samba - Feb 2020 - Why are ForeignSecurityPrincipals and Managed Service Accounts empty with no entries?

Hi Rowland,

This is my full /etc/named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query     { localhost; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
  recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
  control to limit queries to your legitimate users. Failing to do so will
  cause your server to become part of large scale DNS amplification
  attacks. Implementing BCP38 within your network would greatly
  reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";

tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
      minimal-responses yes;

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/usr/local/samba/bind-dns/named.conf";
[root at dc1 bind-dns]# cd /usr/local/samba/etc
[root at dc1 etc]# cat smb.conf
# Global parameters
[global]
netbios name = DC1
realm = TEO-EN-MING.CORP
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
workgroup = TEO-EN-MING
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[netlogon]
path = /usr/local/samba/var/locks/sysvol/teo-en-ming.corp/scripts
read only = No
[root at dc1 etc]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query     { localhost; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
  recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
  control to limit queries to your legitimate users. Failing to do so will
  cause your server to become part of large scale DNS amplification
  attacks. Implementing BCP38 within your network would greatly
  reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";

tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
      minimal-responses yes;

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/usr/local/samba/bind-dns/named.conf";





________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny
via samba <samba at lists.samba.org>
Sent: Tuesday, February 18, 2020 10:11 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Why are ForeignSecurityPrincipals and Managed Service
Accounts empty with no entries?

On 18/02/2020 13:44, Turritopsis Dohrnii Teo En Ming via samba
wrote:
> Hi Louis,
>
> My /etc/named.conf has the following line:
>
> include "/usr/local/samba/bind-dns/named.conf";
>
That isn't helpful, all DC's get that (or a version of it), we need to
see what you have altered (or haven't altered).

Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link:
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************


Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United
Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and
Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----

Resend.


________________________________
From: Turritopsis Dohrnii Teo En Ming <ceo at teo-en-ming-corp.com>
Sent: Wednesday, February 19, 2020 8:07 AM
To: samba at lists.samba.org <samba at lists.samba.org>; Rowland penny
<rpenny at samba.org>
Cc: Turritopsis Dohrnii Teo En Ming <ceo at teo-en-ming-corp.com>
Subject: Re: [Samba] Why are ForeignSecurityPrincipals and Managed Service
Accounts empty with no entries?

Hi Rowland,

This is my full /etc/named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query     { localhost; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
  recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
  control to limit queries to your legitimate users. Failing to do so will
  cause your server to become part of large scale DNS amplification
  attacks. Implementing BCP38 within your network would greatly
  reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";

tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
      minimal-responses yes;

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/usr/local/samba/bind-dns/named.conf";
[root at dc1 bind-dns]# cd /usr/local/samba/etc
[root at dc1 etc]# cat smb.conf
# Global parameters
[global]
netbios name = DC1
realm = TEO-EN-MING.CORP
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
workgroup = TEO-EN-MING
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[netlogon]
path = /usr/local/samba/var/locks/sysvol/teo-en-ming.corp/scripts
read only = No
[root at dc1 etc]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query     { localhost; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
  recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
  control to limit queries to your legitimate users. Failing to do so will
  cause your server to become part of large scale DNS amplification
  attacks. Implementing BCP38 within your network would greatly
  reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";

tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
      minimal-responses yes;

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/usr/local/samba/bind-dns/named.conf";





________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny
via samba <samba at lists.samba.org>
Sent: Tuesday, February 18, 2020 10:11 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Why are ForeignSecurityPrincipals and Managed Service
Accounts empty with no entries?

On 18/02/2020 13:44, Turritopsis Dohrnii Teo En Ming via samba
wrote:
> Hi Louis,
>
> My /etc/named.conf has the following line:
>
> include "/usr/local/samba/bind-dns/named.conf";
>
That isn't helpful, all DC's get that (or a version of it), we need to
see what you have altered (or haven't altered).

Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link:
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************


Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United
Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and
Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----

Resend.

________________________________
From: Turritopsis Dohrnii Teo En Ming <ceo at teo-en-ming-corp.com>
Sent: Wednesday, February 19, 2020 8:09 AM
To: samba at lists.samba.org <samba at lists.samba.org>; Rowland penny
<rpenny at samba.org>
Cc: Turritopsis Dohrnii Teo En Ming <ceo at teo-en-ming-corp.com>
Subject: Re: [Samba] Why are ForeignSecurityPrincipals and Managed Service
Accounts empty with no entries?


