Jason Bailey
2013-Jul-29 23:57 UTC
[Samba] Samba4 DNS (bind_dlz) management issue on CentOS
To whom it may concern,

Not long ago, I joined a Samba4 box as a DC to a single-DC Windows 2003 Active Directory domain to begin the process of learning Samba4. Unfortunately, before I was ready to make the total switch, my Windows 2003 server died, and the remnants of my domain were left with Samba4. While I have got my Samba4 running fairly smoothly (after forcing it to take on the FSMO roles), there are still a few snags, and DNS happens to be one of them.

Right now I'm running two CentOS 6.4 (x64) servers that are operating as Active Directory DCs. Both are utilizing Samba 4.0.7 (provided by SerNet) on Linux kernel 2.6.32. Both are running BIND 9.8.2 with the Samba DLZ plugin for DNS (and for the record, these servers do more than run Samba and require BIND for DNS).

I have two primary problems with DNS.

One, I can't manage any of my AD DNS zones from Windows using MMC, or from samba-tool. MMC either complains that the DNS server is unreachable, or that the Active Directory service is unavailable. The samba-tool utility returns the error code:

    ERROR(runtime): uncaught exception - (-1073741249, 'NT_STATUS_PORT_UNREACHABLE')

Two, while my reverse zone (for a 10.0.0.0/24 subnet) is being served out of the DLZ, my forward Active Directory "office" zone is not. Right now it is running as a master zone in BIND.

Employees can log in via AD without issue. Replication appears to be working correctly so far as I can tell.
------------------------------------------------------------------------------
Here's my smb.conf file:

# Global parameters
[global]
        workgroup = OFFICE
        realm = office.domain.com
        netbios name = CARBON
        netbios aliases = COBALT COBALT-DC FS1
        server role = active directory domain controller
        server services = +web -smb +s3fs -dns +dns_update +kdc +rpc +nbt +wrepl +drepl +ldap +cldap +ntp_signd +kcc
        dcerpc endpoint servers = +epmapper +wkssvc +rpcecho +samr +netlogon +lsarpc +spoolss +drsuapi +dssetup +unixinfo +browser +eventlog6 +backupkey -winreg -srvsvc -dnsserver -dns
        load printers = no
        log file = /var/log/samba/log.%m
        log level = 5
        encrypt passwords = yes
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config OFFICE:backend = ad
        idmap config OFFICE:schema_mode = rfc2307
        idmap config OFFICE:range = 10000-40000
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        vfs objects = acl_xattr recycle shadow_copy2
        acl_xattr:ignore system acls = no
        recycle:keeptree = True
        recycle:versions = False
        recycle:touch = False
        recycle:repository = .recycle
        recycle:exclude = *.tmp
        recycle:exclude_dir
        logon drive = U:
        logon script = \\CARBON\netlogon\NetDrives.vbs
        logon path = \\CARBON\data\users\%U

------------------------------------------------------------------------------
Here's my named.conf file:

# Loads Samba Active Directory zone
include "/var/lib/samba/private/named.conf";

# Global options
options {
        auth-nxdomain yes;
        directory "/var/named";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.0/8; 10.0.0.0/24; };
        allow-recursion { 127.0.0.0/8; 10.0.0.0/24; };
        allow-transfer { 10.0.0.0/24; 127.0.0.1; };
        forwarders { 66.111.113.7; 66.111.113.8; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        tkey-domain "OFFICE.DOMAIN.COM";
};

controls {
        inet 127.0.0.1 port 953 allow { 10.0.0.0/24; 127.0.0.1; } keys { "rndc-key"; };
};

key "rndc-key" {
        algorithm hmac-md5;
        secret << OMMITTED >>;
};

# Root servers (required zone for recursive queries)
zone "." {
        type hint;
        file "named.root";
};

# Required localhost forward-/reverse zones
zone "localhost" {
        type master;
        file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/0.0.127.zone";
};

#zone "0.0.10.in-addr.arpa" {
#       type master;
#       file "master/0.0.10.in-addr.arpa.zone";
#       update-policy {
#               grant *.COM wildcard *.0.0.10.in-addr.arpa. PTR;
#               grant OFFICE.DOMAIN.COM ms-self * A AAAA;
#       };
#};

zone "domain.com" {
        type master;
        file "master/domain.com.zone";
};

zone "office.domain.com" {
        type master;
        check-names ignore;     # Required for MS AD domain
        file "master/office.domain.com.zone";
        include "/var/lib/samba/private/named.conf.update";
};

------------------------------------------------------------------------------

The "office.domain.com" zone file came from the fact that I had a backup of the zone file, because one of my Samba servers was once a slave DNS server to the Windows 2003 server that I lost (it was running Samba3 before my move to Samba4).

The command samba_dnsupdate --all-names completes without error. There's nothing in the logs that jumps out at me. I can provide log data if I know what to look for.

All in all, I am having a hard time troubleshooting because the documentation that I can find for Samba4 seems to be a bit lacking at the present time. I might be able to troubleshoot this by process of elimination if I could find the information that I needed.

Any suggestions?

Thanks in advance!

-- 
Jason Bailey
Region IT/IS Manager
Gull Communications
jason.bailey at sunad.com
(435) 637-0732 x31
(435) 637-2716 Fax
* Emery County Progress * Richfield Reaper * Sun Advocate * Uintah Basin Standard * Vernal Express
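The following is an added example, not code from the post or from the Samba project. It parses the smb.conf and named.conf excerpts quoted in the post and reports the two configuration points a reader would check first for a DC that delegates DNS to BIND9_DLZ: whether Samba's "dnsserver" DCE/RPC endpoint (the DNS management service that samba-tool dns and the Windows DNS MMC snap-in connect to) is still enabled in "dcerpc endpoint servers", and whether the AD realm zone is also declared as a static BIND zone next to the DLZ include, which matches the symptom described above of the forward zone being answered from a zone file rather than from the DLZ. The config excerpts are copied from the post and trimmed to the lines the checks read; the findings text and the Samba list semantics (a "+a -b" list modifies the defaults, a bare list replaces them) are this example's own.

```python
"""Check a Samba AD DC's DNS-related settings for the BIND9_DLZ back end.

Added example: flags a disabled 'dnsserver' RPC endpoint in smb.conf and an
AD realm zone declared statically in named.conf alongside the DLZ include.
"""
import re

# Excerpts copied from the post (trimmed to the lines the checks look at).
SMB_CONF = """\
# Global parameters
[global]
        workgroup = OFFICE
        realm = office.domain.com
        server role = active directory domain controller
        server services = +web -smb +s3fs -dns +dns_update +kdc +rpc +nbt +wrepl +drepl +ldap +cldap +ntp_signd +kcc
        dcerpc endpoint servers = +epmapper +wkssvc +rpcecho +samr +netlogon +lsarpc +spoolss +drsuapi +dssetup +unixinfo +browser +eventlog6 +backupkey -winreg -srvsvc -dnsserver -dns
"""

NAMED_CONF = """\
include "/var/lib/samba/private/named.conf";
options { directory "/var/named"; };
zone "." { type hint; file "named.root"; };
zone "localhost" { type master; file "master/localhost.zone"; };
#zone "0.0.10.in-addr.arpa" { type master; file "master/0.0.10.in-addr.arpa.zone"; };
zone "domain.com" { type master; file "master/domain.com.zone"; };
zone "office.domain.com" {
        type master;
        check-names ignore;     # Required for MS AD domain
        file "master/office.domain.com.zone";
        include "/var/lib/samba/private/named.conf.update";
};
"""


def parse_smb_conf(text):
    """Return the [global] parameters of an smb.conf as a dict (keys lower-cased)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comments start with # or ;
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def parse_service_list(value):
    """Split a Samba '+a -b' list into (enabled, disabled, is_delta)."""
    tokens = value.split()
    is_delta = any(t[0] in "+-" for t in tokens)     # +/- entries modify the defaults
    enabled = {t.lstrip("+") for t in tokens if not t.startswith("-")}
    disabled = {t[1:] for t in tokens if t.startswith("-")}
    return enabled, disabled, is_delta


def service_enabled(params, key, name):
    """True if 'name' is active for parameter 'key'; an unset parameter keeps Samba's defaults,
    which include every name checked in this example."""
    if key not in params:
        return True
    enabled, disabled, is_delta = parse_service_list(params[key])
    if name in enabled:
        return True
    return is_delta and name not in disabled       # a bare list replaces the defaults


def check_dns_services(params):
    """Return the findings for a DC that delegates DNS to BIND9_DLZ."""
    findings = []
    if service_enabled(params, "server services", "dns"):
        findings.append("internal 'dns' service still enabled: with BIND9_DLZ it should be "
                        "removed from 'server services' so it does not compete with BIND for port 53")
    if not service_enabled(params, "dcerpc endpoint servers", "dnsserver"):
        findings.append("'dnsserver' DCE/RPC endpoint disabled: 'samba-tool dns' and the "
                        "DNS MMC snap-in have no management service to connect to")
    return findings


def static_zones(named_text):
    """Map zone name -> type for zones declared directly in named.conf (comments stripped)."""
    body = "\n".join(line.split("#", 1)[0] for line in named_text.splitlines())
    pattern = r'zone\s+"([^"]+)"\s*\{[^}]*?\btype\s+(\w+)\s*;'
    return {name.lower(): ztype for name, ztype in re.findall(pattern, body)}


def check_named_conf(named_text, realm):
    """Return the findings for the BIND side: DLZ include present, realm zone not shadowed."""
    findings = []
    body = "\n".join(line.split("#", 1)[0] for line in named_text.splitlines())
    has_dlz = re.search(r'include\s+"[^"]*/private/named\.conf"\s*;', body) is not None
    if not has_dlz:
        findings.append("Samba's DLZ named.conf is not included, so no AD zone is served from the DLZ")
    ztype = static_zones(named_text).get(realm.lower())
    if has_dlz and ztype:
        findings.append(f"zone '{realm}' is declared as a static '{ztype}' zone alongside the DLZ "
                        "include, so BIND answers for it from the zone file rather than the AD database")
    return findings


if __name__ == "__main__":
    cfg = parse_smb_conf(SMB_CONF)
    for finding in check_dns_services(cfg) + check_named_conf(NAMED_CONF, cfg["realm"]):
        print("-", finding)
```

Run against the post's own configuration the script reports exactly two findings: the "-dnsserver" entry in "dcerpc endpoint servers", and the static "office.domain.com" master zone sitting next to the DLZ include. Point it at a real /etc/samba/smb.conf and /etc/named.conf by replacing the two embedded strings with the file contents.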