[Samba] declaring Bind9 DNS servers as slaves when using Samba AD/DC with BIND9_DLZ

vincent at cojot.name
Mon Apr 25 23:28:08 UTC 2022


Hi all,

I have a small isolated 'island' made of two Samba AD/DC VMs. It works 
fine but is not really fault-tolerant (if one hypervisor crashes, every 
Windows client will time out for 50% of DNS requests).

I was trying to set up my bind infra as DNS 'slaves' of the AD/DC zones but 
I'm struggling to make it work. I suspect this might be related to having 
to list my bind DNS servers as authoritative 'NS' servers for my AD DC 
zones. Here's what I have:

On a RHEL8 bind DNS server, I have declarations such as:
zone "_msdcs.ad.lasthome.solace.krynn" IN {
         type slave;
         masters { 10.0.131.248; 10.0.131.249; };
         notify yes;
         file "zonedb/named.KRYNN_AD._msdcs";
         allow-transfer { any; };
         allow-query { any; };
};
(and the same kind of declaration for _sites, _tcp, _udp...)

On my Samba AD/DC servers, I made sure to have:
         allow-transfer { any; };

Alas, on the BIND9 DNS servers, I see this:
25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer status: REFUSED
25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

This can be matched to these logs on the Samba AD/DC servers:
25-Apr-2022 16:38:01.528 notify: notice: client @0x7f0a341063f0 10.0.128.242#12714: received notify for zone '_msdcs.ad.lasthome.solace.krynn': not authoritative

So communication works, but dc01 refuses the zone transfer because it is 
coming from a server which is not authoritative.

Sure enough, when querying the SOA for any of these sub-domains, only my 
AD/DC servers are listed:

# dig @dc00 -t SOA _msdcs.ad.lasthome.solace.krynn
[...]
;; AUTHORITY SECTION:
_msdcs.ad.lasthome.solace.krynn. 900 IN NS      dc01.ad.lasthome.solace.krynn.
_msdcs.ad.lasthome.solace.krynn. 900 IN NS      dc00.ad.lasthome.solace.krynn.

So I have a few questions:

- How do I add my bind servers as 'proper' authoritative NS servers for 
the DNS zones hosted on my AD/DC bind servers? What is the proper way to 
do this? I tried using RSAT/DNS manager and enabling 'Bind secondaries', 
but this did not work with Samba AD/DC.

- Is it a bad idea to do this (add bind servers as authoritative DNS 
servers to my AD zones)? Might it break something in the future?

All comments/ideas needed.

Thank you,

Vincent
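The post shows two things a practitioner would want to check mechanically on the secondary: which primaries actually refused the transfer (the `xfer-in` lines), and whether the zone blocks leave `allow-transfer { any; }` in place. The second point is a security one that the post does not raise: an AXFR of an AD zone hands out every SRV record, host name and DC address, so `any` should be replaced by the addresses of the secondaries that really need it (or `none` on a leaf secondary). The script below is an added example, not code from the post, from Samba or from BIND; it assumes the one-directive-per-line zone layout and the log format quoted in the mail, and all inputs in it are constructed samples.

```python
"""Cross-check a BIND secondary's zone config against its xfer-in log.

Added example (not code from the post, Samba or BIND). It assumes the
one-directive-per-line zone layout and the log format quoted in the mail;
all inputs below are constructed samples.
"""
import re
from collections import defaultdict

# Constructed sample: the zone block from the post plus a second zone whose
# allow-transfer is already restricted, so both outcomes are exercised.
SAMPLE_NAMED_CONF = """
zone "_msdcs.ad.lasthome.solace.krynn" IN {
         type slave;
         masters { 10.0.131.248; 10.0.131.249; };
         notify yes;
         file "zonedb/named.KRYNN_AD._msdcs";
         allow-transfer { any; };
         allow-query { any; };
};
zone "ad.lasthome.solace.krynn" IN {
         type slave;
         masters { 10.0.131.248; 10.0.131.249; };
         file "zonedb/named.KRYNN_AD";
         allow-transfer { 10.0.128.242; };
         allow-query { any; };
};
"""

# Constructed sample log lines in the xfer-in format quoted in the post.
SAMPLE_XFER_LOG = [
    "25-Apr-2022 19:16:43.809 xfer-in: info: transfer of "
    "'_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: "
    "Transfer status: REFUSED",
    "25-Apr-2022 19:16:43.809 xfer-in: info: transfer of "
    "'_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: "
    "Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)",
    "25-Apr-2022 19:17:02.114 xfer-in: info: transfer of "
    "'ad.lasthome.solace.krynn/IN' from 10.0.131.248#53: "
    "Transfer status: success",
]

# A zone block runs from `zone "name" IN {` to a `};` at column 0.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s+IN\s*\{(.*?)^\};', re.S | re.M)
TYPE_RE = re.compile(r'^\s*type\s+(\w+);', re.M)
# `masters` is the spelling on the page; the newer `primaries` is accepted too.
LIST_RE = re.compile(r'^\s*(masters|primaries|allow-transfer)\s*\{([^}]*)\};', re.M)
# Only the "Transfer status:" line carries the outcome; "Transfer completed" is ignored.
XFER_RE = re.compile(r"xfer-in: \w+: transfer of '([^/]+)/IN' from ([\d.]+)#\d+: "
                     r"Transfer status: (\w+)")


def parse_zones(conf):
    """Return {zone: {"type": str, "masters": [ip], "allow_transfer": [acl]}}."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        entry = {"type": None, "masters": [], "allow_transfer": []}
        m = TYPE_RE.search(body)
        if m:
            entry["type"] = m.group(1)
        for key, items in LIST_RE.findall(body):
            values = [v.strip() for v in items.split(";") if v.strip()]
            if key in ("masters", "primaries"):
                entry["masters"] = values
            else:
                entry["allow_transfer"] = values
        zones[name] = entry
    return zones


def parse_xfer_log(lines):
    """Return {zone: {primary_ip: last transfer status}} from xfer-in lines."""
    status = defaultdict(dict)
    for line in lines:
        m = XFER_RE.search(line)
        if m:
            zone, primary, result = m.groups()
            status[zone][primary] = result
    return dict(status)


def audit(conf, log_lines):
    """Cross-check config against log; return a list of finding strings."""
    findings = []
    xfer = parse_xfer_log(log_lines)
    for name, z in parse_zones(conf).items():
        if z["allow_transfer"] == ["any"]:
            findings.append(f"{name}: allow-transfer {{ any; }} exposes the whole AD zone "
                            "(SRV records, host names, DC addresses) to anyone reaching "
                            "port 53; restrict it to the secondaries' addresses")
        for primary in z["masters"]:
            result = xfer.get(name, {}).get(primary)
            if result is None:
                findings.append(f"{name}: no transfer attempt logged from primary {primary}")
            elif result != "success":
                findings.append(f"{name}: transfer from {primary} ended with {result}; "
                                "check that this secondary is in the zone's NS set and "
                                "in the primary's allow-transfer")
    return findings


def restrict_transfers(conf, allowed_ips):
    """Rewrite every `allow-transfer { any; }` to an explicit address list, or `none`."""
    acl = "; ".join(allowed_ips) + ";" if allowed_ips else "none;"
    return re.sub(r"allow-transfer\s*\{\s*any;\s*\}", f"allow-transfer {{ {acl} }}", conf)


if __name__ == "__main__":
    for finding in audit(SAMPLE_NAMED_CONF, SAMPLE_XFER_LOG):
        print(finding)
    print(restrict_transfers(SAMPLE_NAMED_CONF, ["10.0.128.242"]))
```

On a real secondary, feed `audit()` the zone fragment from `named.conf` and the `xfer-in` lines from the BIND log; a REFUSED finding for every primary of a zone, as in the post, points at the primary side (NS set and `allow-transfer` there), not at the secondary's configuration. `restrict_transfers()` only touches blocks that still say `any`; the address list is a hypothetical one chosen for the sample.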


