How To Install Samba4 Active Directory on CentOS 7 Part 2


Previously, we compiled and installed Samba4 as explained at this link: http://imanudin.net/2014/11/16/how-to-install-samba4-active-directory-on-centos-7-part-1/. Now we will configure DNS to integrate with Samba and configure Kerberos. First, install BIND as the DNS server:

yum install bind bind-sdb

Configure named.conf to listen on port 53 and allow queries from the Samba server, and include the BIND9_DLZ DNS records that Samba provides:

vi /etc/named.conf

Change/add and adjust the lines as in the following example.

Change the lines below so that they become:

listen-on port 53 { 127.0.0.1; any; };
allow-query     { localhost; any; };

Add the line below at the bottom:

include "/usr/local/samba/private/named.conf";

Check the BIND version and adjust the named.conf file in the folder /usr/local/samba/private/ to match that version:

yum info bind
[root@samba4 ~]# yum info bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Installed Packages
Name        : bind
Arch        : x86_64
Epoch       : 32
Version     : 9.9.4
Release     : 14.el7
Size        : 4.3 M
Repo        : installed
From repo   : DVD
Summary     : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
URL         : http://www.isc.org/products/BIND/
License     : ISC
Description : BIND (Berkeley Internet Name Domain) is an implementation of the DNS
            : (Domain Name System) protocols. BIND includes a DNS server (named),
            : which resolves host names to IP addresses; a resolver library
            : (routines for applications to use when interfacing with DNS); and
            : tools for verifying that the DNS server is operating properly.

On my system, the BIND version is 9.9.4. Open the file /usr/local/samba/private/named.conf and use the database line for BIND 9.9.0, as below:

vi /usr/local/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
     database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
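The BIND-version/DLZ-module mismatch is the most common named start-up failure in the comments below (both database lines left active, or the 9.8 module used with BIND 9.9). The following checker is an added example, not code from the page or from Samba: it reads the version from `yum info bind` output and validates the dlz block. The module map covers only the two BIND versions the page lists; the sample inputs are constructed from the outputs shown above.

```python
import re

# Samba DLZ module per BIND major.minor, as listed in the page's
# /usr/local/samba/private/named.conf (only the two versions the page shows).
DLZ_MODULES = {
    (9, 8): "/usr/local/samba/lib/bind9/dlz_bind9.so",
    (9, 9): "/usr/local/samba/lib/bind9/dlz_bind9_9.so",
}

# Constructed sample: the relevant lines of the `yum info bind` output shown on the page.
YUM_INFO_SAMPLE = """\
Installed Packages
Name        : bind
Arch        : x86_64
Epoch       : 32
Version     : 9.9.4
Release     : 14.el7
"""

# Constructed sample: the dlz block as the page configures it for BIND 9.9.
NAMED_CONF_OK = """\
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
     database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
"""

# Constructed sample: both database lines left active, a mistake from the comment thread.
NAMED_CONF_BOTH = """\
dlz "AD DNS Zone" {
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
"""

DATABASE_RE = re.compile(r'^database\s+"dlopen\s+(\S+)"\s*;')


def bind_version_from_yum_info(text):
    """Return (major, minor) from the 'Version :' line of `yum info bind` output."""
    m = re.search(r"^Version\s*:\s*(\d+)\.(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in yum info output")
    return int(m.group(1)), int(m.group(2))


def dlz_module_for(version):
    """Return the DLZ shared object built for a BIND (major, minor) version."""
    if version not in DLZ_MODULES:
        raise ValueError("no DLZ module known for BIND %d.%d" % version)
    return DLZ_MODULES[version]


def check_dlz_config(conf_text, version):
    """Validate a Samba named.conf dlz block against the installed BIND version.

    Returns a list of problems; an empty list means the block is consistent.
    Exactly one uncommented database line is required and it must name the
    module built for this BIND version; otherwise named logs errors such as
    'dlz_dlopen: incorrect version ...' and refuses to start.
    """
    active = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented-out line
        m = DATABASE_RE.match(stripped)
        if m:
            active.append(m.group(1))

    expected = dlz_module_for(version)
    problems = []
    if not active:
        problems.append("no active database line; uncomment the one for BIND %d.%d" % version)
    elif len(active) > 1:
        problems.append("%d database lines active; only one may be uncommented" % len(active))
    for module in active:
        if module != expected:
            problems.append("active module %s does not match BIND %d.%d (expected %s)"
                            % (module, version[0], version[1], expected))
    return problems


if __name__ == "__main__":
    version = bind_version_from_yum_info(YUM_INFO_SAMPLE)
    print("BIND %d.%d -> %s" % (version[0], version[1], dlz_module_for(version)))
    for label, conf in (("page config", NAMED_CONF_OK), ("both active", NAMED_CONF_BOTH)):
        print(label + ":", check_dlz_config(conf, version) or "consistent")
```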

Change the owner of the /var/named folder, restart the DNS service and test:

chown named.named /var/named/
service named restart
host -t SRV _ldap._tcp.imanudin.net.
host -t SRV _kerberos._udp.imanudin.net.
host -t A imanudin.net.

These are the results of the commands above. If your results differ, your DNS configuration probably still has a problem.

[root@samba4 ~]# host -t SRV _ldap._tcp.imanudin.net.
_ldap._tcp.imanudin.net has SRV record 0 100 389 samba4.imanudin.net.
[root@samba4 ~]# host -t SRV _kerberos._udp.imanudin.net.
_kerberos._udp.imanudin.net has SRV record 0 100 88 samba4.imanudin.net.
[root@samba4 ~]# host -t A imanudin.net.
imanudin.net has address 192.168.26.11
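To turn the three `host` checks above into a repeatable test, here is an added example (not code from the page or from Samba) that parses `host` output and reports what is wrong. It distinguishes a healthy answer from the NXDOMAIN and "connection timed out" outputs that readers report in the comments, since each points at a different cause. The sample outputs are constructed from the lines shown on this page and in the thread.

```python
import ipaddress
import re

# Service records an AD domain controller must publish, as the page verifies them
# with `host -t SRV`: record prefix -> expected port (LDAP 389, Kerberos 88).
EXPECTED_SRV = {"_ldap._tcp": 389, "_kerberos._udp": 88}

SRV_RE = re.compile(r"^(\S+?)\.? has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$", re.M)
A_RE = re.compile(r"^(\S+?)\.? has address (\S+)$", re.M)

# Constructed samples, copied from the outputs shown on the page (healthy) and
# in the comment thread (broken); each value is what `host` printed for that name.
HEALTHY = {
    "_ldap._tcp.imanudin.net": "_ldap._tcp.imanudin.net has SRV record 0 100 389 samba4.imanudin.net.\n",
    "_kerberos._udp.imanudin.net": "_kerberos._udp.imanudin.net has SRV record 0 100 88 samba4.imanudin.net.\n",
    "imanudin.net": "imanudin.net has address 192.168.26.11\n",
}
BROKEN = {
    "_ldap._tcp.ashproperties.com": "Host _ldap._tcp.ashproperties.com. not found: 3(NXDOMAIN)\n",
    "_kerberos._udp.ashproperties.com": "Host _kerberos._udp.ashproperties.com. not found: 3(NXDOMAIN)\n",
    "ashproperties.com": ";; connection timed out; trying next origin\n"
                         ";; connection timed out; no servers could be reached\n",
}


def parse_host_output(text):
    """Classify the output of one `host` invocation.

    Returns ("srv", [(priority, weight, port, target), ...]), ("a", [ip, ...]),
    ("nxdomain", None), ("timeout", None) or ("unknown", None).
    """
    if "NXDOMAIN" in text:
        return "nxdomain", None
    if "connection timed out" in text or "no servers could be reached" in text:
        return "timeout", None
    srv = [(int(p), int(w), int(port), tgt) for _, p, w, port, tgt in SRV_RE.findall(text)]
    if srv:
        return "srv", srv
    addrs = [ip for _, ip in A_RE.findall(text)]
    if addrs:
        return "a", addrs
    return "unknown", None


def check_ad_dns(domain, outputs):
    """Check the SRV and A answers an AD DC needs; returns a list of problems.

    `outputs` maps a query name to the raw text `host` printed for it. An empty
    list means DNS looks healthy for `domain`. NXDOMAIN points at the AD zone not
    being served (DLZ include or named failure); a timeout points at resolv.conf
    or a stopped named, the two failure modes readers hit in the comments.
    """
    problems = []
    for prefix, want_port in EXPECTED_SRV.items():
        name = "%s.%s" % (prefix, domain)
        kind, records = parse_host_output(outputs.get(name, ""))
        if kind == "nxdomain":
            problems.append("%s: NXDOMAIN, the AD zone is not served (check the DLZ include and the named log)" % name)
        elif kind == "timeout":
            problems.append("%s: no DNS server reachable (check resolv.conf and that named is running)" % name)
        elif kind != "srv":
            problems.append("%s: no SRV record in output" % name)
        else:
            for _prio, _weight, port, target in records:
                if port != want_port:
                    problems.append("%s: port %d, expected %d" % (name, port, want_port))
                if not target.endswith("." + domain):
                    problems.append("%s: target %s is outside %s" % (name, target, domain))
    kind, addrs = parse_host_output(outputs.get(domain, ""))
    if kind != "a":
        problems.append("%s: no A record (%s)" % (domain, kind))
    else:
        for ip in addrs:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append("%s: unparsable address %s" % (domain, ip))
    return problems


if __name__ == "__main__":
    print("imanudin.net:", check_ad_dns("imanudin.net", HEALTHY) or "healthy")
    for problem in check_ad_dns("ashproperties.com", BROKEN):
        print("ashproperties.com:", problem)
```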

# Configure Kerberos

cp /etc/krb5.conf /etc/krb5.conf.ori
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

# Testing Kerberos

kinit administrator
klist -e

These are the results of testing Kerberos:

[root@samba4 ~]# kinit administrator
Password for administrator@IMANUDIN.NET: 
Warning: Your password will expire in 41 days on Mon Dec 29 00:50:47 2014
[root@samba4 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@IMANUDIN.NET

Valid starting     Expires            Service principal
11/17/14 00:57:04  11/17/14 10:57:04  krbtgt/IMANUDIN.NET@IMANUDIN.NET
        renew until 11/18/14 00:57:01, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 
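The ticket above was issued with the arcfour-hmac (RC4) encryption type, which is worth noticing on a new domain controller. As an added example (not code from the page or from Samba), this parser reads `klist -e` output in the MIT format shown above, confirms that kinit produced a TGT in the expected realm, and flags tickets using RC4 or single-DES etypes; the weak-etype list is my choice, and the sample caches are constructed from the output on this page.

```python
import re

# Encryption types that `klist -e` (MIT Kerberos) prints and that should be
# treated as weak in an AD realm: RC4 (arcfour) and single DES.
WEAK_ETYPES = {"arcfour-hmac", "arcfour-hmac-exp", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

PRINCIPAL_RE = re.compile(r"^Default principal:\s*(\S+)\s*$", re.M)
# A ticket line starts with two date/time pairs followed by the service principal.
TICKET_RE = re.compile(r"^(\d\S+ \S+)\s+(\d\S+ \S+)\s+(\S+)\s*$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")

# Constructed sample: the `klist -e` output shown on the page.
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@IMANUDIN.NET

Valid starting     Expires            Service principal
11/17/14 00:57:04  11/17/14 10:57:04  krbtgt/IMANUDIN.NET@IMANUDIN.NET
        renew until 11/18/14 00:57:01, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

# Constructed sample: the same cache as it would look with AES tickets.
KLIST_AES_SAMPLE = KLIST_SAMPLE.replace("arcfour-hmac", "aes256-cts-hmac-sha1-96")


def parse_klist(text):
    """Parse `klist -e` output into (default_principal, tickets).

    Each ticket is a dict with 'service', 'skey' (session key etype) and 'tkt'
    (ticket etype); the Etype information follows the ticket line.
    """
    m = PRINCIPAL_RE.search(text)
    principal = m.group(1) if m else None
    lines = text.splitlines()
    tickets = []
    for i, line in enumerate(lines):
        t = TICKET_RE.match(line)
        if not t:
            continue
        ticket = {"service": t.group(3), "skey": None, "tkt": None}
        for cont in lines[i + 1:i + 3]:  # continuation lines until the next ticket
            if TICKET_RE.match(cont):
                break
            e = ETYPE_RE.search(cont)
            if e:
                ticket["skey"], ticket["tkt"] = e.group(1), e.group(2)
                break
        tickets.append(ticket)
    return principal, tickets


def audit_tickets(text, expected_realm):
    """Return findings about a credential cache; an empty list means all checks pass.

    Checks that kinit produced a principal in `expected_realm`, that a TGT
    (krbtgt/REALM@REALM) is present and that no ticket uses a weak etype.
    """
    principal, tickets = parse_klist(text)
    if principal is None:
        return ["no default principal; kinit did not succeed"]
    findings = []
    realm = principal.rsplit("@", 1)[-1]
    if realm != expected_realm:
        findings.append("principal realm %s != expected %s" % (realm, expected_realm))
    tgt = "krbtgt/%s@%s" % (expected_realm, expected_realm)
    if not any(t["service"] == tgt for t in tickets):
        findings.append("no TGT %s in cache" % tgt)
    for t in tickets:
        for which in ("skey", "tkt"):
            if t[which] in WEAK_ETYPES:
                findings.append("%s uses weak %s etype %s" % (t["service"], which, t[which]))
    return findings


if __name__ == "__main__":
    for label, cache in (("page sample", KLIST_SAMPLE), ("AES sample", KLIST_AES_SAMPLE)):
        print(label + ":", audit_tickets(cache, "IMANUDIN.NET") or "no findings")
```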

# Configure kerberos DNS dynamic updates (Optional)

This configuration is optional; you can apply or skip this section. To configure it, add the line tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; to the options section of named.conf. See the following example:

vi /etc/named.conf
options {
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
listen-on port 53 { 127.0.0.1; any; };

Run the following commands to change the group owner and access on the dns.keytab file, and enable the named service at boot:

chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
systemctl enable named.service

Check whether dynamic DNS updates work with the following command:

/usr/local/samba/sbin/samba_dnsupdate --verbose

Hooray, now we have successfully installed Samba4 as an Active Directory domain controller and can join Windows clients to Samba4.

Good luck and hopefully useful 😀

78 thoughts on - How To Install Samba4 Active Directory on CentOS 7 Part 2

  • Hi!

    Thank you for your tutorial, I’m following step by step but I’m receiving this error:

    Loading ‘AD DNS Zone’ using driver dlopen
    samba_dlz: Failed to connect to /usr/local/samba/private/dns/sam.ldb

    When I try:
    service named restart

    Do you have any tips?

    Thank you again!

  • Hi Iman!

    I tried again at work with a new install (CentOS-7.0-1406-x86_64-Minimal) but I am still having the same error.
    —————-
    # journalctl -xn
    Dec 02 15:34:09 dc1.xyz.lan named[2164]: dlz_dlopen of ‘AD DNS Zone’ failed
    Dec 02 15:34:09 dc1.xyz.lan named[2164]: SDLZ driver failed to load.
    Dec 02 15:34:09 dc1.xyz.lan named[2164]: DLZ driver failed to load.
    Dec 02 15:34:09 dc1.xyz.lan named[2164]: loading configuration: failure
    Dec 02 15:34:09 dc1.xyz.lan named[2164]: exiting (due to fatal error)
    Dec 02 15:34:09 dc1.xyz.lan systemd[1]: named.service: control process exited, code=exited status=1
    Dec 02 15:34:09 dc1.xyz.lan systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
    — Subject: Unit named.service has failed
    —————-
    The bind-sdb is installed

    # rpm -qa | grep bind
    bind-sdb-9.9.4-14.el7.x86_64
    bind-license-9.9.4-14.el7.noarch
    bind-libs-9.9.4-14.el7.x86_64
    bind-libs-lite-9.9.4-14.el7.x86_64
    bind-9.9.4-14.el7.x86_64
    —————-
    Maybe it’s a rights issue in the folder?

    I did the #chown named.named /var/named/

    drwxr-x— 5 named 120 Dec 2 14:41 named/
    —————-
    Thank you!

    • Hi Roger,

      It seems that the problem occurred while provisioning. Please try to remove sam.ldb and provision again

      rm /usr/local/samba/private/sam.ldb
      /usr/local/samba/bin/samba-tool domain provision

    • Hi Bernard,

      I just configured my BIND the same as in this guide. In this guide, I am using BIND9_DLZ, which is provided by Samba4 with all the DNS records needed

  • I figured out why host -t SRV & A is not working.

    I updated the /etc/resolv.conf and added the local dns running on my test server (e.g nameserver ) before I run the host -t SRV & A commands.

    • Hi Bernard,

      Please make sure your BIND service has started. Please check for any problem in the log at /var/log/messages for tracking and debugging

  • Hi guys,

    I found a solution for this problem (if you always need it) :

    samba_dlz: Failed to connect to /usr/local/samba/private/dns/sam.ldb

    chmod 777 /usr/local/samba/private/
    chmod 777 /usr/local/samba/private/dns/
    chmod 777 /usr/local/samba/private/dns.keytab
    chmod 777 /usr/local/samba/private/dns/sam.ldb.d
    chmod 777 /usr/local/samba/private/dns/sam.ldb

    It worked for me after that 🙂

    Bye

  • Hi Iman,
    I have the following errors,

    host -t SRV _kerberos._udp.ashproperties.com.
    Host _kerberos._udp.ashproperties.com. not found: 3(NXDOMAIN)

    host -t SRV _ldap._tcp.ashproperties.com.
    Host _ldap._tcp.ashproperties.com. not found: 3(NXDOMAIN)

    service named restart
    Redirecting to /bin/systemctl restart named.service
    Job for named.service failed. See ‘systemctl status named.service’ and ‘journalctl -xn’ for details.

    • Additional info:
      A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
      Once the above files are installed, your Samba4 server will be ready to use
      Server Role: active directory domain controller
      Hostname: localhost
      NetBIOS Domain: ASHPROPERTIES
      DNS Domain: ashproperties.com
      DOMAIN SID: S-1-5-21-28188146-4262063930-3393960050

      • Hi Ron,

        It seems there is a problem in your /etc/hosts. Please change the information in /etc/hosts so that it looks like below:

        127.0.0.1 localhost
        192.168.26.11 samba4.ashproperties.com samba4

    • Hi Ron,

      It seems your DNS configuration still has a problem. Please paste the result of these commands:

      systemctl restart named
      systemctl status named
      tail -n20 /var/log/messages

      • [rbautista@localhost ~]$ systemctl status named
        named.service – Berkeley Internet Name Domain (DNS)
        Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
        Active: active (running) since Thu 2015-03-12 09:12:21 EDT; 1h 19min ago
        Process: 19427 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
        Process: 19441 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
        Process: 19438 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
        Main PID: 19442 (named)
        CGroup: /system.slice/named.service
        └─19442 /usr/sbin/named -u named

  • Hi!
    Very nice tutorial!
    Everything is working, but I can’t create a new account in my domain; only the administrator account is working.
    I used “useradd xxx” and “smbpasswd xxx” but I can’t connect to my domain.

  • Hello,

    Thanks for your guide.
    While trying to install BIND, package bind-sdb isn’t installed. Package bind installs correctly without errors.
    I get the following output:
    yum install bind-sdb
    Loaded plugins: amazon-id, rhui-lb
    No package bind-sdb available.
    Error: Nothing to do

    Do you have any suggestions?

    Best Regards,
    Konstantin.

  • Hi iman great post.

    I have an issue with DNS update

    01-Oct-2015 05:10:27.023 database: info: samba_dlz: starting transaction on zone eproyiv.cu
    01-Oct-2015 05:10:27.026 update-security: error: client 172.168.1.4#1370: update ‘eproyiv.cu/IN’ denied
    01-Oct-2015 05:10:27.026 database: info: samba_dlz: cancelling transaction on zone eproyiv.cu

    I checked everything and it seems to be all right

  • service named start
    Failed to connect to /usr/local/samba/private/dns/sam.ldb
    Still looking for an answer for this! Therefore neither LDAP nor Kerberos is working 🙁 I gave permission on this file with named as the owner but it is not working..

    • Hi,

      Please try to change permission with 777. For example

      chmod -R 777 /usr/local/samba/private/dns/
      

      Sometimes I also use this option to make sure there is no problem with my configuration, only a problem with permissions 😉

  • You saved the day! Now it works great, thx a lot 🙂 How silly I am
    Let me add something: BIND must be installed before provisioning because during the provision Samba generates /usr/local/samba/private/named.conf! I mean, if BIND is installed already then Samba creates the right configuration file..
    Attention! If you try to re-enable SELinux!
    You must add the following rules;
    firewall-cmd --permanent --add-port=53/tcp
    firewall-cmd --permanent --add-port=53/udp
    firewall-cmd --permanent --add-port=88/tcp
    firewall-cmd --permanent --add-port=88/udp
    firewall-cmd --permanent --add-port=135/tcp
    firewall-cmd --permanent --add-port=137/tcp
    firewall-cmd --permanent --add-port=137/udp
    firewall-cmd --permanent --add-port=138/udp
    firewall-cmd --permanent --add-port=139/tcp
    firewall-cmd --permanent --add-port=389/tcp
    firewall-cmd --permanent --add-port=389/udp
    firewall-cmd --permanent --add-port=445/tcp
    firewall-cmd --permanent --add-port=464/tcp
    firewall-cmd --permanent --add-port=464/udp
    firewall-cmd --permanent --add-port=636/tcp
    firewall-cmd --permanent --add-port=1024-5000/tcp
    firewall-cmd --permanent --add-port=1024-5000/udp
    firewall-cmd --permanent --add-port=3268/tcp
    firewall-cmd --permanent --add-port=3269/tcp
    firewall-cmd --permanent --add-port=5353/tcp
    firewall-cmd --permanent --add-port=5353/udp
    And restart.. Restart again 🙂

    Thx again man you are great
    Best regards

  • May I ask question?
    I have some problem when I run “service named restart”.
    It can’t start.
    Dec 21 22:36:59 sdc.tatung.com named[997]: —————————————————-
    Dec 21 22:36:59 sdc.tatung.com named[997]: adjusted limit on open files from 4096 to 1048576
    Dec 21 22:36:59 sdc.tatung.com named[997]: found 2 CPUs, using 2 worker threads
    Dec 21 22:36:59 sdc.tatung.com named[997]: using 2 UDP listeners per interface
    Dec 21 22:36:59 sdc.tatung.com named[997]: using up to 4096 sockets
    Dec 21 22:36:59 sdc.tatung.com named[997]: loading configuration from ‘/etc/named.conf’
    Dec 21 22:36:59 sdc.tatung.com named[997]: reading built-in trusted keys from file ‘/etc/named.iscdlv.key’
    Dec 21 22:36:59 sdc.tatung.com named[997]: using default UDP/IPv4 port range: [1024, 65535]
    Dec 21 22:36:59 sdc.tatung.com named[997]: using default UDP/IPv6 port range: [1024, 65535]
    Dec 21 22:36:59 sdc.tatung.com named[997]: listening on IPv4 interface lo, 127.0.0.1#53
    Dec 21 22:36:59 sdc.tatung.com named[997]: listening on IPv4 interface eno16777728, 172.17.0.51#53
    Dec 21 22:36:59 sdc.tatung.com named[997]: listening on IPv6 interface lo, ::1#53
    Dec 21 22:36:59 sdc.tatung.com named[997]: generating session key for dynamic DNS
    Dec 21 22:36:59 sdc.tatung.com named[997]: sizing zone task pool based on 6 zones
    Dec 21 22:36:59 sdc.tatung.com named[997]: Loading ‘AD DNS Zone’ using driver dlopen
    Dec 21 22:36:59 sdc.tatung.com named[997]: dlz_dlopen: incorrect version 1 should be 2 in ‘/usr/local/samba/lib/bind9/dlz_bind9.so’
    Dec 21 22:36:59 sdc.tatung.com named[997]: dlz_dlopen of ‘AD DNS Zone’ failed
    Dec 21 22:36:59 sdc.tatung.com kernel: named[998]: segfault at a8 ip 00007f839d754939 sp 00007f8399591310 error 4 in named[7f839d6e6000+86000]
    Dec 21 22:37:00 sdc.tatung.com systemd[1]: named.service: control process exited, code=exited status=1
    Dec 21 22:37:00 sdc.tatung.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

    But I already installed bind.
    rpm -qa | grep bind
    bind-9.9.4-29.el7_2.1.x86_64
    bind-libs-9.9.4-29.el7_2.1.x86_64
    bind-libs-lite-9.9.4-29.el7_2.1.x86_64
    bind-license-9.9.4-29.el7_2.1.noarch
    bind-sdb-9.9.4-29.el7_2.1.x86_64

    Can you help me to fix this problem ?

    • Hi,

      Your problem is here

      Dec 21 22:36:59 sdc.tatung.com named[997]: Loading ‘AD DNS Zone’ using driver dlopen
      Dec 21 22:36:59 sdc.tatung.com named[997]: dlz_dlopen: incorrect version 1 should be 2 in ‘/usr/local/samba/lib/bind9/dlz_bind9.so’
      

      Please open the file /usr/local/samba/private/named.conf and ensure the dlz BIND module is the same as your BIND version

  • Hi Iman ,
    i have this problem with “kinit administrator”… kinit: Cannot contact any KDC for realm ‘AUDIFARMA.LOCAL’ while getting initial credentials
    Help me please!!

      • [libdefaults]
        default_realm = AUDIFARMA.LOCAL
        dns_lookup_realm = true
        dns_lookup_kdc = true
        # forwardable = true

        [realms]
        AUDIFARMA.LOCAL = {
        kdc = pdc.audifarma.local
        admin_server = pdc.audifarma.local
        }

        [domain_realm]
        .audifarma.local = AUDIFARMA.LOCAL
        audifarma.local = AUDIFARMA.LOCAL

  • Every time I install Samba with BIND9_DLZ I get the following error…….
    # systemctl -l status named
    ● named.service – Berkeley Internet Name Domain (DNS)
    Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Sat 2016-03-05 11:44:49 IST; 19min ago
    Process: 5982 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=1/FAILURE)
    Process: 5979 ExecStartPre=/bin/bash -c if [ ! “$DISABLE_ZONE_CHECKING” == “yes” ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo “Checking of zone files is disabled”; fi (code=exited, status=0/SUCCESS)
    Main PID: 2211 (code=exited, status=0/SUCCESS)

    Mar 05 11:44:49 test.example.com named[5985]: listening on IPv4 interface enp0s3, 192.168.1.10#53
    Mar 05 11:44:49 test.example.com named[5985]: generating session key for dynamic DNS
    Mar 05 11:44:49 test.example.com named[5985]: sizing zone task pool based on 6 zones
    Mar 05 11:44:49 test.example.com named[5985]: Loading ‘AD DNS ZONE’ using driver dlopen
    Mar 05 11:44:49 test.example.com named[5985]: dlz_dlopen failed to open library ‘/usr/local/samba/lib/bind9/dlz_bind9_9.so’ – /usr/local/samba/lib/bind9/dlz_bind9_9.so: failed to map segment from shared object: Permission denied
    Mar 05 11:44:49 test.example.com named[5985]: dlz_dlopen of ‘AD DNS ZONE’ failed
    Mar 05 11:44:49 test.example.com systemd[1]: named.service: control process exited, code=exited status=1
    Mar 05 11:44:49 test.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
    Mar 05 11:44:49 test.example.com systemd[1]: Unit named.service entered failed state.
    Mar 05 11:44:49 test.example.com systemd[1]: named.service failed.

    #ll /usr/local/samba/lib/bind9/dlz_bind9_9.so
    -rwxr-xr-x. 1 root named 50920 Mar 5 09:36 /usr/local/samba/lib/bind9/dlz_bind9_9.so

    • Hi,

      Please perform the following command and restart BIND

      /usr/local/samba/sbin/samba_upgradedns --dns-backend=BIND9_DLZ
      systemctl restart named
      
      • #/usr/local/samba/sbin/samba_upgradedns --dns-backend=BIND9_DLZ

        Reading domain information
        DNS accounts already exist
        No zone file /usr/local/samba/private/dns/EXAMPLE.COM.zone
        DNS records will be automatically created
        DNS partitions already exist
        dns-test account already exists
        See /usr/local/samba/private/named.conf for an example configuration include file for BIND
        and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
        Finished upgrading DNS

        After that got the same error……..

          • It’s working fine in CentOS 6 with BIND 9.8. But in CentOS 7 with BIND 9.9 it is always the same problem.

            SELinux and the firewall are off in CentOS 7 but the same problem still comes up.

  • Hi! I have a problem! I need to join a Linux machine to the Samba4 domain. I used this tutorial to create the Samba AD. At the moment the client has some problem with DNS; the error is “Host kclient.samdom.er.com not found: 3(NXDOMAIN)”. The hosts file is properly configured. From the server I can ping the client and vice versa. Windows works well in the domain; I also have a problem with the Linux join.

    • Hi Gennaro,

      For Linux clients joining the domain, I have not yet tried other Linux distributions. I usually use openSUSE/SLES to join the domain using YaST (Wizard/GUI) 😀

      • Ok, thanks. I have another question. I need to manage some users from the Kerberos database with “kadmin” and generate some keytabs for clients. With Samba4 I add users with “samba-tool” and Kerberos works fine, but how can I generate keytabs and use the kadmin interface?? On another server I have configured Kerberos by generating a database and adding user principals, and the kadmin interface worked fine. In your tutorial, what is the Kerberos database? What are the Kerberos principals?

    • Hi Edgar,

      Please check whether your DNS server is working or not. You can check from the BIND service status, the nslookup or dig command, and the firewall configuration

  • Hello Mas Iman,
    SUPER greetings…
    nice sharing..

    I’m trying out Samba as a PDC at the office, but I hit trouble in the BIND configuration part

    [root@sambalab samba]# systemctl restart named
    Job for named.service failed because the control process exited with error code. See “systemctl status named.service” and “journalctl -xe” for details.

    [root@sambalab samba]# systemctl status named
    ● named.service – Berkeley Internet Name Domain (DNS)
    Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Fri 2016-05-27 15:04:26 WIB; 12s ago
    Process: 7045 ExecStartPre=/bin/bash -c if [ ! “$DISABLE_ZONE_CHECKING” == “yes” ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo “Checking of zone files is disabled”; fi (code=exited, status=1/FAILURE)

    May 27 15:04:25 sambalab.ito.co.id systemd[1]: Starting Berkeley Internet Name Domain (DNS)…
    May 27 15:04:26 sambalab.ito.co.id bash[7045]: /etc/named.conf:57: open: usr/local/samba/private/n…und
    May 27 15:04:26 sambalab.ito.co.id systemd[1]: named.service: control process exited, code=exited …s=1
    May 27 15:04:26 sambalab.ito.co.id systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
    May 27 15:04:26 sambalab.ito.co.id systemd[1]: Unit named.service entered failed state.
    May 27 15:04:26 sambalab.ito.co.id systemd[1]: named.service failed.

    [root@sambalab samba]# journalctl -xe
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: Started Generate rndc key for BIND (DNS).
    — Subject: Unit named-setup-rndc.service has finished start-up
    — Defined-By: systemd
    — Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit named-setup-rndc.service has finished starting up.

    — The start-up result is done.
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: Starting Berkeley Internet Name Domain (DNS)…
    — Subject: Unit named.service has begun start-up
    — Defined-By: systemd
    — Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit named.service has begun starting up.
    May 27 15:04:46 sambalab.ito.co.id bash[7136]: /etc/named.conf:57: open: usr/local/samba/private/named.c
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: named.service: control process exited, code=exited status
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
    — Subject: Unit named.service has failed
    — Defined-By: systemd
    — Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit named.service has failed.

    — The result is failed.
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: Unit named.service entered failed state.
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: named.service failed.
    May 27 15:04:46 sambalab.ito.co.id polkitd[670]: Unregistered Authentication Agent for unix-process:7129
    lines 3092-3118/3118 (END)
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: Started Generate rndc key for BIND (DNS).
    — Subject: Unit named-setup-rndc.service has finished start-up
    — Defined-By: systemd
    — Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit named-setup-rndc.service has finished starting up.

    — The start-up result is done.
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: Starting Berkeley Internet Name Domain (DNS)…
    — Subject: Unit named.service has begun start-up
    — Defined-By: systemd
    — Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit named.service has begun starting up.
    May 27 15:04:46 sambalab.ito.co.id bash[7136]: /etc/named.conf:57: open: usr/local/samba/private/named.conf: file not found
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: named.service: control process exited, code=exited status=1
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
    — Subject: Unit named.service has failed
    — Defined-By: systemd
    — Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit named.service has failed.

    — The result is failed.
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: Unit named.service entered failed state.
    May 27 15:04:46 sambalab.ito.co.id systemd[1]: named.service failed.
    May 27 15:04:46 sambalab.ito.co.id polkitd[670]: Unregistered Authentication Agent for unix-process:7129:734534 (system bus name :1.99, object path /org/freedesktop/Pol

    Where did I go wrong here, mas??

    Thanks for the info.

    Warm regards,

  • [root@sambalab samba]# vi /etc/named.conf
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory “/var/named”;
    dump-file “/var/named/data/cache_dump.db”;
    statistics-file “/var/named/data/named_stats.txt”;
    memstatistics-file “/var/named/data/named_mem_stats.txt”;
    allow-query { localhost; any; };

    /*
    – If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    – If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
    – If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface

    [root@sambalab samba]# vi /usr/local/samba/private/named.conf
    # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
    #
    # This file should be included in your main BIND configuration file
    #
    # For example with
    # include “/usr/local/samba/private/named.conf”;

    #
    # This configures dynamically loadable zones (DLZ) from AD schema
    # Uncomment only single database line, depending on your BIND version
    #
    dlz “AD DNS Zone” {
    # For BIND 9.8.0
    database “dlopen /usr/local/samba/lib/bind9/dlz_bind9.so”;

    # For BIND 9.9.0
    database “dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so”;
    };

    • Hi mas,

      Have you followed this part of the guide?

      Add line below on the bottom
      
      include "/usr/local/samba/private/named.conf";
      

      And adjusted this entry to match the bind9 version you use?

      dlz "AD DNS Zone" {
          # For BIND 9.8.0
          # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
      
          # For BIND 9.9.0
           database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
      };
      
  • Hi mas Iman,

    Restarting named.service works now, mas.. I have also followed the guidance.. but at the following instruction..
    [root@samba ~]# host -t SRV _ldap._tcp.ito.co.id.
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached
    [root@samba ~]# host -t SRV _kerberos._udp.ito.co.id.
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached
    [root@samba ~]# host -t A ito.co.id
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached

    What’s wrong, mas? Need help please..
    Thanks, bro.

    • Hi mas,

      Make sure the DNS service is running. Try checking with the nslookup command if the host command does not work

      nslookup ito.co.id
      

      Make sure the first nameserver IP points to localhost/the server’s own IP

  • Dear Mas Iman..

    I have pointed the nameserver IP to the server IP.. the domain ito.co.id still cannot be resolved, mas. nslookup ito.co.id returns nothing.
    Here is the configuration..

    [root@sambalab etc]# vi /etc/hosts
    127.0.0.1 sambalab sambalab.ito.co.id
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    172.0.10.20 sambalab sambalab.ito.co.id

    [root@sambalab etc]# vi /etc/resolve.conf
    # Generated by NetworkManager
    nameserver localhost
    nameserver 172.10.0.20

    [root@sambalab etc]# vi /etc/named.conf
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
    listen-on port 53 { 127.0.0.1; 172.0.10.20; any; };
    listen-on-v6 port 53 { ::1; };
    directory “/var/named”;
    dump-file “/var/named/data/cache_dump.db”;
    statistics-file “/var/named/data/named_stats.txt”;
    memstatistics-file “/var/named/data/named_mem_stats.txt”;
    allow-query { localhost; any; };

    /*
    – If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    – If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
    – If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file “/etc/named.iscdlv.key”;

    managed-keys-directory “/var/named/dynamic”;

    pid-file “/run/named/named.pid”;
    session-keyfile “/run/named/session.key”;
    };

    [root@sambalab etc]# vi /etc/krb5.conf
    [libdefaults]
    default_realm = ITO.CO.ID
    dns_lookup_realm = true
    dns_lookup_kdc = true

    [root@sambalab etc]# systemctl status samba.service
    ● samba.service – LSB: Bring up/down samba
    Loaded: loaded (/etc/rc.d/init.d/samba)
    Active: active (running) since Mon 2016-05-30 10:26:37 WIB; 26min ago
    Docs: man:systemd-sysv-generator(8)
    Process: 8577 ExecStop=/etc/rc.d/init.d/samba stop (code=killed, signal=TERM)
    Process: 8582 ExecStart=/etc/rc.d/init.d/samba start (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/samba.service
    ├─8590 /usr/local/samba/sbin/samba
    ├─8612 /usr/local/samba/sbin/samba
    ├─8613 /usr/local/samba/sbin/samba
    ├─8614 /usr/local/samba/sbin/samba
    ├─8615 /usr/local/samba/sbin/samba
    ├─8616 /usr/local/samba/sbin/samba
    ├─8618 /usr/local/samba/sbin/samba
    ├─8619 /usr/local/samba/sbin/samba
    ├─8621 /usr/local/samba/sbin/smbd –option=server role check:inhibit=yes –foreground
    ├─8622 /usr/local/samba/sbin/samba
    ├─8623 /usr/local/samba/sbin/samba
    ├─8624 /usr/local/samba/sbin/samba
    ├─8626 /usr/local/samba/sbin/samba
    ├─8628 /usr/local/samba/sbin/samba
    └─8655 /usr/local/samba/sbin/smbd –option=server role check:inhibit=yes –foreground

    May 30 10:26:36 sambalab smbd[8621]: [2016/05/30 10:26:36.574263, 0] ../source3/smbd/server.c:1266(main)
    May 30 10:26:36 sambalab smbd[8621]: standard input is not a socket, assuming -D option
    May 30 10:26:37 sambalab samba[8582]: Starting samba: [ OK ]
    May 30 10:26:37 sambalab systemd[1]: Started LSB: Bring up/down samba.
    May 30 10:26:56 sambalab samba[8628]: [2016/05/30 10:26:56.581991, 0] ../source4/dsdb/dns/dns_upd…one)
    May 30 10:26:56 sambalab samba[8628]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - …EOUT
    May 30 10:36:56 sambalab samba[8628]: [2016/05/30 10:36:56.623967, 0] ../source4/dsdb/dns/dns_upd…one)
    May 30 10:36:56 sambalab samba[8628]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - …EOUT
    May 30 10:46:56 sambalab samba[8628]: [2016/05/30 10:46:56.663867, 0] ../source4/dsdb/dns/dns_upd…one)
    May 30 10:46:56 sambalab samba[8628]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - …EOUT
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@sambalab etc]# systemctl status named.service
    ● named.service - Berkeley Internet Name Domain (DNS)
    Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
    Active: active (running) since Mon 2016-05-30 10:47:41 WIB; 5min ago
    Process: 10152 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
    Process: 7792 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
    Process: 10167 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
    Process: 10164 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
    Main PID: 10170 (named)
    CGroup: /system.slice/named.service
    └─10170 /usr/sbin/named -u named

    May 30 10:47:41 sambalab named[10170]: command channel listening on ::1#953
    May 30 10:47:41 sambalab named[10170]: managed-keys-zone: loaded serial 12
    May 30 10:47:41 sambalab named[10170]: zone 0.in-addr.arpa/IN: loaded serial 0
    May 30 10:47:41 sambalab named[10170]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
    May 30 10:47:41 sambalab named[10170]: zone localhost.localdomain/IN: loaded serial 0
    May 30 10:47:41 sambalab named[10170]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0….al 0
    May 30 10:47:41 sambalab named[10170]: zone localhost/IN: loaded serial 0
    May 30 10:47:41 sambalab named[10170]: all zones loaded
    May 30 10:47:41 sambalab systemd[1]: Started Berkeley Internet Name Domain (DNS).
    May 30 10:47:41 sambalab named[10170]: running
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@sambalab etc]# kinit administrator
    kinit: Cannot find KDC for realm "ITO.CO.ID" while getting initial credentials

    Thanks for the info.

  • Hi Mas Iman,

    The problem above is solved now.. there was a mistake in the named.conf configuration.
    But for testing..
    [root@sambalab ~]# host -t A dc.ito.co.id.
    Host dc.ito.co.id. not found: 3(NXDOMAIN)

    Which config needs to be edited, mas?

    thx,

  • Hi,
    Iman,
    Nice guide, thanks for this. Can you please help me with this error? Thanks.
    [root@samba4 ~]# journalctl -xe

    — Unit named-setup-rndc.service has finished starting up.

    — The start-up result is done.
    Jun 21 13:23:02 samba4 systemd[1]: Starting Berkeley Internet Name Domain (DNS)…
    — Subject: Unit named.service has begun start-up
    — Defined-By: systemd
    — Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit named.service has begun starting up.
    Jun 21 13:23:02 samba4 bash[2015]: /usr/local/samba/private/named.conf:12: unknown option 'dlz'
    Jun 21 13:23:02 samba4 systemd[1]: named.service: control process exited, code=exited status=1
    Jun 21 13:23:02 samba4 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
    — Subject: Unit named.service has failed
    — Defined-By: systemd
    — Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit named.service has failed.

    — The result is failed.
    Jun 21 13:23:02 samba4 systemd[1]: Unit named.service entered failed state.
    Jun 21 13:23:02 samba4 systemd[1]: named.service failed.
    Jun 21 13:23:02 samba4 polkitd[599]: Unregistered Authentication Agent for unix-process:2009:33509 (system bus name :
    lines 2390-2412/2412 (END)

    Thanks for you support.
    Disla

  • Hi, first off, very nice guide.

    I got everything to work, but I have one problem: the DNS (bind) won't resolve names to IP addresses. I can ping Google's IP address but not http://www.google.com.

    Any suggestions to where the configuration is messed up ?

  • Mas Iman, after I added include "/usr/local/samba/private/named.conf"; to the /etc/named.conf configuration, and I checked that this named.conf already exists, using bind 9.8, when I restart named an error appears saying that named.conf file is not found. What might the problem be, mas? Because when I installed on SLES 12 that configuration had no problem.
    # ls -lh /usr/local/samba/private/ |grep named.conf
    -rw-r--r-- 1 root root 647 Oct 13 15:24 named.conf

  • Mas, good to see you again..!
    I have a problem similar to Mas Haryanto's, but the error code is different, roughly like this:
    1. [root@RP-SV002 ~]# systemctl status named.service
    ● named.service - Berkeley Internet Name Domain (DNS)
    Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Fri 2016-11-11 19:28:48 WIB; 40min ago
    Process: 5683 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=1/FAILURE)
    Process: 5672 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

    Nov 11 19:28:47 RP-SV002 named[5685]: listening on IPv6 interface lo, ::1#53
    Nov 11 19:28:47 RP-SV002 named[5685]: generating session key for dynamic DNS
    Nov 11 19:28:47 RP-SV002 named[5685]: sizing zone task pool based on 6 zones
    Nov 11 19:28:47 RP-SV002 named[5685]: Loading 'AD DNS Zone' using driver dlopen
    Nov 11 19:28:47 RP-SV002 named[5685]: dlz_dlopen failed to open library ‘/u…ed
    Nov 11 19:28:47 RP-SV002 named[5685]: dlz_dlopen of ‘AD DNS Zone’ failed
    Nov 11 19:28:48 RP-SV002 systemd[1]: named.service: control process exited,…=1
    Nov 11 19:28:48 RP-SV002 systemd[1]: Failed to start Berkeley Internet Name…).
    Nov 11 19:28:48 RP-SV002 systemd[1]: Unit named.service entered failed state.
    Nov 11 19:28:48 RP-SV002 systemd[1]: named.service failed.
    Hint: Some lines were ellipsized, use -l to show in full.
    Could you please help find a solution...?

    thanks
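Several of the comments above hit the same chain of symptoms: named rejects or cannot load the dlz stanza from /usr/local/samba/private/named.conf, the AD zone is therefore never served (host returns NXDOMAIN), and kinit cannot find a KDC because krb5.conf relies on dns_lookup_kdc. The script below is an added check, not part of the tutorial or written by any commenter. It assumes the tutorial's /usr/local/samba prefix and the per-BIND-series module names Samba installs under lib/bind9/ (dlz_bind9.so for 9.8, dlz_bind9_9.so for 9.9, dlz_bind9_10.so for 9.10); the sample stanza it validates offline is constructed here, and the realm ITO.CO.ID from the first comment is only an example argument.

```shell
#!/bin/bash
# Added example, not from the tutorial or the comments: validate the Samba BIND9_DLZ
# stanza before restarting named. Assumed (from the tutorial, not verified here):
# Samba under /usr/local/samba, DLZ modules in /usr/local/samba/lib/bind9/.
# Override the prefix with SAMBA_PREFIX=... in the environment.
set -e

SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"

# Samba builds one DLZ module per BIND minor series: 9.8 -> dlz_bind9.so,
# 9.9 -> dlz_bind9_9.so, 9.10 -> dlz_bind9_10.so, and so on. Pointing named at a
# module that is missing or built for another series is one cause of
# "dlz_dlopen failed to open library".
dlz_module_for_bind() {
  local ver="$1" major minor
  case "$ver" in *.*) ;; *) echo "bad version string '$ver'" >&2; return 1 ;; esac
  major="${ver%%.*}"
  minor="${ver#*.}"; minor="${minor%%.*}"; minor="${minor%%-*}"
  case "$major.$minor" in
    9.8)          echo "dlz_bind9.so" ;;
    9.9|9.1[0-9]) echo "dlz_bind9_${minor}.so" ;;
    *) echo "no Samba DLZ module for BIND $ver" >&2; return 1 ;;
  esac
}

# Version of the named binary on this host ("9.9.4" out of "BIND 9.9.4-RedHat-...").
installed_bind_version() {
  named -v | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p'
}

# Module named by the uncommented "database" line in the dlz stanza of CONF ($1).
active_dlz_module() {
  local path
  path=$(sed -e 's/#.*$//' "$1" \
       | sed -n 's/.*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' \
       | head -n 1)
  [ -n "$path" ] || return 1
  basename "$path"
}

# 0 if CONF ($1) selects the module for BIND version VER ($2), 1 with a reason otherwise.
check_dlz_config() {
  local conf="$1" ver="$2" want have n
  want=$(dlz_module_for_bind "$ver") || return 1
  n=$(sed -e 's/#.*$//' "$conf" | grep -c 'database[[:space:]]*"dlopen' || true)
  if [ "$n" -eq 0 ]; then
    echo "$conf: every database line is commented out" >&2; return 1
  elif [ "$n" -gt 1 ]; then
    echo "$conf: $n uncommented database lines, named accepts exactly one" >&2; return 1
  fi
  have=$(active_dlz_module "$conf")
  if [ "$have" = "$want" ]; then
    echo "ok: $conf selects $have for BIND $ver"
  else
    echo "mismatch: $conf selects $have but BIND $ver needs $want" >&2; return 1
  fi
}

# On the DC itself: module file present, whole config parses (the include must be a
# top-level statement, outside options { }), and the SRV records that krb5.conf's
# dns_lookup_kdc = true depends on are answered from the DLZ zone. NXDOMAIN for
# _kerberos._udp.<realm> is exactly what makes kinit report "Cannot find KDC".
live_checks() {
  local realm="$1" ver mod
  ver=$(installed_bind_version)
  check_dlz_config "$SAMBA_PREFIX/private/named.conf" "$ver"
  mod=$(dlz_module_for_bind "$ver")
  [ -r "$SAMBA_PREFIX/lib/bind9/$mod" ] || { echo "missing $SAMBA_PREFIX/lib/bind9/$mod" >&2; return 1; }
  # Samba's own dynamic updates (the "Failed DNS update" log lines) need GSS-TSIG enabled:
  grep -q 'tkey-gssapi-keytab' /etc/named.conf \
    || echo "warning: no tkey-gssapi-keytab in /etc/named.conf options; samba_dnsupdate will keep failing" >&2
  named-checkconf -z /etc/named.conf
  host -t SRV "_kerberos._udp.$realm" 127.0.0.1
  host -t SRV "_ldap._tcp.$realm" 127.0.0.1
}

# Constructed sample of the stanza Samba writes to private/named.conf, already edited
# for BIND 9.9.x as the tutorial describes. Used only for the offline demonstration.
SAMPLE_CONF="${TMPDIR:-/tmp}/samba-dlz-named.conf.sample"
cat > "$SAMPLE_CONF" <<EOF
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen ${SAMBA_PREFIX}/lib/bind9/dlz_bind9.so";
    # For BIND 9.9.0
    database "dlopen ${SAMBA_PREFIX}/lib/bind9/dlz_bind9_9.so";
    # For BIND 9.10.0
    # database "dlopen ${SAMBA_PREFIX}/lib/bind9/dlz_bind9_10.so";
};
EOF

check_dlz_config "$SAMPLE_CONF" 9.9.4            # ok: selects dlz_bind9_9.so
check_dlz_config "$SAMPLE_CONF" 9.8.0 || true    # mismatch: 9.8 would need dlz_bind9.so

# On a DC: ./dlz-check.sh ITO.CO.ID   (the realm from krb5.conf, lowercased for DNS)
if [ -n "${1:-}" ]; then live_checks "$(echo "$1" | tr 'A-Z' 'a-z')"; fi
```

Run it with no argument anywhere to see the offline checks; on the DC, pass the realm and run it as root so that named, named-checkconf and host are on the PATH. A clean run ends with SRV answers for _kerberos._udp and _ldap._tcp pointing at the DC; if those queries return NXDOMAIN while check_dlz_config reports ok, look at whether named actually restarted after the include was added rather than at the stanza itself.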
