Hello,

We have a fairly large computer park, ~100 computers, and we want to switch to Samba. I installed a new Ubuntu 18.04 LTS, fully updated, and installed Samba. After the AD join the domain part works: I can see users, computers and the server, and the Samba machine is a domain controller. The problem is the DNS. With this many machines I wanted to use the BIND back-end. The existing environment has 5 VLANs with different IP networks, and the Windows DNS has five reverse zones. Every time I join, Samba creates 10 reverse zones, five of them with a CNF name, and gives this error:

    zone 100.168.192.in-addr.arpa\010CNF:afe341a2-4c56-4061-bd9f-60277bfc75b3/NONE: has 0 SOA records
    named[3700]: zone 100.168.192.in-addr.arpa\010CNF:afe341a2-4c56-4061-bd9f-60277bfc75b3/NONE: has no NS records
    named[3700]: samba_dlz: Failed to configure zone '100.168.192.in-addr.arpa CNF:afe341a2-4c56-4061-bd9f-60277bfc75b3'
    named[3700]: loading configuration: bad zone
    named[3700]: exiting (due to fatal error)

If I do a samba-tool dns zoneinfo, only the Samba server has this zone; the rest don't, and I can't delete it with samba-tool dns zonedelete.

Does somebody have a solution for this problem? Do I have to delete the reverse zones from the AD forest?

Thank you

Szabolcs
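The zone name in the log above carries a "\010CNF:<GUID>" suffix. The following script is an added example, not code from the thread or from the Samba project: it decodes such named/samba_dlz log lines into the base zone and the conflict GUID, and builds an LDAP filter that would match the conflicting zone object. It assumes (neither stated in the thread) that BIND prints non-printable bytes in names as \DDD decimal escapes in the RFC 1035 master-file style, so "\010" is a newline, and that AD names a replication-conflict object "<original name>\nCNF:<objectGUID>" with the dnsZone object's name attribute holding that raw string. The sample log lines are constructed from the ones quoted in the post.

```python
"""Decode CNF (replication-conflict) zone names from BIND / samba_dlz logs.

Added example; assumptions (not from the thread) are marked in comments.
"""
import re

# Constructed sample input: the named log lines quoted in the original post.
SAMPLE_LOG_LINES = [
    r"zone 100.168.192.in-addr.arpa\010CNF:afe341a2-4c56-4061-bd9f-60277bfc75b3/NONE: has 0 SOA records",
    r"named[3700]: zone 100.168.192.in-addr.arpa\010CNF:afe341a2-4c56-4061-bd9f-60277bfc75b3/NONE: has no NS records",
    r"named[3700]: samba_dlz: Failed to configure zone '100.168.192.in-addr.arpa CNF:afe341a2-4c56-4061-bd9f-60277bfc75b3'",
    r"named[3700]: loading configuration: bad zone",
    r"named[3700]: exiting (due to fatal error)",
]

# "zone <name>/<class>: <message>" as printed by named's zone loader.
ZONE_RE = re.compile(r"\bzone (?P<name>\S+?)/(?P<class>[A-Z]+): ")
# samba_dlz quotes the raw name; the embedded newline shows up as a space.
DLZ_RE = re.compile(r"samba_dlz: Failed to configure zone '(?P<name>[^']+)'")
# Assumption: AD conflict objects are named "<base>\nCNF:<objectGUID>".
CNF_RE = re.compile(r"^(?P<base>.+?)[\n ]CNF:(?P<guid>[0-9a-fA-F-]{36})$")


def unescape_rfc1035(name: str) -> str:
    """Turn BIND's \\DDD (decimal) and \\c escapes back into raw characters.

    Assumption: BIND uses RFC 1035 master-file escaping, so \\010 is 0x0A.
    """
    def repl(m: "re.Match") -> str:
        digits, ch = m.group(1), m.group(2)
        return chr(int(digits)) if digits is not None else ch
    return re.sub(r"\\(?:(\d{3})|(.))", repl, name)


def parse_conflict(name: str):
    """Split a raw 'base\\nCNF:guid' name into (base, guid); None otherwise."""
    m = CNF_RE.match(name)
    return (m.group("base"), m.group("guid").lower()) if m else None


def find_conflict_zones(lines):
    """Return {base_zone: {guid, ...}} for every CNF zone named in the lines."""
    found = {}
    for line in lines:
        m = ZONE_RE.search(line) or DLZ_RE.search(line)
        if not m:
            continue
        hit = parse_conflict(unescape_rfc1035(m.group("name")))
        if hit:
            base, guid = hit
            found.setdefault(base, set()).add(guid)
    return found


def ldap_filter_for(base: str, guid: str) -> str:
    """RFC 4515 search filter for the conflict zone object (hypothetical use).

    Assumption: the dnsZone object's 'name' attribute is the raw conflict
    name, so the newline must be escaped as \\0a inside the filter.
    """
    def esc(s: str) -> str:
        return "".join("\\%02x" % ord(c) if c in "*()\\\x00\n" else c for c in s)
    return "(&(objectClass=dnsZone)(name=%s))" % esc(base + "\nCNF:" + guid)


if __name__ == "__main__":
    for base, guids in sorted(find_conflict_zones(SAMPLE_LOG_LINES).items()):
        for guid in sorted(guids):
            print("conflict zone: %s  objectGUID: %s" % (base, guid))
            print("  filter: " + ldap_filter_for(base, guid))
```

Running it against the constructed lines reports one base zone, 100.168.192.in-addr.arpa, with a single conflict GUID; the unescaped name contains a real newline, which is why the zone name appears split across "100.168.192.in-addr.arpa" and "CNF:..." in the samba_dlz message. The filter string is only a starting point for locating the object with an LDAP query tool; which container and partition it lives in is not shown by the log and is not assumed here.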
On Mon, 21 Jan 2019 15:17:28 +0200, Hajdu Szabolcs via samba <samba at lists.samba.org> wrote:

> If I do a samba-tool dns zoneinfo, only the Samba server has this zone;
> the rest don't, and I can't delete it with samba-tool dns zonedelete.
>
> Does somebody have a solution for this problem? Do I have to delete the
> reverse zones from the AD forest?

Please post your smb.conf and your named.conf files.

Rowland
Here is my smb.conf:

    # Global parameters
    [global]
            netbios name = AD1
            realm = KVM.DOMAIN.RO
            server role = active directory domain controller
            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
            workgroup = KVM

    [netlogon]
            path = /var/lib/samba/sysvol/kvm.domain.ro/scripts
            read only = No

    [sysvol]
            path = /var/lib/samba/sysvol
            read only = No

My named.conf.options is the only thing changed. Ubuntu pulls it apart with includes, but only this was modified:

    options {
            directory "/var/cache/bind";

            forwarders {
                    208.67.222.222; 208.67.220.220;
            };
            dnssec-validation auto;

            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };
            notify no;
            empty-zones-enable no;
            tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    };

    dlz "AD DNS Zone" {
            database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
    };

Szabolcs
Did you configure or disable AppArmor?

On 21.01.19 at 14:17, Hajdu Szabolcs via samba wrote:

> named[3700]: samba_dlz: Failed to configure zone '100.168.192.in-addr.arpa CNF:afe341a2-4c56-4061-bd9f-60277bfc75b3'
> named[3700]: loading configuration: bad zone
> named[3700]: exiting (due to fatal error)
>
> If I do a samba-tool dns zoneinfo, only the Samba server has this zone;
> the rest don't, and I can't delete it with samba-tool dns zonedelete.
AppArmor is configured; BIND can access the Samba files.

Szabolcs
Try again with these settings:

    auth-nxdomain no;
    dnssec-validation no;

I suggest you review your settings against
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

Stop and start BIND and Samba (BIND first), then try again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Hajdu Szabolcs via samba
> Sent: Tuesday, 22 January 2019 7:36
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba_dns_question
>
> My named.conf.options is the only thing changed. Ubuntu pulls it apart
> with includes, but only this was modified:
>
>     options {
>             directory "/var/cache/bind";
>
>             forwarders {
>                     208.67.222.222; 208.67.220.220;
>             };
>             dnssec-validation auto;
>
>             auth-nxdomain no;    # conform to RFC1035
>             listen-on-v6 { any; };
>             notify no;
>             empty-zones-enable no;
>             tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     };
>
>     dlz "AD DNS Zone" {
>             database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
>     };
>
> Szabolcs