[Samba] Workstations cannot update DNS

Rowland Penny rpenny at samba.org
Wed May 15 21:00:06 UTC 2019


On 15/05/2019 21:43, durwin at mgtsciences.com wrote:
> > > *named.conf.options*
> > > options {
> > >         directory "/var/cache/bind";
> > >
> > >         // If there is a firewall between you and nameservers you want
> > >         // to talk to, you may need to fix the firewall to allow multiple
> > >         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> > >
> > >         // If your ISP provided one or more IP addresses for stable
> > >         // nameservers, you probably want to use them as forwarders.
> > >         // Uncomment the following block, and insert the addresses replacing
> > >         // the all-0's placeholder.
> > >         // 172.23.93.3 is master dns for mycompany.com
> > >
> > >         forwarders {
> > >   172.23.93.3; 8.8.8.8;
> > >         };
> > >
> > >         //========================================================================
> > >         // If BIND logs error messages about the root key being expired,
> > >         // you will need to update your keys.  See https://www.isc.org/bind-keys
> > >         //========================================================================
> > >         dnssec-validation auto;
> > >
> > >         auth-nxdomain no;    # conform to RFC1035
> > >         //listen-on-v6 { any; };
> > >         listen-on { any; };
> > >         notify no;
> > >
> > >         empty-zones-enable no;
> > >         // DNS dynamic updates via Kerberos
> > > /var/lib/samba/private/dns.keytab;
> > >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > > };
> >
> >
> > OK, everything looks okay, except for /etc/bind/named.conf.options, this
> > is mine (which has worked since 2012):
> >
> > options {
> >      directory "/var/cache/bind";
> >      version "0.0.7";
> >      notify no;
> >      empty-zones-enable no;
> >      allow-query { 127.0.0.1; 192.168.0.0/24; };
> >      allow-recursion {  192.168.0.0/24; 127.0.0.1/32; };
> >      forwarders { 8.8.8.8; 8.8.4.4; };
> >      allow-transfer { none; };
> >      dnssec-validation no;
> >      dnssec-enable no;
> >      dnssec-lookaside no;
> >      listen-on-v6 { none; };
> >      listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> >
> >      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> > };
> >
> > I think you should be able to see the differences, especially the last
> > line ;-)
>
> I took your lines, modified for my subnet.
>   1 options {
>   2      directory "/var/cache/bind";
>   3      notify no;
>   4      empty-zones-enable no;
>   5      allow-query { 127.0.0.1; 172.23.93.0/24; };
>   6      allow-recursion {  172.23.93.0/24; 127.0.0.1/32; };
>   7      forwarders { 172.23.93.3; 8.8.8.8; };
>   8      allow-transfer { none; };
>   9      dnssec-validation no;
>  10      dnssec-enable no;
>  11      dnssec-lookaside no;
>  12      listen-on-v6 { none; };
>  13      listen-on port 53 { 172.23.93.25; 127.0.0.1; };
>  14
>  15      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>  16 };
>
> This is what systemctl status bind9 shows
>
> ● bind9.service - BIND Domain Name Server
>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Wed 2019-05-15 14:25:31 MDT; 10min ago
>      Docs: man:named(8)
>   Process: 868 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
>  Main PID: 868 (code=exited, status=1/FAILURE)
>
> May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:9: unknown option '   '
> May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:10: unknown option '   '
> May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:11: unknown option '   '
> May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:12: unknown option '   '
> May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:13: unknown option '   '
> May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:15: unknown option '   '
> May 15 14:25:31 dc0 named[868]: loading configuration: failure
> May 15 14:25:31 dc0 named[868]: exiting (due to fatal error)
> May 15 14:25:31 dc0 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> May 15 14:25:31 dc0 systemd[1]: bind9.service: Failed with result 'exit-code'.
>
>
Bit lost here, as I said, I have been using this since 2012, first on
Ubuntu, then Debian and finally on Devuan, without problems. All I can
suggest is that you check it again for typos etc.

Rowland
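
One way to carry out the "check it again for typos" step on a config pasted from mail, as an added example that is not part of the original message or of Samba/BIND: it lists every character in the file that is not printable ASCII, with its line number, so the result can be compared against the line numbers named logs. That the whitespace-only option name in the log comes from non-ASCII spaces such as U+00A0 is an assumption, not something established in the thread; the sample config and function names are constructed for illustration.

```python
import sys
import unicodedata

# Constructed sample: line 3 is indented with U+00A0 (no-break space) and
# line 4 ends with U+200B (zero width space), both invisible in most editors.
SAMPLE = (
    'options {\n'
    '     directory "/var/cache/bind";\n'
    '\u00a0\u00a0\u00a0\u00a0\u00a0dnssec-validation no;\n'
    '     listen-on-v6 { none; };\u200b\n'
    '};\n'
)


def find_suspect_chars(text):
    """Return (line, column, codepoint, name) for each character that is
    neither printable ASCII nor a tab. Lines are split on LF only, so a
    stray CR from a CRLF file is reported as well."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t" or 0x20 <= ord(ch) <= 0x7E:
                continue
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings


def suspect_lines(text):
    """Sorted line numbers that contain at least one suspect character."""
    return sorted({lineno for lineno, _, _, _ in find_suspect_chars(text)})


if __name__ == "__main__":
    # Pass the path to the config as the first argument, e.g.
    # /etc/bind/named.conf.options; with no argument the sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="surrogateescape") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for lineno, col, cp, name in find_suspect_chars(data):
        print(f"line {lineno}, column {col}: {cp} {name}")
```

Running `named-checkconf` on the file afterwards reports parse errors without having to restart the service.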