AD DNS and Global sequence number implementation
mat at samba.org
Mon Nov 21 17:39:51 MST 2011
On 22/11/2011 01:05, Amitay Isaacs wrote:
> Hi All,
>
> In the current implementation of dlz_bind9, the connection to the SAM database is made over the internal LDAP socket. This creates a dependency between samba and named, as named cannot be started without samba first running. And in case samba is restarted, named also has to be restarted.
>
> Since DNS data is mainly stored in two separate partitions (DomainDnsZones and ForestDnsZones), Tridge suggested giving named permissions to these two partitions only. In the current samdb scheme, any process requiring write access to specific partitions has to have full access to sam because of the transactions. To overcome this problem, we created a partial copy of the SAM database.
>
> In the partial copy:
> - RootDSE, Schema, Configuration partitions are copied as is,
> - a new empty Domain partition is created (to prevent access to secrets),
> - DomainDnsZones, ForestDnsZones partitions are linked to the main SAM.
>
> In addition, the permissions of the DNS partitions are changed to give named write access to these partitions.
>
> With this partial copy of SAM and dlz_bind9 connecting to it directly, named can be started without having to start samba first. However, this brings forth another issue when I start replicating DNS partitions with other DCs in the domain. The problem is that when new records are created by dlz_bind9, they are created with the wrong sequence number. This is because the sequence number logic relies on the availability of all the partitions since the inception of the SAM. The sequence number is calculated as the sum of the changes done per partition. If we lose any of the partitions, then the sequence number calculated is obviously smaller than what it should be.
Why not have a simpler solution: make the bind plugin refuse to serve any request for the domain up to the moment the unix socket is readable? It allows bind to start correctly and pretend it is serving our zone.

Another idea is: while samba is not started, bind has only read access on the partial copy, and when samba is started it has write access through the unix socket.