[Samba] samba AD-DC with bind9, dyn-dns complains that "No AD dhcp user exists"

Carlos Jesus camjesus2 at gmail.com
Thu Sep 9 10:18:32 UTC 2021


Hello again,
As you have suggested, I've replaced all named files on both DCs,
restarted bind and noticed some dns_tkey_gssnegotiate: TKEY is
unacceptable errors in samba.log. So I did
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
which worked as expected, but the errors persist.
So I tried something else; on a windoze machine I tried to use RSAT to
manage the DNS. It complains that the "Active Directory Service is not
available" and doesn't let me add either of the 2 servers. However, ADUC works
fine and I can join machines to the domain.
I've also noticed that _msdcs is missing. Trying to create it with
samba-tool dns zonecreate DC1 _msdcs.SAMDOM.EXAMPLE gives back the same old
error
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File
"/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py",
line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/dns.py",
line 737, in run
    zone_create_info)

Any more clues?
Best regards
CJ


Carlos Jesus <camjesus2 at gmail.com> wrote on Thursday, 9/09/2021 at 01:30:

> Hey Rowland, thanks for the files. I've been "on the road" and only now
> (1:25AM) could do some tests.
> I think that when you say allow-query { acl internals; }; and
> allow-recursion { acl internals; }; you actually mean allow-query
> { internals; }; and allow-recursion { internals; };, referring to the
> "acl internals" previously created? Well, after that modification, the
> files worked and everything is now cleaner.
> It's still throwing errors, but I have a few theories about the keytab but
> I'll try again tomorrow. Well, later on today anyway...
> I'll probably ask for more help, but thanks again.
>
> best regards
> CJ
>
> Rowland Penny <rpenny at samba.org> wrote on Wednesday, 8/09/2021 at 16:59:
>
>> On Wed, 2021-09-08 at 16:29 +0100, Carlos Jesus wrote:
>> > They're here....
>>
>> OK, try these, based on my working (for the last 9 years) files, with
>> data from yours:
>>
>> /etc/bind/named.conf
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> /etc/bind/named.conf.options
>>
>> acl internals {
>>    127.0.0.0/8;
>>    192.168.1.0/24;
>> };
>>
>> options {
>>     directory "/var/cache/bind";
>>     auth-nxdomain yes;
>>     notify no;
>>     empty-zones-enable no;
>>     allow-query { acl internals; };
>>     allow-recursion { acl internals; };
>>     listen-on-v6 { none; };
>>     forwarders {
>>         8.8.8.8;
>>         8.8.4.4;
>>     };
>>     dnssec-enable no;
>>     dnssec-validation no;
>>     tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
>>     minimal-responses yes;
>> };
>>
>> logging {
>>   channel bind_log {
>>     file "/var/log/bind/bind.log" versions 3 size 5m;
>>     severity notice;
>>     print-category yes;
>>     print-severity yes;
>>     print-time yes;
>>   };
>>   category default { bind_log; };
>>   category update { bind_log; };
>>   category update-security { bind_log; };
>>   category security { bind_log; };
>>   category queries { bind_log; };
>>   category lame-servers { null; };
>> };
>>
>> /etc/bind/named.conf.local
>> include "/usr/local/samba/bind-dns/named.conf";
>>
>> /etc/bind/named.conf.default-zones
>>
>> // prime the server with knowledge of the root servers
>> zone "." {
>>         type hint;
>>         file "/usr/share/dns/root.hints";
>> };
>>
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>>         type master;
>>         file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>>         type master;
>>         file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>>         type master;
>>         file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>>         type master;
>>         file "/etc/bind/db.255";
>> };
>>
>> Rowland
>>

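Added example, not part of this thread or of Samba/BIND: a small Python linter for the mistake Carlos found in the posted named.conf.options, the `acl` keyword written inside `allow-query` / `allow-recursion` (only the bare ACL name is valid there), plus a cross-check that every name used in those lists is actually defined by an `acl` statement or is a BIND built-in. It runs over a constructed fragment assembled from the posted files; `named-checkconf` would also reject the faulty lines, this just shows why.

```python
import re

# Address-match-list names BIND treats as built-in; they need no acl {} definition.
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# Constructed sample: the options fragment from this thread, with the two faulty lines.
SAMPLE_CONF = """
acl internals {
   127.0.0.0/8;
   192.168.1.0/24;
};

options {
    allow-query { acl internals; };
    allow-recursion { acl internals; };
    tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
};
"""

def strip_comments(text):
    """Drop /* */ blocks and // or # line comments so they cannot fool the scan."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def defined_acls(text):
    """Names declared with a top-level 'acl NAME { ... };' statement."""
    return set(re.findall(r"^\s*acl\s+(\S+)\s*\{", text, flags=re.M))

def lint_address_lists(conf):
    """Problems in allow-query / allow-recursion lists: the 'acl' keyword inside
    the braces (only the bare name is valid there), and names with no acl definition."""
    text = strip_comments(conf)
    known = defined_acls(text) | BUILTIN_ACLS
    problems = []
    for directive, body in re.findall(r"(allow-query|allow-recursion)\s*\{([^}]*)\}", text):
        for item in (i.strip() for i in body.split(";")):
            if not item:
                continue
            words = item.split()
            if words[0] == "acl" and len(words) == 2:
                problems.append(f"{directive}: 'acl' keyword inside the list; write '{words[1]};'")
            elif re.fullmatch(r"!?[A-Za-z_][\w-]*", item) and item.lstrip("!") not in known:
                problems.append(f"{directive}: '{item}' is not a defined acl")
    return problems

if __name__ == "__main__":
    for line in lint_address_lists(SAMPLE_CONF) or ["no problems found"]:
        print(line)
```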
