samba - Apr 2015 - Winbind not able to start

On 11/04/15 18:54, Timo Altun wrote:
> Good evening,
>
> unfortunately one problem emerged during the change from my testing 
> environment to a small portion of the live environment.
> The automatic dns updates of the windows clients do not seem to work 
> in the live environment. I changed the AD DC IP from another subnet to 
> 192.168.111.90, without reprovisioning. Everything else seems to work 
> fine though (e.g. domain joins, shares and DNS forwarding, looking up 
> manually added entries). I could also add entries manually with 
> samba-tool dns add, but keeping in mind that it worked in the other 
> subnet I would like to avoid that.
> My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
> As I don't receive any real error messages (looked in syslog, 
> messages, /var/log/samba/log.smbd) I don't have a clue where the 
> problem is. Maybe somebody has an idea?!
>
> The startup seems fine in the log:
> Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f 
> -u bind
> Apr 11 18:53:42 server06 named[4141]: built with '--prefix=/usr' 
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' 
> '--sysconfdir=/etc/bind' '--localstatedir=/var'
'--enable-threads'
> '--enable-largefile' '--with-libtool'
'--enable-shared'
> '--enable-static' '--with-openssl=/usr'
'--with-gssapi=/usr'
> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
'--enable-ipv6'
> '--enable-rrl' '--enable-filter-aaaa'
'CFLAGS=-fno-strict-aliasing
> -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
> Apr 11 18:53:42 server06 named[4141]: 
> ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet 
> Systems Consortium,
> Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit 
> 501(c)(3) public-benefit
> Apr 11 18:53:42 server06 named[4141]: corporation. Support and 
> training for BIND 9 are
> Apr 11 18:53:42 server06 named[4141]: available at 
> https://www.isc.org/support
> Apr 11 18:53:42 server06 named[4141]: 
> ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files 
> from 4096 to 1048576
> Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker threads
> Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per interface
> Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
> Apr 11 18:53:42 server06 named[4141]: loading configuration from 
> '/etc/bind/named.conf'
> Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys 
> from file '/etc/bind/bind.keys'
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port 
> range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port 
> range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo, 
> 127.0.0.1#53
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface 
> eth0, 192.168.111.90#53
> Apr 11 18:53:42 server06 named[4141]: generating session key for 
> dynamic DNS
> Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5 
> zones
> Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone' using 
> driver dlopen
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN 
> DC=intranet,DC=mayweg,DC=net
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable 
> zone '111.168.192.in-addr.arpa'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable 
> zone 'intranet.mayweg.net <http://intranet.mayweg.net>'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable 
> zone '_msdcs.intranet.mayweg.net
<http://msdcs.intranet.mayweg.net>'
> Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for 
> view _default, file 'managed-keys.bind'
> [...]
> Apr 11 18:53:42 server06 named[4141]: command channel listening on 
> 127.0.0.1#953
> Apr 11 18:53:42 server06 named[4141]: command channel listening on ::1#953
> Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial 3
> Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded 
> serial 1
> Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded 
> serial 1
> Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial 2
> Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded 
> serial 1
> Apr 11 18:53:42 server06 named[4141]: all zones loaded
> Apr 11 18:53:42 server06 named[4141]: running
>
> The only thing I find a bit strange is "command channel listening on 
> ::1#953" instead of the actual IPv4 address.
> My smb.conf on the AD DC can be found in the e-mail before. Here is 
> the rest:
>
> *krb5.conf:*
> [libdefaults]
> default_realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET>
> dns_lookup_realm = false
> dns_lookup_kdc = true
> *
> *
> *named.conf:*
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> *named.conf.default-zones:*
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> *named.conf.options:*
> options {
> directory "/var/cache/bind";
>
> forwarders {
> 192.168.111.79;
> };
>
> dnssec-validation no;
>
> auth-nxdomain no;    # conform to RFC1035
> listen-on { any; };
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> *
> *
> *named.conf.local:*
> //empty
>
> */var/lib/samba/private/named.conf:*
> dlz "AD DNS Zone" {
>     # For BIND 9.9.x
>     database "dlopen 
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> };
>
> I also checked the permissions on /etc/krb5.keytab and 
> /var/lib/samba/private/dns.keytab. Both should be accessible by bind 
> and samba.
>
> Greetings,
> Timo
Your files are the same as mine and mine works (mind you I use dhcp 
running on the first DC), If something does go wrong It shows errors in 
syslog. I take it that the clients are set up to do their own updates.

