Igor Sousa
2019-Apr-17  18:02 UTC
[Samba] Is possible use BIND9 as DNS Back End on a new Samba DC?
Rowland,

My configure line is ./configure --enable-debug --enable-selftest --with-systemd.

An hour ago, I ignored the inconsistency that I reported in the first e-mail of this topic and I proceeded as described in the topic "Joining a Samba DC to an Existing Active Directory" and I joined the new DC with the command:

samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=BIND9_DLZ

I've looked at the command output and the new DC seemingly joined mydomain.com. I've checked out /usr/local/samba/bind-dns/named.conf and, now, the file is there. But, when I've added 'include "/usr/local/samba/bind-dns/named.con"' into my BIND named.conf file, the named service has not started.

I've got the following journalctl -xe output where it said "/etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf: permission denied". The file exists and I've tried to change the permissions of this file to be owned by root:named, but journalctl -xe still shows the same error.

[root at newdc ~]# journalctl -xe
Apr 17 14:11:19 genos named[5041]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefi
Apr 17 14:11:19 genos named[5041]: ----------------------------------------------------
Apr 17 14:11:19 genos named[5041]: BIND 9 is maintained by Internet Systems Consortium,
Apr 17 14:11:19 genos named[5041]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Apr 17 14:11:19 genos named[5041]: corporation.  Support and training for BIND 9 are
Apr 17 14:11:19 genos named[5041]: available at https://www.isc.org/support
Apr 17 14:11:19 genos named[5041]: ----------------------------------------------------
Apr 17 14:11:19 genos named[5041]: adjusted limit on open files from 4096 to 1048576
Apr 17 14:11:19 genos named[5041]: found 2 CPUs, using 2 worker threads
Apr 17 14:11:19 genos named[5041]: using 2 UDP listeners per interface
Apr 17 14:11:19 genos named[5041]: using up to 21000 sockets
Apr 17 14:11:19 genos named[5041]: loading configuration from '/etc/named.conf'
Apr 17 14:11:19 genos named[5041]: /etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf: permission denied
Apr 17 14:11:19 genos named[5041]: loading configuration: permission denied
Apr 17 14:11:19 genos named[5041]: exiting (due to fatal error)
Apr 17 14:11:19 genos systemd[1]: named.service: control process exited, code=exited status=1
Apr 17 14:11:19 genos systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
-- Subject: Unit named.service has failed
--
Igor Sousa

On Wed, 17 Apr 2019 at 12:45, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 17 Apr 2019 11:00:49 -0300
> Igor Sousa <igorvolt at gmail.com> wrote:
>
> > I'm sorry that I forgot to answer appropriately.
> >
> > I'm running CentOS 7 with all packages upgraded. I've followed the
> > instructions in
> > https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba
> > with some needed modifications (the yum line is below this text) and I've
> > installed python 3.4. I've installed Bind9 from the package manager, where
> > the Bind9 version is 9.9.4.
> >
> > YUM command to install the package dependencies required to build samba:
> > yum install attr bind-utils docbook-style-xsl gcc gdb krb5-workstation
> > libsemanage-python libxslt perl perl-ExtUtils-MakeMaker
> > perl-Parse-Yapp perl-Test-Base pkgconfig policycoreutils-python
> > python2-crypto gnutls-devel libattr-devel keyutils-libs-devel
> > libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel
> > pam-devel popt-devel python-devel readline-devel zlib-devel
> > systemd-devel lmdb-devel jansson-devel gpgme-devel pygpgme
> > libarchive-devel
>
> There doesn't seem to be anything missing there (though I could be
> wrong, I normally use Devuan), so what was your 'configure' line?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland Penny
2019-Apr-17  19:02 UTC
[Samba] Is possible use BIND9 as DNS Back End on a new Samba DC?
On Wed, 17 Apr 2019 15:02:04 -0300
Igor Sousa <igorvolt at gmail.com> wrote:

> Rowland,
>
> My configure line is ./configure --enable-debug --enable-selftest
> --with-systemd.
>
> An hour ago, I ignored the inconsistency that I reported in the first
> e-mail of this topic and I proceeded as described in the topic "Joining a
> Samba DC to an Existing Active Directory" and I joined the new DC with the
> command:
>
> samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator"
> --dns-backend=BIND9_DLZ
>
> I've looked at the command output and the new DC seemingly joined
> mydomain.com. I've checked out /usr/local/samba/bind-dns/named.conf
> and, now, the file is there. But, when I've added 'include
> "/usr/local/samba/bind-dns/named.con"' into my BIND named.conf file,
> the named service has not started.
>
> I've got the following journalctl -xe output where it said
> "/etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf:
> permission denied". The file exists and I've tried to change the
> permissions of this file to be owned by root:named, but journalctl -xe
> still shows the same error.
>

The permissions should be:

ls -lad /usr/local/samba/bind-dns/
drwxrwx---. 3 root named 70 Apr 17 16:39 /usr/local/samba/bind-dns/

ls -la /usr/local/samba/bind-dns/

drwxrwx---.  3 root named   38 Apr 17 16:39 dns
-rw-r-----.  2 root named  797 Apr 17 16:39 dns.keytab
-rw-r--r--.  1 root root   830 Apr 17 16:39 named.conf
-rw-r--r--.  1 root root  2096 Apr 17 16:39 named.txt

Can you post /etc/named.conf

Rowland
Igor Sousa
2019-Apr-17  20:45 UTC
[Samba] Is possible use BIND9 as DNS Back End on a new Samba DC?
Rowland,
I've done almost all the permission changes; I forgot the bind-dns directory. Now,
the named service still doesn't start and journalctl -xe showed me that
this occurs because of permission denied running dlz_bind9_9.so. I've checked,
and the lib and the directory /usr/local/samba/lib/bind9/ have execute
permission for the named group. Below are the output of the ls command, journalctl -xe and
/etc/named.conf. In my Samba, dns.keytab isn't in
/usr/local/samba/bind-dns/. This file is in
/usr/local/samba/private/ and I point to it in /etc/named.conf as
said at "Setting up Dynamic DNS Updates Using Kerberos" in "BIND9 DLZ DNS
Back End".
[root at newdc ~]# ls -lad /usr/local/samba/bind-dns/
drwxrwx---. 3 root named 4096 Apr 17 17:04 /usr/local/samba/bind-dns/
[root at newdc ~]# ls -la /usr/local/samba/bind-dns/
total 24
drwxrwx---.  3 root named 4096 Apr 17 17:05 .
drwxr-xr-x. 12 root root  4096 Nov 29 19:46 ..
drwxrwx---.  3 root named 4096 Apr 17 11:29 dns
-rw-r--r--.  1 root named  830 Apr 17 11:29 named.conf
-r--r--r--.  1 root root   331 Apr 17 15:05 named.conf.update
-rw-r--r--.  1 root root  2096 Apr 17 11:29 named.txt
[root at newdc ~]# ls -lad /usr/local/samba/lib/bind9/
drwxr-xr-x. 2 root named 4096 Apr 16 17:44 /usr/local/samba/lib/bind9/
[root at newdc ~]# ls -la /usr/local/samba/lib/bind9/
total 308
drwxr-xr-x.  2 root named  4096 Apr 16 17:44 .
drwxr-xr-x. 15 root root   4096 Apr 16 17:44 ..
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_10.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_11.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_12.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_9.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9.so
[root at newdc ~]# ls -lad /usr/local/samba/private/
drwx------. 7 root root 4096 Apr 17 15:05 /usr/local/samba/private/
[root at newdc ~]# ls -la /usr/local/samba/private/
total 10988
drwx------.  7 root root     4096 Apr 17 15:05 .
drwxr-xr-x. 12 root root     4096 Nov 29 19:46 ..
-rw-r-----.  1 root named     722 Apr 17 11:29 dns.keytab
-rw-r--r--.  1 root root     3663 Apr 17 11:29 dns_update_list
-rw-------.  1 root root       16 Apr 17 11:29 encrypted_secrets.key
-rw-------.  1 root root  1286144 Apr 17 11:29 hklm.ldb
-rw-------.  1 root root  1286144 Apr 17 15:05 idmap.ldb
-rw-r--r--.  1 root root       91 Apr 17 11:29 krb5.conf
srwxrwxrwx.  1 root root        0 Apr 17 15:05 ldapi
drwxr-x---.  2 root root     4096 Apr 17 15:05 ldap_priv
drwx------.  2 root root     4096 Apr 17 17:20 msg.sock
-rw-------.  1 root root     8888 Apr 17 15:05 netlogon_creds_cli.tdb
-rw-------.  1 root root  1286144 Apr 17 11:29 privilege.ldb
-rw-------.  1 root root  4247552 Apr 17 11:29 sam.ldb
drwx------.  2 root root     4096 Apr 17 11:29 sam.ldb.d
-rw-------.  1 root root      696 Apr 17 15:05 schannel_store.tdb
-rw-------.  1 root root     1052 Apr 17 11:29 secrets.keytab
-rw-------.  1 root root  1286144 Apr 17 11:29 secrets.ldb
-rw-------.  1 root root   499712 Apr 17 15:05 secrets.tdb
-rw-------.  1 root root  1286144 Apr 17 11:29 share.ldb
drwxr-xr-x.  2 root root     4096 Apr 17 15:05 smbd.tmp
-rw-r--r--.  1 root root      955 Apr 17 11:29 spn_update_list
drwxr-xr-x.  2 root root     4096 Apr 17 15:05 tls
[root at newdc ~]# journalctl -xe
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv4) (type 2) DB not
available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv4) (type 6) DB not
available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv6) (type 30) DB not
available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv6) (type 31) DB not
available
Apr 17 17:43:08 newdc named[6011]: GeoIP Region (type 3) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Region (type 7) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP ISP (type 4) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Org (type 5) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP AS (type 9) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Domain (type 11) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP NetSpeed (type 10) DB not available
Apr 17 17:43:08 newdc named[6011]: using default UDP/IPv4 port range:
[1024, 65535]
Apr 17 17:43:08 newdc named[6011]: using default UDP/IPv6 port range:
[1024, 65535]
Apr 17 17:43:08 newdc named[6011]: listening on IPv4 interface lo,
127.0.0.1#53
Apr 17 17:43:08 newdc named[6011]: listening on IPv4 interface eth0,
10.41.20.115#53
Apr 17 17:43:08 newdc named[6011]: generating session key for dynamic DNS
Apr 17 17:43:08 newdc named[6011]: sizing zone task pool based on 3 zones
Apr 17 17:43:08 newdc named[6011]: Loading 'AD DNS Zone' using driver
dlopen
Apr 17 17:43:08 newdc named[6011]: dlz_dlopen failed to open library
'/usr/local/samba/lib/bind9/dlz_bind9_9.so' -
/usr/local/samba/lib/bind9/dlz_bind9_9.so: cannot open shared object file:
Permission denied
Apr 17 17:43:08 newdc named[6011]: dlz_dlopen of 'AD DNS Zone' failed
Apr 17 17:43:08 newdc kernel: named[6012]: segfault at a8 ip
0000556333f0e299 sp 00007f66404c7320 error 4 in named[556333e9e000+88000]
Apr 17 17:43:08 newdc systemd[1]: named.service: control process exited,
code=exited status=1
Apr 17 17:43:08 newdc systemd[1]: Failed to start Berkeley Internet Name
Domain (DNS).
-- Subject: Unit named.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit named.service has failed.
-- 
-- The result is failed.
[root at newdc ~]# cat /etc/named.conf
#Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    # Dynamic DNS
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        172.16.0.0/16;
    };
    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        172.16.0.0/16;
    };
    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        172.16.20.211;
        172.16.20.212;
    };
    # Disable zone transfers
    allow-transfer {
        none;
    };
 };
# Root Servers
# (Required for recursive DNS queries)
zone "." {
   type hint;
   file "named.root";
};
# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};
# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};
include "/usr/local/samba/bind-dns/named.conf";
--
Igor Sousa
On Wed, 17 Apr 2019 at 16:03, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Wed, 17 Apr 2019 15:02:04 -0300
> Igor Sousa <igorvolt at gmail.com> wrote:
>
> > Rowland,
> >
> > My configure line is ./configure --enable-debug --enable-selftest
> > --with-systemd.
> >
> > An hour ago, I ignored the inconsistency that I reported in the first
> > e-mail of this topic and I proceeded as described in the topic "Joining a
> > Samba DC to an Existing Active Directory" and I joined the new DC with the
> > command:
> >
> > samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator"
> > --dns-backend=BIND9_DLZ
> >
> > I've looked at the command output and the new DC seemingly joined
> > mydomain.com. I've checked out /usr/local/samba/bind-dns/named.conf
> > and, now, the file is there. But, when I've added 'include
> > "/usr/local/samba/bind-dns/named.con"' into my BIND named.conf file,
> > the named service has not started.
> >
> > I've got the following journalctl -xe output where it said
> > "/etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf:
> > permission denied". The file exists and I've tried to change the
> > permissions of this file to be owned by root:named, but journalctl -xe
> > still shows the same error.
> >
>
> The permissions should be:
>
> ls -lad /usr/local/samba/bind-dns/
> drwxrwx---. 3 root named 70 Apr 17 16:39 /usr/local/samba/bind-dns/
>
> ls -la /usr/local/samba/bind-dns/
>
> drwxrwx---.  3 root named   38 Apr 17 16:39 dns
> -rw-r-----.  2 root named  797 Apr 17 16:39 dns.keytab
> -rw-r--r--.  1 root root   830 Apr 17 16:39 named.conf
> -rw-r--r--.  1 root root  2096 Apr 17 16:39 named.txt
>
> Can you post /etc/named.conf
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
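Every failure in this thread so far is the same class of problem: the named service account has to traverse each directory component and then read the final file (the included named.conf, the dlz_bind9_9.so module, the dns.keytab), and a single non-traversable directory on the way is enough for "permission denied", which is exactly what "I forgot the bind-dns directory" amounts to. The listing above also shows /usr/local/samba/private/ as drwx------ root root while /etc/named.conf points tkey-gssapi-keytab at a file inside it. The script below is an added example, not code from the thread, Samba or BIND: it walks a path component by component and, for a numeric uid and group list, reports the first component that would deny traversal (x) or read (r). It assumes GNU stat as on CentOS; the placeholder ids 25 are constructed and only used when no "named" user exists on the machine running it.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or BIND): walk every component of a
# path and report whether a process running as a given numeric uid with a given
# group list can traverse the directories and read the final file.  Only the
# classic mode bits (DAC) are evaluated; SELinux labels are not modelled.
# Assumes GNU stat (-c) as found on CentOS.

# has_perm MODE FUID FGID UID GIDS WANT
#   MODE: octal mode as printed by `stat -c %a` (e.g. 750 or 4755)
#   FUID/FGID: owner and group of the entry; UID/GIDS: the process identity
#   WANT: r, w or x.  Returns 0 if permitted, 1 otherwise.
has_perm() {
    hp_mode=$(( 0$1 )); hp_fuid=$2; hp_fgid=$3; hp_uid=$4; hp_gids=$5
    case $6 in r) hp_bit=4 ;; w) hp_bit=2 ;; x) hp_bit=1 ;; *) return 1 ;; esac
    [ "$hp_uid" -eq 0 ] && return 0        # root: CAP_DAC_OVERRIDE passes the check
    # Exactly one class applies: owner if the uid matches, else group if any
    # supplementary gid matches, else other.  A 0070 file is unreadable by its
    # owner even when the owner is also a member of the group.
    hp_shift=0
    if [ "$hp_uid" -eq "$hp_fuid" ]; then
        hp_shift=6
    else
        for hp_g in $hp_gids; do
            [ "$hp_g" -eq "$hp_fgid" ] && hp_shift=3
        done
    fi
    [ $(( (hp_mode >> hp_shift) & hp_bit )) -ne 0 ]
}

# report_access UID GIDS PATH
#   Prints one line per path component.  Returns 0 if every directory is
#   traversable (x) and the final entry is readable (r), 1 at the first
#   denial, 2 if a component does not exist.
report_access() {
    ra_uid=$1; ra_gids=$2; ra_rest=${3#/}; ra_rest=${ra_rest%/}; ra_prefix=""
    while :; do
        case $ra_rest in
            */*) ra_comp=${ra_rest%%/*}; ra_rest=${ra_rest#*/} ;;
            *)   ra_comp=$ra_rest;       ra_rest="" ;;
        esac
        ra_prefix="$ra_prefix/$ra_comp"
        if [ ! -e "$ra_prefix" ]; then
            printf 'MISSING %s\n' "$ra_prefix"
            return 2
        fi
        # Positional parameters are local to the function: $1=uid $2=gid $3=mode
        set -- $(stat -c '%u %g %a' "$ra_prefix")
        if [ -n "$ra_rest" ]; then ra_want=x; else ra_want=r; fi
        if has_perm "$3" "$1" "$2" "$ra_uid" "$ra_gids" "$ra_want"; then
            printf 'ok      %-40s mode %s owner %s:%s need %s\n' "$ra_prefix" "$3" "$1" "$2" "$ra_want"
        else
            printf 'DENIED  %-40s mode %s owner %s:%s need %s\n' "$ra_prefix" "$3" "$1" "$2" "$ra_want"
            return 1
        fi
        [ -z "$ra_rest" ] && return 0
    done
}

# Identity of the BIND service account.  When no "named" user exists on the
# host running this script, constructed placeholder ids (25) keep it runnable;
# substitute the real values from `id named`.
NAMED_UID=$(id -u named 2>/dev/null || echo 25)
NAMED_GIDS=$(id -G named 2>/dev/null || echo 25)

# Default targets: the three files BIND has to open in this thread's layout.
if [ "$#" -eq 0 ]; then
    set -- /usr/local/samba/bind-dns/named.conf \
           /usr/local/samba/lib/bind9/dlz_bind9_9.so \
           /usr/local/samba/private/dns.keytab
fi
for ra_target in "$@"; do
    report_access "$NAMED_UID" "$NAMED_GIDS" "$ra_target" || :
    echo
done
```

Run it as root on the DC (`sh check-named-access.sh`, or pass other paths as arguments) and read the first DENIED line; with the listing posted above, the keytab walk would stop at /usr/local/samba/private/ because its mode is 0700 and it is owned by root:root. When every component passes the mode-bit walk and named still logs "permission denied" for dlz_bind9_9.so, the trailing `.` in the ls output is the reminder that SELinux contexts are also being enforced on this CentOS host, and the denial has to be looked up in the audit log rather than in chmod output.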