[Samba] Moving to Bind from internal Ubuntu Server

Szymon Życiński sz.zycinski at gmail.com
Fri Apr 25 14:43:55 MDT 2014


After an hour of work I ended up with:
------------------------------------------------------------
Apr 25 22:37:56 PrimaryDC named[14412]: received control channel command 'stop -p'
Apr 25 22:37:56 PrimaryDC named[14412]: shutting down: flushing changes
Apr 25 22:37:56 PrimaryDC named[14412]: stopping command channel on 127.0.0.1#953
Apr 25 22:37:56 PrimaryDC named[14412]: stopping command channel on ::1#953
Apr 25 22:37:56 PrimaryDC named[14412]: no longer listening on ::#53
Apr 25 22:37:56 PrimaryDC named[14412]: no longer listening on 127.0.0.1#53
Apr 25 22:37:56 PrimaryDC named[14412]: no longer listening on 172.23.198.3#53
Apr 25 22:37:56 PrimaryDC named[14412]: exiting
Apr 25 22:37:57 PrimaryDC named[14662]: starting BIND 9.8.1-P1 -u bind
Apr 25 22:37:57 PrimaryDC named[14662]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
Apr 25 22:37:57 PrimaryDC named[14662]: adjusted limit on open files from 4096 to 1048576
Apr 25 22:37:57 PrimaryDC named[14662]: found 4 CPUs, using 4 worker threads
Apr 25 22:37:57 PrimaryDC named[14662]: using up to 4096 sockets
Apr 25 22:37:57 PrimaryDC named[14662]: loading configuration from '/etc/bind/named.conf'
Apr 25 22:37:57 PrimaryDC named[14662]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Apr 25 22:37:57 PrimaryDC named[14662]: using default UDP/IPv4 port range: [1024, 65535]
Apr 25 22:37:57 PrimaryDC named[14662]: using default UDP/IPv6 port range: [1024, 65535]
Apr 25 22:37:57 PrimaryDC named[14662]: listening on IPv6 interfaces, port 53
Apr 25 22:37:57 PrimaryDC named[14662]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 25 22:37:57 PrimaryDC named[14662]: listening on IPv4 interface eth0, 172.23.198.3#53
Apr 25 22:37:57 PrimaryDC named[14662]: generating session key for dynamic DNS
Apr 25 22:37:57 PrimaryDC named[14662]: sizing zone task pool based on 5 zones
Apr 25 22:37:57 PrimaryDC named[14662]: Loading 'AD DNS Zone' using driver dlopen
Apr 25 22:37:57 PrimaryDC named[14662]: samba_dlz: started for DN DC=4lo,DC=czest,DC=pl,DC=lan
Apr 25 22:37:57 PrimaryDC named[14662]: samba_dlz: starting configure
Apr 25 22:37:57 PrimaryDC named[14662]: samba_dlz: configured writeable zone '4lo.czest.pl.lan'
Apr 25 22:37:57 PrimaryDC named[14662]: samba_dlz: configured writeable zone '_msdcs.4lo.czest.pl.lan'
Apr 25 22:37:57 PrimaryDC named[14662]: set up managed keys zone for view _default, file 'managed-keys.bind'
Apr 25 22:37:57 PrimaryDC named[14662]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 254.169.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: D.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 8.E.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 9.E.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: A.E.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: B.E.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: command channel listening on 127.0.0.1#953
Apr 25 22:37:57 PrimaryDC named[14662]: command channel listening on ::1#953
Apr 25 22:37:57 PrimaryDC named[14662]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 25 22:37:57 PrimaryDC named[14662]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 25 22:37:57 PrimaryDC named[14662]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 25 22:37:57 PrimaryDC named[14662]: zone localhost/IN: loaded serial 2
Apr 25 22:37:57 PrimaryDC named[14662]: managed-keys-zone ./IN: loaded serial 3
Apr 25 22:37:57 PrimaryDC named[14662]: running

---------------------------------------------------------------

In /etc/apparmor.d/usr.sbin.named I added:
   /usr/local/samba/private/dns/* rw,
   /usr/local/samba/private/named.conf r,
   /usr/local/samba/private/named.conf.update r,
   /usr/local/samba/private/dns.keytab rk,
   /usr/local/samba/lib/bind9/dlz_bind9_9.so rm,
   /usr/local/samba/lib/private/* rmw,
   /usr/local/samba/lib/* rmw,
   /var/tmp/* rw,
   /usr/local/samba/lib/bind9/dlz_bind9.so rm,
   /usr/local/samba/** rwmk,
   /dev/urandom rw,

I know it is not optimal and I have to clean it up .... but it seems to 
work. On Monday I will see if dynamic DNS updates work. Of course the internal 
DNS (-dns) is disabled.

Hope it will help someone while digging through Google. AppArmor is a 
pain in the ass in this case.

Szymon
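One way to replace the catch-all "/usr/local/samba/** rwmk," with rules for only the paths named was actually denied, as an added example that is not part of Szymon's post or of Samba: a shell pipeline that reads AppArmor audit lines and merges the requested masks per path, the way aa-logprof does by hand. The audit lines below are constructed samples in the kernel's AppArmor log format; the profile name /usr/sbin/named is assumed from the Ubuntu package.

```shell
#!/bin/bash
# Added example: derive minimal AppArmor file rules for /usr/sbin/named from
# DENIED audit records, instead of granting rwmk on the whole Samba tree.

# Constructed sample audit lines (not taken from the original post).
SAMPLE_DENIALS='audit: type=1400 audit(1398458276.123:42): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/private/dns.keytab" pid=14662 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
audit: type=1400 audit(1398458276.124:43): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_9.so" pid=14662 comm="named" requested_mask="m" denied_mask="m" fsuid=105 ouid=0
audit: type=1400 audit(1398458276.125:44): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/private/dns/sam.ldb" pid=14662 comm="named" requested_mask="wr" denied_mask="wr" fsuid=105 ouid=0
audit: type=1400 audit(1398458276.126:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/private/dns/sam.ldb" pid=14662 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
audit: type=1400 audit(1398458276.127:46): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/foo" pid=1 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# suggest_named_rules: read audit lines on stdin, print one AppArmor rule
# per denied path for the named profile, with the union of requested masks.
# Denials for other profiles (smbd above) are ignored.
suggest_named_rules() {
    grep 'apparmor="DENIED"' | grep 'profile="/usr/sbin/named"' |
    sed -n 's/.*name="\([^"]*\)".*requested_mask="\([^"]*\)".*/\1 \2/p' |
    awk '{
        # record every mask letter seen for this path ("wr" -> w and r)
        m = $2
        for (i = 1; i <= length(m); i++) seen[$1, substr(m, i, 1)] = 1
        paths[$1] = 1
    }
    END {
        order = "rwmkl"   # canonical letter order for the merged mask
        for (p in paths) {
            mask = ""
            for (i = 1; i <= length(order); i++) {
                c = substr(order, i, 1)
                if ((p, c) in seen) mask = mask c
            }
            printf "  %s %s,\n", p, mask
        }
    }' | LC_ALL=C sort
}

# Run on the constructed sample; paste the result into the named profile,
# then reload it with apparmor_parser -r and repeat until no denials remain.
printf '%s\n' "$SAMPLE_DENIALS" | suggest_named_rules
```

Rules built this way still only cover what named touched during the run, so exercise a dynamic DNS update (as the post plans to on Monday) before treating the profile as final.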
