[Samba] named failing with bind_dlz includes

Rowland Penny rowlandpenny241155 at gmail.com
Fri Aug 28 18:48:16 UTC 2015


On 28/08/15 19:07, Robert Moskowitz wrote:
>
>
> On 08/28/2015 01:58 PM, Rowland Penny wrote:
>> On 28/08/15 18:17, Robert Moskowitz wrote:
>>> Bind is failing with:
>>>
>>> include "/var/lib/samba/private/named.conf";
>>>
>>> which has:
>>>
>>> # more /var/lib/samba/private/named.conf
>>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
>>> #
>>> # This file should be included in your main BIND configuration file
>>> #
>>> # For example with
>>> # include "/var/lib/samba/private/named.conf";
>>>
>>> #
>>> # This configures dynamically loadable zones (DLZ) from AD schema
>>> # Uncomment only single database line, depending on your BIND version
>>> #
>>> dlz "AD DNS Zone" {
>>>     # For BIND 9.8.x
>>>     # database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";
>>>
>>>     # For BIND 9.9.x
>>>      database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
>>>
>>>     # For BIND 9.10.x
>>>     # database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so";
>>> };
>>>
>>> And my bind is 9.9.4-18
>>>
>>> Of course if I comment out this include, forwarding is not working 
>>> so there is still something wrong with the basic /etc/named.conf 
>>> (previously I was using my test network DNS for this system, not its 
>>> own bind).
>>>
>>>
>>>
>>
>> Does the bind user have the rights to read the included named.conf ?
>
> The files have general read permissions.  And when I had the 
> named.conf.updates included I got a message that update-policy is not 
> a supported option:
>
> Aug 28 14:03:17 homebase.home.htt named-checkconf[3761]: /var/lib/samba/private/named.conf.update:2: unknown option 'update-policy'
>
> I am beginning to suspect /usr/lib/samba/bind9/dlz_bind9_9.so
>
>> Can we possibly see your bind conf files ?
>
> # cat /etc/named.conf
> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> // server as a caching only nameserver (as a localhost DNS resolver only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration files.
> //
>
> options {
>     listen-on port 53 { 127.0.0.1; };
>     listen-on-v6 port 53 { ::1; };
>     directory     "/var/named";
>     dump-file     "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     allow-query     { localhost; };
>
>     /*
>      - If you are building an AUTHORITATIVE DNS server, do NOT enable 
> recursion.
>      - If you are building a RECURSIVE (caching) DNS server, you need 
> to enable
>        recursion.
>      - If your recursive DNS server has a public IP address, you MUST 
> enable access
>        control to limit queries to your legitimate users. Failing to 
> do so will
>        cause your server to become part of large scale DNS amplification
>        attacks. Implementing BCP38 within your network would greatly
>        reduce such attack surface
>     */
>     recursion yes;
>
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-lookaside auto;
>     forwarders {
>         192.168.192.5;
>     };
>
>     /* Path to ISC DLV key */
>     bindkeys-file "/etc/named.iscdlv.key";
>
>     managed-keys-directory "/var/named/dynamic";
>
>     pid-file "/run/named/named.pid";
>     session-keyfile "/run/named/session.key";
> };
>
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> # tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> # include "/var/lib/samba/private/named.conf";
> # include "/var/lib/samba/private/named.conf.update";
>
> # more /var/lib/samba/private/named.conf
> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
> #
> # This file should be included in your main BIND configuration file
> #
> # For example with
> # include "/var/lib/samba/private/named.conf";
>
> #
> # This configures dynamically loadable zones (DLZ) from AD schema
> # Uncomment only single database line, depending on your BIND version
> #
> dlz "AD DNS Zone" {
>     # For BIND 9.8.x
>     # database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";
>
>     # For BIND 9.9.x
>      database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
>
>     # For BIND 9.10.x
>     # database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so";
> };
>
>
> # more /var/lib/samba/private/named.conf.update
> /* this file is auto-generated - do not edit */
> update-policy {
>     grant HOME.HTT ms-self * A AAAA;
>     grant Administrator at HOME.HTT wildcard * A AAAA SRV CNAME;
>     grant HOMEBASE$@home.htt wildcard * A AAAA SRV CNAME;
> };
>
> I am trying to find an old name-caching named.conf I had so many 
> years ago....
>
>

OK, I use Debian, which splits up named.conf, so I have stitched it back 
together as one file and this is it:

options {
         directory "/var/cache/bind";
         forwarders { 8.8.8.8; 8.8.4.4; };

         dnssec-validation no;

         auth-nxdomain no;    # conform to RFC1035
         listen-on-v6 { any; };
         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

// prime the server with knowledge of the root servers
zone "." {
         type hint;
         file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
         type master;
         file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
         type master;
         file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
         type master;
         file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
         type master;
         file "/etc/bind/db.255";
};

include "/var/lib/samba/private/named.conf";

That is all you need; the above works. You can of course embellish it, 
but why bother?

Rowland
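As an added example (not code from the thread, from Samba or from BIND), the script below performs offline the checks the replies above circle around: whether each file in the `include` chain is readable by a non-root named process, whether `update-policy` ends up at top level (BIND only accepts it inside a `zone` block, which is what makes named-checkconf reject a top-level include of named.conf.update), and which DLZ `database "dlopen ..."` line is actually uncommented. It assumes absolute include paths and uses world-readability as a stand-in for the named user's access rights; the sample tree it writes, the realm EXAMPLE.TEST and the temporary paths are constructed for this example.

```python
"""Offline sanity check for a BIND named.conf include chain (added example)."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class Report:
    findings: list = field(default_factory=list)     # human-readable problems
    dlz_modules: list = field(default_factory=list)  # active dlopen module paths


def strip_comments(text: str) -> str:
    """Remove /* ... */, // and # comments, the three styles named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def statements(text: str) -> list:
    """Return (brace_depth, head) pairs; head is the whitespace-normalised text of
    a statement up to its '{' or ';'.  Depth 0 is the file's top level."""
    out, depth, buf = [], 0, []
    for ch in strip_comments(text):
        if ch == "{" or ch == ";":
            head = " ".join("".join(buf).split())
            if head:
                out.append((depth, head))
            buf = []
            if ch == "{":
                depth += 1
        elif ch == "}":
            depth -= 1
            buf = []
        else:
            buf.append(ch)
    return out


def active_dlz_modules(text: str) -> list:
    """Module paths from `database "dlopen <path>"` lines that are not commented out."""
    mods = []
    for _depth, head in statements(text):
        m = re.fullmatch(r'database\s+"dlopen\s+([^"]+)"', head)
        if m:
            mods.append(m.group(1).strip())
    return mods


def check_file(path: str, report: Report, base_depth: int = 0, seen=None) -> Report:
    """Check one file, then recurse into everything it includes (absolute paths only)."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:
        report.findings.append(f"{path}: included more than once (include loop?)")
        return report
    seen.add(real)
    try:
        with open(path, encoding="utf-8") as fh:
            raw = fh.read()
    except OSError as exc:
        report.findings.append(f"{path}: cannot read: {exc.strerror}")
        return report
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & stat.S_IROTH:  # proxy for "can the named user read this?"
        report.findings.append(f"{path}: not world-readable (mode {mode:04o}); check the named user can read it")
    report.dlz_modules.extend(active_dlz_modules(raw))
    for depth, head in statements(raw):
        keyword = head.split()[0]
        # base_depth carries the depth of the include statement that pulled this file in
        if base_depth + depth == 0 and keyword == "update-policy":
            report.findings.append(f"{path}: 'update-policy' at top level; BIND only allows it inside a zone block")
        inc = re.fullmatch(r'include\s+"([^"]+)"', head)
        if inc:
            check_file(inc.group(1), report, base_depth + depth, seen)
    return report


def audit(path: str) -> Report:
    """Run the checks over the whole include chain rooted at `path`."""
    report = check_file(path, Report())
    if len(report.dlz_modules) > 1:
        report.findings.append("more than one dlz database line is active; uncomment exactly one")
    for so in report.dlz_modules:
        if not os.path.exists(so):
            report.findings.append(f"dlz module {so} not found on this host")
    return report


# Constructed sample files mirroring the layout in the thread (Samba's
# private/named.conf and the auto-generated named.conf.update); not real data.
SAMPLE_DLZ_CONF = """\
# This configures dynamically loadable zones (DLZ) from AD schema
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
};
"""

SAMPLE_UPDATE_CONF = """\
/* this file is auto-generated - do not edit */
update-policy {
    grant EXAMPLE.TEST ms-self * A AAAA;
};
"""


def build_sample_tree() -> str:
    """Write the constructed sample into a temp dir and return the main named.conf path.
    named.conf.update is made mode 0600 on purpose so one readability finding fires."""
    root = tempfile.mkdtemp(prefix="named-check-")
    private = os.path.join(root, "private")
    os.mkdir(private)
    main_conf = f"""\
options {{
    directory "{root}";
    tkey-gssapi-keytab "{private}/dns.keytab";  # keytab for GSS-TSIG dynamic updates
}};
include "{private}/named.conf";
include "{private}/named.conf.update";  // misplaced: BIND wants this inside a zone block
"""
    files = {
        os.path.join(root, "named.conf"): (main_conf, 0o644),
        os.path.join(private, "named.conf"): (SAMPLE_DLZ_CONF, 0o644),
        os.path.join(private, "named.conf.update"): (SAMPLE_UPDATE_CONF, 0o600),
    }
    for file_path, (content, mode) in files.items():
        with open(file_path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(file_path, mode)
    return os.path.join(root, "named.conf")


if __name__ == "__main__":
    for line in audit(build_sample_tree()).findings:
        print(line)
```

Run against the constructed tree it reports the unreadable named.conf.update, the top-level `update-policy`, and (on a host without Samba) the missing dlz_bind9_9.so; point `audit()` at a real /etc/named.conf to get the same three checks over a live include chain before running named-checkconf.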



