BIND9 DLZ DNS Back End: Difference between revisions
(Small addition on the use service name of bind9 in the override. *(debian/related = bind9 , redhat/related = named.)) |
|||
(64 intermediate revisions by 11 users not shown) | |||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
Samba provides support for using the BIND DNS server as the DNS back end on a Samba Active Directory (AD) domain controller (DC). The <code>BIND9_DLZ</code> back end is recommended for complex DNS setups that the Samba internal DNS server does not support. |
|||
This HowTo describes how to compile and configure a basic Bind installation, that can be used as Samba DC DNS backend. |
|||
{{Imbox |
|||
Bind as DNS backend is recommended, if you plan setup a complexer DNS setup, than the Samba 4 internal DNS currently made possible. |
|||
| type = note |
|||
| text = This documentation only supports BIND versions that are actively maintained by ISC. For details about the ISC BIND life cycle, see https://www.isc.org/downloads/software-support-policy/ |
|||
}} |
|||
The <code>BIND9_DLZ</code> module is a BIND9 plugin that accesses the Samba Active Directory (AD) database directly for registered zones. For this reason: |
|||
* BIND must be installed on the same machine as the Samba AD domain controller (DC). |
|||
* BIND must not run in a changed root environment. |
|||
* zones are stored and replicated within the directory. |
|||
{{Imbox |
|||
| type = note |
|||
| text = If you are using the internal DNS server and wish to use Bind9 instead, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]]. |
|||
}} |
|||
= Setting up a basic Bind installation = |
|||
Skip this section if you already having an existing Bind installation; that can be used as a Samba AD backend. |
|||
= Software Architecture = |
|||
Bind9 operates a threading model with the 'worker threads' concept. Each plugin has an associated mutex, so no two worker threads can call API functions provided by our plugin at once. Database access by the plugin is guarded by a fcntl lock. |
|||
== Installing Bind == |
|||
Bind as backend for your Samba Active Directory Domain Controller is currently supported in version 9.8 and 9.9 only. Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section [[#Bind_9.7_2|DNS dynamic updates via Kerberos for Bind 9.7]] for instructions on configuring Bind 9.7. |
|||
If you install Bind from the repositories of your distribution, you can skip the following two steps. But make sure that your vendor compiled Bind with the '--with-gssapi' and '--with-dlopen' options (see below) before using it as Samba AD DNS backend. |
|||
=== Downloading === |
|||
= Recommended Architecture = |
|||
Download your desired and Samba 4 supported version from [https://www.isc.org/software/bind https://www.isc.org/software/bind]. |
|||
For high traffic environments, it is not recommended to use BIND9_DLZ-backed samba as a primary DNS server. Instead, use an external server that only forwards queries to BIND9_DLZ-backed samba DNS installations when the query is addressed to a zone managed by that node. |
|||
=== Compiling Bind === |
|||
To use Bind 9.8.1 or later as Samba AD backend, at least the following two configure options are required: |
|||
# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes |
|||
Please check if there are other options you require for your environment. For building Bind 9.8.0, you must use '--with-dlz-dlopen=yes' instead of '--with-dlopen=yes'. |
|||
= Setting up BIND = |
|||
To build and install: |
|||
For details, see [[Setting_up_a_BIND_DNS_Server|Setting up a BIND DNS Server]]. |
|||
# make |
|||
# make install |
|||
== Configuration == |
|||
=== Setting up a basic named.conf === |
|||
= Configuring the BIND9_DLZ Module = |
|||
The following example is a basic 'named.conf' for a pure minimal Bind installation without any Samba AD parts. We will add the Samba required parameters later. |
|||
During the domain provisioning, join, or classic upgrade, the <code>/usr/local/samba/bind-dns/named.conf</code> file has been created. |
|||
# /etc/named.conf |
|||
# Global Bind configuration options |
|||
{{Imbox |
|||
| type = note |
|||
| text = For Samba v4.7 and earlier, the <code>named.conf</code> filepath is slightly different: <code>/usr/local/samba/private/named.conf</code>. If you're using an older version of Samba, take care to use the correct filepath in the instructions that follow. |
|||
}} |
|||
To enable the <code>BIND9_DLZ</code> module for your BIND version: |
|||
* Add the following <code>include</code> statement to your BIND <code>named.conf</code> file: |
|||
include "/usr/local/samba/bind-dns/named.conf"; |
|||
* Display the BIND version: |
|||
# named -v |
|||
BIND 9.9.4 |
|||
* Edit the <code>/usr/local/samba/bind-dns/named.conf</code> file and uncomment the module for your BIND version. For example: |
|||
dlz "AD DNS Zone" { |
|||
# For BIND 9.8.x |
|||
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so"; |
|||
# For BIND 9.9.x |
|||
options { |
|||
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so"; |
|||
# For BIND 9.10.x |
|||
auth-nxdomain yes; |
|||
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so"; |
|||
directory "/var/named"; |
|||
notify no; |
|||
empty-zones-enable no; |
|||
# For BIND 9.11.x |
|||
allow-query { |
|||
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so"; |
|||
127.0.0.1; |
|||
10.1.1.0/24; |
|||
# add other networks you want to allow to query your DNS |
|||
}; |
|||
