On 1/2/2018 3:37 PM, Rowland Penny wrote:
> On Tue, 2 Jan 2018 15:23:18 -0500
> lingpanda101 <lingpanda101 at gmail.com> wrote:
>
>> Actually it looks as if Bind isn't running. Though I could've sworn
>> it did at one point.
>>
>> service bind9 restart
>> * Stopping domain name service... bind9
>> rndc: connect failed: 127.0.0.1#953: connection refused
>> [ OK ]
>> * Starting domain name service... bind9 [fail]
>>
>> Log shows;
>>
>> Jan 2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
>> Jan 2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet Systems Consortium,
>> Jan 2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
>> Jan 2 15:20:51 ddc2 named[2793]: corporation. Support and training for BIND 9 are
>> Jan 2 15:20:51 ddc2 named[2793]: available at https://www.isc.org/support
>> Jan 2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
>> Jan 2 15:20:51 ddc2 named[2793]: adjusted limit on open files from 4096 to 1048576
>> Jan 2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
>> Jan 2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
>> Jan 2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
>> Jan 2 15:20:51 ddc2 named[2793]: loading configuration from '/etc/bind/named.conf'
>> Jan 2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options' redefined near 'options'
>> Jan 2 15:20:51 ddc2 named[2793]: loading configuration: already exists
>> Jan 2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)
>>
>> It seems to stem from the issue I had before
>> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
>>
> I reread your earlier post and noticed something I missed earlier, do
> you normally use red-hat ?
> I ask this because you have this line in /etc/bind/named.conf:
>
> include "/etc/bind/named.conf.options";
>
> Followed by:
> # Global Configuration Options
> options {
> .........
> ......
>
> If this is all in the one file (ala red-hat), then this is your
> problem, debian splits up Bind9 into separate conf files and you will
> have two 'options'
>
> Rowland

I do not. Ubuntu but I do have two CentOS systems.

The config file was auto-generated when I installed via apt-get.
This is what it originally contained before I made any modifications.

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

If I comment out these include files, Bind9 starts. However I do still get

rndc: connect failed: 127.0.0.1#953: connection refused

However I'm still getting the TSIG errors.

--
-- James
On Tue, 2 Jan 2018 15:52:57 -0500
lingpanda101 <lingpanda101 at gmail.com> wrote:

> If I comment out these include files, Bind9 starts. However I do
> still get
>
> rndc: connect failed: 127.0.0.1#953: connection refused
>
> However I'm still getting the TSIG errors.
These are my named.conf files (with any comments stripped out), they
have worked for me for the last 5 years ;-)

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.7; 127.0.0.1; };

        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

include "/usr/local/samba/private/named.conf";

/etc/bind/named.conf.default-zones

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

Rowland
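An added check, not from the thread or from BIND or Samba: a small Python audit that walks named.conf includes the way named does and reports every top-level options block with its file and line (the condition behind the "'options' redefined near 'options'" failure above), and also flags allow-transfer { any; } and a missing tkey-gssapi-keytab. The files are constructed in memory to mirror the split layout shown here; on a real host you would read /etc/bind instead.

```python
import re

# Constructed in-memory stand-in for /etc/bind (nothing is read from disk).
# GOOD mirrors the split Debian/Ubuntu layout from the thread; BAD pastes a
# second, Red Hat style 'options' block into named.conf, which named rejects.
GOOD = {
    "/etc/bind/named.conf": '\ninclude "/etc/bind/named.conf.options";\n'
                            'include "/etc/bind/named.conf.local";\n',
    "/etc/bind/named.conf.options": '\noptions {\n'
        '    directory "/var/cache/bind";\n'
        '    allow-transfer { none; };\n'
        '    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n};\n',
    "/etc/bind/named.conf.local":
        'include "/usr/local/samba/private/named.conf"; // Samba DLZ\n',
    "/usr/local/samba/private/named.conf":
        'zone "example.local" { type master; file "x"; };\n',
}
BAD = dict(GOOD)
BAD["/etc/bind/named.conf"] = GOOD["/etc/bind/named.conf"] + (
    '\n# Global Configuration Options\noptions {\n'
    '    directory "/var/cache/bind";\n    allow-transfer { any; };\n};\n')

def strip_comments(text):
    """Drop /* */, // and # comments while keeping line numbers intact."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def top_level_statements(files, path, seen=None):
    """Yield (keyword, quoted-arg, file, line) for each brace-depth-0
    statement, following include directives the way named does."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:  # include loop or missing file
        return
    seen.add(path)
    depth = 0
    for lineno, line in enumerate(strip_comments(files[path]).splitlines(), 1):
        m = re.match(r'\s*([\w-]+)\s*(?:"([^"]*)")?', line) if depth == 0 else None
        if m:
            yield m.group(1), m.group(2), path, lineno
            if m.group(1) == "include" and m.group(2):
                yield from top_level_statements(files, m.group(2), seen)
        depth += line.count("{") - line.count("}")

def audit(files, root="/etc/bind/named.conf"):
    """Return findings as strings; an empty list means the layout is clean."""
    findings = []
    opts = [(f, n) for kw, _, f, n in top_level_statements(files, root) if kw == "options"]
    if len(opts) > 1:
        findings.append("'options' defined %d times, named will exit: %s"
                        % (len(opts), ", ".join("%s:%d" % x for x in opts)))
    text = "\n".join(strip_comments(t) for t in files.values())
    if re.search(r"allow-transfer\s*\{\s*any\s*;", text):
        findings.append("allow-transfer { any; } lets anyone pull whole zones; use { none; } or an ACL")
    if "tkey-gssapi-keytab" not in text:
        findings.append("no tkey-gssapi-keytab: Samba's GSS-TSIG updates need it")
    return findings
```

named-checkconf, shipped with BIND, gives the same pass/fail verdict on syntax; this script adds the per-file location of each options block and the two policy checks.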
On 1/2/2018 4:05 PM, Rowland Penny wrote:
> These are my named.conf files (with any comments stripped out), they
> have worked for me for the last 5 years ;-)

Splitting up the config files per your template works for me. Bind
starts without any errors. Now it's just the TSIG issue now as far as I
can tell. Thank you.

--
-- James
As I proceed to set up Bind on my other DCs, how often should the root
server list be updated? The wiki merely states it's optional via cron.
I'm initially using once a day. Thanks.

--
-- James
On 1/2/2018 4:05 PM, Rowland Penny wrote:
> These are my named.conf files (with any comments stripped out), they
> have worked for me for the last 5 years ;-)

It looks as if I have an issue with the switch to Bind on one of my 6
DCs. Samba log gives the following.
[2018/01/08 10:59:19.002290, 0, pid=968, effective(0, 0), real(0, 0)] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 7 in pid 968 (4.7.4)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2018/01/08 10:59:19.002521, 0, pid=968, effective(0, 0), real(0, 0)] ../lib/util/fault.c:81(fault_report)
  ==============================================================
[2018/01/08 10:59:19.002712, 0, pid=968, effective(0, 0), real(0, 0)] ../lib/util/fault.c:151(smb_panic_default)
  PANIC: internal error
[2018/01/08 10:59:19.873041, 0, pid=948, effective(0, 0), real(0, 0)] ../source4/smbd/process_standard.c:161(standard_child_pipe_handler)
  Child 968 (drepl) terminated with signal 6
[2018/01/08 11:00:39.091609, 0, pid=960, effective(0, 0), real(0, 0)] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_OBJECT_NAME_NOT_FOUND

I get repeated errors over and over for the following.

IRPC callback failed for DsReplicaSync - NT_STATUS_OBJECT_NAME_NOT_FOUND

I tried switching back to the internal but it didn't resolve. Running
'samba-tool drs showrepl' shows an issue with the DomainDnsZones
partition. I tried manual replication but that too failed.

/usr/local/samba/bin/samba-tool drs replicate ddc2 ddc1 DC=DomainDnsZones,DC=domain,DC=local -U Administrator
Password for [DOMAIN\Administrator]:
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073610699, 'The operation cannot be performed.')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 386, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Raising the log level to 3 didn't give me anything other than this.

[2018/01/08 12:40:05.883956, 3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DDC2<00> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:05.886205, 3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DDC2<03> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:05.886324, 3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DDC2<20> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:05.915493, 3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DOMAIN<1c> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:05.915654, 3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DOMAIN<00> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:06.183365, 3, pid=2282, effective(0, 0), real(0, 0)] ../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
  samba_runcmd_io_handler: Child /usr/local/samba/sbin/samba_dnsupdate exited 0

Why would the DC register itself on the broadcast address? Any harm in
simply demoting and rejoining the DC? Do I need to clean up all the
metadata before rejoining? Thanks.

--
-- James