bind 9.11.3 BIND9_FLATFILE update-policy
Sergey Urushkin
urushkin at telros.ru
Fri Sep 28 10:16:56 UTC 2018
Andrew Bartlett wrote 2018-09-20 18:26:
> On Thu, 2018-09-20 at 17:46 +0300, Sergey Urushkin via samba-technical
> wrote:
>> Hello.
>>
>> Bind 9.11.3 (shipped with ubuntu 18.04) has modifications that prevent
>> bind from starting with samba's update-policy config file included
>> (BIND9_FLATFILE backend):
>>
>> https://gitlab.isc.org/isc-projects/bind9/commit/b329876bf1973bbf2ea922aca0ba6eacf8ca9275
>>
>> Error text:
>> named.conf.update:3: name field not set to placeholder value '.'
>>
>> This was already on the mailing list:
>> https://lists.samba.org/archive/samba/2018-March/214738.html
>>
>> This could be fixed by making a fixed copy of the config and including
>> it in BIND instead of the original:
>> sed 's/ms-self \* /ms-self . /' named.conf.update > named.conf.update.static
>>
>> The next patch fixes config generation for 9.11.3 and above:
>> --- a/source4/dsdb/dns/dns_update.c 2018-07-12
>> 11:23:36.000000000 +0300
>> +++ b/source4/dsdb/dns/dns_update.c 2018-09-20
>> 16:16:32.330242337 +0300
>> @@ -242,7 +242,7 @@
>> dprintf(fd, "%s\n",static_policies);
>> dprintf(fd, "/* End of static entries */\n");
>> }
>> - dprintf(fd, "\tgrant %s ms-self * A AAAA;\n", realm);
>> + dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);
>> dprintf(fd, "\tgrant Administrator@%s wildcard * A AAAA SRV
>> CNAME;\n",
>> realm);
>>
>> for (i=0; i<dc_count; i++) {
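Review bot: the replacement line `+ dprintf(fd, "\tgrant %s ms-self . A AAAA;\n", realm);` hardcodes the 9.11.3+ placeholder, so the generated named.conf.update will be rejected by the earlier releases that required `*` in the name field; the value should be chosen from the detected BIND version (or read from configuration) rather than fixed in the source, which is the concern raised in the text right after this hunk.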
>>
>> But this may not work with the older versions (not tested!). If so, we
>> should check the installed bind version on the samba start while
>> generating the config (named -V) or get the right value (* or .) from
>> some other place (config file).
>> Another approach: since the config is pretty much static (at least with
>> the current single-realm samba, and it also doesn't honor the real
>> 'Administrator' account name and, even more widely, every
>> dns-administrator name), generate it on provision
>> (python/samba/provision/sambadns.py) like we do for named.conf.dlz and
>> just leave it as is with comments about BIND versions.
>
> At this stage my preference would have been to remove the 'feature'
> entirely, given the limitations. It causes a job to run frequently to
> fill in the file and trigger rndc reload even when Samba isn't using
> this, and this *may* be the cause of a crash or service outage on the
> bind side. (Not yet pinned down.)
>
> We would prefer folks used the DLZ driver or the internal DNS, as these
> work with Microsoft and Samba admin tools etc. I don't mind us
> generating the zone long-term but I think the rest is always going to
> be so site-specific anyway.
>
> What do you think?
>
> Andrew Bartlett
Agreed.
Here is the patch that adds generating update-policy at provision.
The second part should be removing named.conf.update code from
/source4/dsdb/dns/dns_update.c - but I didn't touch it, since I'm not a
C specialist.
diff -ur a/python/samba/provision/sambadns.py
b/python/samba/provision/sambadns.py
--- a/python/samba/provision/sambadns.py 2018-09-28 08:36:00.198739082
+0000
+++ b/python/samba/provision/sambadns.py 2018-09-28 09:53:40.252765037
+0000
@@ -918,7 +918,7 @@
setup_file(setup_path("spn_update_list"), paths.spn_update_list,
None)
-def create_named_conf(paths, realm, dnsdomain, dns_backend, logger):
+def create_named_conf(paths, realm, dnsdomain, dns_backend, hostname,
logger):
"""Write out a file containing zone statements suitable for
inclusion in a
named.conf file (including GSS-TSIG configuration).
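Review bot: inserting `hostname` before `logger` in the `create_named_conf` signature changes the positional order, so any caller not updated by this patch would silently pass its logger object as the hostname; the docstring this hunk touches is also not updated to describe the new parameter. Consider appending `hostname` after `logger` with a default, or at least documenting it here.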
@@ -938,6 +938,11 @@
from samba.provision import ProvisioningError
if dns_backend == "BIND9_FLATFILE":
+ bind_info = subprocess.Popen(['named -V'], shell=True,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.STDOUT,
+ cwd='.').communicate()[0]
+
setup_file(setup_path("named.conf"), paths.namedconf, {
"DNSDOMAIN": dnsdomain,
"REALM": realm,
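Review bot: the `named -V` invocation added here duplicates the identical one in the BIND9_DLZ branch below (`bind_info = subprocess.Popen(['named -V'], shell=True,`); hoisting it above the `if dns_backend ==` chain keeps a single copy. With `shell=True` a missing `named` binary does not raise: `bind_info` just becomes the shell's "not found" message, so the code that later inspects it needs to verify that a BIND version string is actually present instead of falling through to a default. `cwd='.'` is redundant and can be dropped.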
@@ -947,7 +952,21 @@
"NAMED_CONF_UPDATE": paths.namedconf_update
})
- setup_file(setup_path("named.conf.update"),
paths.namedconf_update)
+ bind9_msself_name = '.'
+ if bind_info.upper().find('BIND 9.7') != -1 or \
+ bind_info.upper().find('BIND 9.8') != -1 or \
+ bind_info.upper().find('BIND 9.9') != -1 or \
+ bind_info.upper().find('BIND 9.10') != -1 or \
+ bind_info.upper().find('BIND 9.11.0') != -1 or \
+ bind_info.upper().find('BIND 9.11.1') != -1 or \
+ bind_info.upper().find('BIND 9.11.2') != -1:
+ bind9_msself_name = '*'
+ setup_file(setup_path("named.conf.update"),
paths.namedconf_update, {
+ "REALM": realm,
+ "HOSTNAME": hostname,
+ "BIND9_MSSELF_NAME": bind9_msself_name,
+ "NAMED_CONF_UPDATE": paths.namedconf_update
+ })
elif dns_backend == "BIND9_DLZ":
bind_info = subprocess.Popen(['named -V'], shell=True,
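Review bot: the substring tests are wrong for two-digit patch levels: `bind_info.upper().find('BIND 9.11.1') != -1` also matches 9.11.10 through 9.11.19 and `'BIND 9.11.2'` matches 9.11.20 onward, so those releases would wrongly get `*` and named would refuse to start. Parse the version into a (major, minor, patch) tuple with a regular expression and compare it against (9, 11, 3) instead. Under Python 3 `bind_info` is `bytes`, so `.find('BIND 9.7')` with a `str` argument raises TypeError; decode the output before matching.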
@@ -1250,7 +1269,7 @@
create_named_conf(paths, realm=names.realm,
dnsdomain=names.dnsdomain,
dns_backend=dns_backend,
- logger=logger)
+ hostname=names.hostname, logger=logger)
create_named_txt(paths.namedtxt,
realm=names.realm, dnsdomain=names.dnsdomain,
diff -ur a/source4/scripting/bin/samba_upgradedns
b/source4/scripting/bin/samba_upgradedns
--- a/source4/scripting/bin/samba_upgradedns 2018-09-28
08:36:00.622739925 +0000
+++ b/source4/scripting/bin/samba_upgradedns 2018-09-28
09:49:24.976185404 +0000
@@ -536,7 +536,7 @@
create_samdb_copy(ldbs.sam, logger, paths, names, domainsid,
domainguid)
- create_named_conf(paths, names.realm, dnsdomain,
opts.dns_backend, logger)
+ create_named_conf(paths, names.realm, dnsdomain,
opts.dns_backend, names.hostname, logger)
create_named_txt(paths.namedtxt, names.realm, dnsdomain,
dnsname,
paths.binddns_dir, paths.dns_keytab)
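Review bot: this call site passes `names.hostname` positionally, while the provision caller in sambadns.py uses keyword arguments (`hostname=names.hostname, logger=logger`); using keywords here as well keeps the two call sites from drifting apart silently if the signature is reordered again.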
diff -ur a/source4/setup/named.conf.update
b/source4/setup/named.conf.update
--- a/source4/setup/named.conf.update 2018-09-28 08:36:01.666742005
+0000
+++ b/source4/setup/named.conf.update 2018-09-28 09:44:34.475447383
+0000
@@ -1,4 +1,17 @@
-/*
- this file will be automatically replaced with the correct
- 'grant' rules by samba at runtime
-*/
+# This DNS configuration is for BIND 9.7.0 or later with tkey-gssapi
support.
+#
+# This file should be included in your domain zone clause.
+#
+# For example with
+# include "${NAMED_CONF_UPDATE}";
+
+#
+# This configures update policy for zone using TSIG-GSS.
+# Use 'ms-self .' for BIND 9.11.3 or later.
+# Use 'ms-self *' for BIND 9.7 - 9.11.2.
+#
+update-policy {
+ grant ${REALM} ms-self ${BIND9_MSSELF_NAME} A AAAA;
+ grant Administrator@${REALM} wildcard * A AAAA SRV CNAME;
+ grant ${HOSTNAME}$@${REALM} wildcard * A AAAA SRV CNAME;
+};
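Review bot: the template grants only the provisioning DC's machine account (`grant ${HOSTNAME}$@${REALM} wildcard * A AAAA SRV CNAME;`), whereas the runtime generator this replaces emitted one grant per DC (the `for (i=0; i<dc_count; i++)` loop in the quoted hunk), so a DC joined after provision gets no update right until an administrator edits this file by hand. The header comment should state that, and that Samba no longer rewrites the file at runtime, since the removed comment promised the opposite; `ms-self .` versus `ms-self *` is already documented correctly for 9.11.3.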
---
Best regards,
Sergey Urushkin
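As an added example (not part of this thread and not Samba's own code), the following Python shows one way to do the BIND version check the patch attempts with substring matching: it parses the version number from `named -V` output into a tuple, picks `.` or `*` for the ms-self name field accordingly, and renders the update-policy block for any number of DC hostnames. The sample `named -V` outputs, the realm and the hostnames are constructed; `parse_bind_version`, `msself_name_for_version`, `msself_name_for_output`, `query_named_version` and `render_update_policy` are names chosen for this example.

```python
import re
import subprocess

# Constructed sample outputs of `named -V` (only the first line matters here).
SAMPLE_OUTPUTS = {
    "ubuntu_18.04": "BIND 9.11.3-1ubuntu1-Ubuntu (Extended Support Version)\n",
    "ubuntu_16.04": "BIND 9.10.3-P4-Ubuntu\n",
    "last_star_syntax": "BIND 9.11.2\n",
    "double_digit_patch": "BIND 9.11.10-P1\n",   # breaks naive substring tests
    "not_installed": "sh: 1: named: not found\n",  # what shell=True yields
}

_VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)(?:\.(\d+))?")

# First release whose update-policy parser requires the '.' placeholder in the
# name field of an ms-self rule (per the ISC commit cited in the thread).
MSSELF_PLACEHOLDER_SINCE = (9, 11, 3)


def parse_bind_version(output):
    """Return (major, minor, patch) parsed from `named -V` output, or None.

    Accepts bytes (what subprocess returns under Python 3) or str; a missing
    patch level is treated as 0.
    """
    if isinstance(output, bytes):
        output = output.decode("utf-8", "replace")
    match = _VERSION_RE.search(output)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def msself_name_for_version(version):
    """'.' for 9.11.3 and later, '*' for older releases (tuple comparison)."""
    return "." if version >= MSSELF_PLACEHOLDER_SINCE else "*"


def msself_name_for_output(output):
    """Choose the ms-self name field from raw `named -V` output.

    Fails loudly instead of guessing when no version string is present, e.g.
    when the shell reports that named is not installed.
    """
    version = parse_bind_version(output)
    if version is None:
        raise ValueError("no BIND version found in named -V output: %r" % output)
    return msself_name_for_version(version)


def query_named_version(named="named"):
    """Run `named -V` without a shell; returns None if named is not installed."""
    try:
        proc = subprocess.run([named, "-V"], stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, check=False)
    except OSError:
        return None
    return parse_bind_version(proc.stdout)


def render_update_policy(realm, hostnames, msself_name):
    """Render the update-policy block, with one grant per DC machine account."""
    lines = [
        "update-policy {",
        "\tgrant %s ms-self %s A AAAA;" % (realm, msself_name),
        "\tgrant Administrator@%s wildcard * A AAAA SRV CNAME;" % realm,
    ]
    for host in hostnames:
        lines.append("\tgrant %s$@%s wildcard * A AAAA SRV CNAME;" % (host, realm))
    lines.append("};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, text in SAMPLE_OUTPUTS.items():
        try:
            print("%-20s -> ms-self %s" % (label, msself_name_for_output(text)))
        except ValueError as err:
            print("%-20s -> error: %s" % (label, err))
    # Constructed realm and DC names.
    print(render_update_policy("EXAMPLE.COM", ["dc1", "dc2"], "."))
```

The tuple comparison is what makes 9.11.10 classify correctly, and raising on unparseable output means a provisioning run on a host without `named` stops with a clear error rather than writing a policy for a version that was never detected.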