On 1/2/2018 2:49 PM, Rowland Penny wrote:
> On Tue, 2 Jan 2018 14:40:10 -0500
> lingpanda101 <lingpanda101 at gmail.com> wrote:
>
>> On 1/2/2018 2:23 PM, Rowland Penny wrote:
>>> On Tue, 2 Jan 2018 14:15:11 -0500
>>> lingpanda101 <lingpanda101 at gmail.com> wrote:
>>>
>>>> On 1/2/2018 1:51 PM, Rowland Penny wrote:
>>>>> On Tue, 2 Jan 2018 13:38:52 -0500
>>>>> lingpanda101 via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>
>>>>>> A few other observations while attempting to switch.
>>>>>>
>>>>>> * I do not have a dns.keytab file. Should I or is created
>>>>>> after attempting to switch?
>>>>> See my earlier post about samba_dnsupgrade.
>>>>>
>>>>>> * running 'named-checkconf' throws an error.
>>>>> It would, it cannot find the zones files that are now in AD.
>>>>>
>>>>> Rowland
>>>> Rowland,
>>>>
>>>> I think I'm on the home stretch :). However I am running
>>>> into a issue after switching the backend. The switch command
>>>> completes successfully. Bind starts but I get errors when
>>>> attempting to run this command after reboot.
>>>>
>>>> samba_dnsupdate --verbose --all-names
>>>>
>>>> I get this error for all updates.
>>>>
>>>> TSIG error with server: tsig indicates error
>>>> update failed: NOTAUTH(BADSIG)
>>>> Failed nsupdate: 2
>>>> update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
>>>> Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
>>>> Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as
>>>> DDC2$ Outgoing update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>> ;; UPDATE SECTION:
>>>> gc._msdcs.domain.local. 900 IN A 172.16.22.27
>>>>
>>>>
>>>> I can connect to the server via. Windows DNS Manager and browse.
>>>>
>>>>
>>> Try adding '--use-samba-tool' to the 'samba_dnsupdate' command
>>>
>>> Rowland
>> I will add that DNS is replicating correctly. I deleted and added a
>> DNS A record and it replicated instantaneously across sites.
>>
> The problem is that only the owner (or a member of dnsadmins) of a dns
> record can update it. You seem to be trying to use a computer account
> (fairly common) that doesn't own the records.
>
> Rowland

Actually it looks as if Bind isn't running. Though I could've sworn it
did at one point.

service bind9 restart
 * Stopping domain name service... bind9
rndc: connect failed: 127.0.0.1#953: connection refused
 [ OK ]
 * Starting domain name service... bind9 [fail]

Log shows;

Jan 2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
Jan 2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet Systems Consortium,
Jan 2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan 2 15:20:51 ddc2 named[2793]: corporation. Support and training for BIND 9 are
Jan 2 15:20:51 ddc2 named[2793]: available at https://www.isc.org/support
Jan 2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
Jan 2 15:20:51 ddc2 named[2793]: adjusted limit on open files from 4096 to 1048576
Jan 2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
Jan 2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
Jan 2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
Jan 2 15:20:51 ddc2 named[2793]: loading configuration from '/etc/bind/named.conf'
Jan 2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options' redefined near 'options'
Jan 2 15:20:51 ddc2 named[2793]: loading configuration: already exists
Jan 2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)

It seems to stem from the issue I had before
"/etc/bind/named.conf:15: 'options' redefined near 'options'"

--
--
James

On Tue, 2 Jan 2018 15:23:18 -0500
lingpanda101 <lingpanda101 at gmail.com> wrote:

> Actually it looks as if Bind isn't running. Though I could've sworn
> it did at one point.
>
> service bind9 restart
> * Stopping domain name service... bind9
> rndc: connect failed: 127.0.0.1#953: connection refused
> [ OK ]
> * Starting domain name service... bind9 [fail]
>
> Log shows;
>
> Jan 2 15:20:51 ddc2 named[2793]:
> ----------------------------------------------------
> Jan 2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet
> Systems Consortium,
> Jan 2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3)
> public-benefit
> Jan 2 15:20:51 ddc2 named[2793]: corporation. Support and training
> for BIND 9 are
> Jan 2 15:20:51 ddc2 named[2793]: available at
> https://www.isc.org/support Jan 2 15:20:51 ddc2 named[2793]:
> ----------------------------------------------------
> Jan 2 15:20:51 ddc2 named[2793]: adjusted limit on open files from
> 4096 to 1048576
> Jan 2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
> Jan 2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
> Jan 2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
> Jan 2 15:20:51 ddc2 named[2793]: loading configuration from
> '/etc/bind/named.conf'
> Jan 2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options'
> redefined near 'options'
> Jan 2 15:20:51 ddc2 named[2793]: loading configuration: already
> exists Jan 2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)
>
> It seems to stem from the issue I had before
> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
>

I reread your earlier post and noticed something I missed earlier, do
you normally use red-hat ?
I ask this because you have this line in /etc/bind/named.conf:

include "/etc/bind/named.conf.options";

Followed by:
# Global Configuration Options
options {
.........
......

If this is all in the one file (ala red-hat), then this is your
problem, debian splits up Bind9 into separate conf files and you will
have two 'options'

Rowland

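
The duplicate-`options` condition described in the message above can be located offline by following `include` statements and listing every top-level `options` block with its file and line. This is an added example, not part of the original thread or of BIND or Samba; `find_options` and `demo` are hypothetical names, and the sample files are constructed.

```python
import os
import re
import tempfile

# Comments (/* */, //, #) are blanked; quoted strings (group 1) are kept as-is.
_COMMENT = re.compile(r'("(?:[^"\\]|\\.)*")|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# Tokens that matter: strings, braces, include statements, 'options {'.
_SCAN = re.compile(r'"(?:[^"\\]|\\.)*"|[{}]|\binclude\s+"([^"]+)"\s*;'
                   r'|\boptions\b(?=\s*\{)')

def strip_comments(text):
    # Keep newlines from block comments so reported line numbers stay correct.
    return _COMMENT.sub(
        lambda m: m.group(1) or "\n" * m.group(0).count("\n") or " ", text)

def find_options(path, seen=None):
    """Return [(file, line)] for each top-level 'options' block, in read order."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                      # guard against include loops
        return []
    seen.add(real)
    with open(real) as fh:
        text = strip_comments(fh.read())
    hits, depth = [], 0
    for m in _SCAN.finditer(text):
        tok = m.group(0)
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif m.group(1) and depth == 0:
            # Assumption: relative includes resolve beside the including file.
            hits += find_options(os.path.join(os.path.dirname(real), m.group(1)), seen)
        elif tok == "options" and depth == 0:
            hits.append((real, text.count("\n", 0, m.start()) + 1))
    return hits

def demo():
    """Constructed layout: Debian-style include plus a second inline block."""
    d = tempfile.mkdtemp()
    opts, main = os.path.join(d, "named.conf.options"), os.path.join(d, "named.conf")
    with open(opts, "w") as fh:
        fh.write('options {\n    directory "/var/cache/bind";\n};\n')
    with open(main, "w") as fh:
        fh.write('// primary config\ninclude "%s";\n# Global Configuration Options\n'
                 'options {\n    recursion yes;\n};\n' % opts)
    return [(os.path.basename(f), n) for f, n in find_options(main)]

if __name__ == "__main__":
    for name, line in demo():
        print("%s:%d: options block" % (name, line))
```

More than one entry in the result means `named` will stop with the `'options' redefined` error; the second entry is the block to merge into the first or remove.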
On 1/2/2018 3:37 PM, Rowland Penny wrote:
> On Tue, 2 Jan 2018 15:23:18 -0500
> lingpanda101 <lingpanda101 at gmail.com> wrote:
>
>
>> Actually it looks as if Bind isn't running. Though I could've sworn
>> it did at one point.
>>
>> service bind9 restart
>> * Stopping domain name service... bind9
>> rndc: connect failed: 127.0.0.1#953: connection refused
>> [ OK ]
>> * Starting domain name service... bind9 [fail]
>>
>> Log shows;
>>
>> Jan 2 15:20:51 ddc2 named[2793]:
>> ----------------------------------------------------
>> Jan 2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet
>> Systems Consortium,
>> Jan 2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3)
>> public-benefit
>> Jan 2 15:20:51 ddc2 named[2793]: corporation. Support and training
>> for BIND 9 are
>> Jan 2 15:20:51 ddc2 named[2793]: available at
>> https://www.isc.org/support Jan 2 15:20:51 ddc2 named[2793]:
>> ----------------------------------------------------
>> Jan 2 15:20:51 ddc2 named[2793]: adjusted limit on open files from
>> 4096 to 1048576
>> Jan 2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
>> Jan 2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
>> Jan 2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
>> Jan 2 15:20:51 ddc2 named[2793]: loading configuration from
>> '/etc/bind/named.conf'
>> Jan 2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options'
>> redefined near 'options'
>> Jan 2 15:20:51 ddc2 named[2793]: loading configuration: already
>> exists Jan 2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)
>>
>> It seems to stem from the issue I had before
>> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
>>
> I reread your earlier post and noticed something I missed earlier, do
> you normally use red-hat ?
> I ask this because you have this line in /etc/bind/named.conf:
>
> include "/etc/bind/named.conf.options";
>
> Followed by:
> # Global Configuration Options
> options {
> .........
> ......
>
>
>
> If this is all in the one file (ala red-hat), then this is your
> problem, debian splits up Bind9 into separate conf files and you will
> have two 'options'
>
> Rowland

I do not. Ubuntu but I do have two CentOS systems. The config file was
auto-generated when I installed via. apt-get. This is what it originally
contained before I made any modifications.

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

If I comment out these include files, Bind9 starts. However I do still get

rndc: connect failed: 127.0.0.1#953: connection refused

However I'm still getting the TSIG errors.

--
--
James