After an hour of work I ended up with:
------------------------------------------------------------
Apr 25 22:37:56 PrimaryDC named[14412]: received control channel command 'stop -p'
Apr 25 22:37:56 PrimaryDC named[14412]: shutting down: flushing changes
Apr 25 22:37:56 PrimaryDC named[14412]: stopping command channel on 127.0.0.1#953
Apr 25 22:37:56 PrimaryDC named[14412]: stopping command channel on ::1#953
Apr 25 22:37:56 PrimaryDC named[14412]: no longer listening on ::#53
Apr 25 22:37:56 PrimaryDC named[14412]: no longer listening on 127.0.0.1#53
Apr 25 22:37:56 PrimaryDC named[14412]: no longer listening on 172.23.198.3#53
Apr 25 22:37:56 PrimaryDC named[14412]: exiting
Apr 25 22:37:57 PrimaryDC named[14662]: starting BIND 9.8.1-P1 -u bind
Apr 25 22:37:57 PrimaryDC named[14662]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
Apr 25 22:37:57 PrimaryDC named[14662]: adjusted limit on open files from 4096 to 1048576
Apr 25 22:37:57 PrimaryDC named[14662]: found 4 CPUs, using 4 worker threads
Apr 25 22:37:57 PrimaryDC named[14662]: using up to 4096 sockets
Apr 25 22:37:57 PrimaryDC named[14662]: loading configuration from '/etc/bind/named.conf'
Apr 25 22:37:57 PrimaryDC named[14662]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Apr 25 22:37:57 PrimaryDC named[14662]: using default UDP/IPv4 port range: [1024, 65535]
Apr 25 22:37:57 PrimaryDC named[14662]: using default UDP/IPv6 port range: [1024, 65535]
Apr 25 22:37:57 PrimaryDC named[14662]: listening on IPv6 interfaces, port 53
Apr 25 22:37:57 PrimaryDC named[14662]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 25 22:37:57 PrimaryDC named[14662]: listening on IPv4 interface eth0, 172.23.198.3#53
Apr 25 22:37:57 PrimaryDC named[14662]: generating session key for dynamic DNS
Apr 25 22:37:57 PrimaryDC named[14662]: sizing zone task pool based on 5 zones
Apr 25 22:37:57 PrimaryDC named[14662]: Loading 'AD DNS Zone' using driver dlopen
Apr 25 22:37:57 PrimaryDC named[14662]: samba_dlz: started for DN DC=4lo,DC=czest,DC=pl,DC=lan
Apr 25 22:37:57 PrimaryDC named[14662]: samba_dlz: starting configure
Apr 25 22:37:57 PrimaryDC named[14662]: samba_dlz: configured writeable zone '4lo.czest.pl.lan'
Apr 25 22:37:57 PrimaryDC named[14662]: samba_dlz: configured writeable zone '_msdcs.4lo.czest.pl.lan'
Apr 25 22:37:57 PrimaryDC named[14662]: set up managed keys zone for view _default, file 'managed-keys.bind'
Apr 25 22:37:57 PrimaryDC named[14662]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 254.169.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: D.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 8.E.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 9.E.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: A.E.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: B.E.F.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Apr 25 22:37:57 PrimaryDC named[14662]: command channel listening on 127.0.0.1#953
Apr 25 22:37:57 PrimaryDC named[14662]: command channel listening on ::1#953
Apr 25 22:37:57 PrimaryDC named[14662]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 25 22:37:57 PrimaryDC named[14662]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 25 22:37:57 PrimaryDC named[14662]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 25 22:37:57 PrimaryDC named[14662]: zone localhost/IN: loaded serial 2
Apr 25 22:37:57 PrimaryDC named[14662]: managed-keys-zone ./IN: loaded serial 3
Apr 25 22:37:57 PrimaryDC named[14662]: running
---------------------------------------------------------------
In /etc/apparmor.d/usr.sbin.named I added:
/usr/local/samba/private/dns/* rw,
/usr/local/samba/private/named.conf r,
/usr/local/samba/private/named.conf.update r,
/usr/local/samba/private/dns.keytab rk,
/usr/local/samba/lib/bind9/dlz_bind9_9.so rm,
/usr/local/samba/lib/private/* rmw,
/usr/local/samba/lib/* rmw,
/var/tmp/* rw,
/usr/local/samba/lib/bind9/dlz_bind9.so rm,
/usr/local/samba/** rwmk,
/dev/urandom rw,
I know it is not optimal and I have to clean it up... but it seems to
work. On Monday I will see if dynamic DNS updates work. Of course internal
DNS (-dns) is disabled.
Hope it will help someone while digging through Google. AppArmor is a
pain in the ass in this case.
Szymon
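The "hour of work" above is the usual loop of reading AppArmor DENIED audit lines for the named profile and adding a rule per path. The script below, added here as an example (it is not from the original post or from Samba/BIND), automates that loop: it collects the denied paths and masks for one profile and emits one minimal file rule per path, which is a tighter result than the `/usr/local/samba/** rwmk,` catch-all in the profile above. The log lines in SAMPLE_LOG are constructed for the example, modelled on the kernel audit format; the paths mirror the ones the post lists.

```python
import re
from collections import defaultdict

# Constructed sample of AppArmor denials as they appear in kern.log/syslog
# (not from the original post). Paths follow the ones listed in the post.
SAMPLE_LOG = """\
Apr 25 21:40:12 PrimaryDC kernel: [ 1012.334] type=1400 audit(1335382812.123:41): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/usr/local/samba/private/named.conf" pid=14001 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
Apr 25 21:40:12 PrimaryDC kernel: [ 1012.339] type=1400 audit(1335382812.125:42): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_9.so" pid=14001 comm="named" requested_mask="rm" denied_mask="rm" fsuid=105 ouid=0
Apr 25 21:40:13 PrimaryDC kernel: [ 1013.010] type=1400 audit(1335382813.001:43): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/usr/local/samba/private/dns.keytab" pid=14001 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
Apr 25 21:40:13 PrimaryDC kernel: [ 1013.012] type=1400 audit(1335382813.002:44): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/usr/local/samba/private/dns.keytab" pid=14001 comm="named" requested_mask="k" denied_mask="k" fsuid=105 ouid=0
Apr 25 21:40:14 PrimaryDC kernel: [ 1014.200] type=1400 audit(1335382814.200:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/etc/foo" pid=900 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Only the DENIED records matter; ALLOWED/AUDIT records are ignored.
DENY_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)".*?name="(?P<name>[^"]+)"'
    r'.*?denied_mask="(?P<mask>[^"]+)"'
)

# Map audit mask letters to file-rule permissions: create/delete need "w".
MASK_MAP = {"r": "r", "w": "w", "a": "a", "m": "m", "k": "k", "l": "l",
            "c": "w", "d": "w"}
PERM_ORDER = "rwamkl"


def collect_denials(log_text, profile="/usr/sbin/named"):
    """Return {path: set(permission letters)} denied to the given profile."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("profile") == profile:
            for letter in m.group("mask"):
                if letter in MASK_MAP:          # exec masks need hand review
                    denied[m.group("name")].add(MASK_MAP[letter])
    return dict(denied)


def to_rules(denied):
    """One minimal AppArmor file rule per path, ready to paste into the profile."""
    rules = []
    for path in sorted(denied):
        perms = set(denied[path])
        if "w" in perms:
            perms.discard("a")                  # 'a' conflicts with 'w' in a rule
        rules.append("  %s %s," % (path, "".join(p for p in PERM_ORDER if p in perms)))
    return rules


if __name__ == "__main__":
    print("\n".join(to_rules(collect_denials(SAMPLE_LOG))))
```

Run it against the real log (for example `grep DENIED /var/log/kern.log`), then reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` and repeat until no new denials appear.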