[Samba] Workstations cannot update DNS
durwin at mgtsciences.com
Wed May 15 20:03:05 UTC 2019
> > > >
> > > > https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
> > > >
> > > > selinux is not installed.
> > > > Firewall is not active.
> > > > iptables is not active.
> > > The problem appears to have something to do with Apparmor.
> > > >
> > > > From that page,
> > > > BIND process has read access to the following files
> > > > /var/lib/samba/private/dns.keytab
> > > > /var/lib/samba/private/named.conf # THIS DOES NOT EXIST
> > >
> > > OK, but I do not remember you saying which version of Samba you are
> > > using, later versions now use the path '/var/lib/samba/bind-dns'
> > > instead of '/var/lib/samba/private'
> >
> > I am using Bind9 on Ubuntu 18.04
> > Ok, I verified permissions on /var/lib/samba/bind-dns.
> >
> > >
> > > >
> > > > as well read-write access to the
> > > > /var/lib/samba/private/dns/ # THIS DOES NOT EXIST
> > > > directory and it's own zone file(s).
> > > >
> > > > this is in /etc/apparmor.d/usr.sbin.named.
> > > > # /etc/bind should be read-only for bind
> > > > # /var/lib/bind is for dynamically updated zone (and journal) files.
> > > > # /var/cache/bind is for slave/stub data, since we're not the origin
> > > > # of it.
> > > > # See /usr/share/doc/bind9/README.Debian.gz
> > > > /etc/bind/** r,
> > > > /var/lib/bind/** rw,
> > > > /var/lib/bind/ rw,
> > > > /var/cache/bind/** lrw,
> > > > /var/cache/bind/ rw,
> > > >
> > > > # gssapi
> > > > /etc/krb5.keytab kr,
> > > > /etc/bind/krb5.keytab kr,
> > > > /var/lib/samba/lib/** rm,
> > > > /var/lib/samba/private/dns.keytab r,
> > > > /var/lib/samba/private/named.conf r,
> > > > /var/lib/samba/private/dns/** rwk, # THIS DOES NOT EXIST
> >
> > I changed above line to.
> > /var/lib/samba/bind-dns/** rwk,
> > Or should it be?
> > /var/lib/samba/bind-dns/dns/** rwk,
> >
> > > > /var/lib/samba/etc/smb.conf r,
> > > >
> > > > I rebooted just to be sure. However, I still get client update denied.
> > > >
> > > >
> > > > This is in /etc/bind/
> > > >
> > > > drwxr-sr-x 2 root bind 4096 May 15 10:38 ./
> > > > drwxr-xr-x 99 root root 4096 May 3 11:13 ../
> > > > -rw-r--r-- 1 root root 2761 Apr 24 04:04 bind.keys
> > > > -rw-r--r-- 1 root root 237 Oct 10 2018 db.0
> > > > -rw-r--r-- 1 root root 271 Oct 10 2018 db.127
> > > > -rw-r--r-- 1 root bind 615 May 10 11:28 db.172.23.93
> > > Is the above your reverse zone ?
> >
> > The only thing I added or modified in this entire directory is
> > named.conf.msi and added line,
> > include "/etc/bind/named.conf.msi";
> > to named.conf
> > The rest you see here was not added by me.
> >
> > > >
> > > > -rw-r--r-- 1 root root 237 Oct 10 2018 db.255
> > > > -rw-r--r-- 1 root root 353 Oct 10 2018 db.empty
> > > > -rw-r--r-- 1 root root 270 Oct 10 2018 db.local
> > > > -rw-r--r-- 1 root root 3171 Oct 10 2018 db.root
> > > > -rw-r--r-- 1 root bind 499 May 10 11:12 named.conf
> > > > -rw-r--r-- 1 root bind 662 May 14 11:42 named.conf.default-zones
> > > > -rw-r--r-- 1 root bind 258 Apr 29 11:34 named.conf.local
> > > > -rw-r--r-- 1 root bind 193 May 14 11:44 named.conf.msi
> > >
> > > And is the above your forward zone ?
> > >
> > > If it is yes to both of the last questions, then you need to delete
> > > them, you cannot use flatfiles with BIND9_DLZ
> >
> > Do I delete only the 'db.*' files? Are the 'named.conf*' files in this
> > location not used? If I do delete the named.* files, what do I edit
> > to add a slave domain for mycompany.com (DC domain is msi.mycompany.com)?
> > The DC is master of msi.mycompany.com, another server is master of
> > mycompany.com.
>
>
> Your DC is authoritative for your ad domain and should only store
> records for that domain, anything else should be forwarded to a dns
> server outside the ad domain.
>
> I would suggest you delete these:
>
> db.172.23.93
>
> named.conf.msi
This has been cleaned up.
>
> I think it might be a good idea if you post the contents of these files:
>
> /etc/bind/named.conf
> /etc/bind/named.conf.options
> /etc/bind/named.conf.local
> /etc/bind/named.conf.default-zones
named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// adding the Samba dlopen ( Bind DLZ ) module
include "/var/lib/samba/bind-dns/named.conf";

named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // 172.23.93.3 is master dns for mycompany.com
    forwarders {
        172.23.93.3; 8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    //listen-on-v6 { any; };
    listen-on { any; };
    notify no;
    empty-zones-enable no;

    // DNS dynamic updates via Kerberos
    /var/lib/samba/private/dns.keytab;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
>
> Rowland
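The thread turns on whether the AppArmor profile for named still grants access to the old /var/lib/samba/private paths while Samba (4.8 and later) keeps the keytab, named.conf and DLZ database under /var/lib/samba/bind-dns. The script below is an added example, not from the thread and not Samba or BIND code: it reads the keytab path that named.conf.options actually passes to tkey-gssapi-keytab, then checks that the profile grants r on that keytab, r on bind-dns/named.conf and rwk on a file under bind-dns/dns/. It assumes the Samba 4.8+ layout, treats bind-dns/dns/sam.ldb as a representative file under the dns/ directory (an assumption), and understands only exact paths and trailing "/**" globs, which is enough for the Debian/Ubuntu usr.sbin.named profile. The sample profile and options files it audits are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, nor Samba/BIND code): audit the AppArmor
# profile for named against the paths a Samba BIND9_DLZ setup needs.
# Assumed layout (Samba 4.8+): /var/lib/samba/bind-dns/{named.conf,dns.keytab,dns/}.

# keytab_from_options FILE: print the path given to tkey-gssapi-keytab.
keytab_from_options() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# profile_allows PROFILE PATH MODE: succeed if some rule in PROFILE covers PATH
# with every permission letter in MODE. Only exact paths and trailing "/**"
# globs are understood (enough for the Debian/Ubuntu usr.sbin.named profile).
profile_allows() {
    profile=$1 want=$2 mode=$3
    while read -r rule perms; do
        case "$rule" in /*) ;; *) continue ;; esac    # skip comments, includes, braces
        perms=${perms%%#*}                             # drop a trailing comment
        perms=$(printf '%s' "$perms" | tr -d ' ,')     # keep only the permission letters
        case "$rule" in
            */'**') prefix=${rule%\*\*}
                    case "$want" in "$prefix"*) ;; *) continue ;; esac ;;
            *)      [ "$rule" = "$want" ] || continue ;;
        esac
        m=$mode ok=1
        while [ -n "$m" ]; do                          # every requested letter must be granted
            c=${m%"${m#?}"}; m=${m#?}
            case "$perms" in *"$c"*) ;; *) ok=0 ;; esac
        done
        [ "$ok" -eq 1 ] && return 0
    done < "$profile"
    return 1
}

# audit_named_profile PROFILE OPTIONS [DLZ_DIR]: report each required grant;
# non-zero exit status when anything is missing.
audit_named_profile() {
    profile=$1 options=$2 dlz=${3:-/var/lib/samba/bind-dns} rc=0
    keytab=$(keytab_from_options "$options")
    if [ -z "$keytab" ]; then
        echo "FAIL: $options sets no tkey-gssapi-keytab"; rc=1
    elif profile_allows "$profile" "$keytab" r; then
        echo "ok:   r on $keytab"
    else
        echo "FAIL: profile grants no r on $keytab"; rc=1
    fi
    # Samba-generated BIND config, and the DLZ database under dns/
    # (sam.ldb is assumed here as a representative file in that directory).
    for spec in "$dlz/named.conf r" "$dlz/dns/sam.ldb rwk"; do
        set -- $spec
        if profile_allows "$profile" "$1" "$2"; then
            echo "ok:   $2 on $1"
        else
            echo "FAIL: profile grants no $2 on $1"; rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs: the profile fragment quoted in the thread (old
# /var/lib/samba/private layout) and a corrected one, both audited against an
# options file that points at the bind-dns keytab. Prints "fail pass" last.
demo_audit() {
    dir=$(mktemp -d)
    cat > "$dir/options" <<'EOF'
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
EOF
    cat > "$dir/old.profile" <<'EOF'
  /etc/bind/** r,
  # gssapi
  /var/lib/samba/lib/** rm,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk, # THIS DOES NOT EXIST
EOF
    cat > "$dir/new.profile" <<'EOF'
  /etc/bind/** r,
  # gssapi, Samba 4.8+ layout
  /var/lib/samba/lib/** rm,
  /var/lib/samba/bind-dns/dns.keytab r,
  /var/lib/samba/bind-dns/named.conf r,
  /var/lib/samba/bind-dns/dns/** rwk,
EOF
    echo "== old profile"
    audit_named_profile "$dir/old.profile" "$dir/options" && old=pass || old=fail
    echo "== corrected profile"
    audit_named_profile "$dir/new.profile" "$dir/options" && new=pass || new=fail
    rm -rf "$dir"
    echo "$old $new"
}

demo_audit
```

On a real DC, run `audit_named_profile /etc/apparmor.d/usr.sbin.named /etc/bind/named.conf.options` and follow any FAIL line with the matching rule in /etc/apparmor.d/local/usr.sbin.named, then reload the profile with apparmor_parser -r. A profile that still names only the private/ paths will pass for the old keytab and fail for everything under bind-dns, which is the mismatch the thread is chasing.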