DLZ not loading all DNS zones

Samuel Cabrero scabrero at zentyal.com
Fri Feb 8 08:20:08 MST 2013

Understood, thanks for the explanation.

On 02/07/2013 08:43 AM, Andrew Bartlett wrote:
> On Thu, 2013-02-07 at 18:39 +1100, Amitay Isaacs wrote:
>> Hi Samuel,
>> On Thu, Feb 7, 2013 at 4:24 AM, Samuel Cabrero Alamán
>> <scabrero at zentyal.com> wrote:
>>> Hello,
>>> we have found an environment where the AD DNS zone is stored in
>>> CN=crosoftDNS,CN=System,.... The bind9 DLZ was not able to load it
>>> because not all files inside private/dns/sam.ldb.d/ are hard links to
>>> private/sam.ldb.d/. After hard linking all of them by hand the DLZ
>>> successfully loaded all DNS zones, but the wiki (
>>> https://wiki.samba.org/index.php/DNS#A_note_on_DNS_problems) only
>>> mentions that just two of them should be hard linked, DomainDnsZones and
>>> ForestDnsZones. Is it correct to hard link all of them?
>> Since the main domain partition contains critical information about the
>> domain, that partition should not really be hard-linked.  The provision
>> code actually creates a partial copy of domain partition which only
>> contains entries which are required for parsing DNS partitions. This
>> particular solution was envisaged to prevent access by BIND to the critical
>> AD information.  And in this scenario, it is assumed that the DNS
>> information is stored in DNS partitions and not in the main domain
>> partition.
>> There are a few choices here:
>> 1. Use internal DNS server instead of BIND9 + DLZ module. This depends on
>> your DNS setup and may not be suitable for sophisticated setups.
>> 2. Migrate DNS information to DNS partitions from domain partition.  This
>> would be ideal, since that would allow you to continue using DNS set up and
>> isolate BIND from accessing domain information. (Unfortunately, there is no
>> tool in samba to do that yet.)
>> 3. Link domain partition, so BIND can access complete domain partition and
>> access DNS data. This solution will definitely work, but at the cost of
>> exposing domain information to BIND and also to BIND gid if you are not
>> running named as root and have changed the group of domain partition file.
>> If choice 3 suits you best, then you can continue to do so.
> Thanks Amitay, that explains it well.
> Essentially 3 makes BIND root on your system, as access to that DB is
> essentially 'god' on the network, because it can fake the KDC etc.
> Andrew Bartlett

Samuel Cabrero - Developer
scabrero at zentyal.com

The Linux small business server
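Added example, not code from the thread or from Samba: a small audit script for the setup discussed above. It lists each partition file under private/dns/sam.ldb.d/ (the view BIND's DLZ module reads), reports whether it is a hard link to the real partition in private/sam.ldb.d/, and flags any linked file that is not one of the two DNS partitions, i.e. choice 3 from the thread. It assumes the partition file names contain DOMAINDNSZONES / FORESTDNSZONES (any case) and that the private directory is /usr/local/samba/private unless another path is passed.

```shell
#!/bin/sh
# Added example (not from the thread or Samba). Audit which files in
# private/dns/sam.ldb.d/ are hard links into private/sam.ldb.d/ and flag
# any linked partition other than DomainDnsZones/ForestDnsZones, since a
# linked domain partition hands the named process the full AD database.
# Assumptions: DNS partition file names contain DOMAINDNSZONES or
# FORESTDNSZONES (case-insensitive); default path is the usual private dir.

# dlz_link_audit [PRIVATE_DIR]
# Prints one line per file in dns/sam.ldb.d; returns 0 when only DNS
# partitions are hard-linked, 1 when any other partition is linked.
dlz_link_audit() {
    priv="${1:-/usr/local/samba/private}"
    main="$priv/sam.ldb.d"
    dns="$priv/dns/sam.ldb.d"
    rc=0
    for f in "$dns"/*; do
        [ -e "$f" ] || continue          # empty directory leaves the glob literal
        name=$(basename "$f")
        upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        # -ef is true when both names refer to the same inode (a hard link)
        if [ -e "$main/$name" ] && [ "$f" -ef "$main/$name" ]; then
            case "$upper" in
                *DOMAINDNSZONES*|*FORESTDNSZONES*)
                    echo "ok    $name: DNS partition, hard link" ;;
                *)
                    echo "RISK  $name: non-DNS partition hard-linked into BIND's view"
                    rc=1 ;;
            esac
        else
            echo "copy  $name: separate file (partial copy, not linked)"
        fi
    done
    return "$rc"
}
```

A non-zero exit means named can read a partition the provision code deliberately kept out of its view, which is the exposure Andrew describes.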
