Samba 4 AD SmartCard Login: Your credentials could not be verified (active-directory)

I have built an AD with Samba 4.17.4 under Debian 11. So far everything works. I wanted to test smartcard login and encountered the following problem when logging in on a Windows client:
‘Your credentials could not be verified’
Eventlog ID 4625
status 0xC000006D
substatus 0x0
FailReason %%2304
The PKI infrastructure consists of root ca and inter ca. My Kerberos Config on the DC:
/etc/krb5.conf
[libdefaults]
default_realm = SUB.TEST.DE
dns_lookup_realm = false
dns_lookup_kdc = true
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool= FILE:/var/lib/samba/private/tls/interca.pem
[appdefaults]
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool = FILE:/var/lib/samba/private/tls/interca.pem
[realms]
SUB.TEST.DE = {
default_domain = sub.test.de
pkinit_require_eku = true
}
[domain_realm]
dc0 = SUB.TEST.DE
[kdc]
enable-pkinit = yes
pkinit_identity = FILE:/var/lib/samba/private/tls/dc-cert.pem,/var/lib/samba/private/tls/secure/dc-privkey.pem
pkinit_anchors = FILE:/var/lib/samba/private/tls/cacert.pem
pkinit_pool = FILE:/var/lib/samba/private/tls/interca.pem
pkinit_revoke = FILE:/var/lib/samba/private/tls/sub.crl,/var/lib/samba/private/tls/rootca.crl
pkinit_principal_in_certificate = yes
pkinit_win2k = no
pkinit_win2k_require_binding = yes
My smb.conf (/etc/samba/smb.conf):
# Global parameters
[global]
dns forwarder = 10.0.0.10
netbios name = DC
realm = SUB.TEST.DE
server role = active directory domain controller
dns forwarder = 10.0.0.1
workgroup = SUB
idmap_ldb:use rfc2307 = yes
log level = 1 auth_audit:3 auth_json_audit:3
tls enabled = yes
tls certfile = /var/lib/samba/private/tls/dc-cert.pem
tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
tls cafile = /var/lib/samba/private/tls/cacert.pem
tls crlfile = /var/lib/samba/private/tls/sub.crl
tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/sub.test.de/scripts
read only = No
A GPO with the Root CA (Trusted Root Certificates) and Inter CA (Intermediate Certificates) under Computer Configuration > Windows Settings > Security Settings > Public Key Policies is set. Works perfectly.
Root and Inter CA certificates are imported with certutil, works without problems. Time between DC and client is synchronized.
The certificates were created like this
openssl req -new -addext 'subjectAltName = otherName:msUPN;UTF8:m.mustermann@sub.contoso.de,email:copy' -newkey rsa:2048 -keyout private/mmustermann-key.pem -out mmustermann-req.pem -config openssl.cnf
openssl ca -config openssl.cnf -extensions usr_cert_scarduser -in mmustermann-req.pem -out mmustermann-cert.pem
cat mmustermann-cert.pem chain.pem > mmustermann-chain.pem
openssl pkcs12 -in mmustermann-chain.pem -inkey private/mmustermann-key.pem -export -out mmustermann.p12
The p12 is imported to a YubiKey and protected with a PIN.
The auth log says the following:
[2023/02/09 13:46:29.247497, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [Kerberos KDC,PK-INIT(ietf) Pre-authentication] user [(null)]\[m.mustermann\\@sub.test.de@SUB.TEST.DE] at [Thu, 09 Feb 2023 13:46:29.247487 CET] with [(null)] status [NT_STATUS_PKINIT_FAILURE] workstation [(null)] remote host [ipv4:10.0.0.100:61127] mapped to [SUB]\[m.mustermann]. local host [NULL]
{"timestamp": "2023-02-09T13:46:29.247547+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "51cf6b969999c23e", "logonType": 3, "status": "NT_STATUS_PKINIT_FAILURE", "localAddress": null, "remoteAddress": "ipv4:10.0.0.100:61127", "serviceDescription": "Kerberos KDC", "authDescription": "PK-INIT(ietf) Pre-authentication", "clientDomain": null, "clientAccount": "m.mustermann\\@sub.test.de@SUB.TEST.DE", "workstation": null, "becameAccount": "m.mustermann", "becameDomain": "SUB", "becameSid": "S-1-5-21-3437283345-98153231-3800821964-1119", "mappedAccount": "m.mustermann", "mappedDomain": "SUB", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 4175}}
Does anyone have any idea what else I could check? I need a direction.
Regards
I tried different forms of user certificates: with chain, without, CRLs included. At certificate creation I tried different UPN types, like "SUB\m.mustermann", "m.mustermann@sub.test.de" or "m.mustermann".
I rebuilt the whole structure based on this:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Set_up_the_CRL_Distribution_Point
The only difference is that there only a root CA was in use. I tried this on another system, and it works. But with an intermediate CA I have the problem explained above. There must be a trick somewhere. I can't see it.

