Failed dns update with error code 110

Samba4 DNS bugs

Перодически раз где-то в три дня приходится рестартить самбу, поскольку доменные ПК не могут получить имена других ПК.

DNS_backend=SAMBA_INTERNAL, на всех ПК static ip.

Значение allow dns updates какое стоит? На днях была похожая проблема, правда без потери Kerberos, временно решилось выставлением данного параметра значения nonsecure

Спасибо, попробуем. У меня стояло:

Сосбтвенно, я к тому что данный DC перенесенный с Win2008. И при вывовде samba-tool drs showrepl у меня был некоторый геморой ))

Вот здесь написано, что нужно создать:

Все, разобрался с GUID. По вашему совету выставил nonsecure и пока что-то вроде все ок. Погоняю несколько дней — посмотрю.

Теперь вот такой ВОПРОС: при использовании DNS-бэкенда SAMBA_INTERNAL приходится все компы добавлять в остнастке DNS вручную. Как сделать чтобы сами регистрировались?

Насчет добавления вручную не подскажу, при добавление в домен автоматически добавляются, а без домена, присутствие хоста в записях днс в моем случае не обязательно, поэтому не вникал почему так.
А вообще пришел к выводу что лучше использовать bind.
еще переодически встречал в поисковиках что какая то проблема с зоной local, но о чем конкретно речь там не смотрел.

Источник

Failed dns update with error code 110

I recently found the need to set up a test domain for work purposes but couldn’t get access to a proper Windows Server box so since Samba 4 can act as a proper AD controller I decided to give it a go.
It took a few tries and several card formattings before I got the process down pat so I thought I would share it and hopefully save other people the same headaches I had.

The process described will configure the PI as an AD controller, a DHCP client and also bridge the internet connection between the wired and wireless adaptors so that the connected clients can access the internet through the Pi.

Re: How-To: Pi as an Active Directory Domain Controller

I’m working through the post that you’ve put together, as I’m looking to add a domain controller to my dhcp, dns, ntp, vpn setup on my pi 3. From my down dealings with raspbian jessie, I’ve got as far as setting up the static ip part and noticed that there is a problem in your steps.

The problem is that the /etc/resolv.conf is overwritten when the PI starts up. This causes the domain and search items to be removed from the file as it’s make the content of that file based on the ip settings for the device.

So rather than editing resolv.conf, it’s better to add a couple of extra settings in /etc/dhcpcd.conf
Add these two lines to your IP configuration for eth0

static domain_name=vfrontiers.net
static domain_search=vfrontiers.net

so that your interface section reads like this.

interface eth0
static domain_name_servers=192.168.0.254
static ip_address=192.168.0.254
static routers=
static domain_search=vfrontiers.net
static domain_name=vfrontiers.net
static domain_search=vfrontiers.net

when you do that, your /etc/resolv.conf file will be populated with the domain and the nameserver the search item is omitted as it is the same as the domain. (I know it will add it as I tested it with a different value).

love the part about, iptables-persistent. This is a great idea, and much better than a bash script that I’d been doing. think I’ll do that as a change to my server.

There’s a problem with isc-dhcp-server, you may find that after a reboot it will fail to start up, unless you start it manually. Which will be very confusing to people. To solve this problem.

Choose option 4 – Wait for Network as Boot

Slow Wait for network connection before completing boot

This will fix the problem. I’m sure that there is a better solution, but I don’t know yet.

Re: How-To: Pi as an Active Directory Domain Controller

I’ve tried following this guide and have got to the point of having provisioned the domain, however when I attempt the first test this is what I get.

smbclient -L localhost -U%
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

I’m not really sure what to do about this. Any ideas?

Re: How-To: Pi as an Active Directory Domain Controller

Re: How-To: Pi as an Active Directory Domain Controller

is this pertinent?

Re: How-To: Pi as an Active Directory Domain Controller

Re: How-To: Pi as an Active Directory Domain Controller

There is that much wrong with that howto, I do not really know where to start. I cannot recommend using it to set up a Samba AD DC, try following the official Samba wiki instead:

Re: How-To: Pi as an Active Directory Domain Controller

I followed the instructions carefully (omitting the DHCP and port forwarding setup as i don’t need it)

Unfortunately when I get to testing it with smbclient -L localhost -U% it responds with

Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

and the kinit says it cant find KDC for the realm

Any suggestions ? Is there a firewall i need to switch off ? I am using the latest version of all the software. Might the instructions be out of date ?