# For BIND 9.12.x |
|||
allow-recursion { |
|||
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so"; |
|||
10.1.1.0/24; |
|||
# add other networks you want to allow to do recursive queries |
|||
}; |
|||
# For BIND 9.14.x |
|||
forwarders { |
|||
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_14.so"; |
|||
# Google public DNS server here - replace with your own if necessary |
|||
8.8.8.8; |
|||
8.8.4.4; |
|||
}; |
|||
allow-transfer { |
|||
# this config is for a single master DNS server |
|||
none; |
|||
}; |
|||
}; |
|||
# Root servers (required zone for recursive queries) |
|||
zone "." { |
|||
type hint; |
|||
file "named.root"; |
|||
}; |
|||
# Required localhost forward-/reverse zones |
|||
zone "localhost" { |
|||
type master; |
|||
file "master/localhost.zone"; |
|||
}; |
|||
# For BIND 9.16.x |
|||
zone "0.0.127.in-addr.arpa" { |
|||
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so"; |
|||
type master; |
|||
file "master/0.0.127.zone"; |
|||
}; |
}; |
||
We chose '/var/named' as directory in 'named.conf' to be the place where our zonefiles, etc. reside. If you want to place them on a different location, please regard this in all further instructions. |
|||
:The following table shows the supported BIND versions and from which version of Samba the support started: |
|||
For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'. |
|||
:{| class="wikitable" |
|||
=== Adding a user and group for Bind === |
|||
!BIND Version |
|||
!Supported in Samba Version |
|||
|- |
|||
|BIND 9.16 |
|||
|Samba 4.12.10 , 4.13.2 and later |
|||
|- |
|||
|BIND 9.14 |
|||
|Samba 4.12.10 , 4.13.2 and later |
|||
|- |
|||
|BIND 9.12 |
|||
|Samba 4.12.10 , 4.13.2 and later |
|||
|- |
|||
|BIND 9.11 |
|||
|Samba 4.5.2 and later |
|||
|- |
|||
If you don't want to run bind as root (and I'm sure you don't want that!), we add an account and group. |
|||
|BIND 9.10 |
|||
|Samba 4.2 and later |
|||
|- |
|||
|BIND 9.9 |
|||
|Samba 4.0 and later |
|||
|- |
|||
|BIND 9.8 |
|||
|Samba 4.0 and later |
|||
|} |
|||
First check if we have an existing `named` group: |
|||
# getent group|grep named |
|||
Add the user and group if none exists (adapt the UID/GID if required) : |
|||
# groupadd -g 25 named |
|||
# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named |
|||
= Setting up BIND9 options and keytab for Kerberos = |
|||
=== Getting the root name server list === |
|||
Samba needs to have some options set to allow Kerberos clients to automatically update the Active Directory (AD) zone managed by the <code>BIND9_DLZ</code> back end and improve performance. |
|||
Download the root name server list from InterNIC: |
|||
{{Imbox |
|||
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root |
|||
| type = note |
|||
# chown named:named /var/named/named.root |
|||
| text = Dynamic DNS updates require minimum BIND version 9.8. |
|||
}} |
|||
To enable dynamic DNS updates using Kerberos and avoid returning NS records in all responses: |
|||
To have always the current file, you can add a cronjob to automatically download. |
|||
* Add the following to the <code>options {}</code> section of your BIND <code>named.conf</code> file. For example: |
|||
options { |
|||
[...] |
|||
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; |
|||
minimal-responses yes; |
|||
}; |
|||
* If you provisioned or joined an AD forest or run the classic upgrade using a Samba version prior to 4.4.0, the BIND Kerberos key tab file was generated using wrong permissions. To fix, enable read access for the BIND user: |
|||
=== Creating the localhost zone file === |
|||
# chmod 640 /usr/local/samba/private/dns.keytab |
|||
Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone: |
|||
# chown root:named /usr/local/samba/private/dns.keytab |
|||
* If you upgrade from a version earlier than 4.8.0, you should check the permissions on the <code>/usr/local/samba/bind-dns</code> directory, these should be: |
|||
$TTL 3D |
|||
# chmod 770 /usr/local/samba/bind-dns |
|||
# chown root:named /usr/local/samba/bind-dns |
|||
$ORIGIN localhost. |
|||
@ 1D IN SOA @ root ( |
|||
2013050101 ; serial |
|||
8H ; refresh |
|||
2H ; retry |
|||
4W ; expiry |
|||
1D ; minimum |
|||
) |
|||
@ IN NS @ |
|||
IN A 127.0.0.1 |
|||
:{{Imbox |
|||
| type = note |
|||
| text = If you have joined a DC using a version of Samba >= 4.8.0 , there is a bug with the <code>dns.keytab</code> file. The code to create the keytab in the correct location does not exist, see https://bugzilla.samba.org/show_bug.cgi?id=14535 . The fix (at the moment) is to change to the internal dns server and then upgrade to Bind9 again, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]]. |
|||
}} |
|||
:{{Imbox |
|||
| type = note |
|||
| text = If you are installing installing Samba using packages, validate that the BIND user is able to read the <code>dns.keytab</code> file. Some package installations set to restrictive permissions on higher folders. |
|||
}} |
|||
* Verify that your <code>/etc/krb5.conf</code> Kerberos client configuration file is readable by your BIND user. For example: |
|||
=== Creating the 0.0.127.in-addr.arpa zone file === |
|||
# ls -l /etc/krb5.conf |
|||
Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone: |
|||
-rw-r--r--. 1 root named 99 2. Sep 2014 /etc/krb5.conf |
|||
* Verify that the <code>nsupdate</code> utility exists on your domain controller (DC): |
|||
$TTL 3D |
|||
@ IN SOA localhost. root.localhost. ( |
|||
2013050101 ; Serial |
|||
8H ; Refresh |
|||
2H ; Retry |
|||
