On Tue, 22 Jan 2019 11:12:37 +0200
Hajdu Szabolcs via samba <samba at lists.samba.org> wrote:

> I configured it but no luck. AppArmor is configured as the link
> suggests. I tried to rejoin and deleted the local database manually,
> but then it still recreates these five zones with CNF and gives the
> error.
>

CNF = Collision

Something is creating the objects in AD and then something else is
coming along and creating them again, marking the originals with 'CNF'.

Please post your entire named.conf files.

Rowland
named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options:

options {
     directory "/var/cache/bind";

     forwarders {
          208.67.222.222; 208.67.220.220;
     };

     dnssec-validation no;

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { any; };
     notify no;
     empty-zones-enable no;
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

named.conf.local:

include "/var/lib/samba/private/named.conf";

named.conf.default-zones:

zone "." {
     type hint;
     file "/etc/bind/db.root";
};

zone "localhost" {
     type master;
     file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
     type master;
     file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
     type master;
     file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
     type master;
     file "/etc/bind/db.255";
};

Szabolcs
On Tue, 22 Jan 2019 13:18:40 +0200
Hajdu Szabolcs via samba <samba at lists.samba.org> wrote:

> options {
>      directory "/var/cache/bind";
>
>      forwarders {
>           208.67.222.222; 208.67.220.220;
>      };
>
>      dnssec-validation no;
>
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { any; };
>      notify no;
>      empty-zones-enable no;
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>

My named.conf.options file is a bit different to yours, but I don't
think any of the differences would stop your problem.

The 'CNF' is coming from something creating the records and then, very
shortly afterwards, something else creates the same records. This
could be something on the same DC, but it is most likely to be
replication. Whatever it is, the first record gets marked with 'CNF'
and the second record is used.

As your Samba and Bind files seem to be OK, I think we need to step
back a bit. From what you posted, you installed Samba and then joined
it as a DC to an existing AD domain. What is this AD domain composed
of, and did the DNS records already exist in AD?

You are having problems with reverse zones; these are not created
automatically. Are you creating these manually and, if so, how?

Rowland
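The 'CNF' objects Rowland describes are Active Directory replication-conflict objects: when two DCs create the same DN before replicating, AD keeps one copy and renames the other to `<RDN>\nCNF:<objectGUID>`, which ldbsearch prints with the newline escaped as `\0A` (or base64-encodes the whole DN as `dn::` in strict LDIF). The script below is an added example, not code from this thread or from Samba, that finds such objects in a dump of the MicrosoftDNS container and reports whether each is a zone or a record. The LDIF it scans is constructed inline, the GUIDs are made up, and no live directory is contacted.

```python
"""Spot AD replication-conflict ('CNF') objects in an LDIF dump of the
MicrosoftDNS container, e.g. what ldbsearch prints for the DomainDnsZones
partition. Added example with constructed sample data; the rename form
<RDN>\\nCNF:<objectGUID> is standard AD conflict-object behaviour."""
import base64
import re
from collections import defaultdict

_DNS_BASE = "CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com"

# A CNF record DN holding a real newline, emitted the way strict LDIF does: base64.
_CONFLICT_RECORD_DN = (
    "DC=dc1\nCNF:5e9c0f62-7e3a-4c1d-8b8f-2d6a9e1c4f77,DC=samdom.example.com," + _DNS_BASE
)

# Constructed sample dump (GUIDs made up): the surviving forward zone, its CNF
# twin with a \0A-escaped DN, a CNF reverse zone, a normal record and a CNF record.
SAMPLE_LDIF = r"""dn: DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: dnsZone
name: samdom.example.com

dn: DC=samdom.example.com\0ACNF:0b3f2a41-1f6b-4b55-9d1e-4c1c9d2f0aa1,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: dnsZone
name: samdom.example.com

dn: DC=0.168.192.in-addr.arpa\0ACNF:9a77d1c0-3b2e-4f0a-b6c5-1e8d7f2a3b44,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: dnsZone
name: 0.168.192.in-addr.arpa

dn: DC=dc1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: dnsNode
name: dc1

""" + "dn:: " + base64.b64encode(_CONFLICT_RECORD_DN.encode("utf-8")).decode("ascii") + "\nobjectClass: dnsNode\nname: dc1\n"

# <original RDN value> newline "CNF:" <GUID>
_CNF_RE = re.compile(
    r"^(?P<name>.*)\nCNF:(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)


def _unescape_dn_value(value: str) -> str:
    """Undo LDAP DN escaping: '\\XX' hex pairs (how ldb prints control characters
    such as the CNF newline) and '\\<char>' for specials like ','. ASCII-range
    escapes are all this example needs."""
    def repl(m: re.Match) -> str:
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)


def parse_dns(ldif_text: str):
    """Yield the DN of every LDIF record, joining folded lines and decoding
    base64 'dn::' values."""
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = []
        for line in record.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # LDIF continuation line
            else:
                lines.append(line)
        for line in lines:
            if line.startswith("dn:: "):
                yield base64.b64decode(line[5:]).decode("utf-8")
                break
            if line.startswith("dn: "):
                yield line[4:]
                break


def find_conflicts(ldif_text: str) -> list:
    """Return one dict per CNF object: kind (zone/record), original name,
    owning zone and the objectGUID embedded in the conflict name."""
    conflicts = []
    for dn in parse_dns(ldif_text):
        rdns = re.split(r"(?<!\\),", dn)          # split on unescaped commas
        _, _, raw_value = rdns[0].partition("=")
        m = _CNF_RE.match(_unescape_dn_value(raw_value))
        if not m:
            continue
        parent = rdns[1:]
        if parent and parent[0].startswith("CN=MicrosoftDNS"):
            kind, zone = "zone", m["name"]        # zone object directly under MicrosoftDNS
        else:
            kind = "record"                       # record object inside a zone
            zone = _unescape_dn_value(parent[0].partition("=")[2])
        conflicts.append({"kind": kind, "name": m["name"], "zone": zone, "guid": m["guid"].lower()})
    return conflicts


def summarize(conflicts: list) -> dict:
    """Group conflicting names by kind: the view needed before deciding which copy to keep."""
    grouped = defaultdict(list)
    for c in conflicts:
        grouped[c["kind"]].append(c["name"])
    return dict(grouped)


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LDIF):
        print(f"{c['kind']:6} {c['name']:28} zone={c['zone']} guid={c['guid']}")
```

Feeding it a real dump (for instance the output of ldbsearch on the DomainDnsZones partition, restricted to the MicrosoftDNS container) lists every conflict object with the GUID of the copy that lost, so the surviving object and the loser can be compared before anything is deleted; the five duplicated zones in this thread would show up as five `zone` entries.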
I really suggest that you change this.

Disable:
> include "/etc/bind/named.conf.default-zones";

And this supports it:
> empty-zones-enable no;

These two may cause your problem.
Might load zones that bind9_DLZ is trying to load also.

Set to yes:
> auth-nxdomain no;    # conform to RFC1035

The AD is the AUTHORITATIVE server.
For that you need: auth-nxdomain yes;

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Hajdu Szabolcs via samba
> Sent: Tuesday 22 January 2019 12:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba_dns_question
>
> named.conf:
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> named.conf.options:
>
> options {
>      directory "/var/cache/bind";
>
>      forwarders {
>           208.67.222.222; 208.67.220.220;
>      };
>
>      dnssec-validation no;
>
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { any; };
>      notify no;
>      empty-zones-enable no;
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> named.conf.local:
>
> include "/var/lib/samba/private/named.conf";
>
> named.conf.default-zones:
>
> zone "." {
>      type hint;
>      file "/etc/bind/db.root";
> };
>
> zone "localhost" {
>      type master;
>      file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>      type master;
>      file "/etc/bind/db.255";
> };
>
>
> Szabolcs
On Tue, 22 Jan 2019 13:54:00 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I really suggest that you change this.
>
> Disable:
>
> include "/etc/bind/named.conf.default-zones";

I have this and have never had the OP's problem.

> And this supports it:
>
> empty-zones-enable no;

Again, I have this.

>
> These two may cause your problem.
> Might load zones that bind9_DLZ is trying to load also.
>
> Set to yes:
>
> auth-nxdomain no;    # conform to RFC1035
> The AD is the AUTHORITATIVE server.
> For that you need: auth-nxdomain yes;

Sorry, but no you don't, well I don't:

rowland at Computer4:~$ nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc4.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 2533
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
>

Rowland
Hi,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 22 January 2019 14:12
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba_dns_question
>
> On Tue, 22 Jan 2019 13:54:00 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > I really suggest that you change this.
> >
> > Disable:
> > > include "/etc/bind/named.conf.default-zones";
>
> I have this and have never had the OP's problem.
>
> > And this supports it:
> > > empty-zones-enable no;
>
> Again, I have this.

Then you are using a zone that is not in the default zones. The problem
occurs only when your bind-DLZ is trying to load a zone defined in the
default. Same for the empty-zones-enable.

> >
> > These two may cause your problem.
> > Might load zones that bind9_DLZ is trying to load also.
> >
> > Set to yes:
> > > auth-nxdomain no;    # conform to RFC1035
> > The AD is the AUTHORITATIVE server.
> > For that you need: auth-nxdomain yes;
>
> Sorry, but no you don't, well I don't:
>
> rowland at Computer4:~$ nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.6
> Address:        192.168.0.6#53
>
> samdom.example.com
>         origin = dc4.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 2533
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600

Yes, lookups work fine, but DDNS updates won't work now.

https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server

Greetz,

Louis