Re: How-To: Pi as an Active Directory Domain Controller

I’ve managed to get over the problem of the error from the following command

smbclient -L localhost -U%

By looking at other tutorials, after the «sudo samba-tool domain provision. » you actually have to start samba with «sudo samba»

However, I am now stuck at configuring Kerberos. when calling «kinit administrator@BP.LOCAL» i get the error «kinit: Cannot contact any KDC for realm ‘BP.LOCAL’ while getting initial credentials»

How do i debug this ?

Re: How-To: Pi as an Active Directory Domain Controller

after further investigation, the DNS that samba provides is not working properly, the suggested host -A check produces a «no server could be reached»

My guess is one of the latest package versions has invalidated this tutorial. The samba log is as follows.

Источник

Failed dns update with error code 110

I updated some packages today and rebooted the server, I can not access Flexshare Shared directories anymore.

Accepted Answer

Instead of downgrading, can someone who is experiencing this issue try the following:

Please test modifying the line in /etc/samba/smb.conf to be the following:

allow trusted domains = yes

This is for those that are using ClearOS as a NAS with no domain logons.

I’m curious to know if this fixes the Samba issue reported with the update.

Accepted Answer

Did you run out of disk space?

Can I suggest you try a configuration restore from before the upgrade. Webconfig > System > Backup > Configuration Backup and Restore.

Accepted Answer

Can you please try starting ldap from the command line interactively:Please report what happens.

Have you by any chance lost an interface?Or did you have any where you had to load the drivers yourself?

And the answers to your questions are both NO.

Is not a big deal since I have a snapshot from a working configuration, but it’s taking me back of install clearOs in other environments

Thanks for you help again.

Accepted Answer

Can you please try starting ldap from the command line interactively:Please report what happens.

Have you by any chance lost an interface?Or did you have any where you had to load the drivers yourself?

Accepted Answer

I’ve deleted your duplicate post. As you’ve now had two posts approved by the mods they should now automatically appear.

It sounds like you have more than one problem.

For DNS, please do a:
Then look in /var/log/messages for errors.

For Samba, please can you do a:Then try starting any not running (not sure about winbind — it depends on your set up) and have a look in the logs (various including in /var/log/samba/)

Please can you also check slapd is running with a:

Hi Nick. Really appreciate with your quick answer.

Let’s go step by step.

I am checking those logs on /varl/logs/messages

YUM REPO

systemctl restart dnsmasq.service

Still cannot resolve.

Dont have winbind

Unfortunately, smb.log is empty. Samba.log has only information related to the ClearOs before the update and that message is repeated again and again.

LPAD command

Thanks a lot again for your help. Have a great day.

Accepted Answer

Jey Mike Gallego wrote:

Well, first of all, sorry for the spam. But I have been digging a little bit more into the issue. First of all. message from logs when I try to start Samba from Web

Look there is not samba.service within «/usr/lib/systemd/system», however, I can find smb.service instead.

Can you check guys in yout configuration?

The samba service name is smb.conf. In which logs are you seeing the message?

What is you output of:

Accepted Answer

I’ve deleted your duplicate post. As you’ve now had two posts approved by the mods they should now automatically appear.

It sounds like you have more than one problem.

For DNS, please do a:
Then look in /var/log/messages for errors.

For Samba, please can you do a:Then try starting any not running (not sure about winbind — it depends on your set up) and have a look in the logs (various including in /var/log/samba/)

Please can you also check slapd is running with a:

Accepted Answer

Well, first of all, sorry for the spam. But I have been digging a little bit more into the issue. First of all. message from logs when I try to start Samba from Web

Look there is not samba.service within «/usr/lib/systemd/system», however, I can find smb.service instead.

Can you check guys in yout configuration?

Accepted Answer

The root cause seems to be that Samba changed how the parameter was working. It now should be set to «yes» or deleted completely. It may have originally been caused by a misunderstanding on how the parameter should have been set in the first place, but it does not matter now. Updates should now be automatically setting the parameter to «yes» if it exists.

Sadly that didnt work for me. «allow trusted domains = yes» is set and my samba does not start and I also lost the DNS server. Thankfully I have a snapshot but I dont want to give up.

Accepted Answer

Accepted Answer

Is there any news about that issue? It was located the root of the cause?

