BIND9 DLZ DNS Back End: Difference between revisions
Mmuehlfeld (talk | contribs) (Complete re-write, plus adding many more information (compile bind, setup basic zones, infos to fix issues, etc.) to make it a real detailed Bind-backend HowTo.) |
|||
Line 1: | Line 1: | ||
= Introduction = |
|||
==== Bind 9.8.0 or newer ==== |
|||
This HowTo describes how to compile and configure a basic Bind installation, that can be used as Samba DC DNS backend. |
|||
* Note: Bind must be installed on the same machine as samba is. |
|||
Bind as DNS backend is recommended, if you plan setup a complexer DNS setup, than the Samba 4 internal DNS currently made possible. |
|||
with the DNS configuration file that is created by the |
|||
[[Samba_AD_DC_HOWTO_TEMP#Provision_Samba|provision step]] or if you are using any of the other samba-tool options (classicupgrade for example) you can specify --dns-backend=BIND9_DLZ or --dns-backend=BIND9_FLATFILE. |
|||
You can |
|||
activate the configuration that the provision has created by including this configuration file in bind's named configuration file. This file is typically located in the <tt>/etc/bind</tt> directory, please refer to your distribution documentation for the location of this file on your system. Once located, add the following line to the configuration file: |
|||
= Setting up a basic Bind installation = |
|||
Skip this section if you already having an existing Bind installation, that can be used as Samba AD backend. |
|||
== Installing Bind == |
|||
Bind as backend for your Samba Active Directory Domain Controller, is currently supported in version 9.8 and 9.9 only. Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section [[#Bind_9.7_2|DNS dynamic updates via Kerberos for Bind 9.7]] for instructions on configuring Bind 9.7. |
|||
If you install Bind from the repositories of your distribution, you can skip the following two steps. But make sure, that your vendor compiled Bind with the '--with-gssapi' and '--with-dlopen' options (see below), to use it as Samba AD DNS backend. |
|||
=== Downloading === |
|||
Download your desired and Samba 4 supported version from [https://www.isc.org/software/bind https://www.isc.org/software/bind]. |
|||
=== Compiling Bind === |
|||
To use Bind as Samba AD backend, at least the following two configure options are required to use: |
|||
# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes |
|||
Please check if there are other options you require for your environment. |
|||
To build an install: |
|||
# make |
|||
# make install |
|||
== Configuration == |
|||
=== Setting up a basic named.conf === |
|||
The following example is a basic 'named.conf' for a pure minimal Bind installation without any Samba AD parts. We will add the Samba required parameters later. |
|||
# Global options |
|||
options { |
|||
auth-nxdomain yes; |
|||
directory "/var/named"; |
|||
forwarders { 8.8.8.8; 8.8.4.4; }; |
|||
allow-transfer { none; }; |
|||
notify no; |
|||
empty-zones-enable no; |
|||
allow-query { |
|||
10.1.1.0/24; |
|||
...other networks you want to allow to query your DNS...; |
|||
}; |
|||
allow-recursion { |
|||
10.1.1.0/24; |
|||
...other networks you want to allow to do recursive queries...; |
|||
}; |
|||
}; |
|||
# Root servers (required zone for recursive queries) |
|||
zone "." { |
|||
type hint; |
|||
file "named.root"; |
|||
}; |
|||
# Required localhost forward-/reverse zones |
|||
zone "localhost" { |
|||
type master; |
|||
file "master/localhost.zone"; |
|||
}; |
|||
zone "0.0.127.in-addr.arpa" { |
|||
type master; |
|||
file "master/0.0.127.zone"; |
|||
}; |
|||
We choosed '/var/named' as directory in 'named.conf' to be the place where our zonefiles, etc. reside. If you want to place them on a different location, please regard this in all further instructions. |
|||
For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'. |
|||
=== Adding a user and group for Bind === |
|||
If you don't want to run bind as root (and I'm sure you don't want that!), we add an account and group (adapt the UID/GID if required): |
|||
# groupadd -g 25 named |
|||
# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named |
|||
=== Getting the root name server list === |
|||
Download the root name server list from InterNIC: |
|||
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root |
|||
# chown named:named /var/named/named.root |
|||
To have always the current file, you can add a cronjob to automatically download. |
|||
=== Creating the localhost zone file === |
|||
Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone: |
|||
$TTL 3D |
|||
$ORIGIN localhost. |
|||
@ 1D IN SOA @ root ( |
