
Re: [Samba] Workstations cannot update DNS




On 15/05/2019 21:43, durwin@xxxxxxxxxxxxxxx wrote:
> > *named.conf.options*
> > options {
> >         directory "/var/cache/bind";
> >
> >         // If there is a firewall between you and nameservers you want
> >         // to talk to, you may need to fix the firewall to allow multiple
> >         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> >
> >         // If your ISP provided one or more IP addresses for stable
> >         // nameservers, you probably want to use them as forwarders.
> >         // Uncomment the following block, and insert the addresses replacing
> >         // the all-0's placeholder.
> >         // 172.23.93.3 is master dns for mycompany.com
> >
> >         forwarders {
> >   172.23.93.3; 8.8.8.8;
> >         };
> >
> > //========================================================================
> >         // If BIND logs error messages about the root key being expired,
> >         // you will need to update your keys.  See https://www.isc.org/bind-keys
> > //========================================================================
> >         dnssec-validation auto;
> >
> >         auth-nxdomain no;    # conform to RFC1035
> >         //listen-on-v6 { any; };
> >         listen-on { any; };
> >         notify no;
> >
> >         empty-zones-enable no;
> >         // DNS dynamic updates via Kerberos
> > /var/lib/samba/private/dns.keytab;
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > };
>
>
> OK, everything looks okay, except for /etc/bind/named.conf.options, this
> is mine (which has worked since 2012):
>
> options {
>      directory "/var/cache/bind";
>      version "0.0.7";
>      notify no;
>      empty-zones-enable no;
>      allow-query { 127.0.0.1; 192.168.0.0/24; };
>      allow-recursion {  192.168.0.0/24; 127.0.0.1/32; };
>      forwarders { 8.8.8.8; 8.8.4.4; };
>      allow-transfer { none; };
>      dnssec-validation no;
>      dnssec-enable no;
>      dnssec-lookaside no;
>      listen-on-v6 { none; };
>      listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
>      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> };
>
> I think you should be able to see the differences, especially the last
> line ;-)

I took your lines, modified for my subnet.
  1 options {
  2      directory "/var/cache/bind";
  3      notify no;
  4      empty-zones-enable no;
  5      allow-query { 127.0.0.1; 172.23.93.0/24; };
  6      allow-recursion {  172.23.93.0/24; 127.0.0.1/32; };
  7      forwarders { 172.23.93.3; 8.8.8.8; };
  8      allow-transfer { none; };
  9      dnssec-validation no;
 10      dnssec-enable no;
 11      dnssec-lookaside no;
 12      listen-on-v6 { none; };
 13      listen-on port 53 { 172.23.93.25; 127.0.0.1; };
 14
 15      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
 16 };

This is what systemctl status bind9 shows

● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-05-15 14:25:31 MDT; 10min ago
     Docs: man:named(8)
  Process: 868 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 868 (code=exited, status=1/FAILURE)

May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:9: unknown option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:10: unknown option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:11: unknown option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:12: unknown option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:13: unknown option '   '
May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:15: unknown option '   '
May 15 14:25:31 dc0 named[868]: loading configuration: failure
May 15 14:25:31 dc0 named[868]: exiting (due to fatal error)
May 15 14:25:31 dc0 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
May 15 14:25:31 dc0 systemd[1]: bind9.service: Failed with result 'exit-code'.

Bit lost here, as I said, I have been using this since 2012, first on Ubuntu, then Debian and finally on Devuan, without problems. All I can suggest is that you check it again for typos etc.

Rowland
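
Added example, not part of the thread: the log quotes the rejected token as what looks like blank space, and named already skips ordinary ASCII spaces and tabs, so one thing worth ruling out is non-ASCII whitespace (such as U+00A0) picked up when the block was copied out of a mail client. That cause is an assumption the thread does not confirm; the sample is constructed from the posted block, with lines 9-13 and 15 chosen to match the log, and the function names are this example's own.

```python
import unicodedata

# Constructed sample: the 16-line options block as posted in the thread.
CLEAN_SAMPLE = '''options {
     directory "/var/cache/bind";
     notify no;
     empty-zones-enable no;
     allow-query { 127.0.0.1; 172.23.93.0/24; };
     allow-recursion {  172.23.93.0/24; 127.0.0.1/32; };
     forwarders { 172.23.93.3; 8.8.8.8; };
     allow-transfer { none; };
     dnssec-validation no;
     dnssec-enable no;
     dnssec-lookaside no;
     listen-on-v6 { none; };
     listen-on port 53 { 172.23.93.25; 127.0.0.1; };

     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
'''

def with_nbsp(text, bad_lines):
    """Swap the leading spaces of the given 1-based lines for U+00A0
    (assumed corruption, used only to build test input)."""
    lines = text.split("\n")
    for n in bad_lines:
        body = lines[n - 1].lstrip(" ")
        lines[n - 1] = "\u00a0" * (len(lines[n - 1]) - len(body)) + body
    return "\n".join(lines)

def find_suspect_chars(text):
    """Return (line, column, codepoint, name) for each character that is
    non-ASCII or a control character other than tab/CR."""
    findings = []
    # split("\n") rather than splitlines(): the latter also breaks on
    # U+0085/U+2028 and would hide them and shift the line numbers.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in "\t\r":
                continue
            if ord(ch) < 0x20 or ord(ch) > 0x7E:
                name = unicodedata.name(ch, "UNNAMED CONTROL")
                findings.append((lineno, col, "U+%04X" % ord(ch), name))
    return findings

if __name__ == "__main__":
    damaged = with_nbsp(CLEAN_SAMPLE, [9, 10, 11, 12, 13, 15])
    for lineno, col, cp, name in find_suspect_chars(damaged):
        print("line %d col %d: %s %s" % (lineno, col, cp, name))
```

To check a live file, read it with `open(path, encoding="utf-8", errors="replace")` and pass the text to `find_suspect_chars`; undecodable bytes then show up as U+FFFD. `named-checkconf` reports the same parse errors without restarting the service.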


