[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Jiří Černý
cerny at svmetal.cz
Tue Aug 21 09:31:47 UTC 2018
> It should work ;-)
> Can you post your smb.conf and /etc/named.conf files
> Rowland
Hello Rowland. Of course I can:
cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SVMETAL
realm = samdom.svmetal.cz
netbios name = DC01
server services = -dns
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
log level = 1 dns:3 auth_audit:3
max log size = 102400
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
ntlm auth = yes
ldap server require strong auth = no
[netlogon]
path = /var/lib/samba/sysvol/samdom.svmetal.cz/scripts
read only = No
acl_xattr:ignore system acls = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes
cat /etc/named.conf
# Global Configuration Options
options {
directory "/var/named";
notify no;
empty-zones-enable no;
allow-query { 127.0.0.1; 192.168.0.0/16; };
allow-recursion { 127.0.0.1; 192.168.0.0/16; };
forwarders { 8.8.8.8; 8.8.4.4; };
allow-transfer { none; };
dnssec-validation no;
dnssec-enable no;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/var/lib/samba/bind-dns/named.conf";
# Root Servers
zone "." {
type hint;
file "named.root";
};
# localhost zone
zone "localhost" {
type master;
file "master/localhost.zone";
};
# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
type master;
file "master/0.0.127.zone";
};
Jiri
>>> Jiří Černý 21.8.2018 9:30 >>>
Hello everyone.
In our company we have been using Samba 4 for about 3 years (classic, upgraded from
Samba 3.5 + LDAP to Sernet Samba 4.2). We used CentOS 6 for domain
controllers, and with the Bind bundled in this distro it was impossible to use
dynamic DNS updates. And because I don't like using compiled SW on
production servers, we used Samba internal DNS, which worked well
(dynamic updates).
With one non default setting - allow dns updates = nonsecure.
Because there is something wrong with our computers: some of
them can securely update their A record, but some of them cannot.
If I try to rejoin an affected computer to the domain (unjoin, delete computer
account, join again), secure update works. It's also strange, because
affected computers are Windows 7 and also Windows 10, only a few months
old. They were joined to the domain in one IP subnet and then sent to
another company unit with its own IP subnet.
I have no ability to rejoin all affected computers, so I set in smb.conf
"allow dns updates = nonsecure" - testparm shows "allow dns updates =
nonsecure and secure".
It works well and some insecurity isn't a problem in our environment.
Now we upgraded to Sernet Samba 4.8.4 on CentOS 7.5, which has Bind
built with capabilities to drive dynamic DNS updates. So after years on
internal DNS I tried to switch to Bind.
But it looks like "allow dns updates = nonsecure" doesn't work with
BIND_DLZ (which is logical, because Samba is no more acting as DNS
server).
And as I have described above, because Bind seems to accept only
secure updates, many of our computers can't update their records.
Also very interesting behavior:
A notebook with Windows 10 connects to wifi (a different IP subnet than the
subnets where the domain controllers are), and dynamic DNS update works. But
if that notebook connects to VPN (with yet another IP subnet), dynamic DNS
update fails.
So is there a possibility to force Bind to accept nonsecure updates?
Yours sincerely
Jiří Černý
System administrator
+420 775 860 300
cerny at svmetal.cz
helpdesk at svmetal.cz
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech Republic
www.svmetal.cz
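An added example, not from this thread or from the Samba project: a small Python audit of the two posted files that reports which component actually answers dynamic updates and whether unsigned (nonsecure) updates would be accepted there. The smb.conf/named.conf samples are constructed from the posted configuration, and the backend heuristics (`server services = -dns`, inclusion of bind-dns/named.conf) are this example's own assumptions about how to read them.

```python
import configparser

# Samba values of 'allow dns updates' that admit unsigned updates.
NONSECURE = {"nonsecure", "nonsecure and secure"}


def parse_smb_global(text):
    """Return the [global] section of an smb.conf as a dict (keys lowercased)."""
    # smb.conf keys may contain ':' (idmap_ldb:use rfc2307), so only '=' may
    # separate key and value; strict=False tolerates repeated keys like Samba.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {k.strip(): v.strip() for k, v in cp["global"].items()}


def dns_backend(smb_global, named_conf):
    """Heuristic (assumption): BIND_DLZ if Samba's internal DNS is disabled
    or named loads the DLZ config Samba generates; otherwise SAMBA_INTERNAL."""
    internal_disabled = "-dns" in smb_global.get("server services", "").split()
    dlz_included = "bind-dns/named.conf" in named_conf
    return "BIND_DLZ" if (internal_disabled or dlz_included) else "SAMBA_INTERNAL"


def audit(smb_conf, named_conf):
    """Return (backend, update policy, list of findings) for one DC."""
    g = parse_smb_global(smb_conf)
    backend = dns_backend(g, named_conf)
    policy = g.get("allow dns updates", "secure only").lower()
    findings = []
    if backend == "SAMBA_INTERNAL" and policy in NONSECURE:
        findings.append("internal DNS accepts unsigned updates: any host that can "
                        "reach the DC on port 53 may rewrite records in the zone")
    if backend == "BIND_DLZ":
        if policy in NONSECURE:
            findings.append("'allow dns updates' is not applied by the BIND_DLZ backend; "
                            "BIND authorizes updates itself (GSS-TSIG), as the thread observes")
        if "tkey-gssapi-keytab" not in named_conf:
            findings.append("named.conf lacks tkey-gssapi-keytab, so signed updates "
                            "cannot be verified and clients will fail to update")
    return backend, policy, findings


# Constructed samples mirroring the configuration posted in the thread.
SMB_CONF_BIND = """[global]
workgroup = SVMETAL
realm = samdom.svmetal.cz
server services = -dns
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
"""
NAMED_CONF = """options { tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; };
include "/var/lib/samba/bind-dns/named.conf";
"""
SMB_CONF_INTERNAL = SMB_CONF_BIND.replace("server services = -dns\n", "")

if __name__ == "__main__":
    print(audit(SMB_CONF_BIND, NAMED_CONF))   # BIND_DLZ host from the thread
    print(audit(SMB_CONF_INTERNAL, ""))        # same DC with internal DNS
```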