[Samba] User names not replicating to secondary DC

L.P.H. van Belle belle at bazuin.nl
Fri Feb 28 16:01:18 UTC 2020


+1 .. 
So fix both resolv.conf.

Then fix both smb.conf files; they differ:
DC1 : dns forwarder = 172.23.93.3
DC0 : no forwarder.

And reboot DC0. wait 1 min.
Reboot DC1. 
Wait 1 min.

And now check it all.

Have a nice weekend. 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> L.P.H. van Belle via samba
> Verzonden: vrijdag 28 februari 2020 16:53
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] User names not replicating to secondary DC
> 
> Found one error, see below.
> Do note, most of the other things look very good.
> 
> ________________________________
> 
> 	Van: durwin at mgtsciences.com [mailto:durwin at mgtsciences.com] 
> 	Verzonden: vrijdag 28 februari 2020 16:41
> 	Aan: L.P.H. van Belle
> 	CC: samba at lists.samba.org; samba
> 	Onderwerp: Re: [Samba] User names not replicating to 
> secondary DC
> 	
> 	
> 	> Can you run this script on both DC's. 
> 	> 
> 	> 
> https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh
> <https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh>
> 	
> 	=== BEGIN dc0 === 
> 	Collected config  --- 2020-02-28-08:30 ----------- 
> 	
> 	Hostname: dc0 
> 	DNS Domain: msi.mydomain.com 
> 	FQDN: dc0.msi.mydomain.com 
> 	ipaddress: 172.23.93.25 
> 	
> 	----------- 
> 	
> 	Kerberos SRV _kerberos._tcp.msi.mydomain.com record 
> verified ok, sample output: 
> 	Server:                172.23.93.25 
> 	Address:        172.23.93.25#53 
> 	
> 	_kerberos._tcp.msi.mydomain.com        service = 0 100 
> 88 dc0.msi.mydomain.com. 
> 	_kerberos._tcp.msi.mydomain.com        service = 0 100 
> 88 dc1.msi.mydomain.com. 
> 	Samba is running as an AD DC 
> 	
> 	----------- 
> 	       Checking file: /etc/os-release 
> 	
> 	NAME="Ubuntu" 
> 	VERSION="18.04.3 LTS (Bionic Beaver)" 
> 	ID=ubuntu 
> 	ID_LIKE=debian 
> 	PRETTY_NAME="Ubuntu 18.04.3 LTS" 
> 	VERSION_ID="18.04" 
> 	HOME_URL="https://www.ubuntu.com/ <https://www.ubuntu.com/> " 
> 	SUPPORT_URL="https://help.ubuntu.com/ 
> <https://help.ubuntu.com/> " 
> 	BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/ 
> <https://bugs.launchpad.net/ubuntu/> " 
> 	
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol
> icies/privacy-policy 
> <https://www.ubuntu.com/legal/terms-and-policies/privacy-policy> " 
> 	VERSION_CODENAME=bionic 
> 	UBUNTU_CODENAME=bionic 
> 	
> 	----------- 
> 	
> 	
> 	This computer is running Ubuntu 18.04.3 LTS x86_64 
> 	
> 	----------- 
> 	running command : ip a 
> 	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue 
> state UNKNOWN group default qlen 1000 
> 	    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
> 	    inet 127.0.0.1/8 scope host lo 
> 	    inet6 ::1/128 scope host 
> 	2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 
> qdisc fq_codel state UP group default qlen 1000 
> 	    link/ether 08:00:27:88:47:0f brd ff:ff:ff:ff:ff:ff 
> 	    inet 172.23.93.25/24 brd 172.23.93.255 scope global enp0s3 
> 	    inet6 fe80::a00:27ff:fe88:470f/64 scope link 
> 	
> 	----------- 
> 	       Checking file: /etc/hosts 
> 	
> 	127.0.0.1        localhost 
> 	172.23.93.25        dc0.msi.mydomain.com dc0 
> 	
> 	# The following lines are desirable for IPv6 capable hosts 
> 	::1     localhost ip6-localhost ip6-loopback 
> 	fe00::0 ip6-localnet 
> 	ff02::1 ip6-allnodes 
> 	ff02::2 ip6-allrouters 
> 	ff02::3 ip6-allhosts 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/resolv.conf 
> 	
> 	# This file is managed by man:systemd-resolved(8). Do not edit. 
> 	# 
> 	# This is a dynamic resolv.conf file for connecting 
> local clients directly to 
> 	# all known uplink DNS servers. This file lists all 
> configured search domains. 
