bind 9.11.3 BIND9_FLATFILE update-policy

Sergey Urushkin urushkin at telros.ru
Fri Sep 28 10:16:56 UTC 2018


Andrew Bartlett wrote on 2018-09-20 18:26:
> On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via samba-technical
> wrote:
>> Hello.
>> 
>> Bind 9.11.3 (shipped with ubuntu 18.04) has modifications that
>> prevent 
>> bind from starting with samba's update-policy config file included 
>> (BIND9_FLATFILE backend):
>> 
>> https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea9
>> 22aca0ba6eacf8ca9275
>> 
>> Error text:
>> named.conf.update:3: name field not set to placeholder value '.'
>> 
>> This already was in the mail list: 
>> https://lists.samba.org/archive/samba/2018-March/214738.html
>> 
>> This could be fixed by making a fixed copy of the config and
>> including 
>> it in BIND instead of the original:
>> sed 's/ms-self \* /ms-self . /' named.conf.update > 
>> named.conf.update.static
>> 
>> The next patch fixes config generation for 9.11.3 and above:
>> --- a/source4/dsdb/dns/dns_update.c	2018-07-12
>> 11:23:36.000000000 +0300
>> +++ b/source4/dsdb/dns/dns_update.c	2018-09-20
>> 16:16:32.330242337 +0300
>> @@ -242,7 +242,7 @@
>>   		dprintf(fd, "%s\n",static_policies);
>>   		dprintf(fd, "/* End of static entries */\n");
>>   	}
>> -	dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
>> +	dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
>>   	dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA SRV
>> CNAME;\n", 
>> realm);
>> 
>>   	for (i=0; i<dc_count; i++) {
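Review bot: the `-`/`+` pair on the `grant %s ms-self` line replaces `*` with `.` unconditionally, which, as the text around the patch itself notes, leaves BIND releases before 9.11.3 (which still require `*`) unable to load the generated file. Either gate the placeholder on the version reported by `named -V` or take it from a configurable source, rather than hard-coding the 9.11.3 form in dns_update.c.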
>> 
>> But this may not work with the older versions (not tested!). If so,
>> we 
>> should check the installed bind version on samba start while 
>> generating the config (named -V) or get the right value (* or .)
>> from 
>> some other place (config file).
>> Another approach: since the config is pretty much static (at least
>> with 
>> the current single-realm samba and it also doesn't honor real 
>> 'Administrator' account name and even more widely - every 
>> dns-administrator name), generate it on the provision 
>> (python/samba/provision/sambadns.py) like we do for named.conf.dlz
>> and 
>> just leave it as is with comments about BIND versions.
> 
> At this stage my preference would have been to remove the 'feature'
> entirely, given the limitations.  It causes a job to run frequently to
> fill in the file and trigger rndc reload even when Samba isn't using
> this, and this *may* be the cause of a crash or service outage on the
> bind side.  (Not yet pinned down). 
> 
> We would prefer folks used the DLZ driver or the internal DNS, as these
> work with Microsoft and Samba admin tools etc.  I don't mind us
> generating the zone long-term but I think the rest is always going to
> be so site-specific anyway.
> 
> What do you think?
> 
> Andrew Bartlett

Agreed.
Here is the patch that adds generation of the update-policy at provision.
The second part should be removing the named.conf.update code from 
/source4/dsdb/dns/dns_update.c - but I didn't touch it, since I'm not a 
C specialist.

diff -ur a/python/samba/provision/sambadns.py 
b/python/samba/provision/sambadns.py
--- a/python/samba/provision/sambadns.py	2018-09-28 08:36:00.198739082 
+0000
+++ b/python/samba/provision/sambadns.py	2018-09-28 09:53:40.252765037 
+0000
@@ -918,7 +918,7 @@
      setup_file(setup_path("spn_update_list"), paths.spn_update_list, 
None)


-def create_named_conf(paths, realm, dnsdomain, dns_backend, logger):
+def create_named_conf(paths, realm, dnsdomain, dns_backend, hostname, 
logger):
      """Write out a file containing zone statements suitable for 
inclusion in a
      named.conf file (including GSS-TSIG configuration).

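Review bot: the new `hostname` parameter is inserted before `logger`, so any remaining positional caller of `create_named_conf` would silently pass its logger object as `hostname`; the docstring starting "Write out a file containing zone statements" should also be extended to document the new argument and that it is only consumed by the BIND9_FLATFILE branch.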
@@ -938,6 +938,11 @@
      from samba.provision import ProvisioningError

      if dns_backend == "BIND9_FLATFILE":
+        bind_info = subprocess.Popen(['named -V'], shell=True,
+                                     stdout=subprocess.PIPE,
+                                     stderr=subprocess.STDOUT,
+                                     cwd='.').communicate()[0]
+
          setup_file(setup_path("named.conf"), paths.namedconf, {
                      "DNSDOMAIN": dnsdomain,
                      "REALM": realm,
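Review bot: the added `subprocess.Popen(['named -V'], shell=True, ...)` block duplicates the one already present in the `BIND9_DLZ` branch; factor the `named -V` call into one shared helper. Passing the whole command as a single list element only works because `shell=True` hands it to the shell; `['named', '-V']` without a shell is the idiomatic form, and `cwd='.'` is a no-op. Also, with stderr merged into stdout, a missing `named` binary yields the shell's "not found" text in `bind_info` rather than an exception, so log a warning when no BIND banner is found instead of silently treating it as a current release.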
@@ -947,7 +952,21 @@
                      "NAMED_CONF_UPDATE": paths.namedconf_update
                      })

-        setup_file(setup_path("named.conf.update"), 
paths.namedconf_update)
+        bind9_msself_name = '.'
+        if bind_info.upper().find('BIND 9.7') != -1 or \
+                bind_info.upper().find('BIND 9.8') != -1 or \
+                bind_info.upper().find('BIND 9.9') != -1 or \
+                bind_info.upper().find('BIND 9.10') != -1 or \
+                bind_info.upper().find('BIND 9.11.0') != -1 or \
+                bind_info.upper().find('BIND 9.11.1') != -1 or \
+                bind_info.upper().find('BIND 9.11.2') != -1:
+            bind9_msself_name = '*'
+        setup_file(setup_path("named.conf.update"), 
paths.namedconf_update, {
+                    "REALM": realm,
+                    "HOSTNAME": hostname,
+                    "BIND9_MSSELF_NAME": bind9_msself_name,
+                    "NAMED_CONF_UPDATE": paths.namedconf_update
+                    })

      elif dns_backend == "BIND9_DLZ":
          bind_info = subprocess.Popen(['named -V'], shell=True,
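Review bot: the substring tests on `bind_info.upper()` misclassify later point releases: `'BIND 9.11.2'` also matches `9.11.20` and above, and `'BIND 9.11.1'` matches `9.11.10` through `9.11.19`, so those releases (which need `.`) would be given `*`. Parse the banner into a `(major, minor, patch)` tuple and compare against `(9, 11, 3)` instead of enumerating prefixes; that also avoids extending the list for each new release. Under Python 3 `communicate()[0]` is `bytes`, so `bind_info.upper().find('BIND 9.7')` raises `TypeError` there; decode the output first. Minor: `"NAMED_CONF_UPDATE"` is passed to the template but only appears in its comment.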
@@ -1250,7 +1269,7 @@

      create_named_conf(paths, realm=names.realm,
                        dnsdomain=names.dnsdomain, 
dns_backend=dns_backend,
-                      logger=logger)
+                      hostname=names.hostname, logger=logger)

      create_named_txt(paths.namedtxt,
                       realm=names.realm, dnsdomain=names.dnsdomain,
diff -ur a/source4/scripting/bin/samba_upgradedns 
b/source4/scripting/bin/samba_upgradedns
--- a/source4/scripting/bin/samba_upgradedns	2018-09-28 
08:36:00.622739925 +0000
+++ b/source4/scripting/bin/samba_upgradedns	2018-09-28 
09:49:24.976185404 +0000
@@ -536,7 +536,7 @@
          create_samdb_copy(ldbs.sam, logger, paths, names, domainsid,
                            domainguid)

-        create_named_conf(paths, names.realm, dnsdomain, 
opts.dns_backend, logger)
+        create_named_conf(paths, names.realm, dnsdomain, 
opts.dns_backend, names.hostname, logger)

          create_named_txt(paths.namedtxt, names.realm, dnsdomain, 
dnsname,
                           paths.binddns_dir, paths.dns_keytab)
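Review bot: this call site passes `names.hostname` positionally between `opts.dns_backend` and `logger`, while the provision call site uses keywords (`hostname=names.hostname, logger=logger`); use keyword arguments here too so that a future reordering of `create_named_conf`'s parameters cannot silently swap the logger and the hostname.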
diff -ur a/source4/setup/named.conf.update 
b/source4/setup/named.conf.update
--- a/source4/setup/named.conf.update	2018-09-28 08:36:01.666742005 
+0000
+++ b/source4/setup/named.conf.update	2018-09-28 09:44:34.475447383 
+0000
@@ -1,4 +1,17 @@
-/*
-	this file will be automatically replaced with the correct
-	'grant' rules by samba at runtime
-*/
+# This DNS configuration is for BIND 9.7.0 or later with tkey-gssapi 
support.
+#
+# This file should be included in your domain zone clause.
+#
+# For example with
+# include "${NAMED_CONF_UPDATE}";
+
+#
+# This configures update policy for zone using TSIG-GSS.
+# Use 'ms-self .' for BIND 9.11.3 or later.
+# Use 'ms-self *' for BIND 9.7 - 9.11.2.
+#
+update-policy {
+    grant ${REALM} ms-self ${BIND9_MSSELF_NAME} A AAAA;
+    grant Administrator@${REALM} wildcard * A AAAA SRV CNAME;
+    grant ${HOSTNAME}$@${REALM} wildcard * A AAAA SRV CNAME;
+};
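Review bot: the header comment tells the reader which `ms-self` value each BIND range needs, but since the file is now written once at provision, an in-place BIND upgrade across 9.11.3 leaves a stale `*` and named fails to start with exactly the error quoted at the top of this thread ("name field not set to placeholder value '.'"); the comment should say that the `grant ${REALM} ms-self` line must be edited by hand after such an upgrade. Also, until the matching code in source4/dsdb/dns/dns_update.c is removed (the second part the cover text says is still to do), the runtime job will keep overwriting this file, so both changes need to land together.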

---
Best regards,
Sergey Urushkin
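The version check this thread asks for (parse `named -V`, then pick `.` or `*` by comparing the parsed version against 9.11.3 rather than matching version-string prefixes), written as an added example; it is neither Samba's code nor part of the patch above. The banner strings are constructed samples, `substring_msself_name` reproduces the patch's prefix test only to show where it goes wrong on 9.11.20, and `render_update_policy` fills the `${VAR}` placeholders with a plain string replace, which is an assumption about how Samba's `setup_file` substitutes template values.

```python
import re
import subprocess

# Constructed sample banners modelled on the first line of `named -V`.
# Only the "BIND x.y.z" token matters; the rest of the line varies by build.
SAMPLE_OLD = "BIND 9.10.3-P4-Ubuntu <id:ebd72b3>\nbuilt by make with ...\n"
SAMPLE_NEW = "BIND 9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version) <id:a375815>\n"
SAMPLE_9_11_20 = "BIND 9.11.20 (Extended Support Version) <id:deadbeef>\n"

# First BIND release that rejects `ms-self *` and requires `ms-self .`
MSSELF_DOT_FROM = (9, 11, 3)

_VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_bind_version(banner):
    """Return (major, minor, patch) from `named -V` output, or None if no banner."""
    if isinstance(banner, bytes):           # Popen/run return bytes on Python 3
        banner = banner.decode("utf-8", "replace")
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def msself_name_for(version):
    """'*' for BIND before 9.11.3, '.' for 9.11.3 and later.

    An unknown version (None) defaults to '.', the form every current
    release accepts; callers should log that the detection failed.
    """
    if version is None:
        return "."
    return "*" if version < MSSELF_DOT_FROM else "."


def substring_msself_name(banner):
    """The prefix test from the patch, kept only to demonstrate its failure mode."""
    u = banner.upper()
    old_prefixes = ("BIND 9.7", "BIND 9.8", "BIND 9.9", "BIND 9.10",
                    "BIND 9.11.0", "BIND 9.11.1", "BIND 9.11.2")
    return "*" if any(u.find(p) != -1 for p in old_prefixes) else "."


def detect_installed_bind_version():
    """Run `named -V` without a shell; None if named is absent or unparseable."""
    try:
        out = subprocess.run(["named", "-V"], stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT, check=False).stdout
    except OSError:                         # binary not installed / not executable
        return None
    return parse_bind_version(out)


# Same shape as the template in the patch; ${HOSTNAME}$ is the machine account.
UPDATE_POLICY_TEMPLATE = """update-policy {
    grant ${REALM} ms-self ${BIND9_MSSELF_NAME} A AAAA;
    grant Administrator@${REALM} wildcard * A AAAA SRV CNAME;
    grant ${HOSTNAME}$@${REALM} wildcard * A AAAA SRV CNAME;
};
"""


def render_update_policy(realm, hostname, version):
    """Fill the template for the given realm, host and detected BIND version."""
    subs = {"REALM": realm, "HOSTNAME": hostname,
            "BIND9_MSSELF_NAME": msself_name_for(version)}
    text = UPDATE_POLICY_TEMPLATE
    for key, value in subs.items():         # assumed ${KEY} replacement semantics
        text = text.replace("${%s}" % key, value)
    return text


if __name__ == "__main__":
    for banner in (SAMPLE_OLD, SAMPLE_NEW, SAMPLE_9_11_20):
        v = parse_bind_version(banner)
        print("%-12s tuple-compare=%s prefix-match=%s"
              % (".".join(map(str, v)), msself_name_for(v),
                 substring_msself_name(banner)))
    print(render_update_policy("EXAMPLE.COM", "dc1",
                               detect_installed_bind_version()))
```

Comparing tuples rather than prefixes means 9.11.20 and every later 9.11.x point release correctly get `.`, while 9.10.3 still gets `*`; the prefix test returns `*` for 9.11.20 because `"BIND 9.11.2"` is a prefix of `"BIND 9.11.20"`.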