4W ; Expire |
|||
1D ; Minimum TTL |
|||
) |
|||
IN NS localhost. |
|||
1 IN PTR localhost. |
|||
# which nsupdate |
|||
/usr/bin/nsupdate |
|||
:The <code>nsupdate</code> command is used to update the DNS. If the utility is missing, see you distribution's documentation how to identify the package containing the command and how to install. |
|||
=== Set permissions on the zone files === |
|||
# chown named:named /var/named/master/*.zone |
|||
# chmod 640 /var/named/master/*.zone |
|||
= AppArmor and SELinux Integration = |
|||
For details, see [[BIND9_DLZ_AppArmor_and_SELinux_Integration|BIND9_DLZ AppArmor and SELinux Integration]]. |
|||
== Starting Bind == |
|||
# named -u named |
|||
If the configuration is valid, you should see no errors on the console and in the system logfile. |
|||
To have Bind automatically started at boot time, it's recommended, to create a init.d script or start it by systemd. |
|||
= Starting the BIND Service = |
|||
* Before you start the service, verify the BIND configuration: |
|||
# named-checkconf |
|||
: If no output is shown, the BIND configuration is valid. |
|||
* Start the BIND service. |
|||
== Testing your zone == |
|||
Now we try to lookup our zone entries. We tell the 'host' command, to use the resolver on 127.0.0.1, so that we don't query an foreign DNS server, that is maybe also configured in '/etc/resolv.conf'. |
|||
First check the forward lookup for 'localhost': |
|||
# host localhost. 127.0.0.1 |
|||
Using domain server: |
|||
Name: 127.0.0.1 |
|||
Address: 127.0.0.1#53 |
|||
Aliases: |
|||
localhost has address 127.0.0.1 |
|||
And then the reverse lookup for '127.0.0.1': |
|||
# host 127.0.0.1 127.0.0.1 |
|||
Using domain server: |
|||
Name: 127.0.0.1 |
|||
Address: 127.0.0.1#53 |
|||
Aliases: |
|||
1.0.0.127.in-addr.arpa domain name pointer localhost. |
|||
= Testing Dynamic DNS Updates = |
|||
For details, see [[Testing_Dynamic_DNS_Updates|Testing Dynamic DNS Updates]]. |
|||
= Configuring Bind as Samba Active Directory backend = |
|||
* Note: BIND must be installed on the same machine as Samba AD DC. Since BIND DLZ module accesses AD database directly, BIND for AD zones must be on the same machine. |
|||
= The Lockup Problem = |
|||
When a BIND thread calls one of the BIND9_DLZ plugin API calls, execution can be blocked on database access calls if locks are out on the database at the time. Unfortunately, during that time, BIND will not be able to serve any queries, even external (non-samba) queries. Bind has a "-n" option that can increase the number of worker threads but testing has shown that increasing this number does not fix the problem, indicating that BIND's threading and queueing models are probably a bit broken. |
|||
== Bind 9.8 / 9.9 == |
|||
In small-scale environments this problem is unlikely to come up, but, in high-traffic environments, it may cause DNS outage. The only solution right now is to use an external DNS server that only forwards queries to BIND9_DLZ-backed samba DNS installations when the query is addressed to a zone managed by that node. |
|||
During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, that must be included in your Bind named.conf: |
|||
include "/usr/local/samba/private/named.conf"; |
|||
If you had provisioned with the internal DNS, there are some few steps required first to [[Changing_the_DNS_backend#Changing_from_Samba_Internal_DNS_to_BIND_DLZ|switch to Bind]]. |
|||
Depending on the Bind version you are running, you should edit '/usr/local/samba/private/named.conf' and enable the right version of the DLZ module. |
|||
= Troubleshooting = |
|||
Restart Bind to have the included file being used. Check the logfiles for errors and problems. If available, you can run <code>named-checkconf</code> to help you fix any problems with your Bind configuration. |
|||
== Reconfiguring the BIND9_DLZ Back End == |
|||
== Bind 9.7== |
|||
Running the <code>BIND9_DLZ</code> back end setup automatically fixes several problems, such as recreating the Active Directory (AD) BIND DNS account (<code>dns-*</code>) and BIND Kerberos keytab file problems. |
|||
Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section [[#Bind_9.7_2|DNS dynamic updates via Kerberos for Bind 9.7]] for instructions on configuring Bind 9.7. |
|||
To fix the problem: |
|||
* Run the auto-reconfiguration: |
|||
# samba_upgradedns --dns-backend=BIND9_DLZ |
|||
== DNS dynamic updates via Kerberos (optional, but recommended) == |
|||
Reading domain information |
|||
DNS accounts already exist |
|||
No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone |
|||
DNS records will be automatically created |
|||
DNS partitions already exist |
|||
dns-DC1 account already exists |
|||
See /usr/local/samba/private/named.conf for an example configuration include file for BIND |
|||
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates |
|||
Finished upgrading DNS |
|||
* Restart the BIND service. |
|||
Samba has the capability to automatically update the Bind zone files via Kerberos. |
|||
To setup dynamic DNS updates you need to have a recent version of Bind installed. It is highly recommended that you run at least version 9.8.0, as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. Please use 9.8 or 9.9 if possible! |
|||
To find out what version of Bind you are running, use |
|||
# named -V |
|||
If your operating system does not have Bind 9.8 or 9.9, please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind) or [[#Installing_Bind|compile it by yourself]]. |
