samba4 from BDC to PDC

Daniele Dario d.dario76 at gmail.com
Mon Oct 24 07:43:05 MDT 2011


On Thu, 2011-10-20 at 18:01 +0200, Gémes Géza wrote:
> On 2011-10-20 16:53, Daniele Dario wrote:
> > On Thu, 2011-10-20 at 15:28 +0200, Gémes Géza wrote:
> >> 2011-10-20 15:03 keltezéssel, Daniele Dario írta:
> >>> On Thu, 2011-10-20 at 13:43 +0200, Gémes Géza wrote:
> >>>> 2011-10-20 09:22 keltezéssel, Daniele Dario írta:
> >>>>> Hi all,
> >>>>> in my simple network I have:
> >>>>> - MS SBS2003 server which is PDC and master DNS (allow zone transfer to
> >>>>> other DNSs of the zone)
> >>>>> - Ubuntu 10.04 32b server VM on XEN server with samba Version
> >>>>> 4.0.0alpha17-GIT-ccaab14 joined to the AD domain as DC plus dhcpd
> >>>>> configured for ddns updates (currently to the SBS DNS) plus BIND
> >>>>> 9.8.0-P4 configured as slave DNS for the local domain zones
> >>>>> - Ubuntu 10.04 32b server with samba Version 3.4.7 joined to the AD
> >>>>> domain which acts as file server (for the network shares)
> >>>>>
> >>>>> My goal is to remove the SBS server, so as a first step I'll disable zone
> >>>>> transfer from the MS DNS and change the zones in BIND to master to check
> >>>>> if samba4 DDNS and ISC DHCPD DDNS still work, but as per the samba4
> >>>>> how-to I need to add the tkey-gssapi-keytab
> >>>>> "/usr/local/samba/private/dns.keytab"; statement in named.conf.
> >>>>>
> >>>>> If I run provision on samba4 (for a new domain) at the end of the
> >>>>> provision the dns.keytab file is created in the samba/private directory.
> >>>>> Running the domain join command instead of the provision the dns.keytab
> >>>>> file is not created so how am I supposed to proceed?
> >>>>>
> >>>>> Thanks in advance,
> >>>>> Daniele.
> >>>>>
> >>>>>
> >>>>>
> >>>> Hi,
> >>>>
> >>>> IMHO you should check if you have
> >>>> /usr/local/samba/modules/bind9/dlz_bind9.so; if not, check if you can
> >>>> find libdlz_bind9.so in the source (where you have compiled samba4), and if
> >>>> there is one, copy it to the right place. Then edit (being on Ubuntu I
> >>>> suppose the standard Ubuntu path) /etc/bind/named.conf.local and add the
> >>>> following:
> >>>> dlz "AD DNS Zone" {
> >>>>     database "dlopen /usr/local/samba/modules/bind9/dlz_bind9.so";
> >>>> };
> >>>> With samba-tool user add (or the windows tools) create a dns-samba4
> >>>> account with password never expiring
> >>>> with samba-tool spn add (or ktpass on windows) associate the principal
> >>>> names "DNS/your-ubuntu-server.your.domain" and "DNS/your.domain"
> >>>> with samba-tool domain exportkeytab dump the keys to a keytab (with
> >>>> ktutil -k keytab list you can verify the keys in it if there is any
> >>>> unneeded you can also delete them).
> >>>> Set up the tkey-gssapi-keytab option.
> >>>> Comment out the slave zones in bind.
> >>>> After a bind restart it should be able to read the rr-s directly from
> >>>> samba4's ad.
> >>>>
> >>>> Good luck!
> >>>>
> >>>> Cheers
> >>>>
> >>>> Geza
> >>> Hi Geza,
> >>> thanks for the tips.
> >>>
> >>> Before I modify the named.conf* files, can you explain to me what the dlz
> >>> statement will do?
> >>>
> >>> I thought I'll have to change from slave to master the zones and not
> >>> comment out the slave zones:
> >>>
> >>> zone "mydomain.local" {
> >>> 	type slave; //should become type master
> >>> 	file "/usr/local/samba/private/dns/db.mydomain.local";
> >>> };
> >>>
> >>> zone "12.168.192.in-addr.arpa" {
> >>> 	type slave; //should become type master
> >>> 	file "/usr/local/samba/private/dns/db.12.168.192";
> >>> };
> >>>
> >>> Thanks again,
> >>> Daniele.
> >>>
> >> Hi,
> >>
> >> DLZ stands for Dynamically Loaded Zone; it was developed around
> >> 2003 to allow bind to load zone data dynamically from external
> >> databases.
> >> Recently (2010) it was extended by Andrew Tridgell (the creator of
> >> Samba) to do read-write database access via the dlz dlopen plugin (it
> >> is included from bind 9.8.0 and gets built by default from bind 9.8.1). So by
> >> instructing bind to use dlz "Whatever" {path to the corresponding
> >> library}, we ask it to load a library which handles the manipulation
> >> (read-write) of the records. In the case of samba it loads dlz_bind9.so,
> >> which handles all the retrieving/storing of rr-s for bind.
> >> I didn't say to remove anything I just suggest to try it out and see if
> >> it works for you. And please share your success/failure with us.
> >> Two suggestions if you follow this path:
> >> Use the current git version of samba (there were some recent fixes
> >> related to DDNS update)
> >> Change (at least) the owning group of
> >> /usr/local/samba/private/dns.keytab and
> >> /usr/local/samba/private/ldap_priv/ to bind (or whatever user your named
> >> runs as).
> >>
> >> Cheers
> >>
> >> Geza
> > Hi Geza,
> > looking in my ubuntu I found that I have a libdlz_bind9.so
> > in /usr/local/samba/lib/samba. Are they the same module (maybe the
> > module has changed location between releases)? If yes, should I use the
> > libdlz_bind9.so in /usr/local/samba/lib/samba/ instead
> > of the /usr/local/samba/modules/bind9/dlz_bind9.so you told me about?
> >
> > Anyway, just to better understand what I'm doing, what's the difference
> > between provisioning a new domain which does not include the dlz
> > statement in the bind configuration and my case (removing the sbs dc
> > after a domain join)?
> >
> > Regards,
> > Daniele.
> >
> The question is what is the version of samba you are running (samba -V)?
> 
> Cheers
> 
> Geza

Hi all,
I'm trying to run bind with the libdlz_bind9.so plugin but I'm having
some trouble.

About versions I currently have:
OS     : ubuntu 11.04 server x86
samba4 : Version 4.0.0alpha18-GIT-3ae478b
bind   : BIND 9.8.0-P4 built with '--with-openssl=/usr'
        '--with-gssapi=/usr/include/gssapi' '--with-dlz-dlopen=yes'
        using OpenSSL version: OpenSSL 0.9.8o 01 Jun 2010

As said by Geza, I created a dns-kdc02 user with password which won't
expire.
[root at kdc02:~]# samba-tool user add dns-kdc02 ********
[root at kdc02:~]# samba-tool user setexpiry dns-kdc02 --noexpiry
[root at kdc02:~]# samba-tool spn add DNS/kdc02.saitel.local dns-kdc02
[root at kdc02:~]# samba-tool spn add DNS/saitel.local dns-kdc02
[root at kdc02:~]# samba-tool spn list dns-kdc02
dns-kdc02
User CN=dns-kdc02,CN=Users,DC=Saitel,DC=local has the following
servicePrincipalName: 
	 DNS/kdc02.saitel.local
	 DNS/saitel.local

Then I dumped the keytab with
[root at kdc02:/usr/local/samba/private]# samba-tool domain exportkeytab dns.keytab
and I chowned it to root.bind and chmoded it g+r

My named.conf.options now looks like:
options {
	directory "/var/cache/bind";

	forwarders {
		151.99.0.100;
		151.99.125.1;
	};

	auth-nxdomain no;    # conform to RFC1035
	//listen-on-v6 { any; };

	allow-query { localhost; 192.168.12.0/24; };

	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; # the keytab I dumped with samba-tool domain exportkeytab
};

and my named.conf.local is:
include "/etc/bind/zones.rfc1918";

dlz "AD" {
	database "dlopen /usr/local/samba/lib/samba/libdlz_bind9.so";
};

changed apparmor.d/usr/sbin/named to

/usr/sbin/named flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** rw,
  /var/cache/bind/ rw,

  # it seems that bind tries to load from here dns-$(HOSTNAME)_XXX
  /var/tmp/** r,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,
  /usr/local/samba/private/dns.keytab r,

  # ssl
  /etc/ssl/openssl.cnf r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /proc/*/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/run/named/named.pid w,
  /var/run/named/session.key w,
  # support for resolvconf
  /var/run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  # allow samba4 updates
  /usr/local/samba/private/** rw,
  /usr/local/samba/private/dns/* krw,
  /usr/local/samba/private/ldap_priv/* rw,

  /usr/local/samba/lib/samba/libdlz_bind9.so mr,
}

If I try to run
[root at kdc02:~]# named -f -d 10 -c /etc/bind/named.conf -u bind
it starts, reporting nothing, but if I try to run samba_dnsupdate
[root at kdc02:~]# samba_dnsupdate --verbose
IPs: ['fe80::b0c7:11ff:fed6:27b3%eth0', '192.168.12.2']
Looking for DNS entry A saitel.local 192.168.12.2 as saitel.local.
Failed to find DNS entry A saitel.local 192.168.12.2
Looking for DNS entry A kdc02.saitel.local 192.168.12.2 as
kdc02.saitel.local.
Failed to find DNS entry A kdc02.saitel.local 192.168.12.2
Looking for DNS entry A gc._msdcs.saitel.local 192.168.12.2 as
gc._msdcs.saitel.local.
Failed to find DNS entry A gc._msdcs.saitel.local 192.168.12.2
Looking for DNS entry CNAME
13f817e6-4636-462e-98d4-8d63c7f24878._msdcs.saitel.local
kdc02.saitel.local as
13f817e6-4636-462e-98d4-8d63c7f24878._msdcs.saitel.local.
Failed to find DNS entry CNAME
13f817e6-4636-462e-98d4-8d63c7f24878._msdcs.saitel.local
kdc02.saitel.local
Looking for DNS entry SRV _kpasswd._tcp.saitel.local kdc02.saitel.local
464 as _kpasswd._tcp.saitel.local.
Failed to find DNS entry SRV _kpasswd._tcp.saitel.local
kdc02.saitel.local 464
Looking for DNS entry SRV _kpasswd._udp.saitel.local kdc02.saitel.local
464 as _kpasswd._udp.saitel.local.
Failed to find DNS entry SRV _kpasswd._udp.saitel.local
kdc02.saitel.local 464
Looking for DNS entry SRV _kerberos._tcp.saitel.local kdc02.saitel.local
88 as _kerberos._tcp.saitel.local.
Failed to find DNS entry SRV _kerberos._tcp.saitel.local
kdc02.saitel.local 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.saitel.local
kdc02.saitel.local 88 as _kerberos._tcp.dc._msdcs.saitel.local.
Failed to find DNS entry SRV _kerberos._tcp.dc._msdcs.saitel.local
kdc02.saitel.local 88
Looking for DNS entry SRV
_kerberos._tcp.nome-predefinito-primo-sito._sites.saitel.local
kdc02.saitel.local 88 as
_kerberos._tcp.nome-predefinito-primo-sito._sites.saitel.local.
Failed to find DNS entry SRV
_kerberos._tcp.nome-predefinito-primo-sito._sites.saitel.local
kdc02.saitel.local 88
Looking for DNS entry SRV
_kerberos._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local
kdc02.saitel.local 88 as
_kerberos._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local.
Failed to find DNS entry SRV
_kerberos._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local
kdc02.saitel.local 88
Looking for DNS entry SRV _kerberos._udp.saitel.local kdc02.saitel.local
88 as _kerberos._udp.saitel.local.
Failed to find DNS entry SRV _kerberos._udp.saitel.local
kdc02.saitel.local 88
Looking for DNS entry SRV _ldap._tcp.saitel.local kdc02.saitel.local 389
as _ldap._tcp.saitel.local.
Failed to find DNS entry SRV _ldap._tcp.saitel.local kdc02.saitel.local
389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.saitel.local
kdc02.saitel.local 389 as _ldap._tcp.dc._msdcs.saitel.local.
Failed to find DNS entry SRV _ldap._tcp.dc._msdcs.saitel.local
kdc02.saitel.local 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.saitel.local
kdc02.saitel.local 3268 as _ldap._tcp.gc._msdcs.saitel.local.
Failed to find DNS entry SRV _ldap._tcp.gc._msdcs.saitel.local
kdc02.saitel.local 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.saitel.local
kdc02.saitel.local 389 as _ldap._tcp.pdc._msdcs.saitel.local.
Failed to find DNS entry SRV _ldap._tcp.pdc._msdcs.saitel.local
kdc02.saitel.local 389
Looking for DNS entry SRV
_ldap._tcp.nome-predefinito-primo-sito._sites.saitel.local
kdc02.saitel.local 389 as
_ldap._tcp.nome-predefinito-primo-sito._sites.saitel.local.
Failed to find DNS entry SRV
_ldap._tcp.nome-predefinito-primo-sito._sites.saitel.local
kdc02.saitel.local 389
Looking for DNS entry SRV
_ldap._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local
kdc02.saitel.local 389 as
_ldap._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local.
Failed to find DNS entry SRV
_ldap._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local
kdc02.saitel.local 389
Looking for DNS entry SRV
_ldap._tcp.nome-predefinito-primo-sito._sites.gc._msdcs.saitel.local
kdc02.saitel.local 3268 as
_ldap._tcp.nome-predefinito-primo-sito._sites.gc._msdcs.saitel.local.
Failed to find DNS entry SRV
_ldap._tcp.nome-predefinito-primo-sito._sites.gc._msdcs.saitel.local
kdc02.saitel.local 3268
Looking for DNS entry SRV
_ldap._tcp.2d0d2226-9d32-4953-a114-663990693ef1.domains._msdcs.saitel.local kdc02.saitel.local 389 as _ldap._tcp.2d0d2226-9d32-4953-a114-663990693ef1.domains._msdcs.saitel.local.
Failed to find DNS entry SRV
_ldap._tcp.2d0d2226-9d32-4953-a114-663990693ef1.domains._msdcs.saitel.local kdc02.saitel.local 389
Looking for DNS entry SRV _gc._tcp.saitel.local kdc02.saitel.local 3268
as _gc._tcp.saitel.local.
Failed to find DNS entry SRV _gc._tcp.saitel.local kdc02.saitel.local
3268
Looking for DNS entry SRV
_gc._tcp.nome-predefinito-primo-sito._sites.saitel.local
kdc02.saitel.local 3268 as
_gc._tcp.nome-predefinito-primo-sito._sites.saitel.local.
Failed to find DNS entry SRV
_gc._tcp.nome-predefinito-primo-sito._sites.saitel.local
kdc02.saitel.local 3268
Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_dnsupdate", line 474, in <module>
    get_credentials(lp)
  File "/usr/local/samba/sbin/samba_dnsupdate", line 118, in
get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for KDC02$@SAITEL.LOCAL failed (Cannot contact any
KDC for requested realm)

What am I missing to make it work properly?

Thanks,
Daniele.
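The chicken-and-egg in the failure above is worth making explicit: samba_dnsupdate must kinit as KDC02$ before it can push records, kinit locates the KDC either from a static kdc entry in krb5.conf or from the _kerberos._tcp SRV record, and that SRV record is one of the entries BIND is not yet serving. The following Python script is an added example written for this thread, not code from the poster or from the Samba project. It parses a named.conf and a krb5.conf, checks for the pieces the replies above say must be present (tkey-gssapi-keytab, the dlz dlopen statement, no leftover slave zone for the domain) and flags the krb5.conf states that produce "Cannot contact any KDC". The named.conf sample reproduces the poster's configuration; the krb5.conf samples and the realm SAITEL.LOCAL being the Kerberos realm for saitel.local are assumptions.

```python
import re

# Constructed sample: the named.conf fragments quoted in the post, joined into one file.
NAMED_CONF = '''
options {
    directory "/var/cache/bind";
    auth-nxdomain no;    # conform to RFC1035
    //listen-on-v6 { any; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; # dumped with samba-tool
};
zone "saitel.local" {
    type slave;
    file "/usr/local/samba/private/dns/db.saitel.local";
};
dlz "AD" {
    database "dlopen /usr/local/samba/lib/samba/libdlz_bind9.so";
};
'''

# Constructed krb5.conf samples (assumptions, not the poster's real file).
KRB5_CONF_BROKEN = '''
[libdefaults]
    default_realm = SAITEL.LOCAL
    dns_lookup_kdc = false
[realms]
    SAITEL.LOCAL = {
    }
'''

KRB5_CONF_OK = '''
[libdefaults]
    default_realm = SAITEL.LOCAL
    dns_lookup_kdc = true
[realms]
    SAITEL.LOCAL = {
        kdc = kdc02.saitel.local
    }
'''


def parse_named_conf(text):
    """Extract the statements that matter for GSS-TSIG updates into the AD DLZ."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)   # /* block */ comments
    text = re.sub(r'(//|#).*', '', text)                # // and # line comments
    keytab = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"\s*;', text)
    dlz_libs = re.findall(
        r'dlz\s+"[^"]*"\s*\{\s*database\s+"dlopen\s+([^"\s]+)[^"]*"\s*;', text)
    zones = re.findall(r'zone\s+"([^"]+)"\s*\{[^}]*?type\s+(\w+)\s*;', text)
    return {"keytab": keytab.group(1) if keytab else None,
            "dlz_libs": dlz_libs, "zones": zones}


def parse_krb5_conf(text):
    """Pull default_realm, dns_lookup_kdc and the per-realm kdc list out of krb5.conf."""
    text = re.sub(r'^\s*[#;].*$', '', text, flags=re.M)  # # and ; comment lines
    conf = {"default_realm": None, "dns_lookup_kdc": None, "realms": {}}
    m = re.search(r'default_realm\s*=\s*(\S+)', text)
    if m:
        conf["default_realm"] = m.group(1)
    m = re.search(r'dns_lookup_kdc\s*=\s*(\w+)', text)
    if m:
        conf["dns_lookup_kdc"] = m.group(1).lower() in ("true", "yes", "1")
    for realm, body in re.findall(r'(\S+)\s*=\s*\{([^}]*)\}', text):
        conf["realms"][realm] = re.findall(r'\bkdc\s*=\s*(\S+)', body)
    return conf


def diagnose(named_text, krb5_text, realm):
    """Return a list of 'ERROR ...' / 'WARN ...' findings for the given configs."""
    findings = []
    named = parse_named_conf(named_text)
    krb5 = parse_krb5_conf(krb5_text)
    domain = realm.lower()
    if not named["keytab"]:
        findings.append("ERROR named.conf: no tkey-gssapi-keytab, GSS-TSIG updates cannot authenticate")
    if not named["dlz_libs"]:
        findings.append("ERROR named.conf: no dlz dlopen statement, BIND is not reading the AD records")
    for zone, ztype in named["zones"]:
        if zone.lower() == domain and named["dlz_libs"]:
            findings.append(f'WARN named.conf: zone "{zone}" (type {ztype}) is still declared '
                            "next to the dlz module; comment it out so the DLZ answers for it")
    if krb5["default_realm"] != realm:
        findings.append(f"ERROR krb5.conf: default_realm is {krb5['default_realm']!r}, expected {realm}")
    kdcs = krb5["realms"].get(realm, [])
    dns_lookup = krb5["dns_lookup_kdc"] is not False   # MIT default when unset is true
    if not kdcs and not dns_lookup:
        findings.append(f"ERROR krb5.conf: realm {realm} lists no kdc and dns_lookup_kdc is off: "
                        "kinit will report 'Cannot contact any KDC for requested realm'")
    elif not kdcs:
        findings.append(f"WARN krb5.conf: realm {realm} relies on SRV lookup of _kerberos._tcp.{domain}; "
                        "that record must resolve before samba_dnsupdate can kinit")
    return findings


if __name__ == "__main__":
    for label, krb5 in (("broken", KRB5_CONF_BROKEN), ("ok", KRB5_CONF_OK)):
        print(f"--- {label} ---")
        for line in diagnose(NAMED_CONF, krb5, "SAITEL.LOCAL"):
            print(line)
```

With the poster's named.conf the checker keeps flagging the leftover `zone "saitel.local" { type slave; ...}` next to the dlz block, which is the point Geza made about commenting the slave zones out; with a krb5.conf that neither names a kdc nor allows SRV lookup it reports the exact condition behind the kinit error. A static `kdc = kdc02.saitel.local` entry in krb5.conf breaks the circular dependency while BIND is not yet serving the SRV records.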
