Here you go:

root@dc01:~# cat /etc/bind/named.conf.options
// Defined ACL Begin
acl thisserverip {
    192.168.16.54;
};
acl all-networks {
    192.168.16.0/24;
};
// Defined ACL End

options {
    directory "/var/cache/bind";
    version "0.0.7";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        208.67.222.222; 208.67.220.220;
    };

    //=======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //=======================================================================
    dnssec-validation auto;

    auth-nxdomain yes; # conform to RFC1035 =no
    listen-on-v6 { none; };
    listen-on port 53 { "thisserverip"; 127.0.0.1; };
    notify no;
    empty-zones-enable no;

    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { "all-networks"; 127.0.0.1/32; };
    // Add any subnets or hosts you want to allow to use recursive queries
    allow-recursion { "all-networks"; 127.0.0.1/32; };

    // https://wiki.samba.org/index.php/Dns-backend_bind
    // DNS dynamic updates via Kerberos (optional, but recommended)
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

};

---
-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-19 14:16, Rowland Penny wrote:

> On 19/01/15 20:14, Bob of Donelson Trophy wrote:
>
>> My DC was installed with one of Louis' scripts. So, yes, bind9 was setup and working.
>
> OK, so what is in /etc/bind/named.conf.options ?
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com

On 19/01/15 20:30, Bob of Donelson Trophy wrote:
> Here you go:
>
> root@dc01:~# cat /etc/bind/named.conf.options

OK, I had another look at what you posted earlier:

root@dc01:~# cat /etc/resolv.conf
search dtshrm.local
domain dtshrm.local
nameserver 192.168.16.54

Firstly, remove the domain line, it is not required and in fact is ignored.

Secondly, you have this in smb.conf:

'realm = DTSHRM.LAN'

Which is it, 'local' or 'lan'?

Also, is there a connection from the gateway to the internet?

Rowland

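The comparison made in the reply above, as an added example that is not part of the original thread: a shell check that the DNS search domain in resolv.conf matches the Samba realm in smb.conf. The function names are hypothetical, and the sample files are constructed from the values quoted in the thread (the `[global]` header and `workgroup` line are assumptions).

```shell
#!/bin/sh
# Added example: compare the resolver's search domain with the Samba realm.
# File paths are arguments, so the check can be run against copies.

# Print the effective search domain, lower-cased. Per resolv.conf(5), when
# both "search" and "domain" appear, the last instance wins.
resolv_search_domain() {
    awk '($1 == "search" || $1 == "domain") && NF >= 2 { d = tolower($2) }
         END { if (d != "") print d }' "$1"
}

# Print the realm from smb.conf, lower-cased (parameter names are
# case-insensitive in smb.conf).
smb_realm() {
    awk -F= 'tolower($1) ~ /^[ \t]*realm[ \t]*$/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
                 print tolower(v); exit }' "$1"
}

# Exit status: 0 = match, 1 = mismatch, 2 = a value could not be found.
check_realm_dns() {
    dom=$(resolv_search_domain "$1")
    realm=$(smb_realm "$2")
    if [ -z "$dom" ] || [ -z "$realm" ]; then
        echo "UNKNOWN: search domain or realm not found"; return 2
    fi
    if [ "$dom" = "$realm" ]; then
        echo "OK: search domain and realm are both $dom"; return 0
    fi
    echo "MISMATCH: resolv.conf uses $dom, smb.conf realm is $realm"
    return 1
}

# Constructed sample files using the values quoted in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/resolv.conf" <<'EOF'
search dtshrm.local
domain dtshrm.local
nameserver 192.168.16.54
EOF
cat > "$tmp/smb.conf" <<'EOF'
[global]
    workgroup = DTSHRM
    realm = DTSHRM.LAN
EOF

check_realm_dns "$tmp/resolv.conf" "$tmp/smb.conf" || echo "exit status $?"
```

On a DC the same function can be pointed at the live files, for example `check_realm_dns /etc/resolv.conf /etc/samba/smb.conf`, where the smb.conf path is an assumption that depends on how Samba was installed.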
That was it! (Ugh, palm slap to forehead!!)

Thanks, Rowland.

---
-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com

"Everyone deserves an award!!"

On 2015-01-19 14:46, Rowland Penny wrote:

> OK, I had another look at what you posted earlier:
>
> root@dc01:~# cat /etc/resolv.conf
> search dtshrm.local
> domain dtshrm.local
> nameserver 192.168.16.54
>
> firstly, remove the domain line, it is not required and in fact is ignored.
>
> secondly, you have this in smb.conf:
>
> 'realm = DTSHRM.LAN'
>
> which is it, 'local' or 'lan' ?
>
> Also, is there connection from the gateway to the internet ?
>
> Rowland