samba - May 2014 - CentOS 6, BIND_DLZ and kinit errors (Cannot contact any KDC for requested realm)

It seems like the BIND 9.8 that ships with CentOS 6.x (and probably RHEL
6.x) is not built with --with-dlopen option.

Platform: CentOS 6.5
BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1

Error seen:

RuntimeError: kinit for HOSTNAME$EXAMPLE.COM failed (Cannot contact any
KDC for requested realm)

Background:

Trying to setup Samba 4 using an existing install of BIND 9.8 as the DNS
backend.  However, even though the configuration files are correct, I'm
still stuck at the "kinit" errors.

Looking at the output from starting 'named' in debug mode:

named -g -c /etc/bind/named.conf -u named -d3
03-May-2014 10:33:42.456 starting BIND
9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 -g -c /etc/bind/named.conf -u
named -d3
03-May-2014 10:33:42.456 built with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--with-libtool'
'--localstatedir=/var' '--enable-threads'
'--enable-ipv6' '--with-pic'
'--disable-static' '--disable-openssl-version-check'
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
'--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-gssapi=yes'
'--disable-isc-spnego'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=
-DDIG_SIGCHASE'

There is no mention of --with-dlopen=yes in there.  That is even though
the bind-9.8.2/README file states that as of 9.8.1, dlopen is built by
default.

...

Am I on the right track here that the base install of BIND on CentOS 6.x
does not include --with-dlopen=yes, even as of the 9.8.2 build?

On Sat, 2014-05-03 at 10:48 -0400, Thomas Harold wrote:
> It seems like the BIND 9.8 that ships with CentOS 6.x (and probably RHEL
> 6.x) is not built with --with-dlopen option.
> 
> Platform: CentOS 6.5
> BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
> 
> Error seen:
> 
> RuntimeError: kinit for HOSTNAME$EXAMPLE.COM failed (Cannot contact any
> KDC for requested realm)
Hi
What do you have for krb5.conf?

On 03/05/14 15:48, Thomas Harold wrote:
> It seems like the BIND 9.8 that ships with CentOS 6.x (and probably RHEL
> 6.x) is not built with --with-dlopen option.
>
> Platform: CentOS 6.5
> BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
>
> Error seen:
>
> RuntimeError: kinit for HOSTNAME$EXAMPLE.COM failed (Cannot contact any
> KDC for requested realm)
>
> Background:
>
> Trying to setup Samba 4 using an existing install of BIND 9.8 as the DNS
> backend.  However, even though the configuration files are correct, I'm
> still stuck at the "kinit" errors.
>
> Looking at the output from starting 'named' in debug mode:
>
> named -g -c /etc/bind/named.conf -u named -d3
> 03-May-2014 10:33:42.456 starting BIND
> 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 -g -c /etc/bind/named.conf -u
> named -d3
> 03-May-2014 10:33:42.456 built with
'--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux-gnu'
> '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc'
> '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--with-libtool'
> '--localstatedir=/var' '--enable-threads'
'--enable-ipv6' '--with-pic'
> '--disable-static' '--disable-openssl-version-check'
> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
'--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-gssapi=yes'
'--disable-isc-spnego'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-fixed-rrset'
'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu'
> 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe
-Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS=
-DDIG_SIGCHASE'
>
> There is no mention of --with-dlopen=yes in there.  That is even though
> the bind-9.8.2/README file states that as of 9.8.1, dlopen is built by
> default.
>
> ...
>
> Am I on the right track here that the base install of BIND on CentOS 6.x
> does not include --with-dlopen=yes, even as of the 9.8.2 build?
Hi, you should get something like this in syslog when named starts:

May  3 16:23:17 dc1 named[15789]: Loading 'AD DNS Zone' using driver
dlopen
May  3 16:23:18 dc1 named[15789]: samba_dlz: started for DN 
DC=example,DC=com
May  3 16:23:18 dc1 named[15789]: samba_dlz: starting configure
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone 
'0.168.192.in-addr.arpa'
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone 
'example.com'
May  3 16:23:18 dc1 named[15789]: samba_dlz: configured writeable zone 
'_msdcs.example.com'

If you haven't got the above, then yes, bind is probably not built with 
dlopen.

Rowland

On Sat, 3 May 2014, Thomas Harold wrote:
> It seems like the BIND 9.8 that ships with CentOS 6.x (and probably RHEL
> 6.x) is not built with --with-dlopen option.
You need to install the bind-sdb package.  This one is built with DLZ support.