[Samba] BIND9_DLZ and Reverse Lookups

Günter Kukkukk linux at kukkukk.com
Fri Feb 7 19:22:17 MST 2014 

Am 05.02.2014 02:18, schrieb David Kirk:
> Hi,
> 
> 
> Ok.  I'm stumped, so I'm finally going to ask for help.
> 
> I'm testing a brand new setup of Samba4 as an AD DC with Bind9 for DNS.
>  The problem I'm having is when I create a new A record using the Windows
> DNS tools.  I tick the box to create a corresponding PTR record, but it
> never does.
> 
> I've created the reverse zone.  I've tried using the Windows DNS tools to
> create it, and I've also tried samba-tool to create it.  Either way, it
> gets created, but no records go in there when I create my A records.
> 
> What I want to end up with is a system where servers have static IP
> addresses.  I manually add an A record for them and the PTR should be
> created automatically.  Clients should get their IP address from DHCP and
> an A record and PTR record should automatically get created.
> 
> I'm installing on Centos 6.5 with Samba Version 4.1.4-SerNet-RedHat-7.el6.
>  Bind is bind-9.8.2-0.17.rc1.el6.6.x86_64.
> 
> I've had 3 attempts to get this working.  The first one, I installed samba
> from git.  Bind was from Centos.  For attempt 2 I did the same, but found
> some instructions to install Bind from SRPM and update the spec file to use
> the gssapi and dlopen options.  Then I compiled and installed.  The final
> attempt was using the sernet package listed above and the Bind RPM from the
> previous server instance.
> 
> I've followed the instructions on the Samba wiki very carefully.  The only
> thing I haven't tried yet is to build Bind from source from isc.org.
> 
> Does anyone else have this working?  Is it achievable?
> 
> 
> Thanks
> 
> David
> 

Hi David,

i'm atm analyzing the problems, my view is mostly at the bind DLZ module,
but i also do similar tests against the internal dns server.

There are (at least) 2 ways to modify dns entries with the usual windows
and samba (plus ISC) tools:

1.) Using normal dyn. DNS updates, e.g.
     - windows: ipconfig /registerdns
     - linux:   nsupdate -g ...
2.) Using RPC calls:
     - windows: DNS-GUI applet, DNSCMD  (?) must check this
     - linux:   samba-tool

Obviously both methods use completely different (wire) transfer
methods (protocols) and code paths.

My test environment is atm (neither samba nor bind is running already):
  - start samba inside a root console as:  samba -i -M single -d3 (or higher level)
  - start ISC bind inside a 2nd root console as: named -g -u named -d1 (or higher level)
    Note that "-u named" specifies the name of the running dns daemon.
      Some distros use "named", others use "bind". This must be checked when the "normal"
      daemon has been started as a test.
    Note also that the usual init/systemd bind dns daemon possibly must have been started once after
    boot to create the needed subdirs on nonpermanent file systems like /var/run/ (distro dependent)
    So carefully watch _all_ bind startup messages!
    To get more debug info from the DLZ module itself, modify
    /usr/local/samba/private/named.conf (or whereever this info is stored):

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    #database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so -d6";  <<<=== debug level !!!
};

Now when you use any client dns tools - and have both consoles side-by-side - you can watch
how both daemons react on each command.

In addition, there are smb.conf options to selectively set debug levels for different actions...

My test setup is:
   - VM host:  running samba AD DC with internal dns (opensuse 12.3)
   - VM guest: running samba AD DC with DLZ module (opensuse 13.1)
   - VM guest: windows server 2008r2
   - VM guest: windows server 2012r2  (was not able to join it, some "exchange ldif" problem)
   - VM guest: windows 7
   - VM guest: windows 8.1
All these have been joined to the same domain.

Atm i also see the same as you. When using the MS DNSGUI to add a new host and set the checkmark
to also create the reverse PTR entry - the reverse entry is not created.

In addition, atm the windows 8.1 box _can_ use "IPCONFIG /registerdns" successfully here, when
doing the same with windows 7, the DLZ module shows "denied" for _signed_ updates...

Don't get confused with some denied msgs from the DLZ module. Even when you configure the windows clients
to _only_ use signed dyn. DNS updates - they try unsigned first. O_o

I must admit that this testing environment is also new to me (bought new hardware to be able to
run many VMs side by side) - but i get more familiar with it every new day :-)

I'll post all my findings on the mailing list.

Also this samba output should be explained further:
Calling samba_kcc script
/usr/local/samba/sbin/samba_kcc: 'DirectoryServiceAgent' object has no attribute 'create_connection'
Child /usr/local/samba/sbin/samba_kcc exited with status 1 - Operation not permitted
../source4/dsdb/kcc/kcc_periodic.c:646: Failed samba_kcc - NT_STATUS_ACCESS_DENIED

Cheers, Günter

--

More information about the samba mailing list