The Samba AD DNS Back Ends
Previous revision by AmitayIsaacs; this revision by Mmuehlfeld (edit summary: "Removing the 'changing the DNS backend sections'. It").
Revision as of 22:55, 14 June 2014
Which DNS backend should I choose?
The DNS backend should be chosen based on the requirements of your network or your existing DNS installations.
The internal DNS is a new implementation that allows a quick and easy setup of the DNS backend that is required for every AD installation. No further work is required to set it up. Currently it covers the important and required parts for AD.
If you already have BIND running, plan complex DNS setups, or require special functions (zone transfers only from defined hosts, etc.) that are currently not supported by the internal DNS, BIND should be the preferred backend.
The choice of a DNS backend during provisioning/upgrading is not a one-way street. If you find that your choice doesn't fit your requirements, you can switch over and change the DNS backend.
Internal DNS
The internal DNS server is built into Samba and uses AD as its backend. It is also the default DNS solution when you provision/upgrade a Samba AD controller.
Configuration
If you chose the internal server as DNS backend for your environment, there are three options that can be added to your smb.conf to control the behavior of DNS at this point:
# Don't allow any updates | allow unsigned updates | only allow signed updates
allow dns updates = False | nonsecure | signed
# If recursive queries = yes is set, the following is also needed
dns forwarder = <ip addr of external dns server>
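As an added example (not part of the Samba wiki page), the following POSIX shell script reads the parameters listed above out of an smb.conf and flags the combinations a defender would want to catch: unsigned (nonsecure) updates, which let any host on the network rewrite records, and recursion enabled without a forwarder, which the page says cannot work. The parameter names and values are the ones shown on the page; the two sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: audit the internal-DNS settings of an smb.conf.
# Parameter names/values follow the page ("allow dns updates = False | nonsecure | signed",
# "recursive queries", "dns forwarder"). The sample configs below are constructed.

# Constructed sample: the weak setting (unsigned updates, recursion without forwarder).
SAMPLE_WEAK='[global]
    allow dns updates = nonsecure
    recursive queries = yes'

# Constructed sample: the corrected setting (signed updates, forwarder present).
SAMPLE_GOOD='[global]
    allow dns updates = signed
    recursive queries = yes
    dns forwarder = 192.0.2.53'

# get_param: print the value of "key = value" for key $2 in smb.conf text $1 (first match)
get_param() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" \
        | head -n 1
}

# audit_dns_config: print one finding per line for the smb.conf text in $1
audit_dns_config() {
    updates=$(get_param "$1" 'allow dns updates')
    recursive=$(get_param "$1" 'recursive queries')
    forwarder=$(get_param "$1" 'dns forwarder')

    case "$updates" in
        nonsecure) echo "WARN: allow dns updates = nonsecure (unsigned updates accepted from any client)" ;;
        signed)    echo "OK: allow dns updates = signed" ;;
        False|"")  echo "INFO: dynamic updates disabled (clients cannot register their own records)" ;;
        *)         echo "WARN: unexpected allow dns updates value '$updates'" ;;
    esac

    if [ "$recursive" = "yes" ] && [ -z "$forwarder" ]; then
        echo "WARN: recursive queries = yes but no dns forwarder set (recursion needs a forwarder)"
    fi
}

# Usage on a live system: audit_dns_config "$(cat /usr/local/samba/etc/smb.conf)"
echo "--- weak sample ---";  audit_dns_config "$SAMPLE_WEAK"
echo "--- good sample ---";  audit_dns_config "$SAMPLE_GOOD"
```

The audit only looks at the [global] parameters named on the page; it does not validate the rest of smb.conf, so run it beside testparm rather than instead of it.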
Limitations / Known issues
- The internal server is not a caching resolver.
- The samba_dnsupdate command produces warnings when used with signed updates. We're currently investigating a fix for the warnings, but the updates actually succeed. Client systems like Samba 3 or Windows 7 work fine.
- Currently, recursive queries are not possible without using a forwarder.
- Negative replies do not come with an authority record (not required by RFC, but Windows seems to like that)
- Shared-key TSIG is not implemented
- Stub zones are not implemented
- Zone AXFR (zone transfer) is not allowed from the internal Samba DNS.
Tests
Run during make test
TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns
Run against external servers (Windows or BIND)
SERVER_IP=<dns server ip> SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns
BIND DLZ plug-in (for BIND 9.8 and 9.9)
BIND can be set up to provide DNS resolution for zones managed in AD. They are accessible from BIND through the DLZ (dynamically loadable zones) plug-in. Please note that the BIND server must run on the same machine as the Samba AD DC.
Installation / Setup
See the Bind as DNS backend HowTo for detailed instructions.
Troubleshooting
Fix DNS dynamic updates with updated Samba versions
If you are running Samba 4.0.7 or later, the bug https://bugzilla.samba.org/show_bug.cgi?id=9559 is already fixed. But if your Samba was updated from an old release and is not a fresh installation, you may have problems with dynamic DNS updates from Windows XP SP3 and Windows 7.
To fix the problem you need to follow these steps:
- First of all, update your Samba version if it is not the latest.
- You may want to do a kinit to avoid samba-tool asking you for a password:
kinit administrator
Search for all the registry entries that contain the broken records using:
samba-tool dns query SERVER DOMAIN @ ALL
You'll find registry entries like this:
Name=WORKSTATION, Records=0, Children=0
For every registry entry found like the one above, you'll need to issue the following commands:
/usr/local/samba/bin/samba-tool dns add SERVER DOMAIN WORKSTATION A IP -k yes
/usr/local/samba/bin/samba-tool dns delete SERVER DOMAIN WORKSTATION A IP -k yes
On Windows workstations you can run
ipconfig /registerdns
and dynamic updates should work again.
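The repair procedure above is manual: query all records, spot every "Records=0, Children=0" entry, then add and delete an A record for each. As an added example (not from the Samba wiki), the POSIX shell script below does the spotting and prints the add/delete commands the page prescribes, so they can be reviewed before being piped to a shell. SERVER, DOMAIN and the IP are placeholders, and the query output it parses is constructed to look like samba-tool's.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: turn the output of
#   samba-tool dns query SERVER DOMAIN @ ALL
# into the add/delete command pairs the page prescribes for broken entries.
# The sample output below is constructed (not captured from a real DC).
SAMPLE_QUERY_OUTPUT='  Name=, Records=2, Children=0
    SOA: serial=123, refresh=900, retry=600, expire=86400, minttl=3600
  Name=WORKSTATION, Records=0, Children=0
  Name=PC2, Records=1, Children=0
    A: 192.0.2.10 (flags=f0, serial=42, ttl=900)
  Name=BROKEN2, Records=0, Children=0'

# broken_names: print the names of entries that have no records and no children ($1: query output)
broken_names() {
    printf '%s\n' "$1" | sed -n 's/^ *Name=\([^,][^,]*\), Records=0, Children=0$/\1/p'
}

# repair_commands: for each broken name emit the add, then the delete, command.
# $1 server, $2 domain, $3 address to use for the temporary A record, $4 query output.
# Commands are printed, not executed, so they can be checked first.
repair_commands() {
    broken_names "$4" | while IFS= read -r name; do
        printf 'samba-tool dns add %s %s %s A %s -k yes\n' "$1" "$2" "$name" "$3"
        printf 'samba-tool dns delete %s %s %s A %s -k yes\n' "$1" "$2" "$name" "$3"
    done
}

# Usage against a live DC (after kinit), reviewing first, then piping to sh:
#   repair_commands SERVER DOMAIN IP "$(samba-tool dns query SERVER DOMAIN @ ALL -k yes)" | sh
repair_commands dc1 example.com 192.0.2.1 "$SAMPLE_QUERY_OUTPUT"
```

The name with an empty value (the zone apex, "Name=") is deliberately skipped by the pattern, since the page's procedure targets host entries only.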
RHEL/CENTOS 6 using BIND backend
In the default configuration of BIND in the CentOS distribution, you will find that secured updates do not work with Samba 4. You will receive errors in /var/log/messages indicating update '<name of client>' denied. This is because the RPM has been compiled with the 'disable-isc-spnego' flag. To fix this you will need to recompile the RPM.
First make sure you have your RPM build environment set up, and then install the source RPM for BIND. The instructions that follow are for CentOS 6.4, with 9.8.2-0.17.rc1.el6_4.6 being the latest version at the time of writing.
rpm -i http://vault.centos.org/6.4/updates/Source/SPackages/bind-9.8.2-0.17.rc1.el6_4.6.src.rpm
Then locate and edit the SPEC file; if your RPM build directory is ~/rpmbuild, it will be ~/rpmbuild/SPECS/bind.spec.
Now locate and remove the line that reads
--disable-isc-spnego
In the example RPM provided it is line 361.
Now recompile your RPM:
rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
Once finished, you should find the replacement RPMs in the RPMS/{arch} path of your build root. Replace {arch} with the relevant architecture of your machine (e.g. x86_64 or i686). Install them over the top of your existing RPMs and updates should all be working again. Remember that if you update with yum it may replace your copy of BIND, so you will either want to exclude bind* in your yum configuration or use priorities and add these RPMs to a local repository.
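Editing the spec by hand works, but the flag line sits inside a backslash-continued %configure block, so deleting the wrong line, or the last continued line, breaks the build. As an added example (not from the Samba wiki or the CentOS bind package), the POSIX shell script below removes the --disable-isc-spnego line from a spec text, repairs the previous line's continuation if the flag was the last argument, and refuses to touch a spec that does not contain the flag. The spec fragment it works on is constructed; only the flag name and the ~/rpmbuild/SPECS/bind.spec path come from the page.

```shell
#!/bin/sh
# Added example, not from the Samba wiki or the bind package: strip the
# --disable-isc-spnego configure flag from a bind.spec before running rpmbuild.
# The spec fragment below is constructed to imitate the relevant %configure lines.
SAMPLE_SPEC='%configure \
    --with-libtool \
    --enable-threads \
    --disable-isc-spnego \
    --with-gssapi=yes
make %{?_smp_mflags}'

# spnego_flag_lines: print the line number(s) carrying the flag ($1: spec text)
spnego_flag_lines() {
    printf '%s\n' "$1" \
        | grep -n -e '^[[:space:]]*--disable-isc-spnego[[:space:]]*\\\{0,1\}$' \
        | cut -d: -f1
}

# strip_spnego_flag: print the spec text ($1) without the flag line.
# If the flag was the last continued argument, the preceding line loses its
# trailing backslash so the %configure block still ends cleanly. Returns 1 if
# the flag is absent, so nothing is rewritten by accident.
strip_spnego_flag() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*--disable-isc-spnego[ \t]*(\\)?[ \t]*$/ {
            if ($0 !~ /\\[ \t]*$/ && have) sub(/[ \t]*\\[ \t]*$/, "", held)
            found = 1; next
        }
        { if (have) print held; held = $0; have = 1 }
        END { if (have) print held; exit found ? 0 : 1 }'
}

# patch_spec_file: rewrite a spec file in place, keeping a .orig backup and
# only replacing the file once the stripped copy was produced successfully.
# Usage: patch_spec_file ~/rpmbuild/SPECS/bind.spec && rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
patch_spec_file() {
    cp "$1" "$1.orig" || return 1
    strip_spnego_flag "$(cat "$1")" > "$1.new" && mv "$1.new" "$1"
}

echo "flag found on line(s): $(spnego_flag_lines "$SAMPLE_SPEC")"
strip_spnego_flag "$SAMPLE_SPEC"
```

After rebuilding, the yum exclusion the page recommends (exclude=bind* in the yum configuration) is what keeps the patched package from being silently replaced on the next update.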