Benedikt Kaleß
2020-Apr-30 12:09 UTC
[Samba] bind9 refuses to start -> zone has no NS records
Hi,

I have to add a second DC to a Zone.
I use the sernet packages Version 4.11 on a debian 10 host.

The bind refuses to start:

root@addc-zone02:~# systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-04-30 14:51:58 EEST; 5s ago
     Docs: man:named(8)
  Process: 3733 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=1/FAILURE)
    Tasks: 0 (limit: 4701)
   Memory: 624.0K
   CGroup: /system.slice/bind9.service

Apr 30 14:51:58 addc-zone02 named[3734]: Loading 'AD DNS Zone' using driver dlopen
Apr 30 14:51:58 addc-zone02 named[3734]: samba_dlz: started for DN DC=example,DC=com
Apr 30 14:51:58 addc-zone02 named[3734]: samba_dlz: starting configure
Apr 30 14:51:58 addc-zone02 named[3734]: zone 21.168.192.in-addr.arpa/NONE: has no NS records
Apr 30 14:51:58 addc-zone02 named[3734]: samba_dlz: Failed to configure zone '21.168.192.in-addr.arpa'
Apr 30 14:51:58 addc-zone02 named[3734]: loading configuration: bad zone
Apr 30 14:51:58 addc-zone02 named[3734]: exiting (due to fatal error)
Apr 30 14:51:58 addc-zone02 systemd[1]: bind9.service: Control process exited, code=exited, status=1/FAILURE
Apr 30 14:51:58 addc-zone02 systemd[1]: bind9.service: Failed with result 'exit-code'.
Apr 30 14:51:58 addc-zone02 systemd[1]: Failed to start BIND Domain Name Server.

21.168.192.in-addr.arpa is an empty zone and I deleted that zone with the Windows DNS tool.

I have another DC where bind9 is running. I copied /etc/bind/named.conf.options and /etc/bind/named.conf.local
I also double checked permissions in /var/lib/samba/bind-dns and /var/lib/samba/private

Any tips are welcome. How can I start bind9 or where should I look for errors?

Best
Benedikt

--
forumZFD
Entschieden für Frieden|Committed to Peace

Benedikt Kaleß
Leiter Team IT|Head team IT

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany

Tel 0221 91273233 | Fax 0221 91273299 | http://www.forumZFD.de

Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht Köln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
L.P.H. van Belle
2020-Apr-30 12:17 UTC
[Samba] bind9 refuses to start -> zone has no NS records
Try this.

systemctl edit bind9
#/etc/systemd/system/bind9.service.d/override.conf
[Service]
ExecReload=

systemctl edit samba-ad-dc.service
#/etc/systemd/system/samba-ad-dc.service.d/override.conf
[Unit]
After=network.target network-online.target bind9.service

systemctl daemon-reload

systemctl restart bind9 samba-ad-dc

If that does not work, then, can you run this script:
https://github.com/thctlo/samba4/raw/master/samba-collect-debug-info.sh

Anonymize where needed, shows all I want to know.
At least, it's a good start ;-)

Greetz,

Louis
Rowland Penny
2020-Apr-30 12:27 UTC
[Samba] bind9 refuses to start -> zone has no NS records
On 30/04/2020 13:09, Benedikt Kaleß via samba wrote:
> 21.168.192.in-addr.arpa is an empty zone and I deleted that zone with the Windows DNS tool.

The reverse zone is the easiest to fix, just delete it (which you say you have) and then recreate it.

Get Louis's script and run it, the output should show any potential configuration problems.

Rowland
Benedikt Kaleß
2020-Apr-30 12:28 UTC
[Samba] bind9 refuses to start -> zone has no NS records
Thanks for the tip. I have still "zone has no NS records"

This is the output (anonymized) of the script -- sorry, I will post it directly next time ;)

Collected config  --- 2020-04-30-15:25 -----------

Hostname: addc-jor02
DNS Domain: example.com
FQDN: addc-jor02.example.com
ipaddress: 192.168.40.24

-----------

Kerberos SRV _kerberos._tcp.example.com record verified ok, sample output:
Server:         192.168.168.48
Address:        192.168.168.48#53

_kerberos._tcp.example.com    service = 0 100 88 addc-ho-1.example.com.
_kerberos._tcp.example.com    service = 0 100 88 addc-jor01.example.com.
_kerberos._tcp.example.com    service = 0 100 88 addc-lbn1.example.com.
_kerberos._tcp.example.com    service = 0 100 88 addc-ho-hos1.example.com.
Samba is not being run as a DC or a Unix domain member.

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------

This computer is running Debian 10.3 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:9d:c7:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.40.24/24 brd 192.168.40.255 scope global ens3
    inet6 fe80::5054:ff:fe9d:c7c1/64 scope link

-----------
       Checking file: /etc/hosts

127.0.0.1    localhost
192.168.40.24    addc-jor02.example.com    addc-jor02

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

       Checking file: /etc/resolv.conf

domain example.com
search example.com.
#nameserver 192.168.40.22
#nameserver 192.168.168.46
nameserver 192.168.168.48

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = example.com
    dns_lookup_realm = false
    dns_lookup_kdc = true

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

    Warning,  does not exist

-----------

Installed packages:
ii  krb5-config                       2.6           all    Configuration files for Kerberos Version 5
ii  krb5-locales                      1.17-3        all    internationalization support for MIT Kerberos
ii  libacl1:amd64                     2.2.53-4      amd64  access control list - shared library
ii  libattr1:amd64                    1:2.4.48-4    amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64            1.17-3        amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64          7.5.0+dfsg-3  amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                   1.17-3        amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.17-3        amd64  MIT Kerberos runtime libraries - Support library
ii  libwbclient0:amd64                99:4.11.8-7   amd64  Glue package for sernet-samba-libs.
ii  sernet-samba                      99:4.11.8-7   amd64  SMB/CIFS file, print, and login server for Unix
ii  sernet-samba-ad                   99:4.11.8-7   amd64  Samba Active Directory Domain Controller
ii  sernet-samba-client               99:4.11.8-7   amd64  a LanManager-like simple client for Unix
ii  sernet-samba-common               99:4.11.8-7   all    Samba common files used by both the server and the client
ii  sernet-samba-keyring              1.9           all    GnuPG archive keys of the SerNet Samba archive
ii  sernet-samba-libs:amd64           99:4.11.8-7   amd64  Samba common library files used by both the server and the client
ii  sernet-samba-libsmbclient0:amd64  99:4.11.8-7   amd64  Shared library that allows applications to talk to SMB servers
ii  sernet-samba-winbind              99:4.11.8-7   amd64  Samba nameservice integration server

-----------
L.P.H. van Belle
2020-Apr-30 12:40 UTC
[Samba] bind9 refuses to start -> zone has no NS records
See in between below, base config.
... Thumbs up.. Only minor parts.. Until the end.. ;-)

Minor change here :

>        Checking file: /etc/resolv.conf
>
> domain example.com     < remove this line, search replaces it already only 1 rules, the last..
> search example.com.    < remove the last .
> #nameserver 192.168.40.22
> #nameserver 192.168.168.46
> nameserver 192.168.168.48

Add optional the other AD-DC's.

> -----------
>
>        Checking file: /etc/krb5.conf
>
> [libdefaults]
>     default_realm = example.com   < I assume this is original in CAPS ;-)
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> -----------

My script output misses idmap.conf, but that's ok, most probably not needed.

>     Warning,  does not exist
>
> -----------

The Samba need also : Where is bind ?
From the AD-DC here I'm using with bind9

ii  acl         2.2.53-4              amd64  access control list - utilities
ii  attr        1:2.4.48-4            amd64  utilities for manipulating filesystem extended attributes
ii  bind9       1:9.11.5.P4+dfsg-5.1  amd64  Internet Domain Name Server
ii  bind9-host  1:9.11.5.P4+dfsg-5.1  amd64  DNS lookup utility (deprecated)
ii  bind9utils  1:9.11.5.P4+dfsg-5.1  amd64  Utilities for BIND
ii  xattr       0.9.6-1               amd64  tool for manipulating filesystem extended attributes

Check/install where these are?
apt install acl attr xattr bind9 bind9utils
Denis CARDON
2020-Apr-30 12:56 UTC
[Samba] bind9 refuses to start -> zone has no NS records
Hi Benedikt,

> Apr 30 14:51:58 addc-zone02 named[3734]: zone 21.168.192.in-addr.arpa/NONE: has no NS records
> Apr 30 14:51:58 addc-zone02 named[3734]: samba_dlz: Failed to configure zone '21.168.192.in-addr.arpa'

You said that the zone is empty. It is not a problem per se, but for some time Bind-DLZ has been a bit more strict and asks for an NS record for every zone. So you just have to create an NS field in your zone pointing to one of your DCs and you should be fine. Internal DNS does not have this requirement.

samba-tool dns mydc 21.168.192.in-addr.arpa @ NS mydc.mydomain.lan. -P

Cheers,

Denis
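The zones that named rejects can be read straight from journal lines like the ones quoted in this thread. The following is an added example, not part of any post and not Samba project code: it extracts every zone logged as "has no NS records" and prints (without running) a `samba-tool dns add` command per zone, with arguments in the order server, zone, name, type, data. The function names, the sample log and the server and name-server arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list zones that named rejected with
# "has no NS records" and print the command that adds an apex (@) NS record.

# Constructed sample: journal lines modelled on the ones posted in the thread,
# plus a repeated line and one zone name containing an unexpected character.
sample_log() {
cat <<'EOF'
Apr 30 14:51:58 addc-zone02 named[3734]: samba_dlz: starting configure
Apr 30 14:51:58 addc-zone02 named[3734]: zone 21.168.192.in-addr.arpa/NONE: has no NS records
Apr 30 14:51:58 addc-zone02 named[3734]: samba_dlz: Failed to configure zone '21.168.192.in-addr.arpa'
Apr 30 14:51:58 addc-zone02 named[3734]: loading configuration: bad zone
Apr 30 14:53:10 addc-zone02 named[3801]: zone 21.168.192.in-addr.arpa/NONE: has no NS records
Apr 30 14:53:10 addc-zone02 named[3801]: zone bad$zone.example/NONE: has no NS records
EOF
}

# stdin: log text; stdout: unique zone names, one per line.
zones_without_ns() {
    sed -n 's|.*named\[[0-9]*]: zone \([^/ ]*\)/[^:]*: has no NS records.*|\1|p' | sort -u
}

# $1: DC to send the update to (assumed name), $2: FQDN to use as NS data.
# stdin: zone names; stdout: one samba-tool command per accepted zone.
ns_fix_commands() (
    server=$1
    target=$2
    while IFS= read -r zone; do
        case $zone in
            ''|*[!A-Za-z0-9._-]*)
                # Log content is untrusted input: never paste it into a command.
                printf 'skipped zone name with unexpected characters\n' >&2
                continue ;;
        esac
        printf 'samba-tool dns add %s %s @ NS %s -Uadministrator\n' \
            "$server" "$zone" "$target"
    done
)

# On a DC the input would come from: journalctl -u bind9 --no-pager
sample_log | zones_without_ns | ns_fix_commands addc-zone02 addc-zone02.example.com
```

Review the printed commands before running them; the script only reads log text and never touches the directory itself.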
Benedikt Kaleß
2020-Apr-30 13:19 UTC
[Samba] bind9 refuses to start -> zone has no NS records
Hi Denis,

thanks a lot!

> you said that the zone is empty. It is not a problem per se but for some
> time Bind-DLZ has been a bit more strict and ask for a NS record for
> every zone. So you just have to create a NS field in your zone pointing
> to one of your DC and you should be fine. Internal DNS does not have
> this requirements.
>
> samba-tool dns mydc 21.168.192.in-addr.arpa @ NS mydc.mydomain.lan. -P

There is something missing, right?

perhaps this way:

samba-tool dns add|update mydc 21.168.192.in-addr.arpa NS mydc.mydomain.lan -Uadministrator
L.P.H. van Belle
2020-Apr-30 13:43 UTC
[Samba] bind9 refuses to start -> zone has no NS records
Now this looks all ok.
Really wrong here. All your zones as far as I can see are there.

Just setup resolv.conf like this. And remove domain, it's not needed anymore..

Now search order is important the first domain here is always the domain with the AD-DC in that zone.
And add the other (if needed locally on the server) to
search primary.dom.tld second.dom.tld dom.tld

Like this :
# /etc/resolv.conf
search zone-ad-dc-example.com example.com other.example.com
nameserver 192.168.40.24
nameserver 192.168.168.48
nameserver 192.168.168.44

So if the AD-DC is in reverse zone 192.168.40 then lookup the named.example.conf zone and make sure that first in the search line

man resolv.conf : states :
The domain and search keywords are mutually exclusive. If more than one instance of these keywords is present, the last instance wins.

In your case search.. So just remove domain, not needed.

Then reboot the server. Check again,
Run :
dig NS $(hostname -d)
dig NS $(hostname -d)

If it's all ok, you should see ALL the NS records.
Not ok, on the AD-DC.
dig NS $(hostname -d) @$(hostname -i)

So that I suspect here.
example.com, if you starting and it resolves..
And the resolving errors.

.com is requested to locate example (in .com) and that tries to find the NS record.
But.. Most probably on an internet DNS server.

That's what I think

Greetz,

Louis
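The resolv.conf points in this message can be checked mechanically. The following is an added example, not part of the post: it computes the search list actually in effect (the last `domain` or `search` line wins, as quoted from resolv.conf(5) above) and reports the items raised in the thread. Function names and finding labels are assumptions; the first sample is the file posted earlier in the thread, the second is the layout suggested in this message.

```shell
#!/bin/sh
# Added example (not from the thread): lint a resolv.conf for the points
# raised in this thread.

# Constructed sample: the file as posted in the collected debug output.
posted_resolv_conf() {
cat <<'EOF'
domain example.com
search example.com.
#nameserver 192.168.40.22
#nameserver 192.168.168.46
nameserver 192.168.168.48
EOF
}

# Constructed sample: the layout suggested in the message above.
suggested_resolv_conf() {
cat <<'EOF'
search zone-ad-dc-example.com example.com other.example.com
nameserver 192.168.40.24
nameserver 192.168.168.48
nameserver 192.168.168.44
EOF
}

# stdin: resolv.conf text; stdout: the search list in effect.
# Commented-out lines are ignored because their first field starts with '#'.
effective_search() {
    awk '$1 == "domain" || $1 == "search" {
             $1 = ""; sub(/^[ \t]+/, ""); last = $0
         }
         END { if (last != "") print last }'
}

# stdin: resolv.conf text; stdout: one finding per line, nothing if clean.
lint_resolv_conf() {
    awk '$1 == "domain"     { domain++ }
         $1 == "search"     { search++
                              for (i = 2; i <= NF; i++)
                                  if ($i ~ /\.$/) dotted = dotted " " $i }
         $1 == "nameserver" { ns++ }
         END {
             if (domain && search)
                 print "domain-and-search: mutually exclusive, only the last line is used"
             if (dotted != "")
                 print "trailing-dot:" dotted
             if (ns < 2)
                 print "nameservers: " (ns + 0) " active, no other DC listed"
         }'
}

posted_resolv_conf | lint_resolv_conf
```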