth-nxdomain no; # conform to RFC1035
>> listen-on { any; };
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> *named.conf.local:*
>> //empty
>>
>> */var/lib/samba/private/named.conf:*
>> dlz "AD DNS Zone" {
>> # For BIND 9.9.x
>> database "dlopen
>> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>> };
>>
>> I also checked the permissions on /etc/krb5.keytab and
>> /var/lib/samba/private/dns.keytab. Both should be accessible
>> by bind and samba.
>>
>> Greetings,
>> Timo
>>
>>
>> Your files are the same as mine and mine works (mind you I use
>> dhcp running on the first DC), If something does go wrong It shows
>> errors in syslog. I take it that the clients are set up to do
>> their own updates.
>>
>> The '953' number you are worrying about is the command channel
>> listening on the ipv6 localhost address.
>>
>> I am not entirely sure you can use the DNS server on an AD DC for
>> more than one domain, it usually just updates the one forward
>> zone. I am still not happy with the workgroup with a dot in it.
>>
>> Rowland
>>
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
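As an added example (not code from this thread or from Samba), here is a Python check over the named startup log Timo quoted above. It pulls the IPv4 listeners and the `samba_dlz` writeable zones out of the log, derives the AD domain from the DLZ DN, and reports any non-loopback listener whose reverse (in-addr.arpa) zone is not served by the DLZ. After a DC moves to a new subnet without reprovisioning, that is one of the first things worth confirming before looking at client-side update failures. The sample lines are constructed copies of the quoted log, with the mail client's link residue removed; the function names are chosen here.

```python
"""Cross-check a BIND/samba_dlz startup log.

Added example for the Samba list thread; not Samba's or the poster's code.
Sample lines are constructed copies of the quoted named startup log.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface eth0, 192.168.111.90#53
Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net
Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '111.168.192.in-addr.arpa'
Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone 'intranet.mayweg.net'
Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '_msdcs.intranet.mayweg.net'
Apr 11 18:53:42 server06 named[4141]: all zones loaded
"""

LISTEN_RE = re.compile(r"listening on IPv4 interface (\S+), (\d+\.\d+\.\d+\.\d+)#(\d+)")
ZONE_RE = re.compile(r"samba_dlz: configured writeable zone '([^']+)'")
DN_RE = re.compile(r"samba_dlz: started for DN (\S+)")


def parse_named_log(text: str) -> Dict[str, object]:
    """Collect (iface, addr, port) listeners, writeable zone names and the DLZ DN."""
    listeners: List[Tuple[str, str, int]] = []
    zones: List[str] = []
    dn = None
    for line in text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listeners.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = ZONE_RE.search(line)
        if m:
            zones.append(m.group(1).lower())
            continue
        m = DN_RE.search(line)
        if m:
            dn = m.group(1)
    return {"listeners": listeners, "zones": zones, "dn": dn}


def domain_from_dn(dn: str) -> str:
    """DC=intranet,DC=mayweg,DC=net -> intranet.mayweg.net"""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts).lower()


def forward_zone_present(parsed: Dict[str, object]) -> bool:
    """Is the AD domain itself among the DLZ writeable zones?"""
    return domain_from_dn(parsed["dn"]) in parsed["zones"]


def missing_reverse_zones(parsed: Dict[str, object]) -> List[Tuple[str, str]]:
    """Non-loopback IPv4 listeners whose PTR name falls under no writeable zone.

    Uses the address's full reverse pointer, so /8, /16 or /24 in-addr.arpa
    zones are all recognised.
    """
    missing = []
    for iface, addr, _port in parsed["listeners"]:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue
        ptr = ip.reverse_pointer  # e.g. 90.111.168.192.in-addr.arpa
        if not any(ptr == z or ptr.endswith("." + z) for z in parsed["zones"]):
            missing.append((iface, addr))
    return missing


if __name__ == "__main__":
    info = parse_named_log(SAMPLE_LOG)
    print("AD domain:", domain_from_dn(info["dn"]), "forward zone ok:", forward_zone_present(info))
    print("listeners without a reverse zone:", missing_reverse_zones(info))
```

Feed it the real log with `parse_named_log(open("/var/log/syslog").read())` (or wherever named logs on the host); an empty list from `missing_reverse_zones()` means every listening address can receive PTR updates into the DLZ.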