
Re: [Samba] Switching from Internal DNS to Bind9_DLZ




On 1/8/2018 1:11 PM, lingpanda101 wrote:
On 1/2/2018 4:05 PM, Rowland Penny wrote:
On Tue, 2 Jan 2018 15:52:57 -0500
lingpanda101<lingpanda101@xxxxxxxxx>  wrote:

On 1/2/2018 3:37 PM, Rowland Penny wrote:
On Tue, 2 Jan 2018 15:23:18 -0500
lingpanda101<lingpanda101@xxxxxxxxx>  wrote:


Actually it looks as if Bind isn't running. Though I could've sworn
it did at one point.

service bind9 restart
 * Stopping domain name service... bind9
   rndc: connect failed: 127.0.0.1#953: connection refused [ OK ]
 * Starting domain name service... bind9 [fail]

Log shows;

Jan  2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
Jan  2 15:20:51 ddc2 named[2793]: BIND 9 is maintained by Internet Systems Consortium,
Jan  2 15:20:51 ddc2 named[2793]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan  2 15:20:51 ddc2 named[2793]: corporation.  Support and training for BIND 9 are
Jan  2 15:20:51 ddc2 named[2793]: available at https://www.isc.org/support
Jan  2 15:20:51 ddc2 named[2793]: ----------------------------------------------------
Jan  2 15:20:51 ddc2 named[2793]: adjusted limit on open files from 4096 to 1048576
Jan  2 15:20:51 ddc2 named[2793]: found 2 CPUs, using 2 worker threads
Jan  2 15:20:51 ddc2 named[2793]: using 2 UDP listeners per interface
Jan  2 15:20:51 ddc2 named[2793]: using up to 4096 sockets
Jan  2 15:20:51 ddc2 named[2793]: loading configuration from '/etc/bind/named.conf'
Jan  2 15:20:51 ddc2 named[2793]: /etc/bind/named.conf:15: 'options' redefined near 'options'
Jan  2 15:20:51 ddc2 named[2793]: loading configuration: already exists
Jan  2 15:20:51 ddc2 named[2793]: exiting (due to fatal error)

It seems to stem from the issue I had before
"/etc/bind/named.conf:15: 'options' redefined near 'options'"

I reread your earlier post and noticed something I missed earlier:
do you normally use Red Hat?
I ask this because you have this line in /etc/bind/named.conf:

include "/etc/bind/named.conf.options";

Followed by:
# Global Configuration Options
options {
.........
......



If this is all in the one file (à la Red Hat), then this is your
problem. Debian splits up Bind9 into separate conf files, and you
will have two 'options'.

Rowland
I do not. Ubuntu, but I do have two CentOS systems.

The config file was auto-generated when I installed via apt-get.
This is what it originally contained before I made any modifications.

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

If I comment out these include files, Bind9 starts. However, I do
still get

rndc: connect failed: 127.0.0.1#953: connection refused

However, I'm still getting the TSIG errors.

These are my named.conf files (with any comments stripped out); they
have worked for me for the last 5 years ;-)

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
         directory "/var/cache/bind";
         version "0.0.7";
         notify no;
         empty-zones-enable no;
         allow-query { 127.0.0.1; 192.168.0.0/24; };
         allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
         forwarders { 8.8.8.8; 8.8.4.4; };
         allow-transfer { none; };
         dnssec-validation no;
         dnssec-enable no;
         listen-on-v6 { none; };
         listen-on port 53 { 192.168.0.7; 127.0.0.1; };

         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

include "/usr/local/samba/private/named.conf";


/etc/bind/named.conf.default-zones

zone "." {
         type hint;
         file "/etc/bind/db.root";
};

zone "localhost" {
         type master;
         file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
         type master;
         file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
         type master;
         file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
         type master;
         file "/etc/bind/db.255";
};

Rowland

It looks as if I have an issue with the switch to Bind on one of my 6 DCs. Samba log gives the following.


[2018/01/08 10:59:19.002290,  0, pid=968, effective(0, 0), real(0, 0)] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 7 in pid 968 (4.7.4)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2018/01/08 10:59:19.002521,  0, pid=968, effective(0, 0), real(0, 0)] ../lib/util/fault.c:81(fault_report)
===============================================================
[2018/01/08 10:59:19.002712,  0, pid=968, effective(0, 0), real(0, 0)] ../lib/util/fault.c:151(smb_panic_default)
  PANIC: internal error
[2018/01/08 10:59:19.873041,  0, pid=948, effective(0, 0), real(0, 0)] ../source4/smbd/process_standard.c:161(standard_child_pipe_handler)
  Child 968 (drepl) terminated with signal 6
[2018/01/08 11:00:39.091609,  0, pid=960, effective(0, 0), real(0, 0)] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
  IRPC callback failed for DsReplicaSync - NT_STATUS_OBJECT_NAME_NOT_FOUND

I get repeated errors over and over for the following.

IRPC callback failed for DsReplicaSync - NT_STATUS_OBJECT_NAME_NOT_FOUND

I tried switching back to the internal but it didn't resolve. Running 'samba-tool drs showrepl' shows an issue with the DomainDnsZones partition. I tried manual replication but that too failed.

/usr/local/samba/bin/samba-tool drs replicate ddc2 ddc1 DC=DomainDnsZones,DC=domain,DC=local -U Administrator
Password for [DOMAIN\Administrator]:
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073610699, 'The operation cannot be performed.')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 386, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 85, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Raising the log level to 3 didn't give me anything other than this.

[2018/01/08 12:40:05.883956,  3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DDC2<00> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:05.886205,  3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DDC2<03> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:05.886324,  3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DDC2<20> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:05.915493,  3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DOMAIN<1c> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:05.915654,  3, pid=2271, effective(0, 0), real(0, 0)] ../source4/nbt_server/register.c:155(nbtd_register_name_handler)
  Registered DOMAIN<00> with 172.16.22.27 on interface 172.16.22.255
[2018/01/08 12:40:06.183365,  3, pid=2282, effective(0, 0), real(0, 0)] ../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
  samba_runcmd_io_handler: Child /usr/local/samba/sbin/samba_dnsupdate exited 0

Why would the DC register itself on the broadcast address? Any harm in simply demoting and rejoining the DC? Do I need to clean up all the metadata before rejoining? Thanks.





--
--
James

As of this moment it's working again. Deleted NTDS settings on the affected DCs and switched back to the Internal DNS on the two. Allowed them to use the internal DNS for a bit and switched back to Bind. Now I'm not showing any issues. Will continue to monitor.

--
--
James
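The "'options' redefined near 'options'" failure discussed earlier in this thread comes from a Debian-style named.conf that includes named.conf.options and also carries its own options block. The script below is an added example (not code from the thread, from Samba or from ISC BIND) that walks a named.conf include tree, follows every include directive, and reports top-level statements that BIND accepts only once, so the duplicate is found before named is restarted. It goes slightly beyond the thread in two ways: it also flags a duplicated logging statement (an assumption drawn from the BIND documentation) and it follows nested includes. The file names, the temp-dir layout, the helper names and all file contents are constructed for the example. On a real host, named-checkconf /etc/bind/named.conf is the authoritative check; this script only demonstrates the logic offline.

```python
"""Added example: find top-level named.conf statements that BIND only accepts
once ('options', 'logging') across an include tree.  File contents below are
constructed samples modelled on the Debian split layout discussed in the thread."""
import os
import re
import tempfile

# Statements BIND accepts at most once per configuration (assumption taken from
# the BIND ARM; the thread itself only shows the 'options' case).
SINGLETON_STATEMENTS = {"options", "logging"}

_INCLUDE_RE = re.compile(r'^include\s+"([^"]+)"$')


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #.
    Simplified: a // or # inside a quoted string (e.g. a URL) is removed too."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_statements(path, seen=None):
    """Yield (keyword, file, line) for every depth-0 block statement, following
    include directives recursively.  Include paths are used exactly as written
    (absolute in this example); each file is visited once, so include loops
    cannot recurse forever."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:
        return
    seen.add(real)
    with open(path) as fh:
        text = strip_comments(fh.read())
    depth, line, buf = 0, 1, []
    for ch in text:
        if ch == "\n":
            line += 1
        if depth == 0 and ch == ";":
            # End of a non-block top-level statement, e.g. include "...";
            match = _INCLUDE_RE.match("".join(buf).strip())
            buf = []
            if match:
                yield from top_level_statements(match.group(1), seen)
        elif ch == "{":
            if depth == 0:
                head = "".join(buf).strip().split()
                yield (head[0] if head else "?", path, line)
                buf = []
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            buf.append(ch)


def find_redefinitions(root):
    """Map each singleton keyword defined more than once to its (file, line) list."""
    where = {}
    for keyword, path, line in top_level_statements(root):
        where.setdefault(keyword, []).append((path, line))
    return {k: v for k, v in where.items()
            if k in SINGLETON_STATEMENTS and len(v) > 1}


def build_sample(tmpdir, with_extra_options):
    """Write a constructed Debian-style include tree into tmpdir.  With
    with_extra_options=True, named.conf includes named.conf.options *and*
    defines its own options block, reproducing the broken layout from the thread."""
    paths = {n: os.path.join(tmpdir, n)
             for n in ("named.conf", "named.conf.options", "named.conf.local")}
    with open(paths["named.conf.options"], "w") as fh:
        fh.write('options {\n    directory "/var/cache/bind";\n'
                 '    allow-transfer { none; };\n};\n')
    with open(paths["named.conf.local"], "w") as fh:
        fh.write('zone "example.test" {\n    type master;\n'
                 '    file "/etc/bind/db.example";\n};\n')
    with open(paths["named.conf"], "w") as fh:
        fh.write("// primary configuration file (constructed sample)\n")
        fh.write('include "%s";\n' % paths["named.conf.options"])
        fh.write('include "%s";\n' % paths["named.conf.local"])
        if with_extra_options:
            fh.write("# Global Configuration Options\n"
                     'options {\n    directory "/var/cache/bind";\n};\n')
    return paths["named.conf"]


def check_sample(with_extra_options):
    """Build the sample tree in a temp dir and return find_redefinitions() on it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_redefinitions(build_sample(tmp, with_extra_options))


if __name__ == "__main__":
    for broken in (True, False):
        dup = check_sample(broken)
        print("broken layout" if broken else "clean layout", "->",
              {k: [(os.path.basename(p), l) for p, l in v]
               for k, v in dup.items()} or "no redefinitions")
```

Run as a script it reports the options block twice for the broken layout (once in named.conf.options, once in named.conf itself, the second being the one named complains about) and nothing for the clean layout. To run it against a live tree, call find_redefinitions("/etc/bind/named.conf") and resolve any relative include paths against the directory named is started from.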