Related

How to specify SAML encryption certificate in ruby-saml?

The ruby-saml gem supports adding certificate and private-key info to Service Provider's metadata, but as far as I can tell, that configures only signing certificate, but not encryption one. Here's what I do:
settings.certificate = "---- BEGIN CERTIFICATE----..."
settings.private_key = "-----BEGIN PRIVATE KEY----..."
which results in the following XML section added to Service Provider's metadata:
<md:KeyDescriptor use='signing'>
<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:X509Data>
<ds:X509Certificate>
CERTIFICATE IS HERE GSDk3tShjl4yhShj4Hr....
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
But how do I configure ruby-saml to add a similar section for use='encryption' in addition to use='signing'?
If I understood correctly, you are not able to send the SAMLResponse in encrypted form. If that is the case, when you are building the SAML response, send one more parameter
saml_response = encode_response(:encryption => encryption_opts)
# Encryption options for the SP: its certificate, the block cipher and the key-transport algorithm
def encryption_opts
  {
    cert: saml_request.service_provider.cert,
    block_encryption: 'aes256-cbc',
    key_transport: 'rsa-oaep-mgf1p'
  }
end

Gatling not logging to influxdb?

I've tried following the guide at http://gatling.io/docs/2.2.3/realtime_monitoring/index.html to log my test results to influxdb and display the data in a grafana that I have previously set up. However I can't see any of the data that gatling is supposed to log anywhere in influxdb.
I've edited my influxdb.conf file so that it contains the following fields:
[[graphite]]
enabled = true
database = "gatlingdb"
bind-address = ":2003"
protocol = "tcp"
consistency-level = "one"
name-separator = "."
templates = [
"gatling.*.*.*.count measurement.simulation.request.status.field",
"gatling.*.*.*.min measurement.simulation.request.status.field",
"gatling.*.*.*.max measurement.simulation.request.status.field",
"gatling.*.*.*.percentiles50 measurement.simulation.request.status.field",
"gatling.*.*.*.percentiles75 measurement.simulation.request.status.field",
"gatling.*.*.*.percentiles95 measurement.simulation.request.status.field",
"gatling.*.*.*.percentiles99 measurement.simulation.request.status.field"
]
and my gatling.conf file contains the following fields:
data {
writers = [console, file, graphite] # The list of DataWriters to which Gatling write simulation data (currently supported : console, file, graphite, jdbc)
console {
#light = false # When set to true, displays a light version without detailed request stats
}
graphite {
#light = false # only send the all* stats
host = "127.0.0.1" # The host where the Carbon server is located
port = 2003 # The port to which the Carbon server listens to (2003 is default for plaintext, 2004 is default for pickle)
protocol = "tcp" # The protocol used to send data to Carbon (currently supported : "tcp", "udp")
rootPathPrefix = "gatling" # The common prefix of all metrics sent to Graphite
#bufferSize = 8192 # GraphiteDataWriter's internal data buffer size, in bytes
#writeInterval = 1 # GraphiteDataWriter's write interval, in seconds
}
Whenever I run my gatling tests I see no error messages or anything that indicates that anything is wrong, but I cannot see anything in the influxd logs that indicates that anything has been logged to influxdb, nor can I see any data in the gatlingdb database. I am using influxdb v0.10 and gatling v2.2.3 on Ubuntu.
Can anyone help me figure out what I am doing wrong?
Updated to influxdb v1.1 and the problem seemed to have resolved itself after doing that.

