[Samba] Workstations cannot update DNS

Rowland penny rpenny at samba.org
Wed May 15 19:26:39 UTC 2019


On 15/05/2019 20:11, durwin at mgtsciences.com wrote:
> > > 
> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
> > >
> > > selinux is not installed.
> > > Firewall is not active.
> > > iptables is not active.
> > The problem appears to have something to do with Apparmor.
> > >
> > > From that page,
> > > BIND process has read access to the following files
> > > /var/lib/samba/private/dns.keytab
> > > /var/lib/samba/private/named.conf  # THIS DOES NOT EXIST
> >
> > OK, but I do not remember you saying which version of Samba you are
> > using, later versions now use the path '/var/lib/samba/bind-dns' instead
> > of '/var/lib/samba/private'
>
> I am using Bind9 on Ubuntu 18.04
> Ok, I verified permissions on /var/lib/samba/bind-dns.
>
> >
> > >
> > > as well read-write access to the
> > > /var/lib/samba/private/dns/        # THIS DOES NOT EXIST
> > > directory and its own zone file(s).
> > >
> > > this is in /etc/apparmor.d/usr.sbin.named.
> > >   # /etc/bind should be read-only for bind
> > >   # /var/lib/bind is for dynamically updated zone (and journal) files.
> > >   # /var/cache/bind is for slave/stub data, since we're not the origin of it.
> > >   # See /usr/share/doc/bind9/README.Debian.gz
> > >   /etc/bind/** r,
> > >   /var/lib/bind/** rw,
> > >   /var/lib/bind/ rw,
> > >   /var/cache/bind/** lrw,
> > >   /var/cache/bind/ rw,
> > >
> > >   # gssapi
> > >   /etc/krb5.keytab kr,
> > >   /etc/bind/krb5.keytab kr,
> > >   /var/lib/samba/lib/** rm,
> > >   /var/lib/samba/private/dns.keytab r,
> > >   /var/lib/samba/private/named.conf r,
> > >   /var/lib/samba/private/dns/** rwk,      # THIS DOES NOT EXIST
>
> I changed above line to.
>      /var/lib/samba/bind-dns/** rwk,
> Or should it be?
>       /var/lib/samba/bind-dns/dns/** rwk,
>
> > >   /var/lib/samba/etc/smb.conf r,
> > >
> > > I rebooted just to be sure.  However, I still get client update denied.
> > >
> > >
> > > This is in /etc/bind/
> > >
> > > drwxr-sr-x  2 root bind 4096 May 15 10:38 ./
> > > drwxr-xr-x 99 root root 4096 May  3 11:13 ../
> > > -rw-r--r--  1 root root 2761 Apr 24 04:04 bind.keys
> > > -rw-r--r--  1 root root  237 Oct 10  2018 db.0
> > > -rw-r--r--  1 root root  271 Oct 10  2018 db.127
> > > -rw-r--r--  1 root bind  615 May 10 11:28 db.172.23.93
> > Is the above your reverse zone ?
>
> The only thing I added or modified in this entire directory is
> named.conf.msi and added line,
> include "/etc/bind/named.conf.msi";
> to named.conf
> The rest you see here was not added by me.
>
> > >
> > > -rw-r--r--  1 root root  237 Oct 10  2018 db.255
> > > -rw-r--r--  1 root root  353 Oct 10  2018 db.empty
> > > -rw-r--r--  1 root root  270 Oct 10  2018 db.local
> > > -rw-r--r--  1 root root 3171 Oct 10  2018 db.root
> > > -rw-r--r--  1 root bind  499 May 10 11:12 named.conf
> > > -rw-r--r--  1 root bind  662 May 14 11:42 named.conf.default-zones
> > > -rw-r--r--  1 root bind  258 Apr 29 11:34 named.conf.local
> > > -rw-r--r--  1 root bind  193 May 14 11:44 named.conf.msi
> >
> > And is the above your forward zone ?
> >
> > If it is yes to both of the last questions, then you need to delete
> > them, you cannot use flatfiles with BIND9_DLZ
>
> Do I delete only the 'db.*' files?  Are the 'named.conf*' files in this
> location not used?  If I do delete the named.* files, what do I edit
> to add a slave domain for mycompany.com (DC domain is msi.mycompany.com)?
> The DC is master of msi.mycompany.com, another server is master of
> mycompany.com.


Your DC is authoritative for your AD domain and should only store 
records for that domain; anything else should be forwarded to a DNS 
server outside the AD domain.

I would suggest you delete these:

db.172.23.93

named.conf.msi

I think it might be a good idea if you post the contents of these files:

/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones

Rowland
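The three things this thread turns on (does the AppArmor profile let named reach Samba's DNS directory, does named.conf pull in the file Samba generates, and is the AD zone also declared as a flat file) can be checked statically before restarting anything. The script below is an added example written for this page; it is not code from the thread, from Samba or from the bind9 package. It assumes the Samba 4.8+ layout under /var/lib/samba/bind-dns (dns.keytab, named.conf and a dns/ directory), which the thread only refers to as "later versions use bind-dns instead of private", and the sample files it writes are constructed to mirror the situation described above, not the poster's real files.

```shell
#!/bin/sh
# Added example, not from the thread, Samba or bind9: static checks for a
# BIND9_DLZ DC whose workstations cannot update DNS. Assumption: Samba
# >= 4.8 layout, i.e. /var/lib/samba/bind-dns/{dns.keytab,named.conf,dns/}.
set -u

SAMBA_DNS_DIR=/var/lib/samba/bind-dns
AD_ZONE=msi.mycompany.com        # the DC's domain as given in the thread

# Escape the characters in AppArmor paths that are also regex metacharacters.
re_escape() { printf '%s' "$1" | sed 's/[.*]/\\&/g'; }

# has_rule FILE PATH PERMS: 0 if FILE has an uncommented rule for exactly
# PATH whose permission set contains every letter of PERMS.
has_rule() {
    pat=$(re_escape "$2")
    line=$(sed 's/#.*//' "$1" |
           grep -E "^[[:space:]]*${pat}[[:space:]]+[a-z]+,") || return 1
    mode=$(printf '%s\n' "$line" | head -n1 |
           sed -E 's/.*[[:space:]]([a-z]+),.*/\1/')
    for p in $(printf '%s' "$3" | sed 's/./& /g'); do
        case $mode in *"$p"*) ;; *) return 1 ;; esac
    done
    return 0
}

# apparmor_grants PROFILE: 0 if named may read the keytab and Samba's
# named.conf and read/write/lock the dns/ tree. The three exact rules or
# the broad "bind-dns/** rwk" asked about in the thread both satisfy this;
# the broad one also grants write on the keytab, so the three are tighter.
apparmor_grants() {
    { has_rule "$1" "$SAMBA_DNS_DIR/dns.keytab" r &&
      has_rule "$1" "$SAMBA_DNS_DIR/named.conf" r &&
      has_rule "$1" "$SAMBA_DNS_DIR/dns/**" rwk; } ||
    has_rule "$1" "$SAMBA_DNS_DIR/**" rwk
}

# includes_samba_conf FILE: 0 if FILE itself (includes are not followed)
# pulls in the named.conf Samba generates, which loads the DLZ module.
includes_samba_conf() {
    pat=$(re_escape "$SAMBA_DNS_DIR/named.conf")
    sed 's|//.*||' "$1" |
        grep -Eq "^[[:space:]]*include[[:space:]]+\"${pat}\"[[:space:]]*;"
}

# has_flat_zone FILE ZONE: 0 if FILE declares ZONE with a 'file' statement,
# i.e. a flat-file zone, which cannot coexist with the DLZ-served AD zone.
has_flat_zone() {
    pat=$(re_escape "$2")
    sed 's|//.*||' "$1" | tr '\n' ' ' |
        grep -Eq "zone[[:space:]]+\"${pat}\"[[:space:]]*\{[^}]*file[[:space:]]+\""
}

# audit PROFILE NAMED_CONF ZONE_CONF: print findings, return problem count.
audit() {
    n=0
    apparmor_grants "$1" || { echo "FAIL: $1 lacks rules for $SAMBA_DNS_DIR"; n=$((n+1)); }
    includes_samba_conf "$2" || { echo "FAIL: $2 does not include $SAMBA_DNS_DIR/named.conf"; n=$((n+1)); }
    has_flat_zone "$3" "$AD_ZONE" && { echo "FAIL: $3 declares $AD_ZONE as a flat-file zone; delete it"; n=$((n+1)); }
    return $n
}

# Constructed samples (not the poster's real files): the 'private'-only
# rules quoted in the thread, the same profile with bind-dns rules added,
# a named.conf that includes only the bind9 defaults plus named.conf.msi,
# a named.conf.msi holding a flat-file copy of the AD zone, and a
# named.conf.local that includes Samba's generated config instead.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat >"$TMP/named.old" <<'EOF'
  # gssapi
  /etc/krb5.keytab kr,
  /var/lib/samba/lib/** rm,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /var/lib/samba/etc/smb.conf r,
EOF
{ cat "$TMP/named.old"; printf '%s\n' \
  "  $SAMBA_DNS_DIR/dns.keytab r," "  $SAMBA_DNS_DIR/named.conf r," \
  "  $SAMBA_DNS_DIR/dns/** rwk,"; } >"$TMP/named.fixed"
printf 'include "/etc/bind/named.conf.%s";\n' options local default-zones msi >"$TMP/named.conf"
printf 'zone "%s" {\n    type master;\n    file "/etc/bind/db.msi";\n};\n' "$AD_ZONE" >"$TMP/named.conf.msi"
printf '// only local content a BIND9_DLZ DC needs\ninclude "%s/named.conf";\n' "$SAMBA_DNS_DIR" >"$TMP/named.conf.local"

echo "== as quoted in the thread =="
audit "$TMP/named.old" "$TMP/named.conf" "$TMP/named.conf.msi" || echo "problems: $?"
echo "== after the suggested fixes =="
audit "$TMP/named.fixed" "$TMP/named.conf.local" "$TMP/named.conf.local" || echo "problems: $?"
```

Run it as-is to see both outcomes; to audit a live host, point audit at /etc/apparmor.d/usr.sbin.named, the file that carries the Samba include, and the file suspected of holding the flat zone. The checks are deliberately literal: they match the rule paths exactly and do not follow includes or evaluate AppArmor globbing beyond the two forms named above, so a profile written differently may need a manual look. Reload the profile (apparmor_parser -r) and restart named after changing it, since a rule edit alone does nothing.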
