Hi,
We migrated the domain to AD on an Ubuntu 18.04 box with Samba 4.7.6. The
DNS backend is DLZ.
We are seeing DNS issues as per below
When using dnsupdate we get the following error. The server can resolve the
hostname (itself).
added interface eth0 ip=192.168.117.10 bcast=192.168.117.255 netmask=255.255.255.0
IPs: ['192.168.117.10']
need cache add: A server5.intdom.group 192.168.117.10
Looking for DNS entry A server5.intdom.group 192.168.117.10 as server5.intdom.group.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 827, in <module>
    elif not check_dns_name(d):
  File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
    raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_na$
Exception: Timeout while waiting to contact a working DNS server while looking for A server5.intdom.group 192.168.117.10 $
;; connection timed out; no servers could be reached
;; connection timed out; no servers could be reached
;; connection timed out; no servers could be reached
service bind9 status
May 04 13:50:40 server5-new named[2079]: sizing zone task pool based on 5 zones
May 04 13:50:40 server5-new named[2079]: Loading 'AD DNS Zone' using driver dlopen
May 04 13:50:40 server5-new named[2079]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9$
May 04 13:50:40 server5-new named[2079]: dlz_dlopen of 'AD DNS Zone' failed
May 04 13:50:40 server5-new named[2079]: SDLZ driver failed to load.
May 04 13:50:40 server5-new named[2079]: DLZ driver failed to load.
May 04 13:50:40 server5-new named[2079]: loading configuration: failure
May 04 13:50:40 server5-new named[2079]: exiting (due to fatal error)
May 04 13:50:40 server5-new systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
May 04 13:50:40 server5-new systemd[1]: bind9.service: Failed with result 'exit-code'.
/etc/bind/named.conf has the following
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
named.conf.options has
dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
The following in /var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
    # For BIND 9.11.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
/etc/krb5.conf has
[libdefaults]
default_realm = intdom.GROUP
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
intdom.GROUP = {
kdc = server5
admin_server = server5
}
/etc/resolv.conf has
nameserver 192.168.117.10
search intdom.group
smb.conf has
[global]
workgroup = intdom
realm = intdom.GROUP
netbios name = server5
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%m
log level = 4
acl allow execute always = True
server services = -dns
allow dns updates = nonsecure
Any suggestions?
We tried changing the DNS to Samba Internal and then vice versa, but got the
same results.
Thank you
RT
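The log above shows named exiting because dlz_dlopen could not open the module named on the database "dlopen ..." line, and with bind9 down nothing answers on 192.168.117.10 (server services = -dns turns Samba's own DNS off), which is what the dig timeouts and the samba_dnsupdate exception reflect. The script below is an added example written for this page, not code from the thread or from Samba: it pulls the one uncommented dlopen line out of the Samba-generated named.conf, checks that the module exists and is readable, and compares its file name with the BIND series reported by named -v (Samba ships dlz_bind9.so for BIND 9.8 and dlz_bind9_<minor>.so from 9.9 on, which is what the commented alternatives in the posted named.conf show). The paths are the ones from the thread; the named -v banner format is assumed to be "BIND 9.x.y-...".

```shell
#!/bin/sh
# dlz_check.sh: does the Samba BIND9_DLZ module that named is told to dlopen
# exist, is it readable, and was it built for the BIND series installed?
# Added example for this page; not code from the thread or from Samba.
# Assumed layout (the one shown in the thread):
#   /var/lib/samba/private/named.conf                     Samba-generated dlz block
#   /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9*.so   the modules

# Map the "named -v" banner (e.g. "BIND 9.11.3-1ubuntu1.5-Ubuntu") to the
# module Samba builds for that series: dlz_bind9.so for 9.8 and
# dlz_bind9_<minor>.so from 9.9 on. Prints the file name; fails if the
# banner cannot be parsed.
dlz_module_for_bind_version() {
    minor=$(printf '%s\n' "$1" | sed -n 's/^BIND 9\.\([0-9][0-9]*\).*/\1/p')
    [ -n "$minor" ] || return 1
    if [ "$minor" -eq 8 ]; then
        echo dlz_bind9.so
    else
        echo "dlz_bind9_${minor}.so"
    fi
}

# Print the path from every uncommented 'database "dlopen <path>";' line.
# Lines starting with '#' are the alternatives Samba leaves commented out.
active_dlz_path() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/.*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p'
}

# Exit 0 if the module is a readable regular file, 1 if it is missing,
# 2 if the current user cannot read it.
check_dlz_module() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ -r "$1" ] || { echo "unreadable: $1"; return 2; }
    echo "ok: $1"
}

# $1 = named.conf with the dlz block, $2 = "named -v" banner.
# Exit codes: 0 ok, 1 missing, 2 unreadable, 3 not exactly one active
# dlopen line, 4 unparseable banner, 5 module built for another BIND.
dlz_check() {
    conf=$1
    banner=$2
    path=$(active_dlz_path "$conf")
    n=$(printf '%s\n' "$path" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one active dlopen line in $conf, found $n"
        return 3
    fi
    want=$(dlz_module_for_bind_version "$banner") || {
        echo "cannot parse BIND version from: $banner"; return 4; }
    have=$(basename "$path")
    if [ "$have" != "$want" ]; then
        echo "mismatch: $conf loads $have but '$banner' needs $want"
        return 5
    fi
    check_dlz_module "$path"
}

# Usage on the DC, once as root and once as the user named runs as:
#   sh dlz_check.sh /var/lib/samba/private/named.conf "$(named -v)"
#   sudo -u bind sh dlz_check.sh /var/lib/samba/private/named.conf "$(named -v)"
if [ "$#" -ge 2 ]; then
    dlz_check "$1" "$2"
fi
```

Run it as root and the readability check only tells you the file is there; run it as the bind user (the account the Ubuntu bind9 package starts named under) to see what named itself is allowed to open by plain file permissions. A mismatch between the module suffix and the installed BIND is the other common way for this exact "dlz_dlopen failed to open library" line to appear after a distribution upgrade.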
On Sun, 5 May 2019 00:11:40 +1000
Rob Thoman via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We migrated the domain to AD on a ubuntu 18.04 box with samba 4.7.6.
> The DNS backend is DLZ
>
> We are seeing DNS issues as per below
>
> When using dnsupdate we get the following error. The server can
> resolve the hostname(itself)
>
> added interface eth0 ip=192.168.117.10 bcast=192.168.117.255
> netmask=255.255.255.0
> IPs: ['192.168.117.10']
> need cache add: A server5.intdom.group 192.168.117.10
> Looking for DNS entry A server5.intdom.group 192.168.117.10 as
> server5.intdom.group.
> Traceback (most recent call last):
> File "/usr/sbin/samba_dnsupdate", line 827, in <module>
> elif not check_dns_name(d):
> File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
> raise Exception("Timeout while waiting to contact a working DNS
> server while looking for %s as %s" % (d, normalised_na$
> Exception: Timeout while waiting to contact a working DNS server while
> looking for A server5.intdom.group 192.168.117.10 $
> ;; connection timed out; no servers could be reached
> ;; connection timed out; no servers could be reached
> ;; connection timed out; no servers could be reached
>
> service bind9 status
>
> May 04 13:50:40 server5-new named[2079]: sizing zone task pool based
> on 5 zones

Why '5' zones ?

> May 04 13:50:40 server5-new named[2079]: Loading 'AD DNS Zone' using
> driver dlopen
> May 04 13:50:40 server5-new named[2079]: dlz_dlopen failed to open
> library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9$

Does /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so exist and if
so, who owns it and what are the permissions ?

> May 04 13:50:40 server5-new named[2079]: dlz_dlopen of 'AD DNS Zone'
> failed
> May 04 13:50:40 server5-new named[2079]: SDLZ driver failed to load.
> May 04 13:50:40 server5-new named[2079]: DLZ driver failed to load.
> May 04 13:50:40 server5-new named[2079]: loading configuration: failure
> May 04 13:50:40 server5-new named[2079]: exiting (due to fatal error)
> May 04 13:50:40 server5-new systemd[1]: bind9.service: Main process
> exited, code=exited, status=1/FAILURE
> May 04 13:50:40 server5-new systemd[1]: bind9.service: Failed with
> result 'exit-code'.
>
> /etc/bind/named.conf has the following
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> named.conf.options has
>
> dnssec-validation auto;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> auth-nxdomain no; # conform to RFC1035
> listen-on-v6 { any; };

If that is all there is, there isn't enough.
If it isn't all there is, please post the entire contents.

> /etc/krb5.conf has
>
> [libdefaults]
> default_realm = intdom.GROUP

All the REALM should be in UPPERCASE

> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> intdom.GROUP = {
> kdc = server5
> admin_server = server5

You do not require the [realms] part.

> }
>
> /etc/resolv.conf has
>
> nameserver 192.168.117.10
> search intdom.group
>
> smb.conf has
>
> [global]
> workgroup = intdom
> realm = intdom.GROUP
> netbios name = server5
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 4
> acl allow execute always = True
> server services = -dns
> allow dns updates = nonsecure
>

Can you post the contents of /etc/hostname & /etc/hosts

Rowland
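Rowland's two krb5.conf remarks, the realm case and the [realms] block, turned into checks as an added example that is not part of the thread or of Samba's own tooling: the first function lists realm names in a krb5.conf that are not upper case (Kerberos realm names are case-sensitive, so intdom.GROUP and INTDOM.GROUP are different realms), the second prints the SRV names libkrb5 queries when dns_lookup_kdc = true stands in for a static [realms] entry, which is why, on a DC whose own BIND is down, DNS has to be fixed before anything Kerberos will work. The file layout and the realm INTDOM.GROUP are the ones from the thread.

```shell
#!/bin/sh
# krb5_check.sh: the two krb5.conf points raised above, as checks.
# Added example for this page; not code from the thread or from Samba.

# Print every realm name in a krb5.conf that is not all upper case, one
# per line: the default_realm value and the section names under [realms].
# Kerberos realm names are case-sensitive, so intdom.GROUP and
# INTDOM.GROUP are two different realms.
krb5_lowercase_realms() {
    sed -n \
        -e 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        -e '/^[[:space:]]*\[realms\]/,/^[[:space:]]*\[/s/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*{.*/\1/p' \
        "$1" | awk '$0 != toupper($0)' | sort -u
}

# With dns_lookup_kdc = true and no [realms] block, libkrb5 locates the KDC
# through these SRV records, so Kerberos on the DC only works once its own
# DNS answers. DNS is case-insensitive, so the realm is printed lower case.
kdc_srv_names() {
    r=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$r" "$r"
}

# Usage:
#   sh krb5_check.sh /etc/krb5.conf
#   for n in $(sh krb5_check.sh --srv INTDOM.GROUP); do
#       dig +short -t SRV "$n" @192.168.117.10
#   done
case "${1:-}" in
    "")    ;;
    --srv) kdc_srv_names "$2" ;;
    *)     bad=$(krb5_lowercase_realms "$1")
           if [ -n "$bad" ]; then
               echo "realm names not in upper case:"; echo "$bad"; exit 1
           fi
           echo "realm case ok" ;;
esac
```

The dig loop in the usage comment is the same lookup libkrb5 performs; if it returns nothing while bind9 is down, that is the dependency chain (BIND -> DNS -> Kerberos -> dynamic DNS updates) showing itself, not a Kerberos misconfiguration.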
Hi Rowland,
Thank you.
I think the 5 zones may be a parsing issue somewhere. Also, the realms are
in capitals; it must have been a typo.
UFW has been disabled and SELinux is in a disabled state.
/etc/bind/named.conf.options has
options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    // forwarders {
    //     0.0.0.0;
    // };
    //=======================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //=======================================================================
    dnssec-validation auto;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};
/usr/lib/x86_64-linux-gnu/samba/bind9
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_10.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_11.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_9.so
/etc/hosts
192.168.117.10 server5
192.168.117.10 server5.intdom.group
/etc/hostname
server5
On Sun, May 5, 2019 at 12:58 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 5 May 2019 00:11:40 +1000
> Rob Thoman via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > We migrated the domain to AD on a ubuntu 18.04 box with samba 4.7.6.
> > The DNS backend is DLZ
> >
> > We are seeing DNS issues as per below
> >
> > When using dnsupdate we get the following error. The server can
> > resolve the hostname(itself)
> >
> > added interface eth0 ip=192.168.117.10 bcast=192.168.117.255
> > netmask=255.255.255.0
> > IPs: ['192.168.117.10']
> > need cache add: A server5.intdom.group 192.168.117.10
> > Looking for DNS entry A server5.intdom.group 192.168.117.10 as
> > server5.intdom.group.
> > Traceback (most recent call last):
> > File "/usr/sbin/samba_dnsupdate", line 827, in <module>
> > elif not check_dns_name(d):
> > File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
> > raise Exception("Timeout while waiting to contact a working DNS
> > server while looking for %s as %s" % (d, normalised_na$
> > Exception: Timeout while waiting to contact a working DNS server while
> > looking for A server5.intdom.group 192.168.117.10 $
> > ;; connection timed out; no servers could be reached
> > ;; connection timed out; no servers could be reached
> > ;; connection timed out; no servers could be reached
> >
> > service bind9 status
> >
> > May 04 13:50:40 server5-new named[2079]: sizing zone task pool based
> > on 5 zones
>
> Why '5' zones ?
>
> > May 04 13:50:40 server5-new named[2079]: Loading 'AD DNS Zone' using
> > driver dlopen
> > May 04 13:50:40 server5-new named[2079]: dlz_dlopen failed to open
> > library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9$
>
> Does /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so exist and if
> so, who owns it and what are the permissions ?
>
> > May 04 13:50:40 server5-new named[2079]: dlz_dlopen of 'AD DNS Zone'
> > failed
> > May 04 13:50:40 server5-new named[2079]: SDLZ driver failed to load.
> > May 04 13:50:40 server5-new named[2079]: DLZ driver failed to load.
> > May 04 13:50:40 server5-new named[2079]: loading configuration: failure
> > May 04 13:50:40 server5-new named[2079]: exiting (due to fatal error)
> > May 04 13:50:40 server5-new systemd[1]: bind9.service: Main process
> > exited, code=exited, status=1/FAILURE
> > May 04 13:50:40 server5-new systemd[1]: bind9.service: Failed with
> > result 'exit-code'.
> >
> > /etc/bind/named.conf has the following
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/private/named.conf";
> >
> > named.conf.options has
> >
> > dnssec-validation auto;
> > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > auth-nxdomain no; # conform to RFC1035
> > listen-on-v6 { any; };
>
> If that is all there is, there isn't enough.
> If it isn't all there is, please post the entire contents.
>
> > /etc/krb5.conf has
> >
> > [libdefaults]
> > default_realm = intdom.GROUP
>
> All the REALM should be in UPPERCASE
>
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > intdom.GROUP = {
> > kdc = server5
> > admin_server = server5
>
> You do not require the [realms] part.
>
> > }
> >
> > /etc/resolv.conf has
> >
> > nameserver 192.168.117.10
> > search intdom.group
> >
> > smb.conf has
> >
> > [global]
> > workgroup = intdom
> > realm = intdom.GROUP
> > netbios name = server5
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > log file = /var/log/samba/log.%m
> > log level = 4
> > acl allow execute always = True
> > server services = -dns
> > allow dns updates = nonsecure
> >
>
> Can you post the contents of /etc/hostname & /etc/hosts
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
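Rob's listing shows all four modules as 0644 root:root, so any user, named included, can read them by plain file permissions, and that is not what makes dlz_dlopen fail. Two things a practitioner would check next, as an added example that is not from the thread or from Samba: where the "sizing zone task pool based on 5 zones" line comes from, and whether AppArmor is the blocker. On the first, named logs that count before it loads the DLZ module (the log order above shows it), and the stock Ubuntu /etc/bind/named.conf.default-zones declares exactly five zones (".", localhost, 127.in-addr.arpa, 0.in-addr.arpa and 255.in-addr.arpa), so the number is just the static config; the AD zones only exist once the module is up. On the second, Ubuntu uses AppArmor rather than SELinux, the bind9 package confines /usr/sbin/named with /etc/apparmor.d/usr.sbin.named, and a refused open() is written to the kernel log as an apparmor="DENIED" line naming the file. The kernel-log line and the file names used in the test are constructed; the rule text that samba_apparmor_rules prints is the editor's suggestion for /etc/apparmor.d/local/usr.sbin.named and should be reviewed against the local layout before use.

```shell
#!/bin/sh
# bind_dc_diag.sh: two follow-up checks when the DLZ module is 0644
# root:root, yet named still cannot dlopen it.
# Added example for this page; not code from the thread or from Samba.

# 1. Count the zone statements named sees in a config and in the files it
#    includes (// and # comments stripped). On Ubuntu the stock
#    /etc/bind/named.conf.default-zones declares exactly five (".",
#    localhost, 127.in-addr.arpa, 0.in-addr.arpa, 255.in-addr.arpa); the AD
#    zones come from the DLZ module, which is loaded after this count.
#    Include paths are taken literally, so unreadable or relative ones
#    count as 0.
count_zones() {
    f=$1
    [ -r "$f" ] || { echo 0; return; }
    body=$(sed -e 's|//.*||' -e 's|#.*||' "$f")
    n=$(printf '%s\n' "$body" | grep -c '^[[:space:]]*zone[[:space:]]*"' || true)
    for inc in $(printf '%s\n' "$body" \
                 | sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p'); do
        n=$((n + $(count_zones "$inc")))   # recursion runs in a subshell
    done
    echo "$n"
}

# 2. Extract the files AppArmor refused to the named profile from kernel
#    log lines (journalctl -k, dmesg, or a saved copy; "-" reads stdin).
#    A refused open() is logged as
#    apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="<path>" ...
apparmor_denied_paths() {
    grep 'apparmor="DENIED"' "$1" | grep 'profile="/usr/sbin/named"' \
        | sed -n 's/.*name="\([^"]*\)".*/\1/p' | sort -u
}

# Rules to add to /etc/apparmor.d/local/usr.sbin.named for a Samba DC
# (editor's suggestion, review against the local layout): r = read,
# m = mmap (dlopen needs it), w/k = write and lock for the DLZ databases.
samba_apparmor_rules() {
    # $1 = Samba library dir, $2 = Samba private dir
    printf '  %s/** rm,\n' "$1"
    printf '  %s/dns.keytab r,\n  %s/named.conf r,\n  %s/dns/** rwk,\n' "$2" "$2" "$2"
}

# Usage on the DC:
#   sh bind_dc_diag.sh --zones /etc/bind/named.conf
#   journalctl -k | sh bind_dc_diag.sh --denials -
#   sh bind_dc_diag.sh --rules >> /etc/apparmor.d/local/usr.sbin.named   (after review)
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.named && systemctl restart bind9
case "${1:-}" in
    --zones)   count_zones "$2" ;;
    --denials) apparmor_denied_paths "${2:--}" ;;
    --rules)   samba_apparmor_rules /usr/lib/x86_64-linux-gnu/samba /var/lib/samba/private ;;
esac
```

aa-status (from apparmor-utils) shows whether the /usr/sbin/named profile is loaded and in enforce mode; if it is and --denials lists the dlz_bind9_11.so path, the module permissions were never the problem. The mmap permission matters: a profile that grants only r lets named read the file but dlopen still fails, which is why the suggested rule for the Samba library tree is rm.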