On 31/03/12 14:36, Anton Aylward wrote:
> lynn said the following on 03/31/2012 03:17 AM:
>> Hi
>> Yes. I can explain the conflict now. My Samba4 dynamic dns configuration was creating the forward zone for me, so by adding my own it was conflicting with the zone that was already loaded. DUH! I only needed to add the _forward_ zone myself as the A record was already there.
>>
>> Correction: I meant _reverse_ zone of course. It is the forward zone that is already there.
>
> Ah. I'm glad you found that. I'm glad because I have no experience or insight into Samba*4*.

It's not out of alpha yet but it's an amazing piece of kit. It helps enormously with SSO on heterogeneous LANs.
>> The server has fqdn hh3.hh3.site at 192.168.1.3
>
> Now *that* I would put in /etc/hosts!

OK. copy:
192.168.1.3 hh3.hh3.site hh3

> Actually it should be supplied by DHCP but my experience is that many/some machines don't always honour all of
>
>> Here is my reverse zone (created by Yast):
>> cat /var/lib/named/master/1.168.192.in-addr.arpa
>> $TTL 2d
>> @ IN SOA hh3.hh3.site. root.hh3.hh3.site. (
>>         2012033101 ; serial
>>         3h         ; refresh
>>         1h         ; retry
>>         1w         ; expiry
>>         1d )       ; minimum
>> 1.168.192.in-addr.arpa. IN NS  hh3.hh3.site.
>> 3                       IN PTR hh3.hh3.site.
>
> Now you *may* have a problem here.
> [Sidebar: I'm assuming that yast created such a minimalist zone file because that was all it could see, just the local machine. If you google, you'll find there are many tools (often written in perl or shell) for generating zone files.]
> I'm assuming that your other machines - workstations? - are also on the 192.168.1/24 subnet and have addresses assigned by DHCP.

Do I need a PTR for each computer on the LAN?

> There are two ways you can get their reverse addresses to work. The first is to use 'dynamic dns', where the DHCP server tells the DNS server that it has assigned an address and supplies the details, which the DNS server can now hand out in response to queries.

Yes. That's what we have. That's what the samba4 guys added to bind9 to get it to do the dynamic updates. We have our win7 and linux clients using the dhcp server. It works OK but, coming back to the original point, we have to put 127.0.1.1 in /etc/hosts on the client to get a name over to the server. It's another thing to have to get exactly right.

> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
> http://www.sghaida.com/dhcp-bind-dynamic-updates/
> and this mentions a few important 'secrets'
> http://hackerific.net/2007/12/24/dynamic-dns-with-dhcp-and-bind-9/
> When you report
>
>> Still can't lose this error:
>> Mar 31 08:47:46 hh3 named[9900]: couldn't add command channel ::1#953: address not available
>
> Well that's what it's talking about, but it looks like that involves IPv6. To be honest, once IPv6 comes into play with ddns things get a bit complicated, especially if you're not using IPv6 in the first place :-)

The IPv6 stuff comes straight out of a default openSUSE bind install. I don't want it. It just gets put here.
> The other way to deal with workstation addresses is a bit of a cheat, but it's easy and it works, and in a constrained small system, as opposed to a multi-segment, multi-server campus, I'm not going to argue. I use it for my home system, a few machines around the house, a couple of laptops, toys ... wifi on the patio ...
>
> Basically you pre-load the reverse domain to match the addresses DHCP can supply.
>
> So if your DHCP says
>
> subnet 192.168.1.0 netmask 255.255.255.127 {
>         authoritative;
>         range dynamic-bootp 192.168.1.32 192.168.1.64;
>
> Then you can load up your reverse zone with
>
> 32 IN PTR ws32.hh3.site.
> 33 IN PTR ws33.hh3.site.
> ...
> 64 IN PTR ws64.hh3.site.
>
> Actually if you're really good and have the upper levels set correctly, you can use a lot of shorthand and only need lines like
>
> 32 IN PTR ws32
>
> :-) But heck, a belt and braces approach never hurt!
>> Here is /etc/named.conf
>> grep -v "#" /etc/named.conf
>
> Filtering out comments .... after reading mine, go back and read what you didn't show!
>
>> options {
>>         directory "/var/lib/named";
>>         managed-keys-directory "/var/lib/named/dyn/";
>>         dump-file "/var/log/named_dump.db";
>>         statistics-file "/var/log/named.stats";
>
> All those should be writeable by named.

Yes. In fact, if the whole of /var/lib/named is not writeable by named, named will not start. The maintainers will not change this, however. Please see the other post for details of the bugzillas.

>>         listen-on-v6 { any; };
>
> WHOA! listen-on-v6 turns on BIND to listen for IPv6 queries. If you're not running IPv6 then you want "none" rather than "any". This may account for one error :-)

Yes it does. Again, it is default openSUSE.

> See http://www.zytrax.com/books/dns/ch7/hkpng.html
>
>>         notify no;
>>         disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>>         include "/etc/named.d/forwarders.conf";
>
> That may or may not produce more ....
No that's fine. The only error now is here:

Mar 31 17:25:44 hh3 named[2483]: starting BIND 9.8.1-P1 -u named
Mar 31 17:25:44 hh3 named[2483]: built with '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=/usr/lib' '--includedir=/usr/include/bind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl' '--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2' '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-fomit-frame-pointer -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -DNO_VERSION_DATE -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib'
Mar 31 17:25:44 hh3 named[2483]: adjusted limit on open files from 4096 to 1048576
Mar 31 17:25:44 hh3 named[2483]: found 1 CPU, using 1 worker thread
Mar 31 17:25:44 hh3 named[2483]: using up to 4096 sockets
Mar 31 17:25:44 hh3 named[2483]: loading configuration from '/etc/named.conf'
Mar 31 17:25:44 hh3 named[2483]: reading built-in trusted keys from file '/etc/bind.keys'
Mar 31 17:25:44 hh3 named[2483]: using default UDP/IPv4 port range: [1024, 65535]
Mar 31 17:25:44 hh3 named[2483]: using default UDP/IPv6 port range: [1024, 65535]
Mar 31 17:25:44 hh3 named[2483]: listening on IPv6 interfaces, port 53
Mar 31 17:25:44 hh3 named[2483]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 31 17:25:44 hh3 named[2483]: listening on IPv4 interface eth1, 192.168.1.3#53
Mar 31 17:25:44 hh3 named[2483]: generating session key for dynamic DNS
Mar 31 17:25:44 hh3 named[2483]: sizing zone task pool based on 5 zones
Mar 31 17:25:44 hh3 named[2483]: Loading 'AD DNS Zone' using driver dlopen
Mar 31 17:25:47 hh3 named[2483]: samba_dlz: started for DN DC=hh3,DC=site
Mar 31 17:25:47 hh3 named[2483]: samba_dlz: starting configure
Mar 31 17:25:47 hh3 named[2483]: samba_dlz: configured writeable zone 'hh3.site'
Mar 31 17:25:47 hh3 named[2483]: samba_dlz: configured writeable zone '_msdcs.hh3.site'
Mar 31 17:25:47 hh3 named[2483]: set up managed keys zone for view _default, file '/var/lib/named/dyn//managed-keys.bind'
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 10.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 16.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 17.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 18.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 19.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 20.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 21.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 22.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 23.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 24.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 25.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 26.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 27.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 28.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 29.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 30.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 31.172.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 168.192.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 0.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 127.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: D.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: A.E.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: B.E.F.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 31 17:25:47 hh3 named[2483]: command channel listening on 127.0.0.1#953
Mar 31 17:25:47 hh3 named[2483]: couldn't add command channel ::1#953: address not available
Mar 31 17:25:47 hh3 named[2483]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Mar 31 17:25:47 hh3 named[2483]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2012033101
Mar 31 17:25:47 hh3 named[2483]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
Mar 31 17:25:47 hh3 named[2483]: zone localhost/IN: loaded serial 42
Mar 31 17:25:47 hh3 named[2483]: managed-keys-zone ./IN: loaded serial 0
Mar 31 17:25:47 hh3 named[2450]: Starting name server BIND ..done
Mar 31 17:25:47 hh3 named[2483]: running

This is after changing ownership of /var/lib/named and after creating the managed-keys.bind file. Without those changes, bind will not start.
>> };
>> zone "." in {
>>         type hint;
>>         file "root.hint";
>> };
>> zone "localhost" in {
>>         type master;
>>         file "localhost.zone";
>> };
>> zone "0.0.127.in-addr.arpa" in {
>>         type master;
>>         file "127.0.0.zone";
>> };
>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
>
> If you're not using IPv6 then you might consider removing all such references.

the ip6.arpa one no?

>> in {
>>         type master;
>>         file "127.0.0.zone";
>>         allow-transfer { any; };
>
> Why?

This is what the default install did.

>> };
>> include "/etc/named.conf.include";
>
> Again, an 'include' may alter things dramatically!

Default again. named.conf.include is empty.

>> logging {
>>         category default { log_syslog; };
>>         channel log_syslog { syslog; };

Default openSUSE.

>> };
>> zone "1.168.192.in-addr.arpa" in {
>>         allow-transfer { any; };
>
> Why?

This is for reverse lookup. This is what I added. Without it, reverse lookup does not work.

>>         file "master/1.168.192.in-addr.arpa";
>>         type master;
>> };
>> Reverse lookup added by myself.
>> the samba 4 dlz stuff.
>> include "/usr/local/samba/private/named.conf";
>
> Again, an 'include' may alter things dramatically!

This is working OK. It's the samba4 dlz stuff.
>> Notes: Changes made to the 12.1 bind to get rid of the startup errors:
>>
>> chown named:named /var/lib/named (working directory not writable)
>
> :-)
>
>> touch /var/lib/dyn/managed-keys.bind (file does not exist)
>
> No, that needs to contain the crypto key used by ddns.

Unless that file exists, it throws an error.

>> /etc/sysconfig/named NAMED_RUN_CHROOTED="no" (It's too much hassle transferring the samba dlz stuff to the jail)
>
> I can see that; I'm not going to harp on about "basic security". I chroot so I know I can, but if you can justify not needing to then it's "no harm, no foul".

Yes. The samba include file must be readable. In the chroot it can't be read. I can't find a way of making it work in the chroot without including most of the samba stuff in there too.
>> The Yast DNS module is not easy to use. Do you think it would be helpful if I wrote a howto for it? There is one here: http://www.pcc-services.com/sles/dns3.html but it's not correct.
>
> There are so many tools out there that do all this that a help page might read "use these instead"!
>
> Check out named-checkconf and named-checkzone and have a look at named-compilezone

Will do. Meanwhile, one important one. I need to add a PTR for each machine on the LAN?
L x
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
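The pre-loaded reverse zone Anton describes above (one PTR per address the DHCP server can hand out, the answer to lynn's closing question when dynamic updates are not wanted), as an added example that is not part of the thread and not code from either poster: a small Python generator that builds the 1.168.192.in-addr.arpa zone for the range 192.168.1.32 to 192.168.1.64, keeps the static PTR for hh3.hh3.site that YaST already created, and uses the YYYYMMDDNN serial convention lynn's zone file already follows. The ws<N> host names follow Anton's sketch; the $TTL and SOA timers are copied from lynn's zone. PTR targets are kept fully qualified with a trailing dot, because named appends the zone origin to any unqualified name, which in a reverse zone would yield something ending in in-addr.arpa rather than hh3.site. The function names, the refusal to emit PTRs for the network and broadcast addresses, and the /24-only restriction are assumptions of this example.

```python
"""Generate a pre-populated reverse (in-addr.arpa) zone for a DHCP range.

Added example, not code from the thread.  Zone and host names (hh3.site,
hh3.hh3.site, 192.168.1.0/24) come from the thread; the ws<N> naming, the
function names and the /24-only limit are assumptions.
"""
import ipaddress
from datetime import date

DOMAIN = "hh3.site."           # forward domain the PTRs point into
NETWORK = ipaddress.IPv4Network("192.168.1.0/24")
PRIMARY_NS = "hh3.hh3.site."   # SOA MNAME and NS, as in lynn's zone file
CONTACT = "root.hh3.hh3.site."
STATIC_PTRS = {3: "hh3.hh3.site."}  # the one record YaST generated (hh3 at .3)


def reverse_zone_name(network: ipaddress.IPv4Network) -> str:
    """in-addr.arpa origin for a /24, e.g. 1.168.192.in-addr.arpa (no trailing dot)."""
    if network.prefixlen != 24:
        raise ValueError("this generator only handles /24 networks (assumption)")
    a, b, c, _ = str(network.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def make_serial(year: int, month: int, day: int, revision: int = 1) -> int:
    """YYYYMMDDNN serial, the convention lynn's zone already uses (2012033101)."""
    if not 0 <= revision <= 99:
        raise ValueError("revision must fit in two digits")
    return int(date(year, month, day).strftime("%Y%m%d")) * 100 + revision


def ptr_records(network, first, last, host_prefix="ws", domain=DOMAIN, static=None):
    """One PTR per address in [first, last], plus any static hosts.

    Keys are the last octet (the label relative to the zone origin); values
    are fully qualified targets.  Network and broadcast addresses are
    rejected, and the DHCP range may not overlap a static host.
    """
    first_ip = ipaddress.IPv4Address(first)
    last_ip = ipaddress.IPv4Address(last)
    if first_ip not in network or last_ip not in network or first_ip > last_ip:
        raise ValueError(f"range {first}-{last} is not inside {network}")
    records = dict(static or {})
    for n in range(int(first_ip), int(last_ip) + 1):
        addr = ipaddress.IPv4Address(n)
        if addr in (network.network_address, network.broadcast_address):
            raise ValueError(f"{addr} is not a host address")
        label = int(addr) & 0xFF
        if label in records:
            raise ValueError(f"{addr} already has a static PTR ({records[label]})")
        records[label] = f"{host_prefix}{label}.{domain}"
    return dict(sorted(records.items()))


def build_reverse_zone(network, records, serial, ttl="2d"):
    """Render the zone file text.  Timers match lynn's YaST-generated zone."""
    origin = reverse_zone_name(network)
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA {PRIMARY_NS} {CONTACT} (",
        f"        {serial} ; serial",
        "        3h ; refresh",
        "        1h ; retry",
        "        1w ; expiry",
        "        1d ) ; minimum",
        f"{origin}. IN NS {PRIMARY_NS}",
    ]
    for label, target in records.items():
        # Without the trailing dot named would append the zone origin and the
        # PTR would point at e.g. ws32.hh3.site.1.168.192.in-addr.arpa.
        if not target.endswith("."):
            raise ValueError(f"PTR target {target!r} must be fully qualified")
        lines.append(f"{label} IN PTR {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = ptr_records(NETWORK, "192.168.1.32", "192.168.1.64", static=STATIC_PTRS)
    print(build_reverse_zone(NETWORK, recs, make_serial(2012, 3, 31)), end="")
```

Write the output to the file named in the zone statement (master/1.168.192.in-addr.arpa under the named directory) and run Anton's suggested check, `named-checkzone 1.168.192.in-addr.arpa <file>`, before reloading; bump the serial's revision digits on every edit so secondaries notice the change. The range in the example is the one Anton's DHCP snippet hands out; any pool change means regenerating the zone, which is the price of this approach compared with the dynamic updates lynn already has working.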