On 11/04/15 18:54, Timo Altun wrote:
> Good evening,
>
> unfortunately one problem emerged during the change from my testing
> environment to a small portion of the live environment.
> The automatic dns updates of the windows clients do not seem to work
> in the live environment. I changed the AD DC IP from another subnet to
> 192.168.111.90, without reprovisioning. Everything else seems to work
> fine though (e.g. domain joins, shares and DNS forwarding, looking up
> manually added entries). I could also add entries manually with
> samba-tool dns add, but keeping in mind that it worked in the other
> subnet I would like to avoid that.
> My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
> As I don't receive any real error messages (looked in syslog,
> messages, /var/log/samba/log.smbd) I don't have a clue where the
> problem is. Maybe somebody has an idea?!
>
> The startup seems fine in the log:
> Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f -u bind
> Apr 11 18:53:42 server06 named[4141]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
> Apr 11 18:53:42 server06 named[4141]: ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet Systems Consortium,
> Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
> Apr 11 18:53:42 server06 named[4141]: corporation. Support and training for BIND 9 are
> Apr 11 18:53:42 server06 named[4141]: available at https://www.isc.org/support
> Apr 11 18:53:42 server06 named[4141]: ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files from 4096 to 1048576
> Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker threads
> Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per interface
> Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
> Apr 11 18:53:42 server06 named[4141]: loading configuration from '/etc/bind/named.conf'
> Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys from file '/etc/bind/bind.keys'
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo, 127.0.0.1#53
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface eth0, 192.168.111.90#53
> Apr 11 18:53:42 server06 named[4141]: generating session key for dynamic DNS
> Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5 zones
> Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone' using driver dlopen
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN DC=intranet,DC=mayweg,DC=net
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '111.168.192.in-addr.arpa'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone 'intranet.mayweg.net'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '_msdcs.intranet.mayweg.net'
> Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for view _default, file 'managed-keys.bind'
> [...]
> Apr 11 18:53:42 server06 named[4141]: command channel listening on 127.0.0.1#953
> Apr 11 18:53:42 server06 named[4141]: command channel listening on ::1#953
> Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial 3
> Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded serial 1
> Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded serial 1
> Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial 2
> Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded serial 1
> Apr 11 18:53:42 server06 named[4141]: all zones loaded
> Apr 11 18:53:42 server06 named[4141]: running
>
> The only thing I find a bit strange is "command channel listening on
> ::1#953" instead of the actual IPv4 address.
> My smb.conf on the AD DC can be found in the e-mail before. Here is
> the rest:
>
> *krb5.conf:*
> [libdefaults]
>     default_realm = INTRANET.MAYWEG.NET
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> *named.conf:*
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> *named.conf.default-zones:*
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> *named.conf.options:*
> options {
>     directory "/var/cache/bind";
>
>     forwarders {
>         192.168.111.79;
>     };
>
>     dnssec-validation no;
>
>     auth-nxdomain no;    # conform to RFC1035
>     listen-on { any; };
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> *named.conf.local:*
> //empty
>
> */var/lib/samba/private/named.conf:*
> dlz "AD DNS Zone" {
>     # For BIND 9.9.x
>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> };
>
> I also checked the permissions on /etc/krb5.keytab and
> /var/lib/samba/private/dns.keytab. Both should be accessible by bind
> and samba.
>
> Greetings,
> Timo

Your files are the same as mine and mine works (mind you I use dhcp
running on the first DC). If something does go wrong it shows errors in
syslog. I take it that the clients are set up to do their own updates.

The '953' number you are worrying about is the command channel listening
on the ipv6 localhost address.

I am not entirely sure you can use the DNS server on an AD DC for more
than one domain, it usually just updates the one forward zone. I am still
not happy with the workgroup with a dot in it.

Rowland
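Rowland's remark that a failing update leaves traces in syslog can be turned into a quick triage. The script below is an added example, not code from the thread or from Samba; it scans named's syslog lines for the two kinds of message that matter here: BIND's own "client a.b.c.d#port: ..." lines, which say whether an update arrived and was applied, denied, or failed its GSS-TSIG signature check, and the samba_dlz "allowing/disallowing update of signer=..." lines, which say what the Samba DLZ module decided for a given machine account. A client that never appears at all is reported as "no-attempt", which is the case Timo describes and points at the client side rather than the DC. The sample log lines are constructed; their wording follows what BIND and dlz_bind9 emit, but treat the exact formats as an assumption and adjust the regular expressions to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, not taken from the thread. The wording
# follows the messages BIND and Samba's dlz_bind9 module log for dynamic
# updates, but the exact formats are an assumption here: adapt the patterns
# to what your own named actually writes.
SAMPLE_SYSLOG = """\
Apr 11 19:02:10 server06 named[4141]: client 192.168.111.23#54021: updating zone 'intranet.mayweg.net/IN': adding an RR at 'pc01.intranet.mayweg.net' A
Apr 11 19:02:10 server06 named[4141]: samba_dlz: allowing update of signer=PC01$@INTRANET.MAYWEG.NET name=pc01.intranet.mayweg.net tcpaddr=192.168.111.23 type=A key=EXAMPLEKEY
Apr 11 19:03:41 server06 named[4141]: client 192.168.111.31#49877: update 'intranet.mayweg.net/IN' denied
Apr 11 19:05:02 server06 named[4141]: samba_dlz: disallowing update of signer=PC07$@INTRANET.MAYWEG.NET name=pc07.intranet.mayweg.net type=A error=insufficient access rights
Apr 11 19:06:15 server06 named[4141]: client 192.168.111.40#50112: request has invalid signature: TSIG EXAMPLEKEY: tsig verify failure (BADKEY)
"""

CLIENT_RE = re.compile(r"client (?P<ip>\d+(?:\.\d+){3})#\d+: (?P<msg>.*)$")
DLZ_RE = re.compile(
    r"samba_dlz: (?P<verdict>allowing|disallowing) update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+)"
    r"(?: tcpaddr=\S+)? type=\S+(?: key=\S+)?(?: error=(?P<error>.*))?$"
)


def classify_client_message(msg):
    """Label one BIND 'client a.b.c.d#port: ...' message."""
    if msg.endswith("denied"):
        return "denied"        # update refused by zone policy or the DLZ module
    if "tsig verify failure" in msg or "invalid signature" in msg:
        return "tsig-failure"  # GSS-TSIG signature on the update did not verify
    if msg.startswith("updating zone"):
        return "update"        # BIND accepted the update and is applying it
    return None                # ordinary query traffic, ignore


def client_outcomes(log_text, expected_clients=()):
    """Outcomes per client IP. Clients listed in expected_clients that never
    appear at all are reported as 'no-attempt': the DC saw nothing from them,
    so the fault is on the client side (or on the path to the DC), not in the
    DLZ access check."""
    outcomes = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            label = classify_client_message(m.group("msg"))
            if label:
                outcomes[m.group("ip")].add(label)
    for ip in expected_clients:
        if ip not in outcomes:
            outcomes[ip] = {"no-attempt"}
    return dict(outcomes)


def dlz_verdicts(log_text):
    """Per Kerberos signer (the machine account that signed the update):
    whether samba_dlz allowed it, for which name, and the reason if not."""
    verdicts = {}
    for line in log_text.splitlines():
        m = DLZ_RE.search(line)
        if m:
            verdicts[m.group("signer")] = (m.group("verdict"), m.group("name"), m.group("error"))
    return verdicts


if __name__ == "__main__":
    # 192.168.111.50 is a constructed client that never contacted the DC.
    known_clients = ["192.168.111.23", "192.168.111.31", "192.168.111.40", "192.168.111.50"]
    for ip, labels in sorted(client_outcomes(SAMPLE_SYSLOG, known_clients).items()):
        print(ip, ", ".join(sorted(labels)))
    for signer, (verdict, name, error) in dlz_verdicts(SAMPLE_SYSLOG).items():
        print(signer, verdict, name, error or "")
```

Run it against a real syslog by replacing SAMPLE_SYSLOG with the file contents and expected_clients with the addresses of the machines that should be registering. The useful split is between "denied"/"disallowing" (the DC received a signed update and refused it, so look at zone permissions and the keytab BIND reads via tkey-gssapi-keytab), "tsig-failure" (the Kerberos side of the update is broken) and "no-attempt" (nothing reached the DC, so look at the client's DNS settings and the path to 192.168.111.90).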
Hi and thank you for the answers!

How do I setup the clients to do their own updates? I do not recall
doing anything on the windows client side to setup the automatic dns
updates.

The linux wheezy clients with samba 3.6.6 actually never managed to
automatically update dns during domain join, not even in the test
environment. I settled for manually adding those to the dns, as they're
just a handful.

One of my priorities during domain provision (during classicupgrade in
fact), was to not have to manually join the windows clients to the new
domain. This works with this configuration. The old NT-4 Domain also had
that dot in MAYWEG.NET. This is also what I was referring to when I said,
the windows clients do not "notice" the change. I knew that there's no
"automatic" going back to the old NT-4 domain, once they've seen the new
AD DC (Rowland enlightened me a couple of days ago).

Is there maybe a deeper logging level I can turn on somewhere? Or is
there a log on the windows client side?

Greetings,
Timo

On 11 April 2015 at 20:29, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 11/04/15 18:54, Timo Altun wrote:
>
>> [...]
>
> Your files are the same as mine and mine works (mind you I use dhcp
> running on the first DC), If something does go wrong It shows errors in
> syslog. I take it that the clients are set up to do their own updates.
>
> The '953' number you are worrying about is the command channel listening
> on the ipv6 localhost address.
>
> I am not entirely sure you can use the DNS server on an AD DC for more
> than one domain, it usually just updates the one forward zone. I am still
> not happy with the workgroup with a dot in it.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 11/04/15 20:38, Timo Altun wrote:
> Hi and thank you for the answers!
>
> How do I setup the clients to do their own updates? I do not recall
> doing anything on the windows client side to setup the automatic dns
> updates.

You can turn off the windows clients' ability to update their own dns
records; if you don't know about it then it is doubtful this is your
problem.

> The linux wheezy clients with samba 3.6.6 actually never managed to
> automatically update dns during domain join, not even in the test
> environment. I settled for manually adding those to the dns, as
> they're just a handful.

This is one of the reasons why I run bind9 and a dhcp server on the AD
DC, the AD DC already has the clients' dns records before the join.

> One of my priorities during domain provision (during classicupgrade in
> fact), was to not have to manually join the windows clients to the new
> domain. This works with this configuration. The old NT-4 Domain also
> had that dot in MAYWEG.NET. This is also what I was referring to when
> I said, the windows clients do not "notice" the change. I knew that
> there's no "automatic" going back to the old NT-4 domain, once they've
> seen the new AD DC (Rowland enlightened me a couple of days ago).

Have a look here: https://support.microsoft.com/en-us/kb/909264

especially under the heading 'Domain names':

Names can contain a period (.). However, the name cannot start with a
period. The use of non-DNS names with periods is allowed in Microsoft
Windows NT. However, periods should not be used in Active Directory
domains. If you are upgrading a domain whose NetBIOS name contains a
period, change the name by migrating the domain to a new domain
structure. Do not use periods in new NetBIOS domain names.

> Is there maybe a deeper logging level I can turn on somewhere? Or is
> there a log on the windows client side?

You could have a look in the event log on a client that isn't updating
its records. Is there anything in any of the samba logs?

Have you looked at this wiki page:
https://wiki.samba.org/index.php/DNS_Backend_BIND

Rowland

> Greetings,
> Timo
>
> On 11 April 2015 at 20:29, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>     [...]
and.. change your nsswitch.conf

    hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

to at least.

    hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Saturday, 11 April 2015 22:38
> To: sambalist
> Subject: Re: [Samba] Winbind not able to start
>
> On 11/04/15 20:38, Timo Altun wrote:
>> Hi and thank you for the answers!
>>
>> How do I setup the clients to do their own updates? I do not recall
>> doing anything on the windows client side to setup the automatic dns
>> updates.
>
> You can turn off the windows clients ability to update their own dns
> records, if you don't know about it then it is doubtful this is your
> problem.
>
>> The linux wheezy clients with samba 3.6.6. actually never managed to
>> automatically update dns during domain join, not even in the test
>> environment. I settled for manually adding those to the dns, as
>> they're just a handful.
>
> This is one of the reasons why I run bind9 and a dhcp server on the AD
> DC, the AD DC already has the clients dns records before the join.
>
>> One of my priorities during domain provision (during classicupgrade in
>> fact), was to not have to manually join the windows clients to the new
>> domain. This works with this configuration. The old NT-4 Domain also
>> had that dot in MAYWEG.NET. This is also what I was referring to when
>> I said, the windows clients do not "notice" the change. I knew that
>> there's no "automatic" going back to the old NT-4 domain, once they've
>> seen the new AD DC (Rowland enlightened me a couple of days ago).
>
> Have a look here: https://support.microsoft.com/en-us/kb/909264
>
> especially under the heading 'Domain names'
>
> Names can contain a period (.). However, the name cannot start with a
> period. The use of non-DNS names with periods is allowed in Microsoft
> Windows NT. However, periods should not be used in Active Directory
> domains. If you are upgrading a domain whose NetBIOS name contains a
> period, change the name by migrating the domain to a new domain
> structure. Do not use periods in new NetBIOS domain names.
>
>> Is there maybe a deeper logging level I can turn on somewhere? Or is
>> there a log on the windows client side?
>
> You could have a look in the event log on a client that isn't updating
> its records, is there anything in any of the samba logs ?
>
> Have you looked at this wiki page:
> https://wiki.samba.org/index.php/DNS_Backend_BIND
>
> Rowland
>
>> Greetings,
>> Timo
>>
>> On 11 April 2015 at 20:29, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>>     [...]
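Louis's suggestion is a one-line change to nsswitch.conf, but on a fleet of Wheezy clients it is worth checking and applying mechanically. The script below is an added example, not part of the thread; it parses the hosts: line, keeps each bracketed action such as [NOTFOUND=return] attached to the source it follows, reports whether an mdns source with [NOTFOUND=return] is consulted before dns, and moves dns in front of it, which yields exactly the line Louis recommends. The sample lines are constructed from his message; the function names are this example's own.

```python
import re

# Constructed samples: the two hosts: lines from Louis's message.
BROKEN = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4"
FIXED = "hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4"


def parse_hosts_line(line):
    """Split a 'hosts:' line into (source, [actions]) pairs.

    A bracketed action list such as [NOTFOUND=return] applies to the source
    immediately before it, so tokens are grouped rather than treated flat."""
    body = line.split("#", 1)[0]          # drop any trailing comment
    key, _, rest = body.partition(":")
    if key.strip() != "hosts":
        raise ValueError("not a hosts: line: %r" % line)
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action %s has no preceding source" % tok)
            entries[-1][1].append(tok)
        else:
            entries.append((tok, []))
    return entries


def render_hosts_line(entries):
    parts = []
    for source, actions in entries:
        parts.append(source)
        parts.extend(actions)
    return "hosts: " + " ".join(parts)


def _stops_on_notfound(actions):
    # [NOTFOUND=return] ends the lookup when that source answers NOTFOUND
    return any("notfound=return" in a.lower() for a in actions)


def dns_after_mdns_stop(entries):
    """True when an mdns source carrying [NOTFOUND=return] is consulted
    before 'dns', the ordering Louis asks to change."""
    for source, actions in entries:
        if source == "dns":
            return False
        if source.startswith("mdns") and _stops_on_notfound(actions):
            return True
    return False


def reorder_dns_first(entries):
    """Move 'dns' in front of the first mdns source that carries
    [NOTFOUND=return]; everything else keeps its position and actions."""
    entries = list(entries)
    dns_idx = next((i for i, (s, _) in enumerate(entries) if s == "dns"), None)
    if dns_idx is None or not dns_after_mdns_stop(entries):
        return entries
    dns_entry = entries.pop(dns_idx)
    target = next(i for i, (s, a) in enumerate(entries)
                  if s.startswith("mdns") and _stops_on_notfound(a))
    entries.insert(target, dns_entry)
    return entries


def fix_hosts_line(line):
    """Return the hosts: line with dns moved ahead of mdns [NOTFOUND=return]."""
    body, sep, comment = line.partition("#")
    fixed = render_hosts_line(reorder_dns_first(parse_hosts_line(body)))
    return fixed + ((" #" + comment) if sep else "")


def fix_nsswitch(text):
    """Rewrite only the hosts: line of a whole nsswitch.conf; other lines
    are passed through untouched."""
    out = []
    for line in text.splitlines():
        if line.split("#", 1)[0].strip().startswith("hosts:"):
            out.append(fix_hosts_line(line))
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(fix_hosts_line(BROKEN))
    # To apply on a client: fix_nsswitch(open("/etc/nsswitch.conf").read())
```

The parser is deliberately stricter than a plain split on whitespace: nsswitch actions bind to the source before them, so a naive token swap could leave [NOTFOUND=return] attached to dns, which would turn every NXDOMAIN from the DC into a hard stop.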