Hi all
I've given up on the idea that I can make a script to import our
<domain>-zone into samba internal dns with samba-tool as it gets really
messy with subdomains. Instead I'm now trying to get samba4 to let bind
handle the <domain>-zone as well as dynamic updates and such.
The problem is that once I've started named and samba4 after
provisioning, I try to test dynamic updates and it oopses with the message:
root at puppettest01 var]# samba_dnsupdate --verbose --all-names
IPs: ['192.168.0.1']
Traceback (most recent call last):
File "/usr/sbin/samba_dnsupdate", line 506, in <module>
get_credentials(lp)
File "/usr/sbin/samba_dnsupdate", line 119, in get_credentials
creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for PUPPETTEST01$@NIEUWLAND.NL failed (Cannot contact any KDC for requested realm)
When looking at the debug output of bind, it doesn't seem to have loaded
the DLZ module from samba4.
I tried this: named -g -c /etc/bind/named.conf -u named -d3 2>&1 |grep -i dlz
07-Jun-2013 14:18:24.514 built with '--host=x86_64-redhat-linux-gnu'
'--build=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--with-dlopen=yes'
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-stub=yes' '--with-gssapi=yes'
'--disable-isc-spnego'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g'
'CPPFLAGS= -DDIG_SIGCHASE'
07-Jun-2013 14:18:24.516 Registering DLZ_dlopen driver
07-Jun-2013 14:18:24.516 Registering SDLZ driver 'dlopen'
07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'
The packages samba4 (using git master from 2 days ago) and bind are
self-compiled on another centos 6.4 machine. As you can see, the options
'--with-gssapi=yes' and '--with-dlopen=yes' are set (this is 9.8.2 from
the source rpm).
I followed the instructions on how to include
/var/lib/samba4/private/named.conf and named.txt, however, that didn't
work as advertised (cannot read /var/lib/samba4/private/named.conf,
though it was readable by user named???), so I included the stuff in
...private/named.conf literally in the /etc/bind/named.conf (as you can
see, the named.conf location is nonstandard, this is handled in
/etc/sysconfig/named).
samba4 was provisioned for NIEUWLAND.NL as dc and BIND9_DLZ
I figure the problem lies in not loading the dlopen driver, which should
probably look like:
03-Jun-2013 14:38:43.370 Loading 'AD DNS Zone' using driver dlopen
03-Jun-2013 14:38:43.371 Loading SDLZ driver.
03-Jun-2013 14:38:47.233 samba_dlz: started for DN DC=intranet01,DC=hom
03-Jun-2013 14:38:47.234 SDLZ driver loaded successfully.
03-Jun-2013 14:38:47.234 DLZ driver loaded successfully.
03-Jun-2013 14:38:47.235 samba_dlz: starting configure
03-Jun-2013 14:38:47.275 zone 200.168.192.in-addr.arpa/NONE: number of nodes in database: 0
03-Jun-2013 14:38:47.278 zone 200.168.192.in-addr.arpa/NONE: loaded; checking validity
03-Jun-2013 14:38:47.281 zone_settimer: zone 200.168.192.in-addr.arpa/NONE: enter
03-Jun-2013 14:38:47.282 samba_dlz: configured writeable zone '200.168.192.in-addr.arpa'
03-Jun-2013 14:38:47.284 zone intranet01.hom/NONE: number of nodes in database: 0
03-Jun-2013 14:38:47.286 zone intranet01.hom/NONE: loaded; checking validity
(I saw this in another mail to this list, but there bind was compiled from
original sources and version 9.9.3)
I wonder which steps would be most likely to let bind load the driver for dlz?
Should I suspect all the patches redhat includes in their source rpm? Or is it a
configuration issue?
Cheers
Simon
On Fri, Jun 7, 2013 at 5:45 AM, NOC <noc at nieuwland.nl> wrote:
> '--disable-isc-spnego'

'--disable-isc-spnego': it will not work with this in the BIND build, see my previous thread on the mailing list. I just spent roughly 200 man hours working out samba 4 bind DLZ dynamic updates on centos 6.4 myself and finally got it to work after removing that from the bind build, changing --with-gssapi=yes to (I believe it was --with-gssapi=/usr/include/GSSAPI) and adding the with dlopen flag as well. With these 3 things done bind DLZ works; without these 3 things done exactly this way it will not. 'gssapi yes' did not work for me, and you can NOT have --disable-isc-spnego.
Hello NOC,

you didn't provide any configuration so I'm just guessing using my new crystal ball.

Fri, Jun 07, 2013 at 02:45:09PM +0200, NOC wrote:
> Hi all
>
> root at puppettest01 var]# samba_dnsupdate --verbose --all-names
> IPs: ['192.168.0.1']
> Traceback (most recent call last):
> File "/usr/sbin/samba_dnsupdate", line 506, in <module>
> get_credentials(lp)
> File "/usr/sbin/samba_dnsupdate", line 119, in get_credentials
> creds.get_named_ccache(lp, ccachename)
> RuntimeError: kinit for PUPPETTEST01$@NIEUWLAND.NL failed (Cannot
> contact any KDC for requested realm)

You have configured kerberos to look for KDC using DNS and DNS server is not running.

> When looking at the debug output of bind, it doesn't seem to have
> loaded the DLZ module from samba4.
>
> I tried this: named -g -c /etc/bind/named.conf -u named -d3 2>&1
> |grep -i dlz
> 07-Jun-2013 14:18:24.514 built with '--host=x86_64-redhat-linux-gnu'
> '--build=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
> '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
> '--disable-openssl-version-check' '--with-dlopen=yes'
> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-dlz-stub=yes' '--with-gssapi=yes'
> '--disable-isc-spnego'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g'
> 'CPPFLAGS= -DDIG_SIGCHASE'
> 07-Jun-2013 14:18:24.516 Registering DLZ_dlopen driver
> 07-Jun-2013 14:18:24.516 Registering SDLZ driver 'dlopen'
> 07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'
>
> The packages samba4 (using git master from 2 days ago) and bind are
> self-compiled on another centos 6.4 machine. As you can see, the
> options '--with-gssapi=yes' and '--with-dlopen=yes' are set (this is
> 9.8.2 from the source rpm)
>
> I followed the instructions on how to include
> /var/lib/samba4/private/named.conf and named.txt, however, that
> didn't work as advertised (cannot read
> /var/lib/samba4/private/named.conf, though it was readable by user
> named???), so I included the stuff in ...private/named.conf
> literally in the /etc/bind/named.conf (as you can see, the
> named.conf location is nonstandard, this is handled in
> /etc/sysconfig/named).

What about selinux?

Also, giving us only a grep of the logs is useless. There should be very interesting lines below:
07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'

> samba4 was provisioned for NIEUWLAND.NL as dc and BIND9_DLZ
>
> I wonder which steps would be most likely to let bind load the driver
> for dlz? Should I suspect all the patches redhat includes in their
> source rpm? or is it a configuration issue?

This part is working with plain CentOS named for me. The problem mentioned with --disable-isc-spnego is only with Windows client updates to the dns.

Please give us the named.conf (at least the part you copied from samba) and also the named output from /var/log/messages during startup (no debug is needed usually).

Best regards,
Luf
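The two replies above disagree on the cause (one blames the BIND build options, the other says a plain CentOS named works and points at SELinux and the missing log lines), so a quick diagnostic that reports both things is useful. The POSIX sh script below is an added example, not code from the thread or from the Samba or BIND projects: it checks a `named -V` style "built with" string for the options the thread discusses, classifies a startup log as "zone loaded through dlopen" versus "driver registered only", and checks whether the named user can read the Samba-generated include. The sample strings are constructed from the shape of the thread's output (the DN is a placeholder), the path of the include is the one from the original post, and `dlz_live_check` is only for running on a real host.

```shell
#!/bin/sh
# Added diagnostic for the Samba BIND9_DLZ setup discussed in the thread.
# Not part of Samba or BIND; all sample data below is constructed.

# Constructed sample of the "built with" options, in the thread's shape.
SAMPLE_BUILD_OPTS="'--with-dlopen=yes' '--with-dlz-stub=yes' '--with-gssapi=yes' '--disable-isc-spnego'"

# Constructed sample of a successful load (modelled on the "should look like"
# lines in the original post; the DN is a placeholder, not a real domain).
SAMPLE_LOG_LOADED="Registering DLZ driver 'dlopen'
Loading 'AD DNS Zone' using driver dlopen
samba_dlz: started for DN DC=example,DC=test
SDLZ driver loaded successfully.
DLZ driver loaded successfully."

# Constructed sample of the failing case: driver registered, never used.
SAMPLE_LOG_REGISTERED_ONLY="Registering DLZ_dlopen driver
Registering SDLZ driver 'dlopen'
Registering DLZ driver 'dlopen'"

# dlz_build_check OPTIONS_STRING
# Prints one finding per line. Returns 0 only when dlopen and GSSAPI are
# enabled and --disable-isc-spnego is absent (the flag one reply reports
# as breaking dynamic updates; the other reply limits that to Windows clients).
dlz_build_check() {
    opts="$1"
    rc=0
    case "$opts" in
        *--with-dlopen=yes*) echo "ok: --with-dlopen=yes (dlopen DLZ driver available)" ;;
        *) echo "missing: --with-dlopen=yes"; rc=1 ;;
    esac
    case "$opts" in
        *--with-gssapi=*) echo "ok: GSSAPI enabled (needed for GSS-TSIG signed updates)" ;;
        *) echo "missing: --with-gssapi"; rc=1 ;;
    esac
    case "$opts" in
        *--disable-isc-spnego*) echo "warning: --disable-isc-spnego present (reported in this thread to break updates)"; rc=1 ;;
        *) echo "ok: isc-spnego not disabled" ;;
    esac
    return $rc
}

# dlz_log_check LOG_TEXT
# Returns 0 when a zone was loaded through the dlopen driver, 1 when the
# driver only registered (named.conf never reached the Samba dlz stanza, or
# the stanza's files were unreadable), 2 when there is no trace of DLZ at all.
dlz_log_check() {
    log="$1"
    if printf '%s\n' "$log" | grep -q "DLZ driver loaded successfully"; then
        return 0
    elif printf '%s\n' "$log" | grep -q "Registering DLZ driver 'dlopen'"; then
        return 1
    else
        return 2
    fi
}

# dlz_include_check PATH
# Checks readability as the named user and prints the SELinux context, since
# "readable by named but cannot read" is the symptom the thread describes.
dlz_include_check() {
    f="$1"
    if su -s /bin/sh named -c "test -r '$f'" 2>/dev/null; then
        echo "ok: named can read $f"
    else
        echo "problem: named cannot read $f (check mode, owner and SELinux context)"
        ls -Z "$f" 2>/dev/null
        return 1
    fi
}

# dlz_live_check: run as root on the host; not executed when this file is loaded.
dlz_live_check() {
    dlz_build_check "$(named -V 2>/dev/null | sed -n '/built with/,$p' | tr '\n' ' ')"
    dlz_log_check "$(grep named /var/log/messages 2>/dev/null)"
    case $? in
        0) echo "ok: dlopen zone loaded" ;;
        1) echo "problem: dlopen driver registered but no zone loaded through it" ;;
        *) echo "problem: no DLZ lines in /var/log/messages" ;;
    esac
    dlz_include_check /var/lib/samba4/private/named.conf
}
```

Run `dlz_live_check` as root after restarting named; the exit code of `dlz_log_check` distinguishes "BIND was never told about the Samba zone" from "BIND does not have the driver at all", which is the distinction the second reply asks for when it calls a grep of the logs insufficient.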