Switching from Internal DNS to Bind9_DLZ

23 messages

Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
Hello,

     Installing bind9 on my Ubuntu 14.04 via apt-get displays the
following options.

  #named -V
BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version) <id:f9b8a50e>
built by make with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'

The Samba wiki states I should see;

named -V
BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...

As you can see I have;

'--with-gssapi=/usr' and *NO* '--with-dlopen=yes'

Is it possible to enable '--with-dlopen=yes' without compiling? Thanks.



--
James

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On Tue, 2 Jan 2018 12:09:33 -0500
lingpanda101 via samba <[hidden email]> wrote:

> Hello,
>
>      Installing bind9 on my Ubuntu 14.04 via apt-get displays the
> following options.
>
>   #named -V
> BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
> <id:f9b8a50e> built by make with '--prefix=/usr'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
> '--enable-largefile' '--with-libtool' '--enable-shared'
> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
> -DDIG_SIGCHASE -O2'
>
> The Samba wiki states I should see;
>
> named -V
> BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
>
> As you can see I have;
>
> '--with-gssapi=/usr' and *NO* '--with-dlopen=yes'
>
> Is it possible to enable '--with-dlopen=yes' without compiling?
> Thanks.
>
>
>

No, but funnily enough, you won't be able to enable it by compiling it
either ;-)

It is now built into the standard compiled Bind9, so I suppose the real
answer to your question is that you can use the standard Bind9 package
on 14.04 with Samba.

I will update the wiki page.

Rowland

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 12:25 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 12:09:33 -0500
> lingpanda101 via samba <[hidden email]> wrote:
>
>> Hello,
>>
>>       Installing bind9 on my Ubuntu 14.04 via apt-get displays the
>> following options.
>>
>>    #named -V
>> BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
>> <id:f9b8a50e> built by make with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>> '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>> -DDIG_SIGCHASE -O2'
>>
>> The Samba wiki states I should see;
>>
>> named -V
>> BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
>>
>> As you can see I have;
>>
>> '--with-gssapi=/usr' and *NO* '--with-dlopen=yes'
>>
>> Is it possible to enable '--with-dlopen=yes' without compiling?
>> Thanks.
>>
>>
>>
> No, but funnily enough, you won't be able to enable it by compiling it
> either ;-)
>
> It is now built into the standard compiled Bind9, so I suppose the real
> answer to your question is that you can use the standard Bind9 package
> on 14.04 with Samba.
>
> I will update the wiki page.
>
> Rowland

Thank you.

I notice that when installing bind9 via apt-get, I get a user and group
created called 'bind' rather than 'named'. I assume I can just use
'bind' when following the wiki here;

Enable the BIND user to read the root servers list:
# chown root:named /var/named/named.root
# chmod 640 /var/named/named.root


--
James

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 12:25 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 12:09:33 -0500
> lingpanda101 via samba <[hidden email]> wrote:
>
>> Hello,
>>
>>       Installing bind9 on my Ubuntu 14.04 via apt-get displays the
>> following options.
>>
>>    #named -V
>> BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
>> <id:f9b8a50e> built by make with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>> '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>> -DDIG_SIGCHASE -O2'
>>
>> The Samba wiki states I should see;
>>
>> named -V
>> BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
>>
>> As you can see I have;
>>
>> '--with-gssapi=/usr' and *NO* '--with-dlopen=yes'
>>
>> Is it possible to enable '--with-dlopen=yes' without compiling?
>> Thanks.
>>
>>
>>
> No, but funnily enough, you won't be able to enable it by compiling it
> either ;-)
>
> It is now built into the standard compiled Bind9, so I suppose the real
> answer to your question is that you can use the standard Bind9 package
> on 14.04 with Samba.
>
> I will update the wiki page.
>
> Rowland

I compiled Samba 4.7.4 from source (./configure, make, make install) but
do not have the following.

/usr/local/samba/private/named.conf


Therefore I'm unable to complete the next step in the wiki;

Edit the /usr/local/samba/private/named.conf file and uncomment the
module for your BIND version. For example:

dlz "AD DNS Zone" {
     # For BIND 9.8
     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

     # For BIND 9.9
     database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

     # For BIND 9.10
     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";

     # For BIND 9.11
     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};

--
James

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 12:25 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 12:09:33 -0500
> lingpanda101 via samba <[hidden email]> wrote:
>
>> Hello,
>>
>>       Installing bind9 on my Ubuntu 14.04 via apt-get displays the
>> following options.
>>
>>    #named -V
>> BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
>> <id:f9b8a50e> built by make with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>> '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>> -DDIG_SIGCHASE -O2'
>>
>> The Samba wiki states I should see;
>>
>> named -V
>> BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
>>
>> As you can see I have;
>>
>> '--with-gssapi=/usr' and *NO* '--with-dlopen=yes'
>>
>> Is it possible to enable '--with-dlopen=yes' without compiling?
>> Thanks.
>>
>>
>>
> No, but funnily enough, you won't be able to enable it by compiling it
> either ;-)
>
> It is now built into the standard compiled Bind9, so I suppose the real
> answer to your question is that you can use the standard Bind9 package
> on 14.04 with Samba.
>
> I will update the wiki page.
>
> Rowland

On second read through.  I assume the only contents in named.conf is

dlz "AD DNS Zone" {
     # For BIND 9.8
     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

     # For BIND 9.9
      # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

     # For BIND 9.10
     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";

     # For BIND 9.11
     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};


It's safe to create this file myself then I would suppose?

--
James

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On Tue, 2 Jan 2018 12:43:40 -0500
lingpanda101 <[hidden email]> wrote:

> On 1/2/2018 12:25 PM, Rowland Penny wrote:
> > On Tue, 2 Jan 2018 12:09:33 -0500
> > lingpanda101 via samba <[hidden email]> wrote:
> >
> >> Hello,
> >>
> >>       Installing bind9 on my Ubuntu 14.04 via apt-get displays the
> >> following options.
> >>
> >>    #named -V
> >> BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
> >> <id:f9b8a50e> built by make with '--prefix=/usr'
> >> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> >> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
> >> '--enable-largefile' '--with-libtool' '--enable-shared'
> >> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
> >> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
> >> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
> >> -DDIG_SIGCHASE -O2'
> >>
> >> The Samba wiki states I should see;
> >>
> >> named -V
> >> BIND 9.x.y built with ... '--with-dlopen=yes'
> >> '--with-gssapi=yes' ...
> >>
> >> As you can see I have;
> >>
> >> '--with-gssapi=/usr' and *NO* '--with-dlopen=yes'
> >>
> >> Is it possible to enable '--with-dlopen=yes' without compiling?
> >> Thanks.
> >>
> >>
> >>
> > No, but funnily enough, you won't be able to enable it by compiling it
> > either ;-)
> >
> > It is now built into the standard compiled Bind9, so I suppose the
> > real answer to your question is that you can use the standard Bind9
> > package on 14.04 with Samba.
> >
> > I will update the wiki page.
> >
> > Rowland
>
> Thank you.
>
> I notice that when installing bind9 via apt-get, I get a user and
> group created called 'bind' rather than 'named'. I assume I can just
> use 'bind' when following the wiki here;
>
> Enable the BIND user to read the root servers list:
> # chown root:named /var/named/named.root
> # chmod 640 /var/named/named.root
>
>

If you use a Red Hat based distro and install Bind9, you get a user &
group called 'named', and if you use a Debian based distro, you get a
user & group called 'bind'.
This means that where you find a user or group called 'named' and you
are on Debian, you can replace this with 'bind'.

Rowland

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On Tue, 2 Jan 2018 13:20:40 -0500
lingpanda101 via samba <[hidden email]> wrote:

> On 1/2/2018 12:25 PM, Rowland Penny wrote:
> > On Tue, 2 Jan 2018 12:09:33 -0500
> > lingpanda101 via samba <[hidden email]> wrote:
> >
> >> Hello,
> >>
> >>       Installing bind9 on my Ubuntu 14.04 via apt-get displays the
> >> following options.
> >>
> >>    #named -V
> >> BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
> >> <id:f9b8a50e> built by make with '--prefix=/usr'
> >> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> >> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
> >> '--enable-largefile' '--with-libtool' '--enable-shared'
> >> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
> >> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
> >> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
> >> -DDIG_SIGCHASE -O2'
> >>
> >> The Samba wiki states I should see;
> >>
> >> named -V
> >> BIND 9.x.y built with ... '--with-dlopen=yes'
> >> '--with-gssapi=yes' ...
> >>
> >> As you can see I have;
> >>
> >> '--with-gssapi=/usr' and *NO* '--with-dlopen=yes'
> >>
> >> Is it possible to enable '--with-dlopen=yes' without compiling?
> >> Thanks.
> >>
> >>
> >>
> > No, but funnily enough, you won't be able to enable it by compiling it
> > either ;-)
> >
> > It is now built into the standard compiled Bind9, so I suppose the
> > real answer to your question is that you can use the standard Bind9
> > package on 14.04 with Samba.
> >
> > I will update the wiki page.
> >
> > Rowland
>
> On second read through.  I assume the only contents in named.conf is
>
> dlz "AD DNS Zone" {
>      # For BIND 9.8
>      # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
>
>      # For BIND 9.9
>       # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
>
>      # For BIND 9.10
>      # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";
>
>      # For BIND 9.11
>      # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
> };
>
>
> It's safe to create this file myself then I would suppose?
>

If you didn't have Bind9 installed when you compiled Samba, you will
not have the file. You will have a file called 'samba_upgradedns'
though and guess what you use this for ;-)

Rowland

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 12:25 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 12:09:33 -0500
> lingpanda101 via samba <[hidden email]> wrote:
>
>> Hello,
>>
>>       Installing bind9 on my Ubuntu 14.04 via apt-get displays the
>> following options.
>>
>>    #named -V
>> BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
>> <id:f9b8a50e> built by make with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>> '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>> -DDIG_SIGCHASE -O2'
>>
>> The Samba wiki states I should see;
>>
>> named -V
>> BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
>>
>> As you can see I have;
>>
>> '--with-gssapi=/usr' and *NO* '--with-dlopen=yes'
>>
>> Is it possible to enable '--with-dlopen=yes' without compiling?
>> Thanks.
>>
>>
>>
> No, but funnily enough, you won't be able to enable it by compiling it
> either ;-)
>
> It is now built into the standard compiled Bind9, so I suppose the real
> answer to your question is that you can use the standard Bind9 package
> on 14.04 with Samba.
>
> I will update the wiki page.
>
> Rowland

A few other observations while attempting to switch.

  * I do not have a dns.keytab file. Should I, or is it created after
    attempting to switch?
  * running 'named-checkconf' throws an error.

named-checkconf
/etc/bind/named.conf:15: 'options' redefined near 'options'

My 'named.conf' is the following

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";

# Global Configuration Options
options {

     auth-nxdomain yes;
     directory "/var/named";
     notify no;
     empty-zones-enable no;
     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

     # IP addresses and network ranges allowed to query the DNS server:
     allow-query {
         127.0.0.1;
         172.0.0.0/8;
     };

     # IP addresses and network ranges allowed to run recursive queries:
     # (Zones not served by this DNS server)
     allow-recursion {
         127.0.0.1;
         172.0.0.0/8;
     };

     # Forward queries that can not be answered from own zones
     # to these DNS servers:
     forwarders {
         8.8.8.8;
         8.8.4.4;
     };

     # Disable zone transfers
     allow-transfer {
         none;
     };
  };

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
     type master;
     file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
     type master;
     file "master/0.0.127.zone";
};


--
James

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On Tue, 2 Jan 2018 13:38:52 -0500
lingpanda101 via samba <[hidden email]> wrote:


>
> A few other observations while attempting to switch.
>
>   * I do not have a dns.keytab file. Should I, or is it created after
>     attempting to switch?

See my earlier post about samba_dnsupgrade.

>   * running 'named-checkconf' throws an error.

It would, it cannot find the zones files that are now in AD.

Rowland

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 1:51 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 13:38:52 -0500
> lingpanda101 via samba <[hidden email]> wrote:
>
>
>> A few other observations while attempting to switch.
>>
>>    * I do not have a dns.keytab file. Should I, or is it created after
>>      attempting to switch?
> See my earlier post about samba_dnsupgrade.
>
>>    * running 'named-checkconf' throws an error.
> It would, it cannot find the zones files that are now in AD.
>
> Rowland

Rowland,

     I think I'm on the home stretch :). However I am running into an
issue after switching the backend. The switch command completes
successfully. Bind starts but I get errors when attempting to run this
command after reboot.

samba_dnsupdate --verbose --all-names

I get this error for all updates.

TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as DDC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.domain.local.   900     IN      A       172.16.22.27


I can connect to the server via Windows DNS Manager and browse.


--
James

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On Tue, 2 Jan 2018 14:15:11 -0500
lingpanda101 <[hidden email]> wrote:

> On 1/2/2018 1:51 PM, Rowland Penny wrote:
> > On Tue, 2 Jan 2018 13:38:52 -0500
> > lingpanda101 via samba <[hidden email]> wrote:
> >
> >
> >> A few other observations while attempting to switch.
> >>
> >>    * I do not have a dns.keytab file. Should I, or is it created after
> >>      attempting to switch?
> > See my earlier post about samba_dnsupgrade.
> >
> >>    * running 'named-checkconf' throws an error.
> > It would, it cannot find the zones files that are now in AD.
> >
> > Rowland
>
> Rowland,
>
>      I think I'm on the home stretch :). However I am running into an
> issue after switching the backend. The switch command completes
> successfully. Bind starts but I get errors when attempting to run
> this command after reboot.
>
> samba_dnsupdate --verbose --all-names
>
> I get this error for all updates.
>
> TSIG error with server: tsig indicates error
> update failed: NOTAUTH(BADSIG)
> Failed nsupdate: 2
> update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
> Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
> Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as
> DDC2$ Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.domain.local.   900     IN      A       172.16.22.27
>
>
> I can connect to the server via Windows DNS Manager and browse.
>
>

Try adding '--use-samba-tool' to the 'samba_dnsupdate' command

Rowland

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 2:23 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 14:15:11 -0500
> lingpanda101 <[hidden email]> wrote:
>
>> On 1/2/2018 1:51 PM, Rowland Penny wrote:
>>> On Tue, 2 Jan 2018 13:38:52 -0500
>>> lingpanda101 via samba <[hidden email]> wrote:
>>>
>>>
>>>> A few other observations while attempting to switch.
>>>>
>>>>     * I do not have a dns.keytab file. Should I, or is it created after
>>>>       attempting to switch?
>>> See my earlier post about samba_dnsupgrade.
>>>
>>>>     * running 'named-checkconf' throws an error.
>>> It would, it cannot find the zones files that are now in AD.
>>>
>>> Rowland
>> Rowland,
>>
>>       I think I'm on the home stretch :). However I am running into an
>> issue after switching the backend. The switch command completes
>> successfully. Bind starts but I get errors when attempting to run
>> this command after reboot.
>>
>> samba_dnsupdate --verbose --all-names
>>
>> I get this error for all updates.
>>
>> TSIG error with server: tsig indicates error
>> update failed: NOTAUTH(BADSIG)
>> Failed nsupdate: 2
>> update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
>> Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
>> Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as
>> DDC2$ Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> gc._msdcs.domain.local.   900     IN      A       172.16.22.27
>>
>>
>> I can connect to the server via Windows DNS Manager and browse.
>>
>>
> Try adding '--use-samba-tool' to the 'samba_dnsupdate' command
>
> Rowland

Rowland,

     All kinds of errors now with that command;

20 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as DDC2$
update (samba-tool): A domain.local 172.16.22.27
Calling samba-tool dns for A domain.local 172.16.22.27 (add)
Calling samba-tool dns add -k no -P ['172.16.22.27', 'domain.local',
'@', 'A', '172.16.22.27']
ERROR(runtime): uncaught exception - (9711,
'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
   File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
940, in run
     raise e
Failed 'samba-tool dns' based update of A domain.local 172.16.22.27

--
James

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 2:23 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 14:15:11 -0500
> lingpanda101 <[hidden email]> wrote:
>
>> On 1/2/2018 1:51 PM, Rowland Penny wrote:
>>> On Tue, 2 Jan 2018 13:38:52 -0500
>>> lingpanda101 via samba <[hidden email]> wrote:
>>>
>>>
>>>> A few other observations while attempting to switch.
>>>>
>>>>     * I do not have a dns.keytab file. Should I, or is it created after
>>>>       attempting to switch?
>>> See my earlier post about samba_dnsupgrade.
>>>
>>>>     * running 'named-checkconf' throws an error.
>>> It would, it cannot find the zones files that are now in AD.
>>>
>>> Rowland
>> Rowland,
>>
>>       I think I'm on the home stretch :). However I am running into an
>> issue after switching the backend. The switch command completes
>> successfully. Bind starts but I get errors when attempting to run
>> this command after reboot.
>>
>> samba_dnsupdate --verbose --all-names
>>
>> I get this error for all updates.
>>
>> TSIG error with server: tsig indicates error
>> update failed: NOTAUTH(BADSIG)
>> Failed nsupdate: 2
>> update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
>> Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
>> Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as
>> DDC2$ Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> gc._msdcs.domain.local.   900     IN      A       172.16.22.27
>>
>>
>> I can connect to the server via Windows DNS Manager and browse.
>>
>>
> Try adding '--use-samba-tool' to the 'samba_dnsupdate' command
>
> Rowland

I will add that DNS is replicating correctly.  I deleted and added a DNS
A record and it replicated instantaneously across sites.

--
James

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On Tue, 2 Jan 2018 14:40:10 -0500
lingpanda101 <[hidden email]> wrote:

> On 1/2/2018 2:23 PM, Rowland Penny wrote:
> > On Tue, 2 Jan 2018 14:15:11 -0500
> > lingpanda101 <[hidden email]> wrote:
> >
> >> On 1/2/2018 1:51 PM, Rowland Penny wrote:
> >>> On Tue, 2 Jan 2018 13:38:52 -0500
> >>> lingpanda101 via samba <[hidden email]> wrote:
> >>>
> >>>
> >>>> A few other observations while attempting to switch.
> >>>>
> >>>>     * I do not have a dns.keytab file. Should I, or is it created
> >>>> after attempting to switch?
> >>> See my earlier post about samba_dnsupgrade.
> >>>
> >>>>     * running 'named-checkconf' throws an error.
> >>> It would, it cannot find the zones files that are now in AD.
> >>>
> >>> Rowland
> >> Rowland,
> >>
> >>       I think I'm on the home stretch :). However I am running
> >> into an issue after switching the backend. The switch command
> >> completes successfully. Bind starts but I get errors when
> >> attempting to run this command after reboot.
> >>
> >> samba_dnsupdate --verbose --all-names
> >>
> >> I get this error for all updates.
> >>
> >> TSIG error with server: tsig indicates error
> >> update failed: NOTAUTH(BADSIG)
> >> Failed nsupdate: 2
> >> update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
> >> Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
> >> Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as
> >> DDC2$ Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> gc._msdcs.domain.local.   900     IN      A       172.16.22.27
> >>
> >>
> >> I can connect to the server via Windows DNS Manager and browse.
> >>
> >>
> > Try adding '--use-samba-tool' to the 'samba_dnsupdate' command
> >
> > Rowland
>
> I will add that DNS is replicating correctly.  I deleted and added a
> DNS A record and it replicated instantaneously across sites.
>

The problem is that only the owner (or a member of dnsadmins) of a dns
record can update it. You seem to be trying to use a computer account
(fairly common) that doesn't own the records.

Rowland

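Rowland's point separates two failure modes that look alike in the output James pasted. With plain nsupdate every record fails with NOTAUTH(BADSIG): the server could not verify the GSS-TSIG signature on the update, which is a keytab/principal problem on the signing path rather than anything to do with a particular record. With --use-samba-tool the failure is WERR_DNS_ERROR_RECORD_ALREADY_EXISTS on specific records, the ones the DC's machine account does not own. The script below is an added example, not code from the thread or from Samba: it pairs each "Calling ... (add)" line of samba_dnsupdate --verbose with the error line that follows it and reports whether everything failed the same way or only some records did. The sample output is constructed from the messages quoted in the thread (with the per-record lines in the order the tool emits them, and the samba-tool ERROR line on one line). The tool's success message is not parsed, so an attempt with no error line after it is reported as "no error reported"; that is an assumption about the output format.

```python
"""Triage for `samba_dnsupdate --verbose` output.

Added example, not code from the thread or from Samba. It pairs every
"Calling nsupdate/samba-tool dns for ..." line with the error line that
follows it (if any) and tells a run where every update fails identically
(a TSIG/Kerberos problem) from a run where only some records fail (for
example records owned by another account). The sample output below is
constructed from the messages quoted in the thread.
"""
import re
import sys
from collections import Counter

CALL_RE = re.compile(
    r"^Calling (?:nsupdate|samba-tool dns) for (\S+) (\S+) (\S+) \((\w+)\)$"
)
# Two error shapes seen in the thread: nsupdate's "update failed: <rcode>"
# and samba-tool's "ERROR(runtime): uncaught exception - (<num>, '<WERR_...>')".
ERROR_RE = re.compile(
    r"^(?:update failed: (\S+)|ERROR\(runtime\): uncaught exception - \(\d+, '(\w+)'\))$"
)


def parse_updates(lines):
    """One dict per attempted update: type, name, value, action and the first
    error reported before the next attempt (None if no error line follows)."""
    attempts, current = [], None
    for raw in lines:
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            rtype, name, value, action = m.groups()
            current = {"type": rtype, "name": name, "value": value,
                       "action": action, "error": None}
            attempts.append(current)
            continue
        m = ERROR_RE.match(line)
        if m and current is not None and current["error"] is None:
            current["error"] = m.group(1) or m.group(2)
    return attempts


def summarise(attempts):
    """Uniform failure points at the signing path; partial failure points at
    the records themselves (ownership, stale entries)."""
    if not attempts:
        return "no updates attempted"
    errors = Counter(a["error"] for a in attempts if a["error"])
    failed = sum(errors.values())
    if failed == len(attempts) and len(errors) == 1:
        err = next(iter(errors))
        hint = ""
        if "BADSIG" in err or "NOTAUTH" in err:
            # The server rejected the GSS-TSIG signature on every update:
            # check dns.keytab, the DNS/<fqdn> principal in it and the
            # tkey-gssapi-keytab path in named.conf, not individual records.
            hint = " (TSIG/Kerberos signing problem, not a record problem)"
        return f"every update failed with {err}{hint}"
    if failed:
        detail = ", ".join(f"{e} x{n}" for e, n in errors.most_common())
        return f"partial failure, {failed} of {len(attempts)} updates: {detail}"
    return "no error reported for any update"


# Constructed sample output, modelled on the thread (not captured output).
SAMPLE_NSUPDATE = """\
20 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as DDC2$
update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
update(nsupdate): A domain.local 172.16.22.27
Calling nsupdate for A domain.local 172.16.22.27 (add)
TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
""".splitlines()

SAMPLE_SAMBA_TOOL = """\
Calling samba-tool dns for A domain.local 172.16.22.27 (add)
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
Failed 'samba-tool dns' based update of A domain.local 172.16.22.27
Calling samba-tool dns for A ddc2.domain.local 172.16.22.27 (add)
""".splitlines()


if __name__ == "__main__":
    # Optional argument: a file holding saved samba_dnsupdate --verbose output.
    if len(sys.argv) > 1:
        samples = [open(sys.argv[1]).read().splitlines()]
    else:
        samples = [SAMPLE_NSUPDATE, SAMPLE_SAMBA_TOOL]
    for sample in samples:
        attempts = parse_updates(sample)
        for a in attempts:
            print(f"{a['action']:4} {a['type']} {a['name']} -> "
                  f"{a['error'] or 'no error reported'}")
        print(summarise(attempts))
```

On a DC, save the tool's output first (samba_dnsupdate --verbose --all-names > /tmp/dnsupdate.log 2>&1) and pass the file as the argument; with no argument the script runs over the two constructed samples.
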
Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 2:49 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 14:40:10 -0500
> lingpanda101 <[hidden email]> wrote:
>
>> On 1/2/2018 2:23 PM, Rowland Penny wrote:
>>> On Tue, 2 Jan 2018 14:15:11 -0500
>>> lingpanda101 <[hidden email]> wrote:
>>>
>>>> On 1/2/2018 1:51 PM, Rowland Penny wrote:
>>>>> On Tue, 2 Jan 2018 13:38:52 -0500
>>>>> lingpanda101 via samba <[hidden email]> wrote:
>>>>>
>>>>>
>>>>>> A few other observations while attempting to switch.
>>>>>>
>>>>>>      * I do not have a dns.keytab file. Should I, or is it created
>>>>>> after attempting to switch?
>>>>> See my earlier post about samba_dnsupgrade.
>>>>>
>>>>>>      * running 'named-checkconf' throws an error.
>>>>> It would, it cannot find the zones files that are now in AD.
>>>>>
>>>>> Rowland
>>>> Rowland,
>>>>
>>>>        I think I'm on the home stretch :). However I am running
>>>> into an issue after switching the backend. The switch command
>>>> completes successfully. Bind starts but I get errors when
>>>> attempting to run this command after reboot.
>>>>
>>>> samba_dnsupdate --verbose --all-names
>>>>
>>>> I get this error for all updates.
>>>>
>>>> TSIG error with server: tsig indicates error
>>>> update failed: NOTAUTH(BADSIG)
>>>> Failed nsupdate: 2
>>>> update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
>>>> Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
>>>> Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as
>>>> DDC2$ Outgoing update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>> ;; UPDATE SECTION:
>>>> gc._msdcs.domain.local.   900     IN      A       172.16.22.27
>>>>
>>>>
>>>> I can connect to the server via Windows DNS Manager and browse.
>>>>
>>>>
>>> Try adding '--use-samba-tool' to the 'samba_dnsupdate' command
>>>
>>> Rowland
>> I will add that DNS is replicating correctly.  I deleted and added a
>> DNS A record and it replicated instantaneously across sites.
>>
> The problem is that only the owner (or a member of dnsadmins) of a dns
> record can update it. You seem to be trying to use a computer account
> (fairly common) that doesn't own the records.
>
> Rowland

Actually it looks as if Bind isn't running. Though I could've sworn it
did at one point.

service bind9 restart
  * Stopping domain name service... bind9
               rndc: connect failed: 127.0.0.1#953: connection refused
[ OK ]
  * Starting domain name service... bind9 [fail]

Log shows;

Jan  2 15:20:51 ddc2 named[2793]:
----------------------------------------------------
Jan  2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet
Systems Consortium,
Jan  2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3)
public-benefit
Jan  2 15:20:51 ddc2 named[2793]: corporation.  Support and training for
BIND 9 are
Jan  2 15:20:51 ddc2 named[2793]: available at https://www.isc.org/support
Jan  2 15:20:51 ddc2 named[2793]:
----------------------------------------------------
Jan  2 15:20:51 ddc2 named[2793]: adjusted limit on open files from 4096
to 1048576
Jan  2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
Jan  2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
Jan  2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
Jan  2 15:20:51 ddc2 named[2793]: loading configuration from
'/etc/bind/named.conf'
Jan  2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options'
redefined near 'options'
Jan  2 15:20:51 ddc2 named[2793]: loading configuration: already exists
Jan  2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)

It seems to stem from the issue I had before "/etc/bind/named.conf:15:
'options' redefined near 'options'"

--
--
James



Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On Tue, 2 Jan 2018 15:23:18 -0500
lingpanda101 <[hidden email]> wrote:


> Actually it looks as if Bind isn't running. Though I could've sworn
> it did at one point.
>
> service bind9 restart
>   * Stopping domain name service... bind9
>                rndc: connect failed: 127.0.0.1#953: connection refused
> [ OK ]
>   * Starting domain name service... bind9 [fail]
>
> Log shows;
>
> Jan  2 15:20:51 ddc2 named[2793]:
> ----------------------------------------------------
> Jan  2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet
> Systems Consortium,
> Jan  2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3)
> public-benefit
> Jan  2 15:20:51 ddc2 named[2793]: corporation.  Support and training
> for BIND 9 are
> Jan  2 15:20:51 ddc2 named[2793]: available at
> https://www.isc.org/support Jan  2 15:20:51 ddc2 named[2793]:
> ----------------------------------------------------
> Jan  2 15:20:51 ddc2 named[2793]: adjusted limit on open files from
> 4096 to 1048576
> Jan  2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
> Jan  2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
> Jan  2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
> Jan  2 15:20:51 ddc2 named[2793]: loading configuration from
> '/etc/bind/named.conf'
> Jan  2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options'
> redefined near 'options'
> Jan  2 15:20:51 ddc2 named[2793]: loading configuration: already
> exists Jan  2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)
>
> It seems to stem from the issue I had before
> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
>

I reread your earlier post and noticed something I missed earlier: do
you normally use Red Hat?
I ask this because you have this line in /etc/bind/named.conf:

include "/etc/bind/named.conf.options";

Followed by:
# Global Configuration Options
options {
.........
......



If this is all in the one file (à la Red Hat), then this is your
problem: Debian splits up Bind9 into separate conf files, so you will
have two 'options'

Rowland


Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 3:37 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 15:23:18 -0500
> lingpanda101 <[hidden email]> wrote:
>
>
>> Actually it looks as if Bind isn't running. Though I could've sworn
>> it did at one point.
>>
>> service bind9 restart
>>    * Stopping domain name service... bind9
>>                 rndc: connect failed: 127.0.0.1#953: connection refused
>> [ OK ]
>>    * Starting domain name service... bind9 [fail]
>>
>> Log shows;
>>
>> Jan  2 15:20:51 ddc2 named[2793]:
>> ----------------------------------------------------
>> Jan  2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet
>> Systems Consortium,
>> Jan  2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3)
>> public-benefit
>> Jan  2 15:20:51 ddc2 named[2793]: corporation.  Support and training
>> for BIND 9 are
>> Jan  2 15:20:51 ddc2 named[2793]: available at
>> https://www.isc.org/support Jan  2 15:20:51 ddc2 named[2793]:
>> ----------------------------------------------------
>> Jan  2 15:20:51 ddc2 named[2793]: adjusted limit on open files from
>> 4096 to 1048576
>> Jan  2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
>> Jan  2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
>> Jan  2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
>> Jan  2 15:20:51 ddc2 named[2793]: loading configuration from
>> '/etc/bind/named.conf'
>> Jan  2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options'
>> redefined near 'options'
>> Jan  2 15:20:51 ddc2 named[2793]: loading configuration: already
>> exists Jan  2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)
>>
>> It seems to stem from the issue I had before
>> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
>>
> I reread your earlier post and noticed something I missed earlier, do
> you normally use red-hat ?
> I ask this because you have this line in /etc/bind/named.conf:
>
> include "/etc/bind/named.conf.options";
>
> Followed by:
> # Global Configuration Options
> options {
> .........
> ......
>
>
>
> If this is all in the one file (ala red-hat), then this is your
> problem, debian splits up Bind9 into separate conf files and you will
> have two 'options'
>
> Rowland

I do not. Ubuntu but I do have two CentOS systems.

The config file was auto-generated when I installed via apt-get. This
is what it originally contained before I made any modifications.

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

If I comment out these include files, Bind9 starts. However, I do still get

rndc: connect failed: 127.0.0.1#953: connection refused

and I'm still getting the TSIG errors.

--
--
James



Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On Tue, 2 Jan 2018 15:52:57 -0500
lingpanda101 <[hidden email]> wrote:

> On 1/2/2018 3:37 PM, Rowland Penny wrote:
> > On Tue, 2 Jan 2018 15:23:18 -0500
> > lingpanda101 <[hidden email]> wrote:
> >
> >
> >> Actually it looks as if Bind isn't running. Though I could've sworn
> >> it did at one point.
> >>
> >> service bind9 restart
> >>    * Stopping domain name service... bind9
> >>                 rndc: connect failed: 127.0.0.1#953: connection
> >> refused [ OK ]
> >>    * Starting domain name service... bind9 [fail]
> >>
> >> Log shows;
> >>
> >> Jan  2 15:20:51 ddc2 named[2793]:
> >> ----------------------------------------------------
> >> Jan  2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet
> >> Systems Consortium,
> >> Jan  2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit
> >> 501(c)(3) public-benefit
> >> Jan  2 15:20:51 ddc2 named[2793]: corporation.  Support and
> >> training for BIND 9 are
> >> Jan  2 15:20:51 ddc2 named[2793]: available at
> >> https://www.isc.org/support Jan  2 15:20:51 ddc2 named[2793]:
> >> ----------------------------------------------------
> >> Jan  2 15:20:51 ddc2 named[2793]: adjusted limit on open files from
> >> 4096 to 1048576
> >> Jan  2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker
> >> threads Jan  2 15:20:51 ddc2 named[2793]: using 2 UDP listeners
> >> per interface Jan  2 15:20:51 ddc2 named[2793]: using up to 4096
> >> sockets Jan  2 15:20:51 ddc2 named[2793]: loading configuration
> >> from '/etc/bind/named.conf'
> >> Jan  2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15:
> >> 'options' redefined near 'options'
> >> Jan  2 15:20:51 ddc2 named[2793]: loading configuration: already
> >> exists Jan  2 15:20:51 ddc2 named[2793]: exiting (due to fatal
> >> error)
> >>
> >> It seems to stem from the issue I had before
> >> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
> >>
> > I reread your earlier post and noticed something I missed earlier,
> > do you normally use red-hat ?
> > I ask this because you have this line in /etc/bind/named.conf:
> >
> > include "/etc/bind/named.conf.options";
> >
> > Followed by:
> > # Global Configuration Options
> > options {
> > .........
> > ......
> >
> >
> >
> > If this is all in the one file (ala red-hat), then this is your
> > problem, debian splits up Bind9 into separate conf files and you
> > will have two 'options'
> >
> > Rowland
>
> I do not. Ubuntu but I do have two CentOS systems.
>
> The config file was auto-generated when I installed via. apt-get.
> This is what it originally contained before I made any modifications.
>
> // This is the primary configuration file for the BIND DNS server
> named. //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information
> on the // structure of BIND configuration files in Debian, *BEFORE*
> you customize // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> If I comment out these include files, Bind9 starts. However I do
> still get
>
> rndc: connect failed: 127.0.0.1#953: connection refused
>
> However I'm still getting the TSIG errors.
>

These are my named.conf files (with any comments stripped out); they
have worked for me for the last 5 years ;-)

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.7; 127.0.0.1; };

        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

include "/usr/local/samba/private/named.conf";


/etc/bind/named.conf.default-zones

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

Rowland

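The "'options' redefined near 'options'" line in the log above is BIND refusing to start because, once every include is read, it finds two top-level options blocks. What follows is an added example, not code from the thread or from the BIND or Samba projects: a POSIX shell check that walks a Debian-style named.conf, follows its include "..." statements and counts the options blocks it reaches, run here against constructed sample files in a temporary directory. The function names and the sample layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND/Samba): lint a Debian-style
# named.conf for the exact failure in the log above, a second top-level
# "options {" block reachable through the include chain. Function names and
# the sample files are constructed for this example.

# strip_comments FILE -> the file with // and # line comments removed
# (named.conf allows both; a '#' inside a quoted string would also be cut,
# which is acceptable for this check).
strip_comments() {
    sed 's#//.*$##; s/#.*$//' "$1"
}

# count_options_blocks FILE -> number of "options {" blocks reachable from
# FILE, following nested include "..." statements (absolute paths assumed;
# BIND resolves relative ones against its 'directory' option). The recursion
# runs in a $(...) subshell, so the caller's variables are not clobbered.
count_options_blocks() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "warning: include not found: $file" >&2
        echo 0
        return 0
    fi
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0
    count=$(strip_comments "$file" | grep -c '^[[:space:]]*options[[:space:]]*{') || :
    for inc in $(strip_comments "$file" | sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p'); do
        sub=$(count_options_blocks "$inc")
        count=$((count + sub))
    done
    echo "$count"
}

# check_named_conf FILE -> returns 0 when exactly one options block is
# reachable, 1 otherwise (BIND logs "'options' redefined" and exits).
check_named_conf() {
    n=$(count_options_blocks "$1")
    if [ "$n" -eq 1 ]; then
        echo "ok: $1 reaches exactly one options block"
        return 0
    fi
    echo "error: $1 reaches $n options blocks" >&2
    return 1
}

# make_sample_config DIR MODE -> writes a constructed Debian-style layout
# into DIR; MODE "bad" appends the extra options block that broke the
# poster's setup, MODE "good" leaves named.conf as includes only.
make_sample_config() {
    dir="$1"; mode="$2"
    mkdir -p "$dir"
    cat > "$dir/named.conf.options" <<EOF
options {
        directory "/var/cache/bind";
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
EOF
    echo '// zones and the Samba DLZ include would go here' > "$dir/named.conf.local"
    {
        echo '// constructed primary configuration file'
        echo "include \"$dir/named.conf.options\";"
        echo "include \"$dir/named.conf.local\";"
        if [ "$mode" = bad ]; then
            echo '# Global Configuration Options'
            echo 'options {'
            echo '        directory "/var/cache/bind";'
            echo '};'
        fi
    } > "$dir/named.conf"
}

# Usage: sh lint-named-conf.sh /etc/bind/named.conf
if [ $# -gt 0 ]; then
    check_named_conf "$1"
fi
```

Running it against the real /etc/bind/named.conf before `service bind9 restart` turns the fatal error in the log into a message that names the file and the count; it does not replace named-checkconf, which also catches syntax errors, but it points at the one mistake this thread is about.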

Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
On 1/2/2018 4:05 PM, Rowland Penny wrote:

> On Tue, 2 Jan 2018 15:52:57 -0500
> lingpanda101 <[hidden email]> wrote:
>
>> On 1/2/2018 3:37 PM, Rowland Penny wrote:
>>> On Tue, 2 Jan 2018 15:23:18 -0500
>>> lingpanda101 <[hidden email]> wrote:
>>>
>>>
>>>> Actually it looks as if Bind isn't running. Though I could've sworn
>>>> it did at one point.
>>>>
>>>> service bind9 restart
>>>>     * Stopping domain name service... bind9
>>>>                  rndc: connect failed: 127.0.0.1#953: connection
>>>> refused [ OK ]
>>>>     * Starting domain name service... bind9 [fail]
>>>>
>>>> Log shows;
>>>>
>>>> Jan  2 15:20:51 ddc2 named[2793]:
>>>> ----------------------------------------------------
>>>> Jan  2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet
>>>> Systems Consortium,
>>>> Jan  2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit
>>>> 501(c)(3) public-benefit
>>>> Jan  2 15:20:51 ddc2 named[2793]: corporation.  Support and
>>>> training for BIND 9 are
>>>> Jan  2 15:20:51 ddc2 named[2793]: available at
>>>> https://www.isc.org/support Jan  2 15:20:51 ddc2 named[2793]:
>>>> ----------------------------------------------------
>>>> Jan  2 15:20:51 ddc2 named[2793]: adjusted limit on open files from
>>>> 4096 to 1048576
>>>> Jan  2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker
>>>> threads Jan  2 15:20:51 ddc2 named[2793]: using 2 UDP listeners
>>>> per interface Jan  2 15:20:51 ddc2 named[2793]: using up to 4096
>>>> sockets Jan  2 15:20:51 ddc2 named[2793]: loading configuration
>>>> from '/etc/bind/named.conf'
>>>> Jan  2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15:
>>>> 'options' redefined near 'options'
>>>> Jan  2 15:20:51 ddc2 named[2793]: loading configuration: already
>>>> exists Jan  2 15:20:51 ddc2 named[2793]: exiting (due to fatal
>>>> error)
>>>>
>>>> It seems to stem from the issue I had before
>>>> "/etc/bind/named.conf:15: 'options' redefined near 'options'"
>>>>
>>> I reread your earlier post and noticed something I missed earlier,
>>> do you normally use red-hat ?
>>> I ask this because you have this line in /etc/bind/named.conf:
>>>
>>> include "/etc/bind/named.conf.options";
>>>
>>> Followed by:
>>> # Global Configuration Options
>>> options {
>>> .........
>>> ......
>>>
>>>
>>>
>>> If this is all in the one file (ala red-hat), then this is your
>>> problem, debian splits up Bind9 into separate conf files and you
>>> will have two 'options'
>>>
>>> Rowland
>> I do not. Ubuntu but I do have two CentOS systems.
>>
>> The config file was auto-generated when I installed via. apt-get.
>> This is what it originally contained before I made any modifications.
>>
>> // This is the primary configuration file for the BIND DNS server
>> named. //
>> // Please read /usr/share/doc/bind9/README.Debian.gz for information
>> on the // structure of BIND configuration files in Debian, *BEFORE*
>> you customize // this configuration file.
>> //
>> // If you are just adding zones, please do that in
>> /etc/bind/named.conf.local
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>>
>> If I comment out these include files, Bind9 starts. However I do
>> still get
>>
>> rndc: connect failed: 127.0.0.1#953: connection refused
>>
>> However I'm still getting the TSIG errors.
>>
> These are my named.conf files (with any comments stripped out), they
> have worked for me for the last 5 years ;-)
>
> /etc/bind/named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> /etc/bind/named.conf.options
>
> options {
>          directory "/var/cache/bind";
>          version "0.0.7";
>          notify no;
>          empty-zones-enable no;
>          allow-query { 127.0.0.1; 192.168.0.0/24; };
>          allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
>          forwarders { 8.8.8.8; 8.8.4.4; };
>          allow-transfer { none; };
>          dnssec-validation no;
>          dnssec-enable no;
>          listen-on-v6 { none; };
>          listen-on port 53 { 192.168.0.7; 127.0.0.1; };
>
>          tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> };
>
> /etc/bind/named.conf.local
>
> include "/usr/local/samba/private/named.conf";
>
>
> /etc/bind/named.conf.default-zones
>
> zone "." {
>          type hint;
>          file "/etc/bind/db.root";
> };
>
> zone "localhost" {
>          type master;
>          file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>          type master;
>          file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>          type master;
>          file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>          type master;
>          file "/etc/bind/db.255";
> };
>
> Rowland

Splitting up the config files per your template works for me. Bind
starts without any errors. Now it's just the TSIG issue, as far as I
can tell. Thank you.

--
--
James



Re: Switching from Internal DNS to Bind9_DLZ

Samba - General mailing list
In reply to this post by Samba - General mailing list
     As I proceed to set up Bind on my other DCs, how often should the
root server list be updated? The wiki merely states it's optional via
cron. I'm initially using once a day. Thanks.

--
--
James


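Whatever interval is chosen for the cron job, the part worth getting right is that it never overwrites db.root (the file Rowland's "." hint zone points at) with a truncated or empty download. The following is an added example, not code from the thread, the Samba wiki, BIND or Samba: a POSIX shell check that validates a root hints file before installing it atomically, exercised here on constructed sample files. The function names, the sample records and the path of the downloaded copy are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND/Samba): validate a freshly
# downloaded root hints file before it replaces /etc/bind/db.root from cron.
# A job that overwrites the hints with whatever the download returned leaves
# BIND unable to find the root servers. Names here are constructed.

# normalise FILE -> one "owner type rdata" triple per record, with ';'
# comments and an optional IN class removed (named.root omits the class,
# other tools add it); names are upper-cased for case-insensitive matching.
normalise() {
    sed 's/;.*$//' "$1" | awk 'NF >= 4 {
        if ($3 == "IN") { t = $4; r = $5 } else { t = $3; r = $4 }
        print toupper($1), t, toupper(r)
    }'
}

# validate_root_hints FILE -> 0 when the file has at least one root NS
# record and every root server it names has A or AAAA glue; 1 otherwise.
validate_root_hints() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "reject: $f is missing or empty" >&2
        return 1
    fi
    recs=$(normalise "$f")
    ns=$(printf '%s\n' "$recs" | awk '$1 == "." && $2 == "NS" { n++ } END { print n + 0 }')
    if [ "$ns" -lt 1 ]; then
        echo "reject: no root NS records in $f" >&2
        return 1
    fi
    missing=$(printf '%s\n' "$recs" | awk '
        $1 == "." && $2 == "NS"       { want[$3] = 1 }
        ($2 == "A" || $2 == "AAAA")   { have[$1] = 1 }
        END { for (n in want) if (!(n in have)) print n }')
    if [ -n "$missing" ]; then
        echo "reject: root servers without glue in $f:" $missing >&2
        return 1
    fi
    echo "accept: $f lists $ns root server(s) with glue"
    return 0
}

# install_root_hints NEW DEST -> validates NEW, then replaces DEST with a
# rename so BIND never reads a half-written file; on rejection DEST is
# untouched. Reloading BIND afterwards (rndc reload) is left to the caller.
install_root_hints() {
    new="$1"; dest="$2"
    validate_root_hints "$new" || return 1
    tmp="$dest.tmp.$$"
    cp "$new" "$tmp" && mv -f "$tmp" "$dest"
}

# write_sample_hints DIR -> constructed good and bad hints files for a dry run
write_sample_hints() {
    mkdir -p "$1"
    cat > "$1/good.root" <<'EOF'
;       constructed sample in the named.root layout
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
EOF
    cat > "$1/bad.root" <<'EOF'
;       constructed sample: the NS target has no glue record
.                        3600000      NS    X.EXAMPLE.
EOF
}

# Usage from cron, assuming the download was already fetched to a temp file
# (the public copy lives at https://www.internic.net/domain/named.root):
#   sh update-root-hints.sh /tmp/named.root /etc/bind/db.root
if [ $# -ge 2 ]; then
    install_root_hints "$1" "$2"
fi
```

The check is deliberately structural rather than a full zone parse: a hints file is not a complete zone (it has no SOA), so named-checkzone is not the right tool, but "at least one root NS record and glue for every server it names" is exactly what BIND needs from the file to prime its cache.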