> 	# 
> 	# Third party programs must not access this file 
> directly, but only through the 
> 	# symlink at /etc/resolv.conf. To manage 
> man:resolv.conf(5) in a different way, 
> 	# replace this symlink by a static file or a different symlink. 
> 	# 
> 	# See man:systemd-resolved.service(8) for details about 
> the supported modes of 
> 	# operation for /etc/resolv.conf. 
> 	
> 	nameserver 172.23.93.25 
> ADD:  nameserver 172.23.93.26
> 	search msi.mydomain.com 
> 	----------- 
> 	
> 	       Checking file: /etc/krb5.conf 
> 	
> 	[libdefaults] 
> 	        default_realm = MSI.MYDOMAIN.COM 
> 	
> 	; Note, this is added because other software may need it. 
> 	; personaly i would remove : des-cbc-crc des-cbc-md5 
> but for compatibility i leave it in. 
> 	; for Windows 2008 with AES 
> 	        default_tgs_enctypes =  aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
> 	        default_tkt_enctypes = aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
> 	        permitted_enctypes = aes256-cts-hmac-sha1-96 
> aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/nsswitch.conf 
> 	
> 	# /etc/nsswitch.conf 
> 	# 
> 	# Example configuration of GNU Name Service Switch 
> functionality. 
> 	# If you have the `glibc-doc-reference' and `info' 
> packages installed, try: 
> 	# `info libc "Name Service Switch"' for information 
> about this file. 
> 	
> 	passwd:         compat systemd 
> 	group:          compat systemd 
> 	shadow:         compat 
> 	gshadow:        files 
> 	
> 	hosts:          files dns 
> 	networks:       files 
> 	
> 	protocols:      db files 
> 	services:       db files 
> 	ethers:         db files 
> 	rpc:            db files 
> 	
> 	netgroup:       nis 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/samba/smb.conf 
> 	
> 	# Global parameters 
> 	[global] 
> 	        netbios name = DC0 
> 	        realm = MSI.MYDOMAIN.COM 
> 	        server role = active directory domain controller 
> 	        server services = s3fs, rpc, nbt, wrepl, ldap, 
> cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate 
> 	        workgroup = MSI 
> 	        # This line was added 190710 (DFD) 
> 	        dns update command = /usr/sbin/samba_dnsupdate 
> --use-samba-tool 
> 	        idmap_ldb:use rfc2307 = yes 
> 	
> 	[netlogon] 
> 	        path = /var/lib/samba/sysvol/msi.mydomain.com/scripts 
> 	        read only = No 
> 	
> 	[sysvol] 
> 	        path = /var/lib/samba/sysvol 
> 	        read only = No 
> 	
> 	----------- 
> 	
> 	Detected bind DLZ enabled.. 
> 	       Checking file: /etc/bind/named.conf 
> 	
> 	// This is the primary configuration file for the BIND 
> DNS server named. 
> 	// 
> 	// Please read /usr/share/doc/bind9/README.Debian.gz 
> for information on the 
> 	// structure of BIND configuration files in Debian, 
> *BEFORE* you customize 
> 	// this configuration file. 
> 	// 
> 	// If you are just adding zones, please do that in 
> /etc/bind/named.conf.local 
> 	
> 	include "/etc/bind/named.conf.options"; 
> 	include "/etc/bind/named.conf.local"; 
> 	include "/etc/bind/named.conf.default-zones"; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.options 
> 	
> 	acl "trusted" { 
> 	        172.23.93.0/24; 
> 	        127.0.0.1; 
> 	}; 
> 	
> 	
> 	options { 
> 	        directory "/var/cache/bind"; 
> 	        notify no; 
> 	        empty-zones-enable no; 
> 	        allow-query { trusted;}; 
> 	        allow-recursion { trusted;}; 
> 	        forwarders { 8.8.8.8; }; 
> 	        allow-transfer { none;}; 
> 	        dnssec-validation no; 
> 	        dnssec-enable no; 
> 	        dnssec-lookaside no; 
> 	        listen-on-v6 { none; }; 
> 	        listen-on port 53 { 172.23.93.25; 127.0.0.1; }; 
> 	
> 	        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
> 	}; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.local 
> 	
> 	// 
> 	// Do any local configuration here 
> 	// 
> 	
> 	// Consider adding the 1918 zones here, if they are not 
> used in your 
> 	// organization 
> 	//include "/etc/bind/zones.rfc1918"; 
> 	
> 	// adding the Samba dlopen ( Bind DLZ ) module 
> 	include "/var/lib/samba/bind-dns/named.conf"; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.default-zones 
> 	
> 	// prime the server with knowledge of the root servers 
> 	zone "." { 
> 	        type hint; 
> 	        file "/etc/bind/db.root"; 
> 	}; 
> 	
