getting BIND to work with Samba4

Mark (asker):

I'm having a heck of a time getting Samba4 to work with BIND. I am using Slackware 14.1 and Samba 4.1.11.

Prior to trying Samba4, I have a working BIND. My named.conf and zone files are as follows:

/etc/named.conf
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
# dnssec-enable no;

        forwarders {            // These are the ISP provided name servers
            66.193.88.3;
            66.192.88.4;
        };

        allow-query {           // Permit querying by others in the domain
            192.168.0.0/24;
            127.0.0.1;
        };
};

zone "localhost" {
        type master;
        file "db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "db.127";
};

zone "hprs.local" in {
    type master;
    allow-update { 192.168.0.2; 127.0.0.1; };         // local DHCP server
    file "db.hprs.local";
};

zone "0.168.192.in-addr.arpa" in {
    type master;
    allow-update { 192.168.0.2; 127.0.0.1; };           // local DHCP server
    file "db.192.168.0";
};


/var/named/db.hprs.local:
$ORIGIN .
$TTL 4H
hprs.local              IN SOA  mail.hprs.local. sysadmin.mail.ohprs.org. (
                                100     ; serial
                                3H      ; refresh (3 hours)
                                1H      ; retry (1 hour)
                                8H      ; expire (1 week)
                                1H      ; minimum (1 hour)
                                )
                        NS      mail.hprs.local.
$ORIGIN hprs.local.
$TTL 4H
mail                    A       192.168.0.2
richo                   A       192.168.0.20


/var/named/db.192.168.0
$ORIGIN .
$TTL 4H
0.168.192.in-addr.arpa  IN SOA  mail.hprs.local. sysadmin.mail.ohprs.org. (
                                100     ; serial
                                3H      ; refresh (3 hours)
                                1H      ; retry (1 hour)
                                8H      ; expire (1 week)
                                1H      ; minimum (1 hour)
                                )
                        NS      mail.hprs.local.
$ORIGIN 0.168.192.in-addr.arpa.
$TTL 4H
2                       PTR     mail.hprs.local.
20                      PTR     richo.hprs.local.


The above setup works fine and works with DHCPD. Now, I want to get it working with Samba4.

The page https://wiki.samba.org/index.php/DNS#Which_DNS_backend_should_I_choose.3F says, "BIND can be setup to provide DNS resolving for zones managed in AD. They are accessible from BIND through the DLZ (dynamically loadable zones) plug-in." So, I followed the instructions in https://wiki.samba.org/index.php/Changing_the_DNS_backend to set the DNS backend to BIND_DLZ, which were to run:
$ samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
Reading records from zone file /etc/samba/private/dns/hprs.local.zone
Creating DNS partitions
Looking up IPv4 addresses
Looking up IPv6 addresses
Populating DNS partitions
Importing records from zone file
dns-mail account already exists
Unable to find group id for BIND,
                set permissions to sam.ldb* files manually
See /etc/samba/private/named.conf for an example configuration include file for BIND
and /etc/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS


The referenced /etc/samba/private/named.conf file is:
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/etc/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/lib64/bind9/dlz_bind9.so";

    # For BIND 9.9.0
     database "dlopen /usr/lib64/bind9/dlz_bind9_9.so";
};


I have bind 9.9.5, so I uncommented the corresponding database line. I added

include "/etc/samba/private/named.conf";

to the end of my /etc/named.conf.

When I then tried to start bind, I got the following message:
$ /etc/rc.d/rc.bind start
Starting BIND:  /usr/sbin/named
WARNING:  named did not start.
Attempting to start named again:  /usr/sbin/named
FAILED:  Sorry, a second attempt to start named has also failed.
There may be a configuration error that needs fixing.  Good luck!


/var/log/syslog has:
Sep  1 16:35:31 mail named[6546]: /etc/samba/private/named.conf:17: 'database' redefined near 'database'
Sep  1 16:35:31 mail named[6546]: loading configuration: already exists
Sep  1 16:35:31 mail named[6546]: exiting (due to fatal error)
Sep  1 16:35:32 mail named[6555]: /etc/samba/private/named.conf:17: 'database' redefined near 'database'
Sep  1 16:35:32 mail named[6555]: loading configuration: already exists
Sep  1 16:35:32 mail named[6555]: exiting (due to fatal error)


and /var/log/messages has:
Sep  1 16:35:31 mail named[6546]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  1 16:35:31 mail named[6546]: ----------------------------------------------------
Sep  1 16:35:31 mail named[6546]: BIND 9 is maintained by Internet Systems Consortium,
Sep  1 16:35:31 mail named[6546]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  1 16:35:31 mail named[6546]: corporation.  Support and training for BIND 9 are
Sep  1 16:35:31 mail named[6546]: available at https://www.isc.org/support
Sep  1 16:35:31 mail named[6546]: ----------------------------------------------------
Sep  1 16:35:31 mail named[6546]: adjusted limit on open files from 4096 to 1048576
Sep  1 16:35:31 mail named[6546]: found 2 CPUs, using 2 worker threads
Sep  1 16:35:31 mail named[6546]: using 2 UDP listeners per interface
Sep  1 16:35:31 mail named[6546]: using up to 4096 sockets
Sep  1 16:35:31 mail named[6546]: loading configuration from '/etc/named.conf'
Sep  1 16:35:32 mail named[6555]: starting BIND 9.9.5-P1
Sep  1 16:35:32 mail named[6555]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  1 16:35:32 mail named[6555]: ----------------------------------------------------
Sep  1 16:35:32 mail named[6555]: BIND 9 is maintained by Internet Systems Consortium,
Sep  1 16:35:32 mail named[6555]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  1 16:35:32 mail named[6555]: corporation.  Support and training for BIND 9 are
Sep  1 16:35:32 mail named[6555]: available at https://www.isc.org/support
Sep  1 16:35:32 mail named[6555]: ----------------------------------------------------
Sep  1 16:35:32 mail named[6555]: adjusted limit on open files from 4096 to 1048576
Sep  1 16:35:32 mail named[6555]: found 2 CPUs, using 2 worker threads
Sep  1 16:35:32 mail named[6555]: using 2 UDP listeners per interface
Sep  1 16:35:32 mail named[6555]: using up to 4096 sockets
Sep  1 16:35:32 mail named[6555]: loading configuration from '/etc/named.conf'


I have no clue what's wrong. The only error message I get is "/etc/samba/private/named.conf:17: 'database' redefined near 'database'", which is about as cryptic as it gets.

Can anyone help?
gheist

Run named-checkconf and address found issues.

You can have just one database backend at any given time.
Mark (ASKER):

named-checkconf gives me the same error:
$ named-checkconf
/etc/samba/private/named.conf:17: 'database' redefined near 'database'


Again, no clue what this means. Thus far google turns up nothing on this error.

> You can have just one database backend at any given time.

Have I defined more than one? Would having zone ... { file "db..."; ... } in named.conf mean I am defining a database?
SOLUTION
gheist

This solution is only available to members.
Mark (ASKER):

Duh! OK, I thought that 1st one was commented out. Did that and re-ran. Still error, but different:

/var/log/syslog
Sep  2 11:33:35 mail named[27337]: zone 'hprs.local' allows updates by IP address, which is insecure
Sep  2 11:33:35 mail named[27337]: zone '0.168.192.in-addr.arpa' allows updates by IP address, which is insecure
Sep  2 11:33:35 mail named[27337]: samba_dlz: Failed to configure zone 'hprs.local'
Sep  2 11:33:35 mail named[27337]: loading configuration: already exists
Sep  2 11:33:35 mail named[27337]: exiting (due to fatal error)
Sep  2 11:33:36 mail named[27346]: zone 'hprs.local' allows updates by IP address, which is insecure
Sep  2 11:33:36 mail named[27346]: zone '0.168.192.in-addr.arpa' allows updates by IP address, which is insecure
Sep  2 11:33:37 mail named[27346]: samba_dlz: Failed to configure zone 'hprs.local'
Sep  2 11:33:37 mail named[27346]: loading configuration: already exists
Sep  2 11:33:37 mail named[27346]: exiting (due to fatal error)


/var/log/messages
Sep  2 11:33:35 mail named[27337]: starting BIND 9.9.5-P1
Sep  2 11:33:35 mail named[27337]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  2 11:33:35 mail named[27337]: ----------------------------------------------------
Sep  2 11:33:35 mail named[27337]: BIND 9 is maintained by Internet Systems Consortium,
Sep  2 11:33:35 mail named[27337]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  2 11:33:35 mail named[27337]: corporation.  Support and training for BIND 9 are
Sep  2 11:33:35 mail named[27337]: available at https://www.isc.org/support
Sep  2 11:33:35 mail named[27337]: ----------------------------------------------------
Sep  2 11:33:35 mail named[27337]: adjusted limit on open files from 4096 to 1048576
Sep  2 11:33:35 mail named[27337]: found 2 CPUs, using 2 worker threads
Sep  2 11:33:35 mail named[27337]: using 2 UDP listeners per interface
Sep  2 11:33:35 mail named[27337]: using up to 4096 sockets
Sep  2 11:33:35 mail named[27337]: loading configuration from '/etc/named.conf'
Sep  2 11:33:35 mail named[27337]: reading built-in trusted keys from file '/etc/bind.keys'
Sep  2 11:33:35 mail named[27337]: using default UDP/IPv4 port range: [1024, 65535]
Sep  2 11:33:35 mail named[27337]: using default UDP/IPv6 port range: [1024, 65535]
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface lo, 127.0.0.1#53
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface eth0, 64.129.23.170#53
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface eth1, 192.168.0.2#53
Sep  2 11:33:35 mail named[27337]: generating session key for dynamic DNS
Sep  2 11:33:35 mail named[27337]: sizing zone task pool based on 4 zones
Sep  2 11:33:35 mail named[27337]: Loading 'AD DNS Zone' using driver dlopen
Sep  2 11:33:35 mail named[27337]: samba_dlz: started for DN DC=hprs,DC=local
Sep  2 11:33:35 mail named[27337]: samba_dlz: starting configure
Sep  2 11:33:35 mail named[27337]: samba_dlz: shutting down
Sep  2 11:33:36 mail named[27346]: starting BIND 9.9.5-P1
Sep  2 11:33:36 mail named[27346]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  2 11:33:36 mail named[27346]: ----------------------------------------------------
Sep  2 11:33:36 mail named[27346]: BIND 9 is maintained by Internet Systems Consortium,
Sep  2 11:33:36 mail named[27346]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  2 11:33:36 mail named[27346]: corporation.  Support and training for BIND 9 are
Sep  2 11:33:36 mail named[27346]: available at https://www.isc.org/support
Sep  2 11:33:36 mail named[27346]: ----------------------------------------------------
Sep  2 11:33:36 mail named[27346]: adjusted limit on open files from 4096 to 1048576
Sep  2 11:33:36 mail named[27346]: found 2 CPUs, using 2 worker threads
Sep  2 11:33:36 mail named[27346]: using 2 UDP listeners per interface
Sep  2 11:33:36 mail named[27346]: using up to 4096 sockets
Sep  2 11:33:36 mail named[27346]: loading configuration from '/etc/named.conf'
Sep  2 11:33:36 mail named[27346]: reading built-in trusted keys from file '/etc/bind.keys'
Sep  2 11:33:36 mail named[27346]: using default UDP/IPv4 port range: [1024, 65535]
Sep  2 11:33:36 mail named[27346]: using default UDP/IPv6 port range: [1024, 65535]
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface lo, 127.0.0.1#53
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface eth0, 64.129.23.170#53
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface eth1, 192.168.0.2#53
Sep  2 11:33:36 mail named[27346]: generating session key for dynamic DNS
Sep  2 11:33:36 mail named[27346]: sizing zone task pool based on 4 zones
Sep  2 11:33:36 mail named[27346]: Loading 'AD DNS Zone' using driver dlopen
Sep  2 11:33:37 mail named[27346]: samba_dlz: started for DN DC=hprs,DC=local
Sep  2 11:33:37 mail named[27346]: samba_dlz: starting configure
Sep  2 11:33:37 mail named[27346]: samba_dlz: shutting down


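Both the "'database' redefined" error from the first post and the "allows updates by IP address, which is insecure" warnings in the log above are things a configuration lint can catch before named is restarted. What follows is an added example, not code from the thread, from Samba or from BIND: a small Python linter run over a constructed named.conf modelled on the one posted, with the Samba-generated dlz block inlined instead of reached via include. It parses only the statement/brace/semicolon subset of named.conf syntax the checks need, and it takes the list of zones the DLZ backend serves as a caller-supplied assumption (here hprs.local, read off the "samba_dlz: started for DN DC=hprs,DC=local" log line), because the config itself does not say which zones the plug-in provides. The `dhcp-update` key name in the sample is hypothetical.

```python
"""Lint a BIND named.conf for three problems seen in this thread:
   1. more than one 'database' line inside a dlz block ('database' redefined),
   2. a zone defined statically that the Samba DLZ module also serves
      ('loading configuration: already exists'),
   3. allow-update lists that grant updates by address instead of by key
      ('allows updates by IP address, which is insecure').
Added example; the parser covers only the statement/brace subset of
named.conf syntax these checks need, not the whole grammar."""
import ipaddress
import re

# Constructed sample modelled on the named.conf in the thread, with the
# Samba-generated dlz block inlined (the real file reaches it via 'include').
SAMPLE_NAMED_CONF = r'''
options {
        directory "/var/named";
        /* multi-line
           comment */
        // query-source address * port 53;
# dnssec-enable no;
        forwarders { 66.193.88.3; 66.192.88.4; };
        allow-query { 192.168.0.0/24; 127.0.0.1; };
};

zone "localhost" { type master; file "db.local"; };

zone "hprs.local" in {
    type master;
    allow-update { 192.168.0.2; 127.0.0.1; };   // local DHCP server
    file "db.hprs.local";
};

zone "0.168.192.in-addr.arpa" in {
    type master;
    allow-update { key dhcp-update; };          // hypothetical TSIG key name
    file "db.192.168.0";
};

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/lib64/bind9/dlz_bind9.so";
    # For BIND 9.9.0
    database "dlopen /usr/lib64/bind9/dlz_bind9_9.so";
};
'''

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def tokenize(text):
    """Quoted strings, braces and semicolons each become a single token."""
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', strip_comments(text))

def parse(tokens, i=0):
    """Parse statements until a closing '}' or the end of input.
    Each statement is (words, block): 'words' are the tokens before the
    brace or semicolon, 'block' is the nested statement list or None."""
    stmts = []
    while i < len(tokens):
        if tokens[i] == "}":
            return stmts, i + 1
        words, block = [], None
        while i < len(tokens) and tokens[i] not in ("{", ";", "}"):
            words.append(tokens[i].strip('"'))
            i += 1
        if i < len(tokens) and tokens[i] == "{":
            block, i = parse(tokens, i + 1)
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        if words:
            stmts.append((words, block))
    return stmts, i

def is_address_entry(entry):
    """True for ACL entries that grant access by network location alone."""
    if entry.lower() in ("any", "localhost", "localnets"):
        return True
    try:
        ipaddress.ip_network(entry.lstrip("!"), strict=False)
        return True
    except ValueError:
        return False   # 'key', 'none', named ACLs and the like

def lint(conf_text, dlz_zones=()):
    """Return a list of (severity, message). 'dlz_zones' names the zones the
    DLZ backend serves; that is an input here because named.conf does not
    list them."""
    findings = []
    dlz_zones = {z.lower().rstrip(".") for z in dlz_zones}
    top, _ = parse(tokenize(conf_text))
    for words, block in top:
        if words[0] == "dlz" and block is not None and len(words) > 1:
            n = sum(1 for w, _ in block if w[0] == "database")
            if n != 1:
                findings.append(("error", f"dlz '{words[1]}': {n} 'database' statements; exactly one is allowed"))
        elif words[0] == "zone" and block is not None and len(words) > 1:
            name = words[1].lower().rstrip(".")
            if name in dlz_zones:
                findings.append(("error", f"zone '{name}' is defined statically and by the DLZ backend"))
            for w, b in block:
                if w[0] == "allow-update" and b is not None:
                    for entry, _ in b:
                        if is_address_entry(entry[0]):
                            findings.append(("warning", f"zone '{name}' allows updates from '{entry[0]}' by address, not by key"))
    return findings

if __name__ == "__main__":
    for severity, message in lint(SAMPLE_NAMED_CONF, dlz_zones=["hprs.local"]):
        print(f"{severity}: {message}")
```

On the sample it reports the static hprs.local zone colliding with the DLZ-served zone, the two allow-update entries granted by address, and the dlz block carrying two database lines. named-checkconf, as gheist suggested, stays the authoritative syntax check; this only adds the policy checks on top of it.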
Mark (ASKER):

I commented out the hprs.local zone in the named.conf file and this time it seems to have run OK. Does that make sense to you? I will do some testing on name resolution and post back the results.
You must keep this intact:
/etc/samba/private/named.conf

If the zone you removed is defined somewhere else you can delete it safely.
Mark (ASKER):

Still having problems (but getting closer, I think). After commenting out the hprs.local zone in named.conf, restarting bind and starting samba, I tried `ipconfig /release && ipconfig /renew` on one of the Windows client workstations. The messages file shows "samba_dlz: cancelling transaction on zone hprs.local". The syslog shows "update ... denied".

Might be a permissions issue. Note that in line 17 of my `samba_upgradedns` output (initial posting) I got the error "Unable to find group id for BIND, / set permissions to sam.ldb* files manually". These files are in /etc/samba/private/dns and are all owned by root.root. They were created that way when `samba-tool provision` was run. I changed them to have group rw, but that didn't help. Before I mess up these files too much, what do you suggest? Creating a BIND group and making the group for these files BIND?

Note also that the same `samba_upgradedns` output shows:

3: DNS accounts already exist
10: dns-mail account already exists

Not sure what this means because there is no DNS account in /etc/passwd.

Here are the logfiles:
I'll continue researching. Logfile output below.

/var/log/messages
Sep  2 11:50:58 mail dhcpd: DHCPRELEASE of 192.168.0.100 from 00:25:b3:bf:f5:42 (hplaptop) via eth1 (found)
Sep  2 11:50:59 mail dhcpd: DHCPDISCOVER from 00:25:b3:bf:f5:42 via eth1
Sep  2 11:51:00 mail dhcpd: DHCPOFFER on 192.168.0.100 to 00:25:b3:bf:f5:42 (hplaptop) via eth1
Sep  2 11:51:00 mail named[29041]: samba_dlz: starting transaction on zone hprs.local
Sep  2 11:51:00 mail named[29041]: samba_dlz: cancelling transaction on zone hprs.local
Sep  2 11:51:00 mail dhcpd: DHCPREQUEST for 192.168.0.100 (192.168.0.2) from 00:25:b3:bf:f5:42 (hplaptop) via eth1
Sep  2 11:51:00 mail dhcpd: DHCPACK on 192.168.0.100 to 00:25:b3:bf:f5:42 (hplaptop) via eth1


/var/log/syslog
Sep  2 11:51:00 mail named[29041]: client 192.168.0.2#12212: update 'hprs.local/IN' denied
Sep  2 11:51:00 mail dhcpd: Unable to add forward map from hplaptop.hprs.local. to 192.168.0.100: REFUSED


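The refused update is easier to see when the named and dhcpd lines are read together rather than file by file. The following is an added example, not from the thread: a Python triage script over constructed log lines copied from the messages and syslog excerpts above. It counts the messages of interest per kind and correlates each "update ... denied" with the dhcpd REFUSED and samba_dlz "cancelling transaction" lines within a 2-second window (the window size is an assumption), so one finding states which client sent the refused update, to which zone, and whether the DLZ backend rather than a static zone file rejected it.

```python
"""Correlate named and dhcpd syslog lines around a refused dynamic DNS
update. Added example; the sample lines below are constructed from the
/var/log/messages and /var/log/syslog excerpts posted in the thread."""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Sep  2 11:33:35 mail named[27337]: zone 'hprs.local' allows updates by IP address, which is insecure
Sep  2 11:33:35 mail named[27337]: samba_dlz: Failed to configure zone 'hprs.local'
Sep  2 11:50:59 mail dhcpd: DHCPDISCOVER from 00:25:b3:bf:f5:42 via eth1
Sep  2 11:51:00 mail named[29041]: samba_dlz: starting transaction on zone hprs.local
Sep  2 11:51:00 mail named[29041]: samba_dlz: cancelling transaction on zone hprs.local
Sep  2 11:51:00 mail named[29041]: client 192.168.0.2#12212: update 'hprs.local/IN' denied
Sep  2 11:51:00 mail dhcpd: Unable to add forward map from hplaptop.hprs.local. to 192.168.0.100: REFUSED
Sep  2 11:51:00 mail dhcpd: DHCPACK on 192.168.0.100 to 00:25:b3:bf:f5:42 (hplaptop) via eth1
""".splitlines()

# Classic syslog prefix: timestamp, host, program with optional [pid], message.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)(?:\[\d+\])?: (.*)$")

# Message patterns of interest; the first match decides the event kind.
RULES = [
    ("insecure_acl",      re.compile(r"zone '([^']+)' allows updates by IP address")),
    ("dlz_config_failed", re.compile(r"samba_dlz: Failed to configure zone '([^']+)'")),
    ("dlz_txn_cancelled", re.compile(r"samba_dlz: cancelling transaction on zone (\S+)")),
    ("update_denied",     re.compile(r"client ([\d.]+)#\d+: update '([^']+)/IN' denied")),
    ("dhcp_map_refused",  re.compile(r"Unable to add (?:forward|reverse) map from (\S+) to (\S+): REFUSED")),
]

def parse_line(line):
    """Return {'ts', 'prog', 'kind', 'groups'} for a line of interest, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, _host, prog, msg = m.groups()
    for kind, rx in RULES:
        k = rx.search(msg)
        if k:
            # Syslog timestamps carry no year; strptime's default year is fine for deltas.
            return {"ts": datetime.strptime(ts, "%b %d %H:%M:%S"),
                    "prog": prog, "kind": kind, "groups": k.groups()}
    return None

def count_by_kind(lines):
    """Quick health summary: how many lines of each kind were seen."""
    return Counter(e["kind"] for e in map(parse_line, lines) if e)

def correlate(lines, window_s=2):
    """For every refused update, gather the dhcpd and samba_dlz lines within
    'window_s' seconds so that one finding explains the whole failure."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for e in events:
        if e["kind"] != "update_denied":
            continue
        client, zone = e["groups"]
        near = [o for o in events if abs((o["ts"] - e["ts"]).total_seconds()) <= window_s]
        findings.append({
            "zone": zone,
            "client": client,
            # A cancelled samba_dlz transaction on the same zone means the DLZ
            # backend, not a static zone file, received and rejected the update.
            "dlz_managed": any(o["kind"] == "dlz_txn_cancelled"
                               and o["groups"][0].rstrip(".") == zone for o in near),
            "dhcp_names_refused": [o["groups"][0] for o in near if o["kind"] == "dhcp_map_refused"],
        })
    return findings

if __name__ == "__main__":
    print(dict(count_by_kind(SAMPLE_LOG)))
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

On the sample this yields a single finding: client 192.168.0.2 (the DHCP server) had its update to hprs.local denied, the DLZ backend was the party that cancelled the transaction, and the dhcpd line confirms the forward map for hplaptop.hprs.local. was what got refused.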
Mark (ASKER):

> If the zone you removed is defined somewhere else you can delete it safely.

I'm assuming the hprs.local zone is defined in the DLZ configuration and that was why I was getting the "loading configuration: already exists" error. Once I commented out that zone in named.conf named at least ran -- though still having issues as explained in my last post.
So that was the dynamic zone for samba.
Mark (ASKER):

> So that was the dynamic zone for samba.

I suppose that is so. There is only one real forward zone: hprs.local. The files created by samba_upgradedns are shown below. Only hprs.local appears to be configured.

So, what's up with my "update denied" problem? Any ideas?

/etc/samba/private/dns/sam.ldb.d/
-rw-rw---- 1 root root 7348224 2014-09-01 16:18 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 1 root root 8560640 2014-09-01 16:18 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root 4247552 2014-09-01 16:18 DC\=DOMAINDNSZONES,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root 4247552 2014-09-01 16:18 DC\=FORESTDNSZONES,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw-r-- 1 root root 1286144 2014-09-01 16:18 DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root  421888 2014-09-02 11:49 metadata.tdb


ASKER CERTIFIED SOLUTION

This solution is only available to members.
You can allow dynamic updates from samba's IP address. No need to authenticate yet while testing.
Mark (ASKER):

I changed my approach to this problem.