samba4 from BDC to PDC

Gémes Géza geza at kzsdabas.hu
Thu Oct 20 07:28:07 MDT 2011


On 2011-10-20 15:03, Daniele Dario wrote:
> On Thu, 2011-10-20 at 13:43 +0200, Gémes Géza wrote:
>> On 2011-10-20 09:22, Daniele Dario wrote:
>>> Hi all,
>>> in my simple network I have:
>>> - MS SBS2003 server which is PDC and master DNS (allow zone transfer to
>>> other DNSs of the zone)
>>> - Ubuntu 10.04 32b server VM on XEN server with samba Version
>>> 4.0.0alpha17-GIT-ccaab14 joined to the AD domain as DC plus dhcpd
>>> configured for ddns updates (currently to the SBS DNS) plus BIND
>>> 9.8.0-P4 configured as slave DNS for the local domain zones
>>> - Ubuntu 10.04 32b server with samba Version 3.4.7 joined to the AD
>>> domain which acts as file server (for the network shares)
>>>
>>> My goal is to remove the SBS server, so as a first step I'll disable zone
>>> transfer from the MS DNS and change the zones in BIND to master to check
>>> if samba4 DDNS and ISC DHCPD DDNS still work, but as per the samba4
>>> how-to I need to add the tkey-gssapi-keytab
>>> "/usr/local/samba/private/dns.keytab"; statement in named.conf.
>>>
>>> If I run provision on samba4 (for a new domain), at the end of the
>>> provision the dns.keytab file is created in the samba/private directory.
>>> Running the domain join command instead of the provision, the dns.keytab
>>> file is not created, so how am I supposed to proceed?
>>>
>>> Thanks in advance,
>>> Daniele.
>>>
>>>
>>>
>> Hi,
>>
>> IMHO you should check if you have
>> /usr/local/samba/modules/bind9/dlz_bind9.so; if not, check if you can
>> find libdlz_bind9.so in the source (where you have compiled samba4), and if
>> there is one, copy it to the right place. Then edit (being on Ubuntu I
>> suppose the standard Ubuntu path) /etc/bind/named.conf.local and add the
>> following:
>> dlz "AD DNS Zone" {
>>     database "dlopen /usr/local/samba/modules/bind9/dlz_bind9.so";
>> };
>> With samba-tool user add (or the Windows tools) create a dns-samba4
>> account with password never expiring.
>> With samba-tool spn add (or ktpass on Windows) associate the principal
>> names "DNS/your-ubuntu-server.your.domain" and "DNS/your.domain".
>> With samba-tool domain exportkeytab dump the keys to a keytab (with
>> ktutil -k keytab list you can verify the keys in it; if there are any
>> unneeded ones you can also delete them).
>> Set up the tkey-gssapi-keytab option.
>> Comment out the slave zones in bind.
>> After a bind restart it should be able to read the rr-s directly from
>> samba4's AD.
>>
>> Good luck!
>>
>> Cheers
>>
>> Geza
> Hi Geza,
> thanks for the tips.
>
> Before modifying the named.conf* files, can you explain to me what the dlz
> statement will do?
>
> I thought I'd have to change the zones from slave to master and not
> comment out the slave zones:
>
> zone "mydomain.local" {
> 	type slave; //should become type master
> 	file "/usr/local/samba/private/dns/db.mydomain.local";
> };
>
> zone "12.168.192.in-addr.arpa" {
> 	type slave; //should become type master
> 	file "/usr/local/samba/private/dns/db.12.168.192";
> };
>
> Thanks again,
> Daniele.
>
Hi,

DLZ stands for Dynamically Loaded Zone; it was developed around
2003 to allow bind to load zone data dynamically from external
databases.
Recently (2010) it has been extended by Andrew Tridgell (the creator of
Samba) to do read-write database access via the dlz dlopen plugin (it
gets built by default from bind 9.8.1; included from bind 9.8.0). So by
instructing bind to use dlz "Whatever" {path to the corresponding
library}, we ask it to load a library which handles the manipulation
(read-write) of the records. In the case of samba it loads dlz_bind9.so,
which handles all the retrieving/storing of rr-s for bind.
I didn't say to remove anything; I just suggest trying it out and seeing if
it works for you. And please share your success/failure with us.
Two suggestions if you follow this path:
Use the current git version of samba (there were some recent fixes
related to DDNS updates).
Change (at least) the owning group of
/usr/local/samba/private/dns.keytab and
/usr/local/samba/private/ldap_priv/ to bind (or whatever user your named
runs as).

Cheers

Geza
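As an added example (not from this thread or from the Samba project), a small POSIX shell check for the prerequisites Geza lists before pointing BIND at the DLZ module: the dlz_bind9.so file must exist, and dns.keytab and ldap_priv/ must be group-owned by the group named runs as. The Samba prefix /usr/local/samba and the group name bind are the thread's defaults and are parameters here; checking the keytab's principals with ktutil is left to the operator.

```shell
#!/bin/sh
# check_dlz_prereqs [samba_prefix] [named_group]
# Returns 0 when everything Geza's recipe needs is in place, 1 otherwise,
# printing one line per problem found.  Defaults match the thread
# (/usr/local/samba, group "bind" on Ubuntu); both are assumptions.
check_dlz_prereqs() {
    prefix=${1:-/usr/local/samba}
    named_group=${2:-bind}
    rc=0
    module="$prefix/modules/bind9/dlz_bind9.so"
    keytab="$prefix/private/dns.keytab"
    ldap_priv="$prefix/private/ldap_priv"

    # 1. The module referenced by 'database "dlopen ..."' must exist,
    #    otherwise named fails to load the dlz zone at startup.
    if [ ! -f "$module" ]; then
        echo "MISSING: $module (copy libdlz_bind9.so from the samba4 build tree)"
        rc=1
    fi

    # 2. named must be able to read the keytab (for tkey-gssapi-keytab)
    #    and ldap_priv/ (used by dlz_bind9.so), so their owning group
    #    must be the group named runs as.
    for path in "$keytab" "$ldap_priv"; do
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        # GNU stat first, BSD stat as fallback
        grp=$(stat -c %G "$path" 2>/dev/null || stat -f %Sg "$path")
        if [ "$grp" != "$named_group" ]; then
            echo "WRONG GROUP: $path is '$grp', expected '$named_group' (chgrp $named_group $path)"
            rc=1
        fi
    done
    return $rc
}
```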