samba4 from BDC to PDC

Gémes Géza geza at kzsdabas.hu
Mon Oct 24 11:01:45 MDT 2011


On 2011-10-24 16:54, Daniele Dario wrote:
> On Mon, 2011-10-24 at 15:43 +0200, Daniele Dario wrote:
>> On Thu, 2011-10-20 at 18:01 +0200, Gémes Géza wrote:
>>> On 2011-10-20 16:53, Daniele Dario wrote:
>>>> On Thu, 2011-10-20 at 15:28 +0200, Gémes Géza wrote:
>>>>> On 2011-10-20 15:03, Daniele Dario wrote:
>>>>>> On Thu, 2011-10-20 at 13:43 +0200, Gémes Géza wrote:
>>>>>>> On 2011-10-20 09:22, Daniele Dario wrote:
>>>>>>>> Hi all,
>>>>>>>> in my simple network I have:
>>>>>>>> - MS SBS2003 server which is PDC and master DNS (allow zone transfer to
>>>>>>>> other DNSs of the zone)
>>>>>>>> - Ubuntu 10.04 32b server VM on XEN server with samba Version
>>>>>>>> 4.0.0alpha17-GIT-ccaab14 joined to the AD domain as DC plus dhcpd
>>>>>>>> configured for ddns updates (currently to the SBS DNS) plus BIND
>>>>>>>> 9.8.0-P4 configured as slave DNS for the local domain zones
>>>>>>>> - Ubuntu 10.04 32b server with samba Version 3.4.7 joined to the AD
>>>>>>>> domain which acts as file server (for the network shares)
>>>>>>>>
>>>>>>>> My goal is to remove the SBS server so as first step I'll disable zone
>>>>>>>> transfer from the MS DNS and change the zones in BIND to master to check
>>>>>>>> if samba4 DDNS and ISC DHCPD DDNS still works but as per the samba4
>>>>>>>> how-to I need to add the tkey-gssapi-keytab
>>>>>>>> "/usr/local/samba/private/dns.keytab"; statement in named.conf.
>>>>>>>>
>>>>>>>> If I run provision on samba4 (for a new domain) at the end of the
>>>>>>>> provision the dns.keytab file is created in the samba/private directory.
>>>>>>>> Running the domain join command instead of the provision the dns.keytab
>>>>>>>> file is not created so how am I supposed to proceed?
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>> Daniele.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> IMHO you should check if you have
>>>>>>> /usr/local/samba/modules/bind9/dlz_bind9.so, if not check if you can
>>>>>>> find libdlz_bind9.so in the source (where you have compiled samba4), if
>>>>>>> there is one copy it to the right place. Then edit (being on Ubuntu I
>>>>>>> suppose the standard Ubuntu path) /etc/bind/named.conf.local and add the
>>>>>>> following:
>>>>>>> dlz "AD DNS Zone" {
>>>>>>>     database "dlopen /usr/local/samba/modules/bind9/dlz_bind9.so";
>>>>>>> };
>>>>>>> With samba-tool user add (or the windows tools) create a dns-samba4
>>>>>>> account with password never expiring
>>>>>>> with samba-tool spn add (or ktpass on windows) associate the principal
>>>>>>> names "DNS/your-ubuntu-server.your.domain" and "DNS/your.domain"
>>>>>>> with samba-tool domain exportkeytab dump the keys to a keytab (with
>>>>>>> ktutil -k keytab list you can verify the keys in it if there is any
>>>>>>> unneeded you can also delete them).
>>>>>>> Set up the tkey-gssapi-keytab option.
>>>>>>> Comment out the slave zones in bind.
>>>>>>> After a bind restart it should be able to read the rr-s directly from
>>>>>>> samba4's ad.
>>>>>>>
>>>>>>> Good luck!
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Geza
>>>>>> Hi Geza,
>>>>>> thanks for the tips.
>>>>>>
>>>>>> Before modifying the named.conf* files, can you explain to me what the dlz
>>>>>> statement will do?
>>>>>>
>>>>>> I thought I'll have to change from slave to master the zones and not
>>>>>> comment out the slave zones:
>>>>>>
>>>>>> zone "mydomain.local" {
>>>>>> 	type slave; //should become type master
>>>>>> 	file "/usr/local/samba/private/dns/db.mydomain.local";
>>>>>> };
>>>>>>
>>>>>> zone "12.168.192.in-addr.arpa" {
>>>>>> 	type slave; //should become type master
>>>>>> 	file "/usr/local/samba/private/dns/db.12.168.192";
>>>>>> };
>>>>>>
>>>>>> Thanks again,
>>>>>> Daniele.
>>>>>>
>>>>> Hi,
>>>>>
>>>>> DLZ stands for Dynamically Loaded Zone, it has been developed around
>>>>> 2003 for allowing bind to load zone data dynamically from external
>>>>> databases.
>>>>> Recently (2010) it has been extended by Andrew Tridgell (the creator of
>>>>> Samba) to do a read-write database access via the dlz dlopen plugin (it
>>>>> gets built by default from bind 9.8.1, included from bind 9.8.0). So by
>>>>> instructing bind to use dlz "Whatever" {path to the corresponding
>>>>> library}, we ask to load a library which handles the manipulation
>>>>> (read-write) of the records. In case of samba it loads the dlz_bind9.so
>>>>> which handles all the retrieving/storing rr-s work for bind.
>>>>> I didn't say to remove anything I just suggest to try it out and see if
>>>>> it works for you. And please share your success/failure with us.
>>>>> Two suggestions if you follow this path:
>>>>> Use the current git version of samba (there were some recent fixes
>>>>> related to DDNS update)
>>>>> Change (at least) the owning group of
>>>>> /usr/local/samba/private/dns.keytab and
>>>>> /usr/local/samba/private/ldap_priv/ to bind (or whatever user your named
>>>>> runs as).
>>>>>
>>>>> Cheers
>>>>>
>>>>> Geza
>>>> Hi Geza,
>>>> looking in my ubuntu I found that I have a libdlz_bind9.so
>>>> in /usr/local/samba/lib/samba. Are they the same modules (maybe the
>>>> module has changed location between releases)? If yes, should I use the
>>>> libdlz_bind9.so in /usr/local/samba/lib/samba/ instead
>>>> of /usr/local/samba/modules/bind9/dlz_bind9.so you told me?
>>>>
>>>> Anyway, just to better understand what I'm doing, what's the difference
>>>> between provisioning a new domain which does not include the dlz
>>>> statement in the bind configuration and my case (removing the sbs dc
>>>> after a domain join)?
>>>>
>>>> Regards,
>>>> Daniele.
>>>>
>>> The question is what is the version of samba you are running (samba -V)?
>>>
>>> Cheers
>>>
>>> Geza
>> Hi all,
>> I'm trying to run bind with the libdlz_bind9.so plugin but I'm having
>> some troubles.
>>
>> About versions I currently have:
>> OS     : ubuntu 11.04 server x86
>> samba4 : Version 4.0.0alpha18-GIT-3ae478b
>> bind   : BIND 9.8.0-P4 built with '--with-openssl=/usr'
>>         '--with-gssapi=/usr/include/gssapi' '--with-dlz-dlopen=yes'
>>         using OpenSSL version: OpenSSL 0.9.8o 01 Jun 2010
>>
>> As said by Geza, I created a dns-kdc02 user with password which won't
>> expire.
>> [root at kdc02:~]# samba-tool user add dns-kdc02 ********
>> [root at kdc02:~]# samba-tool user setexpiry dns-kdc02 --noexpiry
>> [root at kdc02:~]# samba-tool spn add DNS/kdc02.saitel.local dns-kdc02
>> [root at kdc02:~]# samba-tool spn add DNS/saitel.local dns-kdc02
>> [root at kdc02:~]# samba-tool spn list dns-kdc02
>> dns-kdc02
>> User CN=dns-kdc02,CN=Users,DC=Saitel,DC=local has the following
>> servicePrincipalName: 
>> 	 DNS/kdc02.saitel.local
>> 	 DNS/saitel.local
>>
>> Then I dumped the keytab with
>> [root at kdc02:/usr/local/samba/private]# samba-tool domain exportkeytab
>> dns.keytab
>> and I chowned it to root.bind and chmoded it g+r
>>
>> My named.conf.options now looks like:
>> options {
>> 	directory "/var/cache/bind";
>>
>> 	forwarders {
>> 		151.99.0.100;
>> 		151.99.125.1;
>> 	};
>>
>> 	auth-nxdomain no;    # conform to RFC1035
>> 	//listen-on-v6 { any; };
>>
>> 	allow-query { localhost; 192.168.12.0/24; };
>>
>> 	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; # the keytab
>> I dumped with samba-tool domain exportkeytab
>> };
>>
>> and my named.conf.local is:
>> include "/etc/bind/zones.rfc1918";
>>
>> dlz "AD" {
>> 	database "dlopen /usr/local/samba/lib/samba/libdlz_bind9.so";
>> };
>>
>> changed apparmor.d/usr/sbin/named to
>>
>> /usr/sbin/named flags=(complain) {
>>   #include <abstractions/base>
>>   #include <abstractions/nameservice>
>>
>>   capability net_bind_service,
>>   capability setgid,
>>   capability setuid,
>>   capability sys_chroot,
>>   capability sys_resource,
>>
>>   # /etc/bind should be read-only for bind
>>   # /var/lib/bind is for dynamically updated zone (and journal) files.
>>   # /var/cache/bind is for slave/stub data, since we're not the origin
>> of it.
>>   # See /usr/share/doc/bind9/README.Debian.gz
>>   /etc/bind/** r,
>>   /var/lib/bind/** rw,
>>   /var/lib/bind/ rw,
>>   /var/cache/bind/** rw,
>>   /var/cache/bind/ rw,
>>
>>   # it seems that bind tries to load from here dns-$(HOSTNAME)_XXX
>>   /var/tmp/** r,
>>
>>   # gssapi
>>   /etc/krb5.keytab kr,
>>   /etc/bind/krb5.keytab kr,
>>   /usr/local/samba/private/dns.keytab r,
>>
>>   # ssl
>>   /etc/ssl/openssl.cnf r,
>>
>>   # dnscvsutil package
>>   /var/lib/dnscvsutil/compiled/** rw,
>>
>>   /proc/net/if_inet6 r,
>>   /proc/*/net/if_inet6 r,
>>   /usr/sbin/named mr,
>>   /var/run/named/named.pid w,
>>   /var/run/named/session.key w,
>>   # support for resolvconf
>>   /var/run/named/named.options r,
>>
>>   # some people like to put logs in /var/log/named/ instead of having
>>   # syslog do the heavy lifting.
>>   /var/log/named/** rw,
>>   /var/log/named/ rw,
>>
>>   # allow samba4 updates
>>   /usr/local/samba/private/** rw,
>>   /usr/local/samba/private/dns/* krw,
>>   /usr/local/samba/private/ldap_priv/* rw,
>>
>>   /usr/local/samba/lib/samba/libdlz_bind9.so mr,
>> }
>>
>> If I try to run
>> [root at kdc02:~]# named -f -d 10 -c /etc/bind/named.conf -u bind
>> it starts reporting nothing but if I try to run samba_dnsupdate
>> [root at kdc02:~]# samba_dnsupdate --verbose
>> IPs: ['fe80::b0c7:11ff:fed6:27b3%eth0', '192.168.12.2']
>> Looking for DNS entry A saitel.local 192.168.12.2 as saitel.local.
>> Failed to find DNS entry A saitel.local 192.168.12.2
>> Looking for DNS entry A kdc02.saitel.local 192.168.12.2 as
>> kdc02.saitel.local.
>> Failed to find DNS entry A kdc02.saitel.local 192.168.12.2
>> Looking for DNS entry A gc._msdcs.saitel.local 192.168.12.2 as
>> gc._msdcs.saitel.local.
>> Failed to find DNS entry A gc._msdcs.saitel.local 192.168.12.2
>> Looking for DNS entry CNAME
>> 13f817e6-4636-462e-98d4-8d63c7f24878._msdcs.saitel.local
>> kdc02.saitel.local as
>> 13f817e6-4636-462e-98d4-8d63c7f24878._msdcs.saitel.local.
>> Failed to find DNS entry CNAME
>> 13f817e6-4636-462e-98d4-8d63c7f24878._msdcs.saitel.local
>> kdc02.saitel.local
>> Looking for DNS entry SRV _kpasswd._tcp.saitel.local kdc02.saitel.local
>> 464 as _kpasswd._tcp.saitel.local.
>> Failed to find DNS entry SRV _kpasswd._tcp.saitel.local
>> kdc02.saitel.local 464
>> Looking for DNS entry SRV _kpasswd._udp.saitel.local kdc02.saitel.local
>> 464 as _kpasswd._udp.saitel.local.
>> Failed to find DNS entry SRV _kpasswd._udp.saitel.local
>> kdc02.saitel.local 464
>> Looking for DNS entry SRV _kerberos._tcp.saitel.local kdc02.saitel.local
>> 88 as _kerberos._tcp.saitel.local.
>> Failed to find DNS entry SRV _kerberos._tcp.saitel.local
>> kdc02.saitel.local 88
>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.saitel.local
>> kdc02.saitel.local 88 as _kerberos._tcp.dc._msdcs.saitel.local.
>> Failed to find DNS entry SRV _kerberos._tcp.dc._msdcs.saitel.local
>> kdc02.saitel.local 88
>> Looking for DNS entry SRV
>> _kerberos._tcp.nome-predefinito-primo-sito._sites.saitel.local
>> kdc02.saitel.local 88 as
>> _kerberos._tcp.nome-predefinito-primo-sito._sites.saitel.local.
>> Failed to find DNS entry SRV
>> _kerberos._tcp.nome-predefinito-primo-sito._sites.saitel.local
>> kdc02.saitel.local 88
>> Looking for DNS entry SRV
>> _kerberos._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local
>> kdc02.saitel.local 88 as
>> _kerberos._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local.
>> Failed to find DNS entry SRV
>> _kerberos._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local
>> kdc02.saitel.local 88
>> Looking for DNS entry SRV _kerberos._udp.saitel.local kdc02.saitel.local
>> 88 as _kerberos._udp.saitel.local.
>> Failed to find DNS entry SRV _kerberos._udp.saitel.local
>> kdc02.saitel.local 88
>> Looking for DNS entry SRV _ldap._tcp.saitel.local kdc02.saitel.local 389
>> as _ldap._tcp.saitel.local.
>> Failed to find DNS entry SRV _ldap._tcp.saitel.local kdc02.saitel.local
>> 389
>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.saitel.local
>> kdc02.saitel.local 389 as _ldap._tcp.dc._msdcs.saitel.local.
>> Failed to find DNS entry SRV _ldap._tcp.dc._msdcs.saitel.local
>> kdc02.saitel.local 389
>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.saitel.local
>> kdc02.saitel.local 3268 as _ldap._tcp.gc._msdcs.saitel.local.
>> Failed to find DNS entry SRV _ldap._tcp.gc._msdcs.saitel.local
>> kdc02.saitel.local 3268
>> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.saitel.local
>> kdc02.saitel.local 389 as _ldap._tcp.pdc._msdcs.saitel.local.
>> Failed to find DNS entry SRV _ldap._tcp.pdc._msdcs.saitel.local
>> kdc02.saitel.local 389
>> Looking for DNS entry SRV
>> _ldap._tcp.nome-predefinito-primo-sito._sites.saitel.local
>> kdc02.saitel.local 389 as
>> _ldap._tcp.nome-predefinito-primo-sito._sites.saitel.local.
>> Failed to find DNS entry SRV
>> _ldap._tcp.nome-predefinito-primo-sito._sites.saitel.local
>> kdc02.saitel.local 389
>> Looking for DNS entry SRV
>> _ldap._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local
>> kdc02.saitel.local 389 as
>> _ldap._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local.
>> Failed to find DNS entry SRV
>> _ldap._tcp.nome-predefinito-primo-sito._sites.dc._msdcs.saitel.local
>> kdc02.saitel.local 389
>> Looking for DNS entry SRV
>> _ldap._tcp.nome-predefinito-primo-sito._sites.gc._msdcs.saitel.local
>> kdc02.saitel.local 3268 as
>> _ldap._tcp.nome-predefinito-primo-sito._sites.gc._msdcs.saitel.local.
>> Failed to find DNS entry SRV
>> _ldap._tcp.nome-predefinito-primo-sito._sites.gc._msdcs.saitel.local
>> kdc02.saitel.local 3268
>> Looking for DNS entry SRV
>> _ldap._tcp.2d0d2226-9d32-4953-a114-663990693ef1.domains._msdcs.saitel.local kdc02.saitel.local 389 as _ldap._tcp.2d0d2226-9d32-4953-a114-663990693ef1.domains._msdcs.saitel.local.
>> Failed to find DNS entry SRV
>> _ldap._tcp.2d0d2226-9d32-4953-a114-663990693ef1.domains._msdcs.saitel.local kdc02.saitel.local 389
>> Looking for DNS entry SRV _gc._tcp.saitel.local kdc02.saitel.local 3268
>> as _gc._tcp.saitel.local.
>> Failed to find DNS entry SRV _gc._tcp.saitel.local kdc02.saitel.local
>> 3268
>> Looking for DNS entry SRV
>> _gc._tcp.nome-predefinito-primo-sito._sites.saitel.local
>> kdc02.saitel.local 3268 as
>> _gc._tcp.nome-predefinito-primo-sito._sites.saitel.local.
>> Failed to find DNS entry SRV
>> _gc._tcp.nome-predefinito-primo-sito._sites.saitel.local
>> kdc02.saitel.local 3268
>> Traceback (most recent call last):
>>   File "/usr/local/samba/sbin/samba_dnsupdate", line 474, in <module>
>>     get_credentials(lp)
>>   File "/usr/local/samba/sbin/samba_dnsupdate", line 118, in
>> get_credentials
>>     creds.get_named_ccache(lp, ccachename)
>> RuntimeError: kinit for KDC02$@SAITEL.LOCAL failed (Cannot contact any
>> KDC for requested realm)
>>
>> What am I missing to make it work properly?
>>
>> Thanks,
>> Daniele.
>>
>>
> Looking better I find:
>
> [root at kdc02:~]# named -f -g -d 5 -c /etc/bind/named.conf.dlz -u bind
> 24-Oct-2011 16:41:31.030 starting BIND 9.8.0-P4 -f -g -d 5
> -c /etc/bind/named.conf.dlz -u bind
> 24-Oct-2011 16:41:31.030 built with '--with-openssl=/usr'
> '--with-gssapi=/usr/include/gssapi' '--with-dlz-dlopen=yes'
> 24-Oct-2011 16:41:31.030 using up to 4096 sockets
> 24-Oct-2011 16:41:31.030 Registering DLZ_dlopen driver
> 24-Oct-2011 16:41:31.030 Registering SDLZ driver 'dlopen'
> 24-Oct-2011 16:41:31.030 Registering DLZ driver 'dlopen'
> 24-Oct-2011 16:41:31.032 decrement_reference: delete from rbt:
> 0xb72550f8 .
> 24-Oct-2011 16:41:31.035 loading configuration from
> '/etc/bind/named.conf.dlz'
> 24-Oct-2011 16:41:31.036 reading built-in trusted keys from file
> '/etc/bind.keys'
> 24-Oct-2011 16:41:31.036 set maximum stack size to 4294967295: success
> 24-Oct-2011 16:41:31.036 set maximum data size to 4294967295: success
> 24-Oct-2011 16:41:31.036 set maximum core size to 4294967295: success
> 24-Oct-2011 16:41:31.036 set maximum open files to 18446744073709551615:
> success
> 24-Oct-2011 16:41:31.037 using default UDP/IPv4 port range: [1024,
> 65535]
> 24-Oct-2011 16:41:31.037 using default UDP/IPv6 port range: [1024,
> 65535]
> 24-Oct-2011 16:41:31.039 listening on IPv4 interface lo, 127.0.0.1#53
> 24-Oct-2011 16:41:31.039 clientmgr @0xb7255398: create
> 24-Oct-2011 16:41:31.039 clientmgr @0xb7255398: createclients
> 24-Oct-2011 16:41:31.039 clientmgr @0xb7255398: create new
> 24-Oct-2011 16:41:31.039 client @0xb7285008: create
> 24-Oct-2011 16:41:31.039 clientmgr @0xb7255398: createclients
> 24-Oct-2011 16:41:31.039 clientmgr @0xb7255398: create new
> 24-Oct-2011 16:41:31.039 client @0xb72853f8: create
> 24-Oct-2011 16:41:31.039 listening on IPv4 interface eth0,
> 192.168.12.2#53
> 24-Oct-2011 16:41:31.039 clientmgr @0xb72554e8: create
> 24-Oct-2011 16:41:31.039 clientmgr @0xb72554e8: createclients
> 24-Oct-2011 16:41:31.039 clientmgr @0xb72554e8: create new
> 24-Oct-2011 16:41:31.039 client @0xb72857e8: create
> 24-Oct-2011 16:41:31.039 clientmgr @0xb72554e8: createclients
> 24-Oct-2011 16:41:31.039 clientmgr @0xb72554e8: create new
> 24-Oct-2011 16:41:31.039 client @0xb7285bd8: create
> 24-Oct-2011 16:41:31.040 generating session key for dynamic DNS
> 24-Oct-2011 16:41:31.041 decrement_reference: delete from rbt:
> 0xb7255698 .
> 24-Oct-2011 16:41:31.041 Loading 'AD' using driver dlopen
> 24-Oct-2011 16:41:31.041 Loading SDLZ driver.
> 24-Oct-2011 16:41:31.105 samba_dlz: started for DN DC=Saitel,DC=local
> 24-Oct-2011 16:41:31.106 SDLZ driver loaded successfully.
> 24-Oct-2011 16:41:31.106 DLZ driver loaded successfully.
> 24-Oct-2011 16:41:31.106 samba_dlz: starting configure
> 24-Oct-2011 16:41:31.215 zone 12.168.192.in-addr.arpa/NONE: number of
> nodes in database: 0
> 24-Oct-2011 16:41:31.215 zone 12.168.192.in-addr.arpa/NONE: loaded
> 24-Oct-2011 16:41:31.218 samba b9_putrr: unhandled record type 65282
> 24-Oct-2011 16:41:31.224 samba b9_putrr: unhandled record type 65282
> 24-Oct-2011 16:41:31.227 zone_settimer: zone
> 12.168.192.in-addr.arpa/NONE: enter
> 24-Oct-2011 16:41:31.227 samba_dlz: configured writeable zone
> '12.168.192.in-addr.arpa'
> 24-Oct-2011 16:41:31.229 res 0xb72570c0: create
>
> So it seems that the reversed zone is present.
> Doing a nslookup it gives the right hostname.domain.com but it won't
> work with the direct zone.
>
> What am I doing wrong?
> Daniele.
>
Recently there was a thread about some updates for the samba dlz module to
allow dynamic ptr zones:
https://lists.samba.org/archive/samba-technical/2011-October/079834.html, so
maybe you should try a recent git pull?

Cheers

Geza
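The steps Geza lists earlier in the thread (dlopen module in place, tkey-gssapi-keytab pointing at a keytab the bind group can read, slave zones for the AD domain commented out) are the usual things to verify before restarting named. The following check script is an added example, not code from the thread or from Samba; the config paths it writes are constructed, and it assumes a Linux box with GNU `stat -c`.

```shell
#!/bin/sh
# Constructed example: sanity-check a BIND + Samba4 DLZ setup of the kind
# discussed in the thread. All paths and file names here are assumptions.

# check_dlz_setup OPTIONS_CONF LOCAL_CONF
# Returns 0 when every check passes, 1 otherwise (each failure is printed).
check_dlz_setup() {
    opts="$1"; lconf="$2"; rc=0
    # 1. tkey-gssapi-keytab must name an existing keytab that the bind group
    #    can read but that is not world-readable (it holds the DNS service keys)
    keytab=$(sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$opts")
    if [ -z "$keytab" ]; then
        echo "FAIL: no tkey-gssapi-keytab statement in $opts"; rc=1
    elif [ ! -f "$keytab" ]; then
        echo "FAIL: keytab $keytab does not exist"; rc=1
    else
        perms=$(stat -c '%A' "$keytab")          # e.g. -rw-r-----
        case "$perms" in
            ????r*) ;;                           # group read bit set
            *) echo "FAIL: $keytab not group-readable ($perms)"; rc=1 ;;
        esac
        case "$perms" in
            ???????r*) echo "FAIL: $keytab is world-readable ($perms)"; rc=1 ;;
        esac
    fi
    # 2. the dlz block must dlopen a module that actually exists on disk
    module=$(sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' "$lconf")
    if [ -z "$module" ]; then
        echo "FAIL: no dlz dlopen database statement in $lconf"; rc=1
    elif [ ! -f "$module" ]; then
        echo "FAIL: DLZ module $module does not exist"; rc=1
    fi
    # 3. an active (uncommented) slave zone would shadow the zone served via DLZ
    if grep -Eq '^[[:space:]]*type[[:space:]]+slave' "$lconf"; then
        echo "FAIL: $lconf still has an active 'type slave' zone"; rc=1
    fi
    return $rc
}

# make_sample_config DIR: write a constructed config set modelled on the
# named.conf.options / named.conf.local fragments quoted in the thread.
make_sample_config() {
    d="$1"
    : > "$d/dns.keytab"; chmod 640 "$d/dns.keytab"     # stands in for root:bind, g+r
    : > "$d/libdlz_bind9.so"                           # stands in for the real module
    printf 'options {\n\tdirectory "/var/cache/bind";\n\ttkey-gssapi-keytab "%s/dns.keytab";\n};\n' \
        "$d" > "$d/named.conf.options"
    printf 'dlz "AD" {\n\tdatabase "dlopen %s/libdlz_bind9.so";\n};\n' \
        "$d" > "$d/named.conf.local"
}
```

Run it against the real files with `check_dlz_setup /etc/bind/named.conf.options /etc/bind/named.conf.local`; it only reads the config and file metadata, so it is safe to run on a live server.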

