Felipe_G0NZÁLEZ_SANTIAG0
2016-Nov-10 14:48 UTC
[Samba] ERROR:connection refused after provision
See inline comments:

----- Original Message -----
From: "Rowland Penny" <rpenny at samba.org>
To: samba at lists.samba.org
Sent: Tuesday, November 8, 2016 10:46:50 AM
Subject: Re: [Samba] ERROR:connection refused after provision

See inline comments:

On Tue, 8 Nov 2016 09:08:34 -0500 (CST)
Felipe_G0NZÁLEZ_SANTIAG0 via samba <samba at lists.samba.org> wrote:

> Hello, I'm installing Samba4 AD from repo Ubuntu16.04. These are the
> steps I've applied:
>
>
> 1. editing fstab in EXT3

Why are you using ext3 ?

No, I'm not using EXT3, I'm using EXT4. I should've written 'edit fstab'.
So, I add 'defaults,barrier=1' in fstab.

> 2. install dependencies ( acl attr quota fam libnet-ldap-perl )
> 3. install krb5-user, bind9, ntp, winbind, ldbtools and samba.
> 4. remove smb.conf, if exists
> 5. samba-tool provision

How are you provisioning ?

#samba-tool domain provision --use-rfc2307 --realm=ejemplo.cu --domain=ejemplo --adminpass=free.2016 --server-role=dc --dns-backend=BIND9_DLZ --option="interfaces=lo enp0s3" --option="bind interfaces only=yes"

> 6. Restart services bind9, ntp and samba
> 7. config Bind9 (add 'include' in /etc/bind/named.conf.local )

Please post your bind9 conf files.

This is my /etc/bind/named.conf content:

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";

This is my /etc/bind/named.conf.local content:

    include "/var/lib/samba/private/named.conf";

And this is my /etc/bind/named.conf.options content:

    options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //     0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    };

> 8. set permissions to bind9
> 9. set nameserver in resolv.conf

What are you setting the nameserver to ?

The resolv.conf content is:

    nameserver 10.53.3.11
    domain ejemplo.cu

> 10. edit apparmor profile
> 11. config Kerberos ( ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf )
> 12. set ntp permissions
> 13. config ntp.conf
>
> THEN:::
> add reverse zone
> #samba-tool dns zonecreate 127.0.0.1 3.53.10.in-addr.arpa -UAdministrator%free.2016
>

Try it like this:

samba-tool dns zonecreate 127.0.0.1 3.53.10.in-addr.arpa -UAdministrator

Rowland

Notice that after provisioning and configuring the ntp, krb and bind9 services, when I try to create the DNS reverse zone I get this 'connection refused' error. Then I reboot the server and all works fine. My point is that I need this to work fine without rebooting.

Regards, Felipe-G-S.

The University of Informatics Sciences invites you to participate in the Scientific Conference UCIENCIA 2016, November 24-26.
http://uciencia.eventos.uci.cu/
On Thu, 10 Nov 2016 09:48:22 -0500 (CST)
Felipe_G0NZÁLEZ_SANTIAG0 <fgonzalez at uci.cu> wrote:

> See inline comments:
>
> ----- Original Message -----

>
> No, I'm not using EXT3, I'm using EXT4. I should've written 'edit fstab'.
> So, I add 'defaults,barrier=1' in fstab.

No need to, it is one of the defaults

> And this is my /etc/bind/named.conf.options content:
> options {
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     // forwarders {
>     //     0.0.0.0;
>     // };
>
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys.  See https://www.isc.org/bind-keys
>     //========================================================================
>     dnssec-validation auto;
>
>     auth-nxdomain no;    # conform to RFC1035
>     listen-on-v6 { any; };
> };

And this is mine:

    options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; };
        allow-transfer { none; };
        dnssec-validation auto;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.2; 127.0.0.1; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    };

>
> The resolv.conf content is:
> nameserver 10.53.3.11
> domain ejemplo.cu

Is '10.53.3.11' the ip of the DC ? If not, change it to the ip of the DC.
I would also change 'domain' to 'search'

Rowland
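
The resolv.conf and named.conf.options points from this exchange, written as a runnable check; this is an added example, not part of either post. It assumes the DC's address is 10.53.3.11 (the reply leaves that open), uses sample file contents constructed from the posts, and reports four options that appear only in the second posted named.conf.options.

```shell
#!/bin/sh
# Added example: lint a DC's resolv.conf and named.conf.options against the
# points raised in this thread. Sample file contents below are constructed
# from the posts; DC_IP is an assumption.

# check_resolv FILE DC_IP: print one finding per line, nothing if clean.
check_resolv() {
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first_ns" = "$2" ] ||
        echo "resolv: first nameserver '${first_ns:-none}' is not the DC ($2)"
    if grep -Eq '^[[:space:]]*domain[[:space:]]' "$1"; then
        echo "resolv: 'domain' is set; the reply suggests 'search'"
    fi
}

# check_named_options FILE: report options present in the second posted
# named.conf.options but absent (or only commented out) in FILE.
check_named_options() {
    active=$(sed -e 's://.*$::' -e 's:#.*$::' "$1")   # drop // and # comments
    for opt in tkey-gssapi-keytab allow-query allow-recursion allow-transfer; do
        printf '%s\n' "$active" |
            grep -Eq "(^|[[:space:]{;])${opt}[[:space:]]" ||
            echo "named: '${opt}' is not set"
    done
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
DC_IP=10.53.3.11                      # assumption: the DC's own address

cat > "$tmp/resolv.conf" <<'EOF'
nameserver 10.53.3.11
domain ejemplo.cu
EOF

cat > "$tmp/named.conf.options" <<'EOF'
options {
    directory "/var/cache/bind";
    // forwarders {
    //     0.0.0.0;
    // };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
EOF

check_resolv "$tmp/resolv.conf" "$DC_IP"
check_named_options "$tmp/named.conf.options"
```

Point the two functions at /etc/resolv.conf and /etc/bind/named.conf.options on the DC to run the same checks against the live files.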