samba - May 2018 - Bind_DLZ krb errors @ startup.

Hi,

I have 2 self compiled samba 4 DCs running 4.7.7 on Centos 7.5. One of them
is operating normally. On the other DC bind will not start. I turned up
debugging on dlz_bind as per 
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module
When I try to start named I get the following in the logs:

May 10 13:19:44 vdc2 named[23773]: starting BIND 9.9.4-RedHat-9.9.4-61.el7 -u
named -c /etc/named.conf
May 10 13:19:44 vdc2 named[23773]: built with
'--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--with-geoip'
'--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl'
'--with-pic' '--disable-static'
'--disable-openssl-version-check' '--enable-exportlib'
'--with-export-libdir=/usr/lib64'
'--with-export-includedir=/usr/include'
'--includedir=/usr/include/bind9' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'
'--with-dlopen=yes' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-bdb=yes'
'--with-gssapi=yes' '--disable-isc-spnego'
'--enable-fixed-rrset' '--with-tuning=large'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
May 10 13:19:44 vdc2 named[23773]:
----------------------------------------------------
May 10 13:19:44 vdc2 named[23773]: BIND 9 is maintained by Internet Systems
Consortium,
May 10 13:19:44 vdc2 named[23773]: Inc. (ISC), a non-profit 501(c)(3)
public-benefit
May 10 13:19:44 vdc2 named[23773]: corporation.  Support and training for BIND 9
are
May 10 13:19:44 vdc2 named[23773]: available at https://www.isc.org/support
May 10 13:19:44 vdc2 named[23773]:
----------------------------------------------------
May 10 13:19:44 vdc2 named[23773]: adjusted limit on open files from 4096 to
1048576
May 10 13:19:44 vdc2 named[23773]: found 2 CPUs, using 2 worker threads
May 10 13:19:44 vdc2 named[23773]: using 2 UDP listeners per interface
May 10 13:19:44 vdc2 named[23773]: using up to 21000 sockets
May 10 13:19:44 vdc2 named[23773]: loading configuration from
'/etc/named.conf'
May 10 13:19:44 vdc2 named[23773]: reading built-in trusted keys from file
'/etc/named.iscdlv.key'
May 10 13:19:44 vdc2 named[23773]: initializing GeoIP Country (IPv4) (type 1) DB
May 10 13:19:44 vdc2 named[23773]: GEO-106FREE 20160607 Build 1 Copyright (c)
2016 MaxMind
May 10 13:19:44 vdc2 named[23773]: initializing GeoIP Country (IPv6) (type 12)
DB
May 10 13:19:44 vdc2 named[23773]: GEO-106FREE 20160607 Build 1 Copy
May 10 13:19:44 vdc2 named[23773]: GeoIP City (IPv4) (type 2) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP City (IPv4) (type 6) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP City (IPv6) (type 30) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP City (IPv6) (type 31) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP Region (type 3) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP Region (type 7) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP ISP (type 4) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP Org (type 5) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP AS (type 9) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP Domain (type 11) DB not available
May 10 13:19:44 vdc2 named[23773]: GeoIP NetSpeed (type 10) DB not available
May 10 13:19:44 vdc2 named[23773]: using default UDP/IPv4 port range: [1024,
65535]
May 10 13:19:44 vdc2 named[23773]: using default UDP/IPv6 port range: [1024,
65535]
May 10 13:19:44 vdc2 named[23773]: listening on IPv4 interface lo, 127.0.0.1#53
May 10 13:19:44 vdc2 named[23773]: listening on IPv4 interface eno16780032,
172.25.0.7#53
May 10 13:19:44 vdc2 named[23773]: generating session key for dynamic DNS
May 10 13:19:44 vdc2 named[23773]: sizing zone task pool based on 5 zones
May 10 13:19:44 vdc2 named[23773]: Loading 'AD DNS Zone' using driver
dlopen
May 10 13:19:44 vdc2 named[23773]: samba_dlz: INFO: Current debug levels:
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   all: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   tdb: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   printdrivers: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   lanman: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   smb: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   rpc_parse: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   rpc_srv: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   rpc_cli: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   passdb: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   sam: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   auth: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   winbind: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   vfs: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   idmap: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   quota: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   acls: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   locking: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   msdfs: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   dmapi: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   registry: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   scavenger: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   dns: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   ldb: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   tevent: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   auth_audit: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   auth_json_audit: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   kerberos: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   drs_repl: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   smb2: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz:   smb2_credits: 10
May 10 13:19:44 vdc2 named[23773]: samba_dlz: krb5_init_context failed (Invalid
argument)
May 10 13:19:44 vdc2 named[23773]: samba_dlz: smb_krb5_context_init_basic failed
(Invalid argument)
May 10 13:19:44 vdc2 named[23773]: dlz_dlopen of 'AD DNS Zone' failed
May 10 13:19:44 vdc2 named[23773]: SDLZ driver failed to load.
May 10 13:19:44 vdc2 named[23773]: DLZ driver failed to load.
May 10 13:19:44 vdc2 named[23773]: loading configuration: out of memory
May 10 13:19:44 vdc2 named[23773]: exiting (due to fatal error)
May 10 13:19:44 vdc2 systemd: named.service: control process exited, code=exited
status=1
May 10 13:19:44 vdc2 systemd: Unit named.service entered failed state.
May 10 13:19:44 vdc2 systemd: named.service failed

