[Samba] named failing with bind_dlz includes
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Aug 28 18:48:16 UTC 2015
On 28/08/15 19:07, Robert Moskowitz wrote:
>
>
> On 08/28/2015 01:58 PM, Rowland Penny wrote:
>> On 28/08/15 18:17, Robert Moskowitz wrote:
>>> Bind is failing when I include:
>>>
>>> include "/var/lib/samba/private/named.conf";
>>>
>>> which has:
>>>
>>> # more /var/lib/samba/private/named.conf
>>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen
>>> support.
>>> #
>>> # This file should be included in your main BIND configuration file
>>> #
>>> # For example with
>>> # include "/var/lib/samba/private/named.conf";
>>>
>>> #
>>> # This configures dynamically loadable zones (DLZ) from AD schema
>>> # Uncomment only single database line, depending on your BIND version
>>> #
>>> dlz "AD DNS Zone" {
>>> # For BIND 9.8.x
>>> # database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";
>>>
>>> # For BIND 9.9.x
>>> database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
>>>
>>> # For BIND 9.10.x
>>> # database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so";
>>> };
>>>
>>> And my bind is 9.9.4-18
>>>
>>> Of course if I comment out this include, forwarding is not working
>>> so there is still something wrong with the basic /etc/named.conf
>>> (previously I was using my test network DNS for this system, not its
>>> own bind).
>>>
>>>
>>>
>>
>> Does the bind user have the rights to read the included named.conf ?
>
> The files have general read permissions. And when I had
> named.conf.update included, named-checkconf reported that update-policy is
> not a supported option:
>
> Aug 28 14:03:17 homebase.home.htt named-checkconf[3761]:
> /var/lib/samba/private/named.conf.update:2: unknown option
> 'update-policy'
>
> I am beginning to suspect /usr/lib/samba/bind9/dlz_bind9_9.so
>
>> Can we possibly see your bind conf files ?
>
> # cat /etc/named.conf
> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8)
> DNS
> // server as a caching only nameserver (as a localhost DNS resolver
> only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration
> files.
> //
>
> options {
> listen-on port 53 { 127.0.0.1; };
> listen-on-v6 port 53 { ::1; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> allow-query { localhost; };
>
> /*
> - If you are building an AUTHORITATIVE DNS server, do NOT enable
> recursion.
> - If you are building a RECURSIVE (caching) DNS server, you need
> to enable
> recursion.
> - If your recursive DNS server has a public IP address, you MUST
> enable access
> control to limit queries to your legitimate users. Failing to
> do so will
> cause your server to become part of large scale DNS amplification
> attacks. Implementing BCP38 within your network would greatly
> reduce such attack surface
> */
> recursion yes;
>
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
> forwarders {
> 192.168.192.5;
> };
>
> /* Path to ISC DLV key */
> bindkeys-file "/etc/named.iscdlv.key";
>
> managed-keys-directory "/var/named/dynamic";
>
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> # tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> # include "/var/lib/samba/private/named.conf";
> # include "/var/lib/samba/private/named.conf.update";
>
> # more /var/lib/samba/private/named.conf
> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen
> support.
> #
> # This file should be included in your main BIND configuration file
> #
> # For example with
> # include "/var/lib/samba/private/named.conf";
>
> #
> # This configures dynamically loadable zones (DLZ) from AD schema
> # Uncomment only single database line, depending on your BIND version
> #
> dlz "AD DNS Zone" {
> # For BIND 9.8.x
> # database "dlopen /usr/lib/samba/bind9/dlz_bind9.so";
>
> # For BIND 9.9.x
> database "dlopen /usr/lib/samba/bind9/dlz_bind9_9.so";
>
> # For BIND 9.10.x
> # database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so";
> };
>
>
> # more /var/lib/samba/private/named.conf.update
> /* this file is auto-generated - do not edit */
> update-policy {
> grant HOME.HTT ms-self * A AAAA;
> grant Administrator at HOME.HTT wildcard * A AAAA SRV CNAME;
> grant HOMEBASE$@home.htt wildcard * A AAAA SRV CNAME;
> };
>
> I am trying to find an old namecaching named.conf I had some many
> years ago....
>
>
OK, I use Debian, which splits named.conf into several files, so I have
stitched it back together as one file and this is it:
// Minimal named.conf for a Samba AD DC using the BIND9_DLZ backend
// (Debian's split named.conf.options / named.conf.default-zones stitched
// into one file). Only the Samba-generated named.conf is pulled in at the
// end; named.conf.update is deliberately not included (see below).
options {
directory "/var/cache/bind";
// Upstream resolvers for everything this server is not authoritative for.
forwarders { 8.8.8.8; 8.8.4.4; };
// Answers from the forwarders are not DNSSEC-validated with this setting;
// keep it only if that is an accepted trade-off for this network.
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
// Listens on every IPv6 address. No allow-query / allow-recursion is set,
// so BIND's built-in default ACLs apply.
// NOTE(review): if this DC is reachable from networks that should not use
// it as a resolver, set allow-recursion explicitly -- confirm for your
// BIND version what the defaults are.
listen-on-v6 { any; };
// Keytab used for GSS-TSIG, i.e. authenticated dynamic updates from domain
// members. It must be readable by the user named runs as, otherwise named
// fails with no obvious hint in the config itself.
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// Samba-generated DLZ stanza: loads the dlz_bind9_*.so matching the BIND
// version, which then serves the AD zones directly -- there are no zone {}
// statements for them here. update-policy is only valid inside a zone {}
// block, which is why including named.conf.update at top level is rejected.
// The module and this file must also be readable/loadable by the named user.
include "/var/lib/samba/private/named.conf";
That is all you need, the above works, you can of course embellish it,
but why bother? Two things are worth spelling out. named.conf.update is
not included on purpose: `update-policy` is only valid inside a `zone {}`
statement, which is why named-checkconf rejected it at top level, and with
the DLZ backend the AD zones are served by the dlz module rather than by
zone statements, so dynamic updates are authorised through GSS-TSIG with
the keytab instead. And check that the user named runs as can read
dns.keytab and load the dlz_bind9_*.so that matches your BIND version; if
named still fails, read named's own log for the actual error (and, on a
Red Hat system, look for any SELinux denials), because an unreadable
keytab or module gives the same symptom as a broken config.
Rowland