The '953' number you are worrying about is the command channel listening
on the ipv6 localhost address.

I am not entirely sure you can use the DNS server on an AD DC for more 
than one domain, it usually just updates the one forward zone. I am 
still not happy with the workgroup with a dot in it.

Rowland

Rowland

Hi and thank you for the answers!

How do I setup the clients to do their own updates? I do not recall doing
anything on the windows client side to setup the automatic dns updates. The
linux wheezy clients with samba 3.6.6. actually never managed to
automatically update dns during domain join, not even in the test
environment. I settled for manually adding those to the dns, as they're
just a handful.

One of my priorities during domain provision (during classicupgrade in
fact), was to not have to manually join the windows clients to the new
domain. This works with this configuration. The old NT-4 Domain also had
that dot in MAYWEG.NET. This is also what I was referring to when I said,
the windows clients do not "notice" the change. I knew that
there's no
"automatic" going back to the old NT-4 domain, once they've seen
the new AD
DC (Rowland enlightened me a couple of days ago).

Is there maybe a deeper logging level I can turn on somewhere? Or is there
a log on the windows client side?

Greetings,
Timo

On 11 April 2015 at 20:29, Rowland Penny <rowlandpenny at googlemail.com>
wrote:
> On 11/04/15 18:54, Timo Altun wrote:
>
>> Good evening,
>>
>> unfortunately one problem emerged during the change from my testing
>> environment to a small portion of the live environment.
>> The automatic dns updates of the windows clients do not seem to work in
>> the live environment. I changed the AD DC IP from another subnet to
>> 192.168.111.90, without reprovisioning. Everything else seems to work
fine
>> though (e.g. domain joins, shares and DNS forwarding, looking up
manually
>> added entries). I could also add entries manually with samba-tool dns
add,
>> but keeping in mind that it worked in the other subnet I would like to
>> avoid that.
>> My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
>> As I don't receive any real error messages (looked in syslog,
messages,
>> /var/log/samba/log.smbd) I don't have a clue where the problem is.
Maybe
>> somebody has an idea?!
>>
>> The startup seems fine in the log:
>> Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f
-u
>> bind
>> Apr 11 18:53:42 server06 named[4141]: built with
'--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var'
'--enable-threads'
>> '--enable-largefile' '--with-libtool'
'--enable-shared' '--enable-static'
>> '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld'
>> '--with-geoip=/usr' '--with-atf=no'
'--enable-ipv6' '--enable-rrl'
>> '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>> -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
>> Apr 11 18:53:42 server06 named[4141]: ------------------------------
>> ----------------------
>> Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet
>> Systems Consortium,
>> Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit
501(c)(3)
>> public-benefit
>> Apr 11 18:53:42 server06 named[4141]: corporation. Support and training
>> for BIND 9 are
>> Apr 11 18:53:42 server06 named[4141]: available at
>> https://www.isc.org/support
>> Apr 11 18:53:42 server06 named[4141]: ------------------------------
>> ----------------------
>> Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files from
>> 4096 to 1048576
>> Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker
threads
>> Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per
interface
>> Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
>> Apr 11 18:53:42 server06 named[4141]: loading configuration from
>> '/etc/bind/named.conf'
>> Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys
from
>> file '/etc/bind/bind.keys'
>> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port
range:
>> [1024, 65535]
>> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port
range:
>> [1024, 65535]
>> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo,
>> 127.0.0.1#53
>> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface eth0,
>> 192.168.111.90#53
>> Apr 11 18:53:42 server06 named[4141]: generating session key for
dynamic
>> DNS
>> Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5
>> zones
>> Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone'
using driver
>> dlopen
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN
>> DC=intranet,DC=mayweg,DC=net
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable
>> zone '111.168.192.in-addr.arpa'
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable
>> zone 'intranet.mayweg.net <http://intranet.mayweg.net>'
>> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable
>> zone '_msdcs.intranet.mayweg.net
<http://msdcs.intranet.mayweg.net>'
>> Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for view
>> _default, file 'managed-keys.bind'
>> [...]
>> Apr 11 18:53:42 server06 named[4141]: command channel listening on
>> 127.0.0.1#953
>> Apr 11 18:53:42 server06 named[4141]: command channel listening on
::1#953
>> Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial
3
>> Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded
>> serial 1
>> Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded
>> serial 1
>> Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial
2
>> Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded
>> serial 1
>> Apr 11 18:53:42 server06 named[4141]: all zones loaded
>> Apr 11 18:53:42 server06 named[4141]: running
>>
>> The only thing I find a bit strange is "command channel listening
on
>> ::1#953" instead of the actual IPv4 address.
>> My smb.conf on the AD DC can be found in the e-mail before. Here is the
>> rest:
>>
>> *krb5.conf:*
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET <http://INTRANET.MAYWEG.NET>
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> *
>> *
>> *named.conf:*
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> *named.conf.default-zones:*
>> // prime the server with knowledge of the root servers
>> zone "." {
>> type hint;
>> file "/etc/bind/db.root";
>> };
>>
>> // be authoritative for the localhost forward and reverse zones, and
for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>> type master;
>> file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>> type master;
>> file "/etc/bind/db.255";
>> };
>>
>> *named.conf.options:*
>> options {
>> directory "/var/cache/bind";
>>
>> forwarders {
>> 192.168.111.79;
>> };
>>
>> dnssec-validation no;
>>
>> auth-nxdomain no;    # conform to RFC1035
>> listen-on { any; };
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>> *
>> *
>> *named.conf.local:*
>> //empty
>>
>> */var/lib/samba/private/named.conf:*
>> dlz "AD DNS Zone" {
>>     # For BIND 9.9.x
>>     database "dlopen /usr/lib/x86_64-linux-gnu/
>> samba/bind9/dlz_bind9_9.so";
>> };
>>
>> I also checked the permissions on /etc/krb5.keytab and
>> /var/lib/samba/private/dns.keytab. Both should be accessible by bind
and
>> samba.
>>
>> Greetings,
>> Timo
>>
>
> Your files are the same as mine and mine works (mind you I use dhcp
> running on the first DC), If something does go wrong It shows errors in
> syslog. I take it that the clients are set up to do their own updates.
>
> The '953' number you are worrying about is the command channel
listening
> on the ipv6 localhost address.
>
> I am not entirely sure you can use the DNS server on an AD DC for more
> than one domain, it usually just updates the one forward zone. I am still
> not happy with the workgroup with a dot in it.
>
> Rowland
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 11/04/15 20:38, Timo Altun wrote:
> Hi and thank you for the answers!
>
> How do I setup the clients to do their own updates? I do not recall 
> doing anything on the windows client side to setup the automatic dns 
> updates.
You can turn off the windows clients ability to update their own dns 
records, if you don't know about it then it is doubtful this is your 
problem.
> The linux wheezy clients with samba 3.6.6. actually never managed to 
> automatically update dns during domain join, not even in the test 
> environment. I settled for manually adding those to the dns, as 
> they're just a handful.
This is one of the reasons why I run bind9 and a dhcp server on the AD 
DC, the AD DC already has the clients dns records before the join.
>
> One of my priorities during domain provision (during classicupgrade in 
> fact), was to not have to manually join the windows clients to the new 
> domain. This works with this configuration. The old NT-4 Domain also 
> had that dot in MAYWEG.NET <http://MAYWEG.NET>. This is also what I 
> was referring to when I said, the windows clients do not "notice"
the
> change. I knew that there's no "automatic" going back to the
old NT-4
> domain, once they've seen the new AD DC (Rowland enlightened me a 
> couple of days ago).
Have a look here: https://support.microsoft.com/en-us/kb/909264

especially under the heading 'Domain names'

Names can contain a period (.). However, the name cannot start with a 
period. The use of non-DNS names with periods is allowed in Microsoft 
Windows NT. However, periods should not be used in Active Directory 
domains. If you are upgrading a domain whose NetBIOS name contains a 
period, change the name by migrating the domain to a new domain 
structure. Do not use periods in new NetBIOS domain names.
>
> Is there maybe a deeper logging level I can turn on somewhere? Or is 
> there a log on the windows client side?
>
You could have a look in the event log on a client that isn't updating 
its records, is there anything in any of the samba logs ?

