samba - Sep 2015 - samba_dlz: Failed to configure zone... already exists

Hi All,

Finally got BIND_DLZ going.  Last errors were:

    samba_dlz: Failed to configure zone 'example.com'
    loading configuration: already exists
    exiting (due to fatal error)
    samba_dlz: shutting down

And, indeed, I had, in /etc/bind/named.local.conf:

    zone "example.com" in {
        type master;
        file "named.hosts";
    };

Commenting that out solved the problem and BIND started up.

Problem is: I *need* that (static) zone.  This server will be not only
the Samba AD DC, but primary nameserver and a bunch of other stuff.  So
I imagine I have to start over, making the zone in which the AD DC
stuff resides "pdc.example.com"?

Only not certain about interaction between the Samba AD DC zone and the
Kerberos default_realm?

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.

On 03/09/15 14:28, Jim Seymour wrote:
> Hi All,
>
> Finally got BIND_DLZ going.  Last errors were:
>
>      samba_dlz: Failed to configure zone 'example.com'
>      loading configuration: already exists
>      exiting (due to fatal error)
>      samba_dlz: shutting down
>
> And, indeed, I had, in /etc/bind/named.local.conf:
>
>      zone "example.com" in {
>          type master;
>          file "named.hosts";
>      };
>
> Commenting that out solved the problem and BIND started up.
>
> Problem is: I *need* that (static) zone.  This server will be not only
> the Samba AD DC, but primary nameserver and a bunch of other stuff.  So
> I imagine I have to start over, making the zone in which the AD DC
> stuff resides "pdc.example.com"?
>
> Only not certain about interaction between the Samba AD DC zone and the
> Kerberos default_realm?
>
> Thanks,
> Jim
The kerberos default_realm must be the samba AD DC domain name and 
usually the samba DNS server (internal or bind) is just the dns server 
for the samba4 AD DC. This does not mean that you cannot add other zones 
to AD, this is easily done with samba-tool, in fact as standard, you 
have to create the reverse zone if you require it.

I wouldn't use 'pdc.example.com' as you do not have a pdc and should
get
out of the habit of referring to it as the PDC, a PDC is a very 
different thing from an AD DC, all DCs are equal apart from the FSMO 
roles. How about 'ad.example.com' or 'samba.example.com'

Rowland

On Thu, 3 Sep 2015 15:07:37 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

[snip]
> 
> The kerberos default_realm must be the samba AD DC domain name and 
> usually
So if I put the Samba AD DC in, say, "addc.example.com,"
"addc.example.com" must be the Kerberos default_realm?
> the samba DNS server (internal or bind) is just the dns
> server for the samba4 AD DC.
Yes, but I need example.com's zone to be a "normal" (i.e.: static)
zone.  It is now, and will remain, *the* zone for the corporate LAN at
this location.

So, since a Samba AD DC must have dynamic zones, I guess that means
Samba must "run in" a sub-zone.

This is the problem to which I referred a couple days ago.

I find it odd that this seems to be such an unusual configuration.  Has
the *nix world become contaminated with typical MS-Win server thinking:
That a server can do only one thing at a time?  It's an AD DC, to it
can't do anything else?
> This does not mean that you cannot add
> other zones to AD, this is easily done with samba-tool, in fact as
> standard, you have to create the reverse zone if you require it.
Don't see how that solves the problem.
> 
> I wouldn't use 'pdc.example.com' as you do not have a pdc and
should
> get out of the habit of referring to it as the PDC, a PDC is a very 
> different thing from an AD DC, all DCs are equal apart from the FSMO 
> roles. How about 'ad.example.com' or 'samba.example.com'
Very well.  I defaulted to that because I keep seeing references to
it.  I'll call it "addc.example.com".

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.