|||
2013050101 ; serial |
|||
8H ; refresh |
|||
2H ; retry |
|||
4W ; expiry |
|||
1D ; minimum |
|||
) |
|||
@ IN NS @ |
|||
IN A 127.0.0.1 |
|||
=== Creating the 0.0.127.in-addr.arpa zone file === |
|||
Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone: |
|||
$TTL 3D |
|||
@ IN SOA localhost. root.localhost. ( |
|||
2013050101 ; Serial |
|||
8H ; Refresh |
|||
2H ; Retry |
|||
4W ; Expire |
|||
1D ; Minimum TTL |
|||
) |
|||
IN NS localhost. |
|||
1 IN PTR localhost. |
|||
=== Set permissions on the zone files === |
|||
# chown named:named /var/named/master/*.zone |
|||
# chmod 640 /var/named/master/*.zone |
|||
== Starting Bind == |
|||
# named -u named |
|||
If the configuration is valid, you should see no errors on the console and in the system logfile. |
|||
To have Bind automatically started at boot time, it's recommended, to create a init.d script or start it by systemd. |
|||
== Testing your zone == |
|||
Now we try to lookup our zone entries. We tell the 'host' command, to use the resolver on 127.0.0.1, so that we don't query an foreign DNS server, that is maybe also configured in '/etc/resolv.conf'. |
|||
First check the forward lookup for 'localhost': |
|||
# host localhost 127.0.0.1 |
|||
Using domain server: |
|||
Name: 127.0.0.1 |
|||
Address: 127.0.0.1#53 |
|||
Aliases: |
|||
localhost has address 127.0.0.1 |
|||
And then the reverse lookup for '127.0.0.1': |
|||
# host 127.0.0.1 127.0.0.1 |
|||
Using domain server: |
|||
Name: 127.0.0.1 |
|||
Address: 127.0.0.1#53 |
|||
Aliases: |
|||
1.0.0.127.in-addr.arpa domain name pointer localhost. |
|||
= Configuring Bind as Samba Active Directory backend = |
|||
* Note: Bind must be installed on the same machine as samba. |
|||
== Bind 9.8 / 9.9 == |
|||
During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, that must be included in your Bind named.conf: |
|||
include "/usr/local/samba/private/named.conf"; |
include "/usr/local/samba/private/named.conf"; |
||
Depending on the Bind version you are running, you should edit '/usr/local/samba/private/named.conf' and enable the right version of the DLZ module. |
|||
Restart Bind to have the included file being used. Check the logfiles for errors and problems. If available, you can 'run named-checkconf' to help you fix any problems with your Bind configuration. |
|||
After adding that line you should restart your Bind server and check |
|||
in the system logs for any problems. If available, you can run <tt>named-checkconf</tt> to help you fix any problems with your named configuration. |
|||
==== Bind 9.7.x ==== |
|||
Users of bind-9.7.x are strongly encouraged to upgrade to bind-9.8 or bind-9.9. If this is not possible, refer to the section [[Dns-backend_bind#Configure_DNS_Dynamic_Updates_via_Kerberos|Configure Kerberos DNS Dynamic Updates]] for instructions on configuring bind-9.7. |
|||
== Bind 9.7== |
|||
Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section [[#Bind_9.7_2|DNS dynamic updates via Kerberos for Bind 9.7]] for instructions on configuring Bind 9.7. |
|||
A common problem you may encounter is that many modern Linux distributions activate |
|||
'Apparmor' or 'SELinux' by default, and these may be configured to |
|||
deny access to Bind for your the <tt>named.conf</tt> and zone files created in |
|||
the provision. If your Bind logs show that Bind is getting a access |
|||
denied error accessing these files, please see your local system |
|||
documentation for how to enable access to these files in Bind (hint: |
|||
for Apparmor systems such as Ubuntu, the command <tt>aa-logprof</tt> may be |
|||
useful). |
|||
*Note: On Debian systems, the zone auto-generation might detect and use <tt>127.0.1.1</tt> as the domain controller's IP address. This will cause problems when trying to connect to the server from client machines. To fix this, you will need to adjust <tt>/usr/local/samba/private/named.conf</tt> by changing <tt>127.0.1.1</tt> to reflect the actual IP address of the server you're setting up. |
|||
*Note: On Debian SID (bind9 package), <tt>/etc/bind/named.conf.options</tt> is missing and this will cause the <tt>named</tt> daemon to fail to start. To fix this either create an empty file, or comment out corresponding line in <tt>/etc/bind/named.conf</tt>. See your syslog messages for more information. |
|||
== |
== DNS dynamic updates via Kerberos (optional, but recommended) == |
||
Samba has the capability to automatically update the |
Samba has the capability to automatically update the Bind zone files via Kerberos. |
||
To setup dynamic DNS updates you need to have a recent version of |