> 	// be authoritative for the localhost forward and 
> reverse zones, and for 
> 	// broadcast zones as per RFC 1912 
> 	
> 	zone "localhost" { 
> 	        type master; 
> 	        file "/etc/bind/db.local"; 
> 	}; 
> 	
> 	zone "127.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.127"; 
> 	}; 
> 	
> 	zone "0.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.0"; 
> 	}; 
> 	
> 	zone "255.in-addr.arpa" { 
> 	        type master; 
> 	        file "/etc/bind/db.255"; 
> 	}; 
> 	
> 	----------- 
> 	
> 	Samba DNS zone list:   3 zone(s) found 
> 	
> 	  pszZoneName                 : 93.23.172.in-addr.arpa 
> 	  Flags                       : 
> DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED 
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
> 	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
> 	
> 	  pszZoneName                 : msi.mydomain.com 
> 	  Flags                       : 
> DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED 
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
> 	  pszDpFqdn                   : DomainDnsZones.msi.mydomain.com 
> 	
> 	  pszZoneName                 : _msdcs.msi.mydomain.com 
> 	  Flags                       : 
> DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
> 	  ZoneType                    : DNS_ZONE_TYPE_PRIMARY 
> 	  Version                     : 50 
> 	  dwDpFlags                   : DNS_DP_AUTOCREATED 
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
> 	  pszDpFqdn                   : ForestDnsZones.msi.mydomain.com 
> 	
> 	Samba DNS zone list Automated check : 
> 	zone : 93.23.172.in-addr.arpa ok, no Bind flat-files found 
> 	----------- 
> 	zone : msi.mydomain.com ok, no Bind flat-files found 
> 	----------- 
> 	zone : _msdcs.msi.mydomain.com ok, no Bind flat-files found 
> 	----------- 
> 	
> 	Installed packages: 
> 	ii  acl                                   
> 2.2.52-3build1                                  amd64        
> Access control list utilities 
> 	ii  attr                                  
> 1:2.4.47-2build1                                amd64        
> Utilities for manipulating filesystem extended attributes 
> 	ii  bind9                                 
> 1:9.11.3+dfsg-1ubuntu1.11                       amd64        
> Internet Domain Name Server 
> 	ii  bind9-host                            
> 1:9.11.3+dfsg-1ubuntu1.11                       amd64        
> DNS lookup utility (deprecated) 
> 	ii  bind9utils                            
> 1:9.11.3+dfsg-1ubuntu1.11                       amd64        
> Utilities for BIND 
> 	ii  krb5-config                           2.6           
>                                   all          Configuration 
> files for Kerberos Version 5 
> 	ii  krb5-locales                          
> 1.16-2ubuntu0.1                                 all          
> internationalization support for MIT Kerberos 
> 	ii  krb5-user                             
> 1.16-2ubuntu0.1                                 amd64        
> basic programs to authenticate using MIT Kerberos 
> 	ii  libacl1:amd64                         
> 2.2.52-3build1                                  amd64        
> Access control list shared library 
> 	ii  libacl1-dev                           
> 2.2.52-3build1                                  amd64        
> Access control list static libraries and headers 
> 	ii  libattr1:amd64                        
> 1:2.4.47-2build1                                amd64        
> Extended attribute shared library 
> 	ii  libattr1-dev:amd64                    
> 1:2.4.47-2build1                                amd64        
> Extended attribute static libraries and headers 
> 	ii  libbind9-160:amd64                    
> 1:9.11.3+dfsg-1ubuntu1.11                       amd64        
> BIND9 Shared Library used by BIND 
> 	ii  libgssapi-krb5-2:amd64                
> 1.16-2ubuntu0.1                                 amd64        
> MIT Kerberos runtime libraries - krb5 GSS-API Mechanism 
> 	ii  libkrb5-26-heimdal:amd64              7.5.0+dfsg-1  
>                                   amd64        Heimdal 
> Kerberos - libraries 
> 	ii  libkrb5-3:amd64                       
> 1.16-2ubuntu0.1                                 amd64        
> MIT Kerberos runtime libraries 
> 	ii  libkrb5support0:amd64                 
> 1.16-2ubuntu0.1                                 amd64        
