Jiří Černý
2018-Aug-21 12:37 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> There doesn't seem anything wrong there, the only comment I would make,
> is '/var/lib/samba/bind-dns/named.conf' pointing to the correct version
> of named ?

Yes

cat /var/lib/samba/bind-dns/named.conf

dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
    # For BIND 9.10.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
    # For BIND 9.11.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
};

named -V

BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version) <id:8f9657aa>
built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-tuning=large' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
using OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
using libxml2 version: 2.9.1

> How did you change to using Bind9 ?

It was a very painful journey to migrate Samba from CentOS 6 to CentOS 7. I had to preserve the IP addresses of the DCs because we have many devices with static IP configuration which use the Samba DCs as DNS servers. So after that one DC is brand new (hostname and IP), the second DC is "half" new (new hostname but original IP) and the third DC - master in the SOA of the DNS zones, FSMO owner - is just copied over from CentOS 6 to CentOS 7. Even if I transferred FSMO and cleaned DNS, Samba did not like it very much - I was unable to join it back. And so I gave it up, and I just copied /var/lib/samba. I have been very careful to take care not to damage the Samba database, so every time I made changes on the DCs I first stopped the Samba AD service on all DCs, then made snapshots of those VMs and then started them again. So everything was consistent. But maybe something went wrong during this process.

But it's very interesting that nonsecure dynamic DNS works with internal DNS with all clients and secure updates with only several clients, but also with Bind. Secure DNS updates never worked well in our environment. I made some tests in the time after upgrading from Samba 3 in 2015 which resulted in setting the option "nonsecure" in smb.conf.

We can live with internal DNS as we have lived with it the previous three years, but I was curious about why Bind could not work too.

> Please post the log where an update fails.

There is nothing in /var/log/samba/log.samba even with "log level = dns:10".

From /var/log/messages:

Aug 21 14:22:08 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
Aug 21 14:22:08 dc03x named[15860]: client 192.168.45.26#63596: update 'samdom.svmetal.cz/IN' denied
Aug 21 14:22:08 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz

systemctl status named:

srp 21 14:22:08 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
srp 21 14:22:08 dc03x named[15860]: client 192.168.45.26#63596: update 'samdom.svmetal.cz/IN' denied
srp 21 14:22:08 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz

> Rowland

Jiri
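Rowland's first question in the thread is whether named.conf loads the dlz_bind9 module that matches the installed BIND. The check below is an added example (it is not code from the thread or from Samba) that parses the dlz stanza exactly as pasted above, picks out the one uncommented `database "dlopen ..."` line, and compares the module's suffix with the version reported by `named -V`. The module-to-version mapping is taken from the comments in the pasted named.conf; the sample config and version string are constructed copies of what was posted.

```python
import re

# Constructed sample: the dlz stanza as posted in the thread, with the 9.9 module active.
SAMPLE_NAMED_CONF = """\
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
    # For BIND 9.10.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
    # For BIND 9.11.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
};
"""

# Constructed sample: the first line of `named -V` as posted in the thread.
SAMPLE_NAMED_V = "BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version) <id:8f9657aa>"

# Module file name -> BIND 9.x minor version it is built for, per the comments in named.conf.
MODULE_TO_MINOR = {
    "dlz_bind9.so": 8,
    "dlz_bind9_9.so": 9,
    "dlz_bind9_10.so": 10,
    "dlz_bind9_11.so": 11,
}

DLOPEN_LINE = re.compile(r'^database\s+"dlopen\s+([^"\s]+)"\s*;$')


def active_dlz_modules(conf_text):
    """Return the module file names of the *uncommented* 'database "dlopen ..."' lines."""
    modules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments, keep the rest of the line
        m = DLOPEN_LINE.match(line)
        if m:
            modules.append(m.group(1).rsplit("/", 1)[-1])
    return modules


def bind_version(named_v_output):
    """Extract (major, minor, patch) from the first 'BIND x.y.z' token of `named -V`."""
    m = re.search(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)", named_v_output)
    if not m:
        raise ValueError("no BIND version found in named -V output")
    return tuple(int(x) for x in m.groups())


def check_dlz_module(conf_text, named_v_output):
    """Return (ok, explanation) telling whether the active module fits the running BIND."""
    major, minor, _patch = bind_version(named_v_output)
    modules = active_dlz_modules(conf_text)
    if len(modules) != 1:
        return (False, f"expected exactly one active dlopen line, found {len(modules)}")
    module = modules[0]
    wanted_minor = MODULE_TO_MINOR.get(module)
    if wanted_minor is None:
        return (False, f"unknown dlz module {module}")
    if (major, minor) != (9, wanted_minor):
        return (False, f"{module} is built for BIND 9.{wanted_minor}.x but named is {major}.{minor}")
    return (True, f"{module} matches BIND {major}.{minor}")


if __name__ == "__main__":
    print(check_dlz_module(SAMPLE_NAMED_CONF, SAMPLE_NAMED_V))
```

On a real DC, feed it the contents of /var/lib/samba/bind-dns/named.conf and the output of `named -V`; a mismatch, or two active dlopen lines left over from editing, is reported before BIND is restarted.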
Rowland Penny
2018-Aug-21 13:11 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Tue, 21 Aug 2018 14:37:27 +0200
Jiří Černý via samba <samba at lists.samba.org> wrote:

> > There doesn't seem anything wrong there, the only comment I would
> > make, is '/var/lib/samba/bind-dns/named.conf' pointing to the
> > correct version of named ?
> >
> > How did you change to using Bind9 ?
> It was very painful journey to migrate Samba from CentOS 6 to Centos
> 7. I had to preserve IP addresses of DCs because we have many static
> IP configured devices which use Samba DCs as DNS servers. So after
> that one DC is brand new (hostname and IP), second DC is "half" new
> (new hostname but original IP) and third DC - master in SOA of DNS
> zones, FSMO owner is just copied over from CentOS 6 to CentOS 7. Even
> if I transfered FSMO and cleaned DNS Samba did not like it very much
> - I was unable to join it back. And so I gave it up, and I just
> copied /var/lib/samba. I have been very careful to take care not to
> damage Samba database, so every time I made on DC's I first stopped
> Samba AD service on all DCs, then made snapshots of that VMs and than
> started them again. So everything was consistent. But maybe something
> went wrong during this process. But it's very interesting, that
> nonsecure dynamic DNS work with internal DNS with all clients and
> secure ones with only several clients, but also with Bind. Secure DNS
> updates never worked well on our environment. I made some tests in
> time after upgrading from Samba 3 in 2015 which resulted to setting
> option "nonsecure" in smb.conf.

So you never read this:

https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC

Which means that you probably never ran the aptly named 'samba_upgradedns'

It shouldn't have been 'painful' to upgrade, you could have done an in place dist-upgrade. If this is not possible, you should have demoted the old one and then joined a new DC with the same IP but a new name.

There is another flaw in your thinking, all DC's running a dns nameserver are SOA masters.

> We can live with internal DNS as we have lived with the previous
> three years, but I was curious about why the Bind could not work too.
> > Please post the log where an update fails.
> There is nothing in /var/log/samba/log.samba even with "log level =
> dns:10".
>
> From /var/log/messages:
> Aug 21 14:22:08 dc03x named[15860]: samba_dlz: starting transaction
> on zone samdom.svmetal.cz Aug 21 14:22:08 dc03x named[15860]: client
> 192.168.45.26#63596: update 'samdom.svmetal.cz/IN' denied Aug 21
> 14:22:08 dc03x named[15860]: samba_dlz: cancelling transaction on
> zone samdom.svmetal.cz
>

That is where I expected them to be ;-)

The only thing that can change the dns records is whatever owns them, it looks like whatever is trying to change the records is being refused because it doesn't own them.

Rowland
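The three named lines Jiří posted are the whole story of one refused dynamic update: samba_dlz opens a transaction, BIND logs `update '.../IN' denied` for the client, and samba_dlz cancels the transaction. When many clients are involved it helps to see which hosts are repeatedly refused and which updates go through. The script below is an added example, not code from the thread or from Samba or BIND: it walks /var/log/messages-style lines in order, groups them into samba_dlz transactions per named PID and zone, attaches the denied client's address to the transaction it fell inside, and counts refusals per client. The sample log is constructed from the posted lines; the "committing transaction" line used for a successful update is the assumed success counterpart of the posted "cancelling transaction" line. The month regex also accepts the Czech-locale `srp` seen in the `systemctl status named` output.

```python
import re
from collections import Counter

# Constructed sample log: the three posted lines, a successful update (assumed
# "committing transaction" wording) and a second refusal from the same client.
SAMPLE_LOG = """\
Aug 21 14:22:08 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
Aug 21 14:22:08 dc03x named[15860]: client 192.168.45.26#63596: update 'samdom.svmetal.cz/IN' denied
Aug 21 14:22:08 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz
Aug 21 14:25:31 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
Aug 21 14:25:31 dc03x named[15860]: samba_dlz: committing transaction on zone samdom.svmetal.cz
srp 21 14:30:02 dc03x named[15860]: samba_dlz: starting transaction on zone samdom.svmetal.cz
srp 21 14:30:02 dc03x named[15860]: client 192.168.45.26#49201: update 'samdom.svmetal.cz/IN' denied
srp 21 14:30:02 dc03x named[15860]: samba_dlz: cancelling transaction on zone samdom.svmetal.cz
"""

# syslog prefix: "<Mon> <day> <hh:mm:ss> <host> named[<pid>]: <message>"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# BIND's refusal line for a dynamic update
DENIED = re.compile(
    r"^client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): update '(?P<zone>[^']+)/IN' denied$"
)
# samba_dlz transaction lifecycle lines
DLZ = re.compile(
    r"^samba_dlz: (?P<action>starting|committing|cancelling) transaction on zone (?P<zone>\S+)$"
)


def parse_dynamic_updates(log_text):
    """Return one record per samba_dlz transaction, in log order.

    Each record is a dict with ts, zone, outcome ('committed', 'cancelled' or
    'open' if the log ends mid-transaction) and denied_client (IP or None).
    """
    open_txn = {}   # (pid, zone) -> record currently being built
    records = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a named line; ignore
        pid, msg = m.group("pid"), m.group("msg")
        d = DLZ.match(msg)
        if d:
            key = (pid, d.group("zone"))
            if d.group("action") == "starting":
                rec = {"ts": m.group("ts"), "zone": d.group("zone"),
                       "outcome": "open", "denied_client": None}
                open_txn[key] = rec
                records.append(rec)
            elif key in open_txn:
                rec = open_txn.pop(key)
                rec["outcome"] = "committed" if d.group("action") == "committing" else "cancelled"
            continue
        n = DENIED.match(msg)
        if n:
            rec = open_txn.get((pid, n.group("zone")))
            if rec is not None:
                rec["denied_client"] = n.group("ip")  # tie the refusal to its transaction
    return records


def denied_updates_by_client(log_text):
    """Count cancelled transactions per client address that was refused."""
    counts = Counter()
    for rec in parse_dynamic_updates(log_text):
        if rec["outcome"] == "cancelled" and rec["denied_client"]:
            counts[rec["denied_client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in parse_dynamic_updates(SAMPLE_LOG):
        print(rec)
    print(denied_updates_by_client(SAMPLE_LOG))
```

Run it against a copy of /var/log/messages (or `journalctl -u named` output, which uses the same prefix) to get a per-client list of hosts whose updates BIND keeps refusing; those are the machines whose ownership of their records, as Rowland describes, needs checking.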