To setup dynamic DNS updates you need to have a recent version of Bind installed. It is highly recommended that you run at least version 9.8.0, as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. Please use 9.8 or 9.9 if possible! |
||
To find out what version of Bind you are running, use |
|||
You can tell what version of bind you have using the command <tt>/usr/sbin/named -V</tt>. If your OS does not have bind-9.8.0 or later, then please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind). |
|||
# named -V |
|||
=== Bind 9.8.0 or Later === |
|||
If your operating system does not have Bind 9.8 or 9.9, please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind) or [[#Installing_Bind|compile it by yourself]]. |
|||
=== Bind 9.8 / 9.9 === |
|||
A DNS keytab file was automatically created during provisioning/updating. Add the following' tkey-gssapi-keytab' option to the 'options' section of your named.conf: |
|||
When using bind-9.8.0 or later you need to add the following to the options section of your bind config: |
|||
options { |
options { |
||
[...] |
[...] |
||
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; |
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; |
||
[...] |
[...] |
||
}; |
|||
This file is typically located in the <tt>/etc/bind</tt> directory, please refer to your distribution documentation for the location of this file on your system. |
|||
=== Bind 9.7.x === |
|||
=== Bind 9.7 === |
|||
If you have bind-9.7.x (specifically 9.7.2 or later), then first determine if you can |
|||
at all possibly run bind-9.8. You will have far fewer problems. Otherwise, follow these instructions. |
|||
If you have Bind 9.7.x (specifically 9.7.2 or later), then first determine if you can at all possibly run 9.8 or 9.9. You will have far fewer problems! Otherwise, follow these instructions: |
|||
The Samba provision will have created a custom <tt>/usr/local/samba/private/named.conf.update</tt> configuration file. You need to include this file in your master <tt>named.conf</tt> to allow Samba/Kerberos DNS updates to automatically take place. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start. |
|||
The Samba provision will have created a custom '/usr/local/samba/private/named.conf.update' configuration file. You need to include this file in your 'named.conf' to allow Samba/Kerberos DNS updates to automatically take place. |
|||
You additionally need to set two environment variables when using bind-9.7.x: |
|||
include "/usr/local/samba/private/named.conf.update"; |
|||
KRB5_KTNAME="/usr/local/samba/private/dns.keytab" |
|||
export KEYTAB_FILE |
|||
export KRB5_KTNAME |
|||
Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start! |
|||
These should be put in your settings file for bind. On Debian based |
|||
systems (including Ubuntu) this is in <tt>/etc/default/bind9</tt>. On RedHat and SUSE derived systems it is |
|||
in <tt>/etc/sysconfig/named</tt>, please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking you only either need |
|||
<tt>KEYTAB_FILE</tt> or <tt>KRB5_KTNAME</tt>, but which you need depends on your distribution, |
|||
so it's easier to just set both. |
|||
You additionally need to set two environment variables when using 9.7: |
|||
The <tt>dns.keytab</tt> must be readable by the bind server process. Generally, this is accomplished by executing: |
|||
$ chown named:named /usr/local/samba/private/dns.keytab |
|||
KEYTAB_FILE="/usr/local/samba/private/dns.keytab" |
|||
(the provision should have setup these permissions for you automatically). |
|||
KRB5_KTNAME="/usr/local/samba/private/dns.keytab" |
|||
export KEYTAB_FILE |
|||
export KRB5_KTNAME |
|||
These should be put in your settings file for Bind. On Debian based systems (including Ubuntu) this is in '/etc/default/bind9'. On RedHat and SuSE derived systems it is in '/etc/sysconfig/named'. Please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking, you only either need KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distribution, so it's easier to just set both. |
|||
The 'dns.keytab' must be readable by the bind server process: |
|||
# chown named:named /usr/local/samba/private/dns.keytab |
|||
Normally, the provision/update should have setup these permissions for you automatically. |
|||
Finally, you need to add the following to the options section of your named.conf: |
|||
Finally, you need to add the following to the options section of your bind config: |
|||
options { |
options { |
||
[...] |
[...] |
||
tkey-gssapi-credential "DNS/server.samdom.example.com"; |
tkey-gssapi-credential "DNS/server.samdom.example.com"; |
||
tkey-domain "SAMDOM.EXAMPLE.COM"; |
tkey-domain "SAMDOM.EXAMPLE.COM"; |