> MIT Kerberos runtime libraries - Support library 
> 	ii  libnss-winbind:amd64                  
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> Samba nameservice integration plugins 
> 	ii  libpam-winbind:amd64                  
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> Windows domain authentication integration plugin 
> 	ii  libwbclient0:amd64                    
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> Samba winbind client library 
> 	ii  python-samba                          
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> Python bindings for Samba 
> 	ii  python3-attr                          17.4.0-2      
>                                   all          Attributes 
> without boilerplate (Python 3) 
> 	ii  samba                                 
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> SMB/CIFS file, print, and login server for Unix 
> 	ii  samba-common                          
> 2:4.9.18+dfsg-0.1bionic1                        all          
> common files used by both the Samba server and client 
> 	ii  samba-common-bin                      
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> Samba common files used by both the server and the client 
> 	ii  samba-dsdb-modules:amd64              
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> Samba Directory Services Database 
> 	ii  samba-libs:amd64                      
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> Samba core libraries 
> 	ii  samba-vfs-modules:amd64               
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> Samba Virtual FileSystem plugins 
> 	ii  winbind                               
> 2:4.9.18+dfsg-0.1bionic1                        amd64        
> service to resolve user and group information from Windows NT servers 
> 	
> 	----------- 
> 	=== END dc0 === 
> 	
> 	=== BEGIN dc1 === 
> 	Collected config  --- 2020-02-28-08:28 ----------- 
> 	
> 	Hostname: dc1 
> 	DNS Domain: msi.mydomain.com 
> 	FQDN: dc1.msi.mydomain.com 
> 	ipaddress: 172.23.93.26 
> 	
> 	----------- 
> 	
> 	Kerberos SRV _kerberos._tcp.msi.mydomain.com record 
> verified ok, sample output: 
> 	Server:                172.23.93.3 
> 	Address:        172.23.93.3#53 
> 	
> 	_kerberos._tcp.msi.mydomain.com        service = 0 100 
> 88 dc0.msi.mydomain.com. 
> 	_kerberos._tcp.msi.mydomain.com        service = 0 100 
> 88 dc1.msi.mydomain.com. 
> 	Samba is running as an AD DC 
> 	
> 	----------- 
> 	       Checking file: /etc/os-release 
> 	
> 	NAME="Ubuntu" 
> 	VERSION="18.04.3 LTS (Bionic Beaver)" 
> 	ID=ubuntu 
> 	ID_LIKE=debian 
> 	PRETTY_NAME="Ubuntu 18.04.3 LTS" 
> 	VERSION_ID="18.04" 
> 	HOME_URL="https://www.ubuntu.com/ <https://www.ubuntu.com/> " 
> 	SUPPORT_URL="https://help.ubuntu.com/ 
> <https://help.ubuntu.com/> " 
> 	BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/ 
> <https://bugs.launchpad.net/ubuntu/> " 
> 	
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol
> icies/privacy-policy 
> <https://www.ubuntu.com/legal/terms-and-policies/privacy-policy> " 
> 	VERSION_CODENAME=bionic 
> 	UBUNTU_CODENAME=bionic 
> 	
> 	----------- 
> 	
> 	
> 	This computer is running Ubuntu 18.04.3 LTS x86_64 
> 	
> 	----------- 
> 	running command : ip a 
> 	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue 
> state UNKNOWN group default qlen 1000 
> 	    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
> 	    inet 127.0.0.1/8 scope host lo 
> 	    inet6 ::1/128 scope host 
> 	2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 
> qdisc fq_codel state UP group default qlen 1000 
> 	    link/ether 08:00:27:3e:9b:53 brd ff:ff:ff:ff:ff:ff 
> 	    inet 172.23.93.26/24 brd 172.23.93.255 scope global enp0s3 
> 	    inet6 fe80::a00:27ff:fe3e:9b53/64 scope link 
> 	
> 	----------- 
> 	       Checking file: /etc/hosts 
> 	
> 	127.0.0.1        localhost 
> 	172.23.93.26    dc1.msi.mydomain.com dc1 
> 	
> 	# The following lines are desirable for IPv6 capable hosts 
> 	::1     ip6-localhost ip6-loopback 
> 	fe00::0 ip6-localnet 
> 	ff00::0 ip6-mcastprefix 
> 	ff02::1 ip6-allnodes 
> 	ff02::2 ip6-allrouters 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/resolv.conf 
> 	
> 	# Generated by NetworkManager 
> ADD Top: nameserver 172.23.93.26
> ADD 	nameserver 172.23.93.25 
> 	nameserver 172.23.93.3 		<<< and this is  ? 