Thanks for all this information I could fix my server and taking back Flexshare and Samba.

Accepted Answer

It looks like this setting as yes or no does not affect computers joined to the domain but only those in NAS mode. I’m going to suggest that this parameter be flipped to Yes on all configs during the upgrade process.

Accepted Answer

Accepted Answer

Accepted Answer

Instead of downgrading, can someone who is experiencing this issue try the following:

Please test modifying the line in /etc/samba/smb.conf to be the following:

allow trusted domains = yes

This is for those that are using ClearOS as a NAS with no domain logons.

I’m curious to know if this fixes the Samba issue reported with the update.

I upgraded the Samba packages again, changed that option and it worked.

Thank You Dave for this solution,
Thank You Nick for prompt temporary solution.

Accepted Answer

Accepted Answer

I’ve tested Dave’s solution and it works for me — Win10 (1803). I’ve rejected my post in this thread as being the Accepted Answer and Accepted Dave’s. I’ve also posted to the main thread.

FWIW the repo management is not working well. There was no way to downgrade. It looks like there is also a new installation where the user is unable to install from the marketplace, because his system has not upgraded yet and the lack of old packages is causing dependency problems.

@Tony,
I could not hope to cover all bases with the downgrade. Even to get to where I got with the packages I had to do a dummy upgrade of a Business box to work out all the packages it needed then I download each one with yumdownloader. It is quite possible I picked up more packages than I needed but were needed for that particular set up (e.g. python-dns?). I then tried the downgrade in a VM. That worked so then on my test Community box and I was able to map the drive. It could have been a case of dependency hell!

Accepted Answer

I’m curious to know if anyone is experiencing this issue if joined to the domain on an upgrade. My suspicion is no. My hypothesis is that this only affects those that use the flexshares in non-domain join modes.

It took me a bit to get the lab set up to replicate the problem and when I got it all done the error messages weren’t specific enough so I cranked the log level to 8 and read through both a working 7.4 log trace for the same activity vs. a 7.5 and this is the nugget that I found:

At first, I thought that there was an LDAP problem because of the unmatched users bit but then I reasoned that this would NOT be the case since Linux and Macs are working fine so it cannot be that. I also thought that perhaps that the match was an issue but I can see elsewhere in the logs that the match is happening to LDAP. The key was just below where the domain was rejected. The domain, ‘dloper-PC’, is the machine name of my test computer which I purposefully did NOT join to the domain. So this means that it was rejecting based on the lack of a computer account which is supposed to work based on the NAS model. I then googled a bit to see if that error was known to the samba community. I couldn’t find any articles related so I decided to troll through the smb.conf file and the line just stood out to me for some reason.

allow trusted domains = yes

BTW, you only need to change this in the file, you don’t need to reboot or restart samba for this to go into effect.

Источник

Re-enable systemd-resolve.

Two possibilities…

1. Regarding dnsmasq and systemd-resolved…

Do a ps auxc | grep -i dns and ps auxc | grep -i resolv and look for dnsmasq and systemd-resolved, and if both are running, you need to disable the DNS part of systemd-resolved by editing /etc/systemd/resolved.conf and…

change:

#DNSStubListener=yes

to:

DNSStubListener=no

then restart systemd-resolve and dnsmasq, or reboot.

1. you MAY need to reset the symlink that is /etc/resolv.conf (if dnsmasq is not running)…

sudo mv /etc/resolv.conf /etc/resolv.conf.OLD # save the old symlink

sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf # create new symlink

Update #1:

Many details of this installation came forward in the comments, and we still don’t have a final working solution. Here are some points to recognize…

DNSStubListener=no does not belong in /etc/resolv.conf. (/etc/resolv.conf should not (normally) be edited directly). It’s an edit to /etc/systemd/resolved.conf. DNS= can also be edited there to add DNS server addresses.

/etc/resolv.conf should be a symlink, linked to one of two possible locations in /run.

NEW -> /run/systemd/resolve/resolv.conf
OLD -> ../run/resolvconf/resolv.conf

and should contain either 127.0.0.53 (or 127.0.0.1 if dnsmasq was running), or DNS nameserver addresses, or your router’s address (ex: 192.168.1.1)

If you’re going to use NetworkManager instead of netplan, then /etc/netplan should contain at least one .yaml file containing…

network:
  version: 2
  renderer: NetworkManager

followed by…

sudo netplan generate # generate config files

sudo netplan apply # apply configuration

If you’re using NetworkManager, then /etc/NetworkManager/NetworkManager.conf should exist… and should look something like…

[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no

If dnsmasq AND systemd-resolve are running, then you should do #1 in my answer.

