[Samba] Issues with bind9 dlz
Rob Thoman
emailthomasrob at gmail.com
Sat May 4 23:30:10 UTC 2019
Hi Rowland,
Thank you.
I think the 5 zones may be a parsing issue somewhere. Also, the realms are
in capitals; that must have been a typo.
UFW has been disabled and SELinux is in a disabled state.
/etc/bind/named.conf.options has
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See
// https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
/usr/lib/x86_64-linux-gnu/samba/bind9
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_10.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_11.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_9.so
/etc/hosts
192.168.117.10 server5
192.168.117.10 server5.intdom.group
/etc/hostname
server5
On Sun, May 5, 2019 at 12:58 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Sun, 5 May 2019 00:11:40 +1000
> Rob Thoman via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > We migrated the domain to AD on a ubuntu 18.04 box with samba 4.7.6.
> > The DNS backend is DLZ
> >
> > We are seeing DNS issues as per below
> >
> > When using dnsupdate we get the following error. The server can
> > resolve the hostname(itself)
> >
> > added interface eth0 ip=192.168.117.10 bcast=192.168.117.255
> > netmask=255.255.255.0
> > IPs: ['192.168.117.10']
> > need cache add: A server5.intdom.group 192.168.117.10
> > Looking for DNS entry A server5.intdom.group 192.168.117.10 as
> > server5.intdom.group.
> > Traceback (most recent call last):
> > File "/usr/sbin/samba_dnsupdate", line 827, in <module>
> > elif not check_dns_name(d):
> > File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
> > raise Exception("Timeout while waiting to contact a working DNS
> > server while looking for %s as %s" % (d, normalised_na$
> > Exception: Timeout while waiting to contact a working DNS server while
> > looking for A server5.intdom.group 192.168.117.10 $
> > ;; connection timed out; no servers could be reached
> > ;; connection timed out; no servers could be reached
> > ;; connection timed out; no servers could be reached
> >
> > service bind9 status
> >
> > May 04 13:50:40 server5-new named[2079]: sizing zone task pool based
> > on 5 zones
>
> Why '5' zones ?
>
> > May 04 13:50:40 server5-new named[2079]: Loading 'AD DNS Zone' using
> > driver dlopen
> > May 04 13:50:40 server5-new named[2079]: dlz_dlopen failed to open
> > library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9$
>
> Does /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so exist and if
> so, who owns it and what are the permissions ?
>
> > May 04 13:50:40 server5-new named[2079]: dlz_dlopen of 'AD DNS Zone' failed
> > May 04 13:50:40 server5-new named[2079]: SDLZ driver failed to load.
> > May 04 13:50:40 server5-new named[2079]: DLZ driver failed to load.
> > May 04 13:50:40 server5-new named[2079]: loading configuration: failure
> > May 04 13:50:40 server5-new named[2079]: exiting (due to fatal error)
> > May 04 13:50:40 server5-new systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> > May 04 13:50:40 server5-new systemd[1]: bind9.service: Failed with
> > result 'exit-code'.
> >
> > /etc/bind/name.conf has the following
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/private/named.conf";
> >
> > named.conf.options has
> >
> > dnssec-validation auto;
> > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > auth-nxdomain no; # conform to RFC1035
> > listen-on-v6 { any; };
>
> If that is all there is, there isn't enough.
> If it isn't all there is, please post the entire contents.
>
> > /etc/krb5.conf has
> >
> > [libdefaults]
> > default_realm = intdom.GROUP
>
> All the REALM should be in UPPERCASE
>
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > intdom.GROUP = {
> > kdc = server5
> > admin_server = server5
>
> You do not require the [realms] part.
>
> > }
> >
> > /etc/resolv.conf has
> >
> > nameserver 192.168.117.10
> > search intdom.group
> >
> > smb.conf has
> >
> > [global]
> > workgroup = intdom
> > realm = intdom.GROUP
> > netbios name = server5
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > log file = /var/log/samba/log.%m
> > log level = 4
> > acl allow execute always = True
> > server services = -dns
> > allow dns updates = nonsecure
> >
>
> Can you post the contents of /etc/hostname & /etc/hosts
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
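The checks Rowland asks for in this thread (which dlz_bind9_*.so the generated named.conf loads and whether it matches the running BIND, who can read it, whether the Kerberos realm is upper case), plus the AppArmor check an Ubuntu 18.04 admin would add when dlopen fails on a file the bind user can read, as a POSIX shell script. This is an added example, not code from the thread or from the Samba project. The default paths are the Ubuntu 18.04 / Samba 4.7 layout quoted above and are assumptions for any other layout; the AppArmor log line used to exercise it is constructed.

```shell
#!/bin/sh
# Diagnostics for a Samba AD DC running the BIND9_DLZ backend on Ubuntu 18.04.
# Added example; not code from this thread or from the Samba project.
# Defaults are the paths quoted in the thread; override via the environment.

DLZ_DIR=${DLZ_DIR:-/usr/lib/x86_64-linux-gnu/samba/bind9}
SAMBA_NAMED_CONF=${SAMBA_NAMED_CONF:-/var/lib/samba/private/named.conf}
KRB5_CONF=${KRB5_CONF:-/etc/krb5.conf}
DNS_KEYTAB=${DNS_KEYTAB:-/var/lib/samba/private/dns.keytab}

# Map "named -v" output (e.g. "BIND 9.11.3-1ubuntu1.5-Ubuntu") to the module
# Samba ships for that BIND series; plain dlz_bind9.so is the 9.8 build.
dlz_module_for_version() {
    minor=$(printf '%s\n' "$1" | sed -n 's/^BIND 9\.\([0-9][0-9]*\).*/\1/p')
    case "$minor" in
        '') return 1 ;;
        8)  echo dlz_bind9.so ;;
        *)  echo "dlz_bind9_${minor}.so" ;;
    esac
}

# Print the module path from the single uncommented "database" line in the
# named.conf that Samba generates (its other "# database ..." lines stay
# commented; exactly one must be enabled, and it must match the running BIND).
active_dlz_module() {
    sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' "$1"
}

# named runs as the bind user, so the module, Samba's named.conf and
# dns.keytab need the other-read bit (0644 root:root, as in the listing
# above, passes this check).
readable_by_others() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Kerberos realm names are upper case: INTDOM.GROUP, not intdom.GROUP.
krb5_default_realm_ok() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" \
            | head -n 1 | tr -d ' \t\r')
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# A dlopen() failure on a file the bind user can read is, on Ubuntu, usually
# the usr.sbin.named AppArmor profile; denials appear in dmesg/journal as
# apparmor="DENIED" ... profile="/usr/sbin/named". Reads a file or stdin.
apparmor_denials_for_named() {
    grep 'apparmor="DENIED"' ${1:+"$1"} | grep 'profile="/usr/sbin/named"'
}

# Run all checks against the live system; print each finding, exit 1 on any.
run_checks() {
    status=0
    mod=$(active_dlz_module "$SAMBA_NAMED_CONF")
    want=$(dlz_module_for_version "$(named -v 2>/dev/null)" || echo unknown)
    if [ -z "$mod" ]; then
        echo "no uncommented database line in $SAMBA_NAMED_CONF"; status=1
    elif [ "$(basename "$mod")" != "$want" ]; then
        echo "$SAMBA_NAMED_CONF loads $mod, but the running BIND needs $DLZ_DIR/$want"; status=1
    fi
    for f in ${mod:+"$mod"} "$SAMBA_NAMED_CONF" "$DNS_KEYTAB"; do
        readable_by_others "$f" || { echo "$f is missing or not readable by the bind user"; status=1; }
    done
    krb5_default_realm_ok "$KRB5_CONF" || { echo "default_realm in $KRB5_CONF is not upper case"; status=1; }
    dmesg 2>/dev/null | apparmor_denials_for_named | sed 's/^/AppArmor: /'
    return $status
}

case "${1:-}" in --run) run_checks ;; esac
```

Run it on the DC as `sh dlz-check.sh --run`; each finding is printed and the exit status is non-zero if anything fails. Two things it does not do are worth doing by hand: `named-checkconf /etc/bind/named.conf` validates the whole include chain (a stray uncommented line in named.conf.options, such as a URL that lost its `//`, fails there before the DLZ module is ever tried), and `dig @127.0.0.1 server5.intdom.group A` confirms the DC answers for its own name once bind9 is up. On the "5 zones" question above: Debian's named.conf.default-zones declares five zones (the root hints plus localhost, 127.in-addr.arpa, 0.in-addr.arpa and 255.in-addr.arpa), so that line is expected at the point in startup before the DLZ zone is loaded.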