Have you looked at this wiki page: 
https://wiki.samba.org/index.php/DNS_Backend_BIND

Rowland
> Greetings,
> Timo
>
> On 11 April 2015 at 20:29, Rowland Penny <rowlandpenny at googlemail.com
> <mailto:rowlandpenny at googlemail.com>> wrote:
>
>     On 11/04/15 18:54, Timo Altun wrote:
>
>         Good evening,
>
>         unfortunately one problem emerged during the change from my
>         testing environment to a small portion of the live environment.
>         The automatic dns updates of the windows clients do not seem
>         to work in the live environment. I changed the AD DC IP from
>         another subnet to 192.168.111.90, without reprovisioning.
>         Everything else seems to work fine though (e.g. domain joins,
>         shares and DNS forwarding, looking up manually added entries).
>         I could also add entries manually with samba-tool dns add, but
>         keeping in mind that it worked in the other subnet I would
>         like to avoid that.
>         My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
>         As I don't receive any real error messages (looked in syslog,
>         messages, /var/log/samba/log.smbd) I don't have a clue where
>         the problem is. Maybe somebody has an idea?!
>
>         The startup seems fine in the log:
>         Apr 11 18:53:42 server06 named[4141]: starting BIND
>         9.9.5-9-Debian -f -u bind
>         Apr 11 18:53:42 server06 named[4141]: built with
>         '--prefix=/usr' '--mandir=/usr/share/man'
>         '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind'
>         '--localstatedir=/var' '--enable-threads'
'--enable-largefile'
>         '--with-libtool' '--enable-shared'
'--enable-static'
>         '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld'
>         '--with-geoip=/usr' '--with-atf=no'
'--enable-ipv6'
>         '--enable-rrl' '--enable-filter-aaaa'
>         'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks
>         -DDIG_SIGCHASE -O2'
>         Apr 11 18:53:42 server06 named[4141]:
>         ----------------------------------------------------
>         Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by
>         Internet Systems Consortium,
>         Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit
>         501(c)(3) public-benefit
>         Apr 11 18:53:42 server06 named[4141]: corporation. Support and
>         training for BIND 9 are
>         Apr 11 18:53:42 server06 named[4141]: available at
>         https://www.isc.org/support
>         Apr 11 18:53:42 server06 named[4141]:
>         ----------------------------------------------------
>         Apr 11 18:53:42 server06 named[4141]: adjusted limit on open
>         files from 4096 to 1048576
>         Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4
>         worker threads
>         Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners
>         per interface
>         Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
>         Apr 11 18:53:42 server06 named[4141]: loading configuration
>         from '/etc/bind/named.conf'
>         Apr 11 18:53:42 server06 named[4141]: reading built-in trusted
>         keys from file '/etc/bind/bind.keys'
>         Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4
>         port range: [1024, 65535]
>         Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6
>         port range: [1024, 65535]
>         Apr 11 18:53:42 server06 named[4141]: listening on IPv4
>         interface lo, 127.0.0.1#53
>         Apr 11 18:53:42 server06 named[4141]: listening on IPv4
>         interface eth0, 192.168.111.90#53
>         Apr 11 18:53:42 server06 named[4141]: generating session key
>         for dynamic DNS
>         Apr 11 18:53:42 server06 named[4141]: sizing zone task pool
>         based on 5 zones
>         Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone'
>         using driver dlopen
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for
>         DN DC=intranet,DC=mayweg,DC=net
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting
>         configure
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>         writeable zone '111.168.192.in-addr.arpa'
