Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

"Access denied" while trying to access a BIND DNS Server from ADS. :(

Posted on 2004-09-24
7
375 Views
Last Modified: 2010-03-17
I've set the BIND server and the AD. I have a MSDNS configured in the AD settings, and now I added the BIND Server v 9.2.2, but I get a "Access Denied: You don't have permission to access this DNS Server" from the AD DNS Settings Panel when I add it or when I click on the icon for details.

The Server Icon displays a "not available" sign (just like MSN Messenger does). :(

I think it is a BIND configuration problem, but I have it set as my DNS and works fine (for my computer, not for AD).

I used Nslookup and got these lines:

--- START  ---
C:\>Nslookup
Default Server:  redhat_server
Address:  192.168.100.3

www.experts-exchange.com
Server:  redhat_server
Address:  192.168.100.3

Non-authoritative answer:
Name:    experts-exchange.com
Address:  64.156.132.140
Aliases:  www.experts-exchange.com

--- END ---

So, I only see thay Non-authoritative answer... that I don't know how to set it to an Authoritative one.

I feel like I'm grasping the surface here... but right now, I'm stuck. :S heeeeeelp!

this is my named.conf

-- START --
logging {
     category lame-servers { null; };
     category cname { null; };
};

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */

query-source address * port 53;
     
     // forward only;

     allow-query { any; };
};

controls {
     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
 };

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
     type master;
     file "localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "named.local";
     allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
     type master;
     file "db.100.168.192.in-addr.arpa";
     allow-update { 192.168.100.2; };
};

zone "domain1" {
     type master;
     file "/var/named/domain1.hosts";
     allow-query { any; };
     allow-transfer { 192.168.100.2; };
};

-- END --

I added the allow-transfer tag, restarted the named service (/etc/init.d/named restart) but I still get the Access Denied msg.

192.168.100.2 is the AD server.

should I post the zone and reverse files? (domain1.hosts, db.100.168.192.in-addr.arpa, localhost.zone, named.local)

Well.. I thought about the rndc too, but whenever there's an rndc key problem  you get a "Connection refused" message from the rndc controls while trying to [start | restart] the named service. I generated a new key (dnskeygen -H 128 -h -n newkey.) and copied the key from the 'Knew.key.+157+00000.key' into the /etc/rndc.key file and didn't change the configs in rndc.conf or named.conf so I had those ERR msgs. Now, maybe I don't knkow something about rndc, but since I can [start | restart] the named service I think there's no problem with rndc anymore.

It's urgent, but any help will be apreciated.
0
Comment
Question by:mmartha
  • 4
  • 3
7 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12145271
add this in options  

       
        allow-transfer {192.168.100.2;};



0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12145297
for example your options will see like this

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */

query-source address * port 53;
     
     // forward only;
 allow-transfer {192.168.100.2;};
 allow-query { any; };
};
0
 
LVL 2

Author Comment

by:mmartha
ID: 12146958
I added the allow-transfer option to the "options" section, restarted the named service (/etc/init.d/named restart) and I still get the Access Denied msg. :(

I tried both without deleting the "allow-transfer" option from the zone section, and also deleting the line from the zone section.
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 14

Accepted Solution

by:
pablouruguay earned 500 total points
ID: 12147030
zone "100.168.192.in-addr.arpa" IN {
     type master;
     file "db.100.168.192.in-addr.arpa";
     allow-update { 192.168.100.2; };
};

you need to add transfer in here too.


and allow-update for both zones and options i have

allow-update {localhost; 192.168.100.2; 200.80.0.0/16;};


you can use it {localhost; 192.168.100.0/24; yourexternalnet; };
0
 
LVL 2

Author Comment

by:mmartha
ID: 12147864
I changed the config to this:

-- START --
logging {
      category lame-servers { null; };
      category cname { null; };
};

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */

       // query-source address * port 53;
      
      // forward only;

      allow-query { any; };
      allow-transfer { any; };
};

controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

//Zone entry for my Active Directory domain ad.mydom.com.

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
      type master;
      file "db.100.168.192.in-addr.arpa";
      allow-update { any; };
      allow-transfer { any; };
      allow-query { any; };
};

zone "linuxlab.grupochamberlain.com" {
      type master;
      file "/var/named/linuxlab.grupochamberlain.com.hosts";
      allow-query { any; };
      allow-transfer { any; };
      allow-update { any; };
};
-- END --

And I still get the Access Denied msg from ADS.

If I set the allow-update in the options section i get the rndc error "unable to connect" while trying to restart the service (And the service doesn't start).

The BIND server is logged into the ADS domain with samba and kerberos, The name resolution between them is OK.

Any ideas? :S
0
 
LVL 2

Author Comment

by:mmartha
ID: 12161494
Well I'll close the question. Thanks for your help. I appreciate it. :)
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12161626
your welcome
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Squid Connection Pools 3 82
OpenWrt 1 47
Linux neworking 4 113
Video Streaming 6 85
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question