Mailinglist Archive: opensuse (1477 mails)

Re: [opensuse] what does 127.0.1.1 mean?
On 31/03/12 14:36, Anton Aylward wrote:
lynn said the following on 03/31/2012 03:17 AM:

Hi
Yes. I can explain the conflict now.
My Samba4 dynamic dns configuration was creating the forward zone for me
so by adding my own it was conflicting with the zone that was already
loaded. DUH! I only needed to add the _forward_ zone myself as the A
record was already there.
Correction: I meant _reverse_ zone of course. It is the forward zone that is already there.
Ah.
I'm glad you found that.
I'm glad because I have no experience or insight into Samba*4*.
It's not out of alpha yet but it's an amazing piece of kit. It helps enormously with SSO on heterogeneous LANs.


The server has fqdn hh3.hh3.site at 192.168.1.3
Now *that* I would put in /etc/hosts!
OK. copy:
192.168.1.3 hh3.hh3.site hh3

Actually it should be supplied by DHCP but my experience is that
many/some machines don't always honour all of



Here is my reverse zone (created by Yast):

cat /var/lib/named/master/1.168.192.in-addr.arpa
$TTL 2d
@ IN SOA hh3.hh3.site. root.hh3.hh3.site. (
2012033101 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
1.168.192.in-addr.arpa. IN NS hh3.hh3.site.
3 IN PTR hh3.hh3.site.
Now you *may* have a problem here.

[Sidebar: I'm assuming that yast created such a minimalist
zone file because that was all it could see, just the
local machine.
If you google, you'll find there are many tools (often written
in perl or shell) for generating zone files.
]

I'm assuming that your other machines - workstations ? - are also on the
192.168.1/24 subnet and have addresses assigned by DHCP.
Do I need a PTR for each computer on the lan?
There are two ways you can get their reverse addresses to work.
The first is to use 'dynamic dns' where the DHCP server tells the DNS
server that it has assigned an address and supplies the details which
the DNS server can now hand out in response to queries.
Yes. That's what we have. that's what the samba4 guys added to bind9 to get it to do the dynamic updates. We have our win7 and linux clients using the dhcp server. It works ok but coming back to the original point, we have to put 127.0.1.1 in /etc/hosts on the client to get a name over to the server.
It's another
thing to have to get exactly right.
http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
http://www.sghaida.com/dhcp-bind-dynamic-updates/
and this mentions a few important 'secrets'
http://hackerific.net/2007/12/24/dynamic-dns-with-dhcp-and-bind-9/

When you report
Still can't lose this error:
Mar 31 08:47:46 hh3 named[9900]: couldn't add command channel ::1#953:
address not available

Well that's what it's talking about, but it looks like that involves IPv6.
To be honest, once IPv6 comes into play with ddns things get a bit
complicated, especially if you're not using IPv6 in the first place :-)
The IPv6 stuff comes straight out of a default openSUSE bind install. I don't want it. It just gets put here.


The other way to deal with workstation addresses is a bit of a cheat,
but it's easy and it works and in a constrained small system as opposed
to a multi-segment, multi-server campus, I'm not going to argue. I use
it for my home system, a few machines around the house, a couple of
laptops, toys ... wifi on the patio ...

Basically you pre-load the reverse domain to match the addresses DHCP
can supply.

So if your DHCP says

subnet 192.168.1.0 netmask 255.255.255.0 {
authoritative;
range dynamic-bootp 192.168.1.32 192.168.1.64;
}

Then you can load up your reverse zone with

32 IN PTR ws32.hh3.site.
33 IN PTR ws33.hh3.site.
...
64 IN PTR ws64.hh3.site.


Actually if you're really good and have the upper levels set correctly,
you can use a lot of shorthand and only need lines like

32 IN PTR ws32


:-) But heck, belt and braces approach never hurt!



Here is /etc/named.conf
grep -v "#" /etc/named.conf
Filtering out comments .... after reading mine, go back and read what
you didn't show!



options {
directory "/var/lib/named";
managed-keys-directory "/var/lib/named/dyn/";
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
All those should be writeable by named.
Yes. In fact if the whole of /var/lib/named is not writeable by named, named will not start. The maintainers will not change this however. Please see the other post for details of the bugzillas.

listen-on-v6 { any; };
WHOA! listen-on-v6 turns on BIND to listen for IPv6 queries.
If you're not running IPv6 then you want "none" rather than "any".
This may account for one error :-)
Yes it does. Again, it is default openSUSE.

See http://www.zytrax.com/books/dns/ch7/hkpng.html




notify no;
disable-empty-zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
include "/etc/named.d/forwarders.conf";
That may or may not produce more ....

No that's fine. The only error now is here:
Mar 31 17:25:44 hh3 named[2483]: starting BIND 9.8.1-P1 -u named
Mar 31 17:25:44 hh3 named[2483]: built with '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=/usr/lib' '--includedir=/usr/include/bind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl' '--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2' '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-fomit-frame-pointer -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -DNO_VERSION_DATE -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib'
Mar 31 17:25:44 hh3 named[2483]: adjusted limit on open files from 4096 to 1048576
Mar 31 17:25:44 hh3 named[2483]: found 1 CPU, using 1 worker thread
Mar 31 17:25:44 hh3 named[2483]: using up to 4096 sockets
Mar 31 17:25:44 hh3 named[2483]: loading configuration from '/etc/named.conf'
Mar 31 17:25:44 hh3 named[2483]: reading built-in trusted keys from file '/etc/bind.keys'
Mar 31 17:25:44 hh3 named[2483]: using default UDP/IPv4 port range: [1024, 65535]
Mar 31 17:25:44 hh3 named[2483]: using default UDP/IPv6 port range: [1024, 65535]
Mar 31 17:25:44 hh3 named[2483]: listening on IPv6 interfaces, port 53
Mar 31 17:25:44 hh3 named[2483]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 31 17:25:44 hh3 named[2483]: listening on IPv4 interface eth1, 192.168.1.3#53
Mar 31 17:25:44 hh3 named[2483]: generating session key for dynamic DNS
Mar 31 17:25:44 hh3 named[2483]: sizing zone task pool based on 5 zones
Mar 31 17:25:44 hh3 named[2483]: Loading 'AD DNS Zone' using driver dlopen
Mar 31 17:25:47 hh3 named[2483]: samba_dlz: started for DN DC=hh3,DC=site
Mar 31 17:25:47 hh3 named[2483]: samba_dlz: starting configure
Mar 31 17:25:47 hh3 named[2483]: samba_dlz: configured writeable zone 'hh3.site'
Mar 31 17:25:47 hh3 named[2483]: samba_dlz: configured writeable zone '_msdcs.hh3.site'
Mar 31 17:25:47 hh3 named[2483]: set up managed keys zone for view _default, file '/var/lib/named/dyn//managed-keys.bind'
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 10.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 16.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 17.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 18.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 19.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 20.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 21.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 22.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 23.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 24.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 25.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 26.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 27.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 28.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 29.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 30.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 31.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 168.192.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 0.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 127.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: D.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: A.E.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: B.E.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: command channel listening on 127.0.0.1#953
Mar 31 17:25:47 hh3 named[2483]: couldn't add command channel ::1#953: address not available
Mar 31 17:25:47 hh3 named[2483]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Mar 31 17:25:47 hh3 named[2483]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2012033101
Mar 31 17:25:47 hh3 named[2483]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
Mar 31 17:25:47 hh3 named[2483]: zone localhost/IN: loaded serial 42
Mar 31 17:25:47 hh3 named[2483]: managed-keys-zone ./IN: loaded serial 0
Mar 31 17:25:47 hh3 named[2450]: Starting name server BIND ..done
Mar 31 17:25:47 hh3 named[2483]: running

This is after changing ownership of /var/lib/named and after creating the managed-keys.bind file. Without those changes, bind will not start.


};
zone "." in {
type hint;
file "root.hint";
};
zone "localhost" in {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
zone
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
If you're not using IPv6 then you might consider removing all such
references.
The ip6.arpa one, no?


in {
type master;
file "127.0.0.zone";
allow-transfer { any; };
Why?
This is what the default install did.

};
include "/etc/named.conf.include";

Again, an 'include' may alter things dramatically!
Default again. named.conf.include is empty.

logging {
category default { log_syslog; };
channel log_syslog { syslog; };
Default openSUSE.
};
zone "1.168.192.in-addr.arpa" in {
allow-transfer { any; };
Why?
This is for reverse lookup. This is what I added. Without it, reverse lookup does not work.
file "master/1.168.192.in-addr.arpa";
type master;
};
Reverse lookup added by myself.
the samba 4 dlz stuff.
include "/usr/local/samba/private/named.conf";
Again, an 'include' may alter things dramatically!
This is working OK. It's the samba4 dlz stuff.



Notes:
Changes made to the 12.1 bind to get rid of the startup errors:
chown named:named /var/lib/named (working directory not writable)
:-)

touch /var/lib/dyn/managed-keys.bind (file does not exist)
No, that needs to contain the crypto key used by ddns.
Unless that file exists, it throws an error.
/etc/sysconfig/named NAMED_RUN_CHROOTED="no" (It's too much hassle
transferring the samba dlz stuff to the jail)
I can see that; I'm not going to harp on about "basic security".
I chroot so I know I can, but if you can justify not needing to
then it's "no harm, no foul".
Yes. The samba include file must be readable. In the chroot it can't be read. I can't find a way of making it work in the chroot without including most of the samba stuff in there too.





The Yast DNS module is not easy to use. Do you think it would be helpful
if I wrote a howto for it? There is one here:
http://www.pcc-services.com/sles/dns3.html
but it's not correct.
There are so many tools out there that do all this a help page might
read "use these instead"!

Check out named-checkconf and named-checkzone
and have a look at named-compilezone






Will do.
Meanwhile, one important one. I need to add a PTR for each machine on the lan?
L x
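As an added example (editor's code, not from any of the posts above), here is a POSIX shell script that does the pre-loading Anton describes, reading the pool straight from the dhcpd range line, and writes the matching named.conf stanza with a restricted allow-transfer instead of `any`. It runs named-checkzone at the end when that tool is installed. Everything not in the thread is an assumption: the ws<octet>.hh3.site naming for pool hosts, a secondary at 192.168.1.4 as the only host allowed to transfer, and the scratch directory the files are written to.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Pre-loads a reverse zone for a dhcpd pool (the "cheat" described above)
# and emits a zone stanza that does not hand the zone to anyone who asks.
# Assumptions: pool hosts are named ws<octet>.hh3.site, the only secondary
# is 192.168.1.4, and the zone file will live under /var/lib/named/master.
set -eu

# Print "first last" host octets from the first "range" line of a dhcpd.conf.
# Accepts both "range a b;" and the thread's "range dynamic-bootp a b ;".
dhcp_pool_octets() {
    awk '$1 == "range" {
            n = NF; if ($n == ";") n--
            b = $n; sub(/;$/, "", b); a = $(n - 1)
            split(a, x, "."); split(b, y, ".")
            print x[4], y[4]; exit
         }' "$1"
}

# Emit a complete reverse zone file on stdout, one PTR per pool address.
# $1 origin (1.168.192.in-addr.arpa)  $2 primary NS FQDN  $3 NS host octet
# $4 forward domain                   $5 serial           $6/$7 first/last octet
gen_reverse_zone() {
    origin=$1 ns=$2 ns_octet=$3 domain=$4 serial=$5 first=$6 last=$7
    # Refuse a pool that does not fit inside one /24: octets must be 1..254.
    [ "$first" -ge 1 ] && [ "$last" -le 254 ] && [ "$first" -le "$last" ] || return 1
    printf '$TTL 2d\n'
    printf '@ IN SOA %s. root.%s. (\n' "$ns" "$ns"
    printf '\t%s ; serial\n\t3h ; refresh\n\t1h ; retry\n\t1w ; expiry\n\t1d ) ; minimum\n' "$serial"
    printf '%s. IN NS %s.\n' "$origin" "$ns"
    # Targets are written fully qualified (trailing dot): a relative name in
    # a reverse zone is expanded against the in-addr.arpa origin, not the
    # forward domain.
    printf '%s IN PTR %s.\n' "$ns_octet" "$ns"
    i=$first
    while [ "$i" -le "$last" ]; do
        printf '%s IN PTR ws%s.%s.\n' "$i" "$i" "$domain"
        i=$((i + 1))
    done
}

# Emit the named.conf stanza. $3 is the allow-transfer ACL body, e.g. "none"
# or "192.168.1.4"; never "any", which lets any host dump the zone with AXFR.
gen_zone_stanza() {
    printf 'zone "%s" in {\n\ttype master;\n\tfile "%s";\n\tallow-transfer { %s; };\n};\n' "$1" "$2" "$3"
}

# Constructed dhcpd.conf fragment mirroring the pool discussed in the thread.
work=$(mktemp -d)
cat > "$work/dhcpd.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    authoritative;
    range dynamic-bootp 192.168.1.32 192.168.1.64 ;
}
EOF
set -- $(dhcp_pool_octets "$work/dhcpd.conf")
gen_reverse_zone 1.168.192.in-addr.arpa hh3.hh3.site 3 hh3.site "$(date +%Y%m%d)01" "$1" "$2" \
    > "$work/1.168.192.in-addr.arpa"
gen_zone_stanza 1.168.192.in-addr.arpa master/1.168.192.in-addr.arpa 192.168.1.4 \
    > "$work/zone-1.168.192.conf"
# Check the result with the tool the thread recommends, when it is installed.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone 1.168.192.in-addr.arpa "$work/1.168.192.in-addr.arpa"
fi
```

Two things differ from the snippets in the thread on purpose. PTR targets are written fully qualified, because an unqualified `ws32` in a reverse zone file is expanded against the zone's own origin and would come out as ws32.1.168.192.in-addr.arpa. And the stanza never carries `allow-transfer { any; }`: allow-transfer governs only AXFR/IXFR, not ordinary reverse lookups, and with `any` every host that can reach port 53 can enumerate the whole zone with `dig @192.168.1.3 1.168.192.in-addr.arpa AXFR`, which is one of the first recon steps in any pentest. Running that dig from a workstation that is not a secondary is a quick check that the restriction is in force.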