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>         writeable zone 'intranet.mayweg.net
>         <http://intranet.mayweg.net>
<http://intranet.mayweg.net>'
>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>         writeable zone '_msdcs.intranet.mayweg.net
>         <http://msdcs.intranet.mayweg.net>
>         <http://msdcs.intranet.mayweg.net>'
>         Apr 11 18:53:42 server06 named[4141]: set up managed keys zone
>         for view _default, file 'managed-keys.bind'
>         [...]
>         Apr 11 18:53:42 server06 named[4141]: command channel
>         listening on 127.0.0.1#953
>         Apr 11 18:53:42 server06 named[4141]: command channel
>         listening on ::1#953
>         Apr 11 18:53:42 server06 named[4141]: managed-keys-zone:
>         loaded serial 3
>         Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN:
>         loaded serial 1
>         Apr 11 18:53:42 server06 named[4141]: zone
>         127.in-addr.arpa/IN: loaded serial 1
>         Apr 11 18:53:42 server06 named[4141]: zone localhost/IN:
>         loaded serial 2
>         Apr 11 18:53:42 server06 named[4141]: zone
>         255.in-addr.arpa/IN: loaded serial 1
>         Apr 11 18:53:42 server06 named[4141]: all zones loaded
>         Apr 11 18:53:42 server06 named[4141]: running
>
>         The only thing I find a bit strange is "command channel
>         listening on ::1#953" instead of the actual IPv4 address.
>         My smb.conf on the AD DC can be found in the e-mail before.
>         Here is the rest:
>
>         *krb5.conf:*
>         [libdefaults]
>         default_realm = INTRANET.MAYWEG.NET
>         <http://INTRANET.MAYWEG.NET>
<http://INTRANET.MAYWEG.NET>
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         *
>         *
>         *named.conf:*
>         include "/etc/bind/named.conf.options";
>         include "/etc/bind/named.conf.local";
>         include "/etc/bind/named.conf.default-zones";
>         include "/var/lib/samba/private/named.conf";
>
>         *named.conf.default-zones:*
>         // prime the server with knowledge of the root servers
>         zone "." {
>         type hint;
>         file "/etc/bind/db.root";
>         };
>
>         // be authoritative for the localhost forward and reverse
>         zones, and for
>         // broadcast zones as per RFC 1912
>
>         zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
>         };
>
>         zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
>         };
>
>         zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
>         };
>
>         zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
>         };
>
>         *named.conf.options:*
>         options {
>         directory "/var/cache/bind";
>
>         forwarders {
>         192.168.111.79;
>         };
>
>         dnssec-validation no;
>
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on { any; };
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>         };
>         *
>         *
>         *named.conf.local:*
>         //empty
>
>         */var/lib/samba/private/named.conf:*
>         dlz "AD DNS Zone" {
>             # For BIND 9.9.x
>             database "dlopen
>         /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>         };
>
>         I also checked the permissions on /etc/krb5.keytab and
>         /var/lib/samba/private/dns.keytab. Both should be accessible
>         by bind and samba.
>
>         Greetings,
>         Timo
>
>
>     Your files are the same as mine and mine works (mind you I use
>     dhcp running on the first DC), If something does go wrong It shows
>     errors in syslog. I take it that the clients are set up to do
>     their own updates.
>
>     The '953' number you are worrying about is the command channel
>     listening on the ipv6 localhost address.
>
>     I am not entirely sure you can use the DNS server on an AD DC for
>     more than one domain, it usually just updates the one forward
>     zone. I am still not happy with the workgroup with a dot in it.
>
>     Rowland
>
>
>     Rowland
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>

