[Samba] FW: Problems setting up samba bind9_dlz on Ubuntu 18.04

David Masshardt david at masshardt.ch
Sun Nov 24 15:28:17 UTC 2019


Hi,

thanks for the quick reply. I've now installed libpam-krb5 and copied the krb5.conf to /etc instead of the symlink.

I've also installed the ntp service, but I'm still getting the same errors in the dns replication.

The /etc/resolv.conf is managed by netplan under Ubuntu 18:

	nameserver 127.0.0.53
	options edns0
	search domain.com

I've now changed the nameserver to localhost. This is the netplan yaml config behind this:

	network:
	    ethernets:
	        ens18:
	            addresses: ['172.17.2.1/16']
	            gateway4: 172.17.1.1
	            nameservers:
	                addresses: [127.0.0.1]
	                search: [domain.com]
	    version: 2

And this is the content of the /etc/bind/named.conf:

	include "/etc/bind/named.conf.options";
	include "/etc/bind/named.conf.local";
	include "/etc/bind/named.conf.default-zones";
	include "/var/lib/samba/private/named.conf";

Any other ideas what could cause this problem?

Regards
David

On 24.11.19, 14:31, "samba on behalf of Rowland penny via samba" <samba-bounces at lists.samba.org on behalf of samba at lists.samba.org> wrote:

    On 24/11/2019 12:36, David Masshardt via samba wrote:
    > Hi,
    >
    > I hope someone can help me with the following problem. I followed the following guides to set up samba as an additional active directory server to my windows server with bind9 dns:
    >
    > https://www.tecmint.com/join-additional-ubuntu-dc-to-samba4-ad-dc-failover-replication/
    
    You shouldn't need to add the first DC's data to /etc/resolv.conf; if you
    do need to, then your dns is broken. What you should ensure is there is
    the data for the DC you are joining.
    
    Sorry, but ntpdate is insufficient for time synchronisation between DCs,
    see here for more info:
    
    https://wiki.samba.org/index.php/Time_Synchronisation
    
    I would also install libpam-krb5
    
    After the join, you need to copy the krb5.conf file created by the join
    to /etc/krb5.conf, do not symlink it.
    
    At this point, you also need to edit /etc/resolv.conf so that the DC now
    points to itself as the nameserver, instead of the first DC. You can add
    the first DC as a secondary nameserver, if you wish, but if the DC goes
    down, there isn't much point.
    
    > https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting
    >
    > The active directory replication works, but the dns replication does not. When I'm running "samba_dnsupdate --all-names" I get the following output:
    >
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > update failed: REFUSED
    > ; TSIG error with server: tsig verify failure
    > update failed: REFUSED
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > ; TSIG error with server: tsig verify failure
    > Failed update of 19 entries
    This is probably because you are trying to change the second DC's info on
    the first DC with the wrong ticket
    >
    > Here is a list of versions:
    >
    > Ubuntu: 18.04
    > Samba: 4.7.6-Ubuntu
    4.7.6 is EOL from Samba's point of view; you can get later versions
    here: http://apt.van-belle.nl/
    > bind9: 9.11.3-1ubuntu1.11-Ubuntu
    >
    > And this is my smb.conf:
    >
    > [global]
    > netbios name = DC01
    > realm = DOMAIN.COM
    > server role = active directory domain controller
    > workgroup = DOMAIN.COM
    The workgroup CANNOT be the same as the realm
    > dns forwarder = 172.17.1.1
    > idmap_ldb:use rfc2307 = yes
    >
    > template shell = /bin/bash
    > winbind use default domain = true
    The line above does nothing on a DC
    > winbind offline logon = false
    The line above is a default setting and hence isn't required
    > winbind nss info = rfc2307
    The line above should only be used on a Unix domain member
    > winbind enum users = yes
    > winbind enum groups = yes
    The lines above are not required, they only make 'getent passwd' &
    'getent group' work without specifying a user or group name, but they
    also slow things down.
    > server services = -dns
    >
    > [netlogon]
    > path = /var/lib/samba/sysvol/domain.com/scripts
    > read only = No
    >
    > [sysvol]
    > path = /var/lib/samba/sysvol
    > read only = No
    >
    > I'm not really sure if samba is even using bind9. I've enabled the logging of bind9, but I cannot see any logs when running the dns update.
    No, you see any logs
    >
    > Did I miss a step to activate the bind9 module?
    
    Probably not, but it might help if you post the named.conf files in
    /etc/bind
    
    Rowland
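A small check script, added here and not taken from the thread or from the Samba project, that tests a DC's files for the points Rowland raised: workgroup equal to realm, winbind options that do nothing on a DC, resolv.conf pointing at the systemd-resolved stub instead of the DC itself, a named.conf that omits Samba's private named.conf while `server services = -dns` is set, and a symlinked krb5.conf. The sample files it writes are constructed to reproduce the configuration quoted above; the file paths and the helper names are assumptions.

```shell
#!/bin/sh
# Constructed sample inputs mirroring the thread's configs (not the poster's real files).
tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
realm = DOMAIN.COM
workgroup = DOMAIN.COM
server services = -dns
winbind use default domain = true
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
EOF
printf 'nameserver 127.0.0.53\nsearch domain.com\n' > "$tmp/resolv.conf"
printf 'include "/etc/bind/named.conf.options";\n' > "$tmp/named.conf"
ln -s "$tmp/smb.conf" "$tmp/krb5.conf"   # a symlink, as in the original join

# smbconf_get FILE KEY: value of the first "KEY = value" line in FILE
smbconf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_dc_config SMBCONF RESOLVCONF NAMEDCONF KRB5CONF
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
check_dc_config() {
    n=0
    if [ "$(smbconf_get "$1" realm)" = "$(smbconf_get "$1" workgroup)" ]; then
        echo "workgroup equals realm; workgroup must be the short NetBIOS name"; n=$((n+1))
    fi
    for k in "winbind use default domain" "winbind nss info" \
             "winbind enum users" "winbind enum groups"; do
        if [ -n "$(smbconf_get "$1" "$k")" ]; then
            echo "'$k' is not needed on a DC"; n=$((n+1))
        fi
    done
    if [ "$(awk '/^nameserver/ {print $2; exit}' "$2")" = "127.0.0.53" ]; then
        echo "resolv.conf uses the systemd-resolved stub; the DC must resolve via itself"; n=$((n+1))
    fi
    if [ "$(smbconf_get "$1" 'server services')" = "-dns" ] \
       && ! grep -q 'samba/private/named.conf' "$3"; then
        echo "server services = -dns but $3 does not include Samba's private named.conf"; n=$((n+1))
    fi
    if [ -L "$4" ]; then
        echo "$4 is a symlink; copy the generated krb5.conf to /etc instead"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}
```

Run it against the real files (`check_dc_config /etc/samba/smb.conf /etc/resolv.conf /etc/bind/named.conf /etc/krb5.conf`) on the joining DC; an empty result and exit status 0 means none of the listed problems is present.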