Resend.


________________________________
From: Turritopsis Dohrnii Teo En Ming <ceo at teo-en-ming-corp.com>
Sent: Wednesday, February 19, 2020 8:07 AM
To: samba at lists.samba.org <samba at lists.samba.org>; Rowland penny
<rpenny at samba.org>
Cc: Turritopsis Dohrnii Teo En Ming <ceo at teo-en-ming-corp.com>
Subject: Re: [Samba] Why are ForeignSecurityPrincipals and Managed Service
Accounts empty with no entries?

Hi Rowland,

This is my full /etc/named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query     { localhost; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
  recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
  control to limit queries to your legitimate users. Failing to do so will
  cause your server to become part of large scale DNS amplification
  attacks. Implementing BCP38 within your network would greatly
  reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";

tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
      minimal-responses yes;

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/usr/local/samba/bind-dns/named.conf";
[root at dc1 bind-dns]# cd /usr/local/samba/etc
[root at dc1 etc]# cat smb.conf
# Global parameters
[global]
netbios name = DC1
realm = TEO-EN-MING.CORP
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
workgroup = TEO-EN-MING
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[netlogon]
path = /usr/local/samba/var/locks/sysvol/teo-en-ming.corp/scripts
read only = No
[root at dc1 etc]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query     { localhost; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
  recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
  control to limit queries to your legitimate users. Failing to do so will
  cause your server to become part of large scale DNS amplification
  attacks. Implementing BCP38 within your network would greatly
  reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";

tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
      minimal-responses yes;

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/usr/local/samba/bind-dns/named.conf";





________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny
via samba <samba at lists.samba.org>
Sent: Tuesday, February 18, 2020 10:11 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Why are ForeignSecurityPrincipals and Managed Service
Accounts empty with no entries?

On 18/02/2020 13:44, Turritopsis Dohrnii Teo En Ming via samba
wrote:
> Hi Louis,
>
> My /etc/named.conf has the following line:
>
> include "/usr/local/samba/bind-dns/named.conf";
>
That isn't helpful, all DC's get that (or a version of it), we need to
see what you have altered (or haven't altered).

Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link:
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************


Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United
Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and
Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----

On 19/02/2020 00:07, Turritopsis Dohrnii Teo En Ming
wrote:
> Hi Rowland,
>
> This is my full /etc/named.conf:
>
Try it like this:


options {
 ??? directory "/var/named";
 ??? notify no;
 ??? empty-zones-enable no;
 ??? allow-query { 127.0.0.1; 192.168.0.0/24; };
 ??? allow-recursion { 127.0.0.1/32; 192.168.0.0/24; };
 ??? forwarders { 8.8.8.8; 8.8.4.4; };
 ??? allow-transfer { none; };
 ??? dnssec-validation no;
 ??? dnssec-enable no;
 ??? dnssec-lookaside no;
 ??? listen-on port 53 { any; };
 ??? listen-on-v6 port 53 { any; };
 ??? pid-file "/run/named/named.pid";
 ??? tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
 ??? minimal-responses yes;
};

logging {
 ??????? channel default_debug {
 ??????????????? file "data/named.run";
 ??????????????? severity dynamic;
 ??????? };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/usr/local/samba/bind-dns/named.conf";


Replace '192.168.0.0' with your networks address.

You may also want to change the forwarders.


Rowland

Hi Rowland,

I tried your suggested /etc/named.conf. ForeignSecurityPrincipals and Managed
Service Accounts are still empty in Active Directory Users and Computers. Is it
more of an integrated LDAP issue than a DNS issue??

I also noticed that Network Manager keeps overwriting my /etc/resolv.conf. Is
there a way to solve this secondary issue?

Thank you.



________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny
via samba <samba at lists.samba.org>
Sent: Wednesday, February 19, 2020 5:37 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Why are ForeignSecurityPrincipals and Managed Service
Accounts empty with no entries?

