[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Jiří Černý cerny at svmetal.cz
Tue Aug 21 12:37:27 UTC 2018


> There doesn't seem anything wrong there, the only comment I would make,
> is '/var/lib/samba/bind-dns/named.conf' pointing to the correct version
> of named ?

Yes
cat /var/lib/samba/bind-dns/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
};

named -V
BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version) <id:8f9657aa> built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-tuning=large' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
using OpenSSL version: OpenSSL 1.0.2k  26 Jan 2017
using libxml2 version: 2.9.1


> How did you change to using Bind9 ?
It was a very painful journey to migrate Samba from CentOS 6 to CentOS 7. I had to preserve the IP addresses of the DCs because we have many devices with static IP configuration which use the Samba DCs as DNS servers. So after that, one DC is brand new (hostname and IP), the second DC is "half" new (new hostname but original IP) and the third DC - master in the SOA of the DNS zones, FSMO owner - is just copied over from CentOS 6 to CentOS 7. Even if I transferred FSMO and cleaned DNS, Samba did not like it very much - I was unable to join it back. And so I gave up, and I just copied /var/lib/samba.
I have been very careful not to damage the Samba database, so every time I made changes on the DCs I first stopped the Samba AD service on all DCs, then made snapshots of those VMs and then started them again. So everything was consistent.
But maybe something went wrong during this process. But it's very interesting that nonsecure dynamic DNS works with the internal DNS with all clients and secure updates with only several clients, but also with Bind.
Secure DNS updates never worked well in our environment. I made some tests after upgrading from Samba 3 in 2015 which resulted in setting the option "nonsecure" in smb.conf.

We can live with the internal DNS as we have for the previous three years, but I was curious about why Bind could not work too.


> Please post the log where an update fails.
There is nothing in /var/log/samba/log.samba even with "log level = dns:10".

From /var/log/messages:
Aug 21 14:22:08 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
Aug 21 14:22:08 dc03x named[15860]: client 192.168.45.26#63596: update 'samdom.svmetal.cz/IN' denied
Aug 21 14:22:08 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz

systemctl status named:
srp 21 14:22:08 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
srp 21 14:22:08 dc03x named[15860]: client 192.168.45.26#63596: update 'samdom.svmetal.cz/IN' denied
srp 21 14:22:08 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz

> Rowland

Jiri
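Added example for the first question Rowland raises (does named.conf load the dlz_bind9 module that matches the installed BIND?); this is not code from the thread, from Samba or from BIND. It uses the version-to-module mapping from the named.conf comments quoted above, the module name is read from the first uncommented `database "dlopen ..."` line, and the sample config at the end is constructed to mirror the quoted one.

```sh
#!/bin/sh
# Added example (not Samba's or BIND's own tooling): verify that the
# dlz_bind9 module loaded by named.conf matches the running BIND 9.x minor.

# Map a `named -V` version line to the Samba DLZ module built for it.
# The mapping follows the comments in the named.conf quoted in the thread
# (9.8 -> dlz_bind9.so, 9.9/9.10/9.11 -> dlz_bind9_<minor>.so); any other
# version is reported as unknown (return 1) rather than guessed.
expected_dlz_module() {
    minor=$(printf '%s\n' "$1" | sed -n 's/^BIND 9\.\([0-9][0-9]*\)\..*/\1/p')
    case "$minor" in
        8)       echo dlz_bind9.so ;;
        9|10|11) echo "dlz_bind9_${minor}.so" ;;
        *)       return 1 ;;
    esac
}

# Basename of the module on the first *uncommented*
# `database "dlopen /path/module.so";` line of a named.conf-style file.
# Commented-out alternatives (lines starting with #) are skipped.
active_dlz_module() {
    sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' "$1" \
        | head -n 1 | sed 's#.*/##'
}

# Compare the two; exit status 0 = consistent, 1 = mismatch/missing, 2 = unknown BIND.
check_dlz_config() {
    want=$(expected_dlz_module "$1") || { echo "UNKNOWN: no DLZ module known for '$1'"; return 2; }
    have=$(active_dlz_module "$2")
    [ -n "$have" ] || { echo "MISSING: no active dlopen database line in $2"; return 1; }
    [ "$have" = "$want" ] && { echo "OK: $2 loads $have, matching '$1'"; return 0; }
    echo "MISMATCH: $2 loads $have but '$1' needs $want"
    return 1
}

# Constructed sample config mirroring the thread's layout (9.9 line active).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
};
EOF

check_dlz_config 'BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version)' "$SAMPLE_CONF"
check_dlz_config 'BIND 9.11.4-P2' "$SAMPLE_CONF"   # reports MISMATCH
# On a DC: check_dlz_config "$(named -V | head -n 1)" /var/lib/samba/bind-dns/named.conf
```

A mismatch here explains a module that fails to load at all, not an "update denied" on a loaded module, so a clean result rules this cause out before looking at the update policy.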