How to perform EJB DB RBAC with WildFly?

I'm trying to create a rich client that performs EJB RMI to interact with a server/DB. Previously, I had communications working with the remoting system to authenticate a user. Then I tacked on HTTPS communications using a keystore and clustering to the environment. Everything worked at that point.
The file-based authentication was an interim step in moving towards database authentication & authorization. I may still have configurations from that lingering and affecting this new step, I'm not certain.
Below is the failure message when trying to authenticate via the client:
Jan 19, 2017 12:51:52 PM org.jboss.ejb.client.EJBClient <clinit>
INFO: JBoss EJB Client version 2.1.4.Final
Jan 19, 2017 12:51:52 PM org.xnio.Xnio <clinit>
INFO: XNIO version 3.4.0.Final
Jan 19, 2017 12:51:52 PM org.xnio.nio.NioXnio <clinit>
INFO: XNIO NIO Implementation Version 3.4.0.Final
Jan 19, 2017 12:51:52 PM org.jboss.remoting3.EndpointImpl <clinit>
INFO: JBoss Remoting version 4.0.21.Final
Jan 19, 2017 12:51:53 PM org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector setupEJBReceivers
WARN: Could not register a EJB receiver for connection to 10.0.0.1:8443
javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: /home/appsrv/wildfly-10.1.0.Final/domain/tmp/auth/local4807198060994958453.challenge (No such file or directory)]
DIGEST-MD5: Server rejected authentication
at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:114)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:389)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:241)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:198)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:112)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.ssl.JsseStreamConduit.run(JsseStreamConduit.java:446)
at org.xnio.ssl.JsseStreamConduit.readReady(JsseStreamConduit.java:547)
at org.xnio.ssl.JsseStreamConduit$2.readReady(JsseStreamConduit.java:319)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:294)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:430)
at org.jboss.ejb.client.remoting.EndpointPool$PooledEndpoint.connect(EndpointPool.java:192)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:153)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:78)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:161)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:118)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:47)
at org.jboss.ejb.client.EJBClientContext.getCurrent(EJBClientContext.java:281)
at org.jboss.ejb.client.EJBClientContext.requireCurrent(EJBClientContext.java:291)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:178)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:146)
at com.sun.proxy.$Proxy6.getVer(Unknown Source)
at com.test.clientapp.TestClient.authenticate(TestClient.java:208)
at com.test.clientapp.BackgroundServiceEngine.run(BackgroundServiceEngine.java:136)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
In my WildFly domain configuration, I added the following authentication module to the "ha" profile (the one assigned to my host controllers) in -> Security -> MySecurityDomain via the GUI:
name: testds01
code: Database
flag: required
module options:
dsJndiName = java:/TestDS01
principalsQuery = SELECT password FROM users WHERE username=?
password-stacking = useFirstPass
hashAlgorithm = MD5
hashEncoding = BASE64
hashCharset = utf-8
I also added the following authorization module to the same area:
name: testds01
code: Delegating
flag: required
module options:
dsJndiName = java:/TestDS01
rolesQuery = SELECT role, 'Roles' FROM roles INNER JOIN users ON users.role_id = roles.role_id WHERE users.username =?
Honestly, I don't know what the flag "required" means. Nor the code "Delegating". I just found these in a book I read.
My WildFly setup includes: 1x Domain Controller, 2x Host Controllers w/1 server each, 2x SQL databases. All 5 of these are separate VMs. So, in addition to the testds01 modules added above, I have testds02 modules added pointing to "java:/TestDS02".
Let me know if additional information is needed. I'm not sure I covered everything.
Update: It's probably useful to have the client properties I'm using to setup & perform RMI:
// Set TLS Properties
System.setProperty("javax.net.ssl.keyStore", "test.keystore");
System.setProperty("javax.net.ssl.trustStore", "test.truststore");
System.setProperty("javax.net.ssl.keyStorePassword", "testpass1");
System.setProperty("javax.net.ssl.trustStorePassword", "testpass2");
// Set Application Server Properties
properties = new Properties();
properties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
properties.put("remote.connections", "hcl01,hcl02");
// Host Controller
properties.put("remote.connection.hcl01.port", "8443");
properties.put("remote.connection.hcl01.host", "10.0.0.1");
properties.put("remote.connection.hcl01.protocol", "https-remoting");
properties.put("remote.connection.hcl01.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
// the name after "remote.connection." must match an entry in remote.connections (hcl01), otherwise the option is silently ignored
properties.put("remote.connection.hcl01.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
properties.put("remote.connection.hcl01.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
properties.put("remote.connection.hcl01.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
properties.put("remote.connection.hcl02.port", "8443");
properties.put("remote.connection.hcl02.host", "10.0.0.2");
properties.put("remote.connection.hcl02.protocol", "https-remoting");
properties.put("remote.connection.hcl02.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
properties.put("remote.connection.hcl02.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
properties.put("remote.connection.hcl02.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
properties.put("remote.connection.hcl02.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
// Build SLSB Lookup String
String appName = "/"; //name of ear containing ejb
String moduleName = "testapp/"; //name of ejb jar w/o extension
String distinctName = "/"; //any distinct name set within jboss for this deployment
String beanName = Login.class.getSimpleName(); //name of the bean we're looking up
String viewClassName = LoginRemote.class.getName(); //name of the bean interface
System.out.println("beanName=" + beanName + " viewClassName=" + viewClassName);
lookupSLSB = "ejb:" + appName + moduleName + distinctName + beanName + "!" + viewClassName;
// Configure EJB Lookup
Properties props = new Properties();
props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
context = new InitialContext(props);
properties.put("remote.connection.hcl01.username", au.getUsername());
properties.put("remote.connection.hcl01.password", au.getPassword());
properties.put("remote.connection.hcl02.username", au.getUsername());
properties.put("remote.connection.hcl02.password", au.getPassword());
// JBoss Cluster Setup (using properties above)
EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(properties);
ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
EJBClientContext.setSelector(selector);
LoginRemote bean = (LoginRemote)context.lookup(lookupSLSB);
System.out.println("NIC [From bean]: Class=\"" + bean.getStr() + "\"");
I resolved this issue. After dumping traffic it appeared that the queries were being sent to the database. I enabled query logging on the database and found that they were being received, but there was a permission issue with the database user. After granting privileges to the tables being queried, the communication was successful.

