[Samba] named failing with bind_dlz includes

Robert Moskowitz rgm at htt-consult.com
Fri Aug 28 18:07:47 UTC 2015



On 08/28/2015 01:58 PM, Rowland Penny wrote:
> On 28/08/15 18:17, Robert Moskowitz wrote:
>> Bind is failing with:
>>
>> include "/var/lib/samba/private/named.conf";
>>
>> which has:
>>
>> # more /var/lib/samba/private/named.conf
>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
>> #
>> # This file should be included in your main BIND configuration file
>> #
>> # For example with
>> # include "/var/lib/samba/private/named.conf";
>>
>> #
>> # This configures dynamically loadable zones (DLZ) from AD schema
>> # Uncomment only single database line, depending on your BIND version
>> #
>> dlz "AD DNS Zone" {
>>     # For BIND 9.8.x
>>     # database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";
>>
>>     # For BIND 9.9.x
>>      database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
>>
>>     # For BIND 9.10.x
>>     # database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so";
>> };
>>
>> And my bind is 9.9.4-18
>>
>> Of course if I comment out this include, forwarding is not working so 
>> there is still something wrong with the basic /etc/named.conf 
>> (previously I was using my test network DNS for this system, not its 
>> own bind).
>>
>>
>>
>
> Does the bind user have the rights to read the included named.conf ?

The files have general read permissions.  And when I had 
named.conf.update included, I got a message that update-policy is not a 
supported option:

Aug 28 14:03:17 homebase.home.htt named-checkconf[3761]: 
/var/lib/samba/private/named.conf.update:2: unknown option 'update-policy'

I am beginning to suspect /usr/lib/samba/bind9/dlz_bind9_9.so

> Can we possibly see your bind conf files ?

# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Global server options. With listen-on and allow-query both restricted to
// loopback (below), this instance only answers the local host; LAN clients of
// the AD domain cannot reach it until those two lists are widened.
options {
     // listen only on the loopback addresses
     listen-on port 53 { 127.0.0.1; };
     listen-on-v6 port 53 { ::1; };
     // base directory for the relative file names used by the logging and
     // zone statements further down
     directory     "/var/named";
     dump-file     "/var/named/data/cache_dump.db";
     statistics-file "/var/named/data/named_stats.txt";
     memstatistics-file "/var/named/data/named_mem_stats.txt";
     // only localhost may query at all, so the recursion enabled below is
     // likewise reachable only from this machine
     allow-query     { localhost; };

     /*
      - If you are building an AUTHORITATIVE DNS server, do NOT enable
        recursion.
      - If you are building a RECURSIVE (caching) DNS server, you need
        to enable recursion.
      - If your recursive DNS server has a public IP address, you MUST
        enable access control to limit queries to your legitimate users.
        Failing to do so will cause your server to become part of large
        scale DNS amplification attacks. Implementing BCP38 within your
        network would greatly reduce such attack surface.
     */
     recursion yes;

     dnssec-enable yes;
     dnssec-validation yes;
     // NOTE(review): "auto" lookaside relies on the ISC DLV registry, which
     // has since been retired; confirm the installed BIND still accepts it.
     dnssec-lookaside auto;
     // upstream resolver for anything not answered locally; no "forward"
     // mode is set here, so BIND's default (forward first) should apply -
     // verify for this version
     forwarders {
         192.168.192.5;
     };

     /* Path to ISC DLV key (see the lookaside note above) */
     bindkeys-file "/etc/named.iscdlv.key";

     managed-keys-directory "/var/named/dynamic";

     pid-file "/run/named/named.pid";
     session-keyfile "/run/named/session.key";
};

// Debug channel. The file path is relative to "directory" in options, i.e.
// /var/named/data/named.run; "severity dynamic" makes the channel follow the
// server's current debug level instead of a fixed severity.
logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};

// Root hints for iterative resolution, read from /var/named/named.ca
// (relative to "directory" in options).
zone "." IN {
     type hint;
     file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

// Samba AD DNS (BIND_DLZ) hooks, currently disabled. BIND accepts '#', '//'
// and '/* */' comments, so the three lines below are plain comments here.
// NOTE(review): tkey-gssapi-keytab is an options{} statement; if re-enabled
// it belongs inside the options block above, not at top level, and the keytab
// must be readable by the user named runs as. named.conf.update contains an
// update-policy, which is only valid inside a zone{} statement - including
// it at top level is what named-checkconf rejects in the error quoted above;
// presumably it is not needed next to the DLZ include at all - confirm
// against Samba's BIND_DLZ documentation.
# tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
# include "/var/lib/samba/private/named.conf";
# include "/var/lib/samba/private/named.conf.update";

# more /var/lib/samba/private/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
// Loads Samba's DLZ module into the named process so the AD zones are served
// from AD (see the header comment above) rather than from zone files in this
// config. Exactly one "database" line may be active; the 9.9 module is the
// one enabled, matching the BIND 9.9.4 named in the thread. The .so must exist
// and be readable by the user named runs as - the thread's suspicion about the
// DLZ library points here.
// NOTE(review): on a Red Hat system with SELinux enforcing, named may be
// denied loading a module from /usr/lib/samba - check the audit log if the
// load fails.
dlz "AD DNS Zone" {
     # For BIND 9.8.x
     # database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";

     # For BIND 9.9.x
      database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";

     # For BIND 9.10.x
     # database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so";
};


# more /var/lib/samba/private/named.conf.update
/* this file is auto-generated - do not edit */
/* update-policy is a zone{} substatement, so this fragment only parses when
   it is included inside a zone statement; included at top level it yields
   the "unknown option 'update-policy'" error quoted earlier in the thread.
   The two wildcard grants let the named principals create or change any
   A/AAAA/SRV/CNAME name in the zone, whereas ms-self (as BIND defines it)
   confines each machine account of the realm to its own name.
   NOTE(review): the list archive presumably rendered '@' as ' at ' in the
   Administrator line (compare the HOMEBASE$ line); the generated file is
   expected to read Administrator@HOME.HTT. */
update-policy {
     grant HOME.HTT ms-self * A AAAA;
     grant Administrator at HOME.HTT wildcard * A AAAA SRV CNAME;
     grant HOMEBASE$@home.htt wildcard * A AAAA SRV CNAME;
};

I am trying to find an old name-caching named.conf I had from many years 
ago....




