samba4 from BDC to PDC

Amitay Isaacs amitay at
Tue Dec 27 05:15:31 MST 2011

Hi Daniele,

On Tue, Dec 27, 2011 at 8:32 PM, Daniele Dario <d.dario76 at> wrote:
> On Sat, 2011-12-24 at 09:13 +1100, Amitay Isaacs wrote:
>> Hi Daniele,
>> On Sat, Dec 24, 2011 at 2:18 AM, Daniele Dario <d.dario76 at> wrote:
>> > my sbs2003 definitely crashed and samba4 has been able to keep the network
>> > up for a few days but yesterday, the fileserver with samba 3.4.7 stopped
>> > allowing users to connect to the network shares.
>> > Then I tried to set up a new VM (ubuntu 11.04 server i386) with samba4
>> > Version 4.0.0alpha18-GIT-32317b0 and named BIND 9.9.0b1 from PPA.
>> > I followed the instructions from samba4 howto on the wiki mixed with the
>> > info related to bind DLZ and provisioned a new domain.
>> >
>> > At this time all seems to be OK:
>> > - added organization unit, users and groups
>> > - joined computers to the domain (Win XP)
>> > - joined fileserver with samba 3.4.7 to the domain (with some chown on the
>> > shares)
>> > So, what can I say? GREAT !!!
>> >
>> > What I'm currently missing is:
>> > - when I join a new computer to the domain, bind says
>> >   update-security: error: client update 'saitelitalia.local/IN' denied
>> >   database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
>> >  and looking in the AD zone, also adding a new A record it does not work
>> > - it is not possible to add the reversed zone
>> This looks like the dynamic update with Kerberos. dlz_bind9 only supports secure
>> dynamic updates. Windows first tries to do dynamic update without Kerberos and
>> if that fails, it will try with Kerberos. So it's common to find a pattern of
>> first denied and then updated.
>> I have recently pushed patches to support reverse zones. (You can fetch the
>> latest git tree.) You should be able to create reverse zones and get dlz_bind9
>> to resolve PTR records.
>> Just to note. One of the users had trouble getting bind 9.9.0 from PPA to work.
>> He had to compile bind 9.8.1 from sources and then it worked. Maybe the PPA
>> package has been updated since.
>> Amitay.
> Hi Amitay,
> about the PPA bind, this is what I find running named -V:
> BIND 9.9.0b1 built with '--prefix=/usr' '--build=i686-linux-gnu'
> '--host=i686-linux-gnu' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
> '--localstatedir=/var/run/bind' '--enable-threads' '--enable-largefile'
> '--enable-shared' '--enable-static' '--with-libtool'
> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-dlz-postgres=no'
> '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes'
> '--with-dlz-ldap=no' '--with-dlopen=yes' '--with-dlz-stub=yes'
> '--enable-ipv6' 'build_alias=i686-linux-gnu' 'host_alias=i686-linux-gnu'
> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O3'
> 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2'
> 'FFLAGS=-g -O2'
> using OpenSSL version: OpenSSL 0.9.8o 01 Jun 2010
> using libxml2 version: 2.7.8
> Looking in the samba4 how-to, it seems that there are all the
> requirements. I had some troubles with apparmor (needed to add the
> following permissions)
>   # samba4 related
>   /usr/local/samba/private/dns.keytab r,
>   /usr/local/samba/private/dns/** krw,
>   /usr/local/samba/private/dns/ krw,
>   /usr/local/samba/private/named.conf r,
>   /usr/local/samba/lib/** mr,
>   /usr/local/samba/modules/** mr,
>   /usr/local/samba/etc/** r,
>   # with libdlz_bind9, named needs to access /var/tmp/DNS-${HOSTNAME}_xxx tickets
>   /var/tmp/** rw,
>   /tmp/** rw,
> For the last two entries I don't know if we need both read and write
> permissions.
> Hope this helps other people.

I do not use apparmor, so I cannot really comment on it. Maybe someone who is
using apparmor can confirm if the settings are OK.

> About the ability to add records to the fwd zone, if I use the windows
> AD DNS editor, I can add the records but after a refresh the records
> disappear.

This was a problem because the rank of the DNS settings was not set correctly.

> Today I tried to add records using samba-tool dns add and now the
> records appeared also in the windows AD DNS editor and it seems that
> they are OK.

Did you update to the latest source? It has a patch to fix the rank of the DNS

> To use your patches, is it better if I create a new samba4 DC and join
> it to the domain, then try to add the reversed zone (this to avoid
> losing the DC we are currently using)?

Yes, that would be better. That way it won't disrupt the working DC.

> About the zone updates: if I include in named.conf.local the samba
> provisioned named.conf.update update-policy (using the include directive
> or directly copying the content of the file) named won't start.
> With DLZ don't I need to spec the update policy?

What is the error when you specify the update-policy? Without an error report it
is difficult to figure out what's going wrong.

> Regards,
> Daniele

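Amitay's point above, that an unsigned "denied" followed by a Kerberos-signed update is the normal Windows client behaviour, suggests a simple triage check for the named log: a client/zone pair that is denied and never followed by a signed update is the case worth looking into. The following is an added example, not code from the thread or from Samba/BIND; the log lines are constructed to resemble BIND's update-security messages (the exact format of the signed-update line is an assumption, as is the client address the thread's quoted line lacks).

```python
import re
from collections import OrderedDict

# Constructed sample named log (not from the original thread). Client addresses and
# the "signer ... updating zone" line format are assumptions for illustration.
SAMPLE_LOG = """\
27-Dec-2011 10:01:02.100 update-security: error: client 192.168.1.50#51023: update 'saitelitalia.local/IN' denied
27-Dec-2011 10:01:02.101 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
27-Dec-2011 10:01:02.350 update-security: info: client 192.168.1.50#51024: signer "PC01$@SAITELITALIA.LOCAL": updating zone 'saitelitalia.local/IN': adding an RR
27-Dec-2011 10:05:10.000 update-security: error: client 192.168.1.77#40001: update 'saitelitalia.local/IN' denied
27-Dec-2011 10:05:10.001 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
"""

# Unsigned update rejected by the update-policy (the line quoted in the thread).
DENIED = re.compile(r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied")
# GSS-TSIG signed update that was accepted (assumed format).
SIGNED = re.compile(r"client (?P<ip>[\d.]+)#\d+: signer \"[^\"]+\": updating zone '(?P<zone>[^']+)'")


def classify_updates(log_text):
    """Map (client_ip, zone) -> 'retried-signed' or 'denied-only'.

    'retried-signed' is the benign unsigned-then-Kerberos pattern described in
    the thread; 'denied-only' means the client never fell back to a signed
    update, which points at a Kerberos/keytab problem on that client or server.
    """
    result = OrderedDict()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            # Only mark as denied-only if no signed update was seen yet.
            result.setdefault((m["ip"], m["zone"]), "denied-only")
            continue
        m = SIGNED.search(line)
        if m:
            result[(m["ip"], m["zone"])] = "retried-signed"
    return result


def failing_clients(log_text):
    """Return the (ip, zone) pairs that were only ever denied."""
    return [k for k, v in classify_updates(log_text).items() if v == "denied-only"]


if __name__ == "__main__":
    for ip, zone in failing_clients(SAMPLE_LOG):
        print(f"no signed update after denial: {ip} -> {zone}")
```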

More information about the samba-technical mailing list