If dnsmasq is not running, and systemd-resolve is running, then you should do #2 in my answer.

Hi there, i need your help to be sure that i made good configuration of BIND in 9.9 version and my dig and nslookup works correctly.
I am not sure that all is ok but i have NO IDEA where and what i should change.

First of all, why im trying to confirm all this:
after using systemctl status named -l i got this:

Mar 23 00:08:55 dc1.sub.domain.com named[1164]: all zones loaded
Mar 23 00:08:55 dc1.sub.domain.com named[1164]: running
Mar 23 00:08:55 dc1.sub.domain.com systemd[1]: Started Berkeley Internet Name Domain (DNS).
Mar 23 17:14:35 dc1.sub.domain.com named[1164]: no longer listening on 192.168.1.100#53
Mar 23 17:14:35 dc1.sub.domain.com named[1164]: no longer listening on 127.0.0.1#53
Mar 23 17:14:35 dc1.sub.domain.com named[1164]: not listening on any interfaces
Mar 23 17:14:35 dc1.sub.domain.com named[1164]: not listening on any interfaces
Mar 23 17:14:36 dc1.sub.domain.com named[1164]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 23 17:14:40 dc1.sub.domain.com named[1164]: listening on IPv4 interface enp0s3, 192.168.1.100#53
Mar 23 17:23:28 dc1.sub.domain.com named[1164]: [b]client 127.0.0.1#58024 (dc1): query (cache) 'dc1/A/IN' denied[/b]

Also, status samba shows:

Mar 23 00:08:57 dc1.sub.domain.com winbindd[1334]: [2018/03/23 00:08:57.626359,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Mar 23 00:08:57 dc1.sub.domain.com winbindd[1334]:   STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Mar 23 16:43:49 dc1.sub.domain.com winbindd[1359]: [2018/03/23 16:43:49.619082,  0] ../source3/winbindd/winbindd_dual.c:107(child_write_response)
Mar 23 16:43:49 dc1.sub.domain.com winbindd[1359]:   [b]Could not write result[/b]
Mar 23 16:43:51 dc1.sub.domain.com samba[1330]: [2018/03/23 16:43:51.310978,  0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Mar 23 16:43:51 dc1.sub.domain.com samba[1330]:  [b] ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110[/b]
Mar 23 16:43:51 dc1.sub.domain.com samba[1330]: [2018/03/23 16:43:51.311524,  0] ../source4/dsdb/dns/dns_update.c:313(dnsupdate_spnupdate_done)
Mar 23 16:43:51 dc1.sub.domain.com samba[1330]:   ../source4/dsdb/dns/dns_update.c:313: Failed SPN update - with error code 110
Mar 23 16:43:51 dc1.sub.domain.com smbd[1332]: [2018/03/23 16:43:51.733542,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Mar 23 16:43:51 dc1.sub.domain.com smbd[1332]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections

And after using nslookup:

[root@dc1 ~]# nslookup
> dc1
Server:         192.168.1.100
Address:        192.168.1.100#53

** server can't find dc1: NXDOMAIN
> dc1.sub.domain.com
Server:         192.168.1.100
Address:        192.168.1.100#53

Name:   dc1.sub.domain.com
Address: 192.168.122.1
Name:   dc1.sub.domain.com
Address: 192.168.1.100
> vsfiles
Server:         192.168.1.100
Address:        192.168.1.100#53

** server can't find vsfiles: NXDOMAIN
> vsfiles.sub.domain.com
Server:         192.168.1.100
Address:        192.168.1.100#53

** server can't find vsfiles.sub.domain.com: NXDOMAIN

After using dig:

[root@dc1 ~]# dig dc1

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> dc1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23884
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.                           IN      A

;; AUTHORITY SECTION:
.                       8491    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2018032201 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:53:30 CET 2018
;; MSG SIZE  rcvd: 107

[root@dc1 ~]# dig dc1.sub.domain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> dc1.sub.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52581
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.sub.domain.com.             IN      A

;; ANSWER SECTION:
dc1.sub.domain.com.      900     IN      A       192.168.1.100
dc1.sub.domain.com.      900     IN      A       192.168.122.1

;; AUTHORITY SECTION:
sub.domain.com.          900     IN      NS      dc1.sub.domain.com.

