On 15/05/2018 15:37, Rowland Penny via samba wrote:
> On Tue, 15 May 2018 15:30:08 +0200
> Marco Coli via samba <samba at lists.samba.org> wrote:
>
>>> On Sat, 12 May 2018 01:17:02 -0600
>>> "Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
>>>
>>>> Well I may have been overzealous and upgraded my Samba AD server
>>>> to CentOS 7.5. After doing so the named service will not start. The
>>>> error message I get is:
>>>>
>>>> May 12 00:50:55 nureyev named[11351]: Loading 'AD DNS Zone' using driver dlopen
>>>> May 12 00:50:55 nureyev named[11351]: dlz_dlopen of 'AD DNS Zone' failed
>>>> May 12 00:50:55 nureyev named[11351]: SDLZ driver failed to load.
>>>> May 12 00:50:55 nureyev named[11351]: DLZ driver failed to load.
>>>> May 12 00:50:55 nureyev named[11351]: loading configuration: out of memory
>>>> May 12 00:50:55 nureyev named[11351]: exiting (due to fatal error)
>>>>
>>>> Everything was fine with the previous version of CentOS 7.4. If I
>>>> comment out the line from /etc/named.conf
>>>>
>>>> // include "/var/lib/samba/private/named.conf";
>>>>
>>>
>>> Wrong 'include' line ;-)
>>> I think you will find that your /etc/krb5.conf starts with an
>>> 'include' line, remove this and your problem will go away.
>>>
>>> Rowland
>>
>> I have the same problem (no named starting after CentOS upgrade), but
>> my /etc/krb5.conf has no 'include' line:
>>
>> [libdefaults]
>>     default_realm = INTRANET.MAGIGAS.LOCAL
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> What can I do to restore named functionality?
>>
>> Thank you
>>
>
> Are you getting the same error message?
> If not, please post the error message you are getting.
>
> Please post your named.conf
>
> Rowland

Hello, the message is exactly the same:

mag 15 11:30:20 mail.magigas.local named[30186]: Loading 'AD DNS Zone' using driver dlopen
mag 15 11:30:20 mail.magigas.local named[30186]: dlz_dlopen of 'AD DNS Zone' failed
mag 15 11:30:20 mail.magigas.local named[30186]: SDLZ driver failed to load.
mag 15 11:30:20 mail.magigas.local named[30186]: DLZ driver failed to load.
mag 15 11:30:20 mail.magigas.local named[30186]: loading configuration: out of memory
mag 15 11:30:20 mail.magigas.local named[30186]: exiting (due to fatal error)
mag 15 11:30:20 mail.magigas.local systemd[1]: named.service: control process exited, code=exited status=1
mag 15 11:30:20 mail.magigas.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
mag 15 11:30:20 mail.magigas.local systemd[1]: Unit named.service entered failed state.
mag 15 11:30:20 mail.magigas.local systemd[1]: named.service failed.

Here is named.conf (at the end I have other zones external to AD):

include "/etc/rndc.key";
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.

// include "/var/lib/samba/private/named.conf";

options {
        // listen-on port 53 { 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        //
        // memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 10.0.0.0/16 ; 10.1.0.0/16 ; 192.168.100.0/24 ; localhost; };
        // recursion yes;
        listen-on { any; };
        query-source address * port 53;

        // dnssec-enable yes;
        // dnssec-validation yes;
        // dnssec-lookaside auto;

        /* Path to ISC DLV key */
        /// bindkeys-file "/etc/named.iscdlv.key";

        // managed-keys-directory "/var/named/dynamic";

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

        forward first;
        forwarders {
                8.8.8.8;
                8.8.4.4;
                // 151.99.125.2;
                // 151.99.250.2;
                // 213.92.5.54;
                // 194.185.88.5;
                // 151.99.125.3;
        };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "magigas.homelinux.com" IN {
        type master;
        file "homelinux";
        allow-update { none; };
        notify yes;
};

zone "magigas.it" IN {
        type master;
        file "magigas.it";
        allow-update { none; };
        ## notify yes;
};

zone "magigas.eu" IN {
        type master;
        file "magigas.eu";
        allow-update { none; };
        # notify yes;
};

zone "villabasilicaenergy.eu" IN {
        type master;
        file "villabasilicaenergy.eu";
        allow-update { none; };
        ## notify yes;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

I have the same problem on 3 different machines, different locations, different AD domains.
For 2 of them (after the problem occurred on the first one), being virtual, I did a snapshot before, so I was able to reverse the problem.

sernet-samba-ad-4.8.1-9.el7.x86_64 on all 3. 2 of them are CentOS, the third RHEL. Same behaviour.

Thank you.
On Tue, 15 May 2018 15:54:16 +0200
Marco Coli <marco.coli.gm at gmail.com> wrote:

>
> Hello, the message is exactly the same:
> mag 15 11:30:20 mail.magigas.local named[30186]: Loading 'AD DNS Zone'
> using driver dlopen
> mag 15 11:30:20 mail.magigas.local named[30186]: dlz_dlopen of 'AD DNS
> Zone' failed
> mag 15 11:30:20 mail.magigas.local named[30186]: SDLZ driver failed
> to load. mag 15 11:30:20 mail.magigas.local named[30186]: DLZ driver
> failed to load. mag 15 11:30:20 mail.magigas.local named[30186]:
> loading configuration: out of memory
> mag 15 11:30:20 mail.magigas.local named[30186]: exiting (due to fatal
> error)
> mag 15 11:30:20 mail.magigas.local systemd[1]: named.service: control
> process exited, code=exited status=1
> mag 15 11:30:20 mail.magigas.local systemd[1]: Failed to start
> Berkeley Internet Name Domain (DNS).
> mag 15 11:30:20 mail.magigas.local systemd[1]: Unit named.service
> entered failed state.
> mag 15 11:30:20 mail.magigas.local systemd[1]: named.service failed.
>
> Here is named.conf (at the end I have other zones external to AD):
>

A couple of comments: I personally wouldn't have any zones other than
the AD zones in named.conf. You should forward anything outside the AD
domain to another DNS server, and talking about forwarders, you
definitely do not 'forward first'.

Try reading this:

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

It might help

Rowland
On 15/05/2018 16:34, Rowland Penny via samba wrote:
> On Tue, 15 May 2018 15:54:16 +0200
> Marco Coli <marco.coli.gm at gmail.com> wrote:
>
>>
>> Hello, the message is exactly the same:
>> mag 15 11:30:20 mail.magigas.local named[30186]: Loading 'AD DNS Zone'
>> using driver dlopen
>> mag 15 11:30:20 mail.magigas.local named[30186]: dlz_dlopen of 'AD DNS
>> Zone' failed
>> mag 15 11:30:20 mail.magigas.local named[30186]: SDLZ driver failed
>> to load. mag 15 11:30:20 mail.magigas.local named[30186]: DLZ driver
>> failed to load. mag 15 11:30:20 mail.magigas.local named[30186]:
>> loading configuration: out of memory
>> mag 15 11:30:20 mail.magigas.local named[30186]: exiting (due to fatal
>> error)
>> mag 15 11:30:20 mail.magigas.local systemd[1]: named.service: control
>> process exited, code=exited status=1
>> mag 15 11:30:20 mail.magigas.local systemd[1]: Failed to start
>> Berkeley Internet Name Domain (DNS).
>> mag 15 11:30:20 mail.magigas.local systemd[1]: Unit named.service
>> entered failed state.
>> mag 15 11:30:20 mail.magigas.local systemd[1]: named.service failed.
>>
>> Here is named.conf (at the end I have other zones external to AD):
>>
>
> A couple of comments: I personally wouldn't have any zones other than
> the AD zones in named.conf. You should forward anything outside the AD
> domain to another DNS server, and talking about forwarders, you
> definitely do not 'forward first'.
>
> Try reading this:
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>
> It might help
>
> Rowland

Ok, thanks for your comments, but the problem is not related to these aspects.
If I remove (prior to the upgrade) all 'alien' zones, after the upgrade the problem is the same (I tested this before; I tried to 'strip out' named.conf).
I will try to remove 'forward first' as well, and I will let you know.

The problem seems related to some package that was updated.
If I upgrade sernet-samba alone to sernet-samba-ad-4.8.1-9.el7.x86_64 (and restart the service, of course), all is ok, but when I update all the other packages, hell on earth (earth=samba)...
Any clue about which rpm can be involved?

The kernel is out of the picture, because the problem is present immediately after the upgrade, before rebooting into the new kernel (but rebooting does not help)...

My configuration started with 7.1 and survived happily until now...

Thank you
me at tdiehl.org
2018-May-16  00:52 UTC
[Samba] named will not start after upgrade of CentOS
On Tue, 15 May 2018, Marco Coli via samba wrote:

>
> I have the same problem on 3 different machines, different location,
> different AD domains.
> For 2 (after the problem occurred on the first one), being virtual, I did
> a snapshot before, so I was able to reverse the problem.
>
> sernet-samba-ad-4.8.1-9.el7.x86_64 on all 3. 2 of them are CentOS, the
> third RHEL. Same behavior.

I am not sure if it will help but I would try turning up the logging on
kerberos and see if that shows anything interesting. See
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module
for details.

You might also want to review
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Configuring_Kerberos.

Does Sernet use 2 separate copies of krb5.conf? If yes, are they symlinked?
The Wiki page specifically says don't do that.

Are the permissions on krb5.conf set so that users other than root can
read them? 644?

I wonder if samba actually uses both copies or just the one in /etc?

Regards,

--
Tom me at tdiehl.org
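An added diagnostic script (my own, not from this thread, Samba or SerNet) that mechanically checks the points raised so far: an 'include' line, a symlink or a non-world-readable mode on krb5.conf, and in named.conf a commented-out Samba DLZ include, 'forward first' and master zones outside AD. The function names, the findings count and the sample files at the bottom are my own assumptions.

```shell
#!/bin/sh
# Added diagnostic for the points raised in this thread; not code from the
# list, Samba or SerNet. Paths are parameters so it can run against copies.

# krb5.conf: must not be a symlink, must be readable by non-root users
# (mode 644; named does not run as root) and must contain no 'include'
# line. Prints the number of findings; each finding is described on stderr.
check_krb5_conf() {
    f="$1"; n=0
    if [ -L "$f" ]; then
        echo "WARN: $f is a symlink; the wiki says not to symlink it" >&2; n=$((n+1))
    fi
    # column 8 of 'ls -l' is the read bit for 'others'
    if [ "$(ls -ld "$f" | cut -c8)" != "r" ]; then
        echo "WARN: $f is not readable by other users (want 644)" >&2; n=$((n+1))
    fi
    if grep -qE '^[[:space:]]*include([[:space:]]|$)' "$f"; then
        echo "WARN: $f contains an 'include' line; remove it" >&2; n=$((n+1))
    fi
    echo "$n"
}

# named.conf: the Samba DLZ include must be active (not commented out),
# 'forward first' should be 'forward only', and master zones outside AD
# belong on a separate DNS server. Prints the number of findings.
check_named_conf() {
    f="$1"; n=0
    stripped=$(sed 's#//.*$##' "$f")   # drop // comments before matching
    if ! printf '%s\n' "$stripped" | grep -q 'include "/var/lib/samba/private/named.conf"'; then
        echo "WARN: Samba DLZ include missing or commented out" >&2; n=$((n+1))
    fi
    if printf '%s\n' "$stripped" | grep -q 'forward[[:space:]]*first'; then
        echo "WARN: 'forward first' found; use 'forward only'" >&2; n=$((n+1))
    fi
    zones=$(printf '%s\n' "$stripped" | grep -c 'type[[:space:]]*master' || true)
    if [ "$zones" -gt 0 ]; then
        echo "WARN: $zones master zone(s) outside AD; serve them elsewhere" >&2; n=$((n+1))
    fi
    echo "$n"
}

# Demo on constructed sample files (not the real configs from the thread).
d=$(mktemp -d)
printf '[libdefaults]\n default_realm = EXAMPLE.LOCAL\n' > "$d/krb5.conf"
chmod 644 "$d/krb5.conf"
printf 'options { forward first; };\n// include "/var/lib/samba/private/named.conf";\n' > "$d/named.conf"
echo "krb5.conf findings: $(check_krb5_conf "$d/krb5.conf")"     # 0
echo "named.conf findings: $(check_named_conf "$d/named.conf")"  # 2
rm -rf "$d"
```

Run it against copies of /etc/krb5.conf and /etc/named.conf; a non-zero count lists what to look at first, while a zero count only means these particular points are not the cause.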
On 16/05/2018 02:52, me at tdiehl.org wrote:
> On Tue, 15 May 2018, Marco Coli via samba wrote:
>
>>
>> I have the same problem on 3 different machines, different location,
>> different AD domains.
>> For 2 (after the problem occurred on the first one), being virtual, I did
>> a snapshot before, so I was able to reverse the problem.
>>
>> sernet-samba-ad-4.8.1-9.el7.x86_64 on all 3. 2 of them are CentOS, the
>> third RHEL. Same behavior.
>
> I am not sure if it will help but I would try turning up the logging on
> kerberos and see if that shows anything interesting. See
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module
> for details.
>
> You might also want to review
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Configuring_Kerberos.
>
> Does Sernet use 2 separate copies of krb5.conf? If yes, are they symlinked?
> The Wiki page specifically says don't do that.
>
> Are the permissions on krb5.conf set so that users other than root can
> read them? 644?
>
> I wonder if samba actually uses both copies or just the one in /etc?
>
> Regards,
>

I did find that the problem originates with the kerberos upgrade. If I upgrade everything except the kerberos rpm to 7.5, dns has no problem.
I will find out with log examination where the problem is.

Thank you ALL for the help and suggestions!