JBoss Fuse JMX not working

I tried to connect to the JMX RMI URL in a JBoss Fuse container for monitoring the queues.
The URL does not connect in jconsole:
service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi/camel
I want to implement this in my bundle. How do I connect to the MBean server in JBoss Fuse?
Thanks in advance.
IMHO it's just the wrong URL.
You can see the current settings of your server in the org.apache.karaf.management.cfg.
For example:
#
# Port number for RMI registry connection
#
rmiRegistryPort = 1099
#
# Host for RMI registry
#
rmiRegistryHost = 0.0.0.0
#
# Port number for RMI server connection
#
rmiServerPort = 44444
#
# Host for RMI server
#
rmiServerHost = 0.0.0.0
#
# Name of the JAAS realm used for authentication
#
jmxRealm = karaf
#
# The service URL for the JMXConnectorServer
#
serviceUrl = service:jmx:rmi://${rmiServerHost}:${rmiServerPort}/jndi/rmi://${rmiRegistryHost}:${rmiRegistryPort}/karaf-${karaf.name}
#
# Whether any threads started for the JMXConnectorServer should be started as daemon threads
#
daemon = true
#
# Whether the JMXConnectorServer should be started in a separate thread
#
threaded = true
#
# The ObjectName used to register the JMXConnectorServer
#
objectName = connector:name=rmi
In my case URL looks like service:jmx:rmi://0.0.0.0:44444/jndi/rmi://0.0.0.0:1099/karaf-root
P.S. And don't forget to specify a user name and password.
Finally solved the issue with the Karaf username and password.
Check the username and password in the users.properties file.
service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root
It should work.
import java.util.HashMap;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

