Solved

getting BIND to work with Samba4

Posted on 2014-09-01
Last Modified: 2014-09-08
I'm having a heck of a time getting Samba4 to work with BIND. I am using Slackware 14.1 and Samba 4.1.11.

Prior to trying Samba4, I have a working BIND. My named.conf and zone files are as follows:

/etc/named.conf
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
# dnssec-enable no;

        forwarders {            // These are the ISP provided name servers
            66.193.88.3;
            66.192.88.4;
        };

        allow-query {           // Permit querying by others in the domain
            192.168.0.0/24;
            127.0.0.1;
        };
};

zone "localhost" {
        type master;
        file "db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "db.127";
};

zone "hprs.local" in {
    type master;
    allow-update { 192.168.0.2; 127.0.0.1; };         // local DHCP server
    file "db.hprs.local";
};

zone "0.168.192.in-addr.arpa" in {
    type master;
    allow-update { 192.168.0.2; 127.0.0.1; };           // local DHCP server
    file "db.192.168.0";
};

/var/named/db.hprs.local:
$ORIGIN .
$TTL 4H
hprs.local              IN SOA  mail.hprs.local. sysadmin.mail.ohprs.org. (
                                100     ; serial
                                3H      ; refresh (3 hours)
                                1H      ; retry (1 hour)
                                8H      ; expire (1 week)
                                1H      ; minimum (1 hour)
                                )
                        NS      mail.hprs.local.
$ORIGIN hprs.local.
$TTL 4H
mail                    A       192.168.0.2
richo                   A       192.168.0.20

/var/named/db.192.168.0
$ORIGIN .
$TTL 4H
0.168.192.in-addr.arpa  IN SOA  mail.hprs.local. sysadmin.mail.ohprs.org. (
                                100     ; serial
                                3H      ; refresh (3 hours)
                                1H      ; retry (1 hour)
                                8H      ; expire (1 week)
                                1H      ; minimum (1 hour)
                                )
                        NS      mail.hprs.local.
$ORIGIN 0.168.192.in-addr.arpa.
$TTL 4H
2                       PTR     mail.hprs.local.
20                      PTR     richo.hprs.local.

The above setup works fine and works with DHCPD. Now, I want to get it working with Samba4.

The page https://wiki.samba.org/index.php/DNS#Which_DNS_backend_should_I_choose.3F says, "BIND can be setup to provide DNS resolving for zones managed in AD. They are accessible from BIND through the DLZ (dynamically loadable zones) plug-in." So, I followed the instructions in https://wiki.samba.org/index.php/Changing_the_DNS_backend to set the DNS backend to BIND_DLZ, which were to run:
$ samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
Reading records from zone file /etc/samba/private/dns/hprs.local.zone
Creating DNS partitions
Looking up IPv4 addresses
Looking up IPv6 addresses
Populating DNS partitions
Importing records from zone file
dns-mail account already exists
Unable to find group id for BIND,
                set permissions to sam.ldb* files manually
See /etc/samba/private/named.conf for an example configuration include file for BIND
and /etc/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

The referenced /etc/samba/private/named.conf file is:
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/etc/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/lib64/bind9/dlz_bind9.so";

    # For BIND 9.9.0
     database "dlopen /usr/lib64/bind9/dlz_bind9_9.so";
};

I have bind 9.9.5, so I uncommented the corresponding database line. I added

include "/etc/samba/private/named.conf";

to the end of my /etc/named.conf.

When I then tried to start bind, I got the following message:
$ /etc/rc.d/rc.bind start
Starting BIND:  /usr/sbin/named
WARNING:  named did not start.
Attempting to start named again:  /usr/sbin/named
FAILED:  Sorry, a second attempt to start named has also failed.
There may be a configuration error that needs fixing.  Good luck!

/var/log/syslog has:
Sep  1 16:35:31 mail named[6546]: /etc/samba/private/named.conf:17: 'database' redefined near 'database'
Sep  1 16:35:31 mail named[6546]: loading configuration: already exists
Sep  1 16:35:31 mail named[6546]: exiting (due to fatal error)
Sep  1 16:35:32 mail named[6555]: /etc/samba/private/named.conf:17: 'database' redefined near 'database'
Sep  1 16:35:32 mail named[6555]: loading configuration: already exists
Sep  1 16:35:32 mail named[6555]: exiting (due to fatal error)

and /var/log/messages has:
Sep  1 16:35:31 mail named[6546]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  1 16:35:31 mail named[6546]: ----------------------------------------------------
Sep  1 16:35:31 mail named[6546]: BIND 9 is maintained by Internet Systems Consortium,
Sep  1 16:35:31 mail named[6546]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  1 16:35:31 mail named[6546]: corporation.  Support and training for BIND 9 are
Sep  1 16:35:31 mail named[6546]: available at https://www.isc.org/support
Sep  1 16:35:31 mail named[6546]: ----------------------------------------------------
Sep  1 16:35:31 mail named[6546]: adjusted limit on open files from 4096 to 1048576
Sep  1 16:35:31 mail named[6546]: found 2 CPUs, using 2 worker threads
Sep  1 16:35:31 mail named[6546]: using 2 UDP listeners per interface
Sep  1 16:35:31 mail named[6546]: using up to 4096 sockets
Sep  1 16:35:31 mail named[6546]: loading configuration from '/etc/named.conf'
Sep  1 16:35:32 mail named[6555]: starting BIND 9.9.5-P1
Sep  1 16:35:32 mail named[6555]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  1 16:35:32 mail named[6555]: ----------------------------------------------------
Sep  1 16:35:32 mail named[6555]: BIND 9 is maintained by Internet Systems Consortium,
Sep  1 16:35:32 mail named[6555]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  1 16:35:32 mail named[6555]: corporation.  Support and training for BIND 9 are
Sep  1 16:35:32 mail named[6555]: available at https://www.isc.org/support
Sep  1 16:35:32 mail named[6555]: ----------------------------------------------------
Sep  1 16:35:32 mail named[6555]: adjusted limit on open files from 4096 to 1048576
Sep  1 16:35:32 mail named[6555]: found 2 CPUs, using 2 worker threads
Sep  1 16:35:32 mail named[6555]: using 2 UDP listeners per interface
Sep  1 16:35:32 mail named[6555]: using up to 4096 sockets
Sep  1 16:35:32 mail named[6555]: loading configuration from '/etc/named.conf'

I have no clue what's wrong. The only error message I get is "/etc/samba/private/named.conf:17: 'database' redefined near 'database'", which is about as cryptic as it gets.

Can anyone help?
Question by:jmarkfoley
LVL 62

Expert Comment

by:gheist
ID: 40297471
Run named-checkconf and address found issues.

You can have just one database backend at any given time.
LVL 1

Author Comment

by:jmarkfoley
ID: 40297698
named-checkconf gives me the same error:
$ named-checkconf
/etc/samba/private/named.conf:17: 'database' redefined near 'database'

Again, no clue what this means. Thus far google turns up nothing on this error.

> You can have just one database backend at any given time.

Have I defined more than one? Would having zone ... { file "db..."; ... } in named.conf mean I am defining a database?
LVL 62

Assisted Solution

by:gheist
gheist earned 2000 total points
ID: 40297766
dlz "AD DNS Zone" {
    # For BIND 9.8.0
(1)    database "dlopen /usr/lib64/bind9/dlz_bind9.so";

    # For BIND 9.9.0
(2)     database "dlopen /usr/lib64/bind9/dlz_bind9_9.so";
};
LVL 1

Author Comment

by:jmarkfoley
ID: 40298742
Duh! OK, I thought that 1st one was commented out. Did that and re-ran. Still error, but different:

/var/log/syslog
Sep  2 11:33:35 mail named[27337]: zone 'hprs.local' allows updates by IP address, which is insecure
Sep  2 11:33:35 mail named[27337]: zone '0.168.192.in-addr.arpa' allows updates by IP address, which is insecure
Sep  2 11:33:35 mail named[27337]: samba_dlz: Failed to configure zone 'hprs.local'
Sep  2 11:33:35 mail named[27337]: loading configuration: already exists
Sep  2 11:33:35 mail named[27337]: exiting (due to fatal error)
Sep  2 11:33:36 mail named[27346]: zone 'hprs.local' allows updates by IP address, which is insecure
Sep  2 11:33:36 mail named[27346]: zone '0.168.192.in-addr.arpa' allows updates by IP address, which is insecure
Sep  2 11:33:37 mail named[27346]: samba_dlz: Failed to configure zone 'hprs.local'
Sep  2 11:33:37 mail named[27346]: loading configuration: already exists
Sep  2 11:33:37 mail named[27346]: exiting (due to fatal error)

/var/log/messages
Sep  2 11:33:35 mail named[27337]: starting BIND 9.9.5-P1
Sep  2 11:33:35 mail named[27337]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  2 11:33:35 mail named[27337]: ----------------------------------------------------
Sep  2 11:33:35 mail named[27337]: BIND 9 is maintained by Internet Systems Consortium,
Sep  2 11:33:35 mail named[27337]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  2 11:33:35 mail named[27337]: corporation.  Support and training for BIND 9 are
Sep  2 11:33:35 mail named[27337]: available at https://www.isc.org/support
Sep  2 11:33:35 mail named[27337]: ----------------------------------------------------
Sep  2 11:33:35 mail named[27337]: adjusted limit on open files from 4096 to 1048576
Sep  2 11:33:35 mail named[27337]: found 2 CPUs, using 2 worker threads
Sep  2 11:33:35 mail named[27337]: using 2 UDP listeners per interface
Sep  2 11:33:35 mail named[27337]: using up to 4096 sockets
Sep  2 11:33:35 mail named[27337]: loading configuration from '/etc/named.conf'
Sep  2 11:33:35 mail named[27337]: reading built-in trusted keys from file '/etc/bind.keys'
Sep  2 11:33:35 mail named[27337]: using default UDP/IPv4 port range: [1024, 65535]
Sep  2 11:33:35 mail named[27337]: using default UDP/IPv6 port range: [1024, 65535]
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface lo, 127.0.0.1#53
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface eth0, 64.129.23.170#53
Sep  2 11:33:35 mail named[27337]: listening on IPv4 interface eth1, 192.168.0.2#53
Sep  2 11:33:35 mail named[27337]: generating session key for dynamic DNS
Sep  2 11:33:35 mail named[27337]: sizing zone task pool based on 4 zones
Sep  2 11:33:35 mail named[27337]: Loading 'AD DNS Zone' using driver dlopen
Sep  2 11:33:35 mail named[27337]: samba_dlz: started for DN DC=hprs,DC=local
Sep  2 11:33:35 mail named[27337]: samba_dlz: starting configure
Sep  2 11:33:35 mail named[27337]: samba_dlz: shutting down
Sep  2 11:33:36 mail named[27346]: starting BIND 9.9.5-P1
Sep  2 11:33:36 mail named[27346]: built with '--prefix=/usr' '--libdir=/usr/lib64' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--with-idn=/usr' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--enable-threads' '--with-openssl=/usr' '--build=x86_64-slackware-linux' 'build_alias=x86_64-slackware-linux' 'CFLAGS=-O2 -fPIC'
Sep  2 11:33:36 mail named[27346]: ----------------------------------------------------
Sep  2 11:33:36 mail named[27346]: BIND 9 is maintained by Internet Systems Consortium,
Sep  2 11:33:36 mail named[27346]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep  2 11:33:36 mail named[27346]: corporation.  Support and training for BIND 9 are
Sep  2 11:33:36 mail named[27346]: available at https://www.isc.org/support
Sep  2 11:33:36 mail named[27346]: ----------------------------------------------------
Sep  2 11:33:36 mail named[27346]: adjusted limit on open files from 4096 to 1048576
Sep  2 11:33:36 mail named[27346]: found 2 CPUs, using 2 worker threads
Sep  2 11:33:36 mail named[27346]: using 2 UDP listeners per interface
Sep  2 11:33:36 mail named[27346]: using up to 4096 sockets
Sep  2 11:33:36 mail named[27346]: loading configuration from '/etc/named.conf'
Sep  2 11:33:36 mail named[27346]: reading built-in trusted keys from file '/etc/bind.keys'
Sep  2 11:33:36 mail named[27346]: using default UDP/IPv4 port range: [1024, 65535]
Sep  2 11:33:36 mail named[27346]: using default UDP/IPv6 port range: [1024, 65535]
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface lo, 127.0.0.1#53
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface eth0, 64.129.23.170#53
Sep  2 11:33:36 mail named[27346]: listening on IPv4 interface eth1, 192.168.0.2#53
Sep  2 11:33:36 mail named[27346]: generating session key for dynamic DNS
Sep  2 11:33:36 mail named[27346]: sizing zone task pool based on 4 zones
Sep  2 11:33:36 mail named[27346]: Loading 'AD DNS Zone' using driver dlopen
Sep  2 11:33:37 mail named[27346]: samba_dlz: started for DN DC=hprs,DC=local
Sep  2 11:33:37 mail named[27346]: samba_dlz: starting configure
Sep  2 11:33:37 mail named[27346]: samba_dlz: shutting down

LVL 1

Author Comment

by:jmarkfoley
ID: 40298746
I commented out the hprs.local zone in the named.conf file and this time it seems to have run OK. Does that make sense to you? I will do some testing on name resolution and post back the results.
LVL 62

Expert Comment

by:gheist
ID: 40298749
You must keep this intact:
/etc/samba/private/named.conf

If the zone you removed is defined somewhere else you can delete it safely.
LVL 1

Author Comment

by:jmarkfoley
ID: 40298829
Still having problems (but getting closer, I think). After commenting out the hprs.local zone in named.conf, restarting bind and starting samba, I tried `ipconfig /release && ipconfig /renew` on one of the Windows client workstations. The messages file shows "samba_dlz: cancelling transaction on zone hprs.local". The syslog shows "update ... denied".

Might be a permissions issue. Note that in line 17 of my `samba_upgradedns` output (initial posting) I got the error "Unable to find group id for BIND, / set permissions to sam.ldb* files manually". These files are in /etc/samba/private/dns and are all owned by root.root. They were created that way when `samba-tool provision` was run. I changed them to have group rw, but that didn't help. Before I mess up these files too much, what do you suggest? Creating a BIND group and making the group for these files BIND?

Note also that the same `samba_upgradedns` output shows:

3: DNS accounts already exist
10: dns-mail account already exists

Not sure what this means because there is no DNS account in /etc/passwd.

Here are the logfiles:
I'll continue researching. Logfile output below.

/var/log/messages
Sep  2 11:50:58 mail dhcpd: DHCPRELEASE of 192.168.0.100 from 00:25:b3:bf:f5:42 (hplaptop) via eth1 (found)
Sep  2 11:50:59 mail dhcpd: DHCPDISCOVER from 00:25:b3:bf:f5:42 via eth1
Sep  2 11:51:00 mail dhcpd: DHCPOFFER on 192.168.0.100 to 00:25:b3:bf:f5:42 (hplaptop) via eth1
Sep  2 11:51:00 mail named[29041]: samba_dlz: starting transaction on zone hprs.local
Sep  2 11:51:00 mail named[29041]: samba_dlz: cancelling transaction on zone hprs.local
Sep  2 11:51:00 mail dhcpd: DHCPREQUEST for 192.168.0.100 (192.168.0.2) from 00:25:b3:bf:f5:42 (hplaptop) via eth1
Sep  2 11:51:00 mail dhcpd: DHCPACK on 192.168.0.100 to 00:25:b3:bf:f5:42 (hplaptop) via eth1

/var/log/syslog
Sep  2 11:51:00 mail named[29041]: client 192.168.0.2#12212: update 'hprs.local/IN' denied
Sep  2 11:51:00 mail dhcpd: Unable to add forward map from hplaptop.hprs.local. to 192.168.0.100: REFUSED

LVL 1

Author Comment

by:jmarkfoley
ID: 40298841
> If the zone you removed is defined somewhere else you can delete it safely.

I'm assuming the hprs.local zone is defined in the DLZ configuration and that was why I was getting the "loading configuration: already exists" error. Once I commented out that zone in named.conf named at least ran -- though still having issues as explained in my last post.
LVL 62

Expert Comment

by:gheist
ID: 40299311
So that was the dynamic zone for samba.
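The two collisions diagnosed in the thread (both `database` lines active in Samba's generated named.conf, and the hprs.local zone declared statically in /etc/named.conf while samba_dlz also serves it), plus the IP-based allow-update that named logs as insecure, as an added pre-flight checker. This is example code, not from the thread or from Samba; the file contents are constructed to mirror the poster's, and `dhcp-key` is a placeholder TSIG key name.

```python
# Pre-flight check for a named.conf that includes Samba's BIND9_DLZ snippet (added
# example, not from the thread). Flags: >1 active 'database' line in the dlz block,
# a static zone duplicating the AD zone samba_dlz serves, and IP-based allow-update.
import re

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"#|//", ln, maxsplit=1)[0] for ln in text.splitlines())

def blocks(text, keyword):
    """Yield (label, body) for each `keyword "label" [in] { ... }`, honouring nesting."""
    for m in re.finditer(r'\b%s\s+"([^"]+)"\s*(?:in\s+)?\{' % keyword, text, flags=re.I):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def active_database_lines(dlz_conf):
    """Count uncommented 'database' directives across all dlz blocks."""
    return sum(len(re.findall(r'^\s*database\s+"', body, flags=re.M))
               for _, body in blocks(strip_comments(dlz_conf), "dlz"))

def check(named_conf, dlz_conf, ad_domain):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    n = active_database_lines(dlz_conf)
    if n != 1:
        findings.append("dlz block has %d active 'database' lines; exactly one is allowed" % n)
    for name, body in blocks(strip_comments(named_conf), "zone"):
        if name.lower() == ad_domain.lower():
            findings.append("zone '%s' is also served by samba_dlz; drop the static zone" % name)
        if re.search(r"allow-update\s*\{[^}]*\b\d+\.\d+\.\d+\.\d+\b", body):
            findings.append("zone '%s' allows updates by IP address; use a TSIG key instead" % name)
    return findings

# Constructed inputs modelled on the thread's files (not the poster's real config).
NAMED_CONF_BROKEN = """
zone "hprs.local" in { type master;
    allow-update { 192.168.0.2; 127.0.0.1; };  // local DHCP server
    file "db.hprs.local"; };
zone "0.168.192.in-addr.arpa" in { type master;
    allow-update { 192.168.0.2; 127.0.0.1; };
    file "db.192.168.0"; };
include "/etc/samba/private/named.conf";
"""
DLZ_CONF_BROKEN = """
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/lib64/bind9/dlz_bind9.so";
    # For BIND 9.9.0
    database "dlopen /usr/lib64/bind9/dlz_bind9_9.so";
};
"""
# Repaired pair: one driver line, AD zone left to samba_dlz, key-based updates.
NAMED_CONF_FIXED = """
zone "0.168.192.in-addr.arpa" in { type master;
    allow-update { key dhcp-key; };  /* dhcp-key is a placeholder TSIG key name */
    file "db.192.168.0"; };
include "/etc/samba/private/named.conf";
"""
DLZ_CONF_FIXED = DLZ_CONF_BROKEN.replace('    database "dlopen /usr/lib64/bind9/dlz_bind9.so";',
                                         '    # database "dlopen /usr/lib64/bind9/dlz_bind9.so";')

if __name__ == "__main__":
    for line in check(NAMED_CONF_BROKEN, DLZ_CONF_BROKEN, "hprs.local") or ["clean"]:
        print(line)
```

Run it against the real files (read them in place of the constructed strings) before `named-checkconf`; the broken pair reports four findings and the repaired pair none.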
LVL 1

Author Comment

by:jmarkfoley
ID: 40299557
> So that was the dynamic zone for samba.

I suppose that is so. There is only one real forward zone: hprs.local. The files created by samba_upgradedns are shown below. Only hprs.local appears to be configured.

So, what's up with my "update denied" problem? Any ideas?

/etc/samba/private/dns/sam.ldb.d/
-rw-rw---- 1 root root 7348224 2014-09-01 16:18 CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 1 root root 8560640 2014-09-01 16:18 CN\=SCHEMA,CN\=CONFIGURATION,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root 4247552 2014-09-01 16:18 DC\=DOMAINDNSZONES,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root 4247552 2014-09-01 16:18 DC\=FORESTDNSZONES,DC\=HPRS,DC\=LOCAL.ldb
-rw-rw-r-- 1 root root 1286144 2014-09-01 16:18 DC\=HPRS,DC\=LOCAL.ldb
-rw-rw---- 2 root root  421888 2014-09-02 11:49 metadata.tdb

LVL 1

Accepted Solution

by:
jmarkfoley earned 0 total points
ID: 40302191
Well, I've decided to abandon the BIND_DLZ method. If, when I monkey-type instructions things don't work, it's usually because *I* messed something up (such as my example of uncommenting 2 databases). However, when errors get esoteric and cryptic, it indicates to me that the package configuration isn't quite there yet and/or the solution requires more depth of knowledge than I have. Sometimes, just a couple of more words of diagnostic or error message would do the trick. For example, samba_upgradedns gave me the message, "Unable to find group id for BIND, / set permissions to sam.ldb* files manually". Set it to ... what? This may be the crux of the problem, but it would have been nice if the program author had either set the permissions automatically or at least said what they should be.

I also get the syslog message:
samba /usr/sbin/samba_dnsupdate: /usr/bin/nsupdate: cannot specify -g or -o, program not linked with GSS API Library

Again, cryptic gibberish to me, but hints that the dnsupdate program was not built to work with things the BIND_DLZ backend needs.

So, of my three choices: Internal DNS, BIND DLZ, and BIND9_FLATFILE; I can't get BIND_DLZ to work. I can't quite glean from the documentation if Internal DNS will work with DHCPD or how I would configure zones, and there are a bunch of limitations (https://wiki.samba.org/index.php/DNS). That leaves BIND9_FLATFILE which is supposedly not recommended (though I can't find where I read that).

In any case, the BIND9_FLATFILE backend appears to work just fine. Zone and journal files get updated in /etc/samba/private/dns when DHCP clients connect. No errors in syslog or messages. So, I'll stick with that for now.
LVL 62

Expert Comment

by:gheist
ID: 40302881
You can allow dynamic updates from samba's IP address. No need to authenticate yet while testing.
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40309469
I changed my approach to this problem.