||
[...] |
[...] |
||
}; |
|||
The last part of the credential in the first line must match the dns name of the server you have set up |
The last part of the credential in the first line must match the dns name of the server, you have set up. |
||
=== Testing/Debugging Dynamic DNS Updates === |
|||
The way the automatic DNS update in Samba works is that the provision |
|||
will create a file <tt>/usr/local/samba/private/dns_update_list</tt>, which |
|||
contains a list of DNS entries that Samba will try to dynamically |
|||
update at startup and every 10 minutes thereafter using <tt>samba_dnsupdate</tt> utility. |
|||
Updates will only happen if the DNS entries do not already exist. |
|||
Remember that you need <tt>nsupdate</tt> utility from bind the distribution |
|||
for all these to work. |
|||
=== Testing/Debugging dynamic DNS updates === |
|||
If you want to test or debug this process, then please run this as root: |
|||
The way the automatic DNS update in Samba works, is that the provision will create a file '/usr/local/samba/private/dns_update_list', which contains a list of DNS entries that Samba will try to dynamically update at startup and every 10 minutes thereafter using the 'samba_dnsupdate' utility. Updates will only happen if the DNS entries do not already exist. Remember that you need the 'nsupdate' utility from Bind the distribution for all these to work. |
|||
/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names |
|||
If you want to test or debug this process, then please run as root: |
|||
The command line options specified will force an update of all records in the <tt>dns_update_list</tt>, as well as output detailed information on what is being done. |
|||
# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names |
|||
=== Interaction With Apparmor or SELinux === |
|||
The command line options specified will force an update of all records in the 'dns_update_list', as well as output detailed information on what is being done. |
|||
If you are using Apparmor or SELinux, you have to ensure that the bind process has read access to the <tt>/usr/local/samba/private/dns.keytab</tt> file, the |
|||
<tt>/usr/local/samba/private/named.conf</tt> file as well as read-write access to the <tt>/usr/local/samba/private/dns</tt> directory and it's own zone file. The Samba provision tries to setup the permissions |
|||
correctly for these files, but you may find you need to make changes |
|||
in your Apparmor or SELinux configuration if you are running either of |
|||
those. If you are using Apparmor then the <tt>aa-logprof</tt> command may help |
|||
you add any missing permissions you need to add after you start Samba |
|||
and bind for the first time after configuring them. |
|||
== Permissions, SELinux Labeling and Policy == |
|||
These instructions are intended for RedHat 6.X, but may serve as a guide for other distributions/versions. |
|||
There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be |
|||
able to have everything working '''without''' disabling SELinux. |
|||
= Interaction with AppArmor or SELinux = |
|||
If you are using AppArmor or SELinux, you have to ensure that the Bind process has read access to the following files: |
|||
* /usr/local/samba/private/dns.keytab |
|||
* /usr/local/samba/private/named.conf |
|||
as well read-write access to the |
|||
* /usr/local/samba/private/dns/ |
|||
directory and it's own zone file(s). |
|||
The Samba provision tries to setup the permissions correctly for these files, but you may find you need to make changes in your AppArmor or SELinux configuration if you are running either of those. If you are using AppArmor, then the 'aa-logprof' command may help you add any missing permissions you need to add after you start Samba and Bind for the first time after configuring them. |
|||
Permissions, SELinux Labeling and Policy |
|||
These instructions are intended for RHEL6, but may serve as a guide for other distributions/versions. |
|||
There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be able to have everything working without disabling SELinux. |
|||
For all the commands below, make sure you have set the following environment variable: |
For all the commands below, make sure you have set the following environment variable: |
||
MYREALM="samdom.example.com" |
MYREALM="samdom.example.com" |
||
=== Bind === |
|||
Set Permissions: |
Set Permissions: |
||
chown named:named /usr/local/samba/private/dns |
chown named:named /usr/local/samba/private/dns |
||
chgrp named /usr/local/samba/private/dns.keytab |
chgrp named /usr/local/samba/private/dns.keytab |
||
Line 135: | Line 336: | ||
