  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 408

"Access denied" while trying to access a BIND DNS Server from ADS. :(

I've set the BIND server and the AD. I have an MSDNS configured in the AD settings, and now I added the BIND Server v 9.2.2, but I get an "Access Denied: You don't have permission to access this DNS Server" from the AD DNS Settings Panel when I add it or when I click on the icon for details.

The Server Icon displays a "not available" sign (just like MSN Messenger does). :(

I think it is a BIND configuration problem, but I have it set as my DNS and it works fine (for my computer, not for AD).

I used Nslookup and got these lines:

--- START ---
C:\>Nslookup
Default Server:  redhat_server
Address:  192.168.100.3

www.experts-exchange.com
Server:  redhat_server
Address:  192.168.100.3

Non-authoritative answer:
Name:    experts-exchange.com
Address:  64.156.132.140
Aliases:  www.experts-exchange.com

--- END ---

So, I only see that Non-authoritative answer... and I don't know how to set it to an Authoritative one.

I feel like I'm grasping the surface here... but right now, I'm stuck. :S heeeeeelp!

This is my named.conf:

-- START --
logging {
     category lame-servers { null; };
     category cname { null; };
};

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */

     query-source address * port 53;

     // forward only;

     allow-query { any; };
};

controls {
     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
     type master;
     file "localhost.zone";
     allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
     type master;
     file "named.local";
     allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
     type master;
     file "db.100.168.192.in-addr.arpa";
     allow-update { 192.168.100.2; };
};

zone "domain1" {
     type master;
     file "/var/named/domain1.hosts";
     allow-query { any; };
     allow-transfer { 192.168.100.2; };
};

-- END --

I added the allow-transfer tag, restarted the named service (/etc/init.d/named restart) but I still get the Access Denied msg.

192.168.100.2 is the AD server.

should I post the zone and reverse files? (domain1.hosts, db.100.168.192.in-addr.arpa, localhost.zone, named.local)

Well.. I thought about the rndc too, but whenever there's an rndc key problem you get a "Connection refused" message from the rndc controls while trying to [start | restart] the named service. I generated a new key (dnskeygen -H 128 -h -n newkey.) and copied the key from the 'Knew.key.+157+00000.key' into the /etc/rndc.key file and didn't change the configs in rndc.conf or named.conf so I had those ERR msgs. Now, maybe I don't know something about rndc, but since I can [start | restart] the named service I think there's no problem with rndc anymore.

It's urgent, but any help will be appreciated.
Asked by: mmartha

1 Solution
pablouruguay commented:
add this in options

allow-transfer {192.168.100.2;};
 
pablouruguay commented:
for example your options will look like this

options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */

query-source address * port 53;
     
     // forward only;
     allow-transfer {192.168.100.2;};
     allow-query { any; };
};

mmartha (Author) commented:
I added the allow-transfer option to the "options" section, restarted the named service (/etc/init.d/named restart) and I still get the Access Denied msg. :(

I tried both without deleting the "allow-transfer" option from the zone section, and also deleting the line from the zone section.
pablouruguay commented:
zone "100.168.192.in-addr.arpa" IN {
     type master;
     file "db.100.168.192.in-addr.arpa";
     allow-update { 192.168.100.2; };
};

you need to add transfer in here too.


and allow-update for both zones and options I have

allow-update {localhost; 192.168.100.2; 200.80.0.0/16;};


you can use it {localhost; 192.168.100.0/24; yourexternalnet; };

mmartha (Author) commented:
I changed the config to this:

-- START --
logging {
      category lame-servers { null; };
      category cname { null; };
};

options {
      directory "/var/named";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */

       // query-source address * port 53;
      
      // forward only;

      allow-query { any; };
      allow-transfer { any; };
};

controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

//Zone entry for my Active Directory domain ad.mydom.com.

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
      type master;
      file "db.100.168.192.in-addr.arpa";
      allow-update { any; };
      allow-transfer { any; };
      allow-query { any; };
};

zone "linuxlab.grupochamberlain.com" {
      type master;
      file "/var/named/linuxlab.grupochamberlain.com.hosts";
      allow-query { any; };
      allow-transfer { any; };
      allow-update { any; };
};
-- END --

And I still get the Access Denied msg from ADS.

If I set the allow-update in the options section I get the rndc error "unable to connect" while trying to restart the service (and the service doesn't start).

The BIND server is logged into the ADS domain with samba and kerberos, The name resolution between them is OK.

Any ideas? :S
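Whatever the console error turns out to be, the configuration as last posted ends up with allow-update { any; } and allow-transfer { any; } on the master zones, which lets any host rewrite records or pull the whole zone. The script below is an added example (not from the thread and not ISC BIND code) that audits a named.conf for exactly that: it parses the top-level statements, applies BIND's rule that a zone-level ACL overrides the default given in options{}, and flags "any" or wide network prefixes in allow-update and allow-transfer. Assumptions, marked in the code: the built-in defaults of allow-transfer "any" and allow-update "none" for a BIND 9.2-era server, a regex parser that only handles the one level of brace nesting this file uses, and a constructed sample config modelled on the thread's final named.conf (forward zone named "domain1" as in the first post).

```python
"""Audit a BIND named.conf for overly permissive allow-update / allow-transfer ACLs.

Added example, not from the thread and not ISC code. Assumptions:
  * a zone-level ACL overrides the default set in options{} (BIND behaviour);
  * when neither is set, allow-transfer defaults to "any" and allow-update to
    "none", as on BIND 9.2-era servers;
  * the regex parser only copes with one level of nested braces, which is all
    this kind of file uses (ACL lists, controls' allow/keys lists).
"""
import re

# Constructed sample modelled on the last configuration posted in the thread,
# with the forward zone named "domain1" as in the first post.
SAMPLE_NAMED_CONF = """
options {
      directory "/var/named";
      // query-source address * port 53;
      allow-query { any; };
      allow-transfer { any; };
};

controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

include "/etc/rndc.key";

zone "100.168.192.in-addr.arpa" IN {
      type master;
      file "db.100.168.192.in-addr.arpa";
      allow-update { any; };
      allow-transfer { any; };
};

zone "domain1" {
      type master;
      file "/var/named/domain1.hosts";
      allow-update { 192.168.100.2; };
      allow-transfer { 192.168.100.2; };
};
"""

# Strip /* */, // and # comments before parsing.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# Top-level statement: keyword, optional quoted name, optional class, brace body
# that may itself contain one level of { ... } lists.
STMT_RE = re.compile(
    r'(\w+)\s*(?:"([^"]*)")?\s*(?:IN\s+)?\{((?:[^{}]|\{[^{}]*\})*)\}\s*;'
)
ACL_RE = re.compile(r"\b(allow-(?:update|transfer|query))\s*\{([^}]*)\}\s*;")
TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;")

# Assumed built-in defaults for a BIND 9.2-era server (see module docstring).
ZONE_DEFAULTS = {"allow-update": ["none"], "allow-transfer": ["any"]}


def parse_acls(conf_text):
    """Return (options_acls, {zone_name: {"type": ..., "acls": {...}}})."""
    text = COMMENT_RE.sub("", conf_text)
    options, zones = {}, {}
    for kind, name, body in STMT_RE.findall(text):
        acls = {d: [e.strip() for e in lst.split(";") if e.strip()]
                for d, lst in ACL_RE.findall(body)}
        if kind == "options":
            options = acls
        elif kind == "zone":
            t = TYPE_RE.search(body)
            zones[name] = {"type": t.group(1) if t else None, "acls": acls}
    return options, zones


def effective_acl(zone, options, directive):
    """Zone setting wins; otherwise the options{} default; otherwise BIND's built-in default."""
    return zone["acls"].get(directive) or options.get(directive) or ZONE_DEFAULTS[directive]


def audit(conf_text):
    """Return (zone, directive, entry, risk) findings for every master zone."""
    options, zones = parse_acls(conf_text)
    findings = []
    for name, zone in zones.items():
        if zone["type"] != "master":
            continue  # hint and slave zones accept no updates on this server
        for directive, risk in (("allow-update", "any host can add or change records"),
                                ("allow-transfer", "any host can dump the zone with AXFR")):
            for entry in effective_acl(zone, options, directive):
                if entry == "any":
                    findings.append((name, directive, entry, risk))
                elif "/" in entry and int(entry.rsplit("/", 1)[1]) < 24:
                    findings.append((name, directive, entry,
                                     "prefix wider than /24; prefer exact hosts"))
    return findings


if __name__ == "__main__":
    for zone, directive, entry, risk in audit(SAMPLE_NAMED_CONF):
        print(f'zone "{zone}": {directive} {{ {entry}; }} -> {risk}')
```

Run against the sample it reports three findings: the "localhost" zone inherits allow-transfer { any; } from options{}, and the reverse zone opens both update and transfer to everyone; "domain1", restricted to 192.168.100.2 as the earlier replies suggested, is clean. The same parse can be pointed at a real /etc/named.conf by reading the file into `audit()`.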

mmartha (Author) commented:
Well I'll close the question. Thanks for your help. I appreciate it. :)

pablouruguay commented:
You're welcome.