Difference between revisions of "BIND9 DLZ DNS Back End"

(Bind 9.8.0 or newer)
(Complete re-write, plus adding many more information (compile bind, setup basic zones, infos to fix issues, etc.) to make it a real detailed Bind-backend HowTo.)
Line 1: Line 1:
==== Bind 9.8.0 or newer ====
+
= Introduction =
  
* Note: Bind must be installed on the same machine as samba is.
+
This HowTo describes how to compile and configure a basic Bind installation, that can be used as Samba DC DNS backend.
  
If using BIND, the next step to get a working DNS setup for Samba is to start
+
Bind as DNS backend is recommended, if you plan setup a complexer DNS setup, than the Samba 4 internal DNS currently made possible.
with the DNS configuration file that is created by the
 
[[Samba_AD_DC_HOWTO_TEMP#Provision_Samba|provision step]] or if you are using any of the other samba-tool options (classicupgrade for example) you can specify --dns-backend=BIND9_DLZ or --dns-backend=BIND9_FLATFILE.
 
  
You can
+
 
activate the configuration that the provision has created by including this configuration file in bind's named configuration file.  This file is typically located in the <tt>/etc/bind</tt> directory, please refer to your distribution documentation for the location of this file on your system. Once located, add the following line to the configuration file:
+
 
 +
 
 +
= Setting up a basic Bind installation =
 +
 
 +
Skip this section if you already having an existing Bind installation, that can be used as Samba AD backend.
 +
 
 +
 
 +
 
 +
== Installing Bind ==
 +
 
 +
Bind as backend for your Samba Active Directory Domain Controller, is currently supported in version 9.8 and 9.9 only. Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section [[#Bind_9.7_2|DNS dynamic updates via Kerberos for Bind 9.7]] for instructions on configuring Bind 9.7.
 +
 
 +
If you install Bind from the repositories of your distribution, you can skip the following two steps. But make sure, that your vendor compiled Bind with the '--with-gssapi' and '--with-dlopen' options (see below), to use it as Samba AD DNS backend.
 +
 
 +
 
 +
=== Downloading ===
 +
 
 +
Download your desired and Samba 4 supported version from [https://www.isc.org/software/bind https://www.isc.org/software/bind].
 +
 
 +
 
 +
=== Compiling Bind ===
 +
 
 +
To use Bind as Samba AD backend, at least the following two configure options are required to use:
 +
 
 +
# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
 +
 
 +
Please check if there are other options you require for your environment.
 +
 
 +
To build an install:
 +
 
 +
# make
 +
# make install
 +
 
 +
 
 +
 
 +
== Configuration ==
 +
 
 +
=== Setting up a basic named.conf ===
 +
 
 +
The following example is a basic 'named.conf' for a pure minimal Bind installation without any Samba AD parts. We will add the Samba required parameters later.
 +
 
 +
# Global options
 +
options {
 +
 +
        auth-nxdomain yes;
 +
 +
        directory "/var/named";
 +
 +
        forwarders { 8.8.8.8; 8.8.4.4; };
 +
 +
        allow-transfer { none; };
 +
        notify no;
 +
 +
        empty-zones-enable no;
 +
 +
        allow-query {
 +
                10.1.1.0/24;
 +
                ...other networks you want to allow to query your DNS...;
 +
        };
 +
 +
        allow-recursion {
 +
                10.1.1.0/24;
 +
                ...other networks you want to allow to do recursive queries...;
 +
        };
 +
 +
};
 +
 +
 +
# Root servers (required zone for recursive queries)
 +
zone "." {
 +
        type hint;
 +
        file "named.root";
 +
  };
 +
 +
 +
# Required localhost forward-/reverse zones
 +
  zone "localhost" {
 +
        type master;
 +
        file "master/localhost.zone";
 +
};
 +
 +
zone "0.0.127.in-addr.arpa" {
 +
        type master;
 +
        file "master/0.0.127.zone";
 +
};
 +
 
 +
We choosed '/var/named' as directory in 'named.conf' to be the place where our zonefiles, etc. reside. If you want to place them on a different location, please regard this in all further instructions.
 +
 
 +
For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'.
 +
 
 +
 
 +
 
 +
=== Adding a user and group for Bind ===
 +
 
 +
If you don't want to run bind as root (and I'm sure you don't want that!), we add an account and group (adapt the UID/GID if required):
 +
 
 +
# groupadd -g 25 named
 +
# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named
 +
 
 +
 
 +
 
 +
=== Getting the root name server list ===
 +
 
 +
Download the root name server list from InterNIC:
 +
 
 +
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
 +
# chown named:named /var/named/named.root
 +
 
 +
To have always the current file, you can add a cronjob to automatically download.
 +
 