|||
== Debugging the BIND9_DLZ Module == |
|||
To set a log level for the <code>BIND9_DLZ</code> module: |
|||
* Append the <code>-d</code> parameter and log level to the module in the <code>/usr/local/samba/bind-dns/named.conf</code> file. For example: |
|||
=== Bind 9.8 / 9.9 === |
|||
database "dlopen .../bin/modules/bind9/dlz_bind9_9.so -d 3"; |
|||
A DNS keytab file was automatically created during provisioning/updating. Add the following' tkey-gssapi-keytab' option to the 'options' section of your named.conf: |
|||
* Stop the BIND service. |
|||
options { |
|||
[...] |
|||
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; |
|||
[...] |
|||
}; |
|||
* Start BIND manually to display the debug out put and to capture the log output in the <code>/tmp/named.log</code> file: |
|||
# named -u named -f -g 2>&1 | tee /tmp/named.log |
|||
: See the <code>named (8)</code> man page for details about the used parameters. |
|||
=== Bind 9.7 === |
|||
If you have Bind 9.7.x (specifically 9.7.2 or later), then first determine if you can at all possibly run 9.8 or 9.9. You will have far fewer problems! Otherwise, follow these instructions: |
|||
The Samba provision will have created a custom '/usr/local/samba/private/named.conf.update' configuration file. You need to include this file in your 'named.conf' to allow Samba/Kerberos DNS updates to automatically take place. |
|||
include "/usr/local/samba/private/named.conf.update"; |
|||
Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start! |
|||
== New DNS Entries Are Not Resolvable == |
|||
You additionally need to set two environment variables when using 9.7: |
|||
If you create new DNS records in the directory and are not able to resolve them using the <code>nslookup</code>, <code>host</code> or other DNS lookup tools, the database hard links can got lost. This happens, for example, if you move the databases across mount points. |
|||
KEYTAB_FILE="/usr/local/samba/private/dns.keytab" |
|||
KRB5_KTNAME="/usr/local/samba/private/dns.keytab" |
|||
export KEYTAB_FILE |
|||
export KRB5_KTNAME |
|||
To verify that the domain and forest partition as well as the <code>metadata.tdb</code> database are hard linked in both directories, run |
|||
These should be put in your settings file for Bind. On Debian based systems (including Ubuntu) this is in '/etc/default/bind9'. On RedHat and SuSE derived systems it is in '/etc/sysconfig/named'. Please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking, you only either need KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distribution, so it's easier to just set both. |
|||
# ls -lai /usr/local/samba/private/sam.ldb.d/ |
|||
The 'dns.keytab' must be readable by the bind server process: |
|||
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb |
|||
# ls -lai /usr/local/samba/private/dns/sam.ldb.d/ |
|||
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb |
|||
The same files must have the same inode number in the first column of the output in the both directories. If they differ, the hard link got lost and Samba and BIND use separate database files and thus DNS updates in the directory are not resolveable through the BIND DNS server. |
|||
# chown named:named /usr/local/samba/private/dns.keytab |
|||
To auto-repair the hard linking, see [[#Reconfiguring_the_BIND9_DLZ_Back_End|Reconfiguring the BIND9_DLZ Back End]]. |
|||
Normally, the provision/update should have setup these permissions for you automatically. |
|||
{{Imbox |
|||
Finally, you need to add the following to the options section of your named.conf: |
|||
| type = note |
|||
| text = The binddns dir was changed at Samba 4.8.0 from <code>/usr/local/samba/private/dns</code> to <code>/usr/local/samba/bind-dns/dns</code>. |
|||
}} |
|||
options { |
|||
[...] |
|||
tkey-gssapi-credential "DNS/server.samdom.example.com"; |
|||
tkey-domain "SAMDOM.EXAMPLE.COM"; |
|||
[...] |
|||
}; |
|||
The last part of the credential in the first line must match the dns name of the server, you have set up. |
|||
== Updating the DNS Fails: NOTAUTH == |
|||
If BIND uses incorrect Kerberos settings on the Samba Active Directory (AD) domain controller (DC), dynamic DNS updates fail. For example: |
|||
The way the automatic DNS update in Samba works, is that the provision will create a file '/usr/local/samba/private/dns_update_list', which contains a list of DNS entries that Samba will try to dynamically update at startup and every 10 minutes thereafter using the 'samba_dnsupdate' utility. Updates will only happen if the DNS entries do not already exist. Remember that you need the 'nsupdate' utility from Bind the distribution for all these to work. |
|||
# samba_dnsupdate --verbose |
|||
If you want to test or debug this process, then please run as root: |
|||
... |
|||
update(nsupdate): SRV _gc._tcp.Default-First-Site-Name._sites.samdom.example.com DC1.samdom.example.com 3268 |
|||
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.samdom.example.com DC1.samdom.example.com 3268 (add) |
|||
Outgoing update query: |
|||
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 |
|||
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 |
|||
;; UPDATE SECTION: |
|||
_gc._tcp.Default-First-Site-Name._sites.samdom.example.com. 900 IN SRV 0 100 3268 DC1.samdom.example.com. |
|||
update failed: NOTAUTH |
|||
To solve the problem: |
|||
# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names |
|||
