I have installed and configured a Samba 4.9.4 first-in-forest AD DC on a
clean, updated installation of Ubuntu 18.04 running BIND
9.11.3-1ubuntu1.3-Ubuntu ... built by make with ... '--with-gssapi=/usr'
... '--sysconfdir=/etc' ... '--sysconfdir=/etc/bind' ....
I am following the Samba Wiki for guidance.
The installation proceeded without error in all tests until I attempted to run:
$ sudo samba_dnsupdate --verbose --all-names
which returned:
IPs: ['172.20.10.130']
force update: A dc01.corp.<DOMAIN>.com 172.20.10.130
* * * * *
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
update(nsupdate): A dc01.corp.<DOMAIN>.com 172.20.10.130
Calling nsupdate for A dc01.corp.<DOMAIN>.com 172.20.10.130 (add)
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc01.corp.<DOMAIN>.com. 900 IN A 172.20.10.130
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): NS corp.<DOMAIN>.com dc01.corp.<DOMAIN>.com
Calling nsupdate for NS corp.<DOMAIN>.com dc01.corp.<DOMAIN>.com (add)
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
corp.<DOMAIN>.com. 900 IN NS dc01.corp.<DOMAIN>.com.
* * * * *
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 29 entries
==================================
ATTEMPTS TO RESOLVE:
==================================
(1) Verify keytab and dns user ...
$ sudo klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-dc01' dn
# record 1
dn: CN=dns-dc01,CN=Users,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/CN=Configuration,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/DC=DomainDnsZones,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/DC=ForestDnsZones,DC=corp,DC=<DOMAIN>,DC=com
# returned 4 records
# 1 entries
# 3 referrals
(2) Confirm files accessible to BIND ...
$ sudo ls -la /etc/krb5.conf
-rw-r--r-- 1 root root 94 Jan 6 18:18 /etc/krb5.conf
$ sudo ls -la /var/cache/bind
total 20
drwxrwxr-x 3 root bind 4096 Jan 7 09:38 .
drwxr-xr-x 11 root root 4096 Jan 6 17:09 ..
-rw-r--r-- 1 bind bind 221 Jan 6 17:36 managed-keys.bind
drwxrwxr-x 2 root bind 4096 Jan 6 17:27 master
-rw-r----- 1 root bind 3316 Nov 14 13:00 named.root
$ sudo ls -la /var/tmp
total 16
drwxrwxrwt 4 root root 4096 Jan 7 10:27 .
drwxr-xr-x 13 root root 4096 Jan 6 15:48 ..
(3) Temporarily switch backends ...
$ sudo samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/CORP.<DOMAIN>.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
You have switched to using SAMBA_INTERNAL as your dns backend, but you still
have samba starting looking for a BIND backend. Please remove the -dns from your
server services line.
$ sudo samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/CORP.<DOMAIN>.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-dc01 account
See /usr/local/samba/bind-dns/named.conf for an example configuration include
file for BIND
and /usr/local/samba/bind-dns/named.txt for further documentation required for
secure DNS updates
Finished upgrading DNS
(4) Remove and recreate keytab and user
$ sudo rm /usr/local/samba/private/dns.keytab
$ sudo samba-tool user delete dns-dc01
Deleted user dns-dc01
$ sudo samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/bind-dns/dns/CORP.<DOMAIN>.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-dc01 account
See /usr/local/samba/bind-dns/named.conf for an example configuration include
file for BIND
and /usr/local/samba/bind-dns/named.txt for further documentation required for
secure DNS updates
Finished upgrading DNS
$ sudo systemctl restart bind9
$ sudo systemctl status bind9 -n 500
$ sudo reboot
$ sudo klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
   1 DNS/dc01.corp.<DOMAIN>.com@CORP.<DOMAIN>.COM
   1 dns-dc01@CORP.<DOMAIN>.COM
$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-dc01' dn
# record 1
dn: CN=dns-dc01,CN=Users,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/CN=Configuration,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/DC=DomainDnsZones,DC=corp,DC=<DOMAIN>,DC=com
# Referral
ref: ldap://corp.<DOMAIN>.com/DC=ForestDnsZones,DC=corp,DC=<DOMAIN>,DC=com
# returned 4 records
# 1 entries
# 3 referrals
FOR ALL OF THE ABOVE (after restarting BIND, rebooting system, etc.), the
problem persists as follows:
$ sudo samba_dnsupdate --verbose --all-names
IPs: ['172.20.10.130']
force update: A dc01.corp.<DOMAIN>.com 172.20.10.130
* * * * *
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
update(nsupdate): A dc01.corp.<DOMAIN>.com 172.20.10.130
Calling nsupdate for A dc01.corp.<DOMAIN>.com 172.20.10.130 (add)
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc01.corp.<DOMAIN>.com. 900 IN A 172.20.10.130
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
update(nsupdate): NS corp.<DOMAIN>.com dc01.corp.<DOMAIN>.com
Calling nsupdate for NS corp.<DOMAIN>.com dc01.corp.<DOMAIN>.com (add)
Successfully obtained Kerberos ticket to DNS/dc01.corp.<DOMAIN>.com as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
corp.<DOMAIN>.com. 900 IN NS dc01.corp.<DOMAIN>.com.
* * * * *
dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 29 entries
==================================
BACKGROUND/CONFIGURATION:
==================================
(1) /etc/bind/named.conf file (NOTE: BIND9_DLZ and tkey settings uncommented/added at proper time during installation):
# Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/cache/bind";
    notify no;
    empty-zones-enable no;

    # Enable dynamic DNS updates using Kerberos
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        172.20.10.128/25;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        172.20.10.128/25;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        172.20.10.129;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };
};

# Configure dynamically loadable zones (DLZ) from AD schema
dlz "AD DNS Zone" {
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};
(2) AppArmor - BIND Placed in Complain Mode, and, in any case, no violations
noted:
$ sudo aa-complain /usr/sbin/named
Setting /usr/sbin/named to complain mode.
$ sudo aa-status
1 profiles are in complain mode.
/usr/sbin/named
1 processes are in complain mode.
/usr/sbin/named (1038)
$ sudo journalctl -b | grep ALLOWED
(3) Samba 4.9.4 Build and provision:
$ ./configure --enable-selftest --enable-gnutls --with-systemd --accel-aes=intelaesni
$ sudo smbd -b
Paths:
SBINDIR: /usr/local/samba/sbin
BINDIR: /usr/local/samba/bin
CONFIGFILE: /usr/local/samba/etc/smb.conf
LOGFILEBASE: /usr/local/samba/var
LMHOSTSFILE: /usr/local/samba/etc/lmhosts
LIBDIR: /usr/local/samba/lib
MODULESDIR: /usr/local/samba/lib
SHLIBEXT: so
LOCKDIR: /usr/local/samba/var/lock
STATEDIR: /usr/local/samba/var/locks
CACHEDIR: /usr/local/samba/var/cache
PIDDIR: /usr/local/samba/var/run
SMB_PASSWD_FILE: /usr/local/samba/private/smbpasswd
PRIVATE_DIR: /usr/local/samba/private
BINDDNS_DIR: /usr/local/samba/bind-dns
$ sudo samba-tool domain provision --server-role=dc --use-rfc2307 \
    --dns-backend=BIND9_DLZ --realm=CORP.<DOMAIN>.COM --domain=CORP \
    --option="interfaces=lo eno1" --option="bind interfaces only=yes" \
    --adminpass=<PASSWORD>
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=corp,DC=<DOMAIN>,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=corp,DC=<DOMAIN>,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/bind-dns/named.conf for an example configuration
include file for BIND
and /usr/local/samba/bind-dns/named.txt for further documentation required
for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at
/usr/local/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it
with this one. Do not create a symlink!
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to
use
Server Role: active directory domain controller
Hostname: dc01
NetBIOS Domain: CORP
DNS Domain: corp.<DOMAIN>.com
DOMAIN SID: <SID>
(4) Verify BIND access for DLZ
Verify or make /usr/local/samba/private/dns.keytab readable by BIND user:
$ sudo chmod 640 /usr/local/samba/private/dns.keytab
$ sudo chown root:bind /usr/local/samba/private/dns.keytab
$ sudo ls -la /usr/local/samba/private/dns.keytab
-rw-r----- 2 root bind 757 Jan 6 17:59 /usr/local/samba/private/dns.keytab
Verify or make /usr/local/samba/bind-dns/dns.keytab readable by BIND user:
$ sudo chmod 640 /usr/local/samba/bind-dns/dns.keytab
$ sudo chown root:bind /usr/local/samba/bind-dns/dns.keytab
$ sudo ls -la /usr/local/samba/bind-dns/dns.keytab
-rw-r----- 2 root bind 757 Jan 6 17:59 /usr/local/samba/bind-dns/dns.keytab
Add new krb5.conf file (configure Kerberos), and verify or make readable by BIND
user [if necessary, chmod 644]:
$ sudo cp /usr/local/samba/private/krb5.conf /etc
$ sudo ls -la /etc/krb5.conf
-rw-r--r-- 1 root root 94 Jan 6 18:18 /etc/krb5.conf
Verify that nsupdate utility exists on domain controller:
$ sudo which nsupdate
/usr/bin/nsupdate
(5) Configure DNS resolver:
Delete symlink in /etc:
$ sudo rm /etc/resolv.conf
Create and set permissions for new /etc/resolv.conf file:
$ sudo nano /etc/resolv.conf
domain corp.<DOMAIN>.com
# nameserver 172.20.10.131
nameserver 172.20.10.130
$ sudo chmod 777 /etc/resolv.conf
$ sudo ls -la /etc/resolv.conf
-rwxrwxrwx 1 root root 73 Jan 6 18:24 /etc/resolv.conf
(6) Test Samba AD DC
Verify File Server
List all shares provided by the DC:
$ smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.9.4)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Connect to netlogon share using domain administrator account to verify
authentication:
$ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter CORP\administrator's password: [wjcStrong]
  .                                   D        0  Sun Jan  6 17:59:44 2019
  ..                                  D        0  Sun Jan  6 17:59:48 2019

                243559804 blocks of size 1024. 227614076 blocks available
Verify DNS (query some DNS records)
Query tcp-based _ldap SRV record in the domain:
$ host -t SRV _ldap._tcp.corp.<DOMAIN>.com.
_ldap._tcp.corp.<DOMAIN>.com has SRV record 0 100 389 dc01.corp.<DOMAIN>.com.
Query udp-based _kerberos SRV resource record in the domain:
$ host -t SRV _kerberos._udp.corp.<DOMAIN>.com.
_kerberos._udp.corp.<DOMAIN>.com has SRV record 0 100 88 dc01.corp.<DOMAIN>.com.
Query A record of the domain controller:
$ host -t A dc01.corp.<DOMAIN>.com.
dc01.corp.<DOMAIN>.com has address 172.20.10.130
Verify Kerberos
Request Kerberos ticket for domain administrator account:
$ kinit administrator
Password for administrator@CORP.<DOMAIN>.COM: [wjcStrong]
List cached Kerberos tickets:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@CORP.<DOMAIN>.COM

Valid starting       Expires              Service principal
01/07/2019 09:08:35  01/07/2019 19:08:35  krbtgt/CORP.<DOMAIN>.COM@CORP.<DOMAIN>.COM
        renew until 01/08/2019 09:08:31
(7) Test Dynamic DNS Updates
Verify domain and forest partitions, as well as metadata.tdb database, are hard
linked in both directories:
$ sudo ls -lai /usr/local/samba/private/sam.ldb.d/
6167165 -rw-rw---- 2 root bind 4247552 Jan 6 17:59 'DC=DOMAINDNSZONES,DC=CORP,DC=<DOMAIN>,DC=COM.ldb'
6167166 -rw-rw---- 2 root bind 4247552 Jan 6 17:59 'DC=FORESTDNSZONES,DC=CORP,DC=<DOMAIN>,DC=COM.ldb'
6167161 -rw-rw---- 2 root bind  421888 Jan 7 09:06 metadata.tdb
$ sudo ls -lai /usr/local/samba/bind-dns/dns/sam.ldb.d/
6167165 -rw-rw---- 2 root bind 4247552 Jan 6 17:59 'DC=DOMAINDNSZONES,DC=CORP,DC=<DOMAIN>,DC=COM.ldb'
6167166 -rw-rw---- 2 root bind 4247552 Jan 6 17:59 'DC=FORESTDNSZONES,DC=CORP,DC=<DOMAIN>,DC=COM.ldb'
6167161 -rw-rw---- 2 root bind  421888 Jan 7 09:06 metadata.tdb
$ sudo samba_dnsupdate --verbose --all-names
Resulting in the above-noted failures; steps taken ...
==================================
OTHER CONFIGURATION FILES
==================================
/usr/local/samba/etc/smb.conf
# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = lo eno1
        netbios name = DC01
        realm = CORP.<DOMAIN>.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = CORP
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/corp.<DOMAIN>.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
/etc/krb5.conf
[libdefaults]
default_realm = CORP.<DOMAIN>.COM
dns_lookup_realm = false
dns_lookup_kdc = true
==================================
LOGS FROM FIRST STARTUP OF AD-DC PRIOR TO AD-DC TESTING
==================================
$ sudo systemctl status --all --state=failed
● dc01
State: running
Jobs: 0 queued
Failed: 0 units
Since: Sun 2019-01-06 18:27:44 CST; 36s ago
CGroup: /
+-user.slice
¦ +-user-1000.slice
¦ +-user@1000.service
¦ ¦ +-init.scope
¦ ¦ +-1348 /lib/systemd/systemd --user
¦ ¦ +-1356 (sd-pam)
¦ +-session-1.scope
¦ +-1329 sshd: cadmin [priv]
¦ +-1467 sshd: cadmin@pts/0
¦ +-1468 -bash
¦ +-1481 sudo systemctl status --all --state=failed
¦ +-1489 systemctl status --all --state=failed
¦ +-1490 pager
+-init.scope
¦ +-1 /sbin/init
+-system.slice
+-irqbalance.service
¦ +-842 /usr/sbin/irqbalance --foreground
+-system-systemd\x2dfsck.slice
+-samba-ad-dc.service
¦ +-1171 samba: root process .
¦ +-1286 samba: task[s3fs_parent] .
¦ +-1288 samba: task[dcesrv] .
¦ +-1289 samba: tfork waiter process
¦ +-1290 samba: task[nbtd] .
¦ +-1291 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
¦ +-1293 samba: task[wrepl] .
¦ +-1303 samba: task[ldapsrv] .
¦ +-1304 samba: task[cldapd] .
¦ +-1305 samba: task[kdc] .
¦ +-1306 samba: task[dreplsrv] .
¦ +-1307 samba: task[winbindd_parent]
¦ +-1308 samba: task[ntp_signd] .
¦ +-1309 samba: task[kccsrv] .
¦ +-1310 samba: task[dnsupdate] .
¦ +-1315 samba: tfork waiter process
¦ +-1320 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
¦ +-1337 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
¦ +-1338 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
¦ +-1340 winbindd: domain child [CORP] .
¦ +-1342 winbindd: idmap child .
¦ +-1344 winbindd: domain child [BUILTIN]
¦ +-1345 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
+-systemd-networkd.service
¦ +-712 /lib/systemd/systemd-networkd
+-systemd-udevd.service
¦ +-474 /lib/systemd/systemd-udevd
+-cron.service
¦ +-802 /usr/sbin/cron -f
+-sys-fs-fuse-connections.mount
+-sys-kernel-config.mount
+-polkit.service
¦ +-994 /usr/lib/policykit-1/polkitd --no-debug
+-networkd-dispatcher.service
¦ +-880 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
+-sys-kernel-debug.mount
+-bind9.service
¦ +-864 /usr/sbin/named -f -u bind
+-accounts-daemon.service
¦ +-915 /usr/lib/accountsservice/accounts-daemon
+-systemd-journald.service
¦ +-450 /lib/systemd/systemd-journald
+-atd.service
¦ +-887 /usr/sbin/atd -f
+-lxd.socket
+-unattended-upgrades.service
¦ +-968 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
+-ssh.service
¦ +-1167 /usr/sbin/sshd -D
+-dev-mqueue.mount
+-snapd.service
¦ +-979 /usr/lib/snapd/snapd
+-rsyslog.service
¦ +-902 /usr/sbin/rsyslogd -n
+-boot-efi.mount
+-lxcfs.service
¦ +-794 /usr/bin/lxcfs /var/lib/lxcfs/
+-snapd.socket
+-lvm2-lvmetad.service
¦ +-464 /sbin/lvmetad -f
+-systemd-resolved.service
¦ +-744 /lib/systemd/systemd-resolved
+-system-lvm2\x2dpvscan.slice
+-dev-mapper-dc01\x2d\x2dvg\x2dswap_1.swap
+-dev-hugepages.mount
+-dbus.service
¦ +-920 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
+-systemd-timesyncd.service
¦ +-621 /lib/systemd/systemd-timesyncd
+-system-getty.slice
¦ +-getty@tty1.service
¦ +-1233 /sbin/agetty -o -p -- \u --noclear tty1 linux
+-systemd-logind.service
+-814 /lib/systemd/systemd-logind
$ sudo systemctl status samba-ad-dc -n 500
● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-01-06 18:27:50 CST; 48s ago
  Process: 1151 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
Main PID: 1171 (samba)
Tasks: 23 (limit: 4915)
CGroup: /system.slice/samba-ad-dc.service
+-1171 samba: root process .
+-1286 samba: task[s3fs_parent] .
+-1288 samba: task[dcesrv] .
+-1289 samba: tfork waiter process
+-1290 samba: task[nbtd] .
+-1291 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
+-1293 samba: task[wrepl] .
+-1303 samba: task[ldapsrv] .
+-1304 samba: task[cldapd] .
+-1305 samba: task[kdc] .
+-1306 samba: task[dreplsrv] .
+-1307 samba: task[winbindd_parent]
+-1308 samba: task[ntp_signd] .
+-1309 samba: task[kccsrv] .
+-1310 samba: task[dnsupdate] .
+-1315 samba: tfork waiter process
+-1320 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
+-1337 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
+-1338 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
+-1340 winbindd: domain child [CORP] .
+-1342 winbindd: idmap child .
+-1344 winbindd: domain child [BUILTIN]
+-1345 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Jan 06 18:27:50 dc01 systemd[1]: Starting Samba Active Directory Domain Controller...
Jan 06 18:27:50 dc01 samba[1151]: root process[1151]: [2019/01/06 18:27:50.631690, 0] ../source4/smbd/server.c:510(binary_smbd_main)
Jan 06 18:27:50 dc01 samba[1151]: root process[1151]: samba version 4.9.4 started.
Jan 06 18:27:50 dc01 samba[1151]: root process[1151]: Copyright Andrew Tridgell and the Samba Team 1992-2018
Jan 06 18:27:50 dc01 systemd[1]: Started Samba Active Directory Domain Controller.
Jan 06 18:27:50 dc01 samba[1171]: root process[1171]: [2019/01/06 18:27:50.867193, 0] ../source4/smbd/server.c:696(binary_smbd_main)
Jan 06 18:27:50 dc01 samba[1171]: root process[1171]: binary_smbd_main: samba: using 'standard' process model
Jan 06 18:27:50 dc01 samba[1303]: task[ldapsrv][1303]: [2019/01/06 18:27:50.875460, 0] ../source4/lib/tls/tlscert.c:72(tls_cert_generate)
Jan 06 18:27:50 dc01 samba[1303]: task[ldapsrv][1303]: Attempting to autogenerate TLS self-signed keys for https for hostname 'DC01.corp.<DOMAIN>.com'
Jan 06 18:27:50 dc01 samba[1171]: root process[1171]: [2019/01/06 18:27:50.883033, 0] ../lib/util/become_daemon.c:138(daemon_ready)
Jan 06 18:27:50 dc01 samba[1171]: root process[1171]: daemon_ready: STATUS=daemon 'samba' finished starting up and ready to serve connections
Jan 06 18:27:51 dc01 winbindd[1320]: [2019/01/06 18:27:51.049802, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
Jan 06 18:27:51 dc01 winbindd[1320]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jan 06 18:27:51 dc01 winbindd[1320]: [2019/01/06 18:27:51.056143, 0] ../lib/util/become_daemon.c:138(daemon_ready)
Jan 06 18:27:51 dc01 winbindd[1320]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jan 06 18:27:51 dc01 smbd[1291]: [2019/01/06 18:27:51.225640, 0] ../lib/util/become_daemon.c:138(daemon_ready)
Jan 06 18:27:51 dc01 smbd[1291]: daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 06 18:27:52 dc01 samba[1303]: task[ldapsrv][1303]: [2019/01/06 18:27:52.496784, 0] ../source4/lib/tls/tlscert.c:170(tls_cert_generate)
Jan 06 18:27:52 dc01 samba[1303]: task[ldapsrv][1303]: TLS self-signed keys generated OK
$ sudo systemctl status bind9 -n 500
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-01-06 18:27:46 CST; 1min 54s ago
     Docs: man:named(8)
 Main PID: 864 (named)
    Tasks: 7 (limit: 4915)
   CGroup: /system.slice/bind9.service
           +-864 /usr/sbin/named -f -u bind

Jan 06 18:27:46 dc01 systemd[1]: Started BIND Domain Name Server.
Jan 06 18:27:46 dc01 named[864]: starting BIND 9.11.3-1ubuntu1.3-Ubuntu (Extended Support Version) <id:a375815>
Jan 06 18:27:46 dc01 named[864]: running on Linux x86_64 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018
Jan 06 18:27:46 dc01 named[864]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules'
Jan 06 18:27:46 dc01 named[864]: running as: named -f -u bind
Jan 06 18:27:46 dc01 named[864]:
----------------------------------------------------
Jan 06 18:27:46 dc01 named[864]: BIND 9 is maintained by Internet Systems Consortium,
Jan 06 18:27:46 dc01 named[864]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan 06 18:27:46 dc01 named[864]: corporation. Support and training for BIND 9 are
Jan 06 18:27:46 dc01 named[864]: available at https://www.isc.org/support
Jan 06 18:27:46 dc01 named[864]:
----------------------------------------------------
Jan 06 18:27:46 dc01 named[864]: adjusted limit on open files from 4096 to 1048576
Jan 06 18:27:46 dc01 named[864]: found 4 CPUs, using 4 worker threads
Jan 06 18:27:46 dc01 named[864]: using 3 UDP listeners per interface
Jan 06 18:27:46 dc01 named[864]: using up to 4096 sockets
Jan 06 18:27:46 dc01 named[864]: loading configuration from '/etc/bind/named.conf'
Jan 06 18:27:46 dc01 named[864]: reading built-in trust anchors from file '/etc/bind/bind.keys'
Jan 06 18:27:46 dc01 named[864]: initializing GeoIP Country (IPv4) (type 1) DB
Jan 06 18:27:46 dc01 named[864]: GEO-106FREE 20180315 Build
Jan 06 18:27:46 dc01 named[864]: initializing GeoIP Country (IPv6) (type 12) DB
Jan 06 18:27:46 dc01 named[864]: GEO-106FREE 20180315 Build
Jan 06 18:27:46 dc01 named[864]: GeoIP City (IPv4) (type 2) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP City (IPv4) (type 6) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP City (IPv6) (type 30) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP City (IPv6) (type 31) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP Region (type 3) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP Region (type 7) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP ISP (type 4) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP Org (type 5) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP AS (type 9) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP Domain (type 11) DB not available
Jan 06 18:27:46 dc01 named[864]: GeoIP NetSpeed (type 10) DB not available
Jan 06 18:27:46 dc01 named[864]: using default UDP/IPv4 port range: [32768, 60999]
Jan 06 18:27:46 dc01 named[864]: using default UDP/IPv6 port range: [32768, 60999]
Jan 06 18:27:46 dc01 named[864]: listening on IPv6 interfaces, port 53
Jan 06 18:27:46 dc01 named[864]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 06 18:27:46 dc01 named[864]: generating session key for dynamic DNS
Jan 06 18:27:46 dc01 named[864]: sizing zone task pool based on 3 zones
Jan 06 18:27:46 dc01 named[864]: Loading 'AD DNS Zone' using driver dlopen
Jan 06 18:27:47 dc01 named[864]: samba_dlz: started for DN DC=corp,DC=<DOMAIN>,DC=com
Jan 06 18:27:47 dc01 named[864]: samba_dlz: starting configure
Jan 06 18:27:47 dc01 named[864]: samba_dlz: configured writeable zone 'corp.<DOMAIN>.com'
Jan 06 18:27:47 dc01 named[864]: samba_dlz: configured writeable zone '_msdcs.corp.<DOMAIN>.com'
Jan 06 18:27:47 dc01 named[864]: none:103: 'max-cache-size 90%' - setting to 14399MB (out of 15999MB)
Jan 06 18:27:47 dc01 named[864]: set up managed keys zone for view _default, file 'managed-keys.bind'
Jan 06 18:27:47 dc01 named[864]: none:103: 'max-cache-size 90%' - setting to 14399MB (out of 15999MB)
Jan 06 18:27:47 dc01 named[864]: configuring command channel from
'/etc/bind/rndc.key'
Jan 06 18:27:47 dc01 named[864]: command channel listening on 127.0.0.1#953
Jan 06 18:27:47 dc01 named[864]: configuring command channel from
'/etc/bind/rndc.key'
Jan 06 18:27:47 dc01 named[864]: command channel listening on ::1#953
Jan 06 18:27:47 dc01 named[864]: managed-keys-zone: journal file is out of date: removing journal file
Jan 06 18:27:47 dc01 named[864]: managed-keys-zone: loaded serial 4
Jan 06 18:27:47 dc01 named[864]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2018120901
Jan 06 18:27:47 dc01 named[864]: zone localhost/IN: loaded serial 2018120901
Jan 06 18:27:47 dc01 named[864]: all zones loaded
Jan 06 18:27:47 dc01 named[864]: running
Jan 06 18:27:49 dc01 named[864]: listening on IPv4 interface eno1, 172.20.10.130#53
Jan 06 18:27:50 dc01 named[864]: resolver priming query complete
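Added example, not part of the original post and not Samba's or BIND's own tooling: a small POSIX shell audit of the file permissions the post checks by eye with ls -la and ls -lai. For a BIND9_DLZ backend, named (started above as `named -f -u bind`) must be able to read dns.keytab and krb5.conf, the sam.ldb.d partitions must be the same inode under private/ and bind-dns/, and no resolver or Kerberos configuration should be world-writable (the post's `chmod 777 /etc/resolv.conf` would let any local account redirect the DC's name resolution). The tree under $DEMO is constructed here as a stand-in for /usr/local/samba and /etc, and the current user's primary group stands in for bind so the script runs without root.

```shell
#!/bin/sh
# Permission audit for the files a Samba BIND9_DLZ setup depends on.
# Added example: the helper names, the $DEMO tree and the $GRP stand-in
# are assumptions of this script, not anything from the post or from Samba.

# Octal permission bits of a file (GNU stat).
file_mode() { stat -c '%a' "$1"; }

# Owning group name of a file.
file_group() { stat -c '%G' "$1"; }

# 0 if "others" have no write bit. The post's chmod 777 on /etc/resolv.conf
# fails this check.
not_world_writable() {
    m=$(file_mode "$1") || return 1
    [ $(( (m % 10) & 2 )) -eq 0 ]
}

# 0 if the file is owned by group $2 and the group read bit is set, i.e. a
# daemon running under that group (named as "bind") can open it.
group_can_read() {
    m=$(file_mode "$1") || return 1
    [ "$(file_group "$1")" = "$2" ] && [ $(( ((m / 10) % 10) & 4 )) -ne 0 ]
}

# 0 if both paths are the same device:inode, i.e. a real hard link, which is
# what the post verifies for sam.ldb.d/ with ls -lai.
same_inode() {
    [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]
}

# Run one check and print a one-line PASS/FAIL verdict.
# Usage: report LABEL CHECK ARGS...
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}

# --- constructed demo tree (stand-in for /usr/local/samba and /etc) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/private/sam.ldb.d" "$DEMO/bind-dns/dns/sam.ldb.d" "$DEMO/etc"
printf 'keytab' > "$DEMO/private/dns.keytab"
chmod 640 "$DEMO/private/dns.keytab"
ln "$DEMO/private/dns.keytab" "$DEMO/bind-dns/dns.keytab"
printf 'tdb' > "$DEMO/private/sam.ldb.d/metadata.tdb"
chmod 660 "$DEMO/private/sam.ldb.d/metadata.tdb"
ln "$DEMO/private/sam.ldb.d/metadata.tdb" "$DEMO/bind-dns/dns/sam.ldb.d/metadata.tdb"
printf '[libdefaults]\n' > "$DEMO/etc/krb5.conf"
chmod 644 "$DEMO/etc/krb5.conf"
printf 'nameserver 172.20.10.130\n' > "$DEMO/etc/resolv.conf"
chmod 777 "$DEMO/etc/resolv.conf"   # reproduces the mode the post set

GRP=$(id -gn)   # stands in for "bind"; chown root:bind would need root

report "dns.keytab readable by group $GRP"  group_can_read "$DEMO/private/dns.keytab" "$GRP"
report "dns.keytab not world-writable"      not_world_writable "$DEMO/private/dns.keytab"
report "dns.keytab hard-linked into bind-dns" same_inode "$DEMO/private/dns.keytab" "$DEMO/bind-dns/dns.keytab"
report "metadata.tdb hard-linked into bind-dns" same_inode "$DEMO/private/sam.ldb.d/metadata.tdb" "$DEMO/bind-dns/dns/sam.ldb.d/metadata.tdb"
report "krb5.conf readable by group $GRP"   group_can_read "$DEMO/etc/krb5.conf" "$GRP"
report "resolv.conf not world-writable"     not_world_writable "$DEMO/etc/resolv.conf"

rm -rf "$DEMO"
```

On a real DC, point the checks at the real paths and pass `bind` as the group; every FAIL line is a concrete item to correct before retrying samba_dnsupdate, and the resolv.conf check is the one the post's own setup would fail.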