[Samba] Issues with bind9 dlz

Rob Thoman emailthomasrob at gmail.com
Sun May 5 13:27:26 UTC 2019


Hi Rowland,
The samba-tool dns zonelist 127.0.0.1 -U Administrator%xxxxxxxxxx | grep
'pszZoneName', gives

Using binding ncacn_ip_tcp:127.0.0.1[,sign]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255
netmask=255.255.255.0
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255
netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255
netmask=255.255.255.0
added interface eth0 ip=192.168.117.10 bcast=192.168.14.255
netmask=255.255.255.0
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER

pszZoneName                 : intdom.group
pszZoneName                 : _msdcs.intdom.group

I went through the
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration bit
and set up the SELinux and AppArmor exceptions, restarting AppArmor. I
hadn't noticed it before, but I am seeing an rndc issue:


May 05 13:19:20 dozer5-new named[17817]: dlz_dlopen of 'AD DNS Zone' failed
May 05 13:19:20 dozer5-new named[17817]: SDLZ driver failed to load.
May 05 13:19:20 dozer5-new named[17817]: DLZ driver failed to load.
May 05 13:19:20 dozer5-new named[17817]: loading configuration: failure
May 05 13:19:20 dozer5-new named[17817]: exiting (due to fatal error)
May 05 13:19:20 dozer5-new systemd[1]: bind9.service: Main process exited,
code=exited, status=1/FAILURE
May 05 13:19:20 dozer5-new rndc[17824]: rndc: connect failed:
127.0.0.1#953: connection refused

Regards,
RT

On Sun, May 5, 2019 at 5:11 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sun, 5 May 2019 09:30:10 +1000
> Rob Thoman <emailthomasrob at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thank you.
> >
> > I think the 5 zones may be a parsing issue somewhere.
>
> I think you need to double check this; you normally only have 3. What
> does this command produce when run on a DC:
>
> samba-tool dns zonelist 127.0.0.1 -U Administrator%xxxxxxxxxx | grep
> 'pszZoneName'
>
> Replace 'xxxxxxxxxx' with your Administrator password.
>
> It should produce something like this:
>
>   pszZoneName                 : samdom.example.com
>   pszZoneName                 : 0.168.192.in-addr.arpa
>   pszZoneName                 : _msdcs.samdom.example.com
>
> > /etc/bind/named.conf.options has
> > options {
> >         directory "/var/cache/bind";
> >         dnssec-validation auto;
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on-v6 { any; };
> > };
>
> This is mine, which has worked since 2012:
>
> options {
>     directory "/var/cache/bind";
>     version "0.0.7";
>     notify no;
>     empty-zones-enable no;
>     allow-query { 127.0.0.1; 192.168.0.0/24; };
>     allow-recursion {  192.168.0.0/24; 127.0.0.1/32; };
>     forwarders { 8.8.8.8; 8.8.4.4; };
>     allow-transfer { none; };
>     dnssec-validation no;
>     dnssec-enable no;
>     dnssec-lookaside no;
>     listen-on-v6 { none; };
>     listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> };
>
> You do not have any forwarders and the 'dns.keytab' location has
> changed.
>
> > /usr/lib/x86_64-linux-gnu/samba/bind9
> > -rw-r--r--  1 root root 38904 Apr  4 18:05 dlz_bind9.so
> > -rw-r--r--  1 root root 38904 Apr  4 18:05 dlz_bind9_10.so
> > -rw-r--r--  1 root root 38904 Apr  4 18:05 dlz_bind9_11.so
> > -rw-r--r--  1 root root 38904 Apr  4 18:05 dlz_bind9_9.so
>
> Nothing wrong there
>
> > /etc/hosts
> > 192.168.117.10 server5
> > 192.168.117.10 server5.intdom.group
>
> That really should be on one line, and what happened to '127.0.0.1'?
>
> Try it like this:
> 127.0.0.1 localhost
> 192.168.117.10 server5.intdom.group server5
>
> > /etc/hostname
> > server5
>
> Good, just the short hostname
>
> Rowland
>
>
>
>
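A small checker for the three things this thread turns on (the zone list, the /etc/hosts layout, and the dns.keytab path in named.conf.options), written here as an added example rather than anything from the list or from the Samba project; the function names are my own, and the sample inputs are constructed from the values quoted above.

```python
"""Sanity checks for a Samba AD DC that uses the BIND9 DLZ backend.

Added example, not from the thread. It parses the noisy output of
`samba-tool dns zonelist`, checks /etc/hosts against the layout Rowland
suggests, and pulls the keytab path out of named.conf.options so it can
be compared with the file BIND is actually allowed to read.
"""
import re

# Constructed: zonelist output as pasted in the thread, noise lines included.
ZONELIST_OUTPUT = """\
Using binding ncacn_ip_tcp:127.0.0.1[,sign]
Cannot do GSSAPI to an IP address
pszZoneName                 : intdom.group
pszZoneName                 : _msdcs.intdom.group
"""

# Constructed: the /etc/hosts from the thread and the suggested replacement.
HOSTS_BAD = "192.168.117.10 server5\n192.168.117.10 server5.intdom.group\n"
HOSTS_GOOD = "127.0.0.1 localhost\n192.168.117.10 server5.intdom.group server5\n"


def zone_names(output):
    """Return the zone names from zonelist output, ignoring diagnostic lines."""
    return re.findall(r"^\s*pszZoneName\s*:\s*(\S+)$", output, re.M)


def check_hosts(hosts_text, ip, fqdn, short):
    """Return a list of problems with /etc/hosts for a DC at ip/fqdn/short."""
    problems = []
    rows = [line.split() for line in hosts_text.splitlines()
            if line.strip() and not line.startswith("#")]
    if not any(r[0] == "127.0.0.1" and "localhost" in r[1:] for r in rows):
        problems.append("no '127.0.0.1 localhost' entry")
    dc_rows = [r for r in rows if r[0] == ip]
    if len(dc_rows) != 1:
        problems.append(f"expected one line for {ip}, found {len(dc_rows)}")
    elif dc_rows[0][1:3] != [fqdn, short]:
        # FQDN first, then the short name, on the same line.
        problems.append(f"{ip} line should read '{ip} {fqdn} {short}'")
    return problems


def keytab_path(named_options):
    """Extract the tkey-gssapi-keytab path from named.conf.options text."""
    match = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"', named_options)
    return match.group(1) if match else None
```

Feed `keytab_path()` the real file and compare the result with the path granted in the AppArmor or SELinux policy; a mismatch is one way to end up with the "dlz_dlopen ... failed" lines seen above.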

