All,

I am running samba as an AD on a Debian buster:

    ii  python-samba              2:4.9.5+dfsg-5+deb10u1  armel  Python bindings for Samba
    ii  samba                     2:4.9.5+dfsg-5+deb10u1  armel  SMB/CIFS file, print, and login server for Unix
    ii  samba-common              2:4.9.5+dfsg-5+deb10u1  all    common files used by both the Samba server and client
    ii  samba-common-bin          2:4.9.5+dfsg-5+deb10u1  armel  Samba common files used by both the server and the client
    ii  samba-dsdb-modules:armel  2:4.9.5+dfsg-5+deb10u1  armel  Samba Directory Services Database
    ii  samba-libs:armel          2:4.9.5+dfsg-5+deb10u1  armel  Samba core libraries
    ii  samba-vfs-modules:armel   2:4.9.5+dfsg-5+deb10u1  armel  Samba Virtual FileSystem plugins

I am using bind9 as a DNS backend:

    ii  bind9  1:9.11.5.P4+dfsg-5.1+deb10u1  armel  Internet Domain Name Server

Provisioning went smoothly and all is working. I can log in to the domain on the Windows boxes and the DNS verification described in https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller works as it should.

I am trying to use this machine as an adblocker as well, so I have read https://www.it-dan.com/blog/block-ads-linux-and-bind9 and added this to my configuration.

I have a named.conf.ads containing all sites I want blocked; example:

    zone "secure.flashtalking.com" { type master; notify no; file "/etc/bind/db.ads"; };

I have a db.ads that looks like this:

    ; File: db.ads
    ; Last modified: 23/02/2014
    $TTL 86400 ; one day
    @ IN SOA ns.home.sweet.home. admin.home.sweet.home. (
            2005071005 ; serial number YYYYMMDDNN
            28800      ; refresh 8 hours
            7200       ; retry 2 hours
            864000     ; expire 10 days
            86400 )    ; min ttl 1 day
        NS ns.home.sweet.home.
        A 127.0.0.1
    * IN A 127.0.0.1

And I include the named.conf.ads in my named.conf.local:

    include "/etc/bind/named.conf.ads";
    include "/var/lib/samba/bind-dns/named.conf";

This works. When I try to click on an ad, I get redirected to localhost, which is fine. Samba complains, however:

    Jun 30 06:37:34 bubba-b3-two systemd[1]: Started Samba AD Daemon.
    Jun 30 06:37:34 bubba-b3-two winbindd[3237]: [2020/06/30 06:37:34.807028, 0] ../lib/util/become_daemon.c:138(daemon_ready)
    Jun 30 06:37:34 bubba-b3-two winbindd[3237]: daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
    Jun 30 06:37:35 bubba-b3-two smbd[3227]: [2020/06/30 06:37:35.111599, 0] ../lib/util/become_daemon.c:138(daemon_ready)
    Jun 30 06:37:35 bubba-b3-two smbd[3227]: daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
    Jun 30 06:37:41 bubba-b3-two samba[3238]: task[dnsupdate][3238]: [2020/06/30 06:37:41.132173, 0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
    Jun 30 06:37:41 bubba-b3-two samba[3238]: task[dnsupdate][3238]: ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 110
    Jun 30 06:37:41 bubba-b3-two samba[3238]: task[dnsupdate][3238]: [2020/06/30 06:37:41.231985, 0] ../source4/dsdb/dns/dns_update.c:353(dnsupdate_spnupdate_done)
    Jun 30 06:37:41 bubba-b3-two samba[3238]: task[dnsupdate][3238]: ../source4/dsdb/dns/dns_update.c:353: Failed SPN update - with error code 110

I guess this is normal, since samba cannot "update" the db.ads file, which we are master for. So, any ideas how I can combine this? So make DNS updates work in Samba and have the adblocker as well?

Many thanks in advance.

regards,

Kenneth
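The named.conf.ads described in the message above can be generated from a plain list of domains; the following is an added example, not code from the thread or from the linked blog post. The AD domain samdom.example.com, the function names and all sample entries except secure.flashtalking.com are assumptions. Names are validated before they are written into BIND configuration, and any name that overlaps the AD DNS domain is skipped as a conservative policy so that a blocklist entry never sits in the same namespace as the Samba-served zone.

```python
import re

# Assumption: the AD DNS domain served by Samba (placeholder, not from the thread).
AD_DOMAIN = "samdom.example.com"
ZONE_FILE = "/etc/bind/db.ads"  # shared zone file named in the message

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lower-case a hostname and return it, or None if it is not a valid DNS name."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    return name if all(_LABEL.match(label) for label in labels) else None

def overlaps(name, protected):
    """True if name equals protected or one is a subdomain of the other."""
    return (name == protected
            or name.endswith("." + protected)
            or protected.endswith("." + name))

def build_zone_config(lines, protected=AD_DOMAIN, zone_file=ZONE_FILE):
    """Return (config_text, skipped) for a blocklist given as an iterable of lines."""
    zones, skipped, seen = [], [], set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not entry:
            continue
        name = normalize(entry)
        if name is None:
            # Rejects quotes, braces and spaces, so an entry cannot inject config.
            skipped.append((entry, "invalid name"))
        elif overlaps(name, protected):
            skipped.append((entry, "overlaps AD domain"))
        elif name not in seen:
            seen.add(name)
            zones.append('zone "%s" { type master; notify no; file "%s"; };'
                         % (name, zone_file))
    return "\n".join(zones) + "\n", skipped

# Constructed sample blocklist (only the first name appears in the thread).
SAMPLE = [
    "secure.flashtalking.com",
    "Secure.Flashtalking.com.   # duplicate after normalisation",
    "dc1.samdom.example.com",
    'evil.example"; };',
    "",
]

if __name__ == "__main__":
    config, skipped = build_zone_config(SAMPLE)
    print(config, end="")
    for entry, reason in skipped:
        print("skipped %r: %s" % (entry, reason))
```

The generated text can be checked with named-checkconf before named is reloaded.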

I suggest, set up squid for that or you need to for
if you want a config, I'm happy to share it.

I use squid with ssl (also in one of my repos).

But if you really want it in bind9, well forward the dns request and setup
Just look here : https://pi-hole.net/ ;-)

I'm running about the same as that pi-hole.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Kenneth Westelinck via samba
> Sent: Tuesday 30 June 2020 14:41
> To: samba at lists.samba.org
> Subject: [Samba] Samba AD + adblocking in bind9

Thanks for the update. Indeed pi-hole might be a better alternative here, no need to fiddle with bind then ;) I will look into it.

On Tue, Jun 30, 2020 at 2:51 PM L.P.H. van Belle via samba <samba at lists.samba.org> wrote: