On Wed, 1 May 2024 06:51:00 -0700
Peter Carlson via samba <samba at lists.samba.org> wrote:
>
> On 5/1/24 02:02, Rowland Penny via samba wrote:
> > On Wed, 1 May 2024 09:18:54 +0100
> > Rowland Penny via samba<samba at lists.samba.org> wrote:
> >
> >> On Tue, 30 Apr 2024 07:54:15 -0700
> >> Peter Carlson via samba<samba at lists.samba.org> wrote:
> >>
> >>> Not sure if this library is provided by samba team or isc, but
I
> >>> can no longer start my named service if I connect it with
samba.
> >>> brief history: I am having problems with named hanging, isc
says
> >>> step1 is to upgrade to the latest bind.? As soon as I upgrade
to
> >>> latest bind, it wont start. Now the first step is to figure
out
> >>> which mailing list to talk to
> >>>
> >>> ?syslog:
> >>>
> >>> Apr 30 07:43:02 nc1 named[27557]: Loading 'AD DNS
Zone' using
> >>> driver dlopen
> >>> Apr 30 07:43:02 nc1 named[27557]: free(): invalid pointer
> >>> Apr 30 07:43:03 nc1 systemd[1]: named.service: Main
process
> >>> exited, code=killed, status=6/ABRT
> >>>
> >>> if I comment out the include it works
> >>> include "/var/lib/samba/bind-dns/named.conf";
> >>>
> >>> versions:
> >>> root at nc1:/etc/bind# named -version
> >>> BIND 9.18.26-1+ubuntu22.04.1+deb.sury.org+1-Ubuntu
(Extended
> >>> Support Version) <id:>
> >>> root at nc1:/etc/bind# smbd --version
> >>> Version 4.20.0-Ubuntu
> >>>
> >> OK, this works for myself, but using Samba 4.19.5 and named
> >> 9.18.24 on aarch64.
> >> It looks like something changed, but where.
> >>
> >> Does named start if you use the latest Ubuntu package (9.18.18
from
> >> security) with Samba 4.20.0 ?
> >>
> >> As far as I am aware, there have been no recent major changes in
> >> the Samba bind9_dlz code.
> >>
> >> Rowland
> >>
> I will try that combo this afternoon.? BTW, I was running on MJTs
> repo using the latest 4.17 version and it also has the same error. It
> was the error that moved me to try 4.20 branch.
> > I found your named.conf files on the bind9 mailing lists, why are
> > you using 'views' ?
> >
> > Also to raise the log level, you need to add '-d3' to the end
of the
> > database line in /var/lib/samba/bind-dns/named.conf, for example:
> >
> > database "dlopen
> > /usr/lib/aarch64-linux-gnu/samba/bind9/dlz_bind9_18.so" -d3;
> >
> > NOTE: You can use higher numbers than '3' which will give you
more
> > output.
> >
> > Rowland
>
> I will also add the debug this afternoon.? Views....I need diiferent
> resolution for internal users vs vpn users vs external users
>
> users.internal: all external resources, all domain resources, 3CX
> resolves directly to internal PBX? (override for XYZ.3cx.us)
>
> users.vpn: all external resources, all domain resources, 3CX resolves
> vi 3CX's domain servers
>
> users.external: all external resources
>
> Internal vs external is? easy with split level.? However the mess
> came from needing internal users to use the internal address of the
> PBX and vpn users needing the public ip of the pbx.
>
> Peter
I think your problems could be all down to the way that your dns is set
up, I do not think the Samba bind_dlz module knows anything about
'views'.
In an ideal world, the Samba dns server (be it the internal or Bind9)
should just be responsible for the AD domain and forward anything
unknown to another dns server (which is how dns servers generally work).
One of the reasons that people try to use a setup like yours, is that
they have a registered dns domain (lets say 'example.com') and then use
that domain for AD instead of something like 'ad.example.com'. This is
definitely not a good idea and isn't best practice.
If your AD is using something like 'ad.example.com' and your registered
dns domain is 'example.com', then I suggest you setup a dns server on a
non domain machine to work with your 'view' and forward everything for
'ad.example.com' to a DC.
If your external and AD dns domains are both the same, then you either
put up with the problems you are having or you rebuild your AD using a
supported dns domain.
As I said, it works for myself using the Debian Bookworm Bind9 package
and Samba 4.19.5 from BookWorm-backports (which from my understanding
is built exactly like the 4.20.0 mjt package), however, I do not use a
'view'
Rowland