samba4 from BDC to PDC

Gémes Géza geza at
Thu Oct 20 10:01:31 MDT 2011

2011-10-20 16:53 keltezéssel, Daniele Dario írta:
> On Thu, 2011-10-20 at 15:28 +0200, Gémes Géza wrote:
>> 2011-10-20 15:03 keltezéssel, Daniele Dario írta:
>>> On Thu, 2011-10-20 at 13:43 +0200, Gémes Géza wrote:
>>>> 2011-10-20 09:22 keltezéssel, Daniele Dario írta:
>>>>> Hi all,
>>>>> in my simple network I have:
>>>>> - MS SBS2003 server which is PDC and master DNS (allows zone transfer to
>>>>> other DNSs of the zone)
>>>>> - Ubuntu 10.04 32b server VM on XEN server with samba Version
>>>>> 4.0.0alpha17-GIT-ccaab14 joined to the AD domain as DC plus dhcpd
>>>>> configured for ddns updates (currently to the SBS DNS) plus BIND
>>>>> 9.8.0-P4 configured as slave DNS for the local domain zones
>>>>> - Ubuntu 10.04 32b server with samba Version 3.4.7 joined to the AD
>>>>> domain which acts as file server (for the network shares)
>>>>> My goal is to remove the SBS server, so as a first step I'll disable zone
>>>>> transfer from the MS DNS and change the zones in BIND to master to check
>>>>> if samba4 DDNS and ISC DHCPD DDNS still work, but as per the samba4
>>>>> how-to I need to add the tkey-gssapi-keytab
>>>>> "/usr/local/samba/private/dns.keytab"; statement in named.conf.
>>>>> If I run provision on samba4 (for a new domain) at the end of the
>>>>> provision the dns.keytab file is created in the samba/private directory.
>>>>> Running the domain join command instead of the provision, the dns.keytab
>>>>> file is not created, so how am I supposed to proceed?
>>>>> Thanks in advance,
>>>>> Daniele.
>>>> Hi,
>>>> IMHO you should check if you have
>>>> /usr/local/samba/modules/bind9/; if not, check if you can
>>>> find in the source (where you have compiled samba4); if
>>>> there is one, copy it to the right place. Then edit (being on Ubuntu I
>>>> suppose the standard Ubuntu path) /etc/bind/named.conf.local and add the
>>>> following:
>>>> dlz "AD DNS Zone" {
>>>>     database "dlopen /usr/local/samba/modules/bind9/";
>>>> };
>>>> With samba-tool user add (or the Windows tools) create a dns-samba4
>>>> account with a never-expiring password;
>>>> with samba-tool spn add (or ktpass on Windows) associate the principal
>>>> names "DNS/your-ubuntu-server.your.domain" and "DNS/your.domain";
>>>> with samba-tool domain exportkeytab dump the keys to a keytab (with
>>>> ktutil -k keytab list you can verify the keys in it; if there are any
>>>> unneeded you can also delete them).
>>>> Set up the tkey-gssapi-keytab option.
>>>> Comment out the slave zones in bind.
>>>> After a bind restart it should be able to read the rr-s directly from
>>>> samba4's AD.
>>>> Good luck!
>>>> Cheers
>>>> Geza
>>> Hi Geza,
>>> thanks for the tips.
>>> Before modifying the named.conf* files, can you explain to me what the dlz
>>> statement will do?
>>> I thought I'd have to change the zones from slave to master and not
>>> comment out the slave zones:
>>> zone "mydomain.local" {
>>> 	type slave; //should become type master
>>> 	file "/usr/local/samba/private/dns/db.mydomain.local";
>>> };
>>> zone "" {
>>> 	type slave; //should become type master
>>> 	file "/usr/local/samba/private/dns/db.12.168.192";
>>> };
>>> Thanks again,
>>> Daniele.
>> Hi,
>> DLZ stands for Dynamically Loaded Zone; it was developed around
>> 2003 to allow bind to load zone data dynamically from external
>> databases.
>> Recently (2010) it was extended by Andrew Tridgell (the creator of
>> Samba) to do read-write database access via the dlz dlopen plugin (it
>> is included from bind 9.8.0 and gets built by default from bind 9.8.1). So by
>> instructing bind to use dlz "Whatever" {path to the corresponding
>> library}, we ask it to load a library which handles the manipulation
>> (read-write) of the records. In the case of samba it loads the
>> which handles all the retrieving/storing of rr-s for bind.
>> I didn't say to remove anything, I just suggested trying it out to see if
>> it works for you. And please share your success/failure with us.
>> Two suggestions if you follow this path:
>> Use the current git version of samba (there were some recent fixes
>> related to DDNS update).
>> Change (at least) the owning group of
>> /usr/local/samba/private/dns.keytab and
>> /usr/local/samba/private/ldap_priv/ to bind (or whatever user your named
>> runs as).
>> Cheers
>> Geza
> Hi Geza,
> looking in my Ubuntu I found that I have a
> in /usr/local/samba/lib/samba. Are they the same modules (maybe the
> module has changed location between releases)? If yes, should I use the
> in /usr/local/samba/lib/samba/ instead
> of /usr/local/samba/modules/bind9/ you told me?
> Anyway, just to better understand what I'm doing, what's the difference
> between provisioning a new domain which does not include the dlz
> statement in the bind configuration and my case (removing the sbs dc
> after a domain join)?
> Regards,
> Daniele.
The question is what is the version of samba you are running (samba -V)?
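A pre-flight script for the setup the thread describes (the dlz block pointing at the dlopen module, the tkey-gssapi-keytab statement, and the owning group of dns.keytab and ldap_priv/), added here as an example; it is not from the thread or from Samba. It assumes named runs as group bind and that the paths quoted above are passed as arguments; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the BIND9 DLZ +
# GSS-TSIG setup discussed above, run before restarting named. Assumed, not
# stated on the page: the named group is "bind"; paths are passed as arguments.
# dlz_module_path CONF: print the library path that follows "dlopen" in the
# dlz block's database line of CONF; print nothing if there is none.
dlz_module_path() {
    sed -n 's/.*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' "$1" | head -n 1
}
# check_named_conf CONF: 0 if CONF has a dlz block whose dlopen module exists
# on disk and a tkey-gssapi-keytab statement; 1 otherwise (reason on stderr).
check_named_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    grep -Eq '^[[:space:]]*dlz[[:space:]]+"[^"]*"[[:space:]]*[{]' "$conf" \
        || { echo "no dlz block in $conf" >&2; return 1; }
    mod=$(dlz_module_path "$conf")
    [ -n "$mod" ] || { echo "dlz block has no dlopen database line" >&2; return 1; }
    # The module may live under modules/bind9/ or lib/samba/ depending on the
    # build; whichever it is, the path written in named.conf must exist.
    [ -f "$mod" ] || { echo "dlz module $mod not found" >&2; return 1; }
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]+"[[:space:]]*;' "$conf" \
        || { echo "no tkey-gssapi-keytab statement in $conf" >&2; return 1; }
}
# check_private_perms PATH GROUP: PATH (dns.keytab or ldap_priv/) must exist,
# be owned by GROUP, be group-readable and grant nothing to other users.
check_private_perms() {
    path="$1"; want="$2"
    [ -e "$path" ] || { echo "$path missing (a join does not create dns.keytab;" \
        "export one with samba-tool domain exportkeytab)" >&2; return 1; }
    set -- $(ls -ld "$path")    # $1 = mode string, $4 = owning group
    [ "$4" = "$want" ] || { echo "$path group is $4, expected $want" >&2; return 1; }
    case "$1" in
        ????r??---*) return 0 ;;    # group can read, others cannot
        ????-*) echo "$path is not group-readable" >&2; return 1 ;;
        *) echo "$path is accessible by other users; tighten it" >&2; return 1 ;;
    esac
}
# preflight CONF KEYTAB LDAP_PRIV GROUP: run every check, report all failures.
preflight() {
    rc=0
    check_named_conf "$1" || rc=1
    check_private_perms "$2" "$4" || rc=1
    check_private_perms "$3" "$4" || rc=1
    return "$rc"
}
if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it as `sh dlz_preflight.sh /etc/bind/named.conf.local /usr/local/samba/private/dns.keytab /usr/local/samba/private/ldap_priv bind`; the principals inside the keytab are still worth checking by hand with ktutil as suggested above.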



More information about the samba-technical mailing list