On 31/08/2020 19:59, Peter Pollock wrote:
> Yes, it is 192.168.2.0/24
>
> Thank you.

OK, try these files:

/etc/bind/named.conf

-----------start---------------
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
----------end----------------

/etc/bind/named.conf.options

-------------start--------------------
options {
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.2.0/24; };
        allow-recursion { 192.168.2.0/24; 127.0.0.1/32; };
        forwarders {
                208.67.222.123;
                208.67.220.123;
        };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        dnssec-lookaside no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.2.8; 127.0.0.1; };

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
--------------------end----------------

/etc/bind/named.conf.local

----------------------start-------------------
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the Samba dlopen ( Bind DLZ ) module
include "/var/lib/samba/bind-dns/named.conf";
-----------------end------------------

/etc/bind/named.conf.default-zones

-------------------start----------------
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
----------------------end---------------------

/var/lib/samba/bind-dns/named.conf

------------------start--------------------
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";
};
--------------------------end------------------------

They are based on my working Bind9 files and that the Samba keytab etc are now in /var/lib/samba/bind-dns. Also that you are using Debian with Bind9.11.x

Any questions, please ask.

Rowland
Thanks Rowland. I need to do a backup before I try any changes so I'll try to get that done tonight and apply this. Maybe if I can get the DNS right, Zentyal won't be so unhappy and will actually allow me to update!

On Mon, Aug 31, 2020 at 12:09 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 31/08/2020 19:59, Peter Pollock wrote:
> > Yes, it is 192.168.2.0/24
> >
> > Thank you.
>
> OK, try these files:
>
> [...]
>
> They are based on my working Bind9 files and that the Samba keytab etc
> are now in /var/lib/samba/bind-dns. Also that you are using Debian with
> Bind9.11.x
>
> Any questions, please ask.
>
> Rowland
I just ran samba_dnsupdate --all-names and got this:
itadmin at genesis:~$ sudo samba_dnsupdate --all-names
add_interface: not adding duplicate interface 192.168.1.11
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
update failed: NOTAUTH
update failed: NOTAUTH
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 925, in <module>
    call_nsupdate(d)
  File "/usr/sbin/samba_dnsupdate", line 498, in call_nsupdate
    server = get_krb5_rw_dns_server(creds, zone)
  File "/usr/sbin/samba_dnsupdate", line 156, in get_krb5_rw_dns_server
    rw_dns_servers = get_possible_rw_dns_server(creds, domain)
  File "/usr/sbin/samba_dnsupdate", line 140, in get_possible_rw_dns_server
    ans_ns = check_one_dns_name(domain, 'NS')
  File "/usr/sbin/samba_dnsupdate", line 291, in check_one_dns_name
    ans = resolver.query(name, name_type)
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 1053, in query
    raise_on_no_answer)
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 234, in __init__
    raise NoAnswer(response=response)
dns.resolver.NoAnswer: The DNS response does not contain an answer to the question: _msdcs.kcs.local. IN NS
It looks to me like there is an NS record missing. Do I create this through Samba somehow, or should I use Windows RSAT tools to create the missing entry? I'm not 100% certain what answer it is looking for though.
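As an added example (not Samba's code and not from this thread), the check below mirrors the NS lookup samba_dnsupdate made when it raised NoAnswer above: it walks the records a DC is expected to answer and reports the ones the resolver cannot answer, so a missing record is found before the GSS-TSIG update is attempted. The record list and the sample answer table are this example's own assumptions, constructed so that the `_msdcs.kcs.local.` NS record is the missing one, as in the output above.

```python
class NoAnswer(Exception):
    """Stand-in for dns.resolver.NoAnswer seen in the traceback."""


def required_records(realm, dc_fqdn):
    """(name, rtype) pairs a DC is expected to answer. This list is the
    example's assumption (standard AD DNS layout); the _msdcs NS entry
    is the one samba_dnsupdate failed on."""
    realm = realm.rstrip(".") + "."
    return [
        (realm, "NS"),
        ("_msdcs." + realm, "NS"),
        (dc_fqdn.rstrip(".") + ".", "A"),
        ("_ldap._tcp." + realm, "SRV"),
        ("_kerberos._tcp." + realm, "SRV"),
        ("_ldap._tcp.dc._msdcs." + realm, "SRV"),
    ]


def find_missing(records, lookup):
    """Return the pairs for which lookup(name, rtype) yields no answer."""
    missing = []
    for name, rtype in records:
        try:
            answers = lookup(name, rtype)
        except NoAnswer:
            answers = []
        if not answers:
            missing.append((name, rtype))
    return missing


# Constructed answer table reproducing the thread: the kcs.local zone
# answers, but _msdcs.kcs.local. carries no NS record.
SAMPLE_ZONE = {
    ("kcs.local.", "NS"): ["genesis.kcs.local."],
    ("genesis.kcs.local.", "A"): ["192.168.2.8"],
    ("_ldap._tcp.kcs.local.", "SRV"): ["0 100 389 genesis.kcs.local."],
    ("_kerberos._tcp.kcs.local.", "SRV"): ["0 100 88 genesis.kcs.local."],
    ("_ldap._tcp.dc._msdcs.kcs.local.", "SRV"): ["0 100 389 genesis.kcs.local."],
}


def sample_lookup(name, rtype):
    """Offline resolver over SAMPLE_ZONE; raises NoAnswer like dnspython does."""
    if (name, rtype) not in SAMPLE_ZONE:
        raise NoAnswer("%s IN %s" % (name, rtype))
    return SAMPLE_ZONE[(name, rtype)]
```

To run it against a real DC, supply a lookup that queries the DC's address with dnspython and converts its NoAnswer/NXDOMAIN into the NoAnswer class above.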
On 01/09/2020 00:33, Peter Pollock wrote:
> I just ran samba_dnsupdate --all-names and got this:
>
> itadmin at genesis:~$ sudo samba_dnsupdate --all-names
> add_interface: not adding duplicate interface 192.168.1.11

You said that you were using the 192.168.2.0/24 network, where is that ip address coming from?

> ldb_wrap open of secrets.ldb
>
> update failed: NOTAUTH
> update failed: NOTAUTH
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 925, in <module>
>     call_nsupdate(d)
>   File "/usr/sbin/samba_dnsupdate", line 498, in call_nsupdate
>     server = get_krb5_rw_dns_server(creds, zone)
>   File "/usr/sbin/samba_dnsupdate", line 156, in get_krb5_rw_dns_server
>     rw_dns_servers = get_possible_rw_dns_server(creds, domain)
>   File "/usr/sbin/samba_dnsupdate", line 140, in get_possible_rw_dns_server
>     ans_ns = check_one_dns_name(domain, 'NS')
>   File "/usr/sbin/samba_dnsupdate", line 291, in check_one_dns_name
>     ans = resolver.query(name, name_type)
>   File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 1053, in query
>     raise_on_no_answer)
>   File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 234, in __init__
>     raise NoAnswer(response=response)
> dns.resolver.NoAnswer: The DNS response does not contain an answer to
> the question: _msdcs.kcs.local. IN NS

Is your TLD really '.local'? If it is, ensure that Avahi is turned off.

> It looks to me like there is an NS record missing. Do I create this
> through Samba somehow or should I use Windows RSAT tools to create the
> missing entry. I'm not 100% certain what answer it is looking for though.

Can you please download this script:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on a DC and post the output (sanitised if required) into a reply to this, do not attach it, this list removes attachments.

Rowland