;; Query time: 2 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:53:39 CET 2018
;; MSG SIZE  rcvd: 92

[root@dc1 ~]# dig dc1.sub.domain.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> dc1.sub.domain.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19681
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dc1.sub.domain.com.             IN      A

;; ANSWER SECTION:
dc1.sub.domain.com.      900     IN      A       192.168.122.1
dc1.sub.domain.com.      900     IN      A       192.168.1.100

;; AUTHORITY SECTION:
sub.domain.com.          900     IN      NS      dc1.sub.domain.com.

;; Query time: 2 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:53:44 CET 2018
;; MSG SIZE  rcvd: 92

[root@dc1 ~]# dig vsfiles.sub.domain.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> vsfiles.sub.domain.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41015
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vsfiles.sub.domain.com.         IN      A

;; AUTHORITY SECTION:
sub.domain.com.          3600    IN      SOA     dc1.sub.domain.com. hostmaster.sub.domain.com. 21 900 600 86400 3600

;; Query time: 6 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:54:06 CET 2018
;; MSG SIZE  rcvd: 101

[root@dc1 ~]# dig vsfiles.sub.domain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> vsfiles.sub.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6486
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vsfiles.sub.domain.com.         IN      A

;; AUTHORITY SECTION:
sub.domain.com.          3600    IN      SOA     dc1.sub.domain.com. hostmaster.sub.domain.com. 21 900 600 86400 3600

;; Query time: 7 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:54:19 CET 2018
;; MSG SIZE  rcvd: 101

[root@dc1 ~]# dig vsfiles

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> vsfiles
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25419
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vsfiles.                       IN      A

;; AUTHORITY SECTION:
.                       8425    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2018032300 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Fri Mar 23 17:54:28 CET 2018
;; MSG SIZE  rcvd: 111

Why i dont have answer for vsfiles record? Are other queries ok? Shouldn’t it be ANSWER:1 not 0 for some questions?
I got vsfiles added to domain, i can see it as computer account in rsat from windows, i do not have any idea why i dont get information about this machine.

My named.conf:

#Global BIND configuration optionsGlbal BIND configuration options
include "/usr/local/samba/private/named.conf";
options {

    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    listen-on port 53 {
                127.0.0.1;
                192.168.1.100;};

allow-query {
        127.0.0.1;
        localhost;
        192.168.1.0/24;

# add other networks you want to allow to query your DNS
    };

    allow-recursion {
        192.168.1.0/24;

 # add other networks you want to allow to do recursive queries
    };

    forwarders {
        # Google public DNS server here - replace with your own if necessary
        8.8.8.8;
        8.8.4.4;
    };

    allow-transfer {
        # this config is for a single master DNS server
     localhost;
    };

};


# Root servers (required zone for recursive queries)
zone "." {
   type hint;
   file "named.root";
};

# Required localhost forward-/reverse zones
zone "domain.com" {
    type master;
    file "master/sub.domain.com.zone";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/192.168.1.zone";
};

My zone files:

$TTL 1D

@       IN      SOA     sub.domain.com.  root.sub.domain.com. (
                                        2018032301      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        IN NS           dc1.sub.domain.com.
                        ;IN NS           srv12.linuxphobia.com.

                        IN MX 5 smpt.sub.domain.com.

dc1.sub.domain.com.   IN      A       192.168.1.100
dc2.sub.domain.com.   IN     A       192.168.1.200


mail.sub.domain.com.   IN      CNAME   smtp.sub.domain.com.

;webserver.linuxphobia.com. IN   A       192.168.1.111

;sai-scan.linuxphobia.com.       IN      A       192.168.1.71
;                                IN      A       192.168.1.72
;                                IN      A       192.168.1.73
;                                IN      TXT     "Round-robin IP for Scan"

sub.domain.com.        IN      A       192.168.1.100
smtp.sub.domain.com.   IN      A       192.168.1.111
;www                     IN      CNAME   webserver.linuxphobia.com

vsfiles.sub.domain.com. IN A 192.168.1.101

$TTL 1D

@       IN      SOA     sub.domain.com.  root.sub.domain.com. (
                                        2018032301      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                         NS           dc1.sub.domain.com.

