[Samba] declaring Bind9 DNS servers as slaves when using Samba AD/DC with BIND9_DLZ
Rowland Penny
rpenny at samba.org
Wed May 4 09:17:27 UTC 2022
On Mon, 2022-04-25 at 19:28 -0400, Vincent S. Cojot via samba wrote:
> Hi all,
>
> I have a small isolated 'island' made of two Samba AD/DC VMs. It works
> fine but is not really fault-tolerant (if one hypervisor crashes, every
> Windows client will time out for 50% of DNS requests).
>
> I was trying to set up my bind infra as DNS 'slaves' of the AD/DC zones,
> but I'm struggling to make it work. I suspect this might be related to
> having to list my bind DNS servers as authoritative 'NS' servers for my
> AD DC zones. Here's what I have:
>
> On a RHEL8 bind DNS server, I have declarations such as:
>
> zone "_msdcs.ad.lasthome.solace.krynn" IN {
>     type slave;
>     masters { 10.0.131.248; 10.0.131.249; };
>     notify yes;
>     file "zonedb/named.KRYNN_AD._msdcs";
>     allow-transfer { any; };
>     allow-query { any; };
> };
>
> (and the same kind of declaration for _sites, _tcp, _udp...)
>
> On my Samba AD/DC servers, I made sure to have:
>
> allow-transfer { any; };
>
> Alas, on the BIND9 DNS servers, I see this:
>
> 25-Apr-2022 19:16:43.809 xfer-in: info: transfer of
> '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer
> status: REFUSED
> 25-Apr-2022 19:16:43.809 xfer-in: info: transfer of
> '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer
> completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
>
> This can be matched to these logs on the Samba AD/DC servers:
>
> 25-Apr-2022 16:38:01.528 notify: notice: client @0x7f0a341063f0
> 10.0.128.242#12714: received notify for zone
> '_msdcs.ad.lasthome.solace.krynn': not authoritative
>
> So communication works, but dc01 refuses the zone transfer because it is
> coming from a server which is not authoritative.
>
> Sure enough, when querying the SOA for any of these sub-domains, only my
> AD/DC servers are listed:
>
> # dig @dc00 -t SOA _msdcs.ad.lasthome.solace.krynn
> [...]
> ;; AUTHORITY SECTION:
> _msdcs.ad.lasthome.solace.krynn. 900 IN NS dc01.ad.lasthome.solace.krynn.
> _msdcs.ad.lasthome.solace.krynn. 900 IN NS dc00.ad.lasthome.solace.krynn.
>
> So I have a few questions:
>
> - How do I add my bind servers as 'proper' authoritative NS servers for
>   the DNS zones hosted on my AD/DC bind servers? What is the proper way
>   to do this? I tried using RSAT/DNS manager and enabling 'Bind
>   secondaries', but this did not work with Samba AD/DC.
>
> - Is it a bad idea to do this (add bind servers as authoritative DNS
>   servers to my AD zones)? Might it break something in the future?
>
> All comments/ideas needed.
>
> Thank you,
>
> Vincent
Sorry to be late in replying, but you need 4 things:

- To be running Samba >= 4.15.0
- On the DC with the PDC_Emulator FSMO role, you have
  'dns zone transfer clients allow = IP_OF_THE_SLAVE_DNS_SERVER' in the smb.conf
- The DC is running a Bind9 DNS server with
  'allow-transfer { IP_OF_THE_SLAVE_DNS_SERVER; };' in /etc/bind/named.conf.options
- Your zones in /etc/bind/named.conf.local, similar to these:

zone "ad.lasthome.solace.krynn" IN {
    type slave;
    file "/var/cache/bind/named.KRYNN_AD";
    masters { 10.0.131.248; };
};
zone "_msdcs.ad.lasthome.solace.krynn" IN {
    type slave;
    file "/var/cache/bind/named.KRYNN_AD._msdcs";
    masters { 10.0.131.248; };
};
zone "0.131.10.in-addr.arpa" IN {
    type slave;
    file "/var/cache/bind/reverse.KRYNN_AD";
    masters { 10.0.131.248; };
};

Where '10.0.131.248' is the IP of the DC with the PDC_Emulator FSMO role.
It may work with multiple DCs, but I haven't tested it.
Rowland
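The reply above requires two separate allow-lists to agree before a secondary can AXFR from a BIND9_DLZ DC: Samba's 'dns zone transfer clients allow' in smb.conf and named's 'allow-transfer' in named.conf.options. The following is an added example (not code from this thread or from the Samba project) that parses both settings from config text, reports whether a given secondary would pass both layers, and scans BIND xfer-in log lines for REFUSED transfers. It also flags the `allow-transfer { any; }` form from the original question, which lets any host that reaches port 53 pull the whole AD zone (every host, SRV record and DC name). The smb.conf and named.conf.options fragments, the IP addresses and the log lines are constructed for the demo; the assumption that an absent 'dns zone transfer clients allow' means no clients are allowed is noted in the code.

```python
"""Pre-flight check: will a Samba AD/DC (BIND9_DLZ) master allow AXFR to a
given secondary BIND server?

Added example, not code from the samba mailing list thread or from Samba.
Config text, IPs and log lines below are constructed for the demo.
"""
import ipaddress
import re

# Constructed smb.conf fragment (the option exists in Samba >= 4.15).
SMB_CONF = """\
[global]
    workgroup = KRYNN_AD
    realm = AD.LASTHOME.SOLACE.KRYNN
    server role = active directory domain controller
    server services = -dns
    dns zone transfer clients allow = 10.0.128.242 10.0.128.243
"""

# Constructed named.conf.options: the weak form from the question and the
# restricted form the reply recommends.
NAMED_OPTIONS_WEAK = """\
options {
    directory "/var/cache/bind";
    allow-transfer { any; };
};
"""
NAMED_OPTIONS_OK = """\
options {
    directory "/var/cache/bind";
    allow-transfer { 10.0.128.242; 10.0.128.243; };
};
"""

# Constructed xfer-in log lines from the secondary, modelled on the thread.
BIND_LOG = """\
25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer status: REFUSED
25-Apr-2022 19:16:44.101 xfer-in: info: transfer of 'ad.lasthome.solace.krynn/IN' from 10.0.131.248#53: Transfer status: success
"""


def smb_transfer_clients(smb_text):
    """Addresses/prefixes listed in 'dns zone transfer clients allow'."""
    for line in smb_text.splitlines():
        m = re.match(r"\s*dns zone transfer clients allow\s*=\s*(.*)$", line, re.I)
        if m:
            return m.group(1).replace(",", " ").split()
    return []  # assumption for this demo: option absent means nobody is allowed


def bind_allow_transfer(named_text):
    """ACL entries of the first allow-transfer { ...; }; statement."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", named_text)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def acl_matches(entries, ip):
    """True if ip is covered by an entry: 'any', a bare address or a CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if entry == "any":
            return True
        if entry == "none":
            return False
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # named ACLs and TSIG keys are not resolved by this demo
    return False


def check_master(smb_text, named_text, secondary_ip):
    """Combine both layers: AXFR only succeeds when Samba and named both allow it."""
    smb_acl = smb_transfer_clients(smb_text)
    bind_acl = bind_allow_transfer(named_text)
    result = {
        "smb_allows": acl_matches(smb_acl, secondary_ip),
        "bind_allows": acl_matches(bind_acl, secondary_ip),
        "warnings": [],
    }
    result["ok"] = result["smb_allows"] and result["bind_allows"]
    if "any" in bind_acl:
        result["warnings"].append(
            "named allow-transfer is 'any': every host that reaches port 53 "
            "can AXFR the whole AD zone")
    return result


def refused_zones(log_text):
    """Map zone -> master IP for every 'Transfer status: REFUSED' line."""
    pat = re.compile(r"transfer of '([^']+)/IN' from ([0-9a-fA-F.:]+)#\d+: "
                     r"Transfer status: REFUSED")
    return {m.group(1): m.group(2) for m in pat.finditer(log_text)}


if __name__ == "__main__":
    for name, opts in (("weak", NAMED_OPTIONS_WEAK), ("ok", NAMED_OPTIONS_OK)):
        print(name, check_master(SMB_CONF, opts, "10.0.128.242"))
    print("refused:", refused_zones(BIND_LOG))
```

Run it on the real files with `check_master(open('/etc/samba/smb.conf').read(), open('/etc/bind/named.conf.options').read(), '<secondary IP>')`; a REFUSED entry from `refused_zones` on the secondary together with `smb_allows == False` on the master points at the smb.conf side, which the named configuration alone cannot fix.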