Hi,

I have just provisioned a new samba setup with 2 DCs running ISC DHCPd in failover and I'm trying to get it to play nice with samba internal DNS but I'm having some issues.

1) I'm using on commit, etc triggers in the dhcpd config to call a script that calls samba-tool to add, delete or update DNS. This script works fine when I call it from the command line as the dhcpd user but when called from the dhcpd daemon it throws a WERR_INTERNAL_DB_ERROR which is scary. That is coming from the client I guess. What is the best way to figure out what is going on server side? I increased the log level but I get crazy amounts of info that does not seem relevant.

2) I added a reverse zone 80.16.172.in-addr.arpa and when I add records to it all lookups fail with samba saying it's not authoritative for the lookup. I figured maybe it was a class B vs class C thing so I created a 16.172.in-addr.arpa zone and tried that. It's better, now I just get a SERVFAIL like it can't find it. If I do a samba-tool query ALL I see records in the AD.

I haven't played with 4 since the early days, it's come a long way. Nice.

Any ideas for the problems above?

Thanks,
Greg

--
Greg Dickie
just a guy
514-983-5400
On 27/02/15 16:55, Greg Dickie wrote:
> Hi,
>
> I have just provisioned a new samba setup with 2 DCs running ISC DHCPd in failover and I'm trying to get it to play nice with samba internal DNS but I'm having some issues.
>
> 1) I'm using on commit, etc triggers in the dhcpd config to call a script that calls samba-tool to add, delete or update DNS. This script works fine when I call it from the command line as the dhcpd user but when called from the dhcpd daemon it throws a WERR_INTERNAL_DB_ERROR which is scary. That is coming from the client I guess. What is the best way to figure out what is going on server side? I increased the log level but I get crazy amounts of info that does not seem relevant.
>
> 2) I added a reverse zone 80.16.172.in-addr.arpa and when I add records to it all lookups fail with samba saying it's not authoritative for the lookup. I figured maybe it was a class B vs class C thing so I created a 16.172.in-addr.arpa zone and tried that. It's better, now I just get a SERVFAIL like it can't find it. If I do a samba-tool query ALL I see records in the AD.
>
> I haven't played with 4 since the early days, it's come a long way. Nice.
>
> Any ideas for the problems above?
>
> Thanks,
> Greg
>
> --
> Greg Dickie
> just a guy
> 514-983-5400

Hi, if I remember correctly, samba-tool uses nsupdate to do the updates, so why not do the same as me and script around nsupdate? I can assure you this works, well it has for me for the last two years.

Care to share the failover bit?

Rowland
On 27.02.2015 at 17:55, Greg Dickie wrote:
> Hi,
>
> I have just provisioned a new samba setup with 2 DCs running ISC DHCPd in failover and I'm trying to get it to play nice with samba internal DNS but I'm having some issues.
>
> 1) I'm using on commit, etc triggers in the dhcpd config to call a script that calls samba-tool to add, delete or update DNS. This script works fine when I call it from the command line as the dhcpd user but when called from the dhcpd daemon it throws a WERR_INTERNAL_DB_ERROR which is scary. That is coming from the client I guess. What is the best way to figure out what is going on server side? I increased the log level but I get crazy amounts of info that does not seem relevant.
>
> 2) I added a reverse zone 80.16.172.in-addr.arpa and when I add records to it all lookups fail with samba saying it's not authoritative for the lookup. I figured maybe it was a class B vs class C thing so I created a 16.172.in-addr.arpa zone and tried that. It's better, now I just get a SERVFAIL like it can't find it. If I do a samba-tool query ALL I see records in the AD.
>
> I haven't played with 4 since the early days, it's come a long way. Nice.
>
> Any ideas for the problems above?
>
> Thanks,
> Greg
>
> --
> Greg Dickie
> just a guy
> 514-983-5400

AFAIR the internal dns server loads all zones on *startup only*.
It allows to add new zones - and entries inside - but will "serve" them only after a restart (of samba).

Cheers, Günter

PS - I don't know whether this behaviour has changed recently...
On 27/02/15 18:15, Günter Kukkukk wrote:
> On 27.02.2015 at 17:55, Greg Dickie wrote:
>> Hi,
>>
>> I have just provisioned a new samba setup with 2 DCs running ISC DHCPd in failover and I'm trying to get it to play nice with samba internal DNS but I'm having some issues.
>>
>> 1) I'm using on commit, etc triggers in the dhcpd config to call a script that calls samba-tool to add, delete or update DNS. This script works fine when I call it from the command line as the dhcpd user but when called from the dhcpd daemon it throws a WERR_INTERNAL_DB_ERROR which is scary. That is coming from the client I guess. What is the best way to figure out what is going on server side? I increased the log level but I get crazy amounts of info that does not seem relevant.
>>
>> 2) I added a reverse zone 80.16.172.in-addr.arpa and when I add records to it all lookups fail with samba saying it's not authoritative for the lookup. I figured maybe it was a class B vs class C thing so I created a 16.172.in-addr.arpa zone and tried that. It's better, now I just get a SERVFAIL like it can't find it. If I do a samba-tool query ALL I see records in the AD.
>>
>> I haven't played with 4 since the early days, it's come a long way. Nice.
>>
>> Any ideas for the problems above?
>>
>> Thanks,
>> Greg
>>
>> --
>> Greg Dickie
>> just a guy
>> 514-983-5400
>>
> AFAIR the internal dns server loads all zones on *startup only*.
> It allows to add new zones - and entries inside - but will "serve"
> them only after a restart (of samba).
>
> Cheers, Günter
>
> PS - I don't know whether this behaviour has changed recently...

I totally missed that the OP was using the internal dns server. I could never get dhcp to update records using the internal dns server and believe me I tried. I just installed bind9 and that worked correctly.

Rowland
Hi Günter,

Thanks for the reply. I restarted samba. Same issue though.

Thanks,
Greg

On Fri, 2015-02-27 at 19:15 +0100, Günter Kukkukk wrote:
> On 27.02.2015 at 17:55, Greg Dickie wrote:
>> Hi,
>>
>> I have just provisioned a new samba setup with 2 DCs running ISC DHCPd in failover and I'm trying to get it to play nice with samba internal DNS but I'm having some issues.
>>
>> 1) I'm using on commit, etc triggers in the dhcpd config to call a script that calls samba-tool to add, delete or update DNS. This script works fine when I call it from the command line as the dhcpd user but when called from the dhcpd daemon it throws a WERR_INTERNAL_DB_ERROR which is scary. That is coming from the client I guess. What is the best way to figure out what is going on server side? I increased the log level but I get crazy amounts of info that does not seem relevant.
>>
>> 2) I added a reverse zone 80.16.172.in-addr.arpa and when I add records to it all lookups fail with samba saying it's not authoritative for the lookup. I figured maybe it was a class B vs class C thing so I created a 16.172.in-addr.arpa zone and tried that. It's better, now I just get a SERVFAIL like it can't find it. If I do a samba-tool query ALL I see records in the AD.
>>
>> I haven't played with 4 since the early days, it's come a long way. Nice.
>>
>> Any ideas for the problems above?
>>
>> Thanks,
>> Greg
>>
>> --
>> Greg Dickie
>> just a guy
>> 514-983-5400
>>
> AFAIR the internal dns server loads all zones on *startup only*.
> It allows to add new zones - and entries inside - but will "serve"
> them only after a restart (of samba).
>
> Cheers, Günter
>
> PS - I don't know whether this behaviour has changed recently...

--
Greg Dickie
514-983-5400
just a guy
On Fri, 2015-02-27 at 17:08 +0000, Rowland Penny wrote:
> On 27/02/15 16:55, Greg Dickie wrote:
>> Hi,
>>
>> I have just provisioned a new samba setup with 2 DCs running ISC DHCPd in failover and I'm trying to get it to play nice with samba internal DNS but I'm having some issues.
>>
>> 1) I'm using on commit, etc triggers in the dhcpd config to call a script that calls samba-tool to add, delete or update DNS. This script works fine when I call it from the command line as the dhcpd user but when called from the dhcpd daemon it throws a WERR_INTERNAL_DB_ERROR which is scary. That is coming from the client I guess. What is the best way to figure out what is going on server side? I increased the log level but I get crazy amounts of info that does not seem relevant.
>>
>> 2) I added a reverse zone 80.16.172.in-addr.arpa and when I add records to it all lookups fail with samba saying it's not authoritative for the lookup. I figured maybe it was a class B vs class C thing so I created a 16.172.in-addr.arpa zone and tried that. It's better, now I just get a SERVFAIL like it can't find it. If I do a samba-tool query ALL I see records in the AD.
>>
>> I haven't played with 4 since the early days, it's come a long way. Nice.
>>
>> Any ideas for the problems above?
>>
>> Thanks,
>> Greg
>>
>> --
>> Greg Dickie
>> just a guy
>> 514-983-5400
>
> Hi, if I remember correctly, samba-tool uses nsupdate to do the updates,
> so why not do the same as me and script around nsupdate? I can assure
> you this works, well it has for me for the last two years.

samba-tool dns uses the RPC management interface, not nsupdate. It also doesn't do a lot of error checking - for better or worse, what you put in will end up in the database, provided you have the right privileges (the username/password given to samba-tool).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi Rowland,

Your DHCP is updating bind DLZ directly, right? Are you scripted with on commit, etc or just using ddns-update-style?

Thanks,
Greg

On Fri, 2015-02-27 at 17:08 +0000, Rowland Penny wrote:
> On 27/02/15 16:55, Greg Dickie wrote:
>> Hi,
>>
>> I have just provisioned a new samba setup with 2 DCs running ISC DHCPd in failover and I'm trying to get it to play nice with samba internal DNS but I'm having some issues.
>>
>> 1) I'm using on commit, etc triggers in the dhcpd config to call a script that calls samba-tool to add, delete or update DNS. This script works fine when I call it from the command line as the dhcpd user but when called from the dhcpd daemon it throws a WERR_INTERNAL_DB_ERROR which is scary. That is coming from the client I guess. What is the best way to figure out what is going on server side? I increased the log level but I get crazy amounts of info that does not seem relevant.
>>
>> 2) I added a reverse zone 80.16.172.in-addr.arpa and when I add records to it all lookups fail with samba saying it's not authoritative for the lookup. I figured maybe it was a class B vs class C thing so I created a 16.172.in-addr.arpa zone and tried that. It's better, now I just get a SERVFAIL like it can't find it. If I do a samba-tool query ALL I see records in the AD.
>>
>> I haven't played with 4 since the early days, it's come a long way. Nice.
>>
>> Any ideas for the problems above?
>>
>> Thanks,
>> Greg
>>
>> --
>> Greg Dickie
>> just a guy
>> 514-983-5400
>
> Hi, if I remember correctly, samba-tool uses nsupdate to do the updates,
> so why not do the same as me and script around nsupdate? I can assure
> you this works, well it has for me for the last two years.
>
> Care to share the failover bit?
>
> Rowland

--
Greg Dickie
514-983-5400
just a guy
On 27/02/15 at 17:55, Greg Dickie wrote:
> 1) I'm using on commit, etc triggers in the dhcpd config to call a script that calls samba-tool to add, delete or update DNS. This script works fine when I call it from the command line as the dhcpd user but when called from the dhcpd daemon it throws a WERR_INTERNAL_DB_ERROR which is scary. That is coming from the client I guess. What is the best way to figure out what is going on server side? I increased the log level but I get crazy amounts of info that does not seem relevant.

Sorry for rehashing an old thread, but I found it while looking for a solution to the same problem *and* I also found a solution (or, at least, a workaround), so I hope that somebody looking for the same problem will also find this solution.

I'm supposing you're using the scripts from here:

https://wiki.archlinux.org/index.php/Samba_4_Active_Directory_domain_controller#DHCP

To avoid the WERR_INTERNAL_DB_ERROR I had to add

USER=dhcpd
export USER

to the script in /etc/dhcp/update.sh (this is the path for ubuntu 14.04, instead of the /etc/dhcpd one for arch).

Since ubuntu 14.04 uses apparmor, I also added the line

/etc/dhcp/update.sh Uxr,

to /etc/apparmor.d/local/usr.sbin.dhcpd and put KRB5CC in /tmp instead of /run (where the dhcpd user cannot write).

BTW samba-tool seems to ignore the -k option altogether (it uses kerberos if it can or asks for a password if it cannot, regardless of the presence or not of the -k option).

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
On 24/04/15 at 12:45, Luca Olivetti wrote:
>
> BTW samba-tool seems to ignore the -k option altogether (it uses
> kerberos if it can or asks for a password if it cannot, regardless of
> the presence or not of the -k option).

Oh, and one more thing: I followed the advice in

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Configure_Kerberos

and symlinked the file. The problem is that the file in samba/private is only readable by root, so other users (in this case dhcpd) cannot use kerberos. It seems that the right thing to do is copy the file and *not* symlink it.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
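An added example (not Greg's script, nor the Arch wiki script Luca refers to) of a dhcpd "on commit" hook that applies the fixes from this thread: exporting USER, keeping the Kerberos cache under /tmp, and deriving the reverse zone name that Greg's second question hinges on. It also validates the client-supplied hostname before it reaches samba-tool, since a DHCP client chooses its own host-name option. The DC name, zone names, cache path and the `update.sh add|delete <ip> <hostname>` calling convention are constructed assumptions.

```shell
#!/bin/sh
# Added example hook for ISC dhcpd "on commit/release/expiry" triggers.
# Assumed call: update.sh add|delete <ip> <hostname>. A Kerberos ticket for the
# dhcpd user is assumed to already exist in the cache below (not obtained here).

# An interactive shell sets USER, the daemon environment does not; Luca reported
# that samba-tool fails with WERR_INTERNAL_DB_ERROR without it.
USER=${USER:-dhcpd}; export USER
# Credential cache under /tmp: /run is not writable by the dhcpd user.
KRB5CCNAME=${KRB5CCNAME:-/tmp/dhcpd.krb5cc}; export KRB5CCNAME

DC_HOST=${DC_HOST:-dc1.example.internal}   # constructed
FWD_ZONE=${FWD_ZONE:-example.internal}      # constructed
DRY_RUN=${DRY_RUN:-0}                       # 1 = print commands instead of running

# The hostname comes from the DHCP client, so treat it as untrusted input:
# only RFC 1123 label characters, no leading/trailing '-', at most 63 chars.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
        *) [ ${#1} -le 63 ] ;;
    esac
}

# 172.16.80.5 -> zone "80.16.172.in-addr.arpa" (class C style), record name "5".
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}
reverse_name() {
    echo "${1##*.}"
}

# samba-tool dns add|delete <server> <zone> <name> <type> <data>
run_samba_tool() {
    if [ "$DRY_RUN" = 1 ]; then echo "samba-tool dns $*"; return 0; fi
    samba-tool dns "$@"
}

# $1 action (add|delete), $2 leased IP, $3 client hostname
update_dns() {
    valid_hostname "$3" || { echo "rejecting hostname '$3'" >&2; return 2; }
    run_samba_tool "$1" "$DC_HOST" "$FWD_ZONE" "$3" A "$2" &&
    run_samba_tool "$1" "$DC_HOST" "$(reverse_zone "$2")" \
        "$(reverse_name "$2")" PTR "$3.$FWD_ZONE."
}

case "$1" in
    add|delete) update_dns "$1" "$2" "$3" ;;
esac
```

Run it with DRY_RUN=1 from the dhcpd account first; the printed commands show exactly which zone and record name samba-tool would be handed, which is the first thing to compare against the zones that actually exist on the DC.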