Hi,

We migrated the domain to AD on a ubuntu 18.04 box with samba 4.7.6. The DNS backend is DLZ.

We are seeing DNS issues as per below.

When using dnsupdate we get the following error. The server can resolve the hostname (itself).

added interface eth0 ip=192.168.117.10 bcast=192.168.117.255 netmask=255.255.255.0
IPs: ['192.168.117.10']
need cache add: A server5.intdom.group 192.168.117.10
Looking for DNS entry A server5.intdom.group 192.168.117.10 as server5.intdom.group.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 827, in <module>
    elif not check_dns_name(d):
  File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
    raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_na$
Exception: Timeout while waiting to contact a working DNS server while looking for A server5.intdom.group 192.168.117.10 $
;; connection timed out; no servers could be reached
;; connection timed out; no servers could be reached
;; connection timed out; no servers could be reached

service bind9 status

May 04 13:50:40 server5-new named[2079]: sizing zone task pool based on 5 zones
May 04 13:50:40 server5-new named[2079]: Loading 'AD DNS Zone' using driver dlopen
May 04 13:50:40 server5-new named[2079]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9$
May 04 13:50:40 server5-new named[2079]: dlz_dlopen of 'AD DNS Zone' failed
May 04 13:50:40 server5-new named[2079]: SDLZ driver failed to load.
May 04 13:50:40 server5-new named[2079]: DLZ driver failed to load.
May 04 13:50:40 server5-new named[2079]: loading configuration: failure
May 04 13:50:40 server5-new named[2079]: exiting (due to fatal error)
May 04 13:50:40 server5-new systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
May 04 13:50:40 server5-new systemd[1]: bind9.service: Failed with result 'exit-code'.

/etc/bind/name.conf has the following

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

named.conf.options has

dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };

The following in /var/lib/samba/private/named.conf

dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

/etc/krb5.conf has

[libdefaults]
    default_realm = intdom.GROUP
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    intdom.GROUP = {
        kdc = server5
        admin_server = server5
    }

/etc/resolv.conf has

nameserver 192.168.117.10
search intdom.group

smb.conf has

[global]
    workgroup = intdom
    realm = intdom.GROUP
    netbios name = server5
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    log file = /var/log/samba/log.%m
    log level = 4
    acl allow execute always = True
    server services = -dns
    allow dns updates = nonsecure

Any suggestions? We tried changing the DNS to Samba Internal and then vice versa but the same results.

Thank you
RT
On Sun, 5 May 2019 00:11:40 +1000
Rob Thoman via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We migrated the domain to AD on a ubuntu 18.04 box with samba 4.7.6.
> The DNS backend is DLZ
>
> We are seeing DNS issues as per below
>
> When using dnsupdate we get the following error. The server can
> resolve the hostname(itself)
>
> added interface eth0 ip=192.168.117.10 bcast=192.168.117.255
> netmask=255.255.255.0
> IPs: ['192.168.117.10']
> need cache add: A server5.intdom.group 192.168.117.10
> Looking for DNS entry A server5.intdom.group 192.168.117.10 as
> server5.intdom.group.
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 827, in <module>
>     elif not check_dns_name(d):
>   File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
>     raise Exception("Timeout while waiting to contact a working DNS
> server while looking for %s as %s" % (d, normalised_na$
> Exception: Timeout while waiting to contact a working DNS server while
> looking for A server5.intdom.group 192.168.117.10 $
> ;; connection timed out; no servers could be reached
> ;; connection timed out; no servers could be reached
> ;; connection timed out; no servers could be reached
>
> service bind9 status
>
> May 04 13:50:40 server5-new named[2079]: sizing zone task pool based
> on 5 zones

Why '5' zones ?

> May 04 13:50:40 server5-new named[2079]: Loading 'AD DNS Zone' using
> driver dlopen
> May 04 13:50:40 server5-new named[2079]: dlz_dlopen failed to open
> library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9$

Does /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so exist and if
so, who owns it and what are the permissions ?

> May 04 13:50:40 server5-new named[2079]: dlz_dlopen of 'AD DNS Zone'
> failed
> May 04 13:50:40 server5-new named[2079]: SDLZ driver failed to load.
> May 04 13:50:40 server5-new named[2079]: DLZ driver failed to load.
> May 04 13:50:40 server5-new named[2079]: loading configuration: failure
> May 04 13:50:40 server5-new named[2079]: exiting (due to fatal error)
> May 04 13:50:40 server5-new systemd[1]: bind9.service: Main process
> exited, code=exited, status=1/FAILURE
> May 04 13:50:40 server5-new systemd[1]: bind9.service: Failed with
> result 'exit-code'.
>
> /etc/bind/name.conf has the following
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> named.conf.options has
>
> dnssec-validation auto;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> auth-nxdomain no;    # conform to RFC1035
> listen-on-v6 { any; };

If that is all there is, there isn't enough.
If it isn't all there is, please post the entire contents.

> /etc/krb5.conf has
>
> [libdefaults]
>     default_realm = intdom.GROUP

All the REALM should be in UPPERCASE

>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> [realms]
>     intdom.GROUP = {
>         kdc = server5
>         admin_server = server5

You do not require the [realms] part.

>     }
>
> /etc/resolv.conf has
>
> nameserver 192.168.117.10
> search intdom.group
>
> smb.conf has
>
> [global]
>     workgroup = intdom
>     realm = intdom.GROUP
>     netbios name = server5
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>     log file = /var/log/samba/log.%m
>     log level = 4
>     acl allow execute always = True
>     server services = -dns
>     allow dns updates = nonsecure
>

Can you post the contents of /etc/hostname & /etc/hosts

Rowland
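A script for the checks Rowland asks for above (does the DLZ module named will dlopen exist, and can named read it), as an added example that is not part of the thread or of Samba. It assumes named runs as the non-root user bind, so a root-owned module needs the "other" read bit, and that the Samba-generated fragment is the /var/lib/samba/private/named.conf quoted in the thread; the sample config below is constructed to mirror that file.

```shell
#!/bin/sh
# Added diagnostic for "dlz_dlopen failed to open library": read the one
# uncommented 'database "dlopen <path>"' line and verify the module is
# present and readable by a non-root named (assumed user: bind).

# Print the module path from the first uncommented dlopen database line.
dlz_library_from_conf() {
    sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if $1 exists and has the "other" read bit (column 8 of ls -l),
# which is what a root-owned 0644 module loaded by named-as-bind needs.
check_dlz_library() {
    lib=$1
    [ -n "$lib" ] || { echo "no active dlopen database line"; return 1; }
    [ -f "$lib" ] || { echo "missing module: $lib"; return 1; }
    other_read=$(ls -l "$lib" | cut -c8)
    [ "$other_read" = "r" ] || { echo "module not readable by non-root: $lib"; return 1; }
    echo "ok: $lib"
    return 0
}

# Whole-host check: module from the Samba fragment, then named-checkconf
# on the main BIND config when the tool is installed.
diagnose_dlz() {
    conf=${1:-/var/lib/samba/private/named.conf}
    check_dlz_library "$(dlz_library_from_conf "$conf")" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf /etc/bind/named.conf || return 1
    fi
}

# Constructed sample mirroring the thread's fragment (commented 9.9.x line,
# active 9.11.x line), written to a temp file; prints its path.
write_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
    # For BIND 9.11.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
    echo "$f"
}
```

On the affected host, source the file and run `diagnose_dlz` (optionally with another fragment path); the sample-config function only exists to exercise the parser offline.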
Hi Rowland,

Thank you. I think the 5 zones may be a parsing issue somewhere. Also, the realms are in capitals, must have been a typo. The UFW has been disabled and selinux is in a disabled state.

/etc/bind/named.conf.options has

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //=======================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //=======================================================================
        dnssec-validation auto;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

/usr/lib/x86_64-linux-gnu/samba/bind9

-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_10.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_11.so
-rw-r--r-- 1 root root 38904 Apr 4 18:05 dlz_bind9_9.so

/etc/hosts

192.168.117.10 server5
192.168.117.10 server5.intdom.group

/etc/hostname

server5

On Sun, May 5, 2019 at 12:58 AM Rowland Penny via samba <samba at lists.samba.org> wrote: