[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Jiří Černý cerny at svmetal.cz
Wed Aug 22 14:26:14 UTC 2018


I just tested samba_dnsupdate --verbose --all-names on our test domain:
Samba 4.8.2 from Tranquil IT on CentOS 7 with its BIND 9.9.4.

And it just works.
But with the internal DNS it threw
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
the same as in the production domain.

So you are right, Rowland, it's a problem with the BIND - Samba
communication. But I don't know why it's OK in the test environment.
It's a practically empty domain, though: 2 DCs, 3 client machines. So
there are many differences.



>>> Jiří Černý 22.8.2018 15:47 >>>
> Yes, it is a failure, but a failure of the script, it shouldn't
> print all those Python errors, it should print something like 'No update
> required' for each attempted update and then 'No updates required'

Yes, I understand. samba_dnsupdate --verbose --all-names
--use-samba-tool gave reasonable output. But samba_dnsupdate --verbose
--all-names just throws
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
which looks more serious.

> What it does show is that it isn't a Samba problem, but something to
> do with the interaction of Bind9 and Samba AD.
I get the same errors with the Samba internal DNS, so I don't think it
is BIND related. Or maybe I don't understand you, sorry.

> It is your decision, but I wouldn't allow anything to
> change /etc/resolv.conf on a DC.
>
> I can only speak about my experience with the order of
> nameservers in /etc/resolv.conf. All my DCs have their IP address as
> the first nameserver, followed by the other DCs. I never add any
> nameservers outside the domain, this is what 'forwarders' is for. I
> also never add a 'domain' line.
> With a DC based on the above, I have never experienced 'islanding'

All DCs have a static IP configuration, but it's done by nmtui. I never
had a problem with this on the many CentOS 7 servers I manage.
I changed all DCs to point to themselves first, then to the others. And
I also deleted the domain search line, as you recommend.

Jiri
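The resolv.conf layout Rowland describes above (own address first, then the other DCs, no outside nameservers, no 'domain' line) is easy to check mechanically before touching DNS updates. The script below is an added example, not code from the thread or from Samba; the file paths, the IP addresses 192.0.2.11/192.0.2.12 and 8.8.8.8, and the function name check_resolv_conf are all made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a DC's
# /etc/resolv.conf follows the ordering recommended in the discussion:
# the DC's own address first, the other DCs next, no nameservers outside
# the domain, and no 'domain' line. All IP addresses below are invented.

# check_resolv_conf FILE SELF_IP "OTHER_DC_IPS..."
# Prints one PROBLEM line per finding; returns 0 only if the file is clean.
check_resolv_conf() {
    file=$1
    self=$2
    others=$3
    rc=0

    # A 'domain' line is what Rowland says he never adds on a DC.
    if grep -Eq '^[[:space:]]*domain[[:space:]]' "$file"; then
        echo "PROBLEM: 'domain' line present"
        rc=1
    fi

    # Collect nameserver entries in file order; comments and blanks drop out.
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")
    if [ -z "$servers" ]; then
        echo "PROBLEM: no nameserver entries"
        return 1
    fi

    # The DC must resolve against itself first.
    first=$(printf '%s\n' "$servers" | head -n 1)
    if [ "$first" != "$self" ]; then
        echo "PROBLEM: first nameserver is $first, expected own address $self"
        rc=1
    fi

    # Every nameserver must be this DC or another DC of the domain.
    # Anything else is an upstream resolver that belongs in 'forwarders'.
    for ns in $servers; do
        ok=0
        for dc in $self $others; do
            if [ "$ns" = "$dc" ]; then
                ok=1
            fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "PROBLEM: nameserver $ns is not a DC of this domain"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: one following the recommended layout, one with
# a 'domain' line, an outside resolver first, and the DC's own IP last.
good=$(mktemp)
bad=$(mktemp)
cat > "$good" <<'EOF'
search example.lan
nameserver 192.0.2.11
nameserver 192.0.2.12
EOF
cat > "$bad" <<'EOF'
domain example.lan
nameserver 8.8.8.8
nameserver 192.0.2.12
nameserver 192.0.2.11
EOF

check_resolv_conf "$good" 192.0.2.11 "192.0.2.12" && echo "good: OK"
check_resolv_conf "$bad"  192.0.2.11 "192.0.2.12" || echo "bad: problems found"
rm -f "$good" "$bad"
```

On a real DC you would run check_resolv_conf against /etc/resolv.conf with the DC's own address and the addresses of the other DCs; a non-zero return means the file differs from the layout described in the quoted advice and is worth fixing before chasing samba_dnsupdate errors.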