> 	search msi.mydomain.com 
> 
> 	----------- 
> 	
> 	       Checking file: /etc/krb5.conf 
> 	
> 	[libdefaults] 
> 	        default_realm = MSI.MYDOMAIN.COM 
> 	        dns_lookup_realm = false 
> 	        dns_lookup_kdc = true 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/nsswitch.conf 
> 	
> 	# /etc/nsswitch.conf 
> 	# 
> 	# Example configuration of GNU Name Service Switch 
> functionality. 
> 	# If you have the `glibc-doc-reference' and `info' 
> packages installed, try: 
> 	# `info libc "Name Service Switch"' for information 
> about this file. 
> 	
> 	passwd:         compat systemd 
> 	group:          compat systemd 
> 	shadow:         compat 
> 	gshadow:        files 
> 	
> 	hosts:          files mdns4_minimal [NOTFOUND=return] 
> dns myhostname 
> 	networks:       files 
> 	
> 	protocols:      db files 
> 	services:       db files 
> 	ethers:         db files 
> 	rpc:            db files 
> 	
> 	netgroup:       nis 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/samba/smb.conf 
> 	
> 	# Global parameters 
> 	[global] 
> 	        netbios name = DC1 
> 	        realm = MSI.MYDOMAIN.COM 
> 	        server role = active directory domain controller 
> 	        server services = s3fs, rpc, nbt, wrepl, ldap, 
> cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate 
> 	        workgroup = MSI 
> 	
> 	        dns forwarder = 172.23.93.3 
> 	        idmap_ldb:use rfc2307 = yes 
> 	        template shell = /bin/bash 
> 	        #winbind use default domain = true 
> 	        #winbind offline logon = false 
> 	        #winbind nss info = rfc2307 
> 	        #winbind enum users = yes 
> 	        #winbind enum groups = yes 
> 	        # This line added 200129 DFD. 
> 	        dns update command = /usr/sbin/samba_dnsupdate 
> --use-samba-tool 
> 	
> 	[netlogon] 
> 	        path = /var/lib/samba/sysvol/msi.mydomain.com/scripts 
> 	        read only = No 
> 	
> 	[sysvol] 
> 	        path = /var/lib/samba/sysvol 
> 	        read only = No 
> 	
> 	----------- 
> 	
> 	Detected bind DLZ enabled.. 
> 	       Checking file: /etc/bind/named.conf 
> 	
> 	// This is the primary configuration file for the BIND 
> DNS server named. 
> 	// 
> 	// Please read /usr/share/doc/bind9/README.Debian.gz 
> for information on the 
> 	// structure of BIND configuration files in Debian, 
> *BEFORE* you customize 
> 	// this configuration file. 
> 	// 
> 	// If you are just adding zones, please do that in 
> /etc/bind/named.conf.local 
> 	
> 	include "/etc/bind/named.conf.options"; 
> 	include "/etc/bind/named.conf.local"; 
> 	include "/etc/bind/named.conf.default-zones"; 
> 	
> 	----------- 
> 	
> 	       Checking file: /etc/bind/named.conf.options 
> 	
> 	acl "trusted" { 
> 	        172.23.93.0/24; 
> 	        127.0.0.1; 
> 	}; 
> 	
> 	options { 
> 	        directory "/var/cache/bind"; 
> 	        notify no; 
> 	        empty-zones-enable no; 
> 	        allow-query { trusted;}; 
> 	        allow-recursion { trusted;}; 
> 	        forwarders { 8.8.8.8; }; 
> 	        allow-transfer { none;}; 
> 	        dnssec-validation no; 
> 	        dnssec-enable no; 
> 	        dnssec-lookaside no; 
> 	        listen-on-v6 { none; }; 
> 	        listen-on port 53 { 172.23.93.26; 127.0.0.1; }; 
> 	
> 	        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; 
> 	
> 	        // If there is a firewall between you and 
> nameservers you want 
> 	        // to talk to, you may need to fix the firewall 
> to allow multiple 
> 	        // ports to talk.  See 
> http://www.kb.cert.org/vuls/id/800113 
> <http://www.kb.cert.org/vuls/id/800113>  
> 	
> 	        // If your ISP provided one or more IP 
> addresses for stable 
> 	        // nameservers, you probably want to use them 
> as forwarders.   
> 	        // Uncomment the following block, and insert 
> the addresses replacing 
> 	        // the all-0's placeholder. 
> 	
> 	        // forwarders { 
> 	        //         0.0.0.0; 
> 	        // }; 
> 	
> 	        
> //============================================================
> ============ 
> 	        // If BIND logs error messages about the root 
> key being expired, 
>