Igor Sousa
2019-Apr-17 20:45 UTC
[Samba] Is it possible to use BIND9 as DNS Back End on a new Samba DC?
Rowland,

I've done almost all of the permission changes; I forgot the bind-dns directory. Now the named service still doesn't start, and journalctl -xe showed me that this happens because permission is denied to run dlz_bind9_9.so. I've checked, and both the library and the directory /usr/local/samba/lib/bind9/ have execute permission for the named group. Below is the output of the ls commands, journalctl -xe and /etc/named.conf. In my Samba, dns.keytab isn't in /usr/local/samba/bind-dns/. The file is in /usr/local/samba/private/ and I point to it in /etc/named.conf as described under "Setting up Dynamic DNS Updates Using Kerberos" in "BIND9 DLZ DNS Back End".

[root at newdc ~]# ls -lad /usr/local/samba/bind-dns/
drwxrwx---. 3 root named 4096 Apr 17 17:04 /usr/local/samba/bind-dns/

[root at newdc ~]# ls -la /usr/local/samba/bind-dns/
total 24
drwxrwx---.  3 root named 4096 Apr 17 17:05 .
drwxr-xr-x. 12 root root  4096 Nov 29 19:46 ..
drwxrwx---.  3 root named 4096 Apr 17 11:29 dns
-rw-r--r--.  1 root named  830 Apr 17 11:29 named.conf
-r--r--r--.  1 root root   331 Apr 17 15:05 named.conf.update
-rw-r--r--.  1 root root  2096 Apr 17 11:29 named.txt

[root at newdc ~]# ls -lad /usr/local/samba/lib/bind9/
drwxr-xr-x. 2 root named 4096 Apr 16 17:44 /usr/local/samba/lib/bind9/

[root at newdc ~]# ls -la /usr/local/samba/lib/bind9/
total 308
drwxr-xr-x.  2 root named  4096 Apr 16 17:44 .
drwxr-xr-x. 15 root root   4096 Apr 16 17:44 ..
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_10.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_11.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_12.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_9.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9.so

[root at newdc ~]# ls -lad /usr/local/samba/private/
drwx------. 7 root root 4096 Apr 17 15:05 /usr/local/samba/private/

[root at newdc ~]# ls -la /usr/local/samba/private/
total 10988
drwx------.  7 root root     4096 Apr 17 15:05 .
drwxr-xr-x. 12 root root     4096 Nov 29 19:46 ..
-rw-r-----.  1 root named     722 Apr 17 11:29 dns.keytab
-rw-r--r--.  1 root root     3663 Apr 17 11:29 dns_update_list
-rw-------.  1 root root       16 Apr 17 11:29 encrypted_secrets.key
-rw-------.  1 root root  1286144 Apr 17 11:29 hklm.ldb
-rw-------.  1 root root  1286144 Apr 17 15:05 idmap.ldb
-rw-r--r--.  1 root root       91 Apr 17 11:29 krb5.conf
srwxrwxrwx.  1 root root        0 Apr 17 15:05 ldapi
drwxr-x---.  2 root root     4096 Apr 17 15:05 ldap_priv
drwx------.  2 root root     4096 Apr 17 17:20 msg.sock
-rw-------.  1 root root     8888 Apr 17 15:05 netlogon_creds_cli.tdb
-rw-------.  1 root root  1286144 Apr 17 11:29 privilege.ldb
-rw-------.  1 root root  4247552 Apr 17 11:29 sam.ldb
drwx------.  2 root root     4096 Apr 17 11:29 sam.ldb.d
-rw-------.  1 root root      696 Apr 17 15:05 schannel_store.tdb
-rw-------.  1 root root     1052 Apr 17 11:29 secrets.keytab
-rw-------.  1 root root  1286144 Apr 17 11:29 secrets.ldb
-rw-------.  1 root root   499712 Apr 17 15:05 secrets.tdb
-rw-------.  1 root root  1286144 Apr 17 11:29 share.ldb
drwxr-xr-x.  2 root root     4096 Apr 17 15:05 smbd.tmp
-rw-r--r--.  1 root root      955 Apr 17 11:29 spn_update_list
drwxr-xr-x.  2 root root     4096 Apr 17 15:05 tls

[root at newdc ~]# journalctl -xe
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv4) (type 2) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv4) (type 6) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv6) (type 30) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv6) (type 31) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Region (type 3) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Region (type 7) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP ISP (type 4) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Org (type 5) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP AS (type 9) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Domain (type 11) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP NetSpeed (type 10) DB not available
Apr 17 17:43:08 newdc named[6011]: using default UDP/IPv4 port range: [1024, 65535]
Apr 17 17:43:08 newdc named[6011]: using default UDP/IPv6 port range: [1024, 65535]
Apr 17 17:43:08 newdc named[6011]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 17 17:43:08 newdc named[6011]: listening on IPv4 interface eth0, 10.41.20.115#53
Apr 17 17:43:08 newdc named[6011]: generating session key for dynamic DNS
Apr 17 17:43:08 newdc named[6011]: sizing zone task pool based on 3 zones
Apr 17 17:43:08 newdc named[6011]: Loading 'AD DNS Zone' using driver dlopen
Apr 17 17:43:08 newdc named[6011]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_9.so' - /usr/local/samba/lib/bind9/dlz_bind9_9.so: cannot open shared object file: Permission denied
Apr 17 17:43:08 newdc named[6011]: dlz_dlopen of 'AD DNS Zone' failed
Apr 17 17:43:08 newdc kernel: named[6012]: segfault at a8 ip 0000556333f0e299 sp 00007f66404c7320 error 4 in named[556333e9e000+88000]
Apr 17 17:43:08 newdc systemd[1]: named.service: control process exited, code=exited status=1
Apr 17 17:43:08 newdc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
-- Subject: Unit named.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit named.service has failed.
--
-- The result is failed.

[root at newdc ~]# cat /etc/named.conf
#Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    # Dynamic DNS
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        172.16.0.0/16;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        172.16.0.0/16;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        172.16.20.211;
        172.16.20.212;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";

--
Igor Sousa

On Wed, 17 Apr 2019 at 16:03, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 17 Apr 2019 15:02:04 -0300
> Igor Sousa <igorvolt at gmail.com> wrote:
>
> > Rowland,
> >
> > My configure line is ./configure --enable-debug --enable-selftest
> > --with-systemd.
> >
> > An hour ago, I ignored the inconsistency that I reported in the first
> > e-mail of this topic and I proceeded as described at topic "Joining a
> > Samba DC to an Existing Active Directory" and I joined the new DC with
> > the command:
> >
> > samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator"
> > --dns-backend=BIND9_DLZ
> >
> > I've looked at the command output and the new DC seemingly joined
> > mydomain.com. I've checked out /usr/local/samba/bind-dns/named.conf
> > and, now, this file is there. But, when I added 'include
> > "/usr/local/samba/bind-dns/named.con"' to my BIND named.conf file,
> > the named service did not start.
> >
> > I've got the following journalctl -xe output, where it said
> > "/etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf:
> > permission denied". The file exists and I've tried to change the
> > permissions of this file to be owned by root:named, but journalctl -xe
> > still shows the same error.
> >
>
> The permissions should be:
>
> ls -lad /usr/local/samba/bind-dns/
> drwxrwx---. 3 root named 70 Apr 17 16:39 /usr/local/samba/bind-dns/
>
> ls -la /usr/local/samba/bind-dns/
>
> drwxrwx---. 3 root named 38 Apr 17 16:39 dns
> -rw-r-----. 2 root named 797 Apr 17 16:39 dns.keytab
> -rw-r--r--. 1 root root 830 Apr 17 16:39 named.conf
> -rw-r--r--. 1 root root 2096 Apr 17 16:39 named.txt
>
> Can you post /etc/named.conf
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland Penny
2019-Apr-18 06:55 UTC
[Samba] Is it possible to use BIND9 as DNS Back End on a new Samba DC?
On Wed, 17 Apr 2019 17:45:50 -0300
Igor Sousa <igorvolt at gmail.com> wrote:

> Rowland,
>
> I've done almost all permissions change,

Try turning off selinux

Rowland
Igor Sousa
2019-Apr-18 13:06 UTC
[Samba] Is it possible to use BIND9 as DNS Back End on a new Samba DC?
Rowland,

Thank you a lot. Both named and samba are running now. I had disabled firewalld, but I hadn't disabled SELinux before I read your e-mail. I'll study the wiki and other sources to run Samba with SELinux and firewalld enabled without issues.

Best regards and thanks a lot again,

--
Igor Sousa

On Thu, 18 Apr 2019 at 03:56, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 17 Apr 2019 17:45:50 -0300
> Igor Sousa <igorvolt at gmail.com> wrote:
>
> > Rowland,
> >
> > I've done almost all permissions change,
>
> Try turning off selinux
>
> Rowland
>
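An added check, written for this thread and not code from the Samba project or either poster: it walks the path components from the listings above with the named user's identity and reports whether ordinary mode bits (DAC) can explain a "Permission denied" at all. When they cannot, as for the DLZ module here, the denial comes from a mandatory layer such as SELinux and the audit log is the place to look, not chmod; the same walk also shows that the 0700 private/ directory blocks named from the keytab path used in the named.conf above. The user and group name named, and the modes of /usr and /usr/local, are assumptions.

```python
# Added example: explain a "Permission denied" by walking each path component
# with the service account's identity (DAC only). If every component grants
# the access, the denial must come from a MAC layer such as SELinux; the
# trailing '.' in the thread's "drwxrwx---." output shows contexts are set.
# LISTING is constructed from the thread's ls -l output; /usr and /usr/local
# are assumed to be the usual root:root 0755.
LISTING = {
    "/usr": ("drwxr-xr-x", "root", "root"),
    "/usr/local": ("drwxr-xr-x", "root", "root"),
    "/usr/local/samba": ("drwxr-xr-x", "root", "root"),
    "/usr/local/samba/lib": ("drwxr-xr-x", "root", "root"),
    "/usr/local/samba/lib/bind9": ("drwxr-xr-x", "root", "named"),
    "/usr/local/samba/lib/bind9/dlz_bind9_9.so": ("-rwxr-xr-x", "root", "named"),
    "/usr/local/samba/private": ("drwx------", "root", "root"),
    "/usr/local/samba/private/dns.keytab": ("-rw-r-----", "root", "named"),
}

def perms_for(mode, owner, group, user, groups):
    """Owner, group or other triple of an ls -l mode string that applies to user."""
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]

def dac_allows(path, need, user="named", groups=("named",), listing=LISTING):
    """Walk path as user: directories need 'x' (search), the last entry needs
    the bits in need. Returns (ok, failing_path, missing_bit)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        cur = "/" + "/".join(parts[:i])
        mode, owner, group = listing[cur]
        want = "x" if i < len(parts) else need
        have = perms_for(mode, owner, group, user, groups)
        for bit in want:
            if bit not in have:
                return (False, cur, bit)
    return (True, None, None)

def diagnose(path, need="r", **kw):
    """One-line verdict; dlopen() of the DLZ module only needs read access."""
    ok, where, bit = dac_allows(path, need, **kw)
    if ok:
        return "DAC permits '%s' on %s: suspect SELinux (ausearch -m AVC -c named)" % (need, path)
    return "DAC denies: missing '%s' on %s for this user" % (bit, where)

if __name__ == "__main__":
    print(diagnose("/usr/local/samba/lib/bind9/dlz_bind9_9.so"))
    print(diagnose("/usr/local/samba/private/dns.keytab"))  # keytab path from named.conf
```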