and.. 

change your nsswitch.conf 
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
to at least. 
>> hosts:          files dns mdns4_minimal [NOTFOUND=return] mdns4
Louis


>-----Oorspronkelijk bericht-----
>Van: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: zaterdag 11 april 2015 22:38
>Aan: sambalist
>Onderwerp: Re: [Samba] Winbind not able to start
>
>On 11/04/15 20:38, Timo Altun wrote:
>> Hi and thank you for the answers!
>>
>> How do I setup the clients to do their own updates? I do not recall 
>> doing anything on the windows client side to setup the automatic dns 
>> updates.
>
>You can turn off the windows clients ability to update their own dns 
>records, if you don't know about it then it is doubtful this is your 
>problem.
>
>> The linux wheezy clients with samba 3.6.6. actually never managed to 
>> automatically update dns during domain join, not even in the test 
>> environment. I settled for manually adding those to the dns, as 
>> they're just a handful.
>
>This is one of the reasons why I run bind9 and a dhcp server on the AD 
>DC, the AD DC already has the clients dns records before the join.
>
>>
>> One of my priorities during domain provision (during 
>classicupgrade in 
>> fact), was to not have to manually join the windows clients 
>to the new 
>> domain. This works with this configuration. The old NT-4 Domain also 
>> had that dot in MAYWEG.NET <http://MAYWEG.NET>. This is also what
I
>> was referring to when I said, the windows clients do not 
>"notice" the 
>> change. I knew that there's no "automatic" going back to
the
>old NT-4 
>> domain, once they've seen the new AD DC (Rowland enlightened me a 
>> couple of days ago).
>
>Have a look here: https://support.microsoft.com/en-us/kb/909264
>
>especially under the heading 'Domain names'
>
>Names can contain a period (.). However, the name cannot start with a 
>period. The use of non-DNS names with periods is allowed in Microsoft 
>Windows NT. However, periods should not be used in Active Directory 
>domains. If you are upgrading a domain whose NetBIOS name contains a 
>period, change the name by migrating the domain to a new domain 
>structure. Do not use periods in new NetBIOS domain names.
>
>>
>> Is there maybe a deeper logging level I can turn on somewhere? Or is 
>> there a log on the windows client side?
>>
>
>You could have a look in the event log on a client that isn't updating 
>its records, is there anything in any of the samba logs ?
>
>Have you looked at this wiki page: 
>https://wiki.samba.org/index.php/DNS_Backend_BIND
>
>Rowland
>
>> Greetings,
>> Timo
>>
>> On 11 April 2015 at 20:29, Rowland Penny 
><rowlandpenny at googlemail.com 
>> <mailto:rowlandpenny at googlemail.com>> wrote:
>>
>>     On 11/04/15 18:54, Timo Altun wrote:
>>
>>         Good evening,
>>
>>         unfortunately one problem emerged during the change from my
>>         testing environment to a small portion of the live 
>environment.
>>         The automatic dns updates of the windows clients do not seem
>>         to work in the live environment. I changed the AD DC IP from
>>         another subnet to 192.168.111.90, without reprovisioning.
>>         Everything else seems to work fine though (e.g. domain joins,
>>         shares and DNS forwarding, looking up manually added 
>entries).
>>         I could also add entries manually with samba-tool 
>dns add, but
>>         keeping in mind that it worked in the other subnet I would
>>         like to avoid that.
>>         My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
>>         As I don't receive any real error messages (looked in
syslog,
>>         messages, /var/log/samba/log.smbd) I don't have a clue
where
>>         the problem is. Maybe somebody has an idea?!
>>
>>         The startup seems fine in the log:
>>         Apr 11 18:53:42 server06 named[4141]: starting BIND
>>         9.9.5-9-Debian -f -u bind
>>         Apr 11 18:53:42 server06 named[4141]: built with
>>         '--prefix=/usr' '--mandir=/usr/share/man'
>>         '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind'
>>         '--localstatedir=/var' '--enable-threads' 
>'--enable-largefile'
>>         '--with-libtool' '--enable-shared'
'--enable-static'
>>         '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld'
>>         '--with-geoip=/usr' '--with-atf=no'
'--enable-ipv6'
>>         '--enable-rrl' '--enable-filter-aaaa'
>>         'CFLAGS=-fno-strict-aliasing
-fno-delete-null-pointer-checks
>>         -DDIG_SIGCHASE -O2'
>>         Apr 11 18:53:42 server06 named[4141]:
>>         ----------------------------------------------------
>>         Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by
>>         Internet Systems Consortium,
>>         Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a 
>non-profit
>>         501(c)(3) public-benefit
>>         Apr 11 18:53:42 server06 named[4141]: corporation. 
>Support and
>>         training for BIND 9 are
>>         Apr 11 18:53:42 server06 named[4141]: available at
>>         https://www.isc.org/support
>>         Apr 11 18:53:42 server06 named[4141]:
>>         ----------------------------------------------------
>>         Apr 11 18:53:42 server06 named[4141]: adjusted limit on open
>>         files from 4096 to 1048576
>>         Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4
>>         worker threads
>>         Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners
>>         per interface
>>         Apr 11 18:53:42 server06 named[4141]: using up to 
>4096 sockets
>>         Apr 11 18:53:42 server06 named[4141]: loading configuration
>>         from '/etc/bind/named.conf'