Label files: |
Label files: |
||
chcon -t named_conf_t /usr/local/samba/private/dns.keytab |
chcon -t named_conf_t /usr/local/samba/private/dns.keytab |
||
chcon -t named_conf_t /usr/local/samba/private/named.conf.update |
chcon -t named_conf_t /usr/local/samba/private/named.conf.update |
||
Line 141: | Line 343: | ||
Set Label Persistence: |
Set Label Persistence: |
||
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab |
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab |
||
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf |
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf |
||
Line 147: | Line 350: | ||
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone |
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone |
||
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl |
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl |
||
= Known issues and ways to fix/workaround = |
|||
== Debian: Bind is listening on wrong IP address == |
|||
On Debian systems, the AD zone auto-generation might detect and use '127.0.1.1' as the domain controller's IP address. This will cause problems when trying to connect to the server from client machines. To fix this, you will need to adjust '/usr/local/samba/private/named.conf' by changing '127.0.1.1' to reflect the actual IP address of the server you're setting up. |
|||
== Debian Sid: Named does not start == |
|||
On Debian Sid (Bind 9 package), '/etc/bind/named.conf.options' is missing and this will cause the named daemon to fail to start. To fix this either create an empty file, or comment out corresponding line in '/etc/bind/named.conf'. See your syslog messages for more information. |
|||
== New added DNS entries are not resolvable == |
|||
If you have problems with resolving new added DNS entries using the BIND9 DLZ interface, you maybe want to check the following: |
|||
Files in 'samba/private/dns/sam.ldb.d/' are hardlinks to 'samba/private/sam.ldb.d/'. |
|||
Maybe you've copied/moved it across filesystems and the hardlinking got lost |
|||
and you're now running with two different copies of the databases at the moment |
|||
(You can test this by adding a new DNS entry, e. g. by 'samba-tool'. If you can't |
|||
resolve it, check if the inodes differ). |
|||
If you 'ls -i' on the two folders, you should see, that the following files |
|||
have the same inodes (what indicates, that they are hard-linked): |
|||
# ls -lai .../samba/private/sam.ldb.d/ |
|||
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb |
|||
# ls -lai .../samba/private/dns/sam.ldb.d/ |
|||
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb |
|||
17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb |
|||
If the files in the two folders have different inode numbers, then they |
|||
aren't hard-links. To fix this, run |
|||
# samba_upgradedns --dns-backend=BIND9_DLZ |
|||
This will recreate the DNS files with correct hard links and permissions. |
|||
Then restart Bind. |
|||
== DDNS updates not working == |
|||
Check that the file '/etc/krb5.conf' is readable by Bind. |
Revision as of 18:03, 5 May 2013
Introduction
This HowTo describes how to compile and configure a basic Bind installation, that can be used as Samba DC DNS backend.
Bind as DNS backend is recommended, if you plan setup a complexer DNS setup, than the Samba 4 internal DNS currently made possible.
Setting up a basic Bind installation
Skip this section if you already having an existing Bind installation, that can be used as Samba AD backend.
Installing Bind
Bind as backend for your Samba Active Directory Domain Controller, is currently supported in version 9.8 and 9.9 only. Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section DNS dynamic updates via Kerberos for Bind 9.7 for instructions on configuring Bind 9.7.
If you install Bind from the repositories of your distribution, you can skip the following two steps. But make sure, that your vendor compiled Bind with the '--with-gssapi' and '--with-dlopen' options (see below), to use it as Samba AD DNS backend.
Downloading
Download your desired and Samba 4 supported version from https://www.isc.org/software/bind.
Compiling Bind
To use Bind as Samba AD backend, at least the following two configure options are required to use:
# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
Please check if there are other options you require for your environment.
To build an install:
# make # make install
Configuration
Setting up a basic named.conf
The following example is a basic 'named.conf' for a pure minimal Bind installation without any Samba AD parts. We will add the Samba required parameters later.