* Verify that BIND configuration is set up correctly. For further details, see [[#Setting_up_Dynamic_DNS_Updates_Using_Kerberos|Setting up Dynamic DNS Updates Using Kerberos]]. |
|||
The command line options specified will force an update of all records in the 'dns_update_list', as well as output detailed information on what is being done. |
|||
* Recreate the BIND back end settings. For details, see [[#Reconfiguring_the_BIND9_DLZ_Back_End|Reconfiguring the BIND9_DLZ Back End]]. |
|||
= Interaction with AppArmor or SELinux = |
|||
If you are getting an error from samba_dnsupdate and nsupdate '''return dns_tkey_negotiategss: TKEY is unacceptable''' try the following: |
|||
If you are using AppArmor or SELinux, you have to ensure that the Bind process has read access to the following files: |
|||
* /usr/local/samba/private/dns.keytab |
|||
* /usr/local/samba/private/named.conf |
|||
as well read-write access to the |
|||
* /usr/local/samba/private/dns/ |
|||
directory and it's own zone file(s). |
|||
The Samba provision tries to setup the permissions correctly for these files, but you may find you need to make changes in your AppArmor or SELinux configuration if you are running either of those. If you are using AppArmor, then the 'aa-logprof' command may help you add any missing permissions you need to add after you start Samba and Bind for the first time after configuring them. |
|||
Permissions, SELinux Labeling and Policy |
|||
== Updating the DNS Fails: dns_tkey_negotiategss: TKEY is unacceptable == |
|||
These instructions are intended for RHEL6, but may serve as a guide for other distributions/versions. |
|||
For details, see [[Dns_tkey_negotiategss:_TKEY_is_unacceptable|dns_tkey_negotiategss: TKEY is unacceptable]]. |
|||
There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be able to have everything working without disabling SELinux. |
|||
For all the commands below, make sure you have set the following environment variable: |
|||
MYREALM="samdom.example.com" |
|||
Set Permissions (SELinux): |
|||
chown named:named /usr/local/samba/private/dns |
|||
chgrp named /usr/local/samba/private/dns.keytab |
|||
chmod g+r /usr/local/samba/private/dns.keytab |
|||
chmod 775 /usr/local/samba/private/dns |
|||
Label files (SELinux): |
|||
== Reloading the Bind9 DNS Server == |
|||
chcon -t named_conf_t /usr/local/samba/private/dns.keytab |
|||
chcon -t named_conf_t /usr/local/samba/private/named.conf.update |
|||
chcon -t named_var_run_t /usr/local/samba/private/dns |
|||
chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone |
|||
If you <code>reload</code> Bind9, you are likely to see lines similar to these in the logs: |
|||
Set Label Persistence (SELinux): |
|||
named[29534]: samba_dlz: Ignoring duplicate zone |
|||
You cannot <code>reload</code> Bind9 on a Samba AD DC, you must use <code>restart</code>. |
|||
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab |
|||
You should check if logrotate is using <code>reload</code> and change it if it is. |
|||
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf |
|||
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update |
|||
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns |
|||
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone |
|||
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl |
|||
AppArmor Configuration : |
|||
If using systemd this can be disabled or changed to restart. |
|||
Add the following to the end of /etc/apparmor.d/local/usr.sbin.named (create it if it doesn't already exist). |
|||
You can do this in a systemd override file or the bind9.service file. |
|||
If 'systemctl edit' is used, an override file is automatically created: |
|||
/etc/systemd/system/bind9.service.d/override.conf |
|||
run: |
|||
# Samba4 DLZ and Active Directory Zones (default source installation) |
|||
systemctl edit bind9.service |
|||
/usr/local/samba/lib/** rm, |
|||
/usr/local/samba/private/dns.keytab r, |
|||
/usr/local/samba/private/named.conf r, |
|||
/usr/local/samba/private/dns/** rwk, |
|||
add: |
|||
= Debugging Bind as Samba AD backend = |
|||
[Service] |
|||
For enabling debugging on the Bind DLZ module, change the following line in '/usr/local/samba/private/named.conf' from |
|||
# Disable reloading completely. |
|||
ExecReload= |
|||
# Or set it to restart |
|||
#ExecReload=/usr/sbin/rndc restart |
|||
Ensure that Samba always starts after Bind9: |
|||
database "dlopen .../bin/modules/bind9/dlz_bind9.so"; |
|||
systemctl edit samba-ad-dc.service |
|||
to |
|||
This creates: /etc/systemd/system/samba-ad-dc.service.d/override.conf |
|||
database "dlopen .../bin/modules/bind9/dlz_bind9.so -d 3"; |
|||
Add: |
|||
If you are running Bind 9.9, then add the '-d 3' to the corresponding line. |
|||
[Unit] |
|||
Stop Bind and run the service manually to capture logs: |
|||
After=network.target network-online.target bind9.service |
|||
# /usr/sbin/named -u named -f -g 2>&1 | tee named.log |
|||
Depending on the OS used, you might need to change bind9.service to named.service. |
|||
== Starting Bind9 DNS Server fails with "unhandled record type 65281" (Windows AD + Samba AD)== |
|||
= Known issues and ways to fix/workaround = |
|||
If when starting Bind9 DNS Server you see something like: |
|||
== Chroot Bind == |
|||
samba_dlz: starting configure |
|||
If you use Bind as Backend for your Samba AD, it must not run chroot, because it must be able to live access files and databases from your Samba installation. |
|||
samba_dlz b9_format: unhandled record type 65281 |
|||
zone example.local/NONE: could not find NS and/or SOA records |
