Jiří Černý
2018-Aug-21 09:31 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> It should work ;-)
> Can you post your smb.conf and /etc/named.conf files
> Rowland

Hello Rowland. Of course I can:

cat /etc/samba/smb.conf
# Global parameters
[global]
    workgroup = SVMETAL
    realm = samdom.svmetal.cz
    netbios name = DC01
    server services = -dns
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    allow dns updates = nonsecure
    log level = 1 dns:3 auth_audit:3
    max log size = 102400
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    ntlm auth = yes
    ldap server require strong auth = no

[netlogon]
    path = /var/lib/samba/sysvol/samdom.svmetal.cz/scripts
    read only = No
    acl_xattr:ignore system acls = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    acl_xattr:ignore system acls = yes

cat /etc/named.conf
# Global Configuration Options
options {
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    allow-query { 127.0.0.1; 192.168.0.0/16; };
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };

    dnssec-validation no;
    dnssec-enable no;

    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

include "/var/lib/samba/bind-dns/named.conf";

# Root Servers
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

Jiri

>>> Jiří Černý 21.8.2018 9:30 >>>
Hello everyone.

In our company we have used Samba 4 for about 3 years (a classic upgrade from Samba 3.5 + LDAP to Sernet Samba 4.2). We used CentOS 6 for the domain controllers, and with the Bind bundled in this distro it was impossible to use dynamic DNS updates. And because I don't like using compiled SW on production servers, we used the Samba internal DNS, which worked well (dynamic updates), with one non-default setting: allow dns updates = nonsecure.
This is because something is wrong with our computers: some of them can securely update their A record, but some of them cannot. If I rejoin an affected computer to the domain (unjoin, delete the computer account, join again), the secure update works. It is also strange because the affected computers are Windows 7 and also Windows 10, only a few months old. They were joined to the domain in one IP subnet and then sent to another company unit with its own IP subnet. I have no ability to rejoin all affected computers, so I set "allow dns updates = nonsecure" in smb.conf (testparm shows "allow dns updates nonsecure and secure"). It works well, and some insecurity isn't a problem in our environment.

Now we have upgraded to Sernet Samba 4.8.4 on CentOS 7.5, which has Bind built with the capability to handle dynamic DNS updates. So after years on the internal DNS I tried to switch to Bind. But it looks like "allow dns updates = nonsecure" doesn't work with BIND_DLZ (which is logical, because Samba is no longer acting as the DNS server). And, as I described above, because Bind appears to accept only secure updates, many of our computers can't update their records.

Also very interesting behaviour: a notebook with Windows 10 connects to wifi (a different IP subnet than the subnets where the domain controllers are), and the dynamic DNS update works. But if that notebook connects to the VPN (with yet another IP subnet), the dynamic DNS update fails.

So is there a possibility to force Bind to accept nonsecure updates?

Yours sincerely
Jiří Černý
System administrator
+420 775 860 300
cerny at svmetal.cz
helpdesk at svmetal.cz
SV metal spol. s r.o.
Divec 99
500 03 Hradec Králové
Czech republic
www.svmetal.cz
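As an added example, not part of the original thread or of Samba's own tooling: a small shell helper that runs from a Linux client and checks whether the DC's DNS accepts an unsigned dynamic update, a GSS-TSIG-signed one, or both. That is the distinction the question above turns on (BIND accepting only secure updates), and the same probe shows whether a rejoin or a subnet change altered anything. The DC name and zone are derived from the realm in the posted smb.conf; the client hostname and IP address are constructed for illustration.

```shell
#!/bin/sh
# Added example: probe whether a Samba AD DC's DNS (BIND9_DLZ or internal)
# accepts unsigned (nonsecure) and GSS-TSIG (secure) dynamic updates.
# Requires nsupdate from BIND utils; secure mode also needs a Kerberos
# ticket (kinit as the computer account or an administrator first).
# DC and ZONE are assumptions taken from the posted realm; override via env.

DC=${DC:-dc01.samdom.svmetal.cz}
ZONE=${ZONE:-samdom.svmetal.cz}

# Emit an nsupdate batch that replaces HOST's A record(s) with IP.
# Usage: mk_update_batch <shorthost> <ip>
mk_update_batch() {
  host=$1
  ip=$2
  printf 'server %s\nzone %s\nupdate delete %s.%s A\nupdate add %s.%s 3600 A %s\nsend\n' \
    "$DC" "$ZONE" "$host" "$ZONE" "$host" "$ZONE" "$ip"
}

# Command line for a mode: "secure" signs with GSS-TSIG (-g, Kerberos);
# "nonsecure" sends the update unsigned, which is what the thread asks
# BIND to accept.
nsupdate_cmd() {
  case $1 in
    secure)    echo "nsupdate -g" ;;
    nonsecure) echo "nsupdate" ;;
    *) echo "usage: nsupdate_cmd secure|nonsecure" >&2; return 2 ;;
  esac
}

# Try both modes against the live server and report which one it accepts.
# nsupdate exits non-zero when the server refuses the update, so the exit
# status is enough to tell "accepted" from "refused".
# Usage: test_update_modes <shorthost> <ip>
test_update_modes() {
  host=$1
  ip=$2
  for mode in nonsecure secure; do
    if mk_update_batch "$host" "$ip" | $(nsupdate_cmd "$mode") >/dev/null 2>&1; then
      echo "$mode: accepted"
    else
      echo "$mode: refused"
    fi
  done
}

# Example invocation (constructed client name and address):
#   test_update_modes pc01 192.168.1.50
```

Run the nonsecure probe from a client that cannot update its own record: if BIND refuses it while the secure probe (after kinit) succeeds, the server is only honouring authenticated updates, as the poster observed with BIND_DLZ. Running the same probe from the wifi subnet and then from the VPN subnet separates a server-side policy problem from a client-side Kerberos or routing problem.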
Rowland Penny
2018-Aug-21 10:10 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Tue, 21 Aug 2018 11:31:47 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> > It should work ;-)
> > Can you post your smb.conf and /etc/named.conf files
> > Rowland
>
> Hello Rowland. Of course I can:
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     workgroup = SVMETAL
>     realm = samdom.svmetal.cz
>     netbios name = DC01
>     server services = -dns
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>     allow dns updates = nonsecure
>     log level = 1 dns:3 auth_audit:3
>     max log size = 102400
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>     ntlm auth = yes
>     ldap server require strong auth = no
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.svmetal.cz/scripts
>     read only = No
>     acl_xattr:ignore system acls = yes
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>     acl_xattr:ignore system acls = yes
>
>
> cat /etc/named.conf
> # Global Configuration Options
> options {
>
>     directory "/var/named";
>     notify no;
>     empty-zones-enable no;
>
>     allow-query { 127.0.0.1; 192.168.0.0/16; };
>     allow-recursion { 127.0.0.1; 192.168.0.0/16; };
>     forwarders { 8.8.8.8; 8.8.4.4; };
>     allow-transfer { none; };
>
>     dnssec-validation no;
>     dnssec-enable no;
>
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> include "/var/lib/samba/bind-dns/named.conf";
>
> # Root Servers
> zone "." {
>     type hint;
>     file "named.root";
> };
>
> # localhost zone
> zone "localhost" {
>     type master;
>     file "master/localhost.zone";
> };
>
> # 127.0.0. zone.
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "master/0.0.127.zone";
> };
>

There doesn't seem to be anything wrong there. The only comment I would make is: is '/var/lib/samba/bind-dns/named.conf' pointing to the correct version of named?

How did you change to using Bind9?

Please post the log where an update fails.

Rowland