[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Jiří Černý cerny at svmetal.cz
Fri Aug 24 08:16:28 UTC 2018

Hello, everyone.

To recapitulate the results of our research:
1) I can confirm Samba 4.8 and Bind 9.9.4 (distribution package) on CentOS 7 (tested on 7.5) work even with dynamic DNS updates, without any additional fixes or the need to recompile the Bind package.
I think it will also work on other RHEL 7 clones, so we should update the Wiki page: https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates

2) There is something terribly wrong with our domain. Specifically, dynamic DNS updates with Bind 9 DLZ. But I do not know when, and if, it ever worked in our environment.
It passes every test I can find on the wiki; only the Bind 9 DLZ dynamic updates (nsupdate-driven) do not work.
It looks like there are some permissions inside the Samba databases which don't work, but I can't say how to find them.

So, my updated question:
Is it possible to trace where the problem is? Any debug hints?
And is it even possible to fix that? If not, what can I do? We have too many users and computers and I can't start a new domain from scratch. Rejoining the computers is OK, but I have to preserve the users' SIDs and even the domain SID because of the permissions on their Windows profiles.
Or would it be a solution to build a new domain, set up a trust relationship between the old and new domains, and migrate users one by one? But I am afraid that Samba's trust code does not have enough capabilities to do this (such a solution would require a domain user of one domain to be a member of a group in the second domain) in a mixed Windows and Linux/Winbind environment (see https://bugzilla.samba.org/show_bug.cgi?id=13300).
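
One way to trace a failing nsupdate-driven update, as an added example that is not part of the thread and not Samba's or BIND's own tooling (it only calls nsupdate, rndc and samba-tool): sign a single A-record update with the machine account's Kerberos ticket (GSS-TSIG, `nsupdate -g`), raise named's debug level around it, and then summarise what named and the samba_dlz module logged about the attempt. The DC name dc1.example.com, the domain example.com, the log path /var/log/named/named.log, the principal `PC01$` and the DN layout are hypothetical; the log lines in SAMPLE_LOG are constructed to show the three outcomes the parser distinguishes (samba_dlz allowed, samba_dlz disallowed with the NT status it gave, named refused). It assumes named.conf routes the `update`, `update-security` and `general` categories to that log with print-category and print-severity enabled.

```shell
#!/usr/bin/env bash
# Added diagnostic example, not from the thread. Traces a GSS-TSIG dynamic update
# against a Samba AD DC running BIND9 with the DLZ backend and summarises the
# allow/deny decisions named and samba_dlz wrote to the log.
set -u

DOMAIN="${DOMAIN:-example.com}"                    # hypothetical AD DNS domain
DC="${DC:-dc1.example.com}"                        # hypothetical DC running named
BIND_LOG="${BIND_LOG:-/var/log/named/named.log}"   # hypothetical path for named's update/update-security/general categories

# The nsupdate batch a client effectively sends when refreshing its own A record:
# delete the old RRset, add the new one, send.
build_nsupdate_script() {   # $1 = fqdn, $2 = IPv4 address
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s 3600 A %s\nsend\n' \
        "$DC" "$DOMAIN" "$1" "$1" "$2"
}

# Summarise update outcomes from named's log on stdin:
#   allowed - samba_dlz accepted the signed update
#   denied  - samba_dlz refused it; each distinct signer/NT-status pair is listed
#   refused - named itself refused the update (zone ACL or "rejected by secure update")
classify_dlz_log() {
    awk '
      /samba_dlz: allowing update/ { allowed++; next }
      /samba_dlz: disallowing update/ {
          denied++; signer = "?"; err = "?"
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^signer=/) signer = substr($i, 8)
              if ($i ~ /^error=/)  err    = substr($i, 7)
          }
          reasons[signer " " err]++; next
      }
      /update failed: rejected by secure update|update .* denied/ { refused++; next }
      END {
          printf "allowed=%d denied=%d refused=%d\n", allowed, denied, refused
          for (k in reasons) printf "reason %s x%d\n", k, reasons[k]
      }' | LC_ALL=C sort
}

# Constructed sample (not a real capture) of what named logs for three clients.
SAMPLE_LOG="$(printf '%s\n' \
  "24-Aug-2018 10:01:02.123 update-security: info: client 192.0.2.10#49152: update 'example.com/IN' denied" \
  "24-Aug-2018 10:01:05.456 general: info: samba_dlz: disallowing update of signer=PC01\$@EXAMPLE.COM name=pc01.example.com type=A error=NT_STATUS_ACCESS_DENIED" \
  "24-Aug-2018 10:01:09.789 general: info: samba_dlz: allowing update of signer=PC02\$@EXAMPLE.COM name=pc02.example.com tcpaddr=192.0.2.11 type=A key=1" \
  "24-Aug-2018 10:01:12.000 update: info: client 192.0.2.12#49153: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED)")"

summarise_sample() { printf '%s\n' "$SAMPLE_LOG" | classify_dlz_log; }

# Live trace: run as root on the DC, with the client's keytab available to kinit.
trace_update_live() {   # $1 = fqdn being updated, $2 = its IP, $3 = keytab principal, e.g. 'PC01$'
    kinit -k "$3"                                      # machine-account ticket from the default keytab
    rndc trace 3                                       # raise named's debug level for the exchange
    mark=$(wc -l < "$BIND_LOG")
    build_nsupdate_script "$1" "$2" | nsupdate -g -d   # -g = GSS-TSIG, -d = print the TKEY/update exchange
    rndc notrace                                       # back to debug level 0
    tail -n +"$((mark + 1))" "$BIND_LOG" | classify_dlz_log
    # Cross-check the record Samba holds and the ACL it evaluated (hypothetical DN layout).
    samba-tool dns query "$DC" "$DOMAIN" "$1" A -k yes
    samba-tool dsacl get --objectdn="DC=${1%%.*},DC=$DOMAIN,CN=MicrosoftDNS,DC=DomainDnsZones,$(printf 'DC=%s' "$DOMAIN" | sed 's/\./,DC=/g')"
}

if [ "${1:-}" = "live" ]; then
    trace_update_live "$2" "$3" "$4"
else
    summarise_sample
fi
```

Run it without arguments to see the summary of the constructed sample; run `./trace.sh live pc01.example.com 192.0.2.10 'PC01$'` on the DC to trace a real update. A `disallowing update ... error=NT_STATUS_ACCESS_DENIED` line names the signer that samba_dlz rejected, which points at the ACL on that record's object under DomainDnsZones rather than at named's configuration; a bare `update ... denied` with no samba_dlz line at all means named never handed the update to the DLZ module.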

