Why does bind9 fail to start with Samba 4 AD DC?

I followed a guide to install Samba 4 as an Active Directory domain controller and got stuck when starting bind9.

Here are some important configuration files and logs.

tail /var/log/syslog

Mar  2 23:02:11 mail named[3552]: listening on IPv4 interface eth0, 31.31.79.102#53
Mar  2 23:02:11 mail named[3552]: generating session key for dynamic DNS
Mar  2 23:02:11 mail named[3552]: sizing zone task pool based on 5 zones
Mar  2 23:02:11 mail named[3552]: Loading 'AD DNS Zone' using driver dlopen
Mar  2 23:02:11 mail named[3552]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Mar  2 23:02:11 mail named[3552]: dlz_dlopen of 'AD DNS Zone' failed
Mar  2 23:02:11 mail named[3552]: SDLZ driver failed to load.
Mar  2 23:02:11 mail named[3552]: DLZ driver failed to load.
Mar  2 23:02:11 mail named[3552]: loading configuration: failure
Mar  2 23:02:11 mail named[3552]: exiting (due to fatal error)   

ls -l /var/lib/samba/private/dns/

total 144
-rwxrwxrwx 1 root memcache 143360 Mar  2 15:25 sam.ldb
drwxrwxrwx 2 root memcache   4096 Mar  2 15:25 sam.ldb.d

cat /etc/apparmor.d/usr.sbin.named

# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** rw,
  /var/cache/bind/ rw,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/openssl.cnf r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /proc/*/net/if_inet6 r,
  /usr/sbin/named mr,
  /{,var/}run/named/named.pid w,
  /{,var/}run/named/session.key w,
  # support for resolvconf
  /{,var/}run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>

  /var/lib/samba/private/** rkw,
  /var/lib/samba/private/dns/** rkw,
  /usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
  /usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
  /usr/lib/x86_64-linux-gnu/samba/ldb/** rm,
  /usr/lib/x86_64-linux-gnu/plugin/krb5/** rm,
}

/etc/init.d/apparmor reload

 * Reloading AppArmor profiles
 Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
 [ OK ]

service bind9 start

 * Starting domain name service... bind9
 [fail]

Answer 1

It's the permissions on the sam.ldb directory.

chown named:named /usr/local/samba/private/dns
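
An added example, not part of the answer above or of the Samba/BIND projects: a shell check for the DLZ database directory that reports the two things visible in the question's `ls -l` output, mode 777 and a group (`memcache`) that is not the one named runs under. The function name `audit_dlz_dir` is hypothetical, and the default group `bind` is an assumption (Debian/Ubuntu); pass your own directory and group.

```shell
#!/bin/sh
# Added example: audit the directory holding the Samba DLZ copy of sam.ldb
# before starting named. Assumption: named runs under group "bind"; pass a
# different group name as the second argument if your system differs.

# audit_dlz_dir DIR [GROUP]
# Prints one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if DIR or GROUP is unusable.
audit_dlz_dir() {
    dir=$1
    group=${2:-bind}

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    # find exits non-zero when the group name cannot be resolved.
    find "$dir" -prune -group "$group" >/dev/null 2>&1 ||
        { echo "UNKNOWN_GROUP $group"; return 2; }

    # World-writable entries let any local account rewrite AD DNS records.
    ww=$(find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /')

    # Entries owned by another group: named's group has no dedicated access.
    wg=$(find "$dir" ! -type l ! -group "$group" -print | sed 's/^/WRONG_GROUP /')

    # Entries the expected group cannot both read and write.
    na=$(find "$dir" ! -type l -group "$group" ! -perm -0060 -print |
        sed 's/^/GROUP_NO_RW /')

    out=$(printf '%s\n%s\n%s\n' "$ww" "$wg" "$na" | sed '/^$/d')
    if [ -n "$out" ]; then
        echo "$out"
        return 1
    fi
    return 0
}

# Run as: sh audit.sh /var/lib/samba/private/dns bind
if [ "$#" -gt 0 ]; then
    audit_dlz_dir "$@"
fi
```

A clean result means the directory is neither world-writable nor held by an unrelated group; it does not prove that the AppArmor profile or the DLZ module path is correct.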

Answer 2

The installation was incorrect. When I reinstalled, it started normally.
