samba4 from BDC to PDC

Daniele Dario d.dario76 at
Tue Dec 27 02:32:51 MST 2011

On Sat, 2011-12-24 at 09:13 +1100, Amitay Isaacs wrote:
> Hi Daniele,
> On Sat, Dec 24, 2011 at 2:18 AM, Daniele Dario <d.dario76 at> wrote:
> > my sbs2003 definitely crashed and samba4 has been able to keep the network
> > up for a few days but yesterday, the fileserver with samba 3.4.7 stopped
> > allowing users to connect to the network shares.
> > Then I tried to set up a new VM (ubuntu 11.04 server i386) with samba4
> > Version 4.0.0alpha18-GIT-32317b0 and named BIND 9.9.0b1 from PPA.
> > I followed the instructions from samba4 howto on the wiki mixed with the
> > info related to bind DLZ and provisioned a new domain.
> >
> > At this time all seems to be OK:
> > - added organization unit, users and groups
> > - joined computers to the domain (Win XP)
> > - joined fileserver with samba 3.4.7 to the domain (with some chown on the
> > shares)
> > So, what can I say? GREAT !!!
> >
> > What I'm currently missing is:
> > - when I join a new computer to the domain, bind says
> >  update-security: error: client update
> > 'saitelitalia.local/IN' denied
> >  database: info: samba_dlz: cancelling transaction on zone
> > saitelitalia.local
> >  and looking in the AD zone, also adding a new A record it does not work
> > - it is not possible to add the reversed zone
> This looks like the dynamic update with kerberos. dlz_bind9 only supports secure
> dynamic updates. Windows first tries to do dynamic update without kerberos and
> if that fails, it will try with kerberos. So it's common to find a
> pattern of first denied and then updated.
> I have recently pushed patches to support reverse zones. (You can
> fetch the latest git tree.) You should be able to create reverse zones and get
> dlz_bind9 to resolve PTR records.
> Just to note. One of the users had trouble getting bind 9.9.0 from PPA to work.
> He had to compile bind 9.8.1 from sources and then it worked. Maybe the PPA
> package has been updated since.
> Amitay.

Hi Amitay,
about the PPA bind, this is what I find running named -V:
BIND 9.9.0b1 built with '--prefix=/usr' '--build=i686-linux-gnu'
'--host=i686-linux-gnu' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var/run/bind' '--enable-threads' '--enable-largefile'
'--enable-shared' '--enable-static' '--with-libtool'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-dlz-postgres=no'
'--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes'
'--with-dlz-ldap=no' '--with-dlopen=yes' '--with-dlz-stub=yes'
'--enable-ipv6' 'build_alias=i686-linux-gnu' 'host_alias=i686-linux-gnu'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O3'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2'
'FFLAGS=-g -O2'
using OpenSSL version: OpenSSL 0.9.8o 01 Jun 2010
using libxml2 version: 2.7.8

Looking in the samba4 how-to, it seems that there are all the
requirements. I had some troubles with apparmor (needed to add the
following permissions)
  # samba4 related
  /usr/local/samba/private/dns.keytab r,
  /usr/local/samba/private/dns/** krw,
  /usr/local/samba/private/dns/ krw,
  /usr/local/samba/private/named.conf r,
  /usr/local/samba/lib/** mr,
  /usr/local/samba/modules/** mr,
  /usr/local/samba/etc/** r,

  # with libdlz_bind9, named needs to access /var/tmp/DNS-${HOSTNAME}_xxx tickets
  /var/tmp/** rw,
  /tmp/** rw,

For the last two entries I don't know if we need both read and write.
Hope this helps other people.

About the ability to add records to the fwd zone, if I use the Windows
AD DNS editor, I can add the records but after a refresh the records
Today I tried to add records using samba-tool dns add and now the
records appeared also in the Windows AD DNS editor and it seems that
they are OK.

To use your patches, is it better if I create a new samba4 DC and join
it to the domain rather than trying to add the reverse zone (this is to
avoid losing the DC we are currently using)?

About the zone updates: if I include in named.conf.local the samba
provisioned named.conf.update update-policy (using the include directive
or directly copying the content of the file), named won't start.
With DLZ, don't I need to specify the update policy?
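The "denied, then updated" sequence Amitay describes is easy to confuse with a client that is actually failing to register, since both produce the same `update ... denied` line in named's log. The script below is an added example, not part of this thread or of the Samba or BIND projects: it reads named log lines and reports, per client address, whether an unsigned attempt was refused and then followed by an accepted GSS-TSIG update (benign), whether only signed updates were seen, or whether the client was refused and never accepted (the case worth chasing: Kerberos ticket, dns.keytab, or AppArmor denials on the ticket cache). The log line shapes it matches (the `client <ip>#<port>: update '<zone>/IN' denied` line, the `/key <principal>: updating zone` line BIND emits for signed updates, and a `samba_dlz: allowing update ... tcpaddr=<ip>` line) are assumptions drawn from the lines quoted above and from BIND's update categories; the sample log, addresses and host names are constructed for the example, so check the patterns against your own named output.

```shell
#!/bin/sh
# Added example, not from the thread: triage BIND dynamic-update log lines per
# client so the benign "unsigned attempt denied, then GSS-TSIG update accepted"
# sequence is separated from clients that only ever get denied.
#
# Assumed line shapes (verify against your own named log):
#   ... client <ip>#<port>: update '<zone>/IN' denied
#   ... client <ip>#<port>/key <principal>: updating zone '<zone>/IN': adding an RR at ...
#   ... samba_dlz: allowing update of signer=... tcpaddr=<ip> ...
#
# sample_log: constructed sample; addresses, host names and timestamps are made up.
sample_log() {
  cat <<'EOF'
27-Dec-2011 09:01:02.100 update-security: error: client 192.168.10.21#49152: update 'saitelitalia.local/IN' denied
27-Dec-2011 09:01:02.101 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
27-Dec-2011 09:01:02.350 update: info: client 192.168.10.21#49153/key WS01$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/IN': adding an RR at 'ws01.saitelitalia.local' A 192.168.10.21
27-Dec-2011 09:03:40.000 database: info: samba_dlz: allowing update of signer=WS02$@SAITELITALIA.LOCAL name=ws02.saitelitalia.local tcpaddr=192.168.10.22 type=A key=1234.sig-dc1.saitelitalia.local
27-Dec-2011 09:05:11.000 update-security: error: client 192.168.10.40#51000: update 'saitelitalia.local/IN' denied
27-Dec-2011 09:05:11.001 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
27-Dec-2011 09:05:12.500 update-security: error: client 192.168.10.40#51001: update 'saitelitalia.local/IN' denied
27-Dec-2011 09:10:00.000 update: info: client 192.168.10.7#40000/key DC1$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/IN': adding an RR at 'printer.saitelitalia.local' A 192.168.10.99
EOF
}

# classify_updates: reads named log lines on stdin, prints one line per client:
#   <ip> benign  denied=N accepted=M   unsigned attempt refused, signed update accepted
#   <ip> signed  denied=0 accepted=M   only signed updates seen
#   <ip> failing denied=N accepted=0   refused and never accepted: check kinit/keytab/AppArmor
classify_updates() {
  awk '
    function client_ip(s) {
      # "client 192.0.2.1#49152" or "client 192.0.2.1#49152/key ..." -> 192.0.2.1
      if (match(s, /client [0-9a-fA-F.:]+#/))
        return substr(s, RSTART + 7, RLENGTH - 8)
      # samba_dlz lines carry the peer as tcpaddr=<ip> instead
      if (match(s, /tcpaddr=[0-9a-fA-F.:]+/))
        return substr(s, RSTART + 8, RLENGTH - 8)
      return ""
    }
    {
      ip = client_ip($0)
      if (ip == "") next          # e.g. "cancelling transaction" lines name no client
      seen[ip] = 1
      if ($0 ~ /update '\''[^'\'']+'\'' denied/)
        denied[ip]++
      else if ($0 ~ /\/key [^:]+: updating zone/ || $0 ~ /samba_dlz: allowing update/)
        accepted[ip]++
    }
    END {
      for (ip in seen) {
        if (denied[ip] && accepted[ip]) verdict = "benign"
        else if (accepted[ip])          verdict = "signed"
        else                            verdict = "failing"
        printf "%s %s denied=%d accepted=%d\n", ip, verdict, denied[ip] + 0, accepted[ip] + 0
      }
    }' | sort
}

# triage_sample: run the classifier over the constructed sample log.
triage_sample() {
  sample_log | classify_updates
}

triage_sample
```

Against a live box, feed it the real log instead of the sample, for instance `grep named /var/log/syslog | classify_updates` (or the file your named logging channel writes to). A client reported as `failing` with only denied lines has not completed the Kerberos-signed retry at all, which is what you would expect if named cannot read dns.keytab or cannot write its ticket cache under the AppArmor profile; a client reported as `benign` is showing exactly the denied-then-updated pattern described in the quoted reply.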


