[Samba] Issues with bind9 dlz

Rob Thoman emailthomasrob at gmail.com
Sat May 4 23:30:10 UTC 2019


Hi Rowland,

Thank you.

I think the 5 zones may be a parsing issue somewhere. Also, the realms are
in capitals, must have been a typo.
The UFW has been disabled and selinux is in a disabled state.

/etc/bind/named.conf.options has
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };


//========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys

//========================================================================
        dnssec-validation auto;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

/usr/lib/x86_64-linux-gnu/samba/bind9
-rw-r--r--  1 root root 38904 Apr  4 18:05 dlz_bind9.so
-rw-r--r--  1 root root 38904 Apr  4 18:05 dlz_bind9_10.so
-rw-r--r--  1 root root 38904 Apr  4 18:05 dlz_bind9_11.so
-rw-r--r--  1 root root 38904 Apr  4 18:05 dlz_bind9_9.so

/etc/hosts
192.168.117.10 server5
192.168.117.10 server5.intdom.group

/etc/hostname
server5

On Sun, May 5, 2019 at 12:58 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sun, 5 May 2019 00:11:40 +1000
> Rob Thoman via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > We migrated the domain to AD on a ubuntu 18.04 box with samba 4.7.6.
> > The DNS backend is DLZ
> >
> > We are seeing DNS issues as per below
> >
> > When using dnsupdate we get the following error. The server can
> > resolve the hostname(itself)
> >
> > added interface eth0 ip=192.168.117.10 bcast=192.168.117.255
> > netmask=255.255.255.0
> > IPs: ['192.168.117.10']
> > need cache add: A server5.intdom.group 192.168.117.10
> > Looking for DNS entry A server5.intdom.group 192.168.117.10 as
> > server5.intdom.group.
> > Traceback (most recent call last):
> >   File "/usr/sbin/samba_dnsupdate", line 827, in <module>
> >     elif not check_dns_name(d):
> >   File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
> >     raise Exception("Timeout while waiting to contact a working DNS
> > server while looking for %s as %s" % (d, normalised_na$
> > Exception: Timeout while waiting to contact a working DNS server while
> > looking for A server5.intdom.group 192.168.117.10 $
> > ;; connection timed out; no servers could be reached
> > ;; connection timed out; no servers could be reached
> > ;; connection timed out; no servers could be reached
> >
> > service bind9 status
> >
> > May 04 13:50:40 server5-new named[2079]: sizing zone task pool based
> > on 5 zones
>
> Why '5' zones ?
>
> > May 04 13:50:40 server5-new named[2079]: Loading 'AD DNS Zone' using
> > driver dlopen
> > May 04 13:50:40 server5-new named[2079]: dlz_dlopen failed to open
> > library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9$
>
> Does /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so exist and if
> so, who owns it and what are the permissions ?
>
> > May 04 13:50:40 server5-new named[2079]: dlz_dlopen of 'AD DNS Zone'
> > failed May 04 13:50:40 server5-new named[2079]: SDLZ driver failed to
> > load. May 04 13:50:40 server5-new named[2079]: DLZ driver failed to
> > load. May 04 13:50:40 server5-new named[2079]: loading configuration:
> > failure May 04 13:50:40 server5-new named[2079]: exiting (due to
> > fatal error) May 04 13:50:40 server5-new systemd[1]: bind9.service:
> > Main process exited, code=exited, status=1/FAILURE
> > May 04 13:50:40 server5-new systemd[1]: bind9.service: Failed with
> > result 'exit-code'.
> >
> > /etc/bind/name.conf has the following
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/private/named.conf";
> >
> > named.conf.options has
> >
> > dnssec-validation auto;
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on-v6 { any; };
>
> If that is all there is, there isn't enough.
> If it isn't all there is, please post the entire contents.
>
> > /etc/krb5.conf has
> >
> > [libdefaults]
> >         default_realm = intdom.GROUP
>
> All the REALM should be in UPPERCASE
>
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > [realms]
> >         intdom.GROUP = {
> >                 kdc = server5
> >                 admin_server = server5
>
> You do not require the [realms] part.
>
> > }
> >
> > /etc/resolv.conf has
> >
> > nameserver 192.168.117.10
> > search intdom.group
> >
> > smb.conf has
> >
> > [global]
> >         workgroup = intdom
> >         realm = intdom.GROUP
> >         netbios name = server5
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         log file = /var/log/samba/log.%m
> >         log level = 4
> >         acl allow execute always = True
> >         server services = -dns
> >         allow dns updates = nonsecure
> >
>
> Can you post the contents of /etc/hostname & /etc/hosts
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
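The thread boils down to a handful of preconditions for the BIND9_DLZ backend: named must be able to dlopen the Samba module built for its own minor version, it must be able to read that module and the DNS keytab as the unprivileged bind user, named.conf must include Samba's generated named.conf, and the Kerberos realm must be uppercase. The script below is an added example, not code from the thread or from the Samba project, that checks each of those points. Paths are the Ubuntu defaults quoted in the thread; BIND_USER=bind, the script name, and the sample `named -v` and `ls -l` strings used in its comments and tests are assumptions and constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: pre-flight
# checks for the BIND9_DLZ backend on a Samba AD DC, covering what the thread
# asks about (which dlz module named needs, whether named can read it and the
# DNS keytab, whether named.conf pulls in Samba's generated named.conf, and
# whether the Kerberos realm is uppercase). Paths are the Ubuntu defaults quoted
# in the thread; BIND_USER=bind is an assumption (Ubuntu's bind9 package runs
# named as that user).
set -u

BIND_USER="${BIND_USER:-bind}"
DLZ_DIR="${DLZ_DIR:-/usr/lib/x86_64-linux-gnu/samba/bind9}"
KEYTAB="${KEYTAB:-/var/lib/samba/private/dns.keytab}"
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf}"
NAMED_OPTIONS="${NAMED_OPTIONS:-/etc/bind/named.conf.options}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
SAMBA_NAMED_CONF="${SAMBA_NAMED_CONF:-/var/lib/samba/private/named.conf}"

# Map the first line of `named -v` (e.g. "BIND 9.11.3-...") to the Samba DLZ
# module built for that minor version, e.g. dlz_bind9_11.so. Samba ships one
# module per supported BIND minor version, as the directory listing shows.
dlz_module_for() {
    minor=$(printf '%s\n' "$1" | sed -n 's/^BIND 9\.\([0-9][0-9]*\).*/\1/p')
    [ -n "$minor" ] || return 1
    printf 'dlz_bind9_%s.so\n' "$minor"
}

# Decide from one `ls -l` line whether user $2 can read the file. named drops
# to BIND_USER, so a root-owned module must be world readable (0644 passes),
# while the keytab may instead be group readable (root:bind 0640 passes).
# Simplification: the group counts only when it has the same name as the
# user, which holds for Ubuntu's bind:bind.
readable_by_user() {
    user=$2
    set -- $1
    mode=$1; owner=$3; group=$4
    if [ "$owner" = "$user" ] && [ "$(printf '%s' "$mode" | cut -c2)" = r ]; then return 0; fi
    if [ "$group" = "$user" ] && [ "$(printf '%s' "$mode" | cut -c5)" = r ]; then return 0; fi
    [ "$(printf '%s' "$mode" | cut -c8)" = r ]
}

# named.conf must include Samba's generated named.conf; that file carries the
# dlz block whose dlopen of the module failed in the thread's log.
includes_samba_conf() {
    grep -Fq "include \"$SAMBA_NAMED_CONF\";" "$1"
}

# named.conf.options must point tkey-gssapi-keytab at the DNS keytab, or
# GSS-TSIG (secure) dynamic updates cannot authenticate.
has_gssapi_keytab() {
    grep -Fq "tkey-gssapi-keytab \"$KEYTAB\";" "$1"
}

# Kerberos realm names are case sensitive and must be uppercase.
default_realm_from() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}
realm_is_uppercase() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Live checks against this host: one line per check, returns 1 on any failure.
run_checks() {
    rc=0
    if module=$(dlz_module_for "$(named -v 2>/dev/null | head -n 1)"); then
        if [ -e "$DLZ_DIR/$module" ] && readable_by_user "$(ls -l "$DLZ_DIR/$module")" "$BIND_USER"; then
            echo "ok: $DLZ_DIR/$module readable by $BIND_USER"
        else
            echo "FAIL: $DLZ_DIR/$module missing or not readable by $BIND_USER"; rc=1
        fi
    else
        echo "FAIL: could not determine BIND version from 'named -v'"; rc=1
    fi
    if [ -e "$KEYTAB" ] && readable_by_user "$(ls -l "$KEYTAB")" "$BIND_USER"; then
        echo "ok: $KEYTAB readable by $BIND_USER"
    else
        echo "FAIL: $KEYTAB missing or not readable by $BIND_USER"; rc=1
    fi
    includes_samba_conf "$NAMED_CONF" && echo "ok: $NAMED_CONF includes $SAMBA_NAMED_CONF" \
        || { echo "FAIL: $NAMED_CONF does not include $SAMBA_NAMED_CONF"; rc=1; }
    has_gssapi_keytab "$NAMED_OPTIONS" && echo "ok: tkey-gssapi-keytab set in $NAMED_OPTIONS" \
        || { echo "FAIL: tkey-gssapi-keytab not set in $NAMED_OPTIONS"; rc=1; }
    realm=$(default_realm_from "$KRB5_CONF")
    [ -n "$realm" ] && realm_is_uppercase "$realm" && echo "ok: default_realm $realm" \
        || { echo "FAIL: default_realm '$realm' must be set and uppercase"; rc=1; }
    return $rc
}

# Run the live checks only when asked, so the helper functions can also be
# sourced and exercised on captured output without touching the host.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

Run it on the DC as `RUN_CHECKS=1 sh dlz_check.sh` (file name assumed); without `RUN_CHECKS` it only defines the functions, which is how the checks can be tried against a pasted `ls -l` line such as the one above. The thread's listing of root-owned 0644 modules passes the readability check, so on that host the `dlz_dlopen` failure points at the truncated path in the dlz block of Samba's named.conf or at the module name not matching the installed BIND version rather than at permissions. Separately, `allow dns updates = nonsecure` in the quoted smb.conf lets any host on the network rewrite DNS records; Samba's default is `secure only`, and the relaxed setting is best kept to troubleshooting.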