|||
zone example.local/NONE: has 0 SOA records |
|||
zone example.local/NONE: has no NS records |
|||
samba_dlz: Failed to configure zone 'example.local' |
|||
To disable chroot for Bind, see the documentation for your distribution. In some, you can set |
|||
NAMED_RUN_CHROOTED="no" |
|||
in "/etc/sysconfig/named" and restart the service. |
|||
This is likely caused because you have a Windows Server Active Directory that has WINS entries and you are joining it. |
|||
To fix it, you have to disable WINS resolving in DNS of Windows Server DC direct search zones, restart Samba AD service, reload DNS config <code>samba_upgradedns --dns-backend=BIND9_DLZ</code>, and then, restart Bind9 service. |
|||
== Debian: Bind is listening on wrong IP address == |
|||
On Debian systems, the AD zone auto-generation might detect and use '127.0.1.1' as the domain controller's IP address. This will cause problems when trying to connect to the server from client machines. To fix this, you will need to adjust '/usr/local/samba/private/named.conf' by changing '127.0.1.1' to reflect the actual IP address of the server you're setting up. |
|||
== I cannot find the Bind9 dns directory == |
|||
You have searched for the dns folder <code>/usr/local/samba/bind-dns</code> but cannot find it. This directory was introduced at Samba version 4.8.0, but is only created if one of these three things has occurred: |
|||
* You provisioned Samba with the '--dns-backend=BIND9_DLZ' option. |
|||
== Debian Sid: Named does not start == |
|||
* You joined a DC with the '--dns-backend=BIND9_DLZ' option. |
|||
On Debian Sid (Bind 9 package), '/etc/bind/named.conf.options' is missing and this will cause the named daemon to fail to start. To fix this either create an empty file, or comment out corresponding line in '/etc/bind/named.conf'. See your syslog messages for more information. |
|||
* You upgraded to Bind9 with 'samba_upgradedns' and the '--dns-backend=BIND9_DLZ' option. |
|||
== New added DNS entries are not resolvable == |
|||
If you have problems with resolving new added DNS entries using the BIND9 DLZ interface, you maybe want to check the following: |
|||
== Bind9 does not start and throws a "Read-only file system" error == |
|||
The DNS zones and the metadata.ldb file in 'samba/private/dns/sam.ldb.d/' are hardlinks to 'samba/private/sam.ldb.d/'. |
|||
Maybe you've copied/moved it across filesystems and the hardlinking got lost |
|||
and you're now running with two different copies of the databases at the moment |
|||
(You can test this by adding a new DNS entry, e. g. by 'samba-tool'. If you can't |
|||
resolve it, check if the inodes differ). |
|||
If you see an error like: |
|||
If you 'ls -i' on the two folders, you should see, that the following files |
|||
have the same inodes (what indicates, that they are hard-linked): |
|||
samba_dlz: Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb: Unable to open tdb '/var/lib/samba/bind-dns/dns/sam.ldb': Read-only file system: Operations error |
|||
# ls -lai .../samba/private/sam.ldb.d/ |
|||
samba_dlz: FAILED dlz_create call result=25 #refs=0 |
|||
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
dlz_dlopen of 'AD DNS Zone' failed |
|||
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb |
|||
# ls -lai .../samba/private/dns/sam.ldb.d/ |
|||
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb |
|||
Check if the Bind9 systemd's service file defines the "ReadWritePaths" option, you might need to add the path to the samba's LDB file where the zone is stored. To do so you can execute: |
|||
If the files in the two folders have different inode numbers, then they |
|||
aren't hard-links. To fix this, run |
|||
# systemctl edit named.service |
|||
# samba_upgradedns --dns-backend=BIND9_DLZ |
|||
*Note, you might need to change named.service to bind9.service. |
|||
This will recreate the DNS files with correct hard links and permissions. |
|||
And add the path to the list of current paths: |
|||
Then restart Bind. |
|||
[Service] |
|||
... |
|||
ReadWritePaths=/var/lib/named /run/named /var/lib/samba/bind-dns |
|||
... |
|||
== DDNS updates not working == |
|||
---- |
|||
Check that the file '/etc/krb5.conf' is readable by Bind. |
|||
[[Category:Active Directory]] |
|||
[[Category:DNS]] |
Latest revision as of 13:10, 3 June 2022
Introduction
Samba provides support for using the BIND DNS server as the DNS back end on a Samba Active Directory (AD) domain controller (DC). The BIND9_DLZ
back end is recommended for complex DNS setups that the Samba internal DNS server does not support.
This documentation only supports BIND versions that are actively maintained by ISC. For details about the ISC BIND life cycle, see https://www.isc.org/downloads/software-support-policy/ |
The BIND9_DLZ
module is a BIND9 plugin that accesses the Samba Active Directory (AD) database directly for registered zones. For this reason:
- BIND must be installed on the same machine as the Samba AD domain controller (DC).
- BIND must not run in a changed root environment.
- zones are stored and replicated within the directory.
If you are using the internal DNS server and wish to use Bind9 instead, see Changing the DNS Back End of a Samba AD DC. |
Software Architecture
Bind9 operates a threading model with the 'worker threads' concept. Each plugin has an associated mutex, so no two worker threads can call API functions provided by our plugin at once. Database access by the plugin is guarded by a fcntl lock.
