[Samba] Switching from Internal DNS to Bind9_DLZ

lingpanda101 lingpanda101 at gmail.com
Mon Jan 8 21:05:24 UTC 2018


On 1/8/2018 1:11 PM, lingpanda101 wrote:
> On 1/2/2018 4:05 PM, Rowland Penny wrote:
>> On Tue, 2 Jan 2018 15:52:57 -0500
>> lingpanda101<lingpanda101 at gmail.com>  wrote:
>>
>>> On 1/2/2018 3:37 PM, Rowland Penny wrote:
>>>> On Tue, 2 Jan 2018 15:23:18 -0500
>>>> lingpanda101<lingpanda101 at gmail.com>  wrote:
>>>>
>>>>
>>>>> Actually it looks as if Bind isn't running. Though I could've sworn
>>>>> it did at one point.
>>>>>
>>>>> service bind9 restart
>>>>>     * Stopping domain name service... bind9
>>>>>                  rndc: connect failed: 127.0.0.1#953: connection
>>>>> refused [ OK ]
>>>>>     * Starting domain name service... bind9 [fail]
>>>>>
>>>>> Log shows;
>>>>>
>>>>> Jan  2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
>>>>> Jan  2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet Systems Consortium,
>>>>> Jan  2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
>>>>> Jan  2 15:20:51 ddc2 named[2793]: corporation.  Support and training for BIND 9 are
>>>>> Jan  2 15:20:51 ddc2 named[2793]: available at https://www.isc.org/support
>>>>> Jan  2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
>>>>> Jan  2 15:20:51 ddc2 named[2793]: adjusted limit on open files from 4096 to 1048576
>>>>> Jan  2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
>>>>> Jan  2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
>>>>> Jan  2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
>>>>> Jan  2 15:20:51 ddc2 named[2793]: loading configuration from '/etc/bind/named.conf'
>>>>> Jan  2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options' redefined near 'options'
>>>>> Jan  2 15:20:51 ddc2 named[2793]: loading configuration: already exists
>>>>> Jan  2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)
>>>>>
>>>>> It seems to stem from the issue I had before
>>>>> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
>>>>>
>>>> I reread your earlier post and noticed something I missed earlier,
>>>> do you normally use red-hat ?
>>>> I ask this because you have this line in /etc/bind/named.conf:
>>>>
>>>> include "/etc/bind/named.conf.options";
>>>>
>>>> Followed by:
>>>> # Global Configuration Options
>>>> options {
>>>> .........
>>>> ......
>>>>
>>>>
>>>>
>>>> If this is all in the one file (ala red-hat), then this is your
>>>> problem, debian splits up Bind9 into separate conf files and you
>>>> will have two 'options'
>>>>
>>>> Rowland
>>> I do not. Ubuntu but I do have two CentOS systems.
>>>
>>> The config file was auto-generated when I installed via. apt-get.
>>> This is what it originally contained before I made any modifications.
>>>
>>> // This is the primary configuration file for the BIND DNS server named.
>>> //
>>> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
>>> // structure of BIND configuration files in Debian, *BEFORE* you customize
>>> // this configuration file.
>>> //
>>> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>>>
>>> include "/etc/bind/named.conf.options";
>>> include "/etc/bind/named.conf.local";
>>> include "/etc/bind/named.conf.default-zones";
>>>
>>> If I comment out these include files, Bind9 starts. However I do
>>> still get
>>>
>>> rndc: connect failed: 127.0.0.1#953: connection refused
>>>
>>> However I'm still getting the TSIG errors.
>>>
>> These are my named.conf files (with any comments stripped out), they
>> have worked for me for the last 5 years ;-)
>>
>> /etc/bind/named.conf
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> /etc/bind/named.conf.options
>>
>> options {
>>          directory "/var/cache/bind";
>>          version "0.0.7";
>>          notify no;
>>          empty-zones-enable no;
>>          allow-query { 127.0.0.1; 192.168.0.0/24; };
>>          allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
>>          forwarders { 8.8.8.8; 8.8.4.4; };
>>          allow-transfer { none; };
>>          dnssec-validation no;
>>          dnssec-enable no;
>>          listen-on-v6 { none; };
>>          listen-on port 53 { 192.168.0.7; 127.0.0.1; };
>>
>>          tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>> };
>>
>> /etc/bind/named.conf.local
>>
>> include "/usr/local/samba/private/named.conf";
>>
>>
>> /etc/bind/named.conf.default-zones
>>
>> zone "." {
>>          type hint;
>>          file "/etc/bind/db.root";
>> };
>>
>> zone "localhost" {
>>          type master;
>>          file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>>          type master;
>>          file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>>          type master;
>>          file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>>          type master;
>>          file "/etc/bind/db.255";
>> };
>>
>> Rowland
>
> It looks as if I have an issue with the switch to Bind on one of my 6 
> DCs. Samba log gives the following.
>
>
> [2018/01/08 10:59:19.002290,  0, pid=968, effective(0, 0), real(0, 0)] 
> ../lib/util/fault.c:79(fault_report)
>   INTERNAL ERROR: Signal 7 in pid 968 (4.7.4)
>   Please read the Trouble-Shooting section of the Samba HOWTO
> [2018/01/08 10:59:19.002521,  0, pid=968, effective(0, 0), real(0, 0)] 
> ../lib/util/fault.c:81(fault_report)
> ===============================================================
> [2018/01/08 10:59:19.002712,  0, pid=968, effective(0, 0), real(0, 0)] 
> ../lib/util/fault.c:151(smb_panic_default)
>   PANIC: internal error
> [2018/01/08 10:59:19.873041,  0, pid=948, effective(0, 0), real(0, 0)] 
> ../source4/smbd/process_standard.c:161(standard_child_pipe_handler)
>   Child 968 (drepl) terminated with signal 6
> [2018/01/08 11:00:39.091609,  0, pid=960, effective(0, 0), real(0, 0)] 
> ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
>   IRPC callback failed for DsReplicaSync - NT_STATUS_OBJECT_NAME_NOT_FOUND
>
> I get repeated errors over and over for the following.
>
> IRPC callback failed for DsReplicaSync - NT_STATUS_OBJECT_NAME_NOT_FOUND
>
> I tried switching back to the internal but it didn't resolve. Running 
> 'samba-tool drs showrepl' shows an issue with the DomainDnsZones 
> partition. I tried manual replication but that too failed.
>
> /usr/local/samba/bin/samba-tool drs replicate ddc2 ddc1 
> DC=DomainDnsZones,DC=domain,DC=local -U Administrator
> Password for [DOMAIN\Administrator]:
> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
> drsException: DsReplicaSync failed (-1073610699, 'The operation cannot 
> be performed.')
>   File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", 
> line 386, in run
>     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, 
> source_dsa_guid, NC, req_options)
>   File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", 
> line 85, in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> Raising the log level to 3 didn't give me anything other than this.
>
> [2018/01/08 12:40:05.883956,  3, pid=2271, effective(0, 0), real(0, 
> 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
>   Registered DDC2<00> with 172.16.22.27 on interface 172.16.22.255
> [2018/01/08 12:40:05.886205,  3, pid=2271, effective(0, 0), real(0, 
> 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
>   Registered DDC2<03> with 172.16.22.27 on interface 172.16.22.255
> [2018/01/08 12:40:05.886324,  3, pid=2271, effective(0, 0), real(0, 
> 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
>   Registered DDC2<20> with 172.16.22.27 on interface 172.16.22.255
> [2018/01/08 12:40:05.915493,  3, pid=2271, effective(0, 0), real(0, 
> 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
>   Registered DOMAIN<1c> with 172.16.22.27 on interface 172.16.22.255
> [2018/01/08 12:40:05.915654,  3, pid=2271, effective(0, 0), real(0, 
> 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
>   Registered DOMAIN<00> with 172.16.22.27 on interface 172.16.22.255
> [2018/01/08 12:40:06.183365,  3, pid=2282, effective(0, 0), real(0, 
> 0)] ../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
>   samba_runcmd_io_handler: Child /usr/local/samba/sbin/samba_dnsupdate 
> exited 0
>
> Why would the DC register itself on the broadcast address? Any harm 
> in simply demoting and rejoining the DC? Do I need to clean up all the 
> metadata before rejoining? Thanks.
>
>
>
>
>
> -- 
> --
> James

As of this moment it's working again. Deleted NTDS settings on the 
affected DCs and switched back to the Internal DNS on the two. Allowed 
them to use the internal DNS for a bit and switched back to Bind. Now 
I'm not showing any issues. Will continue to monitor.

-- 
--
James
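Added example, not code from the thread: a small POSIX sh check that follows `include "..."` directives from a named.conf root the way named does and counts top-level `options` blocks, reproducing the "'options' redefined" condition Rowland describes (a Debian split layout plus a pasted-in red-hat style options block). The sample files are constructed under a temp directory; the `/usr/local/samba/private/named.conf` include is the one from the thread and is only warned about if it is absent on the machine running the check.

```shell
#!/bin/sh
# Added example (not from the thread). Counts 'options {' blocks reachable
# from a named.conf root through its include chain. Sample files are
# constructed in a temp dir; include paths are assumed absolute, no spaces.

# Strip // and # line comments so commented-out blocks are not counted.
_strip_comments() { sed -e 's://.*$::' -e 's:#.*$::' "$1"; }

# Echo the number of top-level options blocks reachable from file $1.
count_options_blocks() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "warning: cannot read include $f" >&2; echo 0; return
    fi
    here=$(_strip_comments "$f" | grep -c '^[[:space:]]*options[[:space:]]*{' || true)
    total=$here
    for inc in $(_strip_comments "$f" |
                 sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p'); do
        total=$((total + $(count_options_blocks "$inc")))   # recurse in a subshell
    done
    echo "$total"
}

# Give the verdict named would give for root file $1.
check_named_conf() {
    n=$(count_options_blocks "$1")
    case "$n" in
        1) echo "ok: one options block" ;;
        0) echo "error: no options block" ;;
        *) echo "error: 'options' redefined ($n blocks)" ;;
    esac
}

# Build a Debian-style split config (named.conf) and a broken variant with a
# second options block pasted into the root file (named.conf.broken).
make_sample() {
    d=$(mktemp -d)
    cat > "$d/named.conf.options" <<EOF
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
EOF
    printf 'include "/usr/local/samba/private/named.conf";\n' > "$d/named.conf.local"
    printf '// primary configuration file, as shipped by Debian\ninclude "%s/named.conf.options";\ninclude "%s/named.conf.local";\n' "$d" "$d" > "$d/named.conf"
    { cat "$d/named.conf"; printf '# Global Configuration Options\noptions {\n    directory "/var/cache/bind";\n};\n'; } > "$d/named.conf.broken"
    echo "$d"
}

d=$(make_sample)
check_named_conf "$d/named.conf"          # ok: one options block
check_named_conf "$d/named.conf.broken"   # error: 'options' redefined (2 blocks)
```

On a real host, point `check_named_conf` at `/etc/bind/named.conf`; `named-checkconf` gives the authoritative answer, this script only shows where the duplicate comes from.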


