On 1/2/2018 12:25 PM, Rowland Penny wrote:
> On Tue, 2 Jan 2018 12:09:33 -0500
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Installing bind9 on my Ubuntu 14.04 via apt-get displays the
>> following options.
>>
>> #named -V
>> BIND 9.9.5-3ubuntu0.16-Ubuntu (Extended Support Version)
>> <id:f9b8a50e> built by make with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>> '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
>> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
>> -DDIG_SIGCHASE -O2'
>>
>> The Samba wiki states I should see:
>>
>> named -V
>> BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
>>
>> As you can see I have:
>>
>> '--with-gssapi=/usr' and *NO* '--with-dlopen=yes'
>>
>> Is it possible to enable '--with-dlopen=yes' without compiling?
>> Thanks.
>>
>
> No, but funnily enough, you won't be able to enable it by compiling it
> either ;-)
>
> It is now built into the standard compiled Bind9, so I suppose the real
> answer to your question is that you can use the standard Bind9 package
> on 14.04 with Samba.
>
> I will update the wiki page.
>
> Rowland

A few other observations while attempting to switch.

* I do not have a dns.keytab file. Should I, or is it created after attempting to switch?
* Running 'named-checkconf' throws an error.
named-checkconf
/etc/bind/named.conf:15: 'options' redefined near 'options'

My 'named.conf' is the following:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";

# Global Configuration Options
options {
        auth-nxdomain yes;
        directory "/var/named";
        notify no;
        empty-zones-enable no;
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

        # IP addresses and network ranges allowed to query the DNS server:
        allow-query {
                127.0.0.1;
                172.0.0.0/8;
        };

        # IP addresses and network ranges allowed to run recursive queries:
        # (Zones not served by this DNS server)
        allow-recursion {
                127.0.0.1;
                172.0.0.0/8;
        };

        # Forward queries that can not be answered from own zones
        # to these DNS servers:
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        # Disable zone transfers
        allow-transfer {
                none;
        };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
        type hint;
        file "named.root";
};

# localhost zone
zone "localhost" {
        type master;
        file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/0.0.127.zone";
};

-- 
James
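An added example, not from the thread or from the Samba or BIND projects: a small Python checker that expands a named.conf's include directives and reports which files define a statement BIND allows only once, such as options. On Ubuntu the distribution's /etc/bind/named.conf.options already carries an options block, so including it next to the options block above is the likely origin of the "'options' redefined" message. The sample files are constructed and the include resolution is simplified.

```python
import os
import re

# Constructed samples (an assumption modelled on the thread's layout): the included
# named.conf.options already has an options block and named.conf defines a second.
SAMPLE_FILES = {
    "named.conf": """include "named.conf.options";
include "samba/named.conf";
options {
    directory "/var/named";
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
zone "." { type hint; file "named.root"; };
""",
    "named.conf.options": 'options {\n    directory "/var/cache/bind";\n};\n',
    "samba/named.conf": 'dlz "AD DNS Zone" { database "dlopen PLACEHOLDER.so"; };\n',
}

# Strip /* */, // and # comments before tokenising (naive: ignores quoting).
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def top_level_statements(path, read=lambda p: open(p).read(), base=None):
    """Yield (file, keyword) for each top-level statement, descending into includes.
    `read` returns a file's text (default: disk); relative includes resolve against
    the top-level file's directory, a simplification for this example."""
    base = os.path.dirname(path) if base is None else base
    text = _COMMENT_RE.sub("", read(path))
    depth, start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ";" and depth == 0:
            tokens, start = text[start:i].split(), i + 1
            if tokens and tokens[0] == "include":
                inc = os.path.join(base, tokens[1].strip('"'))
                yield from top_level_statements(inc, read, base)
            elif tokens:
                yield path, tokens[0]


def find_redefinitions(path, read=lambda p: open(p).read()):
    """Return {keyword: [files]} for once-only statements defined more than once."""
    seen = {}
    for f, kw in top_level_statements(path, read):
        if kw in ("options", "logging", "controls"):
            seen.setdefault(kw, []).append(f)
    return {kw: files for kw, files in seen.items() if len(files) > 1}
```

Calling find_redefinitions("/etc/bind/named.conf") runs the same check against the real files; for the samples use find_redefinitions("named.conf", SAMPLE_FILES.__getitem__).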
On Tue, 2 Jan 2018 13:38:52 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:

>
> A few other observations while attempting to switch.
>
> * I do not have a dns.keytab file. Should I, or is it created after
> attempting to switch?

See my earlier post about samba_dnsupgrade.

> * Running 'named-checkconf' throws an error.

It would, it cannot find the zone files that are now in AD.

Rowland
On 1/2/2018 1:51 PM, Rowland Penny wrote:
> On Tue, 2 Jan 2018 13:38:52 -0500
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>
>> A few other observations while attempting to switch.
>>
>> * I do not have a dns.keytab file. Should I, or is it created after
>> attempting to switch?
> See my earlier post about samba_dnsupgrade.
>
>> * Running 'named-checkconf' throws an error.
> It would, it cannot find the zone files that are now in AD.
>
> Rowland

Rowland,

I think I'm on the home stretch :). However, I am running into an issue after switching the backend. The switch command completes successfully. Bind starts, but I get errors when attempting to run this command after reboot.

samba_dnsupdate --verbose --all-names

I get this error for all updates.

TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as DDC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.domain.local. 900 IN A 172.16.22.27

I can connect to the server via Windows DNS Manager and browse.

-- 
James