[Samba] dns_tkey_gssnegotiate: TKEY is unacceptable

Billy Bob billysbobs at yahoo.com
Mon Jan 7 18:59:15 UTC 2019


 I have installed and configured a Samba version 4.9.4 first-in-forest AD DC on a clean, updated installation of Ubuntu 18.04 running BIND 9.11.3-1ubuntu1.3-Ubuntu ... built by make with ... '--with-gssapi=/usr' ... '--sysconfdir=/etc' ... '--sysconfdir=/etc/bind' ....
I am following the Samba Wiki for guidance.
The installation proceeded without error in all tests until I attempted to run:
$ sudo samba_dnsupdate --verbose --all-names
which returned:
IPs: ['172.20.10.130']
force update: A dc01.corp.<DOMAIN>.com 172.20.10.130
 * * * * *
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
update(nsupdate): A dc01.corp.<DOMAIN>.com 172.20.10.130
Calling nsupdate for A dc01.corp.<DOMAIN>.com 172.20.10.130 (add)
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc01.corp.<DOMAIN>.com.     900     IN      A       172.20.10.130
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): NS corp.<DOMAIN>.com dc01.corp.<DOMAIN>.com
Calling nsupdate for NS corp.<DOMAIN>.com dc01.corp.<DOMAIN>.com (add)
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
corp.<DOMAIN>.com.          900     IN      NS      dc01.corp.<DOMAIN>.com.
 * * * * *
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 29 entries
===================================
ATTEMPTS TO RESOLVE:
===================================
(1) Verify keytab and dns user ...
$ sudo klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-dc01' dn
# record 1
dn: CN=dns-dc01,CN=Users,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/CN=Configuration,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/DC=DomainDnsZones,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/DC=ForestDnsZones,DC=corp,DC=<DOMAIN>,DC=com
# returned 4 records
# 1 entries
# 3 referrals
(2) Confirm files accessible to BIND ...
$ sudo ls -la /etc/krb5.conf
-rw-r--r-- 1 root root 94 Jan  6 18:18 /etc/krb5.conf
$ sudo ls -la /var/cache/bind
total 20
drwxrwxr-x  3 root bind 4096 Jan  7 09:38 .
drwxr-xr-x 11 root root 4096 Jan  6 17:09 ..
-rw-r--r--  1 bind bind  221 Jan  6 17:36 managed-keys.bind
drwxrwxr-x  2 root bind 4096 Jan  6 17:27 master
-rw-r-----  1 root bind 3316 Nov 14 13:00 named.root
$ sudo ls -la /var/tmp
total 16
drwxrwxrwt  4 root root 4096 Jan  7 10:27 .
drwxr-xr-x 13 root root 4096 Jan  6 15:48 ..
(3) Temporarily switch backends ...
$ sudo samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/CORP.<DOMAIN>.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
You have switched to using SAMBA_INTERNAL as your dns backend, but you still have samba starting looking for a BIND backend. Please remove the -dns from your server services line.
$ sudo samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/CORP.<DOMAIN>.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-dc01 account
See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
(4) Remove and recreate keytab and user
$ sudo rm /usr/local/samba/private/dns.keytab

$ sudo samba-tool user delete dns-dc01
Deleted user dns-dc01
$ sudo samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/CORP.<DOMAIN>.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-dc01 account
See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
$ sudo systemctl restart bind9
$ sudo systemctl status bind9 -n 500
$ sudo reboot
$ sudo klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-dc01' dn
# record 1
dn: CN=dns-dc01,CN=Users,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/CN=Configuration,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/DC=DomainDnsZones,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/DC=ForestDnsZones,DC=corp,DC=<DOMAIN>,DC=com
# returned 4 records
# 1 entries
# 3 referrals
FOR ALL OF THE ABOVE (after restarting BIND, rebooting system, etc.), the problem persists as follows:
$ sudo samba_dnsupdate --verbose --all-names
IPs: ['172.20.10.130']
force update: A dc01.corp.<DOMAIN>.com 172.20.10.130
 * * * * *
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
update(nsupdate): A dc01.corp.<DOMAIN>.com 172.20.10.130
Calling nsupdate for A dc01.corp.<DOMAIN>.com 172.20.10.130 (add)
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc01.corp.<DOMAIN>.com.     900     IN      A       172.20.10.130
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): NS corp.<DOMAIN>.com dc01.corp.<DOMAIN>.com
Calling nsupdate for NS corp.<DOMAIN>.com dc01.corp.<DOMAIN>.com (add)
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
corp.<DOMAIN>.com.          900     IN      NS      dc01.corp.<DOMAIN>.com.
 * * * * *
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 29 entries
===================================
BACKGROUND/CONFIGURATION:
===================================
(1) /etc/bind/named.conf file (NOTE: BIND9_DLZ and tkey settings uncommented/added at proper time during installation):
    # Global Configuration Options
    options {
        auth-nxdomain yes;
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;

        # Enable dynamic DNS updates using Kerberos
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

        # IP addresses and network ranges allowed to query the DNS server:
        allow-query {
            127.0.0.1;
            172.20.10.128/25;
        };

        # IP addresses and network ranges allowed to run recursive queries:
        # (Zones not served by this DNS server)
        allow-recursion {
            127.0.0.1;
            172.20.10.128/25;
        };

        # Forward queries that can not be answered from own zones
        # to these DNS servers:
        forwarders {
            172.20.10.129;
        };

        # Disable zone transfers
        allow-transfer {
            none;
        };
    };

    # Configure dynamically loadable zones (DLZ) from AD schema
    dlz "AD DNS Zone" {
        database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
    };

    # Root Servers
    # (Required for recursive DNS queries)
    zone "." {
        type hint;
        file "named.root";
    };

    # localhost zone
    zone "localhost" {
        type master;
        file "master/localhost.zone";
    };

    # 127.0.0. zone.
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/0.0.127.zone";
    };
(2) AppArmor - BIND Placed in Complain Mode, and, in any case, no violations noted:
  
$ sudo aa-complain /usr/sbin/named
Setting /usr/sbin/named to complain mode.
$ sudo aa-status
  1 profiles are in complain mode.
     /usr/sbin/named
  1 processes are in complain mode.
     /usr/sbin/named (1038)
$ sudo journalctl -b | grep ALLOWED
(3) Samba 4.9.4 Build and provision:
$ ./configure --enable-selftest --enable-gnutls --with-systemd --accel-aes=intelaesni
$ sudo smbd -b

  Paths:
     SBINDIR: /usr/local/samba/sbin
     BINDIR: /usr/local/samba/bin
     CONFIGFILE: /usr/local/samba/etc/smb.conf
     LOGFILEBASE: /usr/local/samba/var
     LMHOSTSFILE: /usr/local/samba/etc/lmhosts
     LIBDIR: /usr/local/samba/lib
     MODULESDIR: /usr/local/samba/lib
     SHLIBEXT: so
     LOCKDIR: /usr/local/samba/var/lock
     STATEDIR: /usr/local/samba/var/locks
     CACHEDIR: /usr/local/samba/var/cache
     PIDDIR: /usr/local/samba/var/run
     SMB_PASSWD_FILE: /usr/local/samba/private/smbpasswd
     PRIVATE_DIR: /usr/local/samba/private
     BINDDNS_DIR: /usr/local/samba/bind-dns
$ sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ --realm=CORP.<DOMAIN>.COM --domain=CORP --option="interfaces=lo eno1" --option="bind interfaces only=yes" --adminpass=<PASSWORD>
    Looking up IPv4 addresses
    Looking up IPv6 addresses
    No IPv6 address will be assigned
    Setting up share.ldb
    Setting up secrets.ldb
    Setting up the registry
    Setting up the privileges database
    Setting up idmap db
    Setting up SAM db
    Setting up sam.ldb partitions and settings
    Setting up sam.ldb rootDSE
    Pre-loading the Samba 4 and AD schema
    Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
    Adding DomainDN: DC=corp,DC=<DOMAIN>,DC=com
    Adding configuration container
    Setting up sam.ldb schema
    Setting up sam.ldb configuration data
    Setting up display specifiers
    Modifying display specifiers and extended rights
    Adding users container
    Modifying users container
    Adding computers container
    Modifying computers container
    Setting up sam.ldb data
    Setting up well known security principals
    Setting up sam.ldb users and groups
    Setting up self join
    Adding DNS accounts
    Creating CN=MicrosoftDNS,CN=System,DC=corp,DC=<DOMAIN>,DC=com
    Creating DomainDnsZones and ForestDnsZones partitions
    Populating DomainDnsZones and ForestDnsZones partitions
    See /usr/local/samba/bind-dns/named.conf for an example configuration include file for BIND
    and /usr/local/samba/bind-dns/named.txt for further documentation required for secure DNS updates
    Setting up sam.ldb rootDSE marking as synchronized
    Fixing provision GUIDs
    A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf
    Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
    Setting up fake yp server settings
    Once the above files are installed, your Samba AD server will be ready to use
    Server Role:           active directory domain controller
    Hostname:              dc01
    NetBIOS Domain:        CORP
    DNS Domain:            corp.<DOMAIN>.com
    DOMAIN SID:            <SID>

(4) Verify BIND access for DLZ
Verify or make /usr/local/samba/private/dns.keytab readable by BIND user:
  $ sudo chmod 640 /usr/local/samba/private/dns.keytab
  $ sudo chown root:bind /usr/local/samba/private/dns.keytab
  $ sudo ls -la /usr/local/samba/private/dns.keytab
  -rw-r----- 2 root bind 757 Jan  6 17:59 /usr/local/samba/private/dns.keytab
Verify or make /usr/local/samba/bind-dns/dns.keytab readable by BIND user:
  $ sudo chmod 640 /usr/local/samba/bind-dns/dns.keytab
  $ sudo chown root:bind /usr/local/samba/bind-dns/dns.keytab
  $ sudo ls -la /usr/local/samba/bind-dns/dns.keytab
  -rw-r----- 2 root bind 757 Jan  6 17:59 /usr/local/samba/bind-dns/dns.keytab
Add new krb5.conf file (configure Kerberos), and verify or make readable by BIND user [if necessary, chmod 644]:
  $ sudo cp /usr/local/samba/private/krb5.conf /etc
  $ sudo ls -la /etc/krb5.conf
  -rw-r--r-- 1 root root 94 Jan  6 18:18 /etc/krb5.conf
  
Verify that nsupdate utility exists on domain controller:
  $ sudo which nsupdate
  /usr/bin/nsupdate
(5) Configure DNS resolver:
Delete symlink in /etc:
  $ sudo rm /etc/resolv.conf
Create and set permissions for new /etc/resolv.conf file:
  $ sudo nano /etc/resolv.conf
    domain corp.<DOMAIN>.com
    # nameserver 172.20.10.131
    nameserver 172.20.10.130
  $ sudo chmod 777 /etc/resolv.conf
  $ sudo ls -la /etc/resolv.conf
  -rwxrwxrwx 1 root root 73 Jan  6 18:24 /etc/resolv.conf
(6) Test Samba AD DC
Verify File Server
  List all shares provided by the DC:
      $ smbclient -L localhost -U%
        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.9.4)

        Reconnecting with SMB1 for workgroup listing.
        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
  Connect to netlogon share using domain administrator account to verify authentication:
    $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
      Enter CORP\administrator's password: [wjcStrong]
        .                                   D        0  Sun Jan  6 17:59:44 2019
        ..                                  D        0  Sun Jan  6 17:59:48 2019

                243559804 blocks of size 1024. 227614076 blocks available
Verify DNS (query some DNS records)
  Query tcp-based _ldap SRV record in the domain:
    $ host -t SRV _ldap._tcp.corp.<DOMAIN>.com.
      _ldap._tcp.corp.<DOMAIN>.com has SRV record 0 100 389 dc01.corp.<DOMAIN>.com.
  Query udp-based _kerberos SRV resource record in the domain:
    $ host -t SRV _kerberos._udp.corp.<DOMAIN>.com.
      _kerberos._udp.corp.<DOMAIN>.com has SRV record 0 100 88 dc01.corp.<DOMAIN>.com.
  Query A record of the domain controller:
    $ host -t A dc01.corp.<DOMAIN>.com.
      dc01.corp.<DOMAIN>.com has address 172.20.10.130
Verify Kerberos
  Request Kerberos ticket for domain administrator account:
    $ kinit administrator
      Password for administrator@CORP.<DOMAIN>.COM: [wjcStrong]
  List cached Kerberos tickets:
    $ klist
      Ticket cache: FILE:/tmp/krb5cc_1000
      Default principal: administrator@CORP.<DOMAIN>.COM

      Valid starting       Expires              Service principal
      01/07/2019 09:08:35  01/07/2019 19:08:35  krbtgt/CORP.<DOMAIN>.COM@CORP.<DOMAIN>.COM
              renew until 01/08/2019 09:08:31
(7) Test Dynamic DNS Updates
Verify domain and forest partitions, as well as metadata.tdb database, are hard linked in both directories:
  $ sudo ls -lai /usr/local/samba/private/sam.ldb.d/
  
    6167165 -rw-rw---- 2 root bind 4247552 Jan  6 17:59 'DC=DOMAINDNSZONES,DC=CORP,DC=<DOMAIN>,DC=COM.ldb'
    6167166 -rw-rw---- 2 root bind 4247552 Jan  6 17:59 'DC=FORESTDNSZONES,DC=CORP,DC=<DOMAIN>,DC=COM.ldb'
    6167161 -rw-rw---- 2 root bind  421888 Jan  7 09:06  metadata.tdb
  $ sudo ls -lai /usr/local/samba/bind-dns/dns/sam.ldb.d/
    6167165 -rw-rw---- 2 root bind 4247552 Jan  6 17:59 'DC=DOMAINDNSZONES,DC=CORP,DC=<DOMAIN>,DC=COM.ldb'
    6167166 -rw-rw---- 2 root bind 4247552 Jan  6 17:59 'DC=FORESTDNSZONES,DC=CORP,DC=<DOMAIN>,DC=COM.ldb'
    6167161 -rw-rw---- 2 root bind  421888 Jan  7 09:06  metadata.tdb
$ sudo samba_dnsupdate --verbose --all-names
  Resulting in above noted failures, steps taken ...
===================================
OTHER CONFIGURATION FILES
===================================
/usr/local/samba/etc/smb.conf
# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = lo eno1
        netbios name = DC01
        realm = CORP.<DOMAIN>.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CORP
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/corp.<DOMAIN>.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

/etc/krb5.conf
[libdefaults]
        default_realm = CORP.<DOMAIN>.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
===================================
LOGS FROM FIRST STARTUP OF AD-DC
PRIOR TO AD-DC TESTING
===================================
$ sudo systemctl status --all --state=failed
● dc01
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Sun 2019-01-06 18:27:44 CST; 36s ago
   CGroup: /
           +-user.slice
           ¦ +-user-1000.slice
           ¦   +-user at 1000.service
           ¦   ¦ +-init.scope
           ¦   ¦   +-1348 /lib/systemd/systemd --user
           ¦   ¦   +-1356 (sd-pam)
           ¦   +-session-1.scope
           ¦     +-1329 sshd: cadmin [priv]
           ¦     +-1467 sshd: cadmin at pts/0
           ¦     +-1468 -bash
           ¦     +-1481 sudo systemctl status --all --state=failed
           ¦     +-1489 systemctl status --all --state=failed
           ¦     +-1490 pager
           +-init.scope
           ¦ +-1 /sbin/init
           +-system.slice
             +-irqbalance.service
             ¦ +-842 /usr/sbin/irqbalance --foreground
             +-system-systemd\x2dfsck.slice
             +-samba-ad-dc.service
             ¦ +-1171 samba: root process .
             ¦ +-1286 samba: task[s3fs_parent] .
             ¦ +-1288 samba: task[dcesrv] .
             ¦ +-1289 samba: tfork waiter process
             ¦ +-1290 samba: task[nbtd] .
             ¦ +-1291 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ¦ +-1293 samba: task[wrepl] .
             ¦ +-1303 samba: task[ldapsrv] .
             ¦ +-1304 samba: task[cldapd] .
             ¦ +-1305 samba: task[kdc] .
             ¦ +-1306 samba: task[dreplsrv] .
             ¦ +-1307 samba: task[winbindd_parent]
             ¦ +-1308 samba: task[ntp_signd] .
             ¦ +-1309 samba: task[kccsrv] .
             ¦ +-1310 samba: task[dnsupdate] .
             ¦ +-1315 samba: tfork waiter process
             ¦ +-1320 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
             ¦ +-1337 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ¦ +-1338 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ¦ +-1340 winbindd: domain child [CORP] .
             ¦ +-1342 winbindd: idmap child .
             ¦ +-1344 winbindd: domain child [BUILTIN]
             ¦ +-1345 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             +-systemd-networkd.service
             ¦ +-712 /lib/systemd/systemd-networkd
             +-systemd-udevd.service
             ¦ +-474 /lib/systemd/systemd-udevd
             +-cron.service
             ¦ +-802 /usr/sbin/cron -f
             +-sys-fs-fuse-connections.mount
             +-sys-kernel-config.mount
             +-polkit.service
             ¦ +-994 /usr/lib/policykit-1/polkitd --no-debug
             +-networkd-dispatcher.service
             ¦ +-880 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
             +-sys-kernel-debug.mount
             +-bind9.service
             ¦ +-864 /usr/sbin/named -f -u bind
             +-accounts-daemon.service
             ¦ +-915 /usr/lib/accountsservice/accounts-daemon
             +-systemd-journald.service
             ¦ +-450 /lib/systemd/systemd-journald
             +-atd.service
             ¦ +-887 /usr/sbin/atd -f
             +-lxd.socket
             +-unattended-upgrades.service
             ¦ +-968 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
             +-ssh.service
             ¦ +-1167 /usr/sbin/sshd -D
             +-dev-mqueue.mount
             +-snapd.service
             ¦ +-979 /usr/lib/snapd/snapd
             +-rsyslog.service
             ¦ +-902 /usr/sbin/rsyslogd -n
             +-boot-efi.mount
             +-lxcfs.service
             ¦ +-794 /usr/bin/lxcfs /var/lib/lxcfs/
             +-snapd.socket
             +-lvm2-lvmetad.service
             ¦ +-464 /sbin/lvmetad -f
             +-systemd-resolved.service
             ¦ +-744 /lib/systemd/systemd-resolved
             +-system-lvm2\x2dpvscan.slice
             +-dev-mapper-dc01\x2d\x2dvg\x2dswap_1.swap
             +-dev-hugepages.mount
             +-dbus.service
             ¦ +-920 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
             +-systemd-timesyncd.service
             ¦ +-621 /lib/systemd/systemd-timesyncd
             +-system-getty.slice
             ¦ +-getty at tty1.service
             ¦   +-1233 /sbin/agetty -o -p -- \u --noclear tty1 linux
             +-systemd-logind.service
               +-814 /lib/systemd/systemd-logind

$ sudo systemctl status samba-ad-dc -n 500
● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-01-06 18:27:50 CST; 48s ago
  Process: 1151 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
 Main PID: 1171 (samba)
    Tasks: 23 (limit: 4915)
   CGroup: /system.slice/samba-ad-dc.service
           +-1171 samba: root process .
           +-1286 samba: task[s3fs_parent] .
           +-1288 samba: task[dcesrv] .
           +-1289 samba: tfork waiter process
           +-1290 samba: task[nbtd] .
           +-1291 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           +-1293 samba: task[wrepl] .
           +-1303 samba: task[ldapsrv] .
           +-1304 samba: task[cldapd] .
           +-1305 samba: task[kdc] .
           +-1306 samba: task[dreplsrv] .
           +-1307 samba: task[winbindd_parent]
           +-1308 samba: task[ntp_signd] .
           +-1309 samba: task[kccsrv] .
           +-1310 samba: task[dnsupdate] .
           +-1315 samba: tfork waiter process
           +-1320 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           +-1337 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           +-1338 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           +-1340 winbindd: domain child [CORP] .
           +-1342 winbindd: idmap child .
           +-1344 winbindd: domain child [BUILTIN]
           +-1345 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Jan 06 18:27:50 dc01 systemd[1]: Starting Samba Active Directory Domain Controller...
Jan 06 18:27:50 dc01 samba[1151]: root process[1151]: [2019/01/06 18:27:50.631690,  0] ../source4/smbd/server.c:510(binary_smbd_main)
Jan 06 18:27:50 dc01 samba[1151]: root process[1151]:   samba version 4.9.4 started.
Jan 06 18:27:50 dc01 samba[1151]: root process[1151]:   Copyright Andrew Tridgell and the Samba Team 1992-2018
Jan 06 18:27:50 dc01 systemd[1]: Started Samba Active Directory Domain Controller.
Jan 06 18:27:50 dc01 samba[1171]: root process[1171]: [2019/01/06 18:27:50.867193,  0] ../source4/smbd/server.c:696(binary_smbd_main)
Jan 06 18:27:50 dc01 samba[1171]: root process[1171]:   binary_smbd_main: samba: using 'standard' process model
Jan 06 18:27:50 dc01 samba[1303]: task[ldapsrv][1303]: [2019/01/06 18:27:50.875460,  0] ../source4/lib/tls/tlscert.c:72(tls_cert_generate)
Jan 06 18:27:50 dc01 samba[1303]: task[ldapsrv][1303]:   Attempting to autogenerate TLS self-signed keys for https for hostname 'DC01.corp.<DOMAIN>.com'
Jan 06 18:27:50 dc01 samba[1171]: root process[1171]: [2019/01/06 18:27:50.883033,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Jan 06 18:27:50 dc01 samba[1171]: root process[1171]:   daemon_ready: STATUS=daemon 'samba' finished starting up and ready to serve connections
Jan 06 18:27:51 dc01 winbindd[1320]: [2019/01/06 18:27:51.049802,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
Jan 06 18:27:51 dc01 winbindd[1320]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jan 06 18:27:51 dc01 winbindd[1320]: [2019/01/06 18:27:51.056143,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Jan 06 18:27:51 dc01 winbindd[1320]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jan 06 18:27:51 dc01 smbd[1291]: [2019/01/06 18:27:51.225640,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Jan 06 18:27:51 dc01 smbd[1291]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 06 18:27:52 dc01 samba[1303]: task[ldapsrv][1303]: [2019/01/06 18:27:52.496784,  0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
Jan 06 18:27:52 dc01 samba[1303]: task[ldapsrv][1303]:   TLS self-signed keys generated OK

$ sudo systemctl status bind9 -n 500
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-01-06 18:27:46 CST; 1min 54s ago
     Docs: man:named(8)
 Main PID: 864 (named)
    Tasks: 7 (limit: 4915)
   CGroup: /system.slice/bind9.service
           +-864 /usr/sbin/named -f -u bind

Jan 06 18:27:46 dc01 systemd[1]: Started BIND Domain Name Server.
Jan 06 18:27:46 dc01 named[864]: starting BIND 9.11.3-1ubuntu1.3-Ubuntu (Extended Support Version) <id:a375815>
Jan 06 18:27:46 dc01 named[864]: running on Linux x86_64 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018
Jan 06 18:27:46 dc01 named[864]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules'
Jan 06 18:27:46 dc01 named[864]: running as: named -f -u bind
Jan 06 18:27:46 dc01 named[864]: ----------------------------------------------------
Jan 06 18:27:46 dc01 named[864]: BIND 9 is maintained by Internet Systems Consortium,
Jan 06 18:27:46 dc01 named[864]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan 06 18:27:46 dc01 named[864]: corporation.  Support and training for BIND 9 are
Jan 06 18:27:46 dc01 named[864]: available at https://www.isc.org/support
Jan 06 18:27:46 dc01 named[864]: ----------------------------------------------------
Jan 06 18:27:46 dc01 named[864]: adjusted limit on open files from 4096 to 1048576
Jan 06 18:27:46 dc01 named[864]: found 4 CPUs, using 4 worker threads
Jan 06 18:27:46 dc01 named[864]: using 3 UDP listeners per interface
Jan 06 18:27:46 dc01 named[864]: using up to 4096 sockets
Jan 06 18:27:46 dc01 named[864]: loading configuration from '/etc/bind/named.conf'
Jan 06 18:27:46 dc01 named[864]: reading built-in trust anchors from file '/etc/bind/bind.keys'
Jan 06 18:27:46 dc01 named[864]: initializing GeoIP Country (IPv4) (type 1) DB
Jan 06 18:27:46 dc01 named[864]: GEO-106FREE 20180315 Build
Jan 06 18:27:46 dc01 named[864]: initializing GeoIP Country (IPv6) (type 12) DB
Jan 06 18:27:46 dc01 named[864]: GEO-106FREE 20180315 Build
Jan 06 18:27:46 dc01 named[864]: GeoIP City (IPv4) (type 2) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP City (IPv4) (type 6) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP City (IPv6) (type 30) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP City (IPv6) (type 31) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP Region (type 3) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP Region (type 7) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP ISP (type 4) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP Org (type 5) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP AS (type 9) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP Domain (type 11) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP NetSpeed (type 10) DB not available
Jan 06 18:27:46 dc01 named[864]: using default UDP/IPv4 port range: [32768, 60999]
Jan 06 18:27:46 dc01 named[864]: using default UDP/IPv6 port range: [32768, 60999]
Jan 06 18:27:46 dc01 named[864]: listening on IPv6 interfaces, port 53
Jan 06 18:27:46 dc01 named[864]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 06 18:27:46 dc01 named[864]: generating session key for dynamic DNS
Jan 06 18:27:46 dc01 named[864]: sizing zone task pool based on 3 zones
Jan 06 18:27:46 dc01 named[864]: Loading 'AD DNS Zone' using driver dlopen
Jan 06 18:27:47 dc01 named[864]: samba_dlz: started for DN DC=corp,DC=<DOMAIN>,DC=com
Jan 06 18:27:47 dc01 named[864]: samba_dlz: starting configure
Jan 06 18:27:47 dc01 named[864]: samba_dlz: configured writeable zone 'corp.<DOMAIN>.com'
Jan 06 18:27:47 dc01 named[864]: samba_dlz: configured writeable zone '_msdcs.corp.<DOMAIN>.com'
Jan 06 18:27:47 dc01 named[864]: none:103: 'max-cache-size 90%' - setting to 14399MB (out of 15999MB)
Jan 06 18:27:47 dc01 named[864]: set up managed keys zone for view _default, file 'managed-keys.bind'
Jan 06 18:27:47 dc01 named[864]: none:103: 'max-cache-size 90%' - setting to 14399MB (out of 15999MB)
Jan 06 18:27:47 dc01 named[864]: configuring command channel from '/etc/bind/rndc.key'
Jan 06 18:27:47 dc01 named[864]: command channel listening on 127.0.0.1#953
Jan 06 18:27:47 dc01 named[864]: configuring command channel from '/etc/bind/rndc.key'
Jan 06 18:27:47 dc01 named[864]: command channel listening on ::1#953
Jan 06 18:27:47 dc01 named[864]: managed-keys-zone: journal file is out of date: removing journal file
Jan 06 18:27:47 dc01 named[864]: managed-keys-zone: loaded serial 4
Jan 06 18:27:47 dc01 named[864]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2018120901
Jan 06 18:27:47 dc01 named[864]: zone localhost/IN: loaded serial 2018120901
Jan 06 18:27:47 dc01 named[864]: all zones loaded
Jan 06 18:27:47 dc01 named[864]: running
Jan 06 18:27:49 dc01 named[864]: listening on IPv4 interface eno1, 172.20.10.130#53
Jan 06 18:27:50 dc01 named[864]: resolver priming query complete
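A preflight script for the failure reported above, added here as an example; it is not part of the original post and not code from Samba or ISC BIND. "TKEY is unacceptable" is what nsupdate prints when the server side rejects the GSS-TSIG key negotiation, so the script checks the things named(8) needs in order to accept it and then reproduces the negotiation by hand, outside samba_dnsupdate. Assumptions, all of them taken from the post or overridable from the environment: Samba under /usr/local/samba, named running as user bind, the bind9 systemd unit, MIT Kerberos client tools (kinit, klist, kvno), sudo available, and dc01.corp.example.com / CORP.EXAMPLE.COM standing in for the redacted domain. The function names (keytab_has_principal, keytab_max_kvno, kvno_field) and the _tkey-probe record name are mine.

```shell
#!/bin/sh
# Preflight for "dns_tkey_gssnegotiate: TKEY is unacceptable" on a Samba AD DC
# with the BIND9_DLZ backend.  Added example, not code from the post, Samba or BIND.
# Assumptions (override from the environment): Samba prefix /usr/local/samba,
# named(8) runs as "bind", MIT Kerberos tools; FQDN/realm below are placeholders
# because the post redacts the real domain.
KEYTAB="${KEYTAB:-/usr/local/samba/private/dns.keytab}"
BIND_USER="${BIND_USER:-bind}"
DC_FQDN="${DC_FQDN:-dc01.corp.example.com}"
REALM="${REALM:-CORP.EXAMPLE.COM}"

# klist -k output on stdin; succeed if some entry's principal equals $1.
# Entry lines look like "   1 DNS/dc01.corp.example.com@CORP.EXAMPLE.COM".
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit !found }'
}

# klist -k output on stdin; print the highest KVNO stored for principal $1
# (0 if absent).  A keytab whose kvno lags the KDC cannot decrypt tickets.
keytab_max_kvno() {
    awk -v want="$1" 'BEGIN { max = 0 }
                      $1 ~ /^[0-9]+$/ && $2 == want && ($1 + 0) > max { max = $1 + 0 }
                      END { print max }'
}

# kvno(1) output on stdin ("principal: kvno = N"); print N.
kvno_field() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

main() {
    principal="DNS/${DC_FQDN}@${REALM}"
    zone="${DC_FQDN#*.}"

    echo "== 1. files named must be able to read, tested as user $BIND_USER"
    for f in "$KEYTAB" /etc/krb5.conf; do
        if sudo -u "$BIND_USER" test -r "$f"; then echo "ok   $f"
        else echo "FAIL $f is not readable by $BIND_USER"; fi
    done

    echo "== 2. keytab $KEYTAB holds $principal"
    if klist -k "$KEYTAB" | keytab_has_principal "$principal"; then echo "ok"
    else echo "FAIL principal missing: named has no key to accept the GSS context"; return 1; fi

    echo "== 3. keytab key vs. KDC: kinit from the keytab, then compare kvno"
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    if ! kinit -k -t "$KEYTAB" "$principal"; then
        echo "FAIL kinit -k failed: the keytab key does not match what the KDC holds"; return 1
    fi
    kt=$(klist -k "$KEYTAB" | keytab_max_kvno "$principal")
    kdc=$(kvno "$principal" | kvno_field)
    [ "$kt" = "$kdc" ] && echo "ok   kvno $kt" || echo "FAIL keytab kvno $kt, KDC kvno $kdc"

    echo "== 4. manual GSS-TSIG update; nsupdate -g -d prints the TKEY exchange"
    # If TKEY now succeeds and only the update comes back REFUSED, that is a
    # record ACL problem for this principal, not the TKEY failure in the post.
    printf 'server %s\nzone %s\nupdate add _tkey-probe.%s. 60 IN TXT "probe"\nsend\nupdate delete _tkey-probe.%s. IN TXT\nsend\n' \
        "$DC_FQDN" "$zone" "$zone" "$zone" | nsupdate -g -d

    echo "== 5. what named logged meanwhile (the server-side reason is here, not in nsupdate)"
    journalctl -u bind9 --since "2 minutes ago" --no-pager \
        | grep -iE 'gss|tkey|keytab|krb5|kerberos' || echo "(no GSS/TKEY lines logged)"
    kdestroy
}

# Run the live checks only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root on the DC with `sh tkey-preflight.sh --run`. Steps 1 to 3 cover the keytab and krb5.conf that the post already inspected, but as the bind user and against the KDC rather than by eye; step 4 separates the TKEY negotiation from the update itself; step 5 is the part missing from the post, since nsupdate only ever reports the client-side verdict and named logs why it rejected the key.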