Recommended Architecture
For high traffic environments, it is not recommended to use BIND9_DLZ-backed samba as a primary DNS server. Instead, use an external server that only forwards queries to BIND9_DLZ-backed samba DNS installations when the query is addressed to a zone managed by that node.
Setting up BIND
For details, see Setting up a BIND DNS Server.
Configuring the BIND9_DLZ Module
During the domain provisioning, join, or classic upgrade, the /usr/local/samba/bind-dns/named.conf
file has been created.
For Samba v4.7 and earlier, the named.conf filepath is slightly different: /usr/local/samba/private/named.conf . If you're using an older version of Samba, take care to use the correct filepath in the instructions that follow. |
To enable the BIND9_DLZ
module for your BIND version:
- Add the following
include
statement to your BINDnamed.conf
file:
include "/usr/local/samba/bind-dns/named.conf";
- Display the BIND version:
# named -v BIND 9.9.4
- Edit the
/usr/local/samba/bind-dns/named.conf
file and uncomment the module for your BIND version. For example:
dlz "AD DNS Zone" { # For BIND 9.8.x # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so"; # For BIND 9.9.x # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so"; # For BIND 9.10.x # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so"; # For BIND 9.11.x database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so"; # For BIND 9.12.x # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so"; # For BIND 9.14.x # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_14.so"; # For BIND 9.16.x # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so"; };
- The following table shows the supported BIND versions and from which version of Samba the support started:
BIND Version Supported in Samba Version BIND 9.16 Samba 4.12.10 , 4.13.2 and later BIND 9.14 Samba 4.12.10 , 4.13.2 and later BIND 9.12 Samba 4.12.10 , 4.13.2 and later BIND 9.11 Samba 4.5.2 and later BIND 9.10 Samba 4.2 and later BIND 9.9 Samba 4.0 and later BIND 9.8 Samba 4.0 and later
Setting up BIND9 options and keytab for Kerberos
Samba needs to have some options set to allow Kerberos clients to automatically update the Active Directory (AD) zone managed by the BIND9_DLZ
back end and improve performance.
Dynamic DNS updates require minimum BIND version 9.8. |
To enable dynamic DNS updates using Kerberos and avoid returning NS records in all responses:
- Add the following to the
options {}
section of your BINDnamed.conf
file. For example:
options { [...] tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; minimal-responses yes; };
- If you provisioned or joined an AD forest or run the classic upgrade using a Samba version prior to 4.4.0, the BIND Kerberos key tab file was generated using wrong permissions. To fix, enable read access for the BIND user:
# chmod 640 /usr/local/samba/private/dns.keytab # chown root:named /usr/local/samba/private/dns.keytab
- If you upgrade from a version earlier than 4.8.0, you should check the permissions on the
/usr/local/samba/bind-dns
directory, these should be:
# chmod 770 /usr/local/samba/bind-dns # chown root:named /usr/local/samba/bind-dns
If you have joined a DC using a version of Samba >= 4.8.0 , there is a bug with the dns.keytab
file. The code to create the keytab in the correct location does not exist, see https://bugzilla.samba.org/show_bug.cgi?id=14535 . The fix (at the moment) is to change to the internal dns server and then upgrade to Bind9 again, see Changing the DNS Back End of a Samba AD DC.
If you are installing installing Samba using packages, validate that the BIND user is able to read the dns.keytab
file. Some package installations set to restrictive permissions on higher folders.
- Verify that your
/etc/krb5.conf
Kerberos client configuration file is readable by your BIND user. For example:
# ls -l /etc/krb5.conf -rw-r--r--. 1 root named 99 2. Sep 2014 /etc/krb5.conf
- Verify that the
nsupdate
utility exists on your domain controller (DC):
# which nsupdate /usr/bin/nsupdate
- The
nsupdate
command is used to update the DNS. If the utility is missing, see you distribution's documentation how to identify the package containing the command and how to install.
AppArmor and SELinux Integration
For details, see BIND9_DLZ AppArmor and SELinux Integration.
Starting the BIND Service
- Before you start the service, verify the BIND configuration:
# named-checkconf
- If no output is shown, the BIND configuration is valid.
- Start the BIND service.
Testing Dynamic DNS Updates
For details, see Testing Dynamic DNS Updates.
The Lockup Problem
When a BIND thread calls one of the BIND9_DLZ plugin API calls, execution can be blocked on database access calls if locks are out on the database at the time. Unfortunately, during that time, BIND will not be able to serve any queries, even external (non-samba) queries. Bind has a "-n" option that can increase the number of worker threads but testing has shown that increasing this number does not fix the problem, indicating that BIND's threading and queueing models are probably a bit broken. In small-scale environments this problem is unlikely to come up, but, in high-traffic environments, it may cause DNS outage. The only solution right now is to use an external DNS server that only forwards queries to BIND9_DLZ-backed samba DNS installations when the query is addressed to a zone managed by that node.
Troubleshooting
Reconfiguring the BIND9_DLZ Back End
Running the BIND9_DLZ
back end setup automatically fixes several problems, such as recreating the Active Directory (AD) BIND DNS account (dns-*
) and BIND Kerberos keytab file problems.
To fix the problem:
- Run the auto-reconfiguration:
# samba_upgradedns --dns-backend=BIND9_DLZ Reading domain information DNS accounts already exist No zone file /usr/local/samba/private/dns/SAMDOM.EXAMPLE.COM.zone DNS records will be automatically created DNS partitions already exist dns-DC1 account already exists See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates Finished upgrading DNS
- Restart the BIND service.
