To whom it may concern,

Not long ago, I joined a Samba4 box as a DC to a single DC Windows 2003 Active Directory domain to begin the process of learning Samba4. Unfortunately, before I was ready to make the total switch, my Windows 2003 server died, and the remnants of my domain were left with Samba4. While I have got my Samba4 running fairly smoothly (after forcing it to take on fsmo roles), there are still a few snags - and DNS happens to be one of them.

Right now I'm running two CentOS 6.4 (x64) servers that are operating as Active Directory DCs. Both are utilizing Samba 4.0.7 (provided by SerNet) on Linux kernel 2.6.32. Both are running BIND 9.8.2 with the Samba DLZ plugin for DNS (and for the record, these servers do more than run Samba and require BIND for DNS).

I have two primary problems with DNS. One, I can't manage any of my AD DNS zones from Windows using MMC, or from samba-tool. MMC either complains the DNS server is unreachable, or that the Active Directory service is unavailable. The samba-tool utility returns the error code ERROR(runtime): uncaught exception - (-1073741249, 'NT_STATUS_PORT_UNREACHABLE'). Two, while my reverse zone (for a 10.0.0.0/24 subnet) is being served out of the DLZ, my forward Active Directory "office" zone is not. Right now it is running as a master zone in BIND.

Employees can log in via AD without issue. Replication appears to be working correctly so far as I can tell.

------------------------------------------------------------------------------
Here's my smb.conf file:

# Global parameters
[global]
    workgroup = OFFICE
    realm = office.domain.com
    netbios name = CARBON
    netbios aliases = COBALT COBALT-DC FS1
    server role = active directory domain controller
    server services = +web -smb +s3fs -dns +dns_update +kdc +rpc +nbt +wrepl +drepl +ldap +cldap +ntp_signd +kcc
    dcerpc endpoint servers = +epmapper +wkssvc +rpcecho +samr +netlogon +lsarpc +spoolss +drsuapi +dssetup +unixinfo +browser +eventlog6 +backupkey -winreg -srvsvc -dnsserver -dns
    load printers = no
    log file = /var/log/samba/log.%m
    log level = 5
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config OFFICE:backend = ad
    idmap config OFFICE:schema_mode = rfc2307
    idmap config OFFICE:range = 10000-40000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    vfs objects = acl_xattr recycle shadow_copy2
    acl_xattr:ignore system acls = no
    recycle:keeptree = True
    recycle:versions = False
    recycle:touch = False
    recycle:repository = .recycle
    recycle:exclude = *.tmp
    recycle:exclude_dir =
    logon drive = U:
    logon script = \\CARBON\netlogon\NetDrives.vbs
    logon path = \\CARBON\data\users\%U
------------------------------------------------------------------------------

Here's my named.conf file:

# Loads Samba Active Directory zone
include "/var/lib/samba/private/named.conf";

# Global options
options {

       auth-nxdomain yes;

       directory "/var/named";

       notify no;

       empty-zones-enable no;

       allow-query {
        127.0.0.0/8; 10.0.0.0/24;
       };

       allow-recursion {
            127.0.0.0/8; 10.0.0.0/24;
       };

       allow-transfer {
            10.0.0.0/24; 127.0.0.1;
       };

       forwarders {
            66.111.113.7; 66.111.113.8;
       };

       tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
       tkey-domain "OFFICE.DOMAIN.COM";


};

controls {
       inet 127.0.0.1 port 953
       allow { 10.0.0.0/24; 127.0.0.1; } keys { "rndc-key"; };
};

key "rndc-key" {
       algorithm hmac-md5;
       secret << OMITTED >>;
};


# Root servers (required zone for recursive queries)
zone "." {
       type hint;
       file "named.root";
};


# Required localhost forward-/reverse zones
zone "localhost" {
       type master;
       file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
       type master;
       file "master/0.0.127.zone";
};

#zone "0.0.10.in-addr.arpa" {
#       type master;
#       file "master/0.0.10.in-addr.arpa.zone";
#       update-policy {
#            grant *.COM wildcard *.0.0.10.in-addr.arpa. PTR;
#            grant OFFICE.DOMAIN.COM ms-self * A AAAA;
#       };
#};

zone "domain.com" {
       type master;
       file "master/domain.com.zone";
};

zone "office.domain.com" {
       type master;
       check-names ignore; # Required for MS AD domain
       file "master/office.domain.com.zone";
       include "/var/lib/samba/private/named.conf.update";
};

------------------------------------------------------------------------------

The "office.domain.com" zone file came from the fact that I had a backup of the zone file because one of my Samba servers was once a slave DNS server to the Windows 2003 server that I lost (it was running Samba3 before my move to Samba4).

The command samba_dnsupdate --all-names completes without error.

There's nothing in the logs that jumps out at me. I can provide log data if I know what to look for.

All in all, I am having a hard time troubleshooting because the documentation that I can find for Samba4 seems to be a bit lacking at the present time. I might be able to troubleshoot this by process of elimination if I could find the information that I needed.

Any suggestions? Thanks in advance!

--
Jason Bailey
Region IT/IS Manager
Gull Communications
jason.bai...@sunad.com
(435) 637-0732 x31
(435) 637-2716 Fax

* Emery County Progress
* Richfield Reaper
* Sun Advocate
* Uintah Basin Standard
* Vernal Express
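
A configuration cross-check, added here as an example and not part of the original post or of Samba itself: it reads smb.conf-style and named.conf-style text and flags the two settings visible in the posted files that bear on the symptoms (the "dnsserver" DCE/RPC endpoint switched off, and the realm declared as a static master zone next to the DLZ include). It assumes that the "dnsserver" endpoint is the MS-DNSP management interface used by samba-tool dns and the DNS MMC snap-in, and that a static zone in named.conf takes precedence over a DLZ zone of the same name; both config fragments below are constructed.

```python
import re

# Constructed smb.conf fragment modelled on the posted [global] section (not the full file).
SMB_CONF = """
[global]
    realm = office.domain.com
    server services = +web -smb +s3fs -dns +dns_update +kdc +rpc
    dcerpc endpoint servers = +epmapper +samr +netlogon -winreg -srvsvc -dnsserver -dns
"""

# Constructed named.conf fragment modelled on the posted zone statements.
NAMED_CONF = """
include "/var/lib/samba/private/named.conf";   # the DLZ-backed AD zones come from here
zone "domain.com" { type master; file "master/domain.com.zone"; };
zone "office.domain.com" {
       type master;
       file "master/office.domain.com.zone";
};
"""

def smb_params(text):
    """Return {parameter: value} from key = value lines; comments and [section] headers skipped."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";", "[")):
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def toggles(value):
    """Parse a '+enabled -disabled' service list into {name: bool}."""
    return {tok[1:]: tok[0] == "+" for tok in value.split() if tok[0] in "+-"}

def static_zones(text):
    """Zone names declared 'type master' directly in named.conf (comments stripped, one brace level)."""
    text = re.sub(r"^\s*(#|//).*$", "", text, flags=re.M)
    zones = re.findall(r'zone\s+"([^"]+)"\s*\{([^}]*)\}', text)
    return {name.lower().rstrip(".") for name, body in zones if re.search(r"\btype\s+master\b", body)}

def dns_findings(smb_text, named_text):
    """Cross-check both files; an empty list means neither condition was found."""
    params = smb_params(smb_text)
    realm = params.get("realm", "").lower().rstrip(".")
    findings = []
    if toggles(params.get("dcerpc endpoint servers", "")).get("dnsserver") is False:
        findings.append("'dnsserver' is disabled in dcerpc endpoint servers: samba-tool dns and the DNS MMC have no management endpoint")
    if realm and realm in static_zones(named_text):
        findings.append(f"'{realm}' is a static master zone in named.conf: BIND answers from that file, not the DLZ")
    return findings
```

Run dns_findings() over the real /etc/samba/smb.conf and /etc/named.conf contents to see which of the two conditions applies; a zone that is both a static master and a DLZ zone is the one whose records never reach AD replication.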