# Global options options { auth-nxdomain yes; directory "/var/named"; forwarders { 8.8.8.8; 8.8.4.4; }; allow-transfer { none; }; notify no; empty-zones-enable no; allow-query { 10.1.1.0/24; ...other networks you want to allow to query your DNS...; }; allow-recursion { 10.1.1.0/24; ...other networks you want to allow to do recursive queries...; }; }; # Root servers (required zone for recursive queries) zone "." { type hint; file "named.root"; }; # Required localhost forward-/reverse zones zone "localhost" { type master; file "master/localhost.zone"; }; zone "0.0.127.in-addr.arpa" { type master; file "master/0.0.127.zone"; };
We choosed '/var/named' as directory in 'named.conf' to be the place where our zonefiles, etc. reside. If you want to place them on a different location, please regard this in all further instructions.
For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'.
Adding a user and group for Bind
If you don't want to run bind as root (and I'm sure you don't want that!), we add an account and group (adapt the UID/GID if required):
# groupadd -g 25 named # useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named
Getting the root name server list
Download the root name server list from InterNIC:
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root # chown named:named /var/named/named.root
To have always the current file, you can add a cronjob to automatically download.
Creating the localhost zone file
Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone:
$TTL 3D $ORIGIN localhost. @ 1D IN SOA @ root ( 2013050101 ; serial 8H ; refresh 2H ; retry 4W ; expiry 1D ; minimum ) @ IN NS @ IN A 127.0.0.1
Creating the 0.0.127.in-addr.arpa zone file
Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone:
$TTL 3D @ IN SOA localhost. root.localhost. ( 2013050101 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D ; Minimum TTL ) IN NS localhost. 1 IN PTR localhost.
Set permissions on the zone files
# chown named:named /var/named/master/*.zone # chmod 640 /var/named/master/*.zone
Starting Bind
# named -u named
If the configuration is valid, you should see no errors on the console and in the system logfile.
To have Bind automatically started at boot time, it's recommended, to create a init.d script or start it by systemd.
Testing your zone
Now we try to lookup our zone entries. We tell the 'host' command, to use the resolver on 127.0.0.1, so that we don't query an foreign DNS server, that is maybe also configured in '/etc/resolv.conf'.
First check the forward lookup for 'localhost':
# host localhost 127.0.0.1 Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: localhost has address 127.0.0.1
And then the reverse lookup for '127.0.0.1':
# host 127.0.0.1 127.0.0.1 Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: 1.0.0.127.in-addr.arpa domain name pointer localhost.
Configuring Bind as Samba Active Directory backend
- Note: Bind must be installed on the same machine as samba.
Bind 9.8 / 9.9
During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, that must be included in your Bind named.conf:
include "/usr/local/samba/private/named.conf";
Depending on the Bind version you are running, you should edit '/usr/local/samba/private/named.conf' and enable the right version of the DLZ module.
Restart Bind to have the included file being used. Check the logfiles for errors and problems. If available, you can 'run named-checkconf' to help you fix any problems with your Bind configuration.
Bind 9.7
Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section DNS dynamic updates via Kerberos for Bind 9.7 for instructions on configuring Bind 9.7.
DNS dynamic updates via Kerberos (optional, but recommended)
Samba has the capability to automatically update the Bind zone files via Kerberos.
To setup dynamic DNS updates you need to have a recent version of Bind installed. It is highly recommended that you run at least version 9.8.0, as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. Please use 9.8 or 9.9 if possible!
To find out what version of Bind you are running, use
# named -V
If your operating system does not have Bind 9.8 or 9.9, please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind) or compile it by yourself.
Bind 9.8 / 9.9
A DNS keytab file was automatically created during provisioning/updating. Add the following' tkey-gssapi-keytab' option to the 'options' section of your named.conf:
options { [...] tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; [...] };
Bind 9.7
If you have Bind 9.7.x (specifically 9.7.2 or later), then first determine if you can at all possibly run 9.8 or 9.9. You will have far fewer problems! Otherwise, follow these instructions:
The Samba provision will have created a custom '/usr/local/samba/private/named.conf.update' configuration file. You need to include this file in your 'named.conf' to allow Samba/Kerberos DNS updates to automatically take place.
include "/usr/local/samba/private/named.conf.update";
Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start!
You additionally need to set two environment variables when using 9.7:
KEYTAB_FILE="/usr/local/samba/private/dns.keytab" KRB5_KTNAME="/usr/local/samba/private/dns.keytab" export KEYTAB_FILE export KRB5_KTNAME
These should be put in your settings file for Bind. On Debian based systems (including Ubuntu) this is in '/etc/default/bind9'. On RedHat and SuSE derived systems it is in '/etc/sysconfig/named'. Please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking, you only either need KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distribution, so it's easier to just set both.
