getting BIND to work with Samba4

I'm having a heck of a time getting Samba4 to work with BIND. I am using Slackware 14.1 and Samba 4.1.11.

Prior to trying Samba4, I have a working BIND. My named.conf and zone files are as follows:

/etc/named.conf
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
# dnssec-enable no;

        forwarders {            // These are the ISP provided name servers
            66.193.88.3;
            66.192.88.4;
        };

        allow-query {           // Permit querying by others in the domain
            192.168.0.0/24;
            127.0.0.1;
        };
};

zone "localhost" {
        type master;
        file "db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "db.127";
};

zone "hprs.local" in {
    type master;
    allow-update { 192.168.0.2; 127.0.0.1; };         // local DHCP server
    file "db.hprs.local";
};

zone "0.168.192.in-addr.arpa" in {
    type master;
    allow-update { 192.168.0.2; 127.0.0.1; };           // local DHCP server
    file "db.192.168.0";
};

/var/named/db.hprs.local:
$ORIGIN .
$TTL 4H
hprs.local              IN SOA  mail.hprs.local. sysadmin.mail.ohprs.org. (
                                100     ; serial
                                3H      ; refresh (3 hours)
                                1H      ; retry (1 hour)
                                8H      ; expire (8 hours)
                                1H      ; minimum (1 hour)
                                )
                        NS      mail.hprs.local.
$ORIGIN hprs.local.
$TTL 4H
mail                    A       192.168.0.2
richo                   A       192.168.0.20

/var/named/db.192.168.0
$ORIGIN .
$TTL 4H
0.168.192.in-addr.arpa  IN SOA  mail.hprs.local. sysadmin.mail.ohprs.org. (
                                100     ; serial
                                3H      ; refresh (3 hours)
                                1H      ; retry (1 hour)
                                8H      ; expire (8 hours)
                                1H      ; minimum (1 hour)
                                )
                        NS      mail.hprs.local.
$ORIGIN 0.168.192.in-addr.arpa.
$TTL 4H
2                       PTR     mail.hprs.local.
20                      PTR     richo.hprs.local.

The above setup works fine and works with DHCPD. Now, I want to get it working with Samba4.

The page https://wiki.samba.org/index.php/DNS#Which_DNS_backend_should_I_choose.3F says, "BIND can be setup to provide DNS resolving for zones managed in AD. They are accessible from BIND through the DLZ (dynamically loadable zones) plug-in." So, I followed the instructions in https://wiki.samba.org/index.php/Changing_the_DNS_backend to set the DNS backend to BIND_DLZ, which were to run:
$ samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
Reading records from zone file /etc/samba/private/dns/hprs.local.zone
Creating DNS partitions
Looking up IPv4 addresses
Looking up IPv6 addresses
Populating DNS partitions
Importing records from zone file
dns-mail account already exists
Unable to find group id for BIND,
                set permissions to sam.ldb* files manually
See /etc/samba/private/named.conf for an example configuration include file for BIND
and /etc/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

The referenced /etc/samba/private/named.conf file is:
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/etc/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/lib64/bind9/dlz_bind9.so";

    # For BIND 9.9.0
     database "dlopen /usr/lib64/bind9/dlz_bind9_9.so";
};

I have bind 9.9.5, so I uncommented the corresponding database line. I added

include "/etc/samba/private/named.conf";

to the end of my /etc/named.conf.

When I then tried to start bind, I got the following message:
$ /etc/rc.d/rc.bind start
Starting BIND:  /usr/sbin/named
WARNING:  named did not start.
Attempting to start named again:  /usr/sbin/named
FAILED:  Sorry, a second attempt to start named has also failed.
There may be a configuration error that needs fixing.  Good luck!

/var/log/syslog has:
Sep  1 16:35:31 mail named[6546]: /etc/samba/private/named.conf:17: 'database' redefined near 'database'
Sep  1 16:35:31 mail named[6546]: loading configuration: already exists
Sep  1 16:35:31 mail named[6546]: exiting (due to fatal error)
Sep  1 16:35:32 mail named[6555]: /etc/samba/private/named.conf:17: 'database' redefined near 'database'
Sep  1 16:35:32 mail named[6555]: loading configuration: already exists
Sep  1 16:35:32 mail named[6555]: exiting (due to fatal error)

and /var/log/messages has:
Sep  1 16:35:31 mail named[6546]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  1 16:35:31 mail named[6546]: ----------------------------------------------------
Sep  1 16:35:31 mail named[6546]: BIND 9 is maintained by Internet Systems Consortium,
Sep  1 16:35:31 mail named[6546]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  1 16:35:31 mail named[6546]: corporation.  Support and training for BIND 9 are
Sep  1 16:35:31 mail named[6546]: available at https://www.isc.org/support
Sep  1 16:35:31 mail named[6546]: ----------------------------------------------------
Sep  1 16:35:31 mail named[6546]: adjusted limit on open files from 4096 to 1048576
Sep  1 16:35:31 mail named[6546]: found 2 CPUs, using 2 worker threads
Sep  1 16:35:31 mail named[6546]: using 2 UDP listeners per interface
Sep  1 16:35:31 mail named[6546]: using up to 4096 sockets
Sep  1 16:35:31 mail named[6546]: loading configuration from '/etc/named.conf'
Sep  1 16:35:32 mail named[6555]: starting BIND 9.9.5-P1
Sep  1 16:35:32 mail named[6555]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  1 16:35:32 mail named[6555]: ----------------------------------------------------
Sep  1 16:35:32 mail named[6555]: BIND 9 is maintained by Internet Systems Consortium,
Sep  1 16:35:32 mail named[6555]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  1 16:35:32 mail named[6555]: corporation.  Support and training for BIND 9 are
Sep  1 16:35:32 mail named[6555]: available at https://www.isc.org/support
Sep  1 16:35:32 mail named[6555]: ----------------------------------------------------
Sep  1 16:35:32 mail named[6555]: adjusted limit on open files from 4096 to 1048576
Sep  1 16:35:32 mail named[6555]: found 2 CPUs, using 2 worker threads
Sep  1 16:35:32 mail named[6555]: using 2 UDP listeners per interface
Sep  1 16:35:32 mail named[6555]: using up to 4096 sockets
Sep  1 16:35:32 mail named[6555]: loading configuration from '/etc/named.conf'

I have no clue what's wrong. The only error message I get is "/etc/samba/private/named.conf:17: 'database' redefined near 'database'", which is about as cryptic as it gets.

Can anyone help?
jmarkfoleyAsked:

gheistCommented:
Run named-checkconf and address found issues.

You can have just one database backend at any given time.
0
jmarkfoleyAuthor Commented:
named-checkconf gives me the same error:
$ named-checkconf
/etc/samba/private/named.conf:17: 'database' redefined near 'database'

Again, no clue what this means. Thus far google turns up nothing on this error.

> You can have just one database backend at any given time.

Have I defined more than one? Would having zone ... { file "db..."; ... } in named.conf mean I am defining a database?
0
gheistCommented:
dlz "AD DNS Zone" {
    # For BIND 9.8.0
(1)    database "dlopen /usr/lib64/bind9/dlz_bind9.so";

    # For BIND 9.9.0
(2)     database "dlopen /usr/lib64/bind9/dlz_bind9_9.so";
};
0
jmarkfoleyAuthor Commented:
Duh! OK, I thought that 1st one was commented out. Did that and re-ran. Still error, but different:

/var/log/syslog
Sep  2 11:33:35 mail named[27337]: zone 'hprs.local' allows updates by IP address, which is insecure
Sep  2 11:33:35 mail named[27337]: zone '0.168.192.in-addr.arpa' allows updates by IP address, which is insecure
Sep  2 11:33:35 mail named[27337]: samba_dlz: Failed to configure zone 'hprs.local'
Sep  2 11:33:35 mail named[27337]: loading configuration: already exists
Sep  2 11:33:35 mail named[27337]: exiting (due to fatal error)
Sep  2 11:33:36 mail named[27346]: zone 'hprs.local' allows updates by IP address, which is insecure
Sep  2 11:33:36 mail named[27346]: zone '0.168.192.in-addr.arpa' allows updates by IP address, which is insecure
Sep  2 11:33:37 mail named[27346]: samba_dlz: Failed to configure zone 'hprs.local'
Sep  2 11:33:37 mail named[27346]: loading configuration: already exists
Sep  2 11:33:37 mail named[27346]: exiting (due to fatal error)

/var/log/messages
Sep  2 11:33:35 mail named[27337]: starting BIND 9.9.5-P1
Sep  2 11:33:35 mail named[27337]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  2 11:33:35 mail named[27337]: ----------------------------------------------------
Sep  2 11:33:35 mail named[27337]: BIND 9 is maintained by Internet Systems Consortium,
Sep  2 11:33:35 mail named[27337]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  2 11:33:35 mail named[27337]: corporation.  Support and training for BIND 9 are
Sep  2 11:33:35 mail named[27337]: available at https://www.isc.org/support
Sep  2 11:33:35 mail named[27337]: ----------------------------------------------------
Sep  2 11:33:35 mail named[27337]: adjusted limit on open files from 4096 to 1048576
Sep  2 11:33:35 mail named[27337]: found 2 CPUs, using 2 worker threads
Sep  2 11:33:35 mail named[27337]: using 2 UDP listeners per interface
Sep  2 11:33:35 mail named[27337]: using up to 4096 sockets
Sep  2 11:33:35 mail named[27337]: loading configuration from '/etc/named.conf'
Sep  2 11:33:35 mail named[27337]: reading built-in trusted keys from file '/etc/bind.keys'
Sep  2 11:33:35 mail named[27337]: using default UDP/IPv4 port range: [1024, 65535]
Sep  2 11:33:35 mail named[27337]: using default UDP/IPv6 port range: [1024, 65535]
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface lo, 127.0.0.1#53
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface eth0, 64.129.23.170#53
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface eth1, 192.168.0.2#53
Sep  2 11:33:35 mail named[27337]: generating session key for dynamic DNS
Sep  2 11:33:35 mail named[27337]: sizing zone task pool based on 4 zones
Sep  2 11:33:35 mail named[27337]: Loading 'AD DNS Zone' using driver dlopen
Sep  2 11:33:35 mail named[27337]: samba_dlz: started for DN DC=hprs,DC=local
Sep  2 11:33:35 mail named[27337]: samba_dlz: starting configure
Sep  2 11:33:35 mail named[27337]: samba_dlz: shutting down
Sep  2 11:33:36 mail named[27346]: starting BIND 9.9.5-P1
Sep  2 11:33:36 mail named[27346]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  2 11:33:36 mail named[27346]: ----------------------------------------------------
Sep  2 11:33:36 mail named[27346]: BIND 9 is maintained by Internet Systems Consortium,
Sep  2 11:33:36 mail named[27346]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  2 11:33:36 mail named[27346]: corporation.  Support and training for BIND 9 are
Sep  2 11:33:36 mail named[27346]: available at https://www.isc.org/support
Sep  2 11:33:36 mail named[27346]: ----------------------------------------------------
Sep  2 11:33:36 mail named[27346]: adjusted limit on open files from 4096 to 1048576
Sep  2 11:33:36 mail named[27346]: found 2 CPUs, using 2 worker threads
Sep  2 11:33:36 mail named[27346]: using 2 UDP listeners per interface
Sep  2 11:33:36 mail named[27346]: using up to 4096 sockets
Sep  2 11:33:36 mail named[27346]: loading configuration from '/etc/named.conf'
Sep  2 11:33:36 mail named[27346]: reading built-in trusted keys from file '/etc/bind.keys'
Sep  2 11:33:36 mail named[27346]: using default UDP/IPv4 port range: [1024, 65535]
Sep  2 11:33:36 mail named[27346]: using default UDP/IPv6 port range: [1024, 65535]
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface lo, 127.0.0.1#53
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface eth0, 64.129.23.170#53
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface eth1, 192.168.0.2#53
Sep  2 11:33:36 mail named[27346]: generating session key for dynamic DNS
Sep  2 11:33:36 mail named[27346]: sizing zone task pool based on 4 zones
Sep  2 11:33:36 mail named[27346]: Loading 'AD DNS Zone' using driver dlopen
Sep  2 11:33:37 mail named[27346]: samba_dlz: started for DN DC=hprs,DC=local
Sep  2 11:33:37 mail named[27346]: samba_dlz: starting configure
Sep  2 11:33:37 mail named[27346]: samba_dlz: shutting down

0
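An added check, not part of this thread, that finds both of the problems named has reported so far (a second active 'database' line in the dlz block, and allow-update by bare IP address) before named is restarted; the file paths and the sample configuration are constructed for the example:

```shell
# Added example, not from the thread: lint named.conf and the Samba DLZ include for a second
# active 'database' line in the dlz block and for allow-update ACLs that trust bare IP addresses.
# Paths and the sample configuration below are constructed for this example.
# Count uncommented 'database' statements inside dlz {} blocks; BIND accepts exactly one.
count_active_dlz_databases() {
    awk '
        /^[[:space:]]*(#|\/\/)/ { next }                  # skip comment lines
        /^[[:space:]]*dlz[[:space:]]/ { indlz = 1 }
        indlz && /^[[:space:]]*database[[:space:]]/ { n++ }
        indlz && /^[[:space:]]*}/ { indlz = 0 }
        END { print n + 0 }
    ' "$1"
}
# Print each zone whose allow-update ACL contains an IPv4 address or "any"; that is what
# produces "allows updates by IP address, which is insecure" in syslog.
list_ip_allow_update_zones() {
    awk '
        /^[[:space:]]*(#|\/\/)/ { next }
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]*"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /allow-update/ { inacl = 1; acl = "" }
        inacl {
            acl = acl " " $0                               # the ACL may span lines
            if ($0 ~ /}/) {
                inacl = 0
                if (acl ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|[[:space:]{]any;/) print zone
            }
        }
    ' "$1"
}
# Report findings; returns 0 when the file is clean, 1 otherwise.
lint_named_conf() {
    conf=$1; problems=0
    n=$(count_active_dlz_databases "$conf")
    if [ "$n" -gt 1 ]; then
        echo "$conf: $n active database lines in the dlz block ('database' redefined); keep one"
        problems=$((problems + 1))
    fi
    for z in $(list_ip_allow_update_zones "$conf"); do
        echo "$conf: zone '$z' allows updates by IP address; use a TSIG key in allow-update"
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}
# Constructed sample: the Samba include with both database lines active, plus an IP-based ACL.
write_sample_conf() {
    cat > "$1" <<'EOF'
dlz "AD DNS Zone" {
    database "dlopen /usr/lib64/bind9/dlz_bind9.so";
     database "dlopen /usr/lib64/bind9/dlz_bind9_9.so";
};
zone "hprs.local" in {
    type master;
    allow-update { 192.168.0.2; 127.0.0.1; };   // local DHCP server
    file "db.hprs.local";
};
EOF
}
SAMPLE_CONF=$(mktemp)
write_sample_conf "$SAMPLE_CONF"
if lint_named_conf "$SAMPLE_CONF"; then echo "no problems found"; else echo "fix, then run named-checkconf"; fi
rm -f "$SAMPLE_CONF"
```

Point the functions at /etc/named.conf and /etc/samba/private/named.conf to check the real files; named-checkconf remains the authoritative syntax check.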
jmarkfoleyAuthor Commented:
I commented out the hprs.local zone in the named.conf file and this time it seems to have run OK. Does that make sense to you? I will do some testing on name resolution and post back the results.
0
gheistCommented:
You must keep this intact:
/etc/samba/private/named.conf

If the zone you removed is defined somewhere else you can delete it safely.
0
jmarkfoleyAuthor Commented:
Still having problems (but getting closer, I think). After commenting out the hprs.local zone in named.conf, restarting bind and starting samba, I tried `ipconfig /release && ipconfig /renew` on one of the Windows client workstations. The messages file shows "samba_dlz: cancelling transaction on zone hprs.local". The syslog shows "update ... denied".

Might be a permissions issue. Note that in line 17 of my `samba_upgradedns` output (initial posting) I got the error "Unable to find group id for BIND, / set permissions to sam.ldb* files manually". These files are in /etc/samba/private/dns and are all owned by root.root. They were created that way when `samba-tool provision` was run. I changed them to have group rw, but that didn't help. Before I mess up these files too much, what do you suggest? Creating a BIND group and making the group for these files BIND?

Note also that the same `samba_upgradedns` output shows:

3: DNS accounts already exist
10: dns-mail account already exists

Not sure what this means because there is no DNS account in /etc/passwd.

Here are the logfiles:
I'll continue researching. Logfile output below.

/var/log/messages
Sep  2 11:50:58 mail dhcpd: DHCPRELEASE of 192.168.0.100 from 00:25:b3:bf:f5:42 (hplaptop) via eth1 (found)
Sep  2 11:50:59 mail dhcpd: DHCPDISCOVER from 00:25:b3:bf:f5:42 via eth1
Sep  2 11:51:00 mail dhcpd: DHCPOFFER on 192.168.0.100 to 00:25:b3:bf:f5:42 (hplaptop) via eth1
Sep  2 11:51:00 mail named[29041]: samba_dlz: starting transaction on zone hprs.local
Sep  2 11:51:00 mail named[29041]: samba_dlz: cancelling transaction on zone hprs.local
Sep  2 11:51:00 mail dhcpd: DHCPREQUEST for 192.168.0.100 (192.168.0.2) from 00:25:b3:bf:f5:42 (hplaptop) via eth1
Sep  2 11:51:00 mail dhcpd: DHCPACK on 192.168.0.100 to 00:25:b3:bf:f5:42 (hplaptop) via eth1

/var/log/syslog
Sep  2 11:51:00 mail named[29041]: client 192.168.0.2#12212: update 'hprs.local/IN' denied
Sep  2 11:51:00 mail dhcpd: Unable to add forward map from hplaptop.hprs.local. to 192.168.0.100: REFUSED

0
jmarkfoleyAuthor Commented:
> If the zone you removed is defined somewhere else you can delete it safely.

I'm assuming the hprs.local zone is defined in the DLZ configuration and that was why I was getting the "loading configuration: already exists" error. Once I commented out that zone in named.conf named at least ran -- though still having issues as explained in my last post.
0
gheistCommented:
So that was the dynamic zone for samba.
0
jmarkfoleyAuthor Commented:
> So that was the dynamic zone for samba.

I suppose that is so. There is only one real forward zone: hprs.local. The files created by samba_upgradedns are shown below. Only hprs.local appears to be configured.

So, what's up with my "update denied" problem? Any ideas?

/etc/samba/private/dns/sam.ldb.d/
-rw-rw---- 1 root root 7348224 2014-09-01 16:18 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 1 root root 8560640 2014-09-01 16:18 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root 4247552 2014-09-01 16:18 DC\=DOMAINDNSZONES,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root 4247552 2014-09-01 16:18 DC\=FORESTDNSZONES,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw-r-- 1 root root 1286144 2014-09-01 16:18 DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root  421888 2014-09-02 11:49 metadata.tdb

0
jmarkfoleyAuthor Commented:
Well, I've decided to abandon the BIND_DLZ method. If, when I monkey-type instructions things don't work, it's usually because *I* messed something up (such as my example of uncommenting 2 databases). However, when errors get esoteric and cryptic, it indicates to me that the package configuration isn't quite there yet and/or the solution requires more depth of knowledge than I have. Sometimes, just a couple of more words of diagnostic or error message would do the trick. For example, samba_upgradedns gave me the message, "Unable to find group id for BIND, / set permissions to sam.ldb* files manually". Set it to ... what? This may be the crux of the problem, but it would have been nice if the program author had either set the permissions automatically or at least said what they should be.

I also get the syslog message:
samba /usr/sbin/samba_dnsupdate: /usr/bin/nsupdate: cannot specify -g or -o, program not linked with GSS API Library

Again, cryptic gibberish to me, but hints that the dnsupdate program was not built to work with things the BIND_DLZ backend needs.

So, of my three choices: Internal DNS, BIND DLZ, and BIND9_FLATFILE; I can't get BIND_DLZ to work. I can't quite glean from the documentation if Internal DNS will work with DHCPD or how I would configure zones, and there are a bunch of limitations (https://wiki.samba.org/index.php/DNS). That leaves BIND9_FLATFILE which is supposedly not recommended (though I can't find where I read that).

In any case, the BIND9_FLATFILE backend appears to work just fine. Zone and journal files get updated in /etc/samba/private/dns when DHCP clients connect. No errors in syslog or messages. So, I'll stick with that for now.
0
gheistCommented:
You can allow dynamic updates from samba's IP address. No need to authenticate yet while testing.
0
jmarkfoleyAuthor Commented:
I changed my approach to this problem.
0