Hello,

Installing bind9 on my Ubuntu 14.04 via apt-get displays the following options.

# named -V
BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
<id:f9b8a50e> built by make with '--prefix=/usr'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
'--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
-DDIG_SIGCHASE -O2'

The Samba wiki states I should see:

named -V
BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...

As you can see I have:

'--with-gssapi=/usr' and *NO* '--with-dlopen=yes'

Is it possible to enable '--with-dlopen=yes' without compiling?

Thanks.

--
James

On Tue, 2 Jan 2018 12:09:33 -0500 lingpanda101 via samba <samba at lists.samba.org> wrote:
> Is it possible to enable '--with-dlopen=yes' without compiling?

No, but funnily enough, you won't be able to enable it by compiling it either ;-)

It is now built into the standard compiled Bind9, so I suppose the real answer to your question is that you can use the standard Bind9 package on 14.04 with Samba.

I will update the wiki page.

Rowland

On 1/2/2018 12:25 PM, Rowland Penny wrote:
> It is now built into the standard compiled Bind9, so I suppose the real
> answer to your question is that you can use the standard Bind9 package
> on 14.04 with Samba.
>
> I will update the wiki page.

Thank you. I notice that when installing bind9 via apt-get, I get a user and group created called 'bind' rather than 'named'. I assume I can just use 'bind' when following the wiki here:

Enable the BIND user to read the root servers list:

# chown root:named /var/named/named.root
# chmod 640 /var/named/named.root

--
James

I compiled Samba 4.7.4 from source (./configure, make, make install) but do not have the following:

/usr/local/samba/private/named.conf

Therefore I'm unable to complete the next step in the wiki:

Edit the /usr/local/samba/private/named.conf file and uncomment the module for your BIND version. For example:

dlz "AD DNS Zone" {
    # For BIND 9.8
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

    # For BIND 9.10
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";

    # For BIND 9.11
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};

--
James

On second read through, I assume the only contents in named.conf is

dlz "AD DNS Zone" {
    # For BIND 9.8
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

    # For BIND 9.10
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";

    # For BIND 9.11
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};

It's safe to create this file myself then, I would suppose?

--
James

A few other observations while attempting to switch.

* I do not have a dns.keytab file. Should I, or is it created after attempting to switch?
* Running 'named-checkconf' throws an error.

named-checkconf
/etc/bind/named.conf:15: 'options' redefined near 'options'

My 'named.conf' is the following:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";

# Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        172.0.0.0/8;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        172.0.0.0/8;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

--
James
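
Added example, not part of the thread: the 'options' redefined message means named-checkconf met a second `options` statement, and with `include` lines ahead of the block in named.conf the first one may sit in an included file. This sketch follows `include` lines and lists every `options` statement by file and line. The function names and sample files are constructed here, and the sample assumes the packaged named.conf.options already carries an options block.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# find_options_blocks FILE
# Print "file:line" for every `options` statement in FILE and in the files it
# pulls in via include "...". Limits: absolute include paths, one statement
# per line, /* ... */ comments are not parsed.
find_options_blocks() {
    awk '
    function scan(file,    line, n, inc) {
        if (file in seen) return            # guard against include loops
        seen[file] = 1
        n = 0
        while ((getline line < file) > 0) {
            n++
            if (line ~ /^[ \t]*options[ \t]*(\{|$)/) {
                print file ":" n
            } else if (match(line, /^[ \t]*include[ \t]+"[^"]+"/)) {
                inc = substr(line, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", inc)     # strip up to the opening quote
                sub(/"$/, "", inc)          # strip the closing quote
                scan(inc)
            }
        }
        close(file)
    }
    BEGIN { scan(ARGV[1]) }' "$1"
}

# check_single_options FILE: succeed only when at most one statement exists.
check_single_options() {
    [ "$(find_options_blocks "$1" | wc -l)" -le 1 ]
}

# Constructed sample: an included file that already holds an options block
# (assumed to match the packaged named.conf.options) plus a second block.
make_sample() {
    d=$(mktemp -d)
    printf 'options {\n    directory "/var/cache/bind";\n};\n' \
        > "$d/named.conf.options"
    printf 'include "%s";\n# Global Configuration Options\noptions {\n    notify no;\n};\n' \
        "$d/named.conf.options" > "$d/named.conf"
    echo "$d"
}

sample=$(make_sample)
find_options_blocks "$sample/named.conf"
check_single_options "$sample/named.conf" || echo "more than one options statement"
rm -rf "$sample"
```

Pointing `find_options_blocks` at /etc/bind/named.conf shows which files hold the competing statements, so their settings can be merged into a single block before re-running named-checkconf.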