The 'dns.keytab' must be readable by the bind server process:
# chown named:named /usr/local/samba/private/dns.keytab
Normally, the provision/update should have setup these permissions for you automatically.
Finally, you need to add the following to the options section of your named.conf:
options { [...] tkey-gssapi-credential "DNS/server.samdom.example.com"; tkey-domain "SAMDOM.EXAMPLE.COM"; [...] };
The last part of the credential in the first line must match the dns name of the server, you have set up.
Testing/Debugging dynamic DNS updates
The way the automatic DNS update in Samba works, is that the provision will create a file '/usr/local/samba/private/dns_update_list', which contains a list of DNS entries that Samba will try to dynamically update at startup and every 10 minutes thereafter using the 'samba_dnsupdate' utility. Updates will only happen if the DNS entries do not already exist. Remember that you need the 'nsupdate' utility from Bind the distribution for all these to work.
If you want to test or debug this process, then please run as root:
# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
The command line options specified will force an update of all records in the 'dns_update_list', as well as output detailed information on what is being done.
Interaction with AppArmor or SELinux
If you are using AppArmor or SELinux, you have to ensure that the Bind process has read access to the following files:
- /usr/local/samba/private/dns.keytab
- /usr/local/samba/private/named.conf
as well read-write access to the
- /usr/local/samba/private/dns/
directory and it's own zone file(s).
The Samba provision tries to setup the permissions correctly for these files, but you may find you need to make changes in your AppArmor or SELinux configuration if you are running either of those. If you are using AppArmor, then the 'aa-logprof' command may help you add any missing permissions you need to add after you start Samba and Bind for the first time after configuring them.
Permissions, SELinux Labeling and Policy
These instructions are intended for RHEL6, but may serve as a guide for other distributions/versions.
There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be able to have everything working without disabling SELinux.
For all the commands below, make sure you have set the following environment variable:
MYREALM="samdom.example.com"
Set Permissions:
chown named:named /usr/local/samba/private/dns chgrp named /usr/local/samba/private/dns.keytab chmod g+r /usr/local/samba/private/dns.keytab chmod 775 /usr/local/samba/private/dns
Label files:
chcon -t named_conf_t /usr/local/samba/private/dns.keytab chcon -t named_conf_t /usr/local/samba/private/named.conf.update chcon -t named_var_run_t /usr/local/samba/private/dns chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
Set Label Persistence:
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
Known issues and ways to fix/workaround
Debian: Bind is listening on wrong IP address
On Debian systems, the AD zone auto-generation might detect and use '127.0.1.1' as the domain controller's IP address. This will cause problems when trying to connect to the server from client machines. To fix this, you will need to adjust '/usr/local/samba/private/named.conf' by changing '127.0.1.1' to reflect the actual IP address of the server you're setting up.
Debian Sid: Named does not start
On Debian Sid (Bind 9 package), '/etc/bind/named.conf.options' is missing and this will cause the named daemon to fail to start. To fix this either create an empty file, or comment out corresponding line in '/etc/bind/named.conf'. See your syslog messages for more information.
New added DNS entries are not resolvable
If you have problems with resolving new added DNS entries using the BIND9 DLZ interface, you maybe want to check the following:
Files in 'samba/private/dns/sam.ldb.d/' are hardlinks to 'samba/private/sam.ldb.d/'. Maybe you've copied/moved it across filesystems and the hardlinking got lost and you're now running with two different copies of the databases at the moment (You can test this by adding a new DNS entry, e. g. by 'samba-tool'. If you can't resolve it, check if the inodes differ).
If you 'ls -i' on the two folders, you should see, that the following files have the same inodes (what indicates, that they are hard-linked):
# ls -lai .../samba/private/sam.ldb.d/ 17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb 17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb 17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb # ls -lai .../samba/private/dns/sam.ldb.d/ 17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb 17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb 17344372 -rw-rw---- 2 root named 421888 11. Nov 17:53 metadata.tdb
If the files in the two folders have different inode numbers, then they aren't hard-links. To fix this, run
# samba_upgradedns --dns-backend=BIND9_DLZ
This will recreate the DNS files with correct hard links and permissions.
Then restart Bind.
DDNS updates not working
Check that the file '/etc/krb5.conf' is readable by Bind.