[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Rowland Penny rpenny at samba.org
Tue Aug 21 13:11:06 UTC 2018


On Tue, 21 Aug 2018 14:37:27 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> > There doesn't seem anything wrong there, the only comment I would
> > make, is '/var/lib/samba/bind-dns/named.conf' pointing to the
> > correct version of named ?
> 
> 
> > How did you change to using Bind9 ?
> It was a very painful journey to migrate Samba from CentOS 6 to CentOS
> 7. I had to preserve IP addresses of DCs because we have many static
> IP configured devices which use Samba DCs as DNS servers. So after
> that one DC is brand new (hostname and IP), second DC is "half" new
> (new hostname but original IP) and third DC - master in SOA of DNS
> zones, FSMO owner is just copied over from CentOS 6 to CentOS 7. Even
> if I transferred FSMO and cleaned DNS Samba did not like it very much
> - I was unable to join it back. And so I gave it up, and I just
> copied /var/lib/samba. I have been very careful to take care not to
> damage Samba database, so every time I made changes on DCs I first stopped
> Samba AD service on all DCs, then made snapshots of those VMs and then
> started them again. So everything was consistent. But maybe something
> went wrong during this process. But it's very interesting, that
> nonsecure dynamic DNS works with internal DNS with all clients and
> secure ones with only several clients, but also with Bind. Secure DNS
> updates never worked well in our environment. I made some tests in
> time after upgrading from Samba 3 in 2015 which resulted in setting
> option "nonsecure" in smb.conf.

So you never read this:

https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC

Which means that you probably never ran the aptly named
'samba_upgradedns'

It shouldn't have been 'painful' to upgrade, you could have done an in
place dist-upgrade. If this is not possible, you should have demoted
the old one and then joined a new DC with the same IP but a new name.
There is another flaw in your thinking, all DCs running a DNS
nameserver are SOA masters.

> 
> We can live with internal DNS as we have lived with the previous
> three years, but I was curious about why the Bind could not work too.
> 
> 
> > Please post the log where an update fails.
> There is nothing in /var/log/samba/log.samba even with "log level =
> dns:10".
> 
> From /var/log/messages:
> Aug 21 14:22:08 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
> Aug 21 14:22:08 dc03x named[15860]: client 192.168.45.26#63596: update 'samdom.svmetal.cz/IN' denied
> Aug 21 14:22:08 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz
> 

That is where I expected them to be ;-)
The only thing that can change the DNS records is whatever owns them.
It looks like whatever is trying to change the records is being refused
because it doesn't own them.

Rowland
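A small triage script for the refusal Rowland describes, added here as an example (it is not from the thread, Samba or BIND): it reads constructed /var/log/messages lines in the format Jiří quoted and tallies which client was denied an update to which zone, and how many samba_dlz transactions BIND cancelled as a result, so an admin can see which hosts are failing secure updates before deciding whether to relax the update policy. The second client address, 192.168.45.30, is constructed.

```python
import re
from collections import Counter

# Message shapes exactly as quoted in the thread (BIND + samba_dlz).
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/IN' denied"
)
DLZ_RE = re.compile(
    r"named\[\d+\]: samba_dlz: (?P<action>starting|cancelling) "
    r"transaction on zone (?P<zone>\S+)"
)

# Constructed sample, modelled on the quoted lines; the .30 client and the
# sshd line are made up to show grouping and filtering of unrelated lines.
SAMPLE_LOG = """\
Aug 21 14:22:08 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
Aug 21 14:22:08 dc03x named[15860]: client 192.168.45.26#63596: update 'samdom.svmetal.cz/IN' denied
Aug 21 14:22:08 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz
Aug 21 14:23:11 dc03x sshd[1200]: Accepted publickey for admin from 192.168.45.5 port 50122
Aug 21 14:23:40 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
Aug 21 14:23:40 dc03x named[15860]: client 192.168.45.30#49211: update 'samdom.svmetal.cz/IN' denied
Aug 21 14:23:40 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz
Aug 21 14:25:02 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
Aug 21 14:25:02 dc03x named[15860]: client 192.168.45.26#63601: update 'samdom.svmetal.cz/IN' denied
Aug 21 14:25:02 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz
"""


def summarize_denied_updates(log_text):
    """Return ({(zone, client_ip): denied_count}, {zone: cancelled_count}).

    A denied update is BIND refusing the client's request; the matching
    samba_dlz 'cancelling' line is the transaction it had opened being
    rolled back, which is why nothing changes in the Samba DNS zone.
    """
    denied, cancelled = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denied[(m["zone"], m["ip"])] += 1
            continue
        m = DLZ_RE.search(line)
        if m and m["action"] == "cancelling":
            cancelled[m["zone"]] += 1
    return dict(denied), dict(cancelled)


if __name__ == "__main__":
    denied, cancelled = summarize_denied_updates(SAMPLE_LOG)
    for (zone, ip), n in sorted(denied.items()):
        print(f"{zone}: {ip} denied {n} update(s)")
    for zone, n in cancelled.items():
        print(f"{zone}: {n} samba_dlz transaction(s) cancelled")
```

Run it against the real file with `summarize_denied_updates(open('/var/log/messages').read())`; clients that appear repeatedly are the ones whose update credentials (or lack of them) need checking on the client side.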
