DLZ not loading all DNS zones

Andrew Bartlett abartlet at samba.org
Thu Feb 7 00:43:46 MST 2013

On Thu, 2013-02-07 at 18:39 +1100, Amitay Isaacs wrote:
> Hi Samuel,
> On Thu, Feb 7, 2013 at 4:24 AM, Samuel Cabrero Alamán
> <scabrero at zentyal.com> wrote:
> > Hello,
> >
> > we have found an environment where the AD DNS zone is stored in
> > CN=MicrosoftDNS,CN=System,.... The bind9 DLZ was not able to load it
> > because not all files inside private/dns/sam.ldb.d/ are hard links to
> > private/sam.ldb.d/. After hard linking all of them by hand the DLZ
> > successfully loaded all DNS zones, but the wiki (
> > https://wiki.samba.org/index.php/DNS#A_note_on_DNS_problems) only
> > mentions that just two of them should be hard linked, DomainDnsZones and
> > ForestDnsZones. Is it correct to hard link all of them?
> >
> >
> Since the main domain partition contains critical information about the
> domain, that partition should not really be hard-linked.  The provision
> code actually creates a partial copy of domain partition which only
> contains entries which are required for parsing DNS partitions. This
> particular solution was envisaged to prevent access by BIND to the critical
> AD information.  And in this scenario, it is assumed that the DNS
> information is stored in DNS partitions and not in the main domain
> partition.
> There are a few choices here:
> 1. Use internal DNS server instead of BIND9 + DLZ module. This depends on
> your DNS setup and may not be suitable for sophisticated setups.
> 2. Migrate DNS information to DNS partitions from domain partition.  This
> would be ideal, since that would allow you to continue using DNS set up and
> isolate BIND from accessing domain information. (Unfortunately, there is no
> tool in samba to do that yet.)
> 3. Link domain partition, so BIND can access complete domain partition and
> access DNS data. This solution will definitely work, but at the cost of
> exposing domain information to BIND and also to BIND gid if you are not
> running named as root and have changed the group of domain partition file.
> If choice 3 suits you best, then you can continue to do so.

Thanks Amitay, that explains it well.

Essentially 3 makes BIND root on your system, as access to that DB is
essentially 'god' on the network, because it can fake the KDC etc.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
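A check for the layout Amitay describes above, added here as an example and not code from the thread or from Samba: it assumes one .ldb file per partition named after its DN (the names and the directory tree below are constructed) and reports which files in BIND's private/dns/sam.ldb.d/ copy are hard links back to the real database, flagging the "choice 3" case where the main domain partition is linked.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): audit which partition files
# under private/dns/sam.ldb.d/ are hard links to the real database files in
# private/sam.ldb.d/, and flag the "choice 3" layout discussed above, where
# the main domain partition is linked and BIND can read the whole domain DB.

# DNS partitions are the files whose name starts with the DomainDnsZones or
# ForestDnsZones DN; every other partition (domain, configuration, schema)
# is treated as sensitive. One .ldb file per partition DN is assumed here.
is_dns_partition() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        DC=DOMAINDNSZONES,*|DC=FORESTDNSZONES,*) return 0 ;;
        *) return 1 ;;
    esac
}
# check_dlz_links PRIVATE_DIR -- one line per .ldb in PRIVATE_DIR/dns/sam.ldb.d:
#   dns-link NAME        hard link of a DNS partition (expected)
#   partial-copy NAME    separate file, e.g. the trimmed domain-partition copy
#   SENSITIVE-LINK NAME  non-DNS partition hard-linked to the real database
# Returns 1 if any SENSITIVE-LINK was found, else 0.
check_dlz_links() {
    priv=$1; rc=0
    for f in "$priv"/dns/sam.ldb.d/*.ldb; do
        name=$(basename "$f")
        # test -ef is true when both paths resolve to the same inode
        if [ "$f" -ef "$priv/sam.ldb.d/$name" ]; then
            if is_dns_partition "$name"; then echo "dns-link $name"
            else echo "SENSITIVE-LINK $name"; rc=1; fi
        else
            echo "partial-copy $name"
        fi
    done
    return $rc
}
# make_demo_tree LINK_DOMAIN(0|1): build a constructed private/ layout with
# sample partition names in a temp dir and print its path. With 1 the domain
# partition is hard-linked as well, i.e. the "choice 3" layout.
make_demo_tree() {
    d=$(mktemp -d); mkdir -p "$d/sam.ldb.d" "$d/dns/sam.ldb.d"
    for p in DC=DOMAINDNSZONES,DC=EXAMPLE,DC=COM DC=FORESTDNSZONES,DC=EXAMPLE,DC=COM DC=EXAMPLE,DC=COM; do
        echo "sample data" > "$d/sam.ldb.d/$p.ldb"
    done
    ln "$d/sam.ldb.d/DC=DOMAINDNSZONES,DC=EXAMPLE,DC=COM.ldb" "$d/dns/sam.ldb.d/"
    ln "$d/sam.ldb.d/DC=FORESTDNSZONES,DC=EXAMPLE,DC=COM.ldb" "$d/dns/sam.ldb.d/"
    if [ "$1" = 1 ]; then ln "$d/sam.ldb.d/DC=EXAMPLE,DC=COM.ldb" "$d/dns/sam.ldb.d/"
    else echo "partial copy" > "$d/dns/sam.ldb.d/DC=EXAMPLE,DC=COM.ldb"; fi
    echo "$d"
}

check_dlz_links "$(make_demo_tree 1)" || echo "audit failed: sensitive partition linked"
```

On a real DC point check_dlz_links at the private/ directory of the Samba install instead of the constructed tree; the temp directories created by the demo are left in place.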
