[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Rowland Penny rpenny at samba.org
Tue Aug 21 14:57:42 UTC 2018

On Tue, 21 Aug 2018 16:30:42 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> > So you never read this:
> > https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC
> > Which means that you probably never ran the aptly named
> > 'samba_upgradedns'
> Of course I ran this. Many times. I'm not stupid, Rowland. At least I
> can read :D

I never said you were stupid, but I asked how you upgraded to Bind9 and
you never mentioned 'samba_upgradedns'

> If I've seen that Bind doesn't work,

Where ?? It has worked faithfully for me for the last 5 1/2 years. 

> But it's nothing new, that errors I've seen from 4.2 until now.

OK, try this:

samba_dnsupdate --verbose --all-names --use-samba-tool

> > It shouldn't have been 'painful' to upgrade, you could have done an
> > in place dist-upgrade. If this is not possible, you should have
> > demoted the old one and then joined a new DC with the same IP but a
> > new name. There is another flaw in your thinking, all DC's running
> > a dns nameserver are SOA masters.
> No, you cannot upgrade CentOS 6 to 7 in place.
> And I'm sorry for the misunderstanding with SOA. Only one DC should be
> the primary server in the SOA (the very first provisioned DC), but that
> DC and all other DCs are NS for the domain zones. But if you demote that
> first DC (primary in SOA), the record for that DC will remain in the SOA.
> I tested it in a lab environment and Bind threw errors because of that.

Yes that is a pain, you need to manually remove it with samba-tool.
Not sure, but I think the latest Samba removes it when a DC is

> Moreover samba-tool domain demote leaves many things in DNS and you
> have to run samba-tool domain demote --remove-other-dead-server=
> as well. And manually delete the rest for sure. That's a pain. And I
> don't know about others, but I tested FSMO transfer on 4.7 (both DCs)
> and also 4.8 (both DCs) and it also didn't perform well. I hit some
> kind of timeouts during the transfer and I had to run it 7 times to
> transfer all roles. It was really painful in our environment. But it's
> quite old (from Samba 4.2) and classicupgraded, so quite different than
> a default provision.
> Actually, I'm really glad our domain works at least with nonsecure
> internal DNS ;)

As I said, a lot of the above has been fixed in the latest Samba

> > That is where I expected them to be ;-)
> > The only thing that can change the dns records is whatever owns
> > them, it looks like whatever is trying to change the records is
> > being refused because it doesn't own them.
> Ok. But is there some insecure workaround? How does the internal
> server do that with the "nonsecure" options? As I wrote in the first
> mail, I have no problem with forcing Bind to do things insecurely.
> Jiri

Not sure about that, do your DC's point to themselves as their first
nameserver or another DC ?
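As an added example, not from this thread or from the Samba project: a small shell check for the stale SOA-primary / NS problem Jiří describes after demoting the first DC. It parses the zone-apex records as printed by `samba-tool dns query <server> <zone> @ ALL` (output format assumed; the sample below is constructed) and lists any entry that still names a host which is no longer a DC.

```shell
#!/bin/sh
# Check for NS / SOA-primary entries at the zone apex that name a host
# which is no longer a DC (what a demote can leave behind).
# Input format assumed from 'samba-tool dns query <server> <zone> @ ALL';
# the sample in demo_check below is constructed.

# stale_zone_servers FILE LIVE_DC_FQDN...
# Prints "NS=host" / "SOA=host" for every apex entry whose host is not in
# the live-DC list (space separated), or an empty line if all are current.
stale_zone_servers() {
    file="$1"; shift
    live=" $* "
    stale=""
    # NS line:  "NS: dc1.example.com. (flags=..., serial=..., ttl=...)"
    # SOA line: "SOA: serial=..., ..., ns=dc1.example.com., email=... (...)"
    names=$(grep -E '^[[:space:]]*(NS|SOA):' "$file" \
        | sed -nE 's/.*NS: ([^ ]+)\..*/NS=\1/p; s/.*ns=([^,]+)\.,.*/SOA=\1/p')
    for entry in $names; do
        host=${entry#*=}
        case "$live" in
            *" $host "*) ;;                 # host is still a DC
            *) stale="$stale$entry " ;;     # left behind by a demote
        esac
    done
    printf '%s\n' "${stale% }"
}

# Constructed scenario: zone example.com after dc1 (the first DC) was
# demoted and only dc2 remains. Returns the stale apex entries.
demo_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
  Name=, Records=3, Children=0
    NS: dc1.example.com. (flags=600000f0, serial=110, ttl=900)
    NS: dc2.example.com. (flags=600000f0, serial=110, ttl=900)
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.example.com., email=hostmaster.example.com. (flags=600000f0, serial=110, ttl=3600)
EOF
    stale_zone_servers "$tmp" dc2.example.com
    rm -f "$tmp"
}

demo_check   # prints: NS=dc1.example.com SOA=dc1.example.com
```

Anything it flags is a candidate for cleanup with samba-tool dns against a live DC, which is the manual removal step mentioned above.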