The only thing I see of significance is:
May 10 13:19:44 vdc2 named[23773]: samba_dlz: krb5_init_context failed (Invalid
argument)
May 10 13:19:44 vdc2 named[23773]: samba_dlz: smb_krb5_context_init_basic failed
(Invalid argument)

Both DC's use the same smb.conf and named.conf and were working fine
until this AM.

The only thing that has changed is both machines were upgraded from Centos
7.4 to Centos 7.5. and restarted.

Google is not helping with the above errors. Can someone point me towards what
might be causing this?

Regards,

-- 
Tom			me at tdiehl.org

I"m seeing this as well, after I updated my CentOS 7 hosts to the latest
release.
Something seems to have broken!

On 10 May 2018 at 17:54, Tom Diehl via samba <samba at lists.samba.org>
wrote:
> Hi,
>
> I have 2 self compiled samba 4 DCs running 4.7.7 on Centos 7.5. One of them
> is operating normally. On the other DC bind will not start. I turned up
> debugging on dlz_bind as per https://wiki.samba.org/index.p
> hp/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module
> When I try to start named I get the following in the logs:
>
> May 10 13:19:44 vdc2 named[23773]: starting BIND 9.9.4-RedHat-9.9.4-61.el7
> -u named -c /etc/named.conf
> May 10 13:19:44 vdc2 named[23773]: built with
> '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu'
> '--program-prefix=' '--disable-dependency-tracking'
'--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include'
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--with-libtool'
'--localstatedir=/var'
> '--enable-threads' '--with-geoip' '--enable-ipv6'
'--enable-filter-aaaa'
> '--enable-rrl' '--with-pic' '--disable-static'
> '--disable-openssl-version-check' '--enable-exportlib'
> '--with-export-libdir=/usr/lib64'
'--with-export-includedir=/usr/include'
> '--includedir=/usr/include/bind9' '--enable-native-pkcs11'
> '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'
'--with-dlopen=yes'
> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
'--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes'
'--with-gssapi=yes'
> '--disable-isc-spnego' '--enable-fixed-rrset'
'--with-tuning=large'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
> -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS=
-DDIG_SIGCHASE'
> May 10 13:19:44 vdc2 named[23773]: ------------------------------
> ----------------------
> May 10 13:19:44 vdc2 named[23773]: BIND 9 is maintained by Internet
> Systems Consortium,
> May 10 13:19:44 vdc2 named[23773]: Inc. (ISC), a non-profit 501(c)(3)
> public-benefit
> May 10 13:19:44 vdc2 named[23773]: corporation.  Support and training for
> BIND 9 are
> May 10 13:19:44 vdc2 named[23773]: available at
> https://www.isc.org/support
> May 10 13:19:44 vdc2 named[23773]: ------------------------------
> ----------------------
> May 10 13:19:44 vdc2 named[23773]: adjusted limit on open files from 4096
> to 1048576
> May 10 13:19:44 vdc2 named[23773]: found 2 CPUs, using 2 worker threads
> May 10 13:19:44 vdc2 named[23773]: using 2 UDP listeners per interface
> May 10 13:19:44 vdc2 named[23773]: using up to 21000 sockets
> May 10 13:19:44 vdc2 named[23773]: loading configuration from
> '/etc/named.conf'
> May 10 13:19:44 vdc2 named[23773]: reading built-in trusted keys from file
> '/etc/named.iscdlv.key'
> May 10 13:19:44 vdc2 named[23773]: initializing GeoIP Country (IPv4) (type
> 1) DB
> May 10 13:19:44 vdc2 named[23773]: GEO-106FREE 20160607 Build 1 Copyright
> (c) 2016 MaxMind
> May 10 13:19:44 vdc2 named[23773]: initializing GeoIP Country (IPv6) (type
> 12) DB
> May 10 13:19:44 vdc2 named[23773]: GEO-106FREE 20160607 Build 1 Copy
> May 10 13:19:44 vdc2 named[23773]: GeoIP City (IPv4) (type 2) DB not
> available
> May 10 13:19:44 vdc2 named[23773]: GeoIP City (IPv4) (type 6) DB not
> available
> May 10 13:19:44 vdc2 named[23773]: GeoIP City (IPv6) (type 30) DB not
> available
> May 10 13:19:44 vdc2 named[23773]: GeoIP City (IPv6) (type 31) DB not
> available
> May 10 13:19:44 vdc2 named[23773]: GeoIP Region (type 3) DB not available
> May 10 13:19:44 vdc2 named[23773]: GeoIP Region (type 7) DB not available
> May 10 13:19:44 vdc2 named[23773]: GeoIP ISP (type 4) DB not available
> May 10 13:19:44 vdc2 named[23773]: GeoIP Org (type 5) DB not available
> May 10 13:19:44 vdc2 named[23773]: GeoIP AS (type 9) DB not available
> May 10 13:19:44 vdc2 named[23773]: GeoIP Domain (type 11) DB not available
