Billy Bob
2019-Jan-11  18:43 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 12:04 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> OK, you are now running my scripts as found on the Samba wiki, so it
> should work.
>
> Let's check some things, can you post the contents of the following
> files:
>
> /etc/resolv.conf

search corp.<DOMAIN>.com
# nameserver 172.20.10.131
nameserver 172.20.10.130

> /etc/hostname

dc01

> /etc/hosts

127.0.0.1 localhost
172.20.10.130 dc01.corp.<DOMAIN>.com dc01

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

> /etc/krb5.conf

[libdefaults]
 default_realm = CORP.<DOMAIN>.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true

> smb.conf

Is at /usr/local/samba/etc/smb.conf, and contains:

# Global parameters
[global]
 bind interfaces only = Yes
 interfaces = lo eno1
 netbios name = DC01
 realm = CORP.<DOMAIN>.COM
 server role = active directory domain controller
 server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
 workgroup = CORP
 idmap_ldb:use rfc2307 = yes
 dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/corp.<DOMAIN>.com/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

> your named.conf file(s)

Is at /etc/bind/named.conf, and contains:

# Global Configuration Options
options {
 auth-nxdomain yes;
 directory "/var/cache/bind";
 notify no;
 empty-zones-enable no;

 # Enable dynamic DNS updates using Kerberos
 tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

 # IP addresses and network ranges allowed to query the DNS server:
 allow-query { 127.0.0.1; 172.20.10.128/25; };

 # IP addresses and network ranges allowed to run recursive queries:
 # (Zones not served by this DNS server)
 allow-recursion { 127.0.0.1; 172.20.10.128/25; };

 # Forward queries that can not be answered from own zones
 # to these DNS servers:
 forwarders { 172.20.10.129; };

 # Disable zone transfers
 allow-transfer { none; };
};

# Configure dynamically loadable zones (DLZ) from AD schema
dlz "AD DNS Zone" {
 database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
 type hint;
 file "named.root";
};

# localhost zone
zone "localhost" {
 type master;
 file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
 type master;
 file "master/0.0.127.zone";
};

> What OS is this on ?

Ubuntu 18.04.1, fully updated

On startup, no systemctl status errors for system, samba-ad-dc, bind9, ntp or isc-dhcp-server

> What version of Bind9 ?

$ sudo named -V
BIND 9.11.3-1ubuntu1.3-Ubuntu ... built by make with ... '--sysconfdir=/etc' ... '--sysconfdir=/etc/bind' ... '--with-gssapi=/usr' ...

> Is a firewall running ?

Not on the server

> Is Selinux or Apparmor running ?

AppArmor is running, with dhcpd, named and ntpd in Complain mode; in any case, no violations are being logged as DENIED
Rowland Penny
2019-Jan-11  19:39 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Fri, 11 Jan 2019 18:43:39 +0000 (UTC)
Billy Bob <billysbobs at yahoo.com> wrote:

> On Friday, January 11, 2019 12:04 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > OK, you are now running my scripts as found on the Samba wiki, so it
> > should work.
> >

There doesn't seem to be anything really wrong there, the only real
difference between your named.conf and mine is that I have:

 dnssec-validation no;
 dnssec-enable no;
 dnssec-lookaside no;
 listen-on-v6 { none; };
 listen-on port 53 { 192.168.0.6; 127.0.0.1; };

as well.

Rowland
Billy Bob
2019-Jan-11  20:12 UTC
[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
On Friday, January 11, 2019 1:39 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> There doesn't seem to be anything really wrong there, the only real
> difference between your named.conf and mine is that I have:
>
> dnssec-validation no;
> dnssec-enable no;
> dnssec-lookaside no;
> listen-on-v6 { none; };
> listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
> as well.
>
> Rowland

Thank you. I am going back to bare metal, and we'll see where it ends up. I will leave the script intact as presented in the Wiki. Are you going to change it today per the comment on the other thread at https://lists.samba.org/archive/samba/2019-January/220369.html ?
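The thread boils down to comparing a named.conf against a known-good one by eye. The following is an added example, not code from the thread, from Samba or from BIND: a small Python checker that parses the top-level options block of a named.conf, confirms the settings the DLZ setup depends on (tkey-gssapi-keytab for GSS-TSIG updates, allow-transfer none), reports which of the extra directives from Rowland's reply are absent, and checks that the Samba DLZ module name matches the BIND version from named -V. The sample configuration text is a trimmed copy of the one posted above; the list of extra directives is taken from Rowland's reply; the module-name rule (BIND 9.11 pairs with dlz_bind9_11.so) is generalised from the pairing seen in the thread and is an assumption for other 9.x releases. The function names are mine.

```python
"""Sanity checks for a Samba AD DC + BIND9 DLZ named.conf (added example)."""
import re

# Directives Rowland's named.conf has and the poster's lacks (from the thread).
EXTRA_SETTINGS = ("dnssec-validation", "dnssec-enable", "dnssec-lookaside",
                  "listen-on-v6", "listen-on")

# Trimmed copy of the named.conf posted in the thread (constructed sample input).
SAMPLE_NAMED_CONF = """\
options {
 auth-nxdomain yes;
 directory "/var/cache/bind";
 notify no;
 empty-zones-enable no;
 # Enable dynamic DNS updates using Kerberos
 tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
 allow-query { 127.0.0.1; 172.20.10.128/25; };
 allow-recursion { 127.0.0.1; 172.20.10.128/25; };
 forwarders { 172.20.10.129; };
 allow-transfer { none; };
};
dlz "AD DNS Zone" {
 database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};
zone "." { type hint; file "named.root"; };
"""
# First line of `named -V` as posted in the thread.
SAMPLE_NAMED_V = "BIND 9.11.3-1ubuntu1.3-Ubuntu"


def strip_comments(text):
    """Remove BIND-style '/* */', '#' and '//' comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)(#|//).*$", "", text)


def options_block(text):
    """Return the body of the top-level 'options { ... };' block, honouring nesting."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unterminated options block")


def statements(block):
    """Split a block body into statements keyed by their first word.
    A statement ends at a ';' that is not inside nested braces."""
    stmts, depth, cur = {}, 0, []
    for ch in block:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            s = "".join(cur).strip()
            if s:
                stmts[s.split(None, 1)[0]] = s
            cur = []
        else:
            cur.append(ch)
    return stmts


def dlz_module_version(text):
    """Return the numeric suffix of the configured dlz_bind9_<N>.so module, or None."""
    m = re.search(r"dlz_bind9_(\d+)\.so", text)
    return m.group(1) if m else None


def bind_minor_version(named_v_output):
    """Return N from 'BIND 9.N...' in `named -V` output, or None."""
    m = re.search(r"BIND\s+9\.(\d+)", named_v_output)
    return int(m.group(1)) if m else None


def check_named_conf(conf_text, named_v_output):
    """Return a list of findings; an empty list means nothing to report."""
    text = strip_comments(conf_text)
    opts = statements(options_block(text))
    findings = []
    if "tkey-gssapi-keytab" not in opts:
        findings.append("no tkey-gssapi-keytab: Kerberos (GSS-TSIG) dynamic updates cannot be authenticated")
    if "none" not in opts.get("allow-transfer", ""):
        findings.append("allow-transfer is not 'none': zone data could be pulled by AXFR")
    for key in EXTRA_SETTINGS:
        if key not in opts:
            findings.append(f"missing {key} (present in Rowland's named.conf)")
    mod, minor = dlz_module_version(text), bind_minor_version(named_v_output)
    if mod is None:
        findings.append("no Samba dlz_bind9_*.so module configured")
    elif minor is not None and mod != str(minor):
        findings.append(f"dlz_bind9_{mod}.so does not match BIND 9.{minor}")
    return findings


if __name__ == "__main__":
    for line in check_named_conf(SAMPLE_NAMED_CONF, SAMPLE_NAMED_V) or ["OK"]:
        print(line)
```

Run against the posted configuration, the checker reports only the five directives Rowland listed as missing; the keytab, the transfer restriction and the module/version pairing all pass. Feeding it the real /etc/bind/named.conf and the real named -V output gives the same comparison without eyeballing two files.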