L.P.H. van Belle
2013-Dec-19  14:16 UTC
[Samba] question about zone and tsig verify failure
Hai

I'm running: debian wheezy, sernet samba 4.1.3, DC, in windows 2008 AD domain.

I'm reading the wiki and I stumbled on this.
https://wiki.samba.org/index.php/Dns-backend_bind

semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl

The strange thing is, and this is also my question,
should there be the zone files if you are using bind9?
Since I'm not seeing these. The server (samba 4.1.3) has joined a windows domain as DC, no problems,
only the samba_dnsupdate --verbose --all-name gives: ; TSIG error with server: tsig verify failure

All other tests are ok as far as I can see.
I tested bind9 (debian wheezy stable) 9.8.4
and I backported bind from sid,
BIND 9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4
Both do not create these zone files.

dlopen is loaded:
Dec 19 14:50:58 ws005-s4dc-001 named[301]: generating session key for dynamic DNS
Dec 19 14:50:58 ws005-s4dc-001 named[301]: sizing zone task pool based on 5 zones
Dec 19 14:50:58 ws005-s4dc-001 named[301]: Loading 'AD DNS Zone' using driver dlopen

When I run: samba_upgradedns --dns-backend=BIND9_DLZ it looks ok but no zone file.
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/subdomain.domain.tld.zone
DNS records will be automatically created
DNS partitions already exist
dns-WS005-S4DC-001 account already exists
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

I also noticed that the output of these 2 is different.
ls -lai /var/lib/samba/private/sam.ldb.d/
ls -lai /var/lib/samba/private/dns/sam.ldb.d/

After restarting bind, I noticed that
samba_upgradedns --dns-backend=BIND9_DLZ
didn't see my bind9 upgrade, and bind is not starting anymore; manually fixing
/var/lib/samba/private/named.conf, changing bind9.8 to 9.9 dlopen, fixed it.
Bug? Shouldn't samba follow the installed bind version?

After reading a lot about the tsig message, I've read there is a fix,
is the fix already applied, or do I have another problem?

Best regards,

Louis
On 19/12/13 14:16, L.P.H. van Belle wrote:
> [...]
> Should there be the zone files, if you using bind9.
> Since im not seeing these. the server ( samba 4.1.3) has joined a windows domain as DC, no problems,
> [...]

Hi Louis, I am running Samba 4.1.0 with Bind 9.9.4 (both self compiled) and DHCP, everything works ok for me and I also do not have the two zone files. I think that you only get them if you are running an earlier version of Bind with flat files.

Rowland
L.P.H. van Belle
2013-Dec-19  14:51 UTC
[Samba] question about zone and tsig verify failure
Ok thank you for that info. I just got my new xen server and I'm testing a bit around.

Other question: when you run samba_dnsupdate --verbose --all-name, do you have any errors?

Greetz,

Louis

>-----Original message-----
>From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
>Sent: Thursday 19 December 2013 15:30
>To: L.P.H. van Belle; samba at lists.samba.org
>Subject: Re: [Samba] question about zone and tsig verify failure
>
>[...]
On 19.12.2013 15:16, L.P.H. van Belle wrote:
> [...]
> only the samba_dnsupdate --verbose --all-name give ; TSIG error with server: tsig verify failure
> [...]

Hi Louis,

some clarifications:

the samba AD DC can use two different dns servers
 - internal DNS (default)
 - ISC Bind DNS
   - using flat ASCII zone files (special setup, not tested too much these days) (*)
   - using the samba DLZ dynamic libraries
     - dlz_bind9.so (for bind versions 9.8.x)
     - dlz_bind9_9.so (for bind versions 9.9.x)
     atm the bind version must be manually selected/edited in ./samba/private/named.conf

(*) Note - the ISC bind flat ASCII zone files are only used in this configuration!
All other dns setups use ADS to store the zone infos.

To see whether samba is using the internal DNS or ISC bind:
  samba-tool testparm -v --suppress-prompt | grep "server services"
When "dns" is listed, the internal server is used. Btw - dnsupdate is used in both cases.
Remove "dns" for the DLZ driver. (smb.conf)
The [global] smb.conf option
  dns forwarder = .....
is also only used with the internal DNS server, bind uses its /etc/named.conf for that.

In case you want to use the DLZ driver, check the following 3 files

164962 -rw-rw---- 2 root named 4251648 Dec 19 14:44 DC=DOMAINDNSZONES,DC=ADDLZ,DC=KUKKUKK,DC=COM.ldb
164963 -rw-rw---- 2 root named 4251648 Dec 8 20:56 DC=FORESTDNSZONES,DC=ADDLZ,DC=KUKKUKK,DC=COM.ldb
164947 -rw-rw---- 2 root named 421888 Dec 19 14:44 metadata.tdb

with both
  ls -lai /usr/local/samba/private/dns/sam.ldb.d/   (path might be different)
  ls -lai /usr/local/samba/private/sam.ldb.d/       (path might be different)
to use the _same_ inodes.

Also note that some distros run ISC bind as user "bind", others use "named". This user/group
must have access to some already discussed samba files/paths ....

I often use the following 2 root consoles for testing:
1.) named -g -u bind -d3   (Note that "-u bind" must be replaced with "-u named" on some distros)
2.) samba -i -M single -d3
Both programs should now run and send their debug 3 output to their consoles.
When you see lines like
  Not authoritative for 'wiki.samba.org', forwarding
in the samba log, the internal DNS is active.

That output
  ; TSIG error with server: tsig verify failure
is usually only seen when the internal DNS server is running.
It's a glitch, which can be ignored atm (all dyn. updates are done OK).

Cheers, Günter
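The two checks from Günter's reply (the DNS partition files in both sam.ldb.d directories sharing inodes, and whether the bare token "dns" is in "server services") as one script. This is an added example, not code from the thread or from Samba: SAMBA_PRIVATE defaults to the /var/lib/samba/private layout from Louis's mail, the names same_inodes and internal_dns_enabled are the script's own, and it looks for the .ldb partition files and metadata.tdb shown in Günter's listing.

```shell
#!/bin/sh
# Added example (not from the thread): checks the two things Günter's reply
# says to verify on a BIND9_DLZ DC. Paths follow Louis's Debian/SerNet layout;
# set SAMBA_PRIVATE=/usr/local/samba/private for a self-compiled Samba.
SAMBA_PRIVATE=${SAMBA_PRIVATE:-/var/lib/samba/private}

# same_inodes DIR_A DIR_B
# The DNS partition .ldb files and metadata.tdb in DIR_A must be hard links of
# those in DIR_B (same inode); otherwise named and samba work on different
# copies of the zone data. Prints one line per file; returns 0 only if all match.
same_inodes() {
    a=$1; b=$2; rc=0
    for f in "$a"/*.ldb "$a"/metadata.tdb; do
        if [ ! -e "$f" ]; then continue; fi
        name=$(basename "$f")
        if [ ! -e "$b/$name" ]; then
            echo "MISSING   $name (not in $b)"; rc=1; continue
        fi
        ia=$(ls -i "$f" | awk '{print $1}')
        ib=$(ls -i "$b/$name" | awk '{print $1}')
        owner=$(ls -l "$b/$name" | awk '{print $3 ":" $4}')  # bind/named user needs access
        if [ "$ia" = "$ib" ]; then
            echo "OK        $name inode $ia owner $owner"
        else
            echo "MISMATCH  $name inode $ia vs $ib owner $owner"; rc=1
        fi
    done
    return $rc
}

# internal_dns_enabled "server services = ..."
# Returns 0 if the bare token "dns" is listed, i.e. the internal DNS server is
# active. A plain grep for dns would also match "dnsupdate", which Günter notes
# is present in both setups, so tokens are compared exactly.
internal_dns_enabled() {
    for tok in $(printf '%s' "${1#*=}" | tr ',' ' '); do
        if [ "$tok" = "dns" ]; then return 0; fi
    done
    return 1
}

# Only touch the live system when a Samba private dir with a DLZ copy exists.
if [ -d "$SAMBA_PRIVATE/dns/sam.ldb.d" ]; then
    same_inodes "$SAMBA_PRIVATE/sam.ldb.d" "$SAMBA_PRIVATE/dns/sam.ldb.d"
    if command -v samba-tool >/dev/null 2>&1; then
        svc=$(samba-tool testparm -v --suppress-prompt 2>/dev/null | grep "server services")
        if internal_dns_enabled "$svc"; then
            echo "internal DNS is active: drop 'dns' from 'server services' for the DLZ driver"
        else
            echo "internal DNS is off: named with the DLZ driver should be serving the AD zones"
        fi
    fi
fi
```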
L.P.H. van Belle
2013-Dec-20  08:36 UTC
[Samba] question about zone and tsig verify failure
Hello Günter,

Thank you very much for this explanation. This makes sense.
Too bad for me, I just removed my server for a new install.. :-/
But good to know the TSIG error is only a glitch, maybe something for the wiki?
Btw.. this explanation is also good for the wiki.

Louis

>-----Original message-----
>From: Günter Kukkukk [mailto:linux at kukkukk.com]
>Sent: Thursday 19 December 2013 21:29
>To: L.P.H. van Belle; samba at lists.samba.org
>Subject: Re: [Samba] question about zone and tsig verify failure
>
>[...]