JMXServiceURL url = new JMXServiceURL(serviceURL);
HashMap<String, String[]> environment = new HashMap<String, String[]>();
String username = "admin"; // Karaf user from users.properties
String password = "admin";
String[] credentials = new String[] { username, password };
environment.put("jmx.remote.credentials", credentials);
JMXConnector connector = JMXConnectorFactory.connect(url, environment);
MBeanServerConnection mbeanServer = connector.getMBeanServerConnection();

Kerberos Join Active Directory Domain Failure (uBuntu)

I am trying to join an Active Directory domain with Samba 4 on Ubuntu 12.04.05.
When I run host -t SRV _kerberos._udp.test.sg I get the error:
Host _kerberos._udp.test.sg not found: 3(NXDOMAIN)
meanwhile
# host -t SRV _ldap._tcp.test.sg
_ldap._tcp.test.sg has SRV record 0 0 389 4ecapsvsg6.test.sg.
# host -t A 4ECAPSVSG6.test.sg
4ECAPSVSG6.test.sg has address 10.153.64.5
My /etc/samba/smb.conf:
# Global parameters
[global]
workgroup = TEST
realm = TEST.SG
netbios name = 4ECAPSVSG6
server role = active directory domain controller
dns forwarder = 10.153.64.5
security = ads
use kerberos keytab = true
password server = 4ecapsvsg6.test.sg
allow dns updates = nonsecure and secure
bind interfaces only = no
server services = +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc
passdb backend = samba4
server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
My /etc/krb5.conf:
[libdefaults]
default_realm = TEST.SG
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
4ECAP.SG = {
kdc = 4ecapsvsg6.test.sg:88
admin_server = 4ecapsvsg6.test.sg:749
default_domain = test.sg
}
[domain_realm]
.test.sg = TEST.SG
test.sg = TEST.SG
[login]
krb4_convert = true
krb4_get_tickets = false
My /etc/hosts:
127.0.0.1 localhost
127.0.1.1 4ecapsvsg6
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.153.64.5 4ecapsvsg6.test.sg 4ecapsvsg6
What is the solution? Without it I cannot join the domain with the command:
sudo net ads join
which gives an error like
Failed to join domain: failed to lookup DC info for domain 'TEST' over rpc: Logon failure
I did kinit administrator and klist, result:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SG
Valid starting Expires Service principal
26/03/2015 14:29:04 27/03/2015 00:29:04 krbtgt/TEST.SG@TEST.SG
renew until 27/03/2015 14:29:00
Meanwhile, I include my /etc/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.153.64.5
search test.sg
domain test.sg
After googling this past week, luckily I found this site: http://edoceo.com/howto/samba4
It turns out I need to edit my dnsmasq config (/etc/dnsmasq.conf)
and add these lines:
srv-host=_kerberos._tcp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._tcp.dc._msdcs.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._udp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kpasswd._tcp.test.sg,4ecapsvsg6.test.sg,464
srv-host=_kpasswd._udp.test.sg,4ecapsvsg6.test.sg,464
and disable Bind9 (which is installed along with Samba4 by default).
Now the problem's gone :)
Only one problem remains: how to connect to AD (which I'll open another thread for).
