samba4 from BDC to PDC

Daniele Dario d.dario76 at gmail.com
Thu Oct 20 08:53:31 MDT 2011


On Thu, 2011-10-20 at 15:28 +0200, Gémes Géza wrote:
> On 2011-10-20 15:03, Daniele Dario wrote:
> > On Thu, 2011-10-20 at 13:43 +0200, Gémes Géza wrote:
> >> On 2011-10-20 09:22, Daniele Dario wrote:
> >>> Hi all,
> >>> in my simple network I have:
> >>> - MS SBS2003 server which is PDC and master DNS (allow zone transfer to
> >>> other DNSs of the zone)
> >>> - Ubuntu 10.04 32b server VM on XEN server with samba Version
> >>> 4.0.0alpha17-GIT-ccaab14 joined to the AD domain as DC plus dhcpd
> >>> configured for ddns updates (currently to the SBS DNS) plus BIND
> >>> 9.8.0-P4 configured as slave DNS for the local domain zones
> >>> - Ubuntu 10.04 32b server with samba Version 3.4.7 joined to the AD
> >>> domain which acts as file server (for the network shares)
> >>>
> >>> My goal is to remove the SBS server, so as a first step I'll disable zone
> >>> transfer from the MS DNS and change the zones in BIND to master to check
> >>> if samba4 DDNS and ISC DHCPD DDNS still work, but as per the samba4
> >>> how-to I need to add the tkey-gssapi-keytab
> >>> "/usr/local/samba/private/dns.keytab"; statement in named.conf.
> >>>
> >>> If I run provision on samba4 (for a new domain), at the end of the
> >>> provision the dns.keytab file is created in the samba/private directory.
> >>> When running the domain join command instead of the provision, the dns.keytab
> >>> file is not created, so how am I supposed to proceed?
> >>>
> >>> Thanks in advance,
> >>> Daniele.
> >>>
> >>>
> >>>
> >> Hi,
> >>
> >> IMHO you should check if you have
> >> /usr/local/samba/modules/bind9/dlz_bind9.so; if not, check if you can
> >> find libdlz_bind9.so in the source (where you have compiled samba4), and if
> >> there is one, copy it to the right place. Then edit (being on Ubuntu I
> >> suppose the standard Ubuntu path) /etc/bind/named.conf.local and add the
> >> following:
> >> dlz "AD DNS Zone" {
> >>     database "dlopen /usr/local/samba/modules/bind9/dlz_bind9.so";
> >> };
> >> With samba-tool user add (or the Windows tools) create a dns-samba4
> >> account with a never-expiring password.
> >> With samba-tool spn add (or ktpass on Windows) associate the principal
> >> names "DNS/your-ubuntu-server.your.domain" and "DNS/your.domain".
> >> With samba-tool domain exportkeytab dump the keys to a keytab (with
> >> ktutil -k keytab list you can verify the keys in it; if there are any
> >> unneeded ones you can also delete them).
> >> Set up the tkey-gssapi-keytab option.
> >> Comment out the slave zones in bind.
> >> After a bind restart it should be able to read the RRs directly from
> >> samba4's AD.
> >>
> >> Good luck!
> >>
> >> Cheers
> >>
> >> Geza
> > Hi Geza,
> > thanks for the tips.
> >
> > Before modifying the named.conf* files, can you explain to me what the dlz
> > statement will do?
> >
> > I thought I would have to change the zones from slave to master and not
> > comment out the slave zones:
> >
> > zone "mydomain.local" {
> > 	type slave; //should become type master
> > 	file "/usr/local/samba/private/dns/db.mydomain.local";
> > };
> >
> > zone "12.168.192.in-addr.arpa" {
> > 	type slave; //should become type master
> > 	file "/usr/local/samba/private/dns/db.12.168.192";
> > };
> >
> > Thanks again,
> > Daniele.
> >
> Hi,
> 
> DLZ stands for Dynamically Loaded Zone; it was developed around
> 2003 to allow bind to load zone data dynamically from external
> databases.
> Recently (2010) it was extended by Andrew Tridgell (the creator of
> Samba) to do read-write database access via the dlz dlopen plugin (it
> gets built by default from bind 9.8.1; included since bind 9.8.0). So by
> instructing bind to use dlz "Whatever" {path to the corresponding
> library}, we ask it to load a library which handles the manipulation
> (read-write) of the records. In the case of samba it loads dlz_bind9.so,
> which handles all the retrieving/storing of RRs for bind.
> I didn't say to remove anything, I just suggest trying it out and seeing if
> it works for you. And please share your success/failure with us.
> Two suggestions if you follow this path:
> Use the current git version of samba (there were some recent fixes
> related to DDNS updates).
> Change (at least) the owning group of
> /usr/local/samba/private/dns.keytab and
> /usr/local/samba/private/ldap_priv/ to bind (or whatever user your named
> runs as).
> 
> Cheers
> 
> Geza
Hi Geza,
looking in my ubuntu I found that I have a libdlz_bind9.so
in /usr/local/samba/lib/samba. Are they the same module (maybe the
module has changed location between releases)? If yes, should I use the
libdlz_bind9.so in /usr/local/samba/lib/samba/ instead
of the /usr/local/samba/modules/bind9/dlz_bind9.so you told me about?

Anyway, just to better understand what I'm doing, what's the difference
between provisioning a new domain, which does not include the dlz
statement in the bind configuration, and my case (removing the SBS DC
after a domain join)?

Regards,
Daniele.
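As an added example (not code from the thread or from Samba), a small POSIX shell pre-flight script that checks Geza's prerequisites before BIND is restarted: it looks for the DLZ module under both paths mentioned in the thread, verifies that dns.keytab and ldap_priv/ are readable by the named user's group, and prints the dlz stanza for named.conf.local. The prefix /usr/local/samba, the group name bind and GNU stat(1) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Pre-flight checks
# before restarting BIND with the samba4 DLZ module; the samba prefix, the
# group name "bind" and GNU stat(1) are assumptions.
# Locate the module under a samba prefix, trying both names seen in the
# thread: modules/bind9/dlz_bind9.so and lib/samba/libdlz_bind9.so.
find_dlz_module() {
    for candidate in "$1/modules/bind9/dlz_bind9.so" \
                     "$1/lib/samba/libdlz_bind9.so"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Succeed when $1 is owned by group $2 and that group can read it (and
# traverse it, for a directory). This is what "change the owning group of
# dns.keytab and ldap_priv/ to bind" is meant to achieve for named.
group_readable_by() {
    path="$1"; group="$2"
    [ -e "$path" ] || return 1
    [ "$(stat -c %G "$path")" = "$group" ] || return 1
    perms=$(stat -c %A "$path")      # e.g. -rw-r----- ; group bits are chars 5-7
    case "$perms" in ????r*) ;; *) return 1 ;; esac
    if [ -d "$path" ]; then
        case "$perms" in ??????[xs]*) ;; *) return 1 ;; esac
    fi
    return 0
}

# Emit the dlz statement for /etc/bind/named.conf.local.
dlz_stanza() {
    printf 'dlz "AD DNS Zone" {\n    database "dlopen %s";\n};\n' "$1"
}

# Run every check for a prefix and group; returns 0 and prints the stanza
# when BIND can be restarted, 1 with a reason on stderr otherwise.
preflight() {
    prefix="${1:-/usr/local/samba}"; group="${2:-bind}"
    module=$(find_dlz_module "$prefix") ||
        { echo "no DLZ module found under $prefix" >&2; return 1; }
    for p in "$prefix/private/dns.keytab" "$prefix/private/ldap_priv"; do
        group_readable_by "$p" "$group" ||
            { echo "$p is not readable by group $group" >&2; return 1; }
    done
    dlz_stanza "$module"
}
```

Run as `preflight /usr/local/samba bind` on the DC; a non-zero exit with the printed reason tells you which of the prerequisites is still missing.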
