Hello Rowland,

See below as requested.

/etc/named.conf

# Global Configuration Options

include "/var/lib/samba/bind-dns/named.conf";

options {

    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        any;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        any;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        8.8.8.8;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

/var/lib/samba/bind-dns/named.conf

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
};

Regards

On Mon, Jul 30, 2018 at 10:52 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 30 Jul 2018 10:41:14 +0200
> Eben Victor via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I hope that someone can perhaps assist me or just guide me in the
> > right direction.
> >
> > I've been following all the steps for setting up and migrating my
> > Samba Internal DNS to Bind9_DLZ.
> > https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server
> > https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
> >
> > But this doesn't seem to work for me, I can get bind started up 100%
> > when I remove include "/var/lib/samba/bind-dns/named.conf" from
> > named.conf, but as soon as I add this line back then everything fails
> > with below error.
> >
> > 30-Jul-2018 10:26:39.719 generating session key for dynamic DNS
> > 30-Jul-2018 10:26:39.719 sizing zone task pool based on 3 zones
> > 30-Jul-2018 10:26:39.722 Loading 'AD DNS Zone' using driver dlopen
> > 30-Jul-2018 10:26:40.026 samba_dlz: started for DN DC=domain,DC=corp
> > 30-Jul-2018 10:26:40.027 samba_dlz: starting configure
> > 30-Jul-2018 10:26:40.049 dns_rdata_fromtext: buffer-0x7facd1f60dc0:1: near eof: unexpected end of input
> > 30-Jul-2018 10:26:40.049 Failed to put rr
> > 30-Jul-2018 10:26:40.269 zone domain.corp/NONE: has 0 SOA records
> > 30-Jul-2018 10:26:40.269 zone domain.corp/NONE: has no NS records
> > 30-Jul-2018 10:26:40.270 samba_dlz: Failed to configure zone 'domain.corp'
> > 30-Jul-2018 10:26:40.270 loading configuration: bad zone
> > 30-Jul-2018 10:26:40.270 exiting (due to fatal error)
> > 30-Jul-2018 10:26:40.271 samba_dlz: shutting down
> >
> > domain.corp is just an alias, not the actual domain name.
> >
> > I even tried the migration by removing ALL reverse & forwarded zones
> > but still no luck.
> >
> > Env:
> > Version 4.8.3-SerNet-RedHat-11.el7
> > Red Hat Enterprise Linux Server release 7.5 (Maipo)
> > BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version)
> >
> > Kind Regards
>
> Please post your /etc/named.conf
> and /var/lib/samba/bind-dns/named.conf files
>
> Rowland

--
Eben Victor
Cell: +27 82 759 5266
Email: eben.victor at gmail.com

On Mon, 30 Jul 2018 10:57:11 +0200
Eben Victor <eben.victor at gmail.com> wrote:

> Hello Rowland,
>
> See below as requested.
>
> [...]

There doesn't seem to be anything wrong there, but I may know what the
problem is.
You are trying to change to Bind9 from the internal dns server, but
have you read this:

https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC

Rowland

Yes, I have added "server services = -dns" to my smb.conf file and also
removed "dns forwarder =".

I've done the same setup but on Samba 4.7.7, RHEL6, named 9.8 and this works
perfectly.

On Mon, Jul 30, 2018 at 11:18 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> [...]
>
> There doesn't seem to be anything wrong there, but I may know what the
> problem is.
> You are trying to change to Bind9 from the internal dns server, but
> have you read this:
>
> https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC
>
> Rowland

--
Eben Victor

No hints when named is started as e.g. named -d7 -f -g ?

Michal

2018-07-30 10:57 GMT+02:00 Eben Victor via samba <samba at lists.samba.org>:

> Hello Rowland,
>
> See below as requested.
>
> [...]

> /etc/named.conf
> # Global Configuration Options
>
> include "/var/lib/samba/bind-dns/named.conf";
>
> options {
>
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     auth-nxdomain yes;
>     directory "/var/named";
>     notify no;
>     empty-zones-enable no;
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

/var/lib/samba...?
Do you have the file in there? I have
/usr/local/samba/bind-dns/dns.keytab

Michal

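
The two checks raised in this thread (whether the file named by tkey-gssapi-keytab actually exists, and which dlz_bind9 module line is active for the installed BIND), as an added shell example that is not part of the original messages. The function names and the world-readable test on the keytab are assumptions of this example, which also assumes '#' comments only and paths without spaces.

```shell
#!/bin/sh
# Added example: check the files a Samba BIND9_DLZ named.conf points at.
# Assumes '#' comments only and paths without spaces.

# Print the quoted value of every uncommented '<keyword> "..."' statement.
conf_values() {  # $1 = keyword, $2 = file
    sed 's/#.*//' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# $1 = main named.conf, $2 = BIND major.minor taken from 'named -v'
check_dlz_config() {
    main=$1 ver=$2 rc=0

    # 1. The keytab must exist and must not be world-readable.
    keytab=$(conf_values tkey-gssapi-keytab "$main")
    if [ -z "$keytab" ]; then
        echo "FAIL no tkey-gssapi-keytab in $main"; rc=1
    elif [ ! -f "$keytab" ]; then
        echo "FAIL keytab missing: $keytab"; rc=1
    elif [ -n "$(find "$keytab" -perm -004)" ]; then
        echo "FAIL keytab is world-readable: $keytab"; rc=1
    else
        echo "OK   keytab $keytab"
    fi

    # 2. Gather active dlz 'database' lines from the main file and its includes.
    files=$main
    for inc in $(conf_values include "$main"); do
        if [ -f "$inc" ]; then files="$files $inc"
        else echo "FAIL include missing: $inc"; rc=1; fi
    done
    mods=$(for f in $files; do conf_values database "$f"; done |
           sed 's/^dlopen[[:space:]]*//')
    count=$(printf '%s\n' "$mods" | grep -c . || true)

    # 3. Exactly one module, matching the BIND version (file names as in the
    #    Samba-generated named.conf quoted in this thread).
    case $ver in
        9.8)  want=dlz_bind9.so ;;
        9.9)  want=dlz_bind9_9.so ;;
        9.10) want=dlz_bind9_10.so ;;
        9.11) want=dlz_bind9_11.so ;;
        *)    want="(version not listed)" ;;
    esac
    if [ "$count" -ne 1 ]; then
        echo "FAIL expected 1 active dlz database line, found $count"; rc=1
    elif [ ! -f "$mods" ]; then
        echo "FAIL dlz module missing: $mods"; rc=1
    elif [ "${mods##*/}" != "$want" ]; then
        echo "FAIL ${mods##*/} does not match BIND $ver (want $want)"; rc=1
    else
        echo "OK   dlz module $mods"
    fi
    return $rc
}

# Run directly as: sh check_dlz.sh /etc/named.conf 9.9
if [ $# -ge 2 ]; then check_dlz_config "$1" "$2"; fi
```
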
On Tue, 31 Jul 2018 11:39:56 +0200
Michal <Michal67M at seznam.cz> wrote:

> > [...]
> >     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
> /var/lib/samba...?
> Do you have the file in there? I have
> /usr/local/samba/bind-dns/dns.keytab
>
> Michal

AGGHHHH

Did you compile Samba yourself?
If not, then /var/lib/samba will probably be the correct path.
Try looking there.

Rowland

> > > [...]
> > >     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> >
> > /var/lib/samba...?
> > Do you have the file in there? I have
> > /usr/local/samba/bind-dns/dns.keytab
> >
> > Michal
>
> AGGHHHH
>
> Did you compile Samba yourself?
> If not, then /var/lib/samba will probably be the correct path.

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

options {
    [...]
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    [...]
};

Michal

On Tue, 31 Jul 2018 12:30:32 +0200
Michal via samba <samba at lists.samba.org> wrote:

> > Did you compile Samba yourself?
> > If not, then /var/lib/samba will probably be the correct path.
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>
> options {
>     [...]
>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>     [...]
> };
>
> Michal

All the paths on the Samba wiki refer to self compiled versions of
Samba, where the 'PREFIX' isn't set with 'configure'. This means
that, by default, everything ends up in '/var/lib/samba'

If you use distro Samba packages, then the Samba packages can be,
and usually are, anywhere.

Rowland

On Tue, 31 Jul 2018 12:59:11 +0200
Majkl Majkl <themajklthe at gmail.com> wrote:

> 2018-07-31 12:40 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
> > [...]
> >
> > All the paths on the Samba wiki refer to self compiled versions of
> > Samba, where the 'PREFIX' isn't set with 'configure'. This means
> > that, by default, everything ends up in '/var/lib/samba'
> >
> > If you use distro Samba packages, then the Samba packages can be,
> > and usually are, anywhere.
>
> I do not follow. There is "tkey-gssapi-keytab
> "/usr/local/samba/private/dns.keytab;" in Samba wiki page.
>
> And Samba 4.8.3 src configure
> ...
> --prefix=PREFIX
>     installation prefix (configuration) [default: '/usr/local/samba']
> ...
>
> So what do you mean by "everything ends up in /var/lib/samba"?
>
> Michal

Ah, I was hoping you would spot my deliberate mistake (that's my story
and I am sticking to it) ;-)

Obviously I really meant '/usr/local/samba'

I also checked that twice to make sure I got it right this time ;-)

Rowland