Solved

"Access denied" from AD to a BIND Server.

Posted on 2004-09-23
12
352 Views
Last Modified: 2010-05-18
I've set the BIND server and the AD. I have a MSDNS configured in the AD settings, and now I added the BIND Server v 9.2.2, but I get a "Access Denied: You don't have permission to access this DNS Server" from the AD DNS Settings Panel when I add it or when I click on the icon for details.

The Server Icon displays a "not available" sign (just like MSN Messenger does). :(

I think it is a BIND configuration problem, but I have it set as my DNS and works fine (for my computer, not for AD).

I used Nslookup and got these lines:

--- START  ---
C:\>Nslookup
Default Server:  redhat_server
Address:  192.168.100.3

www.experts-exchange.com
Server:  redhat_server
Address:  192.168.100.3

Non-authoritative answer:
Name:    experts-exchange.com
Address:  64.156.132.140
Aliases:  www.experts-exchange.com

--- END ---

So, I only see thay Non-authoritative answer... that I don't know how to set it to an Authoritative one.

I feel like I'm grasping the surface here... but right now, I'm stuck. :S heeeeeelp!

Any idea?
0
Comment
Question by:mmartha
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 2
12 Comments
 
LVL 2

Accepted Solution

by:
KaiserSose earned 500 total points
ID: 12135114
Have you set permissions on who can query the server?   Its in named.conf...     something like   allow-query{ all };

dave
0
 
LVL 2

Expert Comment

by:KaiserSose
ID: 12135149
or even better, add

allow-transfer { IP ADDRESS };

to your zone

dave
0
 
LVL 2

Expert Comment

by:KaiserSose
ID: 12135159
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 2

Author Comment

by:mmartha
ID: 12135595
this is my named.conf

-- START --
logging {
      category lame-servers { null; };
      category cname { null; };
};

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */

query-source address * port 53;
      
      // forward only;

      allow-query { any; };
};

controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
 };

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
      type master;
      file "db.100.168.192.in-addr.arpa";
      allow-update { 192.168.100.2; };
};

zone "domain1" {
      type master;
      file "/var/named/domain1.hosts";
      allow-query { any; };
      allow-transfer { 192.168.100.2; };
};

-- END --

I added the allow-transfer tag, restarted the named service (/etc/init.d/named restart) but I still get the Access Denied msg.

192.168.100.2 is the AD server.

should I post the zone and reverse files? (domain1.hosts, db.100.168.192.in-addr.arpa, localhost.zone, named.local)
0
 
LVL 2

Expert Comment

by:KaiserSose
ID: 12135653
Everything looks ok there,  maybe it's something to do with the rndc key,  I have never bothered with that part so I don't know much about it.
0
 
LVL 2

Author Comment

by:mmartha
ID: 12136192
Well.. I thought about the rndc too, but whenever there's an rndc key problem  you get a "Connection refused" message from the rndc controls while trying to [start | restart] the named service. I generated a new key (dnskeygen -H 128 -h -n newkey.) and copied the key from the 'Knew.key.+157+00000.key' into the /etc/rndc.key file and didn't change the configs in rndc.conf or named.conf so I had those ERR msgs. Now, maybe I don't knkow something about rndc, but since I can [start | restart] the named service I think there's no problem with rndc anymore.
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12159075
you need to have the port 995 open to use keys. like this.

iptables -A INPUT -p tcp -m tcp  --dport 995 -j ACCEPT
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12159084
im sorry im confused is the por 953  tcp/udp

0
 
LVL 2

Author Comment

by:mmartha
ID: 12160754
I did a nmap to the BINDS and the ADS servers and the port 953 is open in both.
0
 
LVL 2

Expert Comment

by:KaiserSose
ID: 12161037
I don't think it's the rndc key.   Do you have any other BIND servers you can test on?
0
 
LVL 2

Author Comment

by:mmartha
ID: 12161300
I'll setup one with the following configuration:
(From http://www.experts-exchange.com/Networking/Linux_Networking/Q_21143866.html)

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */

      // query-source address * port 53;
     
     // forward only;

     allow-query { any; };
     allow-transfer { any; };
};

controls {
     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

//Zone entry for my Active Directory domain ad.mydom.com.

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
     type master;
     file "localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "named.local";
     allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
     type master;
     file "db.100.168.192.in-addr.arpa";
     allow-update { any; };
     allow-transfer { any; };
     allow-query { any; };
};

zone "linuxlab.grupochamberlain.com" {
     type master;
     file "/var/named/linuxlab.grupochamberlain.com.hosts";
     allow-query { any; };
     allow-transfer { any; };
     allow-update { any; };
};
0
 
LVL 2

Author Comment

by:mmartha
ID: 12161507
I'll close the question. Thanks for the advices.
0

Featured Post

Don't Miss ATEN at InfoComm 2017!

Visit booth #2167 to see the  new ATEN VM3200 32 x 32 Modular Matrix Switch. Other highlights include the VE8950 4K HDMI Over IP Extender, VS1912 12-Port DP Video Wall Media Player  and VK2100 ATEN Control System. Register now with Free Pass Code ATEN288!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question