CentOS 6.2, Samba 4.0.0beta3, Bind 9.9.1-P1.

I have a working Bind9 installation which includes several different zone files. Forward and reverse lookups work fine.

When I include

    include "/usr/local/samba4/private/named.conf";

in the named.conf, named will no longer start:

    Jul 9 15:01:47 s6a named[9857]: samba_dlz: started for DN DC=test,DC=cornell,DC=edu
    Jul 9 15:01:47 s6a named[9857]: samba_dlz: starting configure
    Jul 9 15:01:47 s6a named[9857]: samba_dlz: Failed to configure zone 'test.cornell.edu'
    Jul 9 15:01:47 s6a named[9857]: loading configuration: already exists
    Jul 9 15:01:47 s6a named[9857]: exiting (due to fatal error)

because of a conflict between an already included zone file and the Samba4 domain (test.cornell.edu).

What is the recommended best practice to fix this situation? I don't believe that I should have to add the offending zone's contents to dns_update_list; this seems like a hack to me. But then I don't have a lot of mileage with samba_dnsupdate yet.

Steve

Hi Steve,

On Tue, Jul 10, 2012 at 7:17 AM, Steve Thompson <smt at vgersoft.com> wrote:
> CentOS 6.2, Samba 4.0.0beta3, Bind 9.9.1-P1.
>
> I have a working Bind9 installation which includes several different zone
> files. Forward and reverse lookups work fine.
>
> When I include
>
> include "/usr/local/samba4/private/named.conf";
>
> in the named.conf, named will no longer start:
>
> Jul 9 15:01:47 s6a named[9857]: samba_dlz: started for DN
> DC=test,DC=cornell,DC=edu
> Jul 9 15:01:47 s6a named[9857]: samba_dlz: starting configure
> Jul 9 15:01:47 s6a named[9857]: samba_dlz: Failed to configure zone
> 'test.cornell.edu'
> Jul 9 15:01:47 s6a named[9857]: loading configuration: already exists
> Jul 9 15:01:47 s6a named[9857]: exiting (due to fatal error)
>
> because of a conflict between an already included zone file and the Samba4
> domain (test.cornell.edu).
>
> What is the recommended best practice to fix this situation? I don't believe
> that I should have to add the offending zone's contents to dns_update_list;
> this seems like a hack to me. But then I don't have a lot of mileage with
> samba_dnsupdate yet.
>
> Steve

DLZ module is used to dynamically load the zone (the ones configured in Samba AD) information. So you cannot have two different sources for the same zone.

Please comment the file based forward zone for domain (test.cornell.edu). And if you have configured reverse zone in AD, then comment the file based reverse zone as well.

Amitay.
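
The conflict described in the reply above, as an added example that is not part of the original thread or of Samba: a Python pre-flight check that derives the AD zone from the samba_dlz log line and reports file-based zones in named.conf text that the DLZ module would also serve. The function names and the sample named.conf are constructed for illustration; the include path and log line are the ones quoted in the thread.

```python
import re

# Quoted strings are matched first so comment markers inside them survive.
_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)
_ZONE = re.compile(r'\bzone\s+"([^"]+)"\s*(?:\w+\s*)?\{', re.IGNORECASE)
_DLZ_DN = re.compile(r'samba_dlz: started for DN (\S+)')

def strip_comments(conf):
    """Remove /* */, // and # comments from named.conf text."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def norm(zone):
    """Compare zone names case-insensitively and without a trailing dot."""
    return zone.rstrip(".").lower()

def dn_to_zone(dn):
    """DC=test,DC=cornell,DC=edu -> test.cornell.edu"""
    parts = [p.split("=", 1) for p in dn.split(",") if "=" in p]
    return norm(".".join(v.strip() for k, v in parts if k.strip().upper() == "DC"))

def dlz_zones_from_log(log_text):
    """Zones that samba_dlz announced in named's log output."""
    return {dn_to_zone(dn) for dn in _DLZ_DN.findall(log_text)}

def file_zones(conf):
    """Names of zones declared directly in named.conf (comments ignored)."""
    return {norm(m.group(1)) for m in _ZONE.finditer(strip_comments(conf))}

def conflicts(conf, ad_zones):
    """Zones that both named.conf and the Samba AD (DLZ) would serve."""
    return sorted(file_zones(conf) & {norm(z) for z in ad_zones})

# Constructed sample configuration (assumption, not the poster's real file).
SAMPLE_CONF = '''
options { directory "/var/named"; };
zone "test.cornell.edu" IN { type master; file "test.cornell.edu.zone"; };
# zone "commented.example" { type master; file "commented.zone"; };
zone "other.example" { type master; file "other.zone"; };
include "/usr/local/samba4/private/named.conf";
'''
SAMPLE_LOG = ("Jul 9 15:01:47 s6a named[9857]: samba_dlz: "
              "started for DN DC=test,DC=cornell,DC=edu")

if __name__ == "__main__":
    for z in conflicts(SAMPLE_CONF, dlz_zones_from_log(SAMPLE_LOG)):
        print(f"zone {z!r} is in named.conf and in Samba AD: "
              "comment out the file-based zone")
```

Zones declared inside files pulled in by other include statements are not followed; run the check on each included file as well.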

On 26/07/12 15:32, Steve Thompson wrote:
> Samba 4.0.0beta4, CentOS 6.3.
>
> It seems to me that when samba updates its DNS entries by processing a
> dns_update_list entry such as:
>
> A ${DNSDOMAIN} $IP
>
> then:
>
> (1) it is using the Kerberos realm name for DNSDOMAIN rather than the
> DNS domain name. Indeed, it seems to me that there is quite a bit of
> confusion between the two throughout Samba4.
>
> (2) when a second or third DC is added, the value for $IP inserted in
> the second or third DNS is the IP address of the first DC, not that of
> the second or third. Huh?
>
> I would _like_ the realm name and the DNS domain name to be the same,
> but it appears that one cannot do that: bind9 will no longer start, as
> I observed and reported previously.
>
> Steve

Bind9 will not start if you set it up before provisioning Samba4, you will end up with two zones, one will be the flat file you created and the other will be the dlz file created by Samba4 and they will clash.

Provision Samba4 then add any servers, workstations etc to the dns domain (and yes, the realm can be the same as the dns domain, i.e. they both can be example.com).

To add to the bind9 dlz file, use

    samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

Try

    samba-tool dns add --help

Rowland

On Thu, 26 Jul 2012, Rowland Penny wrote:
> To add to the bind9 dlz file, use samba-tool dns add <server> <zone>
> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

I realize that one could do this if absolutely desperate, but it is the most dreadful hack! Very ugly.

Steve