[Samba] Problems with samba 4.3 and Bind_DLZ - ddns not working

dura-zell dura-zell at dynamik.ddns.net
Mon Feb 29 06:23:05 UTC 2016


Hi

I'm currently testing the replacement of a Samba 3 with LDAP backend 
by a Samba 4 AD DC.
For this, I have a fresh install of:
- FreeBSD 10.2
- samba 4.3.3
- bind with dlopen support:
BIND 9.10.3-P3 <id:bdaecad>
built by make with '--localstatedir=/var' '--disable-linux-caps' 
'--with-dlopen=yes' '--disable-symtable' '--with-randomdev=/dev/random' 
'--with-libxml2=/usr/local' '--with-readline=-ledit' 
'--sysconfdir=/usr/local/etc/namedb' '--disable-fetchlimit' 
'--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' 
'--with-idn=/usr/local' '--enable-ipv6' '--enable-largefile' 
'--disable-newstats' '--with-python' '--disable-querytrace' 
'--disable-rpz-nsdname' '--disable-rpz-nsip' '--enable-rrl' 
'STD_CDEFINES=-DDIG_SIGCHASE=1' '--with-gssapi=/usr/local' 
'KRB5CONFIG=/usr/local/bin/krb5-config' '--with-openssl=/usr' 
'--disable-native-pkcs11' '--with-dlz-bdb=yes' '--with-dlz-ldap=yes' 
'--with-dlz-filesystem=yes' '--with-dlz-stub=yes' '--without-gost' 
'--enable-threads' '--prefix=/usr/local' '--mandir=/usr/local/man' 
'--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.2' 
'build_alias=amd64-portbld-freebsd10.2' 'CC=cc' 'CFLAGS=-O2 -pipe 
-isystem /usr/local/include -DLIBICONV_PLUG -fstack-protector 
-DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib 
-Wl,-rpath,/usr/local/lib/heimdal:/usr/lib -fstack-protector' 'LIBS=' 
'CPPFLAGS=-isystem /usr/local/include -DLIBICONV_PLUG' 'CPP=cpp'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 3.4.1 
(tags/RELEASE_34/dot1-final 208032)
compiled with OpenSSL version: OpenSSL 1.0.1p-freebsd 9 Jul 2015
linked to OpenSSL version: OpenSSL 1.0.1p-freebsd 9 Jul 2015
compiled with libxml2 version: 2.9.3
linked to libxml2 version: 20903


When setting up my environment, I mostly followed the tutorial found 
here: https://forums.freebsd.org/threads/47798/
I needed to adapt it a bit to match my environment and supplemented it 
with information found via Google.

So far everything is working: I can join my test domain with Windows 7 
clients, use the RSAT tools to administer my domain and so on. Only one 
thing I'm having a hard time getting to work: the dynamic DNS updates 
from Samba to BIND. Here I'm getting "denied" errors. After some days of 
googling, I'm at a complete loss. I need to use BIND, as I have parts of 
my network that are not in the planned Active Directory.

When I issue the samba_dnsupdate command, this happens:

[root@katalog ~]# samba_dnsupdate --verbose --all-names
IPs: ['10.151.21.4']
Calling nsupdate for A katalog.int.domain.test 10.151.21.4 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
katalog.int.domain.test. 900 IN     A       10.151.21.4

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A int.domain.test 10.151.21.4 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
int.domain.test.    900     IN      A       10.151.21.4
[...]snip[...]
update failed: REFUSED
Failed nsupdate: 2
Failed update of 27 entries

I'm getting these messages in the bind log:
Feb 29 06:36:39 katalog named[51930]: client 10.151.21.4#40144: view 
internal: update 'int.domain.test/IN' denied
Feb 29 06:36:39 katalog named[51930]: client 10.151.21.4#27355: view 
internal: update 'int.domain.test/IN' denied
[...]snip[...]


Here are my config files:
named.conf:
acl local-domain { 10.151.0.0/16; 127.0.0.1; };
acl interfaces { 10.151.21.4; 127.0.0.1; };
options {
         directory       "/usr/local/etc/namedb/working/";
         notify          no;
         recursion       yes;
         minimal-responses yes;
         provide-ixfr    yes;
         request-ixfr    yes;
         pid-file        "/var/run/named/pid";
         dump-file       "/var/dump/named_dump.db";
         statistics-file "/var/stats/named.stats";
         tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
         listen-on       { interfaces; };
};


view "internal" {
         match-clients { local-domain; };
         allow-update { local-domain; };
         allow-query { local-domain; };
         allow-recursion { local-domain; };
         forwarders { 10.151.21.2; };
         include "/var/db/samba4/private/named.conf";
}; 
 


/var/db/samba4/private/named.conf:
dlz "AD DNS Zone" {
     # For BIND 9.8.x
     # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";

     # For BIND 9.9.x
     # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so";

     # For BIND 9.10.x
      database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_10.so -d 3";
};

and /usr/local/etc/smb4.conf (this is the default name on FreeBSD):
[global]
         workgroup = INT
         realm = INT.DOMAIN.TEST
         netbios name = KATALOG
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes
         nsupdate command = /usr/local/bin/nsupdate
         kerberos method = secrets and keytab
         log level = 10

[netlogon]
         path = /var/db/samba4/sysvol/int.domain.test/scripts
         read only = No

[sysvol]
         path = /var/db/samba4/sysvol
         read only = No

The dns.keytab is accessible to the bind user (I even tried chmod 
777), and bind doesn't run chrooted/jailed. I can see from the logs 
that loading/initializing the DLZ works fine.

I tried to get more meaningful logs from bind, but it always comes down 
to "denied". It never tells me WHY it denies the update. Does someone have an 
idea what I'm doing wrong here? I searched the internet for the last two 
days, but wasn't able to get it running as intended. Now I'm stuck. 
Using BIND is a requirement for my setup. Please give me a hint where to 
search further for any issues/mistakes I might have made.

Kind regards,
Michael
