support at remsnet.de
2014-Dec-29 18:20 UTC
[Samba] samba_dlz Failed to configure reverse zone
Dear Rowland,

and here we have one reason / proof regarding Debian and current Samba BIND DLZ issues:
http://metadata.ftp-master.debian.org/changelogs//main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u3_changelog
MSG >> " * disable dlz until we get a patch to make it build again"

Well, the Debian maintainers seem to be seeking the missing dlz patches that RHEL & SLES maintainers created some time ago.

see http://bkraft.fr/blog/bind_9_10_1_and_bind_9_9_6_and_bind_9_8_8/
and derived CentOS bind9 https://github.com/remsnet/CentOS-Bind-DLZ ,
RPMS / SRPM / SPEC at https://www.dropbox.com/sh/56xu6o49pnkrrhv/AACaz6_nryOlSRsT_7CNKYWOa?dl=0
.. it was some hard days of patching to get it ... my special thanks to Benjamin Kraft's excellent work...

my Raspbian had no load, so the bind9 dpkg install was quick:

Neue Version der Konfigurationsdatei /etc/init.d/bind9 wird installiert ...
[ ok ] Starting domain name service...: bind9.
Trigger für libc-bin (2.19-13) werden verarbeitet ...
Fehler traten auf beim Bearbeiten von:
 slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)

root at app1:~# cat /etc/debian_version
jessie/sid

root at app1:~# uname -a
Linux app1 3.10.25+ #622 PREEMPT Fri Jan 3 18:41:00 GMT 2014 armv6l GNU/Linux

root at app1:~# named -V
BIND 9.9.5-7-Raspbian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
compiled by GCC 4.9.1
using OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
using libxml2 version: 2.9.1

root at app1:~# date
Mo 29. Dez 19:06:05 CET 2014

DLZ has been DISABLED by the Debian bind9 pkg maintainers at current.

- and current bind 9.9.x and up don't support the "buildin" option anymore;
that way of configuring has been removed quite some time ago, notices for that can be found on the bind mailing list.

In this case - without DLZ - the rebuild of bind9 is _required_ to service samba4 dlz.

--
Mit freundlichen Grüßen / Best Regards

Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de

Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.

> Sent: Monday, 29 December 2014 at 18:41
> From: "Rowland Penny" <rowlandpenny at googlemail.com>
> To: support at remsnet.de
> Cc: samba at lists.samba.org
> Subject: Re: Aw: Re: Re: [Samba] samba_dlz Failed to configure reverse zone
>
> On 29/12/14 17:32, support at remsnet.de wrote:
>> Dear Rowland,
>>
>> Just keep in mind that the Debian RPI is maintained by the raspberry.org PI fellows and _not_ mainly by the mainstream Debian
>> pkg maintainers, and is ways behind the main distro - almost.
>>
>>> Even though there is no mention of dlopen, samba_dlz works.
>>>
>> yes/no ->> it's not displaying the DLZ file open <<- and that happens even on my now 1+ year old samba4.0 RPI samba4 AD.
>>
>> and that's why I reviewed the posted Bind startup
>> we both know if the dlopen does not happen cleanly, then any zone load will never succeed.
>>
>> At the moment I'm building bind 9.9.5.7 on one of the RPi cluster nodes, will tell you in the next days the outcome and the named -V output from package and self-compiled. Compiling bind on RPI-II (not cross-compiling) takes 4-6h, samba4 ~13-17h.
> Hi, ok I take your point, but the OP never mentioned Rpi, come to think
> of it, the OP has never mentioned their distro, wonder what it is.
>
> As for compiling S4 on rpi, been there, done that and yes it does take a
> very long time. :-)
>
> Rowland
>
>> --
>> Mit freundlichen Grüßen / Best Regards
>>
>> Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
>>
>> Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
>>
>>> Sent: Monday, 29 December 2014 at 18:06
>>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>>> To: support at remsnet.de
>>> Cc: samba at lists.samba.org
>>> Subject: Re: Aw: Re: [Samba] samba_dlz Failed to configure reverse zone
>>>
>>> On 29/12/14 16:25, support at remsnet.de wrote:
>>>> Hello,
>>>>
>>>> review bind9 options ...
>>>>
>>>>>> Dec 22 12:25:55 verdandi named[18534]: starting BIND 9.9.5-7-Debian -u
>>>>>> bind -4
>>>>>> Dec 22 12:25:55 verdandi named[18534]: built with '--prefix=/usr'
>>>>>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>>>>>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>>>>>> '--enable-largefile' '--with-libtool' '--enable-shared'
>>>>>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>>>>>> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>>>>>> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>>>>>> -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
>>>>>> Dec 22 12:25:55 verdandi named[18534]:
>>>> Due to some curiosity, your Debian Bind seems to be missing the required Bind-dlz options.
>>>>
>>>> This Samba wiki explains it: https://wiki.samba.org/index.php/DNS, in exact words the required BIND-DLZ options are not compiled in:
>>>>
>>>> --with-dlopen=yes \
>>>> --with-dlz-bdb \
>>>> --with-dlz-ldap \
>>>> --with-dlz-filesystem=yes \
>>>>
>>>> And here a HowTo for Debian to fix that:
>>>>
>>>> https://wiki.samba.org/index.php/DNS#Debian_.2F_Ubuntu_.2B_clones_-_Build_New_ISC_Bind_9.8_.2F_9.9_.2F_9.10
>>>> (just updated for Debian as well.)
>>>>
>>>> Verify your Bind9 build options with "named -V" or "named-sdb -V":
>>>>
>>>> --
>>>> Mit freundlichen Grüßen / Best Regards
>>>>
>>>> Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
>>>>
>>>> Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
>>>>
>>> I must update that wiki page, the Debian bind9 package seems to have the
>>> dlopen options built-in. I use 9.9.5 from wheezy backports:
>>>
>>> BIND 9.9.5-4~bpo70+1-Debian (Extended Support Version) <id:f9b8a50e>
>>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>>> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
>>> '--localstatedir=/var' '--enable-threads' '--enable-largefile'
>>> '--with-libtool' '--enable-shared' '--enable-static'
>>> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
>>> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
>>> '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>>
>>> Even though there is no mention of dlopen, samba_dlz works.
>>>
>>> Rowland
>>>
>
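Several messages in this thread compare `named -V` banners by eye to see whether a build carries the DLZ-related configure switches the Samba wiki lists. The following script is an added example, not code from the thread or from the BIND or Samba projects: it parses the "built by make with ..." token list from a `named -V` banner and reports which of the switches named in the thread are present. The first sample banner is the Raspbian one quoted above; the second is a constructed, hypothetical DLZ-enabled banner (its id and option values are made up) used only to show a positive match.

```python
"""Report DLZ-related configure switches found in `named -V` output.

Added example for the thread above; not part of BIND or Samba.
"""
import re
import shlex
import sys

# Configure switches the thread names as relevant for a DLZ-capable build:
# the Samba wiki list quoted in the thread plus the --with-dlz-dlopen spelling
# that the Debian configure run in the thread warns about.
DLZ_OPTIONS = (
    "--with-dlopen",
    "--with-dlz-dlopen",
    "--with-dlz-bdb",
    "--with-dlz-ldap",
    "--with-dlz-filesystem",
)

# Sample 1: the Raspbian banner quoted in the thread (copied as one block).
SAMPLE_NAMED_V = """\
BIND 9.9.5-7-Raspbian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
compiled by GCC 4.9.1
using OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
using libxml2 version: 2.9.1
"""

# Sample 2: constructed, hypothetical banner of a self-built DLZ-enabled named.
# The id and the option values are invented; only the switch names come from the thread.
SAMPLE_DLZ_BUILD = """\
BIND 9.9.6 (Extended Support Version) <id:xxxxxxxx>
built by make with '--prefix=/usr' '--with-dlopen=yes' '--with-dlz-filesystem=yes'
'--with-dlz-ldap=yes' 'CFLAGS=-O2'
"""

BUILT_RE = re.compile(r"built (?:by \S+ )?with (.*)$")
VERSION_RE = re.compile(r"^BIND\s+(\S+)")


def parse_named_v(text):
    """Return (version, [configure tokens]) from `named -V` output.

    The token list starts after "built ... with" and may wrap onto following
    lines; those continuation lines start with a quote or a dash. Joining them
    before shlex.split keeps a multi-line 'CFLAGS=...' token intact.
    """
    version = None
    build_parts = []
    collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
        m = BUILT_RE.search(line)
        if m:
            build_parts.append(m.group(1))
            collecting = True
            continue
        if collecting and (line.startswith("'") or line.startswith("-")):
            build_parts.append(line)
        else:
            collecting = False
    return version, shlex.split(" ".join(build_parts))


def dlz_status(options):
    """Map each DLZ-related switch to the configure token that sets it, or None."""
    status = {}
    for want in DLZ_OPTIONS:
        status[want] = next(
            (o for o in options if o == want or o.startswith(want + "=")), None
        )
    return status


def missing_dlz_options(text):
    """Sorted list of DLZ-related switches absent from a `named -V` banner."""
    _, options = parse_named_v(text)
    return sorted(k for k, v in dlz_status(options).items() if v is None)


if __name__ == "__main__":
    # Usage: named -V | python3 this_script.py   (falls back to the samples)
    banner = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAMED_V
    version, options = parse_named_v(banner)
    print(f"BIND version: {version}, {len(options)} configure tokens")
    for switch, token in dlz_status(options).items():
        print(f"  {switch:24} {token or 'absent'}")
```

Run it as `named -V | python3 this_script.py` on a host; with no stdin it reports on the Raspbian sample, where every DLZ switch comes out as absent, which is the observation the thread is arguing about.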
Just to clarify some things ...

the Bind9 and Samba4 are both current Debian Jessie on amd64. So the applicable changelog would be
http://metadata.ftp-master.debian.org/changelogs//main/b/bind9/testing_changelog

Using 1:9.9.5.dfsg-6 the system worked nicely. Fixing a CVE pertaining to recursion does not easily link to DLZ issues.

The system definitely has DLZ included. Otherwise it could not produce DLZ related errors and change behaviour if sam.ldb is changed.

Using some hints from bind-users I found

ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=ad,DC=microsult,DC=de" "(objectClass=dnsZone)" dn

a useful command. It showed me that I added the wrong zones and that the zones claimed to have missing SOA and NS are actually there. To cite the most important parts of the logs:

Dec 29 20:24:26 verdandi named[3695]: samba_dlz: starting configure
Dec 29 20:24:26 verdandi named[3695]: zone 10.16.172.in-addr.arpa/NONE: has 0 SOA records
Dec 29 20:24:26 verdandi named[3695]: zone 10.16.172.in-addr.arpa/NONE: has no NS records
Dec 29 20:24:26 verdandi named[3695]: samba_dlz: Failed to configure zone '10.16.172.in-addr.arpa.'

Mind the final dot in the zone name! It's clear, but for some reason I forgot it over and over in the past. So listing the correct reverse zone:

root at verdandi:~# samba-tool dns query localhost 10.16.172.in-addr.arpa. @ ALL -U Administrator
Password for [AD\Administrator]:
  Name=, Records=2, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=3600, ns=samba.ad.microsult.de., email=hostmaster.ad.microsult.de. (flags=600000f0, serial=1, ttl=3600)
    NS: samba.ad.microsult.de. (flags=600000f0, serial=1, ttl=3600)

shows that there are SOA and NS entries, i.e. it's all there is in the zone, and in all other reverse zones as well.

The library is part of the Samba package and has not changed. So either Bind9 now has a bug and interfaces incorrectly with DLZ, or the DLZ library presents the data incorrectly and the CVE fix now denies it, or the library does not match Bind9 anymore.

I ran a strace, but it does not give too much information. Yes, sam.ldb and sam.ldb.d are accessed, so the DLZ basics should be straight, which somewhat rules out the last option. In between "samba_dlz: starting configure" and "zone ... has 0 SOA records" I only see a lot of read lock and unlock operations on 3 different fd, relating to files in sam.ldb.d: "AD DN.ldb", "DC=DOMAINDNSZONES,AD DN.ldb", "DC=FORESTDNSZONES,AD DN.ldb" (AD DN is the DN of the AD).

In summary: I now understand why Bind9 would load reverse zones (they actually exist). I don't understand why samba-tool reports SOA and NS, while Bind9 claims both absent. And I'm unsure why 10.16.172.in-addr.arpa seems to collide with 10.16.172.in-addr.arpa. (mind the dot). This at least smells like different parts of the code follow a different functional specification. But this is a side note and in no way important for the problem of getting Bind9 running again.

I still don't know whether I can configure it away, or should file a bug and to whom: Bind9 or Samba4.

Regards,
 - lars.
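The message above puts two observations side by side: the `named` log says a zone has 0 SOA and no NS records and then fails to configure it, while `samba-tool dns query` lists an SOA and an NS for the same zone, and the zone name appears once without and once with the trailing dot. The script below is an added example, not code from the thread or from Samba or BIND, that does that comparison mechanically: it groups the samba_dlz log lines per zone with the trailing dot normalised away, counts record lines in `samba-tool dns query ... @ ALL` output, and lists the mismatches. The sample log and sample query output are constructed from the lines quoted in the message, with a second made-up reverse zone (20.16.172.in-addr.arpa) added so the per-zone grouping is visible.

```python
"""Correlate samba_dlz zone messages in the named log with samba-tool output.

Added example for the thread above; not part of Samba or BIND.
"""
import re
from collections import defaultdict

# Constructed sample named log: the lines quoted in the thread plus a second,
# made-up reverse zone so grouping by zone is visible.
NAMED_LOG = """\
Dec 29 20:24:26 verdandi named[3695]: samba_dlz: starting configure
Dec 29 20:24:26 verdandi named[3695]: zone 10.16.172.in-addr.arpa/NONE: has 0 SOA records
Dec 29 20:24:26 verdandi named[3695]: zone 10.16.172.in-addr.arpa/NONE: has no NS records
Dec 29 20:24:26 verdandi named[3695]: samba_dlz: Failed to configure zone '10.16.172.in-addr.arpa.'
Dec 29 20:24:26 verdandi named[3695]: zone 20.16.172.in-addr.arpa/NONE: has 0 SOA records
Dec 29 20:24:26 verdandi named[3695]: samba_dlz: Failed to configure zone '20.16.172.in-addr.arpa.'
"""

# Constructed sample of `samba-tool dns query localhost 10.16.172.in-addr.arpa. @ ALL`
# output for the first zone, in the shape quoted in the thread.
SAMBA_TOOL_OUTPUT = """\
  Name=, Records=2, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=3600, ns=samba.ad.microsult.de., email=hostmaster.ad.microsult.de. (flags=600000f0, serial=1, ttl=3600)
    NS: samba.ad.microsult.de. (flags=600000f0, serial=1, ttl=3600)
"""

# "zone <name>/<class>: has 0 SOA records" / "has no NS records"
ZONE_RE = re.compile(
    r"zone (?P<zone>[^/\s]+)/\S+: has (?P<count>\d+|no) (?P<rr>SOA|NS) records"
)
# "samba_dlz: Failed to configure zone '<name>.'"
FAIL_RE = re.compile(r"samba_dlz: Failed to configure zone '(?P<zone>[^']+)'")
# samba-tool record lines: "    SOA: ...", "    NS: ..." (the "Name=" header has no colon after the type)
RECORD_RE = re.compile(r"^\s*(?P<rr>[A-Z]+): ")


def normalise(zone):
    """Canonical zone key: lower-case, trailing dot removed (the dot the thread warns about)."""
    return zone.strip().rstrip(".").lower()


def parse_named_log(text):
    """Per zone: SOA/NS counts named reported (None if not mentioned) and whether configure failed."""
    zones = defaultdict(lambda: {"SOA": None, "NS": None, "failed": False})
    for line in text.splitlines():
        m = ZONE_RE.search(line)
        if m:
            count = 0 if m.group("count") == "no" else int(m.group("count"))
            zones[normalise(m.group("zone"))][m.group("rr")] = count
            continue
        m = FAIL_RE.search(line)
        if m:
            zones[normalise(m.group("zone"))]["failed"] = True
    return dict(zones)


def parse_samba_tool(text):
    """Count record lines per type in `samba-tool dns query` output."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            counts[m.group("rr")] += 1
    return dict(counts)


def discrepancies(named_zones, zone, samba_counts):
    """Human-readable mismatches between what named logged and what samba-tool lists for one zone."""
    info = named_zones.get(normalise(zone))
    if info is None:
        return [f"{zone}: no samba_dlz messages in the named log"]
    out = []
    for rr in ("SOA", "NS"):
        by_named, by_tool = info[rr], samba_counts.get(rr, 0)
        if by_named == 0 and by_tool > 0:
            out.append(f"{zone}: named reports 0 {rr} records but samba-tool lists {by_tool}")
    if info["failed"]:
        out.append(f"{zone}: samba_dlz failed to configure this zone")
    return out


if __name__ == "__main__":
    zones = parse_named_log(NAMED_LOG)
    for z, info in sorted(zones.items()):
        print(z, info)
    for line in discrepancies(zones, "10.16.172.in-addr.arpa.", parse_samba_tool(SAMBA_TOOL_OUTPUT)):
        print("!", line)
```

Feed it `journalctl -u bind9` (or the syslog file) in place of `NAMED_LOG` and the output of `samba-tool dns query <server> <zone> @ ALL` in place of `SAMBA_TOOL_OUTPUT`; because both sides are keyed through `normalise()`, the zone typed with or without the trailing dot lands on the same entry.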
On 29/12/14 18:20, support at remsnet.de wrote:
> Dear Rowland,
>
> and here we have one reason / proof regarding Debian and current Samba BIND DLZ issues:
> http://metadata.ftp-master.debian.org/changelogs//main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u3_changelog
> MSG >> " * disable dlz until we get a patch to make it build again"
>
> Well, the Debian maintainers seem to be seeking the missing dlz patches that RHEL & SLES maintainers created some time ago.
>
> see http://bkraft.fr/blog/bind_9_10_1_and_bind_9_9_6_and_bind_9_8_8/
> and derived CentOS bind9 https://github.com/remsnet/CentOS-Bind-DLZ ,
> RPMS / SRPM / SPEC at https://www.dropbox.com/sh/56xu6o49pnkrrhv/AACaz6_nryOlSRsT_7CNKYWOa?dl=0
> .. it was some hard days of patching to get it ... my special thanks to Benjamin Kraft's excellent work...
>
> my Raspbian had no load, so the bind9 dpkg install was quick:
>
> Neue Version der Konfigurationsdatei /etc/init.d/bind9 wird installiert ...
> [ ok ] Starting domain name service...: bind9.
> Trigger für libc-bin (2.19-13) werden verarbeitet ...
> Fehler traten auf beim Bearbeiten von:
>  slapd
> E: Sub-process /usr/bin/dpkg returned an error code (1)
>
> root at app1:~# cat /etc/debian_version
> jessie/sid
>
> root at app1:~# uname -a
> Linux app1 3.10.25+ #622 PREEMPT Fri Jan 3 18:41:00 GMT 2014 armv6l GNU/Linux
>
> root at app1:~# named -V
> BIND 9.9.5-7-Raspbian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
> compiled by GCC 4.9.1
> using OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
> using libxml2 version: 2.9.1
>
> root at app1:~# date
> Mo 29. Dez 19:06:05 CET 2014
>
> DLZ has been DISABLED by the Debian bind9 pkg maintainers at current.
>
> - and current bind 9.9.x and up don't support the "buildin" option anymore;
> that way of configuring has been removed quite some time ago, notices for that can be found on the bind mailing list.
>
> In this case - without DLZ - the rebuild of bind9 is _required_ to service samba4 dlz.
>
> --
> Mit freundlichen Grüßen / Best Regards
>
> Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
>
> Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
>
>> Sent: Monday, 29 December 2014 at 18:41
>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>> To: support at remsnet.de
>> Cc: samba at lists.samba.org
>> Subject: Re: Aw: Re: Re: [Samba] samba_dlz Failed to configure reverse zone
>>
>> On 29/12/14 17:32, support at remsnet.de wrote:
>>> Dear Rowland,
>>>
>>> Just keep in mind that the Debian RPI is maintained by the raspberry.org PI fellows and _not_ mainly by the mainstream Debian
>>> pkg maintainers, and is ways behind the main distro - almost.
>>>
>>>> Even though there is no mention of dlopen, samba_dlz works.
>>>>
>>> yes/no ->> it's not displaying the DLZ file open <<- and that happens even on my now 1+ year old samba4.0 RPI samba4 AD.
>>>
>>> and that's why I reviewed the posted Bind startup
>>> we both know if the dlopen does not happen cleanly, then any zone load will never succeed.
>>>
>>> At the moment I'm building bind 9.9.5.7 on one of the RPi cluster nodes, will tell you in the next days the outcome and the named -V output from package and self-compiled. Compiling bind on RPI-II (not cross-compiling) takes 4-6h, samba4 ~13-17h.
>> Hi, ok I take your point, but the OP never mentioned Rpi, come to think
>> of it, the OP has never mentioned their distro, wonder what it is.
>>
>> As for compiling S4 on rpi, been there, done that and yes it does take a
>> very long time. :-)
>>
>> Rowland
>>
>>> --
>>> Mit freundlichen Grüßen / Best Regards
>>>
>>> Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
>>>
>>> Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
>>>
>>>> Sent: Monday, 29 December 2014 at 18:06
>>>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>>>> To: support at remsnet.de
>>>> Cc: samba at lists.samba.org
>>>> Subject: Re: Aw: Re: [Samba] samba_dlz Failed to configure reverse zone
>>>>
>>>> On 29/12/14 16:25, support at remsnet.de wrote:
>>>>> Hello,
>>>>>
>>>>> review bind9 options ...
>>>>>
>>>>>>> Dec 22 12:25:55 verdandi named[18534]: starting BIND 9.9.5-7-Debian -u
>>>>>>> bind -4
>>>>>>> Dec 22 12:25:55 verdandi named[18534]: built with '--prefix=/usr'
>>>>>>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>>>>>>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>>>>>>> '--enable-largefile' '--with-libtool' '--enable-shared'
>>>>>>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>>>>>>> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>>>>>>> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>>>>>>> -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
>>>>>>> Dec 22 12:25:55 verdandi named[18534]:
>>>>> Due to some curiosity, your Debian Bind seems to be missing the required Bind-dlz options.
>>>>>
>>>>> This Samba wiki explains it: https://wiki.samba.org/index.php/DNS, in exact words the required BIND-DLZ options are not compiled in:
>>>>>
>>>>> --with-dlopen=yes \
>>>>> --with-dlz-bdb \
>>>>> --with-dlz-ldap \
>>>>> --with-dlz-filesystem=yes \
>>>>>
>>>>> And here a HowTo for Debian to fix that:
>>>>>
>>>>> https://wiki.samba.org/index.php/DNS#Debian_.2F_Ubuntu_.2B_clones_-_Build_New_ISC_Bind_9.8_.2F_9.9_.2F_9.10
>>>>> (just updated for Debian as well.)
>>>>>
>>>>> Verify your Bind9 build options with "named -V" or "named-sdb -V":
>>>>>
>>>>> --
>>>>> Mit freundlichen Grüßen / Best Regards
>>>>>
>>>>> Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
>>>>>
>>>>> Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
>>>>>
>>>> I must update that wiki page, the Debian bind9 package seems to have the
>>>> dlopen options built-in. I use 9.9.5 from wheezy backports:
>>>>
>>>> BIND 9.9.5-4~bpo70+1-Debian (Extended Support Version) <id:f9b8a50e>
>>>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>>>> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
>>>> '--localstatedir=/var' '--enable-threads' '--enable-largefile'
>>>> '--with-libtool' '--enable-shared' '--enable-static'
>>>> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
>>>> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
>>>> '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>>>
>>>> Even though there is no mention of dlopen, samba_dlz works.
>>>>
>>>> Rowland
>>>>
>
OK, thanks for that, but it cannot be affecting my wheezy backports version BIND 9.9.5-4~bpo70+1-Debian (Extended Support Version) as it works, so yet another reason not to upgrade to Jessie when it finally gets released.

Rowland
On 29/12/14 18:20, support at remsnet.de wrote:
> Dear Rowland,
>
> and here we have one reason / proof regarding Debian and current Samba BIND DLZ issues:
> http://metadata.ftp-master.debian.org/changelogs//main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u3_changelog
> MSG >> " * disable dlz until we get a patch to make it build again"
>
> Well, the Debian maintainers seem to be seeking the missing dlz patches that RHEL & SLES maintainers created some time ago.
>
> see http://bkraft.fr/blog/bind_9_10_1_and_bind_9_9_6_and_bind_9_8_8/
> and derived CentOS bind9 https://github.com/remsnet/CentOS-Bind-DLZ ,
> RPMS / SRPM / SPEC at https://www.dropbox.com/sh/56xu6o49pnkrrhv/AACaz6_nryOlSRsT_7CNKYWOa?dl=0
> .. it was some hard days of patching to get it ... my special thanks to Benjamin Kraft's excellent work...
>
> my Raspbian had no load, so the bind9 dpkg install was quick:
>
> Neue Version der Konfigurationsdatei /etc/init.d/bind9 wird installiert ...
> [ ok ] Starting domain name service...: bind9.
> Trigger für libc-bin (2.19-13) werden verarbeitet ...
> Fehler traten auf beim Bearbeiten von:
>  slapd
> E: Sub-process /usr/bin/dpkg returned an error code (1)
>
> root at app1:~# cat /etc/debian_version
> jessie/sid
>
> root at app1:~# uname -a
> Linux app1 3.10.25+ #622 PREEMPT Fri Jan 3 18:41:00 GMT 2014 armv6l GNU/Linux
>
> root at app1:~# named -V
> BIND 9.9.5-7-Raspbian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
> compiled by GCC 4.9.1
> using OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
> using libxml2 version: 2.9.1
>
> root at app1:~# date
> Mo 29. Dez 19:06:05 CET 2014
>
> DLZ has been DISABLED by the Debian bind9 pkg maintainers at current.
>
> - and current bind 9.9.x and up don't support the "buildin" option anymore;
> that way of configuring has been removed quite some time ago, notices for that can be found on the bind mailing list.
>
> In this case - without DLZ - the rebuild of bind9 is _required_ to service samba4 dlz.
>
> --
> Mit freundlichen Grüßen / Best Regards
>
> Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
>
> Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
>
>> Sent: Monday, 29 December 2014 at 18:41
>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>> To: support at remsnet.de
>> Cc: samba at lists.samba.org
>> Subject: Re: Aw: Re: Re: [Samba] samba_dlz Failed to configure reverse zone
>>
>> On 29/12/14 17:32, support at remsnet.de wrote:
>>> Dear Rowland,
>>>
>>> Just keep in mind that the Debian RPI is maintained by the raspberry.org PI fellows and _not_ mainly by the mainstream Debian
>>> pkg maintainers, and is ways behind the main distro - almost.
>>>
>>>> Even though there is no mention of dlopen, samba_dlz works.
>>>>
>>> yes/no ->> it's not displaying the DLZ file open <<- and that happens even on my now 1+ year old samba4.0 RPI samba4 AD.
>>>
>>> and that's why I reviewed the posted Bind startup
>>> we both know if the dlopen does not happen cleanly, then any zone load will never succeed.
>>>
>>> At the moment I'm building bind 9.9.5.7 on one of the RPi cluster nodes, will tell you in the next days the outcome and the named -V output from package and self-compiled. Compiling bind on RPI-II (not cross-compiling) takes 4-6h, samba4 ~13-17h.
>> Hi, ok I take your point, but the OP never mentioned Rpi, come to think
>> of it, the OP has never mentioned their distro, wonder what it is.
>>
>> As for compiling S4 on rpi, been there, done that and yes it does take a
>> very long time. :-)
>>
>> Rowland
>>
>>> --
>>> Mit freundlichen Grüßen / Best Regards
>>>
>>> Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
>>>
>>> Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
>>>
>>>> Sent: Monday, 29 December 2014 at 18:06
>>>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>>>> To: support at remsnet.de
>>>> Cc: samba at lists.samba.org
>>>> Subject: Re: Aw: Re: [Samba] samba_dlz Failed to configure reverse zone
>>>>
>>>> On 29/12/14 16:25, support at remsnet.de wrote:
>>>>> Hello,
>>>>>
>>>>> review bind9 options ...
>>>>>
>>>>>>> Dec 22 12:25:55 verdandi named[18534]: starting BIND 9.9.5-7-Debian -u
>>>>>>> bind -4
>>>>>>> Dec 22 12:25:55 verdandi named[18534]: built with '--prefix=/usr'
>>>>>>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>>>>>>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>>>>>>> '--enable-largefile' '--with-libtool' '--enable-shared'
>>>>>>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>>>>>>> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>>>>>>> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>>>>>>> -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
>>>>>>> Dec 22 12:25:55 verdandi named[18534]:
>>>>> Due to some curiosity, your Debian Bind seems to be missing the required Bind-dlz options.
>>>>>
>>>>> This Samba wiki explains it: https://wiki.samba.org/index.php/DNS, in exact words the required BIND-DLZ options are not compiled in:
>>>>>
>>>>> --with-dlopen=yes \
>>>>> --with-dlz-bdb \
>>>>> --with-dlz-ldap \
>>>>> --with-dlz-filesystem=yes \
>>>>>
>>>>> And here a HowTo for Debian to fix that:
>>>>>
>>>>> https://wiki.samba.org/index.php/DNS#Debian_.2F_Ubuntu_.2B_clones_-_Build_New_ISC_Bind_9.8_.2F_9.9_.2F_9.10
>>>>> (just updated for Debian as well.)
>>>>>
>>>>> Verify your Bind9 build options with "named -V" or "named-sdb -V":
>>>>>
>>>>> --
>>>>> Mit freundlichen Grüßen / Best Regards
>>>>>
>>>>> Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de
>>>>>
>>>>> Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
>>>>>
>>>> I must update that wiki page, the Debian bind9 package seems to have the
>>>> dlopen options built-in. I use 9.9.5 from wheezy backports:
>>>>
>>>> BIND 9.9.5-4~bpo70+1-Debian (Extended Support Version) <id:f9b8a50e>
>>>> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
>>>> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
>>>> '--localstatedir=/var' '--enable-threads' '--enable-largefile'
>>>> '--with-libtool' '--enable-shared' '--enable-static'
>>>> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
>>>> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
>>>> '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>>>
>>>> Even though there is no mention of dlopen, samba_dlz works.
>>>>
>>>> Rowland
>>>>
>
hang on a bit, the Debian link is for bind 9.8.x and the dlz reference is for 9.8.1.dfsg-1.

Rowland
support at remsnet.de
2014-Dec-30 09:24 UTC
[Samba] samba_dlz Failed to configure reverse zone
Hello Rowland,

> hang on a bit, the Debian link is for bind 9.8.x and the dlz reference
> is for 9.8.1.dfsg-1.
>
I don't recommend using Bind 9.8.1 / 9.8.2 anymore - most distros use it, but they should move due to DLZ compile & bind bugs.
and 9.8 soon goes end of life, see https://kb.isc.org/article/AA-01211/81/BIND-9.8.8-Release-Notes.html

> Rowland
>
This was just gotten from the Debian "main" aka "Production" bind packages for http://ftp.de.debian.org/debian/pool/main/b/bind9/bind9_9.9.5.dfsg-7.dsc

...
configure: WARNING: unrecognized options: --with-dlz-dlopen
...
checking for Berkeley DB DLZ driver... not found
configure: error: could not find Berkeley DB include directory
root at app1:/usr/src/BUILD/bind9/bind9-9.9.5.dfsg-dlz#

and got the same at https://packages.debian.org/wheezy-backports/bind9 -> http://ftp.de.debian.org/debian/pool/main/b/bind9/bind9_9.9.5.dfsg-4~bpo70+1.dsc

Check it yourself if you don't trust it - DLZ dlopen support at Debian has been dropped OUT.

I'll work on a Debian 9.9.6 bind dlz build project. Any volunteered existing patches are welcome (by mail, i.e.).

--
Mit freundlichen Grüßen / Best Regards

Horst Venzke ; PGP NET : 1024G/082F2E6D ; http://www.remsnet.de

Legal Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. Any review, dissemination, or copying is strictly prohibited. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
Lars Hanke
2015-Jan-28 14:42 UTC
[Samba] [SOLVED] samba_dlz Failed to configure reverse zone
Last month I struggled with a severe DLZ issue and today I could solve it. Credits for the important idea go to Peter Serbe, thanks!

I checked the DNS contents using RSAT. There was nothing wrong with SOA nor NS entries, but the reverse zones were actually forward zones with proper names in the in-addr.arpa. domain. I built proper reverse zones and deleted the forward-reverse zones, and Bind DLZ did not complain anymore and can resolve all hosts in all directions.

The remaining question is: since I never created any reverse zones manually, how have these zones been created?

Thanks,
 - lars.

On 29.12.2014 at 21:33, Lars Hanke wrote:
> Just to clarify some things ...
>
> the Bind9 and Samba4 are both current Debian Jessie on amd64. So the
> applicable changelog would be
> http://metadata.ftp-master.debian.org/changelogs//main/b/bind9/testing_changelog
>
> Using 1:9.9.5.dfsg-6 the system worked nicely. Fixing a CVE pertaining
> to recursion does not easily link to DLZ issues.
>
> The system definitely has DLZ included. Otherwise it could not produce
> DLZ related errors and change behaviour if sam.ldb is changed.
>
> Using some hints from bind-users I found
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> "DC=DomainDnsZones,DC=ad,DC=microsult,DC=de" "(objectClass=dnsZone)" dn
>
> a useful command. It showed me that I added the wrong zones and that the
> zones claimed to have missing SOA and NS are actually there. To cite the
> most important parts of the logs:
>
> Dec 29 20:24:26 verdandi named[3695]: samba_dlz: starting configure
> Dec 29 20:24:26 verdandi named[3695]: zone 10.16.172.in-addr.arpa/NONE:
> has 0 SOA records
> Dec 29 20:24:26 verdandi named[3695]: zone 10.16.172.in-addr.arpa/NONE:
> has no NS records
> Dec 29 20:24:26 verdandi named[3695]: samba_dlz: Failed to configure
> zone '10.16.172.in-addr.arpa.'
>
> Mind the final dot in the zone name! It's clear, but for some reason I
> forgot it over and over in the past. So listing the correct reverse zone:
>
> root at verdandi:~# samba-tool dns query localhost 10.16.172.in-addr.arpa.
> @ ALL -U Administrator
> Password for [AD\Administrator]:
>   Name=, Records=2, Children=0
>     SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=3600,
> ns=samba.ad.microsult.de., email=hostmaster.ad.microsult.de.
> (flags=600000f0, serial=1, ttl=3600)
>     NS: samba.ad.microsult.de. (flags=600000f0, serial=1, ttl=3600)
>
> shows that there are SOA and NS entries, i.e. it's all there is in the
> zone, and in all other reverse zones as well.
>
> The library is part of the Samba package and has not changed. So either
> Bind9 now has a bug and interfaces incorrectly with DLZ, or the DLZ
> library presents the data incorrectly and the CVE fix now denies it, or
> the library does not match Bind9 anymore.
>
> I ran a strace, but it does not give too much information. Yes, sam.ldb
> and sam.ldb.d are accessed, so the DLZ basics should be straight, which
> somewhat rules out the last option. In between "samba_dlz: starting
> configure" and "zone ... has 0 SOA records" I only see a lot of read
> lock and unlock operations on 3 different fd, relating to files in
> sam.ldb.d: "AD DN.ldb", "DC=DOMAINDNSZONES,AD DN.ldb",
> "DC=FORESTDNSZONES,AD DN.ldb" (AD DN is the DN of the AD).
>
> In summary: I now understand why Bind9 would load reverse zones (they
> actually exist). I don't understand why samba-tool reports SOA and NS,
> while Bind9 claims both absent. And I'm unsure why
> 10.16.172.in-addr.arpa seems to collide with 10.16.172.in-addr.arpa.
> (mind the dot). This at least smells like different parts of the code
> follow a different functional specification. But this is a side note and
> in no way important for the problem of getting Bind9 running again.
>
> I still don't know whether I can configure it away, or should file a bug
> and to whom: Bind9 or Samba4.
>
> Regards,
> - lars.
>
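The resolution above was to rebuild the reverse zones properly, after an `ldbsearch ... "(objectClass=dnsZone)" dn` listing had shown which zones existed. The script below is an added example, not code from the thread or from Samba: it reads the `dn:` lines of such a listing, derives from a list of your subnets which `in-addr.arpa` zone names ought to exist (for /8, /16 and /24 networks, the cases that map to a single zone), and reports reverse zones that are missing, reverse-looking names that match no subnet, and the remaining forward zones. It checks names and coverage only; the forward-versus-reverse zone type that RSAT revealed in the message above is not visible in the DN alone. The sample listing is constructed around the thread's domain; the `DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,...` layout is the one Samba stores DNS zones under, but the record count trailer and the RootDNSServers entry are assumed for the sample.

```python
"""Compare the dnsZone entries of an ldbsearch listing with expected reverse zones.

Added example for the thread above; not part of Samba.
"""
import ipaddress
import re

# Constructed sample of `ldbsearch -H sam.ldb -b "DC=DomainDnsZones,..." "(objectClass=dnsZone)" dn`
# output for the thread's domain (values made up; only the zone names follow the thread).
LDBSEARCH_OUTPUT = """\
# record 1
dn: DC=ad.microsult.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=microsult,DC=de

# record 2
dn: DC=10.16.172.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=microsult,DC=de

# record 3
dn: DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=microsult,DC=de

# returned 3 records
"""

# Zone objects sit directly under CN=MicrosoftDNS; the zone name is the first DC= value.
ZONE_DN_RE = re.compile(r"^dn: DC=(?P<zone>[^,]+),CN=MicrosoftDNS,", re.IGNORECASE)


def zones_from_ldbsearch(text):
    """Zone names (lower-cased, no trailing dot) from the dn: lines of an ldbsearch listing."""
    zones = []
    for line in text.splitlines():
        m = ZONE_DN_RE.match(line)
        if m:
            zones.append(m.group("zone").rstrip(".").lower())
    return zones


def expected_reverse_zone(cidr):
    """Name of the single in-addr.arpa zone covering an IPv4 /8, /16 or /24 network.

    Other prefix lengths need several zones or RFC 2317-style delegation and are
    rejected so they are not silently mis-reported.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: only IPv4 /8, /16 and /24 networks map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")
    keep = net.prefixlen // 8                      # /24 keeps three octets, /16 two, /8 one
    return ".".join(reversed(octets[:keep])) + ".in-addr.arpa"


def check_reverse_zones(ldb_text, networks):
    """Classify listed zones against the reverse zones the given networks call for."""
    zones = set(zones_from_ldbsearch(ldb_text))
    expected = {expected_reverse_zone(n): n for n in networks}
    return {
        "missing": sorted(z for z in expected if z not in zones),
        "unexpected": sorted(z for z in zones if z.endswith(".in-addr.arpa") and z not in expected),
        "forward": sorted(z for z in zones if not z.endswith(".in-addr.arpa")),
    }


if __name__ == "__main__":
    # Example run on the constructed listing for two hypothetical subnets.
    report = check_reverse_zones(LDBSEARCH_OUTPUT, ["172.16.10.0/24", "172.16.20.0/24"])
    for key, names in report.items():
        print(f"{key:10} {', '.join(names) or '-'}")
```

Replace `LDBSEARCH_OUTPUT` with the real listing (`ldbsearch ... dn > zones.txt` on the DC) and the network list with the subnets your AD serves; anything under `missing` is a reverse zone still to create with `samba-tool dns zonecreate`, anything under `unexpected` deserves a look with `samba-tool dns query` or RSAT.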