Igor Sousa
2019-Apr-17 18:02 UTC
[Samba] Is possible use BIND9 as DNS Back End on a new Samba DC?
Rowland,

My configure line is ./configure --enable-debug --enable-selftest --with-systemd.

An hour ago, I ignored the inconsistency that I reported in the first e-mail of this topic and proceeded as described in the topic "Joining a Samba DC to an Existing Active Directory", and I joined the new DC with the command:

samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=BIND9_DLZ

I've looked at the command output and the new DC seemingly joined mydomain.com. I've checked /usr/local/samba/bind-dns/named.conf and, now, the file exists. But when I added 'include "/usr/local/samba/bind-dns/named.conf";' to my BIND named.conf file, the named service did not start.

I got the following journalctl -xe output, which says "/etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf: permission denied". The file exists and I've tried to change the ownership of this file to root:named, but journalctl -xe still shows the same error.

[root at newdc ~]# journalctl -xe
Apr 17 14:11:19 genos named[5041]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefi
Apr 17 14:11:19 genos named[5041]: ----------------------------------------------------
Apr 17 14:11:19 genos named[5041]: BIND 9 is maintained by Internet Systems Consortium,
Apr 17 14:11:19 genos named[5041]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Apr 17 14:11:19 genos named[5041]: corporation. Support and training for BIND 9 are
Apr 17 14:11:19 genos named[5041]: available at https://www.isc.org/support
Apr 17 14:11:19 genos named[5041]: ----------------------------------------------------
Apr 17 14:11:19 genos named[5041]: adjusted limit on open files from 4096 to 1048576
Apr 17 14:11:19 genos named[5041]: found 2 CPUs, using 2 worker threads
Apr 17 14:11:19 genos named[5041]: using 2 UDP listeners per interface
Apr 17 14:11:19 genos named[5041]: using up to 21000 sockets
Apr 17 14:11:19 genos named[5041]: loading configuration from '/etc/named.conf'
Apr 17 14:11:19 genos named[5041]: /etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf: permission denied
Apr 17 14:11:19 genos named[5041]: loading configuration: permission denied
Apr 17 14:11:19 genos named[5041]: exiting (due to fatal error)
Apr 17 14:11:19 genos systemd[1]: named.service: control process exited, code=exited status=1
Apr 17 14:11:19 genos systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
-- Subject: Unit named.service has failed
--
Igor Sousa

On Wed, 17 Apr 2019 at 12:45, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 17 Apr 2019 11:00:49 -0300
> Igor Sousa <igorvolt at gmail.com> wrote:
>
> > I'm sorry that I forgot to answer appropriately.
> >
> > I'm running CentOS 7 with all packages upgraded. I've followed the
> > instructions in
> > https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba
> > with some needed modifications (the yum line is below this text) and I've
> > installed python 3.4. I've installed Bind9 from the package manager, where
> > the Bind9 version is 9.9.4.
> >
> > YUM command to install the package dependencies required to build samba:
> > yum install attr bind-utils docbook-style-xsl gcc gdb krb5-workstation
> > libsemanage-python libxslt perl perl-ExtUtils-MakeMaker
> > perl-Parse-Yapp perl-Test-Base pkgconfig policycoreutils-python
> > python2-crypto gnutls-devel libattr-devel keyutils-libs-devel
> > libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel
> > pam-devel popt-devel python-devel readline-devel zlib-devel
> > systemd-devel lmdb-devel jansson-devel gpgme-devel pygpgme
> > libarchive-devel
>
> There doesn't seem to be anything missing there (though I could be
> wrong, I normally use Devuan), so what was your 'configure' line?
>
> Rowland
Rowland Penny
2019-Apr-17 19:02 UTC
[Samba] Is possible use BIND9 as DNS Back End on a new Samba DC?
On Wed, 17 Apr 2019 15:02:04 -0300
Igor Sousa <igorvolt at gmail.com> wrote:

> Rowland,
>
> My configure line is ./configure --enable-debug --enable-selftest
> --with-systemd.
>
> An hour ago, I ignored the inconsistency that I reported in the first
> e-mail of this topic and proceeded as described in the topic "Joining a
> Samba DC to an Existing Active Directory", and I joined the new DC with
> the command:
>
> samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator"
> --dns-backend=BIND9_DLZ
>
> I've looked at the command output and the new DC seemingly joined
> mydomain.com. I've checked /usr/local/samba/bind-dns/named.conf
> and, now, the file exists. But when I added 'include
> "/usr/local/samba/bind-dns/named.conf";' to my BIND named.conf file,
> the named service did not start.
>
> I got the following journalctl -xe output, which says
> "/etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf:
> permission denied". The file exists and I've tried to change the
> ownership of this file to root:named, but journalctl -xe
> still shows the same error.

The permissions should be:

ls -lad /usr/local/samba/bind-dns/
drwxrwx---. 3 root named 70 Apr 17 16:39 /usr/local/samba/bind-dns/

ls -la /usr/local/samba/bind-dns/

drwxrwx---. 3 root named 38 Apr 17 16:39 dns
-rw-r-----. 2 root named 797 Apr 17 16:39 dns.keytab
-rw-r--r--. 1 root root 830 Apr 17 16:39 named.conf
-rw-r--r--. 1 root root 2096 Apr 17 16:39 named.txt

Can you post /etc/named.conf?

Rowland
Igor Sousa
2019-Apr-17 20:45 UTC
[Samba] Is possible use BIND9 as DNS Back End on a new Samba DC?
Rowland,

I've done almost all of the permission changes; I forgot the bind-dns directory. Now the named service still doesn't start, and journalctl -xe showed me that this occurs because of a permission denied error when loading dlz_bind9_9.so. I've checked, and the library and the directory /usr/local/samba/lib/bind9/ have execute permission for the named group.

The output of the ls commands, journalctl -xe and /etc/named.conf follows. In my Samba, dns.keytab is not in /usr/local/samba/bind-dns/. The file is in /usr/local/samba/private/ and I point to it in /etc/named.conf as described in "Setting up Dynamic DNS Updates Using Kerberos" under "BIND9 DLZ DNS Back End".

[root at newdc ~]# ls -lad /usr/local/samba/bind-dns/
drwxrwx---. 3 root named 4096 Apr 17 17:04 /usr/local/samba/bind-dns/
[root at newdc ~]# ls -la /usr/local/samba/bind-dns/
total 24
drwxrwx---. 3 root named 4096 Apr 17 17:05 .
drwxr-xr-x. 12 root root 4096 Nov 29 19:46 ..
drwxrwx---. 3 root named 4096 Apr 17 11:29 dns
-rw-r--r--. 1 root named 830 Apr 17 11:29 named.conf
-r--r--r--. 1 root root 331 Apr 17 15:05 named.conf.update
-rw-r--r--. 1 root root 2096 Apr 17 11:29 named.txt
[root at newdc ~]# ls -lad /usr/local/samba/lib/bind9/
drwxr-xr-x. 2 root named 4096 Apr 16 17:44 /usr/local/samba/lib/bind9/
[root at newdc ~]# ls -la /usr/local/samba/lib/bind9/
total 308
drwxr-xr-x. 2 root named 4096 Apr 16 17:44 .
drwxr-xr-x. 15 root root 4096 Apr 16 17:44 ..
-rwxr-xr-x. 1 root named 59648 Apr 16 17:43 dlz_bind9_10.so
-rwxr-xr-x. 1 root named 59648 Apr 16 17:43 dlz_bind9_11.so
-rwxr-xr-x. 1 root named 59648 Apr 16 17:43 dlz_bind9_12.so
-rwxr-xr-x. 1 root named 59648 Apr 16 17:43 dlz_bind9_9.so
-rwxr-xr-x. 1 root named 59648 Apr 16 17:43 dlz_bind9.so
[root at newdc ~]# ls -lad /usr/local/samba/private/
drwx------. 7 root root 4096 Apr 17 15:05 /usr/local/samba/private/
[root at newdc ~]# ls -la /usr/local/samba/private/
total 10988
drwx------. 7 root root 4096 Apr 17 15:05 .
drwxr-xr-x. 12 root root 4096 Nov 29 19:46 ..
-rw-r-----. 1 root named 722 Apr 17 11:29 dns.keytab
-rw-r--r--. 1 root root 3663 Apr 17 11:29 dns_update_list
-rw-------. 1 root root 16 Apr 17 11:29 encrypted_secrets.key
-rw-------. 1 root root 1286144 Apr 17 11:29 hklm.ldb
-rw-------. 1 root root 1286144 Apr 17 15:05 idmap.ldb
-rw-r--r--. 1 root root 91 Apr 17 11:29 krb5.conf
srwxrwxrwx. 1 root root 0 Apr 17 15:05 ldapi
drwxr-x---. 2 root root 4096 Apr 17 15:05 ldap_priv
drwx------. 2 root root 4096 Apr 17 17:20 msg.sock
-rw-------. 1 root root 8888 Apr 17 15:05 netlogon_creds_cli.tdb
-rw-------. 1 root root 1286144 Apr 17 11:29 privilege.ldb
-rw-------. 1 root root 4247552 Apr 17 11:29 sam.ldb
drwx------. 2 root root 4096 Apr 17 11:29 sam.ldb.d
-rw-------. 1 root root 696 Apr 17 15:05 schannel_store.tdb
-rw-------. 1 root root 1052 Apr 17 11:29 secrets.keytab
-rw-------. 1 root root 1286144 Apr 17 11:29 secrets.ldb
-rw-------. 1 root root 499712 Apr 17 15:05 secrets.tdb
-rw-------. 1 root root 1286144 Apr 17 11:29 share.ldb
drwxr-xr-x. 2 root root 4096 Apr 17 15:05 smbd.tmp
-rw-r--r--. 1 root root 955 Apr 17 11:29 spn_update_list
drwxr-xr-x. 2 root root 4096 Apr 17 15:05 tls

[root at newdc ~]# journalctl -xe
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv4) (type 2) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv4) (type 6) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv6) (type 30) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv6) (type 31) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Region (type 3) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Region (type 7) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP ISP (type 4) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Org (type 5) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP AS (type 9) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Domain (type 11) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP NetSpeed (type 10) DB not available
Apr 17 17:43:08 newdc named[6011]: using default UDP/IPv4 port range: [1024, 65535]
Apr 17 17:43:08 newdc named[6011]: using default UDP/IPv6 port range: [1024, 65535]
Apr 17 17:43:08 newdc named[6011]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 17 17:43:08 newdc named[6011]: listening on IPv4 interface eth0, 10.41.20.115#53
Apr 17 17:43:08 newdc named[6011]: generating session key for dynamic DNS
Apr 17 17:43:08 newdc named[6011]: sizing zone task pool based on 3 zones
Apr 17 17:43:08 newdc named[6011]: Loading 'AD DNS Zone' using driver dlopen
Apr 17 17:43:08 newdc named[6011]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_9.so' - /usr/local/samba/lib/bind9/dlz_bind9_9.so: cannot open shared object file: Permission denied
Apr 17 17:43:08 newdc named[6011]: dlz_dlopen of 'AD DNS Zone' failed
Apr 17 17:43:08 newdc kernel: named[6012]: segfault at a8 ip 0000556333f0e299 sp 00007f66404c7320 error 4 in named[556333e9e000+88000]
Apr 17 17:43:08 newdc systemd[1]: named.service: control process exited, code=exited status=1
Apr 17 17:43:08 newdc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
-- Subject: Unit named.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit named.service has failed.
--
-- The result is failed.

[root at newdc ~]# cat /etc/named.conf
#Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    # Dynamic DNS
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        172.16.0.0/16;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        172.16.0.0/16;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        172.16.20.211;
        172.16.20.212;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";

--
Igor Sousa

On Wed, 17 Apr 2019 at 16:03, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 17 Apr 2019 15:02:04 -0300
> Igor Sousa <igorvolt at gmail.com> wrote:
>
> > Rowland,
> >
> > My configure line is ./configure --enable-debug --enable-selftest
> > --with-systemd.
> >
> > An hour ago, I ignored the inconsistency that I reported in the first
> > e-mail of this topic and proceeded as described in the topic "Joining a
> > Samba DC to an Existing Active Directory", and I joined the new DC with
> > the command:
> >
> > samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator"
> > --dns-backend=BIND9_DLZ
> >
> > I've looked at the command output and the new DC seemingly joined
> > mydomain.com. I've checked /usr/local/samba/bind-dns/named.conf
> > and, now, the file exists. But when I added 'include
> > "/usr/local/samba/bind-dns/named.conf";' to my BIND named.conf file,
> > the named service did not start.
> >
> > I got the following journalctl -xe output, which says
> > "/etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf:
> > permission denied". The file exists and I've tried to change the
> > ownership of this file to root:named, but journalctl -xe
> > still shows the same error.
>
> The permissions should be:
>
> ls -lad /usr/local/samba/bind-dns/
> drwxrwx---. 3 root named 70 Apr 17 16:39 /usr/local/samba/bind-dns/
>
> ls -la /usr/local/samba/bind-dns/
>
> drwxrwx---. 3 root named 38 Apr 17 16:39 dns
> -rw-r-----. 2 root named 797 Apr 17 16:39 dns.keytab
> -rw-r--r--. 1 root root 830 Apr 17 16:39 named.conf
> -rw-r--r--. 1 root root 2096 Apr 17 16:39 named.txt
>
> Can you post /etc/named.conf?
>
> Rowland
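Both "permission denied" failures in this thread (first on the included bind-dns/named.conf, then on the dlz_bind9_9.so module) are the same question asked of two paths: can the account named(8) drops to actually reach the file? That needs search (x) permission on every directory from / down, then read permission on the file itself (open(2) for the config, and dlopen(3) maps the module from a readable descriptor). The script below is an added example, not code from the thread and not Samba's or BIND's own tooling: it walks that chain for each path the posted /etc/named.conf makes named open and reports the first component that denies the service account. It assumes BIND runs as user "named" in group "named" (the CentOS 7 packaging), checks only classic mode bits against the primary group (no ACLs, no supplementary groups), and expects absolute paths.

```shell
#!/bin/sh
# check_named_access.sh: added example for the Samba BIND9_DLZ thread; not
# code from the list, Samba or BIND. Walks every directory above a file that
# named(8) must open and reports the first one that denies the BIND service
# account, then checks the file itself.
# Assumptions: service account is user "named", group "named" (CentOS 7);
# only classic mode bits and the primary group are evaluated, so ACLs,
# supplementary groups and SELinux denials are outside what this reports.

BIND_USER=${BIND_USER:-named}
BIND_GROUP=${BIND_GROUP:-named}

# effective_class OWNER GROUP: which permission triple applies to the
# service account. The owner triple wins, then group, then other.
effective_class() {
    if [ "$1" = "$BIND_USER" ]; then echo owner
    elif [ "$2" = "$BIND_GROUP" ]; then echo group
    else echo other
    fi
}

# mode_grants MODE BIT CLASS: MODE is the octal string from stat -c %a
# (e.g. 750, 2750 or 40), BIT is 4 (read), 2 (write) or 1 (execute/search),
# CLASS is owner|group|other. Succeeds when that bit is set for the class.
mode_grants() {
    mode=000$1
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done   # keep last 3 digits
    case $3 in
        owner) digit=${mode%??} ;;
        group) digit=${mode#?}; digit=${digit%?} ;;
        *)     digit=${mode#??} ;;
    esac
    [ $(( digit & $2 )) -ne 0 ]
}

# path_grants PATH BIT: true when the service account has BIT on PATH.
# A path that cannot be stat'ed counts as denied.
path_grants() {
    set -- "$1" "$2" $(stat -c '%a %U %G' -- "$1" 2>/dev/null)
    [ $# -eq 5 ] || return 1
    mode_grants "$3" "$2" "$(effective_class "$4" "$5")"
}

# check_access PATH BIT: prints the first path component that blocks the
# service account (each parent directory needs search permission, the final
# entry needs BIT) and returns 1; prints nothing and returns 0 when open.
check_access() {
    rest=${1#/}
    dir=""
    while :; do
        if ! path_grants "${dir:-/}" 1; then
            echo "${dir:-/}: no search (x) permission for $BIND_USER"
            return 1
        fi
        case $rest in
            */*) dir="$dir/${rest%%/*}"; rest=${rest#*/} ;;
            *)   break ;;
        esac
    done
    if ! path_grants "$1" "$2"; then
        echo "$1: permission bit $2 denied for $BIND_USER"
        return 1
    fi
    return 0
}

# Stand-alone use on the DC: the three files the posted /etc/named.conf
# makes named open. Read (4) is what open(2) and dlopen(3) need.
if [ "${0##*/}" = "check_named_access.sh" ]; then
    for f in /usr/local/samba/bind-dns/named.conf \
             /usr/local/samba/lib/bind9/dlz_bind9_9.so \
             /usr/local/samba/private/dns.keytab; do
        check_access "$f" 4 && echo "$f: ok"
    done
fi
```

Run as root on the DC it needs nothing beyond stat(1). Against the listings posted above it would pass bind-dns/named.conf and the dlz module but stop at /usr/local/samba/private/ (drwx------ root root) on the way to dns.keytab, which is the third path the posted named.conf points at. When the mode bits pass and named still logs "Permission denied", the remaining suspects are outside what this script sees: the trailing "." on every mode string in the posted ls output means an SELinux context is set on those files, so ls -Z on the path and the audit log are the next places to look.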