Hi Karl
I've been running Samba with bind_dlz for years now, on stock Debian Samba and
BIND, and it runs fine.
I went through your mails on the list and I noticed the following.
> client006$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
> samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=client006.my.domain.de type=AAAA error=insufficient access rights
This shows me 2 things.
The first is rejected by bind, and that's because it was caught somewhere in
your config of bind.
The second is rejected by bind_DLZ.
And in my opinion both of these have nothing to do with rights in
/var/lib/samba/private, because the messages above are actively denying things
(not an error).
If the rights really were a problem then you should see that in your syslog.
So in my opinion start with a correct/working/well-tested bind config.
Change your bind setup to the following.
Back up your bind folder:
cp /etc/bind{,.backup}
Change the acl all-networks to your network and change the forwarders to your
ISP's DNS servers.
The bind config. Best is to never change this file.
The loading order is important.
named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options
acl all-networks {
192.168.1.0/24; 10.150.0.0/16;
};
options {
directory "/var/cache/bind";
version "0.0.7";
forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };
dnssec-validation no;
auth-nxdomain yes; # conform to RFC1035 =no
listen-on-v6 { "none"; };
listen-on port 53 { IPv4-IP_OF_YOUR_SERVER; 127.0.0.1; };
notify no;
empty-zones-enable no;
// Add any subnets or hosts you want to allow to use this DNS server
allow-query { "all-networks"; 127.0.0.1/32; };
// Add any subnets or hosts you want to allow to use recursive queries
allow-recursion { "all-networks"; 127.0.0.1/32; };
// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};
named.conf.local
// the samba install defaults to bind9.8
include "/var/lib/samba/private/named.conf";
chgrp bind /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab
And restart bind (the Debian unit is named bind9):
systemctl restart bind9
Run:
klist -k /var/lib/samba/private/dns.keytab
and check that you see your DNS/hostname-DC.fqdn and dns-hostname-DC$@REALM.
Run:
ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=hostname-DC' dn
and run: samba_dnsupdate --verbose --all-names
(see: https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates )
And in smb.conf try it with these:
server services = -dns
# please set the interfaces and bind interfaces like this.
interfaces = YOUR_IP 127.0.0.1
bind interfaces only = yes
Now reboot the server.
Reboot the pc.
And try again.
Greetz,
Louis
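An added check script, not from the thread or the Samba project, that audits a DC's private directory against the permission layout the thread describes: sam.ldb and the non-DNS partitions 600 root:root, the DomainDnsZones/ForestDnsZones partitions and metadata.tdb 660 shared with the BIND group, sam.ldb.d 750, and dns.keytab group-readable by the BIND group after the chgrp/chmod above. It assumes GNU stat; the owner and group names are parameters (root, root and bind on a Debian DC) so the check can also be run against a constructed test directory.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Samba private directory
# against the permission layout described above. Assumes GNU stat.

# expect_mode PATH MODE OWNER GROUP: report and fail if the file differs.
expect_mode() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    [ "$actual" = "$2 $3 $4" ] && return 0
    echo "MISMATCH $1: have '$actual', want '$2 $3 $4'"
    return 1
}

# check_keytab PATH BINDGRP: after "chgrp bind; chmod g+r", dns.keytab must
# belong to the BIND group, be group-readable, and give others nothing.
check_keytab() {
    st=$(stat -c '%a %G' "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    grp=${st#* }; mode=$(printf '%03d' "${st%% *}")
    case "$mode" in
        ?[4567]0) [ "$grp" = "$2" ] && return 0 ;;
    esac
    echo "KEYTAB $1: mode $mode group $grp, want group $2 with g+r and o=0"
    return 1
}

# audit_samba_private DIR OWNER OWNERGRP BINDGRP: on a real DC OWNER and
# OWNERGRP are root, BINDGRP is bind (Debian) or named; they are parameters
# so the check can run against a constructed directory. Returns 0 only if
# sam.ldb and the non-DNS partitions are 600, DomainDnsZones, ForestDnsZones
# and metadata.tdb are 660 with the BIND group, and sam.ldb.d is 750.
audit_samba_private() {
    dir=$1; own=$2; owng=$3; bindg=$4; rc=0
    expect_mode "$dir/sam.ldb" 600 "$own" "$owng" || rc=1
    expect_mode "$dir/sam.ldb.d" 750 "$own" "$bindg" || rc=1
    check_keytab "$dir/dns.keytab" "$bindg" || rc=1
    for f in "$dir"/sam.ldb.d/*; do
        case ${f##*/} in
            DC=DOMAINDNSZONES,*|DC=FORESTDNSZONES,*|metadata.tdb)
                expect_mode "$f" 660 "$own" "$bindg" || rc=1 ;;
            *.ldb)
                expect_mode "$f" 600 "$own" "$owng" || rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $dir matches the expected permissions"
    return "$rc"
}
# Usage on a Debian DC: sh audit.sh /var/lib/samba/private bind
if [ $# -gt 0 ]; then
    audit_samba_private "$1" root root "${2:-bind}"
fi
```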
> -----Original message-----
> From: Karl Heinz Wichmann [mailto:wichmann-karl at web.de]
> Sent: Monday 3 April 2017 17:32
> To: L.P.H. van Belle
> Subject: Re: [Samba] samba Digest, Vol 172, Issue 2
>
> Hello Louis
>
> The rights are ok. If I change to the internal DNS of Samba, the record will
> be created.
>
> I think bind9 at debian 8.7 was default not compiled with
> "--with-dlopen=yes" only with '--with-gssapi=/usr'
>
> Regards
>
> Karl Heinz
>
>
>
> I suspect the AD right in the DNS is wrong.
>
> Start the Windows DNS manager, go to the A (and PTR) record, get the properties
> and check the owner, set it to the computername$ and try again.
>
> Greetz,
> Louis
>
> > On 2 Apr 2017 at 17:14, Marc Muehlfeld via samba
> <samba at lists.samba.org> wrote:
> >
> > Hello Karl Heinz,
> >
> >> On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
> >> I changed the right from 600 (root:root) to 660 (root:bind) and I get the
> >> following error message.
> >>
> >> -rw-rw---- 1 root bind 4,1M Jul 8 2015 sam.ldb
> >
> > Please revert these insecure permissions to the ones we set during the
> > provisioning.
> >
> > Using these permissions, the BIND user account is enabled to read and
> > write to the whole AD database file. The sam.ldb must have 600
> > permissions and owned by root:root to be protected:
> >
> > -rw------- root root /usr/local/samba/private/sam.ldb
> >
> > sam.ldb is a virtual view to all AD partitions.
> >
> >
> >
> >> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
> >
> > The permissions on this directory are correct. However, please check the
> > permissions of the raw AD partition database files in it. If you changed
> > them, reset them to the secure permissions we set during the provisioning:
> >
> > -rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> > -rw------- root root CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> > -rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> > -rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> > -rw------- root root DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> > -rw-rw---- root named metadata.tdb
> >
> >
> >
> > Some background information: The sam.ldb.d directory is required to
> > enable the third-party daemon BIND to access the AD DNS partitions,
> > without allowing access to any other partition.
> >
> > The sam.ldb.d directory contains the raw AD partition databases, while
> > the sam.ldb file is a view to all of them.
> >
> > That's why BIND needs write access to the two DNS partition database
> > files (+ metadata.tdb) and must not have access to any other file in the
> > sam.ldb.d directory, nor to the sam.ldb file.
> >
> >
> >
> > Regards,
> > Marc
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba