Carlos Jesus
2021-Sep-09 00:30 UTC
[Samba] samba AD-DC with bind9, dyn-dns complains that "No AD dhcp user exists"
Hey Roland, thanks for the files. I've been "on the road" and only now (1:25AM) could do some tests.
I think that when you say allow-query { acl internals; }; and allow-recursion { acl internals; }; you actually mean allow-query { internals; }; and allow-recursion { internals; }; referring to the "acl internals" previously created? Well, after that modification, the files worked and everything is now cleaner.
It's still throwing errors, but I have a few theories about the keytab but I'll try again tomorrow. Well, later on today anyway...
I'll probably ask for more help, but thanks again.

best regards
CJ

Rowland Penny <rpenny at samba.org> wrote on Wednesday, 8/09/2021 at 16:59:

> On Wed, 2021-09-08 at 16:29 +0100, Carlos Jesus wrote:
> > They're here....
>
> OK, try these, based on my working (for the last 9 years) files, with
> data from yours:
>
> /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> /etc/bind/named.conf.options
>
> acl internals {
>     127.0.0.0/8;
>     192.168.1.0/24;
> };
>
> options {
>     directory "/var/cache/bind";
>     auth-nxdomain yes;
>     notify no;
>     empty-zones-enable no;
>     allow-query { acl internals; };
>     allow-recursion { acl internals; };
>     listen-on-v6 { none; };
>     forwarders {
>         8.8.8.8;
>         8.8.4.4;
>     };
>     dnssec-enable no;
>     dnssec-validation no;
>     tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
>     minimal-responses yes;
> };
>
> logging {
>     channel bind_log {
>         file "/var/log/bind/bind.log" versions 3 size 5m;
>         severity notice;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>     category default { bind_log; };
>     category update { bind_log; };
>     category update-security { bind_log; };
>     category security { bind_log; };
>     category queries { bind_log; };
>     category lame-servers { null; };
> };
>
> /etc/bind/named.conf.local
> include "/usr/local/samba/bind-dns/named.conf";
>
> /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> Rowland
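The syntax slip discussed in this message (writing `allow-query { acl internals; };` when BIND expects `allow-query { internals; };`, because `acl` only introduces a definition) is easy to miss when reviewing a hand-edited named.conf.options. The following script is an added example, not code from this thread or from the BIND project: a small regex-based review check (not a full named.conf parser) that flags `acl NAME` used inside an address-match list and references to ACL names that were never defined. The sample configuration it runs on is constructed here to mirror the one in the thread.

```python
"""Review check for BIND 9 address-match lists (added example).

Flags two mistakes:
  1. `allow-query { acl internals; };`   -> `acl` is not allowed inside a list
  2. `allow-query { trusted; };`         -> `trusted` was never defined with `acl`
Constructed sample input; a regex-based check, not a complete named.conf parser.
"""
import re

# Names BIND accepts in an address-match list without an `acl` definition.
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# Statements whose body is an address-match list (longest name first so the
# alternation cannot stop early on a shorter prefix).
AML_STATEMENTS = ("allow-query-cache", "allow-query", "allow-recursion",
                  "allow-transfer", "allow-update", "allow-notify")

ACL_DEF_RE = re.compile(r'^\s*acl\s+"?([\w.-]+)"?\s*\{', re.MULTILINE)
AML_RE = re.compile(r'\b(' + '|'.join(AML_STATEMENTS) + r')\s*\{([^}]*)\}')
# IPv4 or IPv6 literal, optionally with a prefix length.
ADDR_RE = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]*)(?:/\d{1,3})?$')


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot confuse the regexes."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)
    return re.sub(r'(//|#).*', '', text)


def defined_acls(text):
    """Names introduced by `acl NAME { ... };` definitions."""
    return set(ACL_DEF_RE.findall(strip_comments(text)))


def lint(text):
    """Return a list of (statement, element, problem); an empty list is clean."""
    text = strip_comments(text)
    known = defined_acls(text) | BUILTIN_ACLS
    findings = []
    for stmt, body in AML_RE.findall(text):
        for raw in body.split(';'):
            elem = raw.strip()
            if not elem:
                continue
            if re.match(r'^acl\s+', elem):
                findings.append((stmt, elem,
                                 "'acl' only defines a list; reference it by name"))
                continue
            if elem.startswith('key '):
                continue  # TSIG key references are legal list elements
            name = elem.lstrip('!').strip('"')  # a leading '!' negates an element
            if name in known or ADDR_RE.match(name):
                continue
            findings.append((stmt, elem, "undefined ACL name"))
    return findings


# Constructed sample mirroring the thread: the definition is fine, the
# references inside options {} repeat the mistake Carlos pointed out.
SAMPLE_BROKEN = """\
acl internals {
    127.0.0.0/8;
    192.168.1.0/24;
};

options {
    directory "/var/cache/bind";
    allow-query { acl internals; };      // should be { internals; }
    allow-recursion { acl internals; };  // should be { internals; }
    allow-transfer { none; };
    listen-on-v6 { none; };
};
"""

# Same file with the references corrected (the definition keeps its `acl`).
SAMPLE_FIXED = SAMPLE_BROKEN.replace("acl internals;", "internals;")


if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        findings = lint(sample)
        print(f"{label}: {len(findings)} finding(s)")
        for stmt, elem, why in findings:
            print(f"  {stmt} {{ {elem}; }}: {why}")
```

Run it against a copy of named.conf.options before restarting named on a DC; it reports the offending statement and element directly, which is quicker than reading the start-up failure out of the BIND log. It complements rather than replaces `named-checkconf`, which remains the authoritative syntax check.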
Carlos Jesus
2021-Sep-09 10:18 UTC
[Samba] samba AD-DC with bind9, dyn-dns complains that "No AD dhcp user exists"
Hello again,

As you have suggested, I've replaced all named files on both DC's, restarted bind and noticed some dns_tkey_gssnegotiate: TKEY is unacceptable errors on samba.log.
So I did https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable which worked as expected, but the errors persist.

So I tried something else; on a windoze machine I tried to use RSAT to manage the DNS. It complains that the "Active Directory Service is not available" and doesn't let me add any of the 2 servers. However, ADUC works fine and I can join machines to the domain.

I've also noticed that _msdcs is missing. Trying to create it with

samba-tool dns zonecreate DC1 _msdcs.SAMDOM.EXAMPLE

gives back the same old error

ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/dns.py", line 737, in run
    zone_create_info)

Any more clues?

Best regards
CJ

Carlos Jesus <camjesus2 at gmail.com> wrote on Thursday, 9/09/2021 at 01:30:

> Hey Roland, thanks for the files. I've been "on the road" and only now
> (1:25AM) could do some tests.
> I think that when you say allow-query { acl internals; }; and
> allow-recursion { acl internals; }; you actually mean allow-query
> { internals; }; and
> allow-recursion { internals; }; referring to the "acl internals"
> previously created? Well, after that modification, the files worked and
> everything is now cleaner.
> It's still throwing errors, but I have a few theories about the keytab but
> I'll try again tomorrow. Well, later on today anyway...
> I'll probably ask for more help, but thanks again.
>
> best regards
> CJ
>
> Rowland Penny <rpenny at samba.org> wrote on Wednesday, 8/09/2021 at
> 16:59:
>
>> On Wed, 2021-09-08 at 16:29 +0100, Carlos Jesus wrote:
>> > They're here....
>>
>> OK, try these, based on my working (for the last 9 years) files, with
>> data from yours:
>>
>> /etc/bind/named.conf
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> /etc/bind/named.conf.options
>>
>> acl internals {
>>     127.0.0.0/8;
>>     192.168.1.0/24;
>> };
>>
>> options {
>>     directory "/var/cache/bind";
>>     auth-nxdomain yes;
>>     notify no;
>>     empty-zones-enable no;
>>     allow-query { acl internals; };
>>     allow-recursion { acl internals; };
>>     listen-on-v6 { none; };
>>     forwarders {
>>         8.8.8.8;
>>         8.8.4.4;
>>     };
>>     dnssec-enable no;
>>     dnssec-validation no;
>>     tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
>>     minimal-responses yes;
>> };
>>
>> logging {
>>     channel bind_log {
>>         file "/var/log/bind/bind.log" versions 3 size 5m;
>>         severity notice;
>>         print-category yes;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>     category default { bind_log; };
>>     category update { bind_log; };
>>     category update-security { bind_log; };
>>     category security { bind_log; };
>>     category queries { bind_log; };
>>     category lame-servers { null; };
>> };
>>
>> /etc/bind/named.conf.local
>> include "/usr/local/samba/bind-dns/named.conf";
>>
>> /etc/bind/named.conf.default-zones
>>
>> // prime the server with knowledge of the root servers
>> zone "." {
>>     type hint;
>>     file "/usr/share/dns/root.hints";
>> };
>>
>> // be authoritative for the localhost forward and reverse zones, and for
>> // broadcast zones as per RFC 1912
>>
>> zone "localhost" {
>>     type master;
>>     file "/etc/bind/db.local";
>> };
>>
>> zone "127.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.127";
>> };
>>
>> zone "0.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.0";
>> };
>>
>> zone "255.in-addr.arpa" {
>>     type master;
>>     file "/etc/bind/db.255";
>> };
>>
>> Rowland