[Samba] Workstations cannot update DNS

durwin at mgtsciences.com durwin at mgtsciences.com
Wed May 15 20:43:02 UTC 2019 

> > *named.conf.options*
> > options {
> >         directory "/var/cache/bind";
> >
> >         // If there is a firewall between you and nameservers you want
> >         // to talk to, you may need to fix the firewall to allow 
multiple
> >         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> >
> >         // If your ISP provided one or more IP addresses for stable
> >         // nameservers, you probably want to use them as forwarders.
> >         // Uncomment the following block, and insert the addresses 
> > replacing
> >         // the all-0's placeholder.
> >         // 172.23.93.3 is master dns for mycompany.com
> >
> >         forwarders {
> >   172.23.93.3; 8.8.8.8;
> >         };
> >
> > 
//========================================================================
> >         // If BIND logs error messages about the root key being 
expired,
> >         // you will need to update your keys.  See 
> > https://www.isc.org/bind-keys
> > 
//========================================================================
> >         dnssec-validation auto;
> >
> >         auth-nxdomain no;    # conform to RFC1035
> >         //listen-on-v6 { any; };
> >         listen-on { any; };
> >         notify no;
> >
> >         empty-zones-enable no;
> >         // DNS dynamic updates via Kerberos 
> > /var/lib/samba/private/dns.keytab;
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > };
> 
> 
> OK, everything looks okay, except for /etc/bind/named.conf.options, this 

> is mine (which as worked since 2012):
> 
> options {
>      directory "/var/cache/bind";
>      version "0.0.7";
>      notify no;
>      empty-zones-enable no;
>      allow-query { 127.0.0.1; 192.168.0.0/24; };
>      allow-recursion {  192.168.0.0/24; 127.0.0.1/32; };
>      forwarders { 8.8.8.8; 8.8.4.4; };
>      allow-transfer { none; };
>      dnssec-validation no;
>      dnssec-enable no;
>      dnssec-lookaside no;
>      listen-on-v6 { none; };
>      listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> 
>      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> };
> 
> I think you should be able to see the differences, especially the last 
> line ;-)

I took your lines, modified for my subnet.
  1 options {
  2      directory "/var/cache/bind";
  3      notify no;
  4      empty-zones-enable no;
  5      allow-query { 127.0.0.1; 172.23.93.0/24; };
  6      allow-recursion {  172.23.93.0/24; 127.0.0.1/32; };
  7      forwarders { 172.23.93.3; 8.8.8.8; };
  8      allow-transfer { none; };
  9      dnssec-validation no;
 10      dnssec-enable no;
 11      dnssec-lookaside no;
 12      listen-on-v6 { none; };
 13      listen-on port 53 { 172.23.93.25; 127.0.0.1; };
 14
 15      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
 16 };

This is what systemctl status bind9 shows

● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor 
preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-05-15 14:25:31 MDT; 
10min ago
     Docs: man:named(8)
  Process: 868 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, 
status=1/FAILURE)
 Main PID: 868 (code=exited, status=1/FAILURE)

May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:9: unknown 
option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:10: unknown 
option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:11: unknown 
option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:12: unknown 
option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:13: unknown 
option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:15: unknown 
option '   '
May 15 14:25:31 dc0 named[868]: loading configuration: failure
May 15 14:25:31 dc0 named[868]: exiting (due to fatal error)
May 15 14:25:31 dc0 systemd[1]: bind9.service: Main process exited, 
code=exited, status=1/FAILURE
May 15 14:25:31 dc0 systemd[1]: bind9.service: Failed with result 
'exit-code'.


> Rowland
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



This email message and any attachments are for the sole use of the 
intended recipient(s) and may contain proprietary and/or confidential 
information which may be privileged or otherwise protected from 
disclosure. Any unauthorized review, use, disclosure or distribution is 
prohibited. If you are not the intended recipient(s), please contact the 
sender by reply email and destroy the original message and any copies of 
the message as well as any attachments to the original message.

More information about the samba mailing list