                        ;IN NS           srv12.linuxphobia.com.
;                        IN MX 5 smpt.sub.domain.com.
;dc1.sub.domain.com.   IN      A       192.168.1.100
;dc2.sub.domain.com.   IN     A       192.168.1.200
;mail.sub.domain.com.   IN      CNAME   smtp.sub.domain.com.
;webserver.linuxphobia.com. IN   A       192.168.1.111
;sai-scan.linuxphobia.com.       IN      A       192.168.1.71
;                                IN      A       192.168.1.72
;                                IN      A       192.168.1.73
;                                IN      TXT     "Round-robin IP for Scan"
;sub.domain.com.        IN      A       192.168.1.100
;www                     IN      CNAME   webserver.linuxphobia.com.

100 IN PTR dc1.sub.domain.com.
200 IN PTR dc2.sub.domain.com.

100 IN PTR sub.domain.com.
101 IN PTR vsfiles.sub.domain.com.
~

What i did wrong?

имя сервера ещё дайте плиз

Пользователь решил продолжить мысль [time]Tue Apr  5 11:41:15 2011[/time]:

Значит так ! Всё с самого начала. Буду писать все подробно с установкой пакетов. Если они уже установлены, то хорошо.

sudo aptitude install krb5-user samba winbind smbclient

Идём править /etc/resolv.conf, нужно привести его к виду:

domain adm.bl
search adm.bl
nameserver 192.168.5.1
Если DNS сервер у Вас стоит не на DC, то меняйте ип из nameserver на свой.

Теперь проверим файл /etc/hostname, в нём должно быть имя вашей машины, а именно ip-admin

Так же нужно поправить /etc/hosts, в него нужно запихнуть:

127.0.0.1 localhost
192.168.5.44 ip-admin.adm.bl MyPC
ОБЯЗАТЕЛЬНО!!! нужно синхронизировать время с контроллером домена, можно сделать руками ntpdate 192.168.5.1, а можно установаить службу: sudo aptitude install ntp

правим /etc/ntp.conf

...
# You do need to talk to an NTP server or two (or three).
server 192.168.5.1
...

Перезагружаем sudo /etc/init.d/ntp restart, всё ок…

Меняем конфиг кербероса /etc/krb5.conf

[libdefaults]
default_realm = ADM.BL
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
ADM.BL = {
kdc = 192.168.5.1
admin_server = 192.168.5.1
}
[domain_realm]
 .adm.bl = ADM.BL
adm.bl = ADM.BL
[login]
krb4_convert = true
krb4_get_tickets = false

Получаем билет в домен kinit username@ADM.BL
Ошибок быть не должно, если будут, то пиши сюда — обсудим…

Идём править конфиг самбы /etc/samba/smb.conf. Я повыкидывал всё лишнее. Сначала введём в домен, а там бдем прикручивать ещё что-нить.

[global]
workgroup = ADM
realm = ADM.BL
security = ADS
encrypt passwords = true
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
load printers = yes
show add printer wizard = yes
printcap name = /dev/null
disable spoolss = yes
idmap uid = 10000 - 40000
idmap gid = 10000 - 40000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
template shell = /bin/bash
winbind refresh tickets = yes

На всякий проверить параметры можно testparm, но всё должно быть ок.

Вгоняем машинку в домен sudo net ads join -U username -D ADM.BL

Для авторизации пользюков на твоей машинке, нужно поправить /etc/nsswitch.conf
там изменить только:

passwd: compat
group: compat


На

passwd: compat winbind
group: compat winbind

Проверить можно выполнив getent passwd, эта херь покажет тебе все списки пользюков локальных и доменных.

И исправить опцию в файле /etc/pam.d/common-session

session optionalнужно привести её к виду:

session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
После чего выполнить

mv /etc/rc4.d/S20winbind /etc/rc2.d/S99winbind
mv /etc/rc4.d/S20winbind /etc/rc3.d/S99winbind
mv /etc/rc4.d/S20winbind /etc/rc4.d/S99winbind
mv /etc/rc4.d/S20winbind /etc/rc5.d/S99winbind

После перезагрузки машинки всё будет работать. Должно… И да.. При вводе машины в домен ты поймаешь ошибку DNS update failed, в ней нет ничего страшного. Просто добавишь в DNS руками потом свою машану и всё.