On Sun, 2 Apr 2017 19:02:35 +0200 Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:

> Hello Marc
>
> I changed the loglevel to 10
>
> database
> "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so -d 10";
>
> and I get the following errors:
>
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_asprintf/set_errstring: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_response: DONE
> 02-Apr-2017 18:47:44.389 samba_dlz: error: 32
> 02-Apr-2017 18:47:44.389 samba_dlz: msg: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz:
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_request: SEARCH
> 02-Apr-2017 18:47:44.389 samba_dlz: dn: DC=client008.my.domain.de,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz: scope: base
> 02-Apr-2017 18:47:44.389 samba_dlz: expr: (objectClass=dnsZone)
> 02-Apr-2017 18:47:44.389 samba_dlz: control: <NONE>
>
> and
>
> 02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC mechanism spnego
> 02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC submechanism gssapi_krb5
> 02-Apr-2017 18:47:41.373 samba_dlz: spnego update failed
> 02-Apr-2017 18:47:41.374 client 192.168.99.6#58125/key CLIENT\$\@my.domain.de: updating zone 'my.domain.de/NONE': update failed: rejected by secure update (REFUSED)
> 02-Apr-2017 18:47:41.374 samba_dlz: ldb: cancel ldb transaction (nesting: 0)

Try adding 'allow dns updates = nonsecure' to smb.conf

Rowland
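An added example, not part of the original thread: a small triage script for named logs like the excerpt above. It lists each dynamic update refused by the secure-update policy, notes whether samba_dlz logged a SPNEGO failure just before it, and counts the "No such Base DN" lookups. The names `triage` and `SAMPLE_LOG`, the one-second correlation window and the one-record-per-line input are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: records taken from the log excerpt in the post above,
# rejoined to one record per line.
SAMPLE_LOG = r"""
02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC mechanism spnego
02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC submechanism gssapi_krb5
02-Apr-2017 18:47:41.373 samba_dlz: spnego update failed
02-Apr-2017 18:47:41.374 client 192.168.99.6#58125/key CLIENT\$\@my.domain.de: updating zone 'my.domain.de/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 18:47:41.374 samba_dlz: ldb: cancel ldb transaction (nesting: 0)
02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_asprintf/set_errstring: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
02-Apr-2017 18:47:44.389 samba_dlz: error: 32
"""

TS = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
SPNEGO_FAIL = re.compile(TS + r"samba_dlz: spnego update failed")
NO_BASE_DN = re.compile(TS + r"samba_dlz: ldb: ldb_asprintf/set_errstring: "
                             r"No such Base DN: (?P<dn>\S+)")
REFUSED = re.compile(TS + r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+/key (?P<key>\S+): "
                          r"updating zone '(?P<zone>[^']+)': update failed: "
                          r"rejected by secure update \(REFUSED\)")

def parse_ts(text):
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")

def triage(lines, window=timedelta(seconds=1)):
    """Return (refused updates, count of 'No such Base DN' lookups per DN)."""
    last_gss_fail, refused, missing = None, [], {}
    for line in lines:
        if m := SPNEGO_FAIL.match(line):
            last_gss_fail = parse_ts(m["ts"])
        elif m := NO_BASE_DN.match(line):
            missing[m["dn"]] = missing.get(m["dn"], 0) + 1
        elif m := REFUSED.match(line):
            ts = parse_ts(m["ts"])
            refused.append({
                "time": ts,
                "client": m["ip"],
                # The posted log shows '$' and '@' backslash-escaped; undo that.
                "principal": m["key"].replace("\\", ""),
                "zone": m["zone"],
                # True when samba_dlz logged a SPNEGO failure just before.
                "gss_failed": last_gss_fail is not None
                              and timedelta(0) <= ts - last_gss_fail <= window,
            })
    return refused, missing

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG.splitlines())[0]:
        print(entry)
```
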
Hello Rowland

Is this parameter not for the internal DNS?

Ok. I changed the parameter. The same problem.

The test with the internal DNS. It looks good.

service sernet-samba-ad stop
service bind9 stop

change
server services = -dns
to
# server services = -dns

samba_upgradedns --dns-backend=SAMBA_INTERNAL

service sernet-samba-ad start

netstat -tulpen | grep 53 (dns is running)

I think I found the error.

bind9 on Debian 8.7 was by default not compiled with "--with-dlopen=yes", only with '--with-gssapi=/usr'

named -V
--------
BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
compiled by GCC 4.9.2
using OpenSSL version: OpenSSL 1.0.1t 3 May 2016
using libxml2 version: 2.9.1

Regards,
Karl Heinz

On 02.04.2017 at 19:21, Rowland Penny wrote:

> On Sun, 2 Apr 2017 19:02:35 +0200
> Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:
>
>> Hello Marc
>>
>> I changed the loglevel to 10
>>
>> database
>> "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so -d 10";
>>
>> and I get the following errors:
>>
>> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_asprintf/set_errstring: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
>> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_response: DONE
>> 02-Apr-2017 18:47:44.389 samba_dlz: error: 32
>> 02-Apr-2017 18:47:44.389 samba_dlz: msg: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
>> 02-Apr-2017 18:47:44.389 samba_dlz:
>> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_request: SEARCH
>> 02-Apr-2017 18:47:44.389 samba_dlz: dn: DC=client008.my.domain.de,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=de
>> 02-Apr-2017 18:47:44.389 samba_dlz: scope: base
>> 02-Apr-2017 18:47:44.389 samba_dlz: expr: (objectClass=dnsZone)
>> 02-Apr-2017 18:47:44.389 samba_dlz: control: <NONE>
>>
>> and
>>
>> 02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC mechanism spnego
>> 02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC submechanism gssapi_krb5
>> 02-Apr-2017 18:47:41.373 samba_dlz: spnego update failed
>> 02-Apr-2017 18:47:41.374 client 192.168.99.6#58125/key CLIENT\$\@my.domain.de: updating zone 'my.domain.de/NONE': update failed: rejected by secure update (REFUSED)
>> 02-Apr-2017 18:47:41.374 samba_dlz: ldb: cancel ldb transaction (nesting: 0)
>
> Try adding 'allow dns updates = nonsecure' to smb.conf
>
> Rowland
On Sun, 2 Apr 2017 19:39:22 +0200 Karl Heinz Wichmann <wichmann-karl at web.de> wrote:

> Hello Rowland
>
> Is this parameter not for the internal DNS?
>
> Ok. I changed the parameter. The same problem.
>
> The test with the internal DNS. It looks good.
>
> service sernet-samba-ad stop
> service bind9 stop
>
> change
> server services = -dns
> to
> # server services = -dns
>
> samba_upgradedns --dns-backend=SAMBA_INTERNAL
>
> service sernet-samba-ad start
>
> netstat -tulpen | grep 53 (dns is running)
>
> I think I found the error.
>
> bind9 on Debian 8.7 was by default not compiled with "--with-dlopen=yes",
> only with '--with-gssapi=/usr'

No it isn't, but only because that option no longer exists ;-)
It is now built in, you cannot build Bind9 without dlopen.

I use Bind9 with Samba, I always have and I do not have and never have had any problems at all (apart from the odd self-inflicted ones).

There is however probably one big difference between my setup and yours, but we will get to that after you answer one more question:

Where do your clients get their IP addresses from?

Rowland
On Sun, 2 Apr 2017 20:37:00 +0200 Karl Heinz Wichmann <wichmann-karl at web.de> wrote:

> Hello Rowland
>
> At the moment we use the internal Samba DNS.
>
> I have started dcpromo and every second we get the following message:
>
> [2017/04/02 20:26:29.712194, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1483(getncchanges_collect_objects)
>   ../source4/rpc_server/drsuapi/getncchanges.c:1483: getncchanges on CN=Configuration,DC=my,DC=domain,DC=de using filter (uSNChanged>=1)
> [2017/04/02 20:26:30.869447, 2] ../source4/rpc_server/drsuapi/getncchanges.c:2641(dcesrv_drsuapi_DsGetNCChanges)
>   DsGetNCChanges with uSNChanged >= 1 flags 0x90200070 on CN=Configuration,DC=my,DC=domain,DC=de gave 716 objects (done 1714/1714) 58 links (done 58/58 (as S-1-5-21-415187870-2947746733-3939352424-500))
> [2017/04/02 20:26:31.068768, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1483(getncchanges_collect_objects)
>   ../source4/rpc_server/drsuapi/getncchanges.c:1483: getncchanges on CN=Configuration,DC=my,DC=domain,DC=de using filter (uSNChanged>=1)
> [2017/04/02 20:26:32.212824, 2] ../source4/rpc_server/drsuapi/getncchanges.c:2641(dcesrv_drsuapi_DsGetNCChanges)
>   DsGetNCChanges with uSNChanged >= 1 flags 0x90200070 on CN=Configuration,DC=my,DC=domain,DC=de gave 716 objects (done 1714/1714) 58 links (done 58/58 (as S-1-5-21-415187870-2947746733-3939352424-500))
> [2017/04/02 20:26:32.429001, 2] ../source4/rpc_server/drsuapi/getncchanges.c:1483(getncchanges_collect_objects)
>   ../source4/rpc_server/drsuapi/getncchanges.c:1483: getncchanges on CN=Configuration,DC=my,DC=domain,DC=de using filter (uSNChanged>=1)
>
> And only 1682 of 1714 entries received. See the picture attached. This
> is running for hours.

Never tried dcpromo and sorry but I don't read German, but 'translate' seems to suggest that it could take hours. I think you will just have to wait it out, unless someone who has run 'dcpromo' can help here.

Rowland