Debugging the BIND9_DLZ Module
To set a log level for the BIND9_DLZ
module:
- Append the
-d
parameter and log level to the module in the/usr/local/samba/bind-dns/named.conf
file. For example:
database "dlopen .../bin/modules/bind9/dlz_bind9_9.so -d 3";
- Stop the BIND service.
- Start BIND manually to display the debug out put and to capture the log output in the
/tmp/named.log
file:
# named -u named -f -g 2>&1 | tee /tmp/named.log
- See the
named (8)
man page for details about the used parameters.
New DNS Entries Are Not Resolvable
If you create new DNS records in the directory and are not able to resolve them using the nslookup
, host
or other DNS lookup tools, the database hard links can got lost. This happens, for example, if you move the databases across mount points.
To verify that the domain and forest partition as well as the metadata.tdb
database are hard linked in both directories, run
# ls -lai /usr/local/samba/private/sam.ldb.d/ 17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb 17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb 17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb # ls -lai /usr/local/samba/private/dns/sam.ldb.d/ 17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb 17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb 17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb
The same files must have the same inode number in the first column of the output in the both directories. If they differ, the hard link got lost and Samba and BIND use separate database files and thus DNS updates in the directory are not resolveable through the BIND DNS server.
To auto-repair the hard linking, see Reconfiguring the BIND9_DLZ Back End.
The binddns dir was changed at Samba 4.8.0 from /usr/local/samba/private/dns to /usr/local/samba/bind-dns/dns . |
Updating the DNS Fails: NOTAUTH
If BIND uses incorrect Kerberos settings on the Samba Active Directory (AD) domain controller (DC), dynamic DNS updates fail. For example:
# samba_dnsupdate --verbose ... update(nsupdate): SRV _gc._tcp.Default-First-Site-Name._sites.samdom.example.com DC1.samdom.example.com 3268 Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.samdom.example.com DC1.samdom.example.com 3268 (add) Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _gc._tcp.Default-First-Site-Name._sites.samdom.example.com. 900 IN SRV 0 100 3268 DC1.samdom.example.com. update failed: NOTAUTH
To solve the problem:
- Verify that BIND configuration is set up correctly. For further details, see Setting up Dynamic DNS Updates Using Kerberos.
- Recreate the BIND back end settings. For details, see Reconfiguring the BIND9_DLZ Back End.
Updating the DNS Fails: dns_tkey_negotiategss: TKEY is unacceptable
For details, see dns_tkey_negotiategss: TKEY is unacceptable.
Reloading the Bind9 DNS Server
If you reload
Bind9, you are likely to see lines similar to these in the logs:
named[29534]: samba_dlz: Ignoring duplicate zone
You cannot reload
Bind9 on a Samba AD DC, you must use restart
.
You should check if logrotate is using reload
and change it if it is.
If using systemd this can be disabled or changed to restart.
You can do this in a systemd override file or the bind9.service file.
If 'systemctl edit' is used, an override file is automatically created:
/etc/systemd/system/bind9.service.d/override.conf
run:
systemctl edit bind9.service
add:
[Service] # Disable reloading completely. ExecReload= # Or set it to restart #ExecReload=/usr/sbin/rndc restart
Ensure that Samba always starts after Bind9:
systemctl edit samba-ad-dc.service
This creates: /etc/systemd/system/samba-ad-dc.service.d/override.conf
Add:
[Unit] After=network.target network-online.target bind9.service
Depending on the OS used, you might need to change bind9.service to named.service.
Starting Bind9 DNS Server fails with "unhandled record type 65281" (Windows AD + Samba AD)
If when starting Bind9 DNS Server you see something like:
samba_dlz: starting configure samba_dlz b9_format: unhandled record type 65281 zone example.local/NONE: could not find NS and/or SOA records zone example.local/NONE: has 0 SOA records zone example.local/NONE: has no NS records samba_dlz: Failed to configure zone 'example.local'
This is likely caused because you have a Windows Server Active Directory that has WINS entries and you are joining it.
To fix it, you have to disable WINS resolving in DNS of Windows Server DC direct search zones, restart Samba AD service, reload DNS config samba_upgradedns --dns-backend=BIND9_DLZ
, and then, restart Bind9 service.
I cannot find the Bind9 dns directory
You have searched for the dns folder /usr/local/samba/bind-dns
but cannot find it. This directory was introduced at Samba version 4.8.0, but is only created if one of these three things has occurred:
- You provisioned Samba with the '--dns-backend=BIND9_DLZ' option.
- You joined a DC with the '--dns-backend=BIND9_DLZ' option.
- You upgraded to Bind9 with 'samba_upgradedns' and the '--dns-backend=BIND9_DLZ' option.
Bind9 does not start and throws a "Read-only file system" error
If you see an error like:
samba_dlz: Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb: Unable to open tdb '/var/lib/samba/bind-dns/dns/sam.ldb': Read-only file system: Operations error samba_dlz: FAILED dlz_create call result=25 #refs=0 dlz_dlopen of 'AD DNS Zone' failed
Check if the Bind9 systemd's service file defines the "ReadWritePaths" option, you might need to add the path to the samba's LDB file where the zone is stored. To do so you can execute:
# systemctl edit named.service
- Note, you might need to change named.service to bind9.service.
And add the path to the list of current paths:
[Service] ... ReadWritePaths=/var/lib/named /run/named /var/lib/samba/bind-dns ...