[Samba] Is possible use BIND9 as DNS Back End on a new Samba DC?

Igor Sousa igorvolt at gmail.com
Wed Apr 17 20:45:50 UTC 2019


Rowland,

I've done almost all the permission changes; I had forgotten the bind-dns
directory. Now the named service still doesn't start, and journalctl -xe
showed me that this occurs because of permission denied when loading
dlz_bind9_9.so. I've checked, and both the lib and the directory
/usr/local/samba/lib/bind9/ have execute permission for the named group.
Below are the output of the ls command, journalctl -xe and /etc/named.conf.
In my Samba, the dns.keytab isn't in /usr/local/samba/bind-dns/. This file is
in /usr/local/samba/private/ and I point to it in /etc/named.conf as said at
"Setting up Dynamic DNS Updates Using Kerberos" in "BIND9 DLZ DNS Back End".

[root at newdc ~]# ls -lad /usr/local/samba/bind-dns/
drwxrwx---. 3 root named 4096 Apr 17 17:04 /usr/local/samba/bind-dns/

[root at newdc ~]# ls -la /usr/local/samba/bind-dns/
total 24
drwxrwx---.  3 root named 4096 Apr 17 17:05 .
drwxr-xr-x. 12 root root  4096 Nov 29 19:46 ..
drwxrwx---.  3 root named 4096 Apr 17 11:29 dns
-rw-r--r--.  1 root named  830 Apr 17 11:29 named.conf
-r--r--r--.  1 root root   331 Apr 17 15:05 named.conf.update
-rw-r--r--.  1 root root  2096 Apr 17 11:29 named.txt

[root at newdc ~]# ls -lad /usr/local/samba/lib/bind9/
drwxr-xr-x. 2 root named 4096 Apr 16 17:44 /usr/local/samba/lib/bind9/

[root at newdc ~]# ls -la /usr/local/samba/lib/bind9/
total 308
drwxr-xr-x.  2 root named  4096 Apr 16 17:44 .
drwxr-xr-x. 15 root root   4096 Apr 16 17:44 ..
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_10.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_11.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_12.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9_9.so
-rwxr-xr-x.  1 root named 59648 Apr 16 17:43 dlz_bind9.so

[root at newdc ~]# ls -lad /usr/local/samba/private/
drwx------. 7 root root 4096 Apr 17 15:05 /usr/local/samba/private/

[root at newdc ~]# ls -la /usr/local/samba/private/
total 10988
drwx------.  7 root root     4096 Apr 17 15:05 .
drwxr-xr-x. 12 root root     4096 Nov 29 19:46 ..
-rw-r-----.  1 root named     722 Apr 17 11:29 dns.keytab
-rw-r--r--.  1 root root     3663 Apr 17 11:29 dns_update_list
-rw-------.  1 root root       16 Apr 17 11:29 encrypted_secrets.key
-rw-------.  1 root root  1286144 Apr 17 11:29 hklm.ldb
-rw-------.  1 root root  1286144 Apr 17 15:05 idmap.ldb
-rw-r--r--.  1 root root       91 Apr 17 11:29 krb5.conf
srwxrwxrwx.  1 root root        0 Apr 17 15:05 ldapi
drwxr-x---.  2 root root     4096 Apr 17 15:05 ldap_priv
drwx------.  2 root root     4096 Apr 17 17:20 msg.sock
-rw-------.  1 root root     8888 Apr 17 15:05 netlogon_creds_cli.tdb
-rw-------.  1 root root  1286144 Apr 17 11:29 privilege.ldb
-rw-------.  1 root root  4247552 Apr 17 11:29 sam.ldb
drwx------.  2 root root     4096 Apr 17 11:29 sam.ldb.d
-rw-------.  1 root root      696 Apr 17 15:05 schannel_store.tdb
-rw-------.  1 root root     1052 Apr 17 11:29 secrets.keytab
-rw-------.  1 root root  1286144 Apr 17 11:29 secrets.ldb
-rw-------.  1 root root   499712 Apr 17 15:05 secrets.tdb
-rw-------.  1 root root  1286144 Apr 17 11:29 share.ldb
drwxr-xr-x.  2 root root     4096 Apr 17 15:05 smbd.tmp
-rw-r--r--.  1 root root      955 Apr 17 11:29 spn_update_list
drwxr-xr-x.  2 root root     4096 Apr 17 15:05 tls


[root at newdc ~]# journalctl -xe
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv4) (type 2) DB not
available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv4) (type 6) DB not
available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv6) (type 30) DB not
available
Apr 17 17:43:08 newdc named[6011]: GeoIP City (IPv6) (type 31) DB not
available
Apr 17 17:43:08 newdc named[6011]: GeoIP Region (type 3) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Region (type 7) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP ISP (type 4) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Org (type 5) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP AS (type 9) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP Domain (type 11) DB not available
Apr 17 17:43:08 newdc named[6011]: GeoIP NetSpeed (type 10) DB not available
Apr 17 17:43:08 newdc named[6011]: using default UDP/IPv4 port range:
[1024, 65535]
Apr 17 17:43:08 newdc named[6011]: using default UDP/IPv6 port range:
[1024, 65535]
Apr 17 17:43:08 newdc named[6011]: listening on IPv4 interface lo,
127.0.0.1#53
Apr 17 17:43:08 newdc named[6011]: listening on IPv4 interface eth0,
10.41.20.115#53
Apr 17 17:43:08 newdc named[6011]: generating session key for dynamic DNS
Apr 17 17:43:08 newdc named[6011]: sizing zone task pool based on 3 zones
Apr 17 17:43:08 newdc named[6011]: Loading 'AD DNS Zone' using driver dlopen
Apr 17 17:43:08 newdc named[6011]: dlz_dlopen failed to open library
'/usr/local/samba/lib/bind9/dlz_bind9_9.so' -
/usr/local/samba/lib/bind9/dlz_bind9_9.so: cannot open shared object file:
Permission denied
Apr 17 17:43:08 newdc named[6011]: dlz_dlopen of 'AD DNS Zone' failed
Apr 17 17:43:08 newdc kernel: named[6012]: segfault at a8 ip
0000556333f0e299 sp 00007f66404c7320 error 4 in named[556333e9e000+88000]
Apr 17 17:43:08 newdc systemd[1]: named.service: control process exited,
code=exited status=1
Apr 17 17:43:08 newdc systemd[1]: Failed to start Berkeley Internet Name
Domain (DNS).
-- Subject: Unit named.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit named.service has failed.
-- 
-- The result is failed.


[root at newdc ~]# cat /etc/named.conf
#Global Configuration Options
options {

    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    # Dynamic DNS
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        172.16.0.0/16;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        172.16.0.0/16;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        172.16.20.211;
        172.16.20.212;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };
 };

# Root Servers
# (Required for recursive DNS queries)
zone "." {
   type hint;
   file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/usr/local/samba/bind-dns/named.conf";


--
Igor Sousa
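An added check, not from this thread, for the "cannot open shared object file: Permission denied" error above: named needs the search (x) bit on every directory from / down to the module and the read (r) bit on the .so itself, and the listings in the mail only show the last two levels. The script walks each component of a path and reports the first one the invoking user cannot pass; it assumes nothing about the host beyond POSIX sh and a Unix-like permission model.

```shell
#!/bin/sh
# check_path_access PATH
# Walks every component of PATH from / downward, printing the ls -ld line for
# each one, and stops at the first component the *current* user cannot pass:
# directories need the search (x) bit, the final file needs the read (r) bit.
# Exit status: 0 when every component is accessible, 1 otherwise.
check_path_access() {
    target=$1
    rest=${target#/}
    cur=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        # Skip empty components produced by doubled or trailing slashes.
        [ -z "$comp" ] && continue
        cur="$cur/$comp"
        ls -ld -- "$cur" 2>/dev/null || { echo "MISSING: $cur"; return 1; }
        if [ -d "$cur" ]; then
            [ -x "$cur" ] || { echo "DENIED: $(id -un) has no search (x) bit on $cur"; return 1; }
        else
            [ -r "$cur" ] || { echo "DENIED: $(id -un) has no read (r) bit on $cur"; return 1; }
        fi
    done
    echo "OK: $(id -un) can reach $target"
    return 0
}

# Example invocation with the path from the named log above (hypothetical usage):
#   runuser -u named -- sh check_path_access.sh /usr/local/samba/lib/bind9/dlz_bind9_9.so
if [ $# -gt 0 ]; then
    check_path_access "$1"
fi
```

Run it as the service account (e.g. via runuser -u named), because root bypasses mode bits and every test passes. If it reports OK for named but the module still fails with EACCES, the trailing "." on the mode strings in the listings means an SELinux context is set, and ausearch -m avc -ts recent will show whether the loader was denied there.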


On Wed, 17 Apr 2019 at 16:03, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 17 Apr 2019 15:02:04 -0300
> Igor Sousa <igorvolt at gmail.com> wrote:
>
> > Rowland,
> >
> > My configure line is ./configure --enable-debug --enable-selftest
> > --with-systemd.
> >
> > An hour ago, I ignored the inconsistency that I reported in the first
> > e-mail of this topic and I proceeded as described at topic "Joining a
> > Samba DC to an Existing Active Directory" and I joined the new DC with
> > the command:
> >
> > samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator"
> > --dns-backend=BIND9_DLZ
> >
> > I've looked at the command output and the new DC seemingly joined to
> > mydomain.com. I've checked out /usr/local/samba/bind-dns/named.conf
> > and, now, there is this file. But, when I've added 'include
> > "/usr/local/samba/bind-dns/named.con"' into my BIND named.conf file,
> > the named service has not started.
> >
> > I've got the following journalctl -xe output, in which it said
> > "/etc/named.conf:59: open: /usr/local/samba/bind-dns/named.conf:
> > permission denied". The file exists and I've tried to change the
> > permissions of this file to be owned by root:named, but journalctl -xe
> > still shows the same error.
> >
>
> The permissions should be:
>
> ls -lad /usr/local/samba/bind-dns/
> drwxrwx---. 3 root named 70 Apr 17 16:39 /usr/local/samba/bind-dns/
>
> ls -la /usr/local/samba/bind-dns/
>
> drwxrwx---.  3 root named   38 Apr 17 16:39 dns
> -rw-r-----.  2 root named  797 Apr 17 16:39 dns.keytab
> -rw-r--r--.  1 root root   830 Apr 17 16:39 named.conf
> -rw-r--r--.  1 root root  2096 Apr 17 16:39 named.txt
>
> Can you post /etc/named.conf
>
> Rowland
>
