dura-zell
2016-Feb-29 06:23 UTC
[Samba] Problems with samba 4.3 and Bind_DLZ - ddns not working
Hi,

I'm currently testing the replacement of a samba 3 with LDAP backend with a samba 4 AD DC. For this, I have a fresh install of:

- FreeBSD 10.2
- samba 4.3.3
- bind with dlopen support:

  BIND 9.10.3-P3 <id:bdaecad>
  built by make with '--localstatedir=/var' '--disable-linux-caps' '--with-dlopen=yes' '--disable-symtable'
    '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-ledit'
    '--sysconfdir=/usr/local/etc/namedb' '--disable-fetchlimit' '--disable-filter-aaaa' '--disable-fixed-rrset'
    '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--enable-largefile' '--disable-newstats'
    '--with-python' '--disable-querytrace' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--enable-rrl'
    'STD_CDEFINES=-DDIG_SIGCHASE=1' '--with-gssapi=/usr/local' 'KRB5CONFIG=/usr/local/bin/krb5-config'
    '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-bdb=yes' '--with-dlz-ldap=yes'
    '--with-dlz-filesystem=yes' '--with-dlz-stub=yes' '--without-gost' '--enable-threads' '--prefix=/usr/local'
    '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.2'
    'build_alias=amd64-portbld-freebsd10.2' 'CC=cc'
    'CFLAGS=-O2 -pipe -isystem /usr/local/include -DLIBICONV_PLUG -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing'
    'LDFLAGS= -L/usr/local/lib -Wl,-rpath,/usr/local/lib/heimdal:/usr/lib -fstack-protector' 'LIBS='
    'CPPFLAGS=-isystem /usr/local/include -DLIBICONV_PLUG' 'CPP=cpp'
  compiled by CLANG 4.2.1 Compatible FreeBSD Clang 3.4.1 (tags/RELEASE_34/dot1-final 208032)
  compiled with OpenSSL version: OpenSSL 1.0.1p-freebsd 9 Jul 2015
  linked to OpenSSL version: OpenSSL 1.0.1p-freebsd 9 Jul 2015
  compiled with libxml2 version: 2.9.3
  linked to libxml2 version: 20903

When setting up my environment, I mostly followed the tutorial found here: https://forums.freebsd.org/threads/47798/ I needed to adapt it a bit to match my environment and supplemented it with information found via google.
So far everything is working: I can join my test domain with Windows 7 clients, use the RSAT tools to administer my domain and so on. Only one thing I'm having a hard time getting to work: the dynamic DNS updates from samba to bind. Here I'm getting "denied" errors. After some days of googling, I'm at a complete loss. I need to use bind, as I have parts of my network not in the planned Active Directory.

When I issue the samba_dnsupdate command, this happens:

  [root@katalog ~]# samba_dnsupdate --verbose --all-names
  IPs: ['10.151.21.4']
  Calling nsupdate for A katalog.int.domain.test 10.151.21.4 (add)
  Outgoing update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
  ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
  ;; UPDATE SECTION:
  katalog.int.domain.test. 900 IN A 10.151.21.4

  update failed: REFUSED
  Failed nsupdate: 2
  Calling nsupdate for A int.domain.test 10.151.21.4 (add)
  Outgoing update query:
  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
  ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
  ;; UPDATE SECTION:
  int.domain.test. 900 IN A 10.151.21.4
  [...]snip[...]
  update failed: REFUSED
  Failed nsupdate: 2
  Failed update of 27 entries

I'm getting these messages in the bind log:

  Feb 29 06:36:39 katalog named[51930]: client 10.151.21.4#40144: view internal: update 'int.domain.test/IN' denied
  Feb 29 06:36:39 katalog named[51930]: client 10.151.21.4#27355: view internal: update 'int.domain.test/IN' denied
  [...]snip[...]
Here are my config files.

named.conf:

  acl local-domain { 10.151.0.0/16; 127.0.0.1; };
  acl interfaces { 10.151.21.4; 127.0.0.1; };

  options {
      directory "/usr/local/etc/namedb/working/";
      notify no;
      recursion yes;
      minimal-responses yes;
      provide-ixfr yes;
      request-ixfr yes;
      pid-file "/var/run/named/pid";
      dump-file "/var/dump/named_dump.db";
      statistics-file "/var/stats/named.stats";
      tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
      listen-on { interfaces; };
  };

  view "internal" {
      match-clients { local-domain; };
      allow-update { local-domain; };
      allow-query { local-domain; };
      allow-recursion { local-domain; };
      forwarders { 10.151.21.2; };
      include "/var/db/samba4/private/named.conf";
  };

/var/db/samba4/private/named.conf:

  dlz "AD DNS Zone" {
      # For BIND 9.8.x
      # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";
      # For BIND 9.9.x
      # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so";
      # For BIND 9.10.x
      database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_10.so -d 3";
  };

and /usr/local/etc/smb4.conf (this is the default name on FreeBSD):

  [global]
      workgroup = INT
      realm = INT.DOMAIN.TEST
      netbios name = KATALOG
      server role = active directory domain controller
      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
      idmap_ldb:use rfc2307 = yes
      nsupdate command = /usr/local/bin/nsupdate
      kerberos method = secrets and keytab
      log level = 10

  [netlogon]
      path = /var/db/samba4/sysvol/int.domain.test/scripts
      read only = No

  [sysvol]
      path = /var/db/samba4/sysvol
      read only = No

The dns.keytab is accessible for the bind user (I even tried chmod 777) and bind doesn't run chrooted / jailed. I can see from the logs that loading / initializing the DLZ works fine. I tried to get more meaningful logs from bind, but it always comes down to "denied". It never tells me WHY it denies the update. Has someone an idea what I'm doing wrong here?
I searched the internet for the last two days, but wasn't able to get it running as intended. Now I'm stuck. Using bind is a requirement for my setup. Please give me a hint where to search further for any issues / mistakes I might have made.

Kind regards,
Michael
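Added example, not part of the original mail and not code from Samba or BIND: a small script that exercises the GSS-TSIG update path one layer at a time instead of through samba_dnsupdate, so a REFUSED can be pinned to the keytab, the ticket, or the DLZ authorisation. The keytab path, server address and zone are taken from the post; the named user name "bind", the use of `su -m`, and the extra `zone` line in the nsupdate stanza are assumptions made for this illustration. The log tally at the end runs on constructed lines copied from the post's bind log.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba/BIND: exercise the
# GSS-TSIG update path that samba_dnsupdate depends on, one layer at a time.
# Values marked "from the post" come from the mail above; everything else is an
# assumption for illustration.
set -eu

KEYTAB=${KEYTAB:-/var/db/samba4/private/dns.keytab}   # tkey-gssapi-keytab, from the post
NAMED_USER=${NAMED_USER:-bind}                         # assumption: named runs as "bind" on FreeBSD
DNS_SERVER=${DNS_SERVER:-10.151.21.4}                  # the DC's listener, from the post
ZONE=${ZONE:-int.domain.test}                          # AD zone, from the post

# Build the nsupdate stanza for one A record, in the shape samba_dnsupdate
# produces ("update add <fqdn> 900 A <ip>"), plus an explicit "zone" line
# (assumption, not what samba_dnsupdate sends) so named cannot pick another
# zone in the view.
update_stanza() {
    printf 'server %s\nzone %s\nupdate add %s. %s IN A %s\nsend\n' \
        "$DNS_SERVER" "$ZONE" "$1" "${3:-900}" "$2"
}

# Layer 1: can the user named runs as open the keytab? If not, the TKEY
# negotiation fails before any update is examined. Needs root for su.
keytab_readable_by() {
    su -m "$1" -c "test -r '$2'"    # assumption: FreeBSD su -m keeps the environment
}

# Layer 2: nsupdate -g signs with the caller's credential cache, so a valid
# Kerberos ticket must exist first (e.g. "kinit administrator").
have_ticket() {
    klist -s                        # -s: exit 0 if the cache holds a valid ticket (MIT and Heimdal)
}

# Layer 3: send one GSS-TSIG signed update with debug output. A REFUSED here,
# with a ticket present, means named accepted the TKEY exchange but the
# DLZ module's ssumatch check (AD permissions on the record) rejected the
# principal.
send_signed_update() {
    update_stanza "$1" "$2" | nsupdate -g -d
}

# Tally "update ... denied" lines from named's log per client and zone, to
# see whether every update is refused or only particular records are.
summarize_denied() {
    awk '/update .* denied/ {
            client = ""; zone = ""
            for (i = 1; i < NF; i++) {
                if ($i == "client") client = $(i + 1)
                if ($i == "update") zone = $(i + 1)
            }
            sub(/#.*/, "", client)                      # strip the source port
            zone = substr(zone, 2, length(zone) - 2)    # strip the quotes
            n[client " " zone]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Run the live checks only when given a host name and address, e.g.
#   sh ddns-check.sh katalog.int.domain.test 10.151.21.4
if [ $# -eq 2 ]; then
    keytab_readable_by "$NAMED_USER" "$KEYTAB" || { echo "$NAMED_USER cannot read $KEYTAB" >&2; exit 2; }
    have_ticket || { echo "no Kerberos ticket in the credential cache; run kinit first" >&2; exit 3; }
    send_signed_update "$1" "$2"
fi
```

Run it on the DC as root after `kinit` with an account that may write the zone; `nsupdate -d` then prints the TKEY exchange before the update, so you can see whether the GSS negotiation itself completes. One point worth keeping in mind while reading the named.conf above: `allow-update { local-domain; };` is an address-based ACL, which would let any host in 10.151.0.0/16 rewrite records in any zone it governs. For an AD zone served by the Samba DLZ module, authorisation is meant to come from the Kerberos identity carried in the GSS-TSIG signature, which the module checks against the record's permissions in AD; that is the check the script's layer 3 isolates.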