On 05.02.2014 02:18, David Kirk wrote:
> Hi,
>
>
> Ok. I'm stumped, so I'm finally going to ask for help.
>
> I'm testing a brand new setup of Samba4 as an AD DC with Bind9 for DNS.
> The problem I'm having is when I create a new A record using the Windows
> DNS tools. I tick the box to create a corresponding PTR record, but it
> never does.
>
> I've created the reverse zone. I've tried using the Windows DNS tools to
> create it, and I've also tried samba-tool to create it. Either way, it
> gets created, but no records go in there when I create my A records.
>
> What I want to end up with is a system where servers have static IP
> addresses. I manually add an A record for them and the PTR should be
> created automatically. Clients should get their IP address from DHCP and
> an A record and PTR record should automatically get created.
>
> I'm installing on Centos 6.5 with Samba Version 4.1.4-SerNet-RedHat-7.el6.
> Bind is bind-9.8.2-0.17.rc1.el6.6.x86_64.
>
> I've had 3 attempts to get this working. The first one, I installed samba
> from git. Bind was from Centos. For attempt 2 I did the same, but found
> some instructions to install Bind from SRPM and update the spec file to use
> the gssapi and dlopen options. Then I compiled and installed. The final
> attempt was using the sernet package listed above and the Bind RPM from the
> previous server instance.
>
> I've followed the instructions on the Samba wiki very carefully. The only
> thing I haven't tried yet is to build Bind from source from isc.org.
>
> Does anyone else have this working? Is it achievable?
>
>
> Thanks
>
> David
>
Hi David,

I'm atm analyzing the problems; my view is mostly at the bind DLZ module,
but I also do similar tests against the internal DNS server.

There are (at least) 2 ways to modify DNS entries with the usual Windows
and Samba (plus ISC) tools:

1.) Using normal dyn. DNS updates, e.g.
    - windows: ipconfig /registerdns
    - linux: nsupdate -g ...

2.) Using RPC calls:
    - windows: DNS GUI applet, DNSCMD (?) must check this
    - linux: samba-tool

Obviously both methods use completely different (wire) transfer
methods (protocols) and code paths.
My test environment is atm (neither samba nor bind is running already):
    - start samba inside a root console as: samba -i -M single -d3 (or higher level)
    - start ISC bind inside a 2nd root console as: named -g -u named -d1 (or higher level)

Note that "-u named" specifies the name of the running DNS daemon.
Some distros use "named", others use "bind". This must be checked when
the "normal" daemon has been started as a test.

Note also that the usual init/systemd bind DNS daemon possibly must have
been started once after boot to create the needed subdirs on nonpermanent
file systems like /var/run/ (distro dependent).

So carefully watch _all_ bind startup messages!
To get more debug info from the DLZ module itself, modify
/usr/local/samba/private/named.conf (or wherever this info is stored):

    dlz "AD DNS Zone" {
        # For BIND 9.8.0
        #database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
        # For BIND 9.9.0
        database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so -d6";     <<<=== debug level !!!
    };
Now when you use any client DNS tools - and have both consoles side by side -
you can watch how both daemons react to each command.

In addition, there are smb.conf options to selectively set debug levels for
different actions...
My test setup is:
    - VM host: running samba AD DC with internal DNS (opensuse 12.3)
    - VM guest: running samba AD DC with DLZ module (opensuse 13.1)
    - VM guest: windows server 2008r2
    - VM guest: windows server 2012r2 (was not able to join it, some "exchange ldif" problem)
    - VM guest: windows 7
    - VM guest: windows 8.1

All these have been joined to the same domain.
Atm I also see the same as you. When using the MS DNS GUI to add a new host and
set the checkmark to also create the reverse PTR entry - the reverse entry is
not created.

In addition, atm the windows 8.1 box _can_ use "IPCONFIG /registerdns"
successfully here; when doing the same with windows 7, the DLZ module shows
"denied" for _signed_ updates...

Don't get confused with some denied msgs from the DLZ module. Even when you
configure the Windows clients to _only_ use signed dyn. DNS updates - they try
unsigned first. O_o

I must admit that this testing environment is also new to me (bought new
hardware to be able to run many VMs side by side) - but I get more familiar
with it every new day :-)

I'll post all my findings on the mailing list.
Also this samba output should be explained further:

    Calling samba_kcc script
    /usr/local/samba/sbin/samba_kcc: 'DirectoryServiceAgent' object has no attribute 'create_connection'
    Child /usr/local/samba/sbin/samba_kcc exited with status 1 - Operation not permitted
    ../source4/dsdb/kcc/kcc_periodic.c:646: Failed samba_kcc - NT_STATUS_ACCESS_DENIED

Cheers, Günter
--
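Added example, not part of the thread above and not Samba or ISC code: a small POSIX sh helper that drives method 1 from the reply (normal dynamic DNS updates via "nsupdate -g", i.e. GSS-TSIG signed) and creates the A record and the matching PTR record together, which is exactly what the Windows DNS GUI checkbox is failing to do here. The forward and reverse records live in different zones, so the batch sends two separate update messages. The server name dc1.example.com, the host name host1.example.com and the address 192.168.1.10 are constructed sample values; a valid Kerberos ticket (kinit) for an account allowed to update both zones is assumed when the batch is actually sent.

```shell
#!/bin/sh
# Example helper (assumed names, not from the mailing-list thread):
# generate and send an nsupdate batch that adds an A record plus its PTR.

# reverse_name IPV4 -> in-addr.arpa owner name, e.g.
# reverse_name 192.168.1.10 -> 10.1.168.192.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        printf '%s.%s.%s.%s.in-addr.arpa.\n' "$d" "$c" "$b" "$a"
    }
}

# dns_update_script SERVER FQDN IPV4 [TTL] -> nsupdate batch on stdout.
# Each zone gets its own "send": an UPDATE message covers one zone only,
# so the forward and the reverse zone are updated in two messages.
dns_update_script() {
    server=$1 fqdn=$2 ip=$3 ttl=${4:-3600}
    # nsupdate wants absolute owner names; add the trailing dot if missing
    case $fqdn in *.) ;; *) fqdn="$fqdn." ;; esac
    ptr=$(reverse_name "$ip")

    printf 'server %s\n' "$server"
    # forward zone: replace any old A record for this name, then add the new one
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
    # reverse zone: same for the PTR record
    printf 'update delete %s PTR\n' "$ptr"
    printf 'update add %s %s PTR %s\n' "$ptr" "$ttl" "$fqdn"
    printf 'send\n'
}

# apply_update SERVER FQDN IPV4 [TTL]: pipe the batch into nsupdate with
# GSS-TSIG signing (-g). Watch the samba/named consoles from the reply while
# this runs to see which message the DLZ module accepts or denies.
apply_update() {
    dns_update_script "$@" | nsupdate -g
}

# Verification after a real run (constructed names):
#   dig +short A host1.example.com. @dc1.example.com
#   dig +short -x 192.168.1.10 @dc1.example.com
```

Run `dns_update_script dc1.example.com host1.example.com 192.168.1.10` to see the batch without sending anything; `apply_update` with the same arguments sends it. If the forward record appears but the PTR does not, the reverse zone either does not exist on the DC or the updating account is not allowed to write to it, which the "denied" lines in the DLZ debug output will show.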