samba4 from BDC to PDC

Daniele Dario d.dario76 at gmail.com
Tue Dec 27 09:45:47 MST 2011


On Tue, 2011-12-27 at 23:15 +1100, Amitay Isaacs wrote:
> Hi Daniele,
> 
> On Tue, Dec 27, 2011 at 8:32 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> > On Sat, 2011-12-24 at 09:13 +1100, Amitay Isaacs wrote:
> >> Hi Daniele,
> >>
> >> On Sat, Dec 24, 2011 at 2:18 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
> >>
> >> > my sbs2003 definitely crashed and samba4 has been able to keep the network
> >> > up for a few days but yesterday, the fileserver with samba 3.4.7 stopped
> >> > allowing users to connect to the network shares.
> >> > Then I tried to set up a new VM (ubuntu 11.04 server i386) with samba4
> >> > Version 4.0.0alpha18-GIT-32317b0 and named BIND 9.9.0b1 from PPA.
> >> > I followed the instructions from samba4 howto on the wiki mixed with the
> >> > info related to bind DLZ and provisioned a new domain.
> >> >
> >> > At this time all seems to be OK:
> >> > - added organization unit, users and groups
> >> > - joined computers to the domain (Win XP)
> >> > - joined fileserver with samba 3.4.7 to the domain (with some chown on the
> >> > shares)
> >> > So, what can I say? GREAT !!!
> >> >
> >> > What I'm currently missing is:
> >> > - when I join a new computer to the domain, bind says
> >> >  update-security: error: client 192.168.12.49#62667: update
> >> > 'saitelitalia.local/IN' denied
> >> >  database: info: samba_dlz: cancelling transaction on zone
> >> > saitelitalia.local
> >> >  and looking in the AD zone, adding a new A record does not work either
> >> > - it is not possible to add the reverse zone
> >>
> >> This looks like the dynamic update with kerberos. dlz_bind9 only supports secure
> >> dynamic updates. Windows first tries to do dynamic update without kerberos and
> >> if that fails, it will try with kerberos. So it's common to find a
> >> pattern of first denied and then updated.
> >>
> >> I have recently pushed patches to support reverse zones. (You can
> >> fetch the latest git tree.) You should be able to create reverse zones
> >> and get dlz_bind9 to resolve PTR records.
> >>
> >> Just to note. One of the users had trouble getting bind 9.9.0 from PPA to work.
> >> He had to compile bind 9.8.1 from sources and then it worked. Maybe the PPA
> >> package has been updated since.
> >>
> >> Amitay.
> >
> > Hi Amitay,
> > about the PPA bind, this is what I find running named -V:
> > BIND 9.9.0b1 built with '--prefix=/usr' '--build=i686-linux-gnu'
> > '--host=i686-linux-gnu' '--mandir=/usr/share/man'
> > '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
> > '--localstatedir=/var/run/bind' '--enable-threads' '--enable-largefile'
> > '--enable-shared' '--enable-static' '--with-libtool'
> > '--with-openssl=/usr' '--with-gssapi=/usr' '--with-dlz-postgres=no'
> > '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes'
> > '--with-dlz-ldap=no' '--with-dlopen=yes' '--with-dlz-stub=yes'
> > '--enable-ipv6' 'build_alias=i686-linux-gnu' 'host_alias=i686-linux-gnu'
> > 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O3'
> > 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2'
> > 'FFLAGS=-g -O2'
> > using OpenSSL version: OpenSSL 0.9.8o 01 Jun 2010
> > using libxml2 version: 2.7.8
> >
> > Looking in the samba4 how-to, it seems that there are all the
> > requirements. I had some troubles with apparmor (needed to add the
> > following permissions)
> >  # samba4 related
> >  /usr/local/samba/private/dns.keytab r,
> >  /usr/local/samba/private/dns/** krw,
> >  /usr/local/samba/private/dns/ krw,
> >  /usr/local/samba/private/named.conf r,
> >  /usr/local/samba/lib/** mr,
> >  /usr/local/samba/modules/** mr,
> >  /usr/local/samba/etc/** r,
> >
> >  # with libdlz_bind9, named needs to access /var/tmp/DNS-${HOSTNAME}_xxx tickets
> >  /var/tmp/** rw,
> >  /tmp/** rw,
> >
> > For the last two entries I don't know if we need both read and write
> > permissions.
> > Hope this helps other people.
> 
> I do not use apparmor, so cannot really comment on it. Maybe someone
> who is using apparmor can confirm if the settings are ok.
> 
> > About the ability to add records to the fwd zone, if I use the windows
> > AD DNS editor, I can add the records but after a refresh the records
> > disappear.
> 
> This was a problem because the rank of the DNS settings was not set correctly.
> 
> > Today I tried to add records using samba-tool dns add and now the
> > records appeared also in the windows AD DNS editor and it seems that
> > they are OK.
> 
> Did you update to the latest source? It has a patch to fix the rank of the DNS
> records.
> 
> > To use your patches, is it better if I create a new samba4 DC and join
> > it to the domain, then try to add the reverse zone (this is to avoid
> > losing the DC we are currently using)?
> 
> Yes, that would be better. That way it won't disrupt the working DC.
> 
> > About the zone updates: if I include in named.conf.local the samba
> > provisioned named.conf.update update-policy (using the include directive
> > or directly copying the content of the file) named won't start.
> > With DLZ, don't I need to specify the update policy?
> 
> What is the error when you specify the update-policy? Without an error report it
> is difficult to figure out what's going wrong.
> 
> >
> > Regards,
> > Daniele
> >
> 
> Amitay.

Hi Amitay,
here is the log when I run:
[root@kdc01:~]# named -g -d 10 -u bind -c /etc/bind/named.conf
27-Dec-2011 17:39:35.157 starting BIND 9.9.0b1 -g -d 10 -u bind -c /etc/bind/named.conf
27-Dec-2011 17:39:35.157 built with '--prefix=/usr' '--build=i686-linux-gnu' '--host=i686-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var/run/bind' '--enable-threads' '--enable-largefile' '--enable-shared' '--enable-static' '--with-libtool' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=no' '--with-dlopen=yes' '--with-dlz-stub=yes' '--enable-ipv6' 'build_alias=i686-linux-gnu' 'host_alias=i686-linux-gnu' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O3' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
27-Dec-2011 17:39:35.157 adjusted limit on open files from 4096 to 1048576
27-Dec-2011 17:39:35.157 found 2 CPUs, using 2 worker threads
27-Dec-2011 17:39:35.158 using up to 4096 sockets
27-Dec-2011 17:39:35.158 Registering DLZ_dlopen driver
27-Dec-2011 17:39:35.158 Registering SDLZ driver 'dlopen'
27-Dec-2011 17:39:35.158 Registering DLZ driver 'dlopen'
27-Dec-2011 17:39:35.158 Registering DLZ_stub driver.
27-Dec-2011 17:39:35.158 Registering SDLZ driver 'dlz_stub'
27-Dec-2011 17:39:35.158 Registering DLZ driver 'dlz_stub'
27-Dec-2011 17:39:35.158 Registering DLZ filesystem driver.
27-Dec-2011 17:39:35.158 Registering SDLZ driver 'filesystem'
27-Dec-2011 17:39:35.158 Registering DLZ driver 'filesystem'
27-Dec-2011 17:39:35.158 Registering DLZ bdb driver.
27-Dec-2011 17:39:35.158 Registering SDLZ driver 'bdb'
27-Dec-2011 17:39:35.158 Registering DLZ driver 'bdb'
27-Dec-2011 17:39:35.158 Registering DLZ bdbhpt driver.
27-Dec-2011 17:39:35.158 Registering SDLZ driver 'bdbhpt'
27-Dec-2011 17:39:35.158 Registering DLZ driver 'bdbhpt'
27-Dec-2011 17:39:35.159 decrement_reference: delete from rbt: 0xb6e240b0 .
27-Dec-2011 17:39:35.164 loading configuration from '/etc/bind/named.conf'
27-Dec-2011 17:39:35.165 /usr/local/samba/private/named.conf:13: unknown option 'update-policy'
27-Dec-2011 17:39:35.165 load_configuration: failure
27-Dec-2011 17:39:35.165 loading configuration: failure
27-Dec-2011 17:39:35.165 exiting (due to fatal error)

where /usr/local/samba/private/named.conf contains

#
# This configures dynamically loadable zones (DLZ) from AD schema
#
dlz "AD DNS Zone" {
    database "dlopen /usr/local/samba/modules/bind9/dlz_bind9.so";
    update-policy {
        grant SAITELITALIA.LOCAL ms-self * A AAAA;
        grant Administrator@SAITELITALIA.LOCAL wildcard * A AAAA SRV CNAME;
        grant KDC01$@saitelitalia.local wildcard * A AAAA SRV CNAME;
    };
};

Last Friday, when I tried, I had no time to investigate, but looking at
the log, maybe I have to move the update policy out of the zone and
add it to named.conf.options so it is global?

Daniele
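As an added example (not code from this thread or from Samba), a small Python check that applies Amitay's point about the denied-then-updated pattern: it groups BIND update-security log lines by client and zone and flags clients whose updates were only ever denied, which is what a genuinely broken kerberos update looks like. The log lines are constructed, modelled on the message Daniele quoted, and the TKEY name after /key is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of BIND 'update-security' log lines, modelled on the
# "update 'saitelitalia.local/IN' denied" message quoted in the thread.
# The second line imitates the follow-up GSS-TSIG (kerberos) update that
# BIND logs with a '/key <tkey-name>' suffix; none of it is a real capture.
SAMPLE_LOG = """\
27-Dec-2011 17:40:01.101 update-security: error: client 192.168.12.49#62667: update 'saitelitalia.local/IN' denied
27-Dec-2011 17:40:01.430 update-security: info: client 192.168.12.49#62668/key 1234-ms-7.1-cafe.example: updating zone 'saitelitalia.local/IN': adding an RR at 'pc49.saitelitalia.local' A
27-Dec-2011 17:41:12.010 update-security: error: client 192.168.12.77#51002: update 'saitelitalia.local/IN' denied
27-Dec-2011 17:41:12.350 update-security: error: client 192.168.12.77#51003: update 'saitelitalia.local/IN' denied
"""

CLIENT = r"client (?P<ip>[0-9.]+)#\d+(?P<key>/key \S+)?: "
DENIED = re.compile(CLIENT + r"update '(?P<zone>[^']+)' denied")
UPDATED = re.compile(CLIENT + r"updating zone '(?P<zone>[^']+)'")


def classify_updates(log_text):
    """Group update-security events by (client IP, zone) and give a verdict.

    'expected' : denials plus a successful update from the same client, the
                 normal unauthenticated-then-kerberos behaviour of Windows.
    'failing'  : only denials, the client never got a signed update through.
    'ok'       : only successful updates seen.
    """
    stats = defaultdict(lambda: {"denied": 0, "updated": 0, "signed": 0})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            stats[(m["ip"], m["zone"])]["denied"] += 1
            continue
        m = UPDATED.search(line)
        if m:
            entry = stats[(m["ip"], m["zone"])]
            entry["updated"] += 1
            if m["key"]:  # '/key ...' means the update carried a TSIG/GSS-TSIG signature
                entry["signed"] += 1
    for entry in stats.values():
        if entry["updated"] == 0:
            entry["verdict"] = "failing"
        elif entry["denied"] > 0:
            entry["verdict"] = "expected"
        else:
            entry["verdict"] = "ok"
    return dict(stats)


def failing_clients(log_text):
    """Sorted client IPs whose dynamic updates were only ever denied."""
    return sorted({ip for (ip, _), e in classify_updates(log_text).items()
                   if e["verdict"] == "failing"})
```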


