On Mon, Jul 10, 2017 at 8:02 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 10 Jul 2017 06:43:37 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
> > Bind-9.11 is installed. How do you configure it? Does it need anything
> > special in the config for samba to build the ...samba.../named.conf
> > file that I should be able to include in my /etc/named.conf
> > afterwards?
>
> With Fedora being a bit 'bleeding edge', I just wondered if they had
> started using Bind10, but 9.11 should be okay, Samba knows all about
> that version ;-)
>
> > My guess is that some directory is missing. But if I start fresh and
> > configure samba with the internal dns it gets all the way through its
> > configuration with no errors.
>
> Not sure, all I can tell you is what packages I install when creating a
> DC on Devuan:
>
> samba acl attr quota fam winbind libpam-winbind libpam-krb5
> libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools bind9
> bind9utils
>
> of course fedora would have all different package names.

I avoided installing bind-chroot and bind-sdb-chroot.x86_64 as the bind dlz info on samba said not to chroot bind. I'm not sure what bind99 libs are but I installed all other bind packages listed with "dnf list bind*"

[root@dc1 ~]# dnf list dns* |grep -v i686
Last metadata expiration check: 2:40:26 ago on Mon 10 Jul 2017 05:51:50 AM MDT.
Installed Packages
dnsjava.noarch                    2.1.3-12.fc26     @rawhide
Available Packages
dnscap.x86_64                     141-11.fc26       rawhide
dnscrypt-proxy.x86_64             1.9.0-2.fc26      rawhide
dnscrypt-proxy-gui.x86_64         1.11.10-1.fc27    rawhide
dnsdist.x86_64                    1.1.0-6.fc27      rawhide
dnsenum.noarch                    1.2.4.2-7.fc27    rawhide
dnsjava-javadoc.noarch            2.1.3-12.fc26     rawhide
dnsmap.x86_64                     0.30-11.fc26      rawhide
dnsmasq.x86_64                    2.77-3.fc27       rawhide
dnsmasq-utils.x86_64              2.77-3.fc27       rawhide
dnsperf.x86_64                    2.1.0.0-7.fc27    rawhide
dnssec-check.x86_64               2.1-7.fc26        rawhide
dnssec-nodes.x86_64               2.1-6.fc26        rawhide
dnssec-system-tray.x86_64         2.1-6.fc26        rawhide
dnssec-tools.x86_64               2.2-3.fc25        rawhide
dnssec-tools-libs.x86_64          2.2-3.fc25        rawhide
dnssec-tools-libs-devel.x86_64    2.2-3.fc25        rawhide
dnssec-tools-perlmods.x86_64      2.2-3.fc25        rawhide
dnssec-trigger.x86_64             0.13-3.fc27       rawhide
dnssec-trigger-panel.x86_64       0.13-3.fc27       rawhide
dnssec4j.noarch                   0.1.6-3.fc26      rawhide
dnssec4j-javadoc.noarch           0.1.6-3.fc26      rawhide
dnstop.x86_64                     20140915-4.fc26   rawhide
dnstracer.x86_64                  1.9-16.fc27       rawhide
dnsyo.noarch                      2.0.7-3.fc26      rawhide

dnssec-tools look interesting but when I try to install those I get errors.

[root@dc1 ~]# dnf install dnssec-*
Last metadata expiration check: 2:41:47 ago on Mon 10 Jul 2017 05:51:50 AM MDT.
Error:
 Problem 1: conflicting requests
  - nothing provides perl(:MODULE_COMPAT_5.24.0) needed by dnssec-tools-2.2-3.fc25.x86_64
 Problem 2: conflicting requests
  - nothing provides libperl.so.5.24()(64bit) needed by dnssec-tools-perlmods-2.2-3.fc25.x86_64

I'll have to go plead with the package maintainer. Although I'm not sure even if I install those if that is really what it is complaining about. I wonder what tool the samba-tool uses. I'll have to go try and see if I can figure it out so I know what it is I really need.

nothing interesting listing in lippam*
I installed a lot of pam* that looks like what I might need. I have pam_krb5

> > I've tried without named running and with it running and get the same
> > error. Maybe something missing in the python scripts building the dns
> > file.
>
> I just install Bind9, configure it, but do not start it. I then
> provision Samba. I then start Bind9 followed by Samba and it just
> works. Perhaps there is something wrong in your bind conf files ?

If I do a query against the local dns I get a return so it looks like when running it works fine.

my named.conf looks like so

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/etc/crypto-policies/back-ends/bind.config looks like

disable-algorithms "." {
        RSAMD5;
};
disable-ds-digests "." {
        GOST;
};

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I found the file /usr/lib64/python2.7/site-packages/samba/provision/sambadns.py
I was looking through it and seemed to come across the area where I am having problems.

In the create_dns_dir function

I wanted to see what paths.dns had and what dns_dir were getting set to.

so I did a simple print and found

paths.dir is set to /var/lib/samba/private/dns/fedora.methanemaker.mooo.com.zone
and
dns_dir is set to /var/lib/samba/private/dns

next I check those directories

[root@dc1 ~]# ls -l /var/lib/samba/private/dns/fedora.methanemaker.mooo.com.zone
ls: cannot access '/var/lib/samba/private/dns/fedora.methanemaker.mooo.com.zone': No such file or directory
[root@dc1 ~]# mkdir -p /var/lib/samba/private/dns/fedora.methanemaker.mooo.com.zone

it looks like samba-tool removes that directory

I'll keep looking for the culprit in that function.

On Mon, Jul 10, 2017 at 8:50 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> On Mon, Jul 10, 2017 at 8:02 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Mon, 10 Jul 2017 06:43:37 -0600
>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>
>> > Bind-9.11 is installed. How do you configure it? Does it need anything
>> > special in the config for samba to build the ...samba.../named.conf
>> > file that I should be able to include in my /etc/named.conf
>> > afterwards?
>>
>> With Fedora being a bit 'bleeding edge', I just wondered if they had
>> started using Bind10, but 9.11 should be okay, Samba knows all about
>> that version ;-)
>>
>> > My guess is that some directory is missing. But if I start fresh and
>> > configure samba with the internal dns it gets all the way through its
>> > configuration with no errors.

On Mon, 10 Jul 2017 09:17:52 -0600 Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> I found the
> file /usr/lib64/python2.7/site-packages/samba/provision/sambadns.py
> I was looking through it and seemed to come across the area where I am
> having problems.
>
> In the create_dns_dir function
>
> I wanted to see what paths.dns had and what dns_dir were getting set
> to.
>
> so I did a simple print and found
>
> paths.dir is set
> to /var/lib/samba/private/dns/fedora.methanemaker.mooo.com.zone
> and
> dns_dir is set to /var/lib/samba/private/dns
>
> next I check those directories
>
> [root@dc1 ~]# ls -l
> /var/lib/samba/private/dns/fedora.methanemaker.mooo.com.zone
> ls: cannot access
> '/var/lib/samba/private/dns/fedora.methanemaker.mooo.com.zone': No
> such file or directory

It doesn't work like that ;-)

You should have something like this:

ls -la /usr/local/samba/private/dns
total 2956
drwxrwx--- 3 root bind     4096 Nov 23  2016 .
drwxr-sr-x 8 root staff    4096 Jul 10 16:36 ..
-rw-rw---- 1 root bind  3014656 Sep 12  2016 sam.ldb
drwxrwx--- 2 root bind     4096 Nov 23  2016 sam.ldb.d

and sam.ldb.d:

ls -la /usr/local/samba/private/dns/sam.ldb.d/
total 28060
drwxrwx--- 2 root bind    4096 Nov 23  2016 .
drwxrwx--- 3 root bind    4096 Nov 23  2016 ..
-rw-rw---- 1 root bind 8925184 Sep 12  2016 CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- 1 root bind 9187328 Sep 12  2016 CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- 2 root bind 4247552 Jul 10 16:32 DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- 2 root bind 4247552 Jul 10 16:32 DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- 1 root bind 1286144 Sep 12  2016 DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- 2 root bind  831488 Jul 10 16:32 metadata.tdb

Your cow inspired dns zone should be in there, note: do not edit the ldb files directly.

> [root@dc1 ~]# mkdir -p
> /var/lib/samba/private/dns/fedora.methanemaker.mooo.com.zone
>
> it looks like samba-tool removes that directory

No, it is never creating it ;-)

> I'll keep looking for the culprit in that function.

Not sure anything is wrong in python, it has always worked for me

Rowland

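An added example, not part of the original thread and not Samba's own code: a Python check of the directory layout Rowland lists above. It reports a missing sam.ldb or sam.ldb.d, entries accessible to "other", entries not owned by BIND's group, and DNS partition files that are not hard-linked (link count 2 in his listing). The function name, the numeric gid parameter and the finding strings are assumptions made for this example.

```python
import grp
import os
import stat
import sys

# Names that show link count 2 in the listing above (shared with the main DB).
SHARED_PREFIXES = ("DC=DOMAINDNSZONES,", "DC=FORESTDNSZONES,")
SHARED_NAMES = ("metadata.tdb",)


def audit_dns_dir(dns_dir, gid):
    """Return findings for a BIND9_DLZ directory; an empty list means it matches."""
    sam = os.path.join(dns_dir, "sam.ldb")
    parts_dir = os.path.join(dns_dir, "sam.ldb.d")
    findings = ["missing: " + p for p in (dns_dir, sam, parts_dir)
                if not os.path.exists(p)]
    if findings:
        return findings

    paths = [dns_dir, sam, parts_dir]
    paths += [os.path.join(parts_dir, n) for n in sorted(os.listdir(parts_dir))]
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append("unexpected symlink: " + path)
            continue
        # The listing shows rwxrwx--- / rw-rw----: nothing for "other".
        if st.st_mode & stat.S_IRWXO:
            findings.append("world-accessible: " + path)
        if st.st_gid != gid:
            findings.append("wrong group: " + path)
        elif not st.st_mode & stat.S_IRGRP:
            findings.append("group cannot read: " + path)
        name = os.path.basename(path)
        shared = name in SHARED_NAMES or name.upper().startswith(SHARED_PREFIXES)
        if shared and st.st_nlink < 2:
            findings.append("not hard-linked to the main database: " + path)
    return findings


if __name__ == "__main__":
    # Assumed usage: audit.py /var/lib/samba/private/dns <group BIND runs as>
    directory, group = sys.argv[1], sys.argv[2]
    problems = audit_dns_dir(directory, grp.getgrnam(group).gr_gid)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

The group is "bind" in the listing above; pass whichever group the local BIND package runs as.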
In /usr/lib64/python2.7/site-packages/samba/provision/sambadns.py

Update: It is failing in create_samdb_copy specifically here:

    # Copy root, config, schema partitions (and any other if any)
    # Since samdb is open in the current process, copy them in a child process
    try:
        tdb_copy(os.path.join(private_dir, "sam.ldb"),
                 os.path.join(dns_dir, "sam.ldb"))
        for nc in partfile:
            pfile = partfile[nc]
            tdb_copy(os.path.join(private_dir, pfile),
                     os.path.join(dns_dir, pfile))

Let me try and figure out what this is doing and I'll write some prints to
find out what the culprit is.