 +
 
 +
 
 +
=== Creating the localhost zone file ===
 +
 
 +
Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone:
 +
 
 +
$TTL 3D
 +
 +
$ORIGIN localhost.
 +
 +
@      1D      IN    SOA    @      root (
 +
                        2013050101      ; serial
 +
                        8H              ; refresh
 +
                        2H              ; retry
 +
                        4W              ; expiry
 +
                        1D              ; minimum
 +
                        )
 +
 +
@      IN      NS      @
 +
        IN      A      127.0.0.1
 +
 
 +
 
 +
 
 +
=== Creating the 0.0.127.in-addr.arpa zone file ===
 +
 
 +
Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone:
 +
 
 +
$TTL 3D
 +
 +
@      IN      SOA    localhost. root.localhost. (
 +
                        2013050101      ; Serial
 +
                        8H              ; Refresh
 +
                        2H              ; Retry
 +
                        4W              ; Expire
 +
                        1D              ; Minimum TTL
 +
                        )
 +
 +
        IN      NS      localhost.
 +
 +
1      IN      PTR    localhost.
 +
 
 +
 
 +
 
 +
=== Set permissions on the zone files ===
 +
 
 +
# chown named:named /var/named/master/*.zone
 +
# chmod 640 /var/named/master/*.zone
 +
 
 +
 
 +
 
 +
 
 +
 
 +
== Starting Bind ==
 +
 
 +
# named -u named
 +
 
 +
If the configuration is valid, you should see no errors on the console and in the system logfile.
 +
 
 +
To have Bind automatically started at boot time, it's recommended, to create a init.d script or start it by systemd.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
== Testing your zone ==
 +
 
 +
Now we try to lookup our zone entries. We tell the 'host' command, to use the resolver on 127.0.0.1, so that we don't query an foreign DNS server, that is maybe also configured in '/etc/resolv.conf'.
 +
 
 +
First check the forward lookup for 'localhost':
 +
# host localhost 127.0.0.1
 +
Using domain server:
 +
Name: 127.0.0.1
 +
Address: 127.0.0.1#53
 +
Aliases:
 +
 +
localhost has address 127.0.0.1
 +
 
 +
And then the reverse lookup for '127.0.0.1':
 +
# host 127.0.0.1 127.0.0.1
 +
Using domain server:
 +
Name: 127.0.0.1
 +
Address: 127.0.0.1#53
 +
Aliases:
 +
 +
1.0.0.127.in-addr.arpa domain name pointer localhost.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Configuring Bind as Samba Active Directory backend =
 +
 
 +
* Note: Bind must be installed on the same machine as samba.
 +
 
 +
 
 +
 
 +
== Bind 9.8 / 9.9 ==
 +
 
 +
During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, that must be included in your Bind named.conf:
  
 
  include "/usr/local/samba/private/named.conf";
 
  include "/usr/local/samba/private/named.conf";
  
Edit that file to uncomment the correct dlz plugin line, based on your version of bind.  Open the <tt>/usr/local/samba/private/named.conf</tt> file in a text editor and follow the instructions inside.
+
Depending on the Bind version you are running, you should edit '/usr/local/samba/private/named.conf' and enable the right version of the DLZ module.
 +
 
 +
Restart Bind to have the included file being used. Check the logfiles for errors and problems. If available, you can 'run named-checkconf' to help you fix any problems with your Bind configuration.
 +
 
 +
 
 +
 
 +
== Bind 9.7==
 +
 
 +
Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section [[#Bind_9.7_2|DNS dynamic updates via Kerberos for Bind 9.7]] for instructions on configuring Bind 9.7.
  
After adding that line you should restart your Bind server and check
 
in the system logs for any problems.  If available, you can run <tt>named-checkconf</tt> to help you fix any problems with your named configuration.
 
  
==== Bind 9.7.x ====
 
  
Users of bind-9.7.x are strongly encouraged to upgrade to bind-9.8 or bind-9.9.  If this is not possible, refer to the section [[Dns-backend_bind#Configure_DNS_Dynamic_Updates_via_Kerberos|Configure Kerberos DNS Dynamic Updates]] for instructions on configuring bind-9.7.
+
== DNS dynamic updates via Kerberos (optional, but recommended) ==
  
==== Bind (All Versions) ====
+
Samba has the capability to automatically update the Bind zone files via Kerberos.
  
A common problem you may encounter is that many modern Linux distributions activate
+
To setup dynamic DNS updates you need to have a recent version of Bind installed. It is highly recommended that you run at least version 9.8.0, as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. Please use 9.8 or 9.9 if possible!
'Apparmor' or 'SELinux' by default, and these may be configured to
 
deny access to Bind for your the <tt>named.conf</tt> and zone files created in
 
the provision. If your Bind logs show that Bind is getting a access
 
denied error accessing these files, please see your local system
 
documentation for how to enable access to these files in Bind (hint:
 
for Apparmor systems such as Ubuntu, the command <tt>aa-logprof</tt> may be
 
useful).
 
  
*Note: On Debian systems, the zone auto-generation might detect and use <tt>127.0.1.1</tt> as the domain controller's IP address.  This will cause problems when trying to connect to the server from client machines.  To fix this, you will need to adjust <tt>/usr/local/samba/private/named.conf</tt> by changing <tt>127.0.1.1</tt> to reflect the actual IP address of the server you're setting up.
+
To find out what version of Bind you are running, use
*Note: On Debian SID (bind9 package), <tt>/etc/bind/named.conf.options</tt> is missing and this will cause the <tt>named</tt> daemon to fail to start.  To fix this either create an empty file, or comment out corresponding line in <tt>/etc/bind/named.conf</tt>.  See your syslog messages for more information.
 
  
 +
# named -V
  
== Configure DNS Dynamic Updates via Kerberos ==
+
If your operating system does not have Bind 9.8 or 9.9, please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind) or [[#Installing_Bind|compile it by yourself]].
  
Samba has the capability to automatically update the bind zone files via Kerberos.  While this step is optional, it is highly recommended.  If you are using Samba's internal DNS server, no configuration is needed, and you can skip this step.
 
  
To setup dynamic DNS updates you need to have a recent version of bind installed. It is highly recommended that you install at least version 9.8.0 as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. In the instructions below we give instructions for both bind 9.7.2 and 9.8.0, but please use 9.8.0 or later if at all possible.
 
  
You can tell what version of bind you have using the command <tt>/usr/sbin/named -V</tt>. If your OS does not have bind-9.8.0 or later, then please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind).
+
=== Bind 9.8 / 9.9 ===
  
=== Bind 9.8.0 or Later ===
+
A DNS keytab file was automatically created during provisioning/updating. Add the following' tkey-gssapi-keytab' option to the 'options' section of your named.conf:
  
When using bind-9.8.0 or later you need to add the following to the options section of your bind config:
 
 
  options {
 
  options {
  [...]
+
      [...]
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
+
      tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  [...]
+
      [...]
  };
+
};
 +
 
 +
 
 +
 
 +
=== Bind 9.7 ===
 +
 
 +
If you have Bind 9.7.x (specifically 9.7.2 or later), then first determine if you can at all possibly run 9.8 or 9.9. You will have far fewer problems! Otherwise, follow these instructions:
 +
 
 +
The Samba provision will have created a custom '/usr/local/samba/private/named.conf.update' configuration file. You need to include this file in your 'named.conf' to allow Samba/Kerberos DNS updates to automatically take place.
  
This file is typically located in the <tt>/etc/bind</tt> directory, please refer to your distribution documentation for the location of this file on your system.
+
include "/usr/local/samba/private/named.conf.update";
  
=== Bind 9.7.x ===
+
Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start!
  
If you have bind-9.7.x (specifically 9.7.2 or later), then first determine if you can
+
You additionally need to set two environment variables when using 9.7:
at all possibly run bind-9.8.  You will have far fewer problems.  Otherwise, follow these instructions.
 
  
The Samba provision will have created a custom <tt>/usr/local/samba/private/named.conf.update</tt> configuration file. You need to include this file in your master <tt>named.conf</tt> to allow Samba/Kerberos DNS updates to automatically take placeBe advised that if you include this file in Bind versions that don't support it, Bind will fail to start.
+
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
 +
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
 +
  export KEYTAB_FILE
 +
export KRB5_KTNAME
  
You additionally need to set two environment variables when using bind-9.7.x:
+
These should be put in your settings file for Bind. On Debian based systems (including Ubuntu) this is in '/etc/default/bind9'. On RedHat and SuSE derived systems it is in '/etc/sysconfig/named'. Please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking, you only either need KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distribution, so it's easier to just set both.
  
  KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
+
The 'dns.keytab' must be readable by the bind server process:
  KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
 
  export KEYTAB_FILE
 
  export KRB5_KTNAME
 
  
These should be put in your settings file for bind. On Debian based
+
# chown named:named /usr/local/samba/private/dns.keytab
systems (including Ubuntu) this is in <tt>/etc/default/bind9</tt>. On RedHat and SUSE derived systems it is
 
in <tt>/etc/sysconfig/named</tt>, please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking you only either need
 
<tt>KEYTAB_FILE</tt> or <tt>KRB5_KTNAME</tt>, but which you need depends on your distribution,
 
so it's easier to just set both.
 
  
The <tt>dns.keytab</tt> must be readable by the bind server process.  Generally, this is accomplished by executing:
+
Normally, the provision/update should have setup these permissions for you automatically.
  $ chown named:named /usr/local/samba/private/dns.keytab
 
  
(the provision should have setup these permissions for you automatically).
+
Finally, you need to add the following to the options section of your named.conf:
  
Finally, you need to add the following to the options section of your bind config:
 
 
  options {
 
  options {
  [...]
+
      [...]
  tkey-gssapi-credential "DNS/server.samdom.example.com";
+
      tkey-gssapi-credential "DNS/server.samdom.example.com";
  tkey-domain "SAMDOM.EXAMPLE.COM";
+
      tkey-domain "