>>         Apr 11 18:53:42 server06 named[4141]: reading 
>built-in trusted
>>         keys from file '/etc/bind/bind.keys'
>>         Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4
>>         port range: [1024, 65535]
>>         Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6
>>         port range: [1024, 65535]
>>         Apr 11 18:53:42 server06 named[4141]: listening on IPv4
>>         interface lo, 127.0.0.1#53
>>         Apr 11 18:53:42 server06 named[4141]: listening on IPv4
>>         interface eth0, 192.168.111.90#53
>>         Apr 11 18:53:42 server06 named[4141]: generating session key
>>         for dynamic DNS
>>         Apr 11 18:53:42 server06 named[4141]: sizing zone task pool
>>         based on 5 zones
>>         Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS
Zone'
>>         using driver dlopen
>>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for
>>         DN DC=intranet,DC=mayweg,DC=net
>>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting
>>         configure
>>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>>         writeable zone '111.168.192.in-addr.arpa'
>>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>>         writeable zone 'intranet.mayweg.net
>>         <http://intranet.mayweg.net>
<http://intranet.mayweg.net>'
>>         Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured
>>         writeable zone '_msdcs.intranet.mayweg.net
>>         <http://msdcs.intranet.mayweg.net>
>>         <http://msdcs.intranet.mayweg.net>'
>>         Apr 11 18:53:42 server06 named[4141]: set up managed 
>keys zone
>>         for view _default, file 'managed-keys.bind'
>>         [...]
>>         Apr 11 18:53:42 server06 named[4141]: command channel
>>         listening on 127.0.0.1#953
>>         Apr 11 18:53:42 server06 named[4141]: command channel
>>         listening on ::1#953
>>         Apr 11 18:53:42 server06 named[4141]: managed-keys-zone:
>>         loaded serial 3
>>         Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN:
>>         loaded serial 1
>>         Apr 11 18:53:42 server06 named[4141]: zone
>>         127.in-addr.arpa/IN: loaded serial 1
>>         Apr 11 18:53:42 server06 named[4141]: zone localhost/IN:
>>         loaded serial 2
>>         Apr 11 18:53:42 server06 named[4141]: zone
>>         255.in-addr.arpa/IN: loaded serial 1
>>         Apr 11 18:53:42 server06 named[4141]: all zones loaded
>>         Apr 11 18:53:42 server06 named[4141]: running
>>
>>         The only thing I find a bit strange is "command channel
>>         listening on ::1#953" instead of the actual IPv4 address.
>>         My smb.conf on the AD DC can be found in the e-mail before.
>>         Here is the rest:
>>
>>         *krb5.conf:*
>>         [libdefaults]
>>         default_realm = INTRANET.MAYWEG.NET
>>         <http://INTRANET.MAYWEG.NET>
<http://INTRANET.MAYWEG.NET>
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>         *
>>         *
>>         *named.conf:*
>>         include "/etc/bind/named.conf.options";
>>         include "/etc/bind/named.conf.local";
>>         include "/etc/bind/named.conf.default-zones";
>>         include "/var/lib/samba/private/named.conf";
>>
>>         *named.conf.default-zones:*
>>         // prime the server with knowledge of the root servers
>>         zone "." {
>>         type hint;
>>         file "/etc/bind/db.root";
>>         };
>>
>>         // be authoritative for the localhost forward and reverse
>>         zones, and for
>>         // broadcast zones as per RFC 1912
>>
>>         zone "localhost" {
>>         type master;
>>         file "/etc/bind/db.local";
>>         };
>>
>>         zone "127.in-addr.arpa" {
>>         type master;
>>         file "/etc/bind/db.127";
>>         };
>>
>>         zone "0.in-addr.arpa" {
>>         type master;
>>         file "/etc/bind/db.0";
>>         };
>>
>>         zone "255.in-addr.arpa" {
>>         type master;
>>         file "/etc/bind/db.255";
>>         };
>>
>>         *named.conf.options:*
>>         options {
>>         directory "/var/cache/bind";
>>
>>         forwarders {
>>         192.168.111.79;
>>         };
>>
>>         dnssec-validation no;
>>
>>         auth-nxdomain no;    # conform to RFC1035
>>         listen-on { any; };
>>         tkey-gssapi-keytab
"/var/lib/samba/private/dns.keytab";
>>         };
>>         *
>>         *
>>         *named.conf.local:*
>>         //empty
>>
>>         */var/lib/samba/private/named.conf:*
>>         dlz "AD DNS Zone" {
>>             # For BIND 9.9.x
>>             database "dlopen
>>         /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
>>         };
>>
>>         I also checked the permissions on /etc/krb5.keytab and
>>         /var/lib/samba/private/dns.keytab. Both should be accessible
>>         by bind and samba.
>>
>>         Greetings,
>>         Timo
>>
>>
>>     Your files are the same as mine and mine works (mind you I use
>>     dhcp running on the first DC), If something does go 
>wrong It shows
>>     errors in syslog. I take it that the clients are set up to do
>>     their own updates.
>>
>>     The '953' number you are worrying about is the command
channel
>>     listening on the ipv6 localhost address.
>>
>>     I am not entirely sure you can use the DNS server on an AD DC for
>>     more than one domain, it usually just updates the one forward
>>     zone. I am still not happy with the workgroup with a dot in it.
>>
>>     Rowland
>>
>>
>>     Rowland
>>
>>     -- 
>>     To unsubscribe from this list go to the following URL 
>and read the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>