[Samba] samba Digest, Vol 172, Issue 2

Karl Heinz Wichmann wichmann-karl at web.de
Sun Apr 2 14:36:09 UTC 2017


Hello Rowland

Yes, I have a timeserver; the time is correct and in sync on the client 
and the server.

named.conf
----------

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

# samba
// named.conf.samba is not shown in this post; presumably it is the
// Samba-generated include that loads the DLZ module for the AD zones —
// confirm its contents, since that is where the AD zones are defined.
include "/etc/bind/named.conf.samba";

// logging
// Each channel below writes its own file under /var/log/named, keeps 3 rotated
// versions of 5 MB each and uses "severity dynamic", i.e. the channel follows
// the server's current debug level (more detail when named runs with -d).
// For the refused dynamic update quoted further down, the "update" category
// (update.log) is the one to read; note that the separate "update-security"
// category (approvals/denials of updates) is not mapped here and so lands in
// default_file.
logging {
     channel default_file {
         file "/var/log/named/default.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel general_file {
         file "/var/log/named/general.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel database_file {
         file "/var/log/named/database.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel security_file {
         file "/var/log/named/security.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel config_file {
         file "/var/log/named/config.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel resolver_file {
         file "/var/log/named/resolver.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel xfer-in_file {
         file "/var/log/named/xfer-in.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel xfer-out_file {
         file "/var/log/named/xfer-out.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel notify_file {
         file "/var/log/named/notify.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel client_file {
         file "/var/log/named/client.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel unmatched_file {
         file "/var/log/named/unmatched.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel queries_file {
         file "/var/log/named/queries.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel network_file {
         file "/var/log/named/network.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel update_file {
         file "/var/log/named/update.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel dispatch_file {
         file "/var/log/named/dispatch.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel dnssec_file {
         file "/var/log/named/dnssec.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel lame-servers_file {
         file "/var/log/named/lame-servers.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };

     // One category per channel; "default" catches every category not
     // listed explicitly.
     category default { default_file; };
     category general { general_file; };
     category database { database_file; };
     category security { security_file; };
     category config { config_file; };
     category resolver { resolver_file; };
     category xfer-in { xfer-in_file; };
     category xfer-out { xfer-out_file; };
     category notify { notify_file; };
     category client { client_file; };
     category unmatched { unmatched_file; };
     category queries { queries_file; };
     category network { network_file; };
     category update { update_file; };
     category dispatch { dispatch_file; };
     category dnssec { dnssec_file; };
     category lame-servers { lame-servers_file; };
};



named.conf.default-zones
------------------------


// prime the server with knowledge of the root servers
// With "forward only" set in named.conf.options the server never iterates
// from the root itself, so these hints are effectively unused; harmless to keep.
zone "." {
         type hint;
         file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

// NOTE(review): this file-backed master zone sets no allow-update of its own,
// so it inherits "allow-update { any; };" from named.conf.options and would
// accept unauthenticated dynamic updates from any client. Restrict or drop the
// global allow-update rather than relying on this default.
zone "localhost" {
         type master;
         file "/etc/bind/db.local";
};

// NOTE(review): no zone-level allow-update, so the global
// "allow-update { any; };" from named.conf.options applies to this master zone.
zone "127.in-addr.arpa" {
         type master;
         file "/etc/bind/db.127";
};

// NOTE(review): no zone-level allow-update, so the global
// "allow-update { any; };" from named.conf.options applies to this master zone.
zone "0.in-addr.arpa" {
         type master;
         file "/etc/bind/db.0";
};

// NOTE(review): no zone-level allow-update, so the global
// "allow-update { any; };" from named.conf.options applies to this master zone.
zone "255.in-addr.arpa" {
         type master;
         file "/etc/bind/db.255";
};


named.conf.options
------------------

options {
         directory "/var/cache/bind";
         // Everything this server is not authoritative for is sent to the
         // forwarder; with "forward only" there is no fallback to iterative
         // resolution if the forwarder does not answer.
         forward only;
         forwarders {
                 <IP of my forwarder>;
                 };
         // DNSSEC validation is off, so answers from the forwarder are accepted
         // unvalidated (a common choice for an internal AD DNS server).
         dnssec-validation no;
         dnssec-enable no;
         auth-nxdomain no;
         // NOTE(review): these are IPv4 literals inside the IPv6 listener list;
         // BIND will most likely reject or ignore them — check with
         // named-checkconf and use IPv6 addresses or "none" here instead.
         listen-on-v6 { 127.0.0.1; 192.168.99.8; };
         listen-on {127.0.0.1; 192.168.99.8;};
         // NOTE(review): a global allow-update is the default for every zone that
         // does not set its own, so the file-backed master zones in
         // named.conf.default-zones accept unauthenticated dynamic updates from
         // any client. For the Samba DLZ zones this is, as far as I can tell,
         // not what authorizes updates (the DLZ module decides per record for
         // GSS-TSIG-signed requests), so this line is best removed or restricted.
         allow-update { any;};
         notify yes;
         // Queries are accepted from anywhere; recursion is limited below.
         allow-query { any; };

         # temp setting
	allow-recursion {
         192.168.0.0/16;
         };

         edns-udp-size 2048;
         max-udp-size 2048;

         # samba update keytab
         // Keytab used for GSS-TSIG (secure) dynamic updates; it must be
         // readable by the user named runs as ("-u bind" in the quoted command).
         // NOTE(review): "update failed: rejected by secure update (REFUSED)" in
         // the quoted log is raised after the signer was accepted — the update
         // was authenticated but not authorized for that record — so the
         // record's ACL in AD (e.g. who created it) is worth checking.
         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

         // Zone transfers only to the other DCs and 192.168.99.6.
         allow-transfer {
	<ip of other samba dc1>;
	<ip of other samba dc2>;
	<ip of other samba dc3>;
	<ip of other samba dc4>;
         192.168.99.6;
         };
};


Can this be a problem with my Debian 8.7 BIND service?

named -V
--------
BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) <id:f9b8a50e> 
built by make with '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' 
'--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' 
'--enable-filter-aaaa'
'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks 
-DDIG_SIGCHASE -O2'
compiled by GCC 4.9.2
using OpenSSL version: OpenSSL 1.0.1t  3 May 2016
using libxml2 version: 2.9.1


Karl Heinz



Am 02.04.2017 um 16:01 schrieb Rowland Penny:
> On Sun, 2 Apr 2017 15:22:31 +0200
> Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:
>
>> Hallo Rowland
>>
>
>> client006\$\@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update
>> failed: rejected by secure update (REFUSED)
>
> This shows your problem
>
>>
>> Are the rights ok?
>
> Yes
>
>>
>> I created the dns entry with samba-tool. Is this a problem?
>
> No
>
>>
>> How can I check whether I have problems with access rights? For example, if
>> bind cannot read or write a file. Currently I check bind with "
>> named -u bind -f -g 2>&1 | tee /etc/bind/named.log ".
>>
>
> Your problem isn't the actual permissions on the directories, you do
> not seem to have the right to update AD. This could be something as
> simple as a time difference between the clients and the DC. Are you
> running an ntp server on the DC and are your windows clients using this
> as their timeserver ?
>
> If time isn't the problem, can you please post your Bind conf files.
>
> Rowland
>


