compeilermail-openbc at yahoo.de
2023-Sep-15 13:30 UTC
[Samba] Problems with Samba as an AD and named
Hi,

I have Zentyal as an AD Server installed on an Ubuntu 20.04.6 System. All fine. It acts as a PDC. (In the past there was another, which broke and was not replaced, and the server is demoted and removed.) I have now problems with starting bind. I am unsure what led to that situation. But named does not want to start:

---------------------
Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
Sep 15 15:17:01 bombadil named[1936]: generating session key for dynamic DNS
Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
Sep 15 15:17:01 bombadil named[1936]: sizing zone task pool based on 24 zones
Sep 15 15:17:01 bombadil named[1936]: Loading 'AD DNS Zone' using driver dlopen
Sep 15 15:17:01 bombadil CRON[1987]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: started for DN DC=compeiler,DC=windows
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: starting configure
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: configured writeable zone 'compeiler.windows'
Sep 15 15:17:01 bombadil named[1936]: zone _msdcs.compeiler.windows/NONE: has no NS records
Sep 15 15:17:01 bombadil named[1936]: samba_dlz: Failed to configure zone '_msdcs.compeiler.windows'
Sep 15 15:17:01 bombadil named[1936]: loading configuration: bad zone
Sep 15 15:17:01 bombadil named[1936]: exiting (due to fatal error)
---------------------

A few days ago it still worked. I did updates on Zentyal and on Linux. But I cannot distinguish if one of them caused that situation or not. I also tried the following to "repair" the samba installation:

samba_upgradedns --dns-backend=BIND9_DLZ

but this did not change anything. I read many things but until now I am unable to start named and so the AD clients can't check - my children are worse than clients at work.
So I hope someone could help fast ;-)

Here the output of all relevant files from samba-collect-debug-info.sh from github. If some information is missing - I will add...

Thank you...
Matthias

Config collected --- 2023-09-15-14:06

-----------

Hostname:   bombadil
DNS Domain: compeiler.windows
Realm:      COMPEILER.WINDOWS
FQDN:       bombadil.compeiler.windows
ipaddress:  192.168.178.205

-----------

This computer is running Ubuntu 20.04.6 LTS x86_64

-----------

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet 127.0.1.1/8 scope host secondary lo
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 5c:26:0a:58:c9:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.205/24 brd 192.168.178.255 scope global eno1
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a0:88:b4:35:1a:98 brd ff:ff:ff:ff:ff:ff

-----------

Checking file: /etc/hosts

127.0.0.1       localhost.localdomain localhost
127.0.1.1       bombadil.compeiler.windows bombadil

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

Checking file: /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# and managed by Zentyal.
#
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
nameserver 127.0.0.1
nameserver 192.168.178.1

-----------

WARNING: 'kinit Administrator' will fail, you need to fix this.
Unable to verify DNS kerberos._tcp SRV records

-----------

'kinit Administrator' password checked failed.
Wrong password or kerberos REALM problems.

-----------

Samba is running as an AD DC

-----------

Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = COMPEILER.WINDOWS
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = no

-----------

Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         files systemd
passwd: compat winbind
# pre_auth-client-config # group:          files systemd
group: compat winbind
# pre_auth-client-config # shadow:         files
shadow: compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis

-----------

Checking file: /etc/samba/smb.conf

[global]
    workgroup = compeiler
    realm = COMPEILER.WINDOWS
    netbios name = bombadil
    server string = Zentyal Server
    server role = dc
    server role check:inhibit = yes
    server services = -dns
    server signing = auto
    dsdb:schema update allowed = yes
    ldap server require strong auth = no
    drs:max object sync = 1200

    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    template shell = /usr/bin/bash
    template homedir = /home/%U

    rpc server dynamic port range = 49152-65535

    interfaces = lo,eno1
    bind interfaces only = yes

    map to guest = Bad User

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000

    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/compeiler.windows/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

-----------

This DC is being used as a fileserver

Detected bind DLZ enabled..
Checking file: /etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

-----------

Checking file: /etc/bind/named.conf.options

options {
        sortlist {
                192.168.178.0/24;
        };
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;

    // DNSSEC configuration
    dnssec-enable yes;
    dnssec-validation yes;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        forward first;
        forwarders {
                192.168.178.1;
        };

        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    auth-nxdomain no;    # conform to RFC1035

    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { internal-local-nets; };
};

logging { category lame-servers { null; }; };

-----------

Checking file: /etc/bind/named.conf.local

// Generated by Zentyal

acl "trusted" {
    localhost;
    localnets;
};

acl "internal-local-nets" {
    192.168.178.0/24;
};

dlz "AD DNS Zone" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

zone "178.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.178.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant compeiler.windows. subdomain 178.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};

-----------

Checking file: /etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

-----------

Samba DNS zone list check :

ERROR: AD DC zones found in the Bind flat-files
       This is not allowed, you must remove them.
       Conflicting zone name : compeiler.windows
       File in question is : /etc/bind/named.conf.local:        grant compeiler.windows. subdomain 178.168.192.in-addr.arpa. PTR TXT;
/etc/bind/keys:key "compeiler.windows" {

-----------

ERROR: AD DC zones found in the Bind flat-files
       This is not allowed, you must remove them.
       Conflicting zone name : _msdcs.compeiler.windows
       File in question is :

-----------
-----------

unknown 'include' file '/etc/bind/keys' in /etc/bind/named.conf

-----------

Time on the DC with PDC Emulator role is: 2023-09-15T14:23:20
Time on this computer is:                 2023-09-15T14:23:21
Time verified ok, within the allowed 300sec margin.
Time offset is currently : 0 seconds

-----------

Installed packages:
ii  acl                       2.2.53-6                         amd64  access control list - utilities
ii  attr                      1:2.4.48-5                       amd64  utilities for manipulating filesystem extended attributes
ii  bind9                     1:9.16.1-0ubuntu2.15             amd64  Internet Domain Name Server
ii  bind9-dnsutils            1:9.16.1-0ubuntu2.15             amd64  Clients provided with BIND 9
ii  bind9-host                1:9.16.1-0ubuntu2.15             amd64  DNS Lookup Utility
ii  bind9-libs:amd64          1:9.16.1-0ubuntu2.15             amd64  Shared Libraries used by BIND 9
ii  bind9-utils               1:9.16.1-0ubuntu2.15             amd64  Utilities for BIND 9
ii  krb5-config               2.6ubuntu1                       all    Configuration files for Kerberos Version 5
ii  krb5-locales              1.17-6ubuntu4.3                  all    internationalization support for MIT Kerberos
ii  libacl1:amd64             2.2.53-6                         amd64  access control list - shared library
ii  libattr1:amd64            1:2.4.48-5                       amd64  extended attribute handling - shared library
ii  libauthen-krb5-easy-perl  0.92-0                           amd64  Simple Kerberos 5 interaction
ii  libgssapi-krb5-2:amd64    1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64  7.7.0+dfsg-1ubuntu1.4            amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64           1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64     1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64      2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64      2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64        2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba winbind client library
ii  python3-attr              19.3.0-2                         all    Attributes without boilerplate (Python 3)
ii  python3-nacl              1.3.0-5                          amd64  Python bindings to libsodium (Python 3)
ii  python3-samba             2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Python 3 bindings for Samba
ii  samba                     2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common              2:4.15.13+dfsg-0ubuntu0.20.04.5  all    common files used by both the Samba server and client
ii  samba-common-bin          2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64  2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba Directory Services Database
ii  samba-libs:amd64          2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba core libraries
ii  samba-vfs-modules:amd64   2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba Virtual FileSystem plugins
ii  winbind                   2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  service to resolve user and group information from Windows NT servers
ii  zentyal-samba             7.1.0                            all    Zentyal - Domain Controller and File Sharing
##### Please see inline comments #####

Note, my first inclination was to send you to zentyal, they are probably responsible for all the mistakes.

On Fri, 15 Sep 2023 13:30:43 +0000 (UTC) compeilermail-openbc--- via samba <samba at lists.samba.org> wrote:

> Hi,
> I have Zentyal as an AD Server installed on an Ubuntu 20.04.6
> System. All fine. It acts as a PDC.

I certainly hope it doesn't act as a PDC, that is something else entirely, I think you mean that it is an AD DC that holds all the FSMO roles. All AD DCs are equal, except some hold FSMO roles.

> (In the past there was another,
> which broke and was not replaced, and the server is demoted and
> removed.) I have now problems with starting bind. I am unsure what led
> to that situation. But named does not want to start:
> ---------------------
>
> Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
> Sep 15 15:17:01 bombadil named[1936]: generating session key for dynamic DNS
> Sep 15 15:17:01 bombadil named[1936]: unable to set effective uid to 0: Operation not permitted
> Sep 15 15:17:01 bombadil named[1936]: sizing zone task pool based on 24 zones
> Sep 15 15:17:01 bombadil named[1936]: Loading 'AD DNS Zone' using driver dlopen
> Sep 15 15:17:01 bombadil CRON[1987]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
> Sep 15 15:17:01 bombadil named[1936]: samba_dlz: started for DN DC=compeiler,DC=windows
> Sep 15 15:17:01 bombadil named[1936]: samba_dlz: starting configure
> Sep 15 15:17:01 bombadil named[1936]: samba_dlz: configured writeable zone 'compeiler.windows'
> Sep 15 15:17:01 bombadil named[1936]: zone _msdcs.compeiler.windows/NONE: has no NS records
> Sep 15 15:17:01 bombadil named[1936]: samba_dlz: Failed to configure zone '_msdcs.compeiler.windows'
> Sep 15 15:17:01 bombadil named[1936]: loading configuration: bad zone
> Sep 15 15:17:01 bombadil named[1936]: exiting (due to fatal error)

You appear to have serious problems, you do not seem to be able to become root and your forward zones do not seem to have the required records.

>
> ---------------------
> A few days ago it still worked. I did updates on Zentyal and on Linux.
> But I cannot distinguish if one of them caused that situation or not.
> I also tried the following to "repair" the samba installation:
> samba_upgradedns --dns-backend=BIND9_DLZ but this did not change
> anything. I read many things but until now I am unable to start named
> and so the AD clients can't check - my children are worse than
> clients at work. So I hope someone could help fast ;-)

You could try upgrading to the internal dns server and then upgrade to bind again.

>
> Here the output of all relevant files from
> samba-collect-debug-info.sh from github. If some information is
> missing - I will add... Thank you... Matthias
>
> Config collected --- 2023-09-15-14:06
> -----------
>
> Hostname:   bombadil
> DNS Domain: compeiler.windows
> Realm:      COMPEILER.WINDOWS
> FQDN:       bombadil.compeiler.windows
> ipaddress:  192.168.178.205
>
> -----------
>
> This computer is running Ubuntu 20.04.6 LTS x86_64
>
> -----------
>
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet 127.0.1.1/8 scope host secondary lo
> 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
>     link/ether 5c:26:0a:58:c9:92 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.178.205/24 brd 192.168.178.255 scope global eno1
> 3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>     link/ether a0:88:b4:35:1a:98 brd ff:ff:ff:ff:ff:ff
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1       localhost.localdomain localhost
> 127.0.1.1       bombadil.compeiler.windows bombadil

This is a DC, so it should be '192.168.178.205' not '127.0.1.1'

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8) # and managed by Zentyal.
> #
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE
> OVERWRITTEN #
> nameserver 127.0.0.1
> nameserver 192.168.178.1

Absolutely, totally wrong, it should be:

search compeiler.windows
nameserver 192.168.178.205

>
> -----------
>
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records

This is possibly because /etc/hosts and /etc/resolv.conf are wrong.

>
> -----------
>
> 'kinit Administrator' password checked failed.
> Wrong password or kerberos REALM problems.
>
> -----------
>
> Samba is running as an AD DC
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
>     default_realm = COMPEILER.WINDOWS
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>     rdns = no

Why not do reverse zone lookups ?

>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try: # `info libc "Name Service Switch"' for information
> about this file.
>
> # pre_auth-client-config # passwd:         files systemd
> passwd: compat winbind
> # pre_auth-client-config # group:          files systemd
> group: compat winbind
> # pre_auth-client-config # shadow:         files
> shadow: compat
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> # pre_auth-client-config # netgroup:       nis
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
>     workgroup = compeiler
>     realm = COMPEILER.WINDOWS
>     netbios name = bombadil
>     server string = Zentyal Server
>     server role = dc
>     server role check:inhibit = yes

Why is 'server role check: inhibit = yes' set ? Are you really trying to run nmbd ?

>     server services = -dns
>     server signing = auto
>     dsdb:schema update allowed = yes

Do you update the schema that regularly, that you need 'dsdb:schema update allowed = yes' set ?

>     ldap server require strong auth = no
>     drs:max object sync = 1200
>
>     idmap_ldb:use rfc2307 = yes
>
>     winbind enum users = yes
>     winbind enum groups = yes

The 'winbind enum' lines should only be set for testing purposes, they can slow things down.

>     template shell = /usr/bin/bash
>     template homedir = /home/%U
>
>     rpc server dynamic port range = 49152-65535

No need to set that, the ports listed are the defaults.

>
>     interfaces = lo,eno1
>     bind interfaces only = yes
>
>     map to guest = Bad User

'map to guest' on a DC ???????

>
>     log level = 3
>     log file = /var/log/samba/samba.log
>     max log size = 100000
>
>     include = /etc/samba/shares.conf

Samba does not recommend using a DC as a fileserver.

>
> [netlogon]
>     path = /var/lib/samba/sysvol/compeiler.windows/scripts
>     browseable = no
>     read only = yes
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = no
>
> -----------
>
> This DC is being used as a fileserver
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/keys";
>
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and
> for // broadcast zones as per RFC 1912
>
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
>
> include "/etc/bind/named.conf.local";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
>         sortlist {
>                 192.168.178.0/24;
>         };
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you might need to uncomment the query-source
>     // directive below.  Previous versions of BIND always asked
>     // questions using port 53, but BIND 8.1 and later use an
> unprivileged // port by default.
>
>     //query-source address * port 53;
>     //transfer-source * port 53;
>     //notify-source * port 53;
>
>     // DNSSEC configuration
>     dnssec-enable yes;
>     dnssec-validation yes;
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         forward first;

Do not 'forward first' on a Samba AD DC, it is supposed to be authoritative for your AD domain, it is anything outside the domain that is supposed to be forwarded.

>         forwarders {
>                 192.168.178.1;
>         };
>
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

That is the old path, it probably should be: /var/lib/samba/bind-dns/dns/dns.keytab

>
>     auth-nxdomain no;    # conform to RFC1035
>
>     allow-query { any; };
>     allow-recursion { trusted; };
>     allow-query-cache { trusted; };
>     allow-transfer { internal-local-nets; };
> };
>
> logging { category lame-servers { null; }; };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> // Generated by Zentyal
>
> acl "trusted" {
>     localhost;
>     localnets;
> };
>
> acl "internal-local-nets" {
>     192.168.178.0/24;
> };
>
> dlz "AD DNS Zone" {
>     database
> "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; };
>
> zone "178.168.192.in-addr.arpa" {
>     type master;
>     file "/var/lib/bind/db.178.168.192";
>     update-policy {
>         // The only allowed dynamic updates are PTR records
>         grant compeiler.windows. subdomain 178.168.192.in-addr.arpa.
> PTR TXT; // Grant from localhost
>         grant local-ddns zonesub any;
>     };
> };

That appears to be your reverse zone and shouldn't be in your bind conf files, it is in AD

>
> zone "10.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "16.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "17.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "18.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "19.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "20.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "21.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "22.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "23.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "24.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "25.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "26.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "27.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "28.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "29.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "30.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "31.172.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };
> zone "168.192.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.empty";
> };

Why all the reverse zones ? Do you actually use them ? If you do, they shouldn't be here, they should be in AD.

>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/usr/share/dns/root.hints";
> };
>
> // be authoritative for the localhost forward and reverse zones, and
> for // broadcast zones as per RFC 1912
>
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list check :
>
> ERROR: AD DC zones found in the Bind flat-files
>        This is not allowed, you must remove them.
>        Conflicting zone name : compeiler.windows
>        File in question is : /etc/bind/named.conf.local:        grant
> compeiler.windows. subdomain 178.168.192.in-addr.arpa. PTR
> TXT; /etc/bind/keys:key "compeiler.windows" {
>
> -----------
>
> ERROR: AD DC zones found in the Bind flat-files
>        This is not allowed, you must remove them.
>        Conflicting zone name : _msdcs.compeiler.windows
>        File in question is :
>
> -----------

You need to fix your bind conf files.

>
> -----------
>
> unknown 'include' file '/etc/bind/keys' in /etc/bind/named.conf
> -----------
>
> Time on the DC with PDC Emulator role is: 2023-09-15T14:23:20
> Time on this computer is:                 2023-09-15T14:23:21
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
>
> -----------
>
> Installed packages:
> ii  acl                       2.2.53-6                         amd64  access control list - utilities
> ii  attr                      1:2.4.48-5                       amd64  utilities for manipulating filesystem extended attributes
> ii  bind9                     1:9.16.1-0ubuntu2.15             amd64  Internet Domain Name Server
> ii  bind9-dnsutils            1:9.16.1-0ubuntu2.15             amd64  Clients provided with BIND 9
> ii  bind9-host                1:9.16.1-0ubuntu2.15             amd64  DNS Lookup Utility
> ii  bind9-libs:amd64          1:9.16.1-0ubuntu2.15             amd64  Shared Libraries used by BIND 9
> ii  bind9-utils               1:9.16.1-0ubuntu2.15             amd64  Utilities for BIND 9
> ii  krb5-config               2.6ubuntu1                       all    Configuration files for Kerberos Version 5
> ii  krb5-locales              1.17-6ubuntu4.3                  all    internationalization support for MIT Kerberos
> ii  libacl1:amd64             2.2.53-6                         amd64  access control list - shared library
> ii  libattr1:amd64            1:2.4.48-5                       amd64  extended attribute handling - shared library
> ii  libauthen-krb5-easy-perl  0.92-0                           amd64  Simple Kerberos 5 interaction
> ii  libgssapi-krb5-2:amd64    1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64  7.7.0+dfsg-1ubuntu1.4            amd64  Heimdal Kerberos - libraries
> ii  libkrb5-3:amd64           1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64     1.17-6ubuntu4.3                  amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64      2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba nameservice integration plugins
> ii  libpam-winbind:amd64      2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Windows domain authentication integration plugin
> ii  libwbclient0:amd64        2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba winbind client library
> ii  python3-attr              19.3.0-2                         all    Attributes without boilerplate (Python 3)
> ii  python3-nacl              1.3.0-5                          amd64  Python bindings to libsodium (Python 3)
> ii  python3-samba             2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Python 3 bindings for Samba
> ii  samba                     2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common              2:4.15.13+dfsg-0ubuntu0.20.04.5  all    common files used by both the Samba server and client
> ii  samba-common-bin          2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64  2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba Directory Services Database
> ii  samba-libs:amd64          2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba core libraries
> ii  samba-vfs-modules:amd64   2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  Samba Virtual FileSystem plugins
> ii  winbind                   2:4.15.13+dfsg-0ubuntu0.20.04.5  amd64  service to resolve user and group information from Windows NT servers
> ii  zentyal-samba             7.1.0                            all    Zentyal - Domain Controller and File Sharing
>
>

##### Please see inline comments #####

Rowland
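The points raised in the reply above (the DC's FQDN mapped to 127.0.1.1 in /etc/hosts, resolv.conf not pointing at the DC itself and lacking a search domain, 'forward first' in named.conf.options, the old dns.keytab path, and AD-managed zone names appearing in the flat-file BIND config) are all things a defender can check mechanically before named refuses to start. The script below is an added example and not code from the thread, from Samba or from Zentyal; the function names dc_dns_audit, dc_dns_warning_count, write_broken_sample and write_fixed_sample are my own. It never reads the real /etc: the sample files are constructed copies of the configuration posted in the thread, and the "fixed" copy applies the corrections the reply suggests (keytab moved out of private/, which is the only part of the reply's path the check relies on).

```shell
#!/bin/sh
# Added example, not part of the thread: audit the DNS-related files of a
# Samba AD DC using the BIND9_DLZ backend for the mistakes the reply flags.
# All input comes from constructed sample files written into a temp directory.

note() { echo "WARN: $1"; }

# dc_dns_audit DIR FQDN IP DOMAIN
# DIR holds copies of hosts, resolv.conf, named.conf.options, named.conf.local.
# Prints one WARN line per finding; returns 1 if anything was found, else 0.
dc_dns_audit() {
    dir=$1 fqdn=$2 ip=$3 domain=$4
    found=0

    # /etc/hosts: a DC's FQDN must map to its LAN address, never 127.0.1.1.
    if grep -Eq "^127\.0\.1\.1[[:space:]]+$fqdn" "$dir/hosts"; then
        note "hosts: $fqdn maps to 127.0.1.1, should be $ip"; found=1
    fi

    # resolv.conf: search domain present, and the DC itself as the nameserver.
    grep -Eq "^search[[:space:]]+$domain" "$dir/resolv.conf" ||
        { note "resolv.conf: missing 'search $domain'"; found=1; }
    for ns in $(awk '/^nameserver/ {print $2}' "$dir/resolv.conf"); do
        [ "$ns" = "$ip" ] ||
            { note "resolv.conf: nameserver $ns, should be $ip"; found=1; }
    done

    # named.conf.options: no 'forward first' on a server that is authoritative
    # for the AD domain, and no keytab under the old private/ path.
    if grep -Eq '^[[:space:]]*forward[[:space:]]+first' "$dir/named.conf.options"; then
        note "named.conf.options: 'forward first' set on an AD DC"; found=1
    fi
    if grep -Eq 'tkey-gssapi-keytab.*/private/dns\.keytab' "$dir/named.conf.options"; then
        note "named.conf.options: keytab uses old /private/ path"; found=1
    fi

    # named.conf.local: AD-managed zones live in AD, not in flat-file config
    # (a 'zone' declaration or a 'grant <domain>.' rule both count).
    for z in "$domain" "_msdcs.$domain"; do
        if grep -Eq "(^zone[[:space:]]+\"$z\"|grant[[:space:]]+$z\.)" "$dir/named.conf.local"; then
            note "named.conf.local: AD zone $z referenced in flat-file config"; found=1
        fi
    done
    return $found
}

# Number of WARN lines the audit produces for the given arguments.
dc_dns_warning_count() { dc_dns_audit "$@" | grep -c '^WARN' || true; }

# Constructed copy of the configuration as posted in the thread.
write_broken_sample() {
    mkdir -p "$1"
    printf '127.0.0.1\tlocalhost.localdomain localhost\n127.0.1.1\tbombadil.compeiler.windows bombadil\n' > "$1/hosts"
    printf 'nameserver 127.0.0.1\nnameserver 192.168.178.1\n' > "$1/resolv.conf"
    printf 'options {\n\tforward first;\n\tforwarders { 192.168.178.1; };\n\ttkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";\n};\n' > "$1/named.conf.options"
    printf 'dlz "AD DNS Zone" { database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; };\nzone "178.168.192.in-addr.arpa" {\n\ttype master;\n\tupdate-policy { grant compeiler.windows. subdomain 178.168.192.in-addr.arpa. PTR TXT; };\n};\n' > "$1/named.conf.local"
}

# Constructed copy with the reply's corrections applied.
write_fixed_sample() {
    mkdir -p "$1"
    printf '127.0.0.1\tlocalhost\n192.168.178.205\tbombadil.compeiler.windows bombadil\n' > "$1/hosts"
    printf 'search compeiler.windows\nnameserver 192.168.178.205\n' > "$1/resolv.conf"
    printf 'options {\n\tforwarders { 192.168.178.1; };\n\ttkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";\n};\n' > "$1/named.conf.options"
    printf 'dlz "AD DNS Zone" { database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; };\n' > "$1/named.conf.local"
}

# Demo: run the audit over both constructed samples.
tmp=$(mktemp -d)
write_broken_sample "$tmp/broken"
write_fixed_sample "$tmp/fixed"
echo "== configuration as posted =="
dc_dns_audit "$tmp/broken" bombadil.compeiler.windows 192.168.178.205 compeiler.windows || true
echo "== after the reply's corrections =="
dc_dns_audit "$tmp/fixed" bombadil.compeiler.windows 192.168.178.205 compeiler.windows && echo "no findings"
rm -rf "$tmp"
```

To use it on a real DC, copy the four files into a scratch directory and call dc_dns_audit with that directory, the DC's FQDN, its LAN address and the AD DNS domain; the WARN lines map one-to-one onto the corrections in the reply, and a clean run is a reasonable precondition before trying samba_upgradedns or restarting named again.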