On 19/02/2020 00:07, Turritopsis Dohrnii Teo En Ming
wrote:
> Hi Rowland,
>
> This is my full /etc/named.conf:
>
Try it like this:


options {
     directory "/var/named";
     notify no;
     empty-zones-enable no;
     allow-query { 127.0.0.1; 192.168.0.0/24; };
     allow-recursion { 127.0.0.1/32; 192.168.0.0/24; };
     forwarders { 8.8.8.8; 8.8.4.4; };
     allow-transfer { none; };
     dnssec-validation no;
     dnssec-enable no;
     dnssec-lookaside no;
     listen-on port 53 { any; };
     listen-on-v6 port 53 { any; };
     pid-file "/run/named/named.pid";
     tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
     minimal-responses yes;
};

logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/usr/local/samba/bind-dns/named.conf";


Replace '192.168.0.0' with your networks address.

You may also want to change the forwarders.


Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link:
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************


Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United
Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and
Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----

Yes, configure it so it write the correct info in it. 
Something like this : 
https://pchelp.ricmedia.com/set-custom-dns-servers-linux-network-manager-resolv-conf/


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Turritopsis Dohrnii Teo En Ming via samba
> Verzonden: woensdag 19 februari 2020 14:24
> Aan: sambalist; Rowland penny
> CC: Turritopsis Dohrnii Teo En Ming
> Onderwerp: Re: [Samba] Why are ForeignSecurityPrincipals and 
> Managed Service Accounts empty with no entries?
> 
> 
> Hi Rowland,
> 
> I tried your suggested /etc/named.conf. 
> ForeignSecurityPrincipals and Managed Service Accounts are 
> still empty in Active Directory Users and Computers. Is it 
> more of an integrated LDAP issue than a DNS issue??
> 
> I also noticed that Network Manager keeps overwriting my 
> /etc/resolv.conf. Is there a way to solve this secondary issue?
> 
> Thank you.
> 
> 
> 
> ________________________________
> From: samba <samba-bounces at lists.samba.org> on behalf of 
> Rowland penny via samba <samba at lists.samba.org>
> Sent: Wednesday, February 19, 2020 5:37 PM
> To: sambalist <samba at lists.samba.org>
> Subject: Re: [Samba] Why are ForeignSecurityPrincipals and 
> Managed Service Accounts empty with no entries?
> 
> On 19/02/2020 00:07, Turritopsis Dohrnii Teo En Ming wrote:
> > Hi Rowland,
> >
> > This is my full /etc/named.conf:
> >
> Try it like this:
> 
> 
> options {
>      directory "/var/named";
>      notify no;
>      empty-zones-enable no;
>      allow-query { 127.0.0.1; 192.168.0.0/24; };
>      allow-recursion { 127.0.0.1/32; 192.168.0.0/24; };
>      forwarders { 8.8.8.8; 8.8.4.4; };
>      allow-transfer { none; };
>      dnssec-validation no;
>      dnssec-enable no;
>      dnssec-lookaside no;
>      listen-on port 53 { any; };
>      listen-on-v6 port 53 { any; };
>      pid-file "/run/named/named.pid";
>      tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
>      minimal-responses yes;
> };
> 
> logging {
>          channel default_debug {
>                  file "data/named.run";
>                  severity dynamic;
>          };
> };
> 
> zone "." IN {
> type hint;
> file "named.ca";
> };
> 
> include "/etc/named.rfc1912.zones";
> include "/usr/local/samba/bind-dns/named.conf";
> 
> 
> Replace '192.168.0.0' with your networks address.
> 
> You may also want to change the forwarders.
> 
> 
> Rowland
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> -----BEGIN EMAIL SIGNATURE-----
> 
> The Gospel for all Targeted Individuals (TIs):
> 
> [The New York Times] Microwave Weapons Are Prime Suspect in Ills of
> U.S. Embassy Workers
> 
> Link: 
> https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-m
> icrowave.html
> 
> **************************************************************
> ******************************
> 
> 
> Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
> Qualifications as at 14 Feb 2019 and refugee seeking attempts 
> at the United Nations Refugee Agency Bangkok (21 Mar 2017), 
> in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):
> 
> [1] https://tdtemcerts.wordpress.com/
> 
> [2] https://tdtemcerts.blogspot.sg/
> 
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
> 
> -----END EMAIL SIGNATURE-----
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>