[Samba] BIND9 failing

Robert Wooden wdn2420systm at gmail.com
Mon Oct 12 14:17:53 UTC 2020


I am working towards joining my second DC to the first.

If I am understanding
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
correctly, I am to get bind9 working properly before the join should happen.

I am getting this:

> root@dc2:~# systemctl status bind9
> ● bind9.service - BIND Domain Name Server
> Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
> Active: failed (Result: exit-code) since Mon 2020-10-12 08:53:06 CDT; 2min 38s ago
> Docs: man:named(8)
> Process: 560 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=1/FAILURE)
>
> Oct 12 08:53:06 dc2 named[561]: samba_dlz: Failed to connect to Failed to connect to */var/lib/samba/private/dns/sam.ldb*: Unable to open tdb '/var/lib/samba/private/dns/sam.ldb': No such file or directory: Operations error
> Oct 12 08:53:06 dc2 named[561]: samba_dlz: FAILED dlz_create call result=25 #refs=0
> Oct 12 08:53:06 dc2 named[561]: dlz_dlopen of 'AD DNS Zone' failed
> Oct 12 08:53:06 dc2 named[561]: SDLZ driver failed to load.
> Oct 12 08:53:06 dc2 named[561]: DLZ driver failed to load.
> Oct 12 08:53:06 dc2 named[561]: loading configuration: failure
> Oct 12 08:53:06 dc2 named[561]: exiting (due to fatal error)
> Oct 12 08:53:06 dc2 systemd[1]: bind9.service: Control process exited, code=exited, status=1/FAILURE
> Oct 12 08:53:06 dc2 systemd[1]: bind9.service: Failed with result 'exit-code'.
> Oct 12 08:53:06 dc2 systemd[1]: Failed to start BIND Domain Name Server.

And this:

> root@dc2:~# journalctl -xe
> Oct 12 08:53:06 dc2 named[561]: SDLZ driver failed to load.
> Oct 12 08:53:06 dc2 named[561]: DLZ driver failed to load.
> Oct 12 08:53:06 dc2 named[561]: loading configuration: failure
> Oct 12 08:53:06 dc2 named[561]: exiting (due to fatal error)
> Oct 12 08:53:06 dc2 systemd[1]: bind9.service: Control process exited, code=exited, status=1/FAILURE
> -- Subject: Unit process exited
> -- Defined-By: systemd
> -- Support: https://www.debian.org/support
> --
> -- An ExecStart= process belonging to unit bind9.service has exited.
> --
> -- The process' exit code is 'exited' and its exit status is 1.
> Oct 12 08:53:06 dc2 systemd[1]: bind9.service: Failed with result 'exit-code'.
> -- Subject: Unit failed
> -- Defined-By: systemd
> -- Support: https://www.debian.org/support
> --
> -- The unit bind9.service has entered the 'failed' state with result 'exit-code'.
> Oct 12 08:53:06 dc2 systemd[1]: Failed to start BIND Domain Name Server.
> -- Subject: A start job for unit bind9.service has failed
> -- Defined-By: systemd
> -- Support: https://www.debian.org/support
> --
> -- A start job for unit bind9.service has finished with a failure.
> --
> -- The job identifier is 338 and the job result is failed.
> Oct 12 08:54:59 dc2 sshd[570]: Connection closed by 192.168.0.22 port 38620 [preauth]
> lines 1640-1666/1666 (END)

I have been through the bind9 changes many times. Compared the changes to
the first DC and cannot see any difference. But, I cannot figure out why
bind is looking here: '/var/lib/samba/private/dns/sam.ldb'.

Here are my:

> root@dc2:~# cat /etc/bind/named.conf
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> root@dc2:~# cat /etc/bind/named.conf.options
> options {
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     // forwarders {
>     forwarders { 8.8.8.8; 8.8.4.4; };
>     // 0.0.0.0;
>     // };
>
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys. See https://www.isc.org/bind-keys
>     //========================================================================
>     dnssec-validation auto;
>
>     listen-on-v6 { any; };
>     empty-zones-enable no;
>     // https://wiki.samba.org/index.php/Dns-backend_bind
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> };
>
> root@dc2:~# cat /etc/bind/named.conf.local
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> // adding the dlopen ( Bind DLZ ) module for samba.
> // at install debian already sets the correct bind9.XX version in this file below.
> include "/var/lib/samba/bind-dns/named.conf";
>
> root@dc2:~# cat /etc/bind/named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };

Am I overlooking something?

