Ian Coetzee
2017-Oct-24 12:52 UTC
[Samba] Samba 4.6.8 (Non packaged version) dns update issue
On 24 October 2017 at 14:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 24 Oct 2017 13:51:27 +0200
> Ian Coetzee <samba at iancoetzee.za.net> wrote:
>
>> Hi Rowland,
>>
>> Sure, I have pastebinned the configs (and done some public IP masking)
>> DC1 - bind config
>> https://www.jacklin.co.za/privatebin/?be125b7e578c53d4#q9nGwU3f9Tz7wtHLTf3UIcFhz/GIJjryq6/cN2rip1k
>> DC2 - bind config
>> https://www.jacklin.co.za/privatebin/?c1c921a4289a4e91#URHcPgK0B1fgeoTCeWXL6QDKdUxR6YpHZ1dcwXR44Iw
>>
>> DC1 - Samba Config
>> https://www.jacklin.co.za/privatebin/?ed9cb025a144be44#NA4HNPN/ms8wZfxWI9FaPN4TZpGA7DhB/d/VCXakR4E
>> DC2 - Samba Config
>> https://www.jacklin.co.za/privatebin/?ab6a4260f9c0dc5e#ogp+o+xRmd4tMJYNaHZFEZPcvqqzyDPIJARe2W6FnDI
>>
>
> There isn't much wrong there, except:
>
> What is in '/etc/named/zones/internal.zones' ?
>
> do you really need 'response-policy { zone "zone-overrides"; };' ?
>
> I would try removing 'allow-update { none; };'
>
> This is from my named conf files:
>
> options {
>     directory "/var/cache/bind";
>     version "0.0.7";
>     notify no;
>     empty-zones-enable no;
>     allow-query { 127.0.0.1; 192.168.0.0/24; };
>     allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>     forwarders { 8.8.8.8; };
>     allow-transfer { none; };
>     dnssec-validation no;
>     dnssec-enable no;
>
>     listen-on-v6 { none; };
>     listen-on port 53 { 192.168.0.2; 127.0.0.1; };
>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> };
>
> Rowland

Hi Rowland,

I just noticed while I was removing the "allow-update {none; };" directive, that the directive is only present on dc1. Yet as luck would have it, the server in my example was trying to push the update to dc2.

Contents of /etc/named/zones/internal.zones
https://www.jacklin.co.za/privatebin/?39cb9c2d39a5a6cb#BRBE/5LatQ4mcXd/qXa0QBWODbMA9rLjizTJM1slqiA

Kind regards
Rowland Penny
2017-Oct-24 13:11 UTC
[Samba] Samba 4.6.8 (Non packaged version) dns update issue
On Tue, 24 Oct 2017 14:52:37 +0200
Ian Coetzee via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
> I just noticed while I was removing the "allow-update {none; };"
> directive, that the directive is only present on dc1. Yet as luck
> would have it, the server in my example was trying to push the update
> to dc2.
>
> Contents of /etc/named/zones/internal.zones
> https://www.jacklin.co.za/privatebin/?39cb9c2d39a5a6cb#BRBE/5LatQ4mcXd/qXa0QBWODbMA9rLjizTJM1slqiA
>
> Kind regards
>

Are any of the zones there the AD domain zones ?
I personally would stop using the 'internal.zones' file

These are the rest of my named conf files;

cat /etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

cat /etc/bind/named.conf.local

// adding the Samba dlopen ( Bind DLZ ) module
include "/usr/local/samba/private/named.conf";

cat /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

Rowland
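Rowland's two messages above describe the named.conf layout he runs on a Samba DC: no global allow-update { none; }, a tkey-gssapi-keytab that points at Samba's dns.keytab, and Samba's generated named.conf pulled in with an include so that BIND loads the DLZ module. The checker below is an added example, not code from this thread or from the Samba project; it scans a concatenated copy of the BIND configuration (named.conf plus everything it includes) for exactly those three points and for the response-policy statement Rowland questioned. Both sample configurations it carries are constructed, and the expected include path suffix assumes a Samba built into /usr/local/samba as in the thread.

```python
"""Flag named.conf settings that get in the way of Samba AD (BIND9_DLZ)
secure dynamic updates.  Added example; feed it the concatenated text of
named.conf and every file it includes, since the statements it looks for
can live in any of them."""
import re

# Constructed sample resembling the configuration discussed in the thread.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    allow-update { none; };            // refuses dynamic updates globally
    response-policy { zone "zone-overrides"; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";   // Samba BIND9_DLZ module
"""

# The same configuration after following the advice given in the thread.
FIXED_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
"""


def _strip_comments(text):
    """Remove /* */, // and # comments.  A '#' or '//' inside a quoted
    string is not special-cased, which is good enough for named.conf."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block_body(text, name):
    """Text between the braces of the top-level `name { ... }` statement,
    honouring nested braces; None if the statement is absent or unbalanced."""
    m = re.search(r"(?m)^\s*%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return None


def check_named_conf(text, dlz_include_suffix="private/named.conf"):
    """Return a list of 'LEVEL: message' findings; an empty list means none
    of the statements discussed in the thread is present or missing."""
    findings = []
    clean = _strip_comments(text)
    options = _block_body(clean, "options")
    if options is None:
        return ["ERROR: no options { } block found"]

    m = re.search(r"allow-update\s*\{([^}]*)\}", options)
    if m:
        findings.append("WARN: options has 'allow-update { %s }'; remove it, "
                        "a global ACL must not block GSS-TSIG updates to the "
                        "Samba DLZ zones" % m.group(1).strip())

    if re.search(r"response-policy\s*\{", options):
        findings.append("INFO: response-policy is configured; confirm it is "
                        "really needed on a DC")

    m = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"', options)
    if not m:
        findings.append("ERROR: tkey-gssapi-keytab is missing; secure dynamic "
                        "updates from domain members will fail")
    elif not m.group(1).endswith("dns.keytab"):
        findings.append("WARN: tkey-gssapi-keytab points at %s, expected "
                        "Samba's dns.keytab" % m.group(1))

    includes = re.findall(r'include\s+"([^"]+)"', clean)
    if not any(p.endswith(dlz_include_suffix) for p in includes):
        findings.append("ERROR: Samba's DLZ config (.../%s) is not included, "
                        "so named will not serve the AD zones at all"
                        % dlz_include_suffix)
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_NAMED_CONF), ("fixed", FIXED_NAMED_CONF)):
        print(label, check_named_conf(conf) or ["OK"])
```

Run it against `cat named.conf named.conf.options named.conf.local` on each DC; it only flags the statements this thread discussed, so named-checkconf remains the authority on whether the file parses at all.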
Ian Coetzee
2017-Oct-24 13:28 UTC
[Samba] Samba 4.6.8 (Non packaged version) dns update issue
On 24 October 2017 at 15:11, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 24 Oct 2017 14:52:37 +0200
> Ian Coetzee via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> I just noticed while I was removing the "allow-update {none; };"
>> directive, that the directive is only present on dc1. Yet as luck
>> would have it, the server in my example was trying to push the update
>> to dc2.
>>
>> Contents of /etc/named/zones/internal.zones
>> https://www.jacklin.co.za/privatebin/?39cb9c2d39a5a6cb#BRBE/5LatQ4mcXd/qXa0QBWODbMA9rLjizTJM1slqiA
>>
>> Kind regards
>>
>
> Are any of the zones there the AD domain zones ?
> I personally would stop using the 'internal.zones' file
>
> These are the rest of my named conf files;
>
> cat /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> cat /etc/bind/named.conf.local
>
> // adding the Samba dlopen ( Bind DLZ ) module
> include "/usr/local/samba/private/named.conf";
>
> cat /etc/bind/named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> Rowland

Hi Rowland,

None of these zones is part of the domain, not even (sub|parent)domains (thank the stars). Although there are references in the zones to AD entries.

I am trying to push the move towards full domain integrated zones. Unfortunately some of these old zone files are quite huge...

Thinking I might need to create a script that creates the integrated entries for me, that is unless someone else on here already created something like that, that I could use.

Kind regards
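For the script Ian is considering, the following is an added example, not code from this thread or from the Samba project: it parses a classic BIND zone file and prints the samba-tool dns commands that recreate the zone and its records as an AD-integrated zone. The zone file it carries is constructed, the DC name dc1 is a placeholder, and the rdata orderings it emits for MX ("fqdn priority") and SRV ("fqdn port priority weight") are the ones samba-tool dns add accepts as far as I know; verify one record by hand before running the full output. SOA and apex NS records are skipped deliberately, because the AD-integrated zone gets its own SOA and NS records for the DCs.

```python
"""Emit samba-tool dns commands for the records of a BIND zone file.
Added example.  Assumes $ORIGIN is set in the file or passed in;
$INCLUDE/$GENERATE and record types outside SUPPORTED are reported,
not silently dropped."""
import re
import shlex

# Constructed sample zone in the style of an old hand-maintained file.
SAMPLE_ZONE = """\
$ORIGIN internal.example.com.
$TTL 3600
@           IN  SOA   dc1.internal.example.com. hostmaster.internal.example.com. (
                      2017102401 3600 900 604800 86400 )
            IN  NS    dc1.internal.example.com.
            IN  NS    dc2.internal.example.com.
            IN  MX    10 mail
mail        IN  A     10.0.0.25
www     300 IN  CNAME web1
web1        IN  A     10.0.0.30      ; web front end
web1        IN  AAAA  2001:db8::30
_ldap._tcp  IN  SRV   0 100 389 dc1
info        IN  TXT   "v=spf1 mx -all"
"""

CLASSES = {"IN", "CH", "HS"}
SUPPORTED = {"A", "AAAA", "CNAME", "NS", "PTR", "MX", "SRV", "TXT"}
NAME_FIELD = {"CNAME": 0, "NS": 0, "PTR": 0, "MX": 1, "SRV": 3}  # rdata field needing $ORIGIN
TTL_RE = re.compile(r"\d+[smhdw]?$", re.I)


def _strip_comment(line):
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Yield records with parenthesised continuation lines joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.strip() if buf else line)   # first line keeps its indent (owner marker)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)


def parse_zone(text, origin=None):
    """Return (origin, [(owner_fqdn, type, rdata_tokens)], [problems])."""
    records, problems, owner = [], [], None
    for line in _logical_lines(text):
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            if not line.startswith("$TTL"):
                problems.append("unsupported directive: " + line.strip())
            continue
        if origin is None:
            raise ValueError("no $ORIGIN before the first record")
        tokens = shlex.split(line)
        if line[0] not in " \t":              # new owner; indented lines reuse the last one
            owner = _fqdn(tokens.pop(0), origin)
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES):
            tokens.pop(0)                     # TTL/class cannot be passed to samba-tool dns add
        if not tokens:
            problems.append("record without type: " + line.strip())
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_FIELD:
            rdata[NAME_FIELD[rtype]] = _fqdn(rdata[NAME_FIELD[rtype]], origin)
        records.append((owner, rtype, rdata))
    return origin, records, problems


def _samba_tool_data(rtype, rdata):
    """Re-order rdata into the string samba-tool dns add expects (assumed layouts)."""
    if rtype == "MX":
        pref, exchange = rdata
        return "%s %s" % (exchange.rstrip("."), pref)
    if rtype == "SRV":
        prio, weight, port, target = rdata
        return "%s %s %s %s" % (target.rstrip("."), port, prio, weight)
    if rtype in ("CNAME", "NS", "PTR"):
        return rdata[0].rstrip(".")
    return " ".join(rdata)                    # A, AAAA, TXT


def samba_tool_commands(zone_text, server, origin=None):
    """Return (commands, skipped); SOA and apex NS are left to the AD zone."""
    origin, records, skipped = parse_zone(zone_text, origin)
    zone = origin.rstrip(".")
    cmds = ["samba-tool dns zonecreate %s %s" % (server, zone)]
    for owner, rtype, rdata in records:
        if owner == origin:
            name = "@"
        elif owner.endswith("." + origin):
            name = owner[:-len(origin) - 1]
        else:
            skipped.append("out-of-zone owner %s" % owner)
            continue
        if rtype == "SOA" or (rtype == "NS" and name == "@"):
            continue
        if rtype not in SUPPORTED:
            skipped.append("%s %s (type not handled)" % (name, rtype))
            continue
        cmds.append("samba-tool dns add %s %s %s %s %s" % (
            server, zone, name, rtype, shlex.quote(_samba_tool_data(rtype, rdata))))
    return cmds, skipped


if __name__ == "__main__":
    commands, problems = samba_tool_commands(SAMPLE_ZONE, "dc1")
    print("\n".join(commands))
    for p in problems:
        print("# skipped:", p)
```

Review the output, then run it on a DC with suitable credentials (samba-tool accepts -U, or a Kerberos ticket). Two things do not survive the conversion: samba-tool dns add takes no TTL, so per-record TTLs such as the 300 on www fall back to the zone default, and anything the script reports as skipped has to be added by hand.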