> May 10 13:19:44 vdc2 named[23773]: GeoIP NetSpeed (type 10) DB not
> available
> May 10 13:19:44 vdc2 named[23773]: using default UDP/IPv4 port range:
> [1024, 65535]
> May 10 13:19:44 vdc2 named[23773]: using default UDP/IPv6 port range:
> [1024, 65535]
> May 10 13:19:44 vdc2 named[23773]: listening on IPv4 interface lo,
> 127.0.0.1#53
> May 10 13:19:44 vdc2 named[23773]: listening on IPv4 interface
> eno16780032, 172.25.0.7#53
> May 10 13:19:44 vdc2 named[23773]: generating session key for dynamic DNS
> May 10 13:19:44 vdc2 named[23773]: sizing zone task pool based on 5 zones
> May 10 13:19:44 vdc2 named[23773]: Loading 'AD DNS Zone' using
driver
> dlopen
> May 10 13:19:44 vdc2 named[23773]: samba_dlz: INFO: Current debug levels:
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   all: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   tdb: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   printdrivers: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   lanman: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   smb: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   rpc_parse: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   rpc_srv: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   rpc_cli: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   passdb: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   sam: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   auth: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   winbind: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   vfs: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   idmap: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   quota: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   acls: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   locking: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   msdfs: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   dmapi: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   registry: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   scavenger: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   dns: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   ldb: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   tevent: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   auth_audit: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   auth_json_audit: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   kerberos: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   drs_repl: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   smb2: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz:   smb2_credits: 10
> May 10 13:19:44 vdc2 named[23773]: samba_dlz: krb5_init_context failed
> (Invalid argument)
> May 10 13:19:44 vdc2 named[23773]: samba_dlz: smb_krb5_context_init_basic
> failed (Invalid argument)
> May 10 13:19:44 vdc2 named[23773]: dlz_dlopen of 'AD DNS Zone'
failed
> May 10 13:19:44 vdc2 named[23773]: SDLZ driver failed to load.
> May 10 13:19:44 vdc2 named[23773]: DLZ driver failed to load.
> May 10 13:19:44 vdc2 named[23773]: loading configuration: out of memory
> May 10 13:19:44 vdc2 named[23773]: exiting (due to fatal error)
> May 10 13:19:44 vdc2 systemd: named.service: control process exited,
> code=exited status=1
> May 10 13:19:44 vdc2 systemd: Unit named.service entered failed state.
> May 10 13:19:44 vdc2 systemd: named.service failed
>
> The only thing I see of significance is:
> May 10 13:19:44 vdc2 named[23773]: samba_dlz: krb5_init_context failed
> (Invalid argument)
> May 10 13:19:44 vdc2 named[23773]: samba_dlz: smb_krb5_context_init_basic
> failed (Invalid argument)
>
> Both DC's use the same smb.conf and named.conf and were working fine
> until this AM.
>
> The only thing that has changed is both machines were upgraded from Centos
> 7.4 to Centos 7.5. and restarted.
>
> Google is not helping with the above errors. Can someone point me towards
> what
> might be causing this?
>
> Regards,
>
> --
> Tom                     me at tdiehl.org
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Kv,
Kristján Valur Jónsson, RVX

On Fri, 11 May 2018 14:14:39 +0000
Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:
> I"m seeing this as well, after I updated my CentOS 7 hosts to the
> latest release.
> Something seems to have broken!
> 
Do you have a 'include' line in krb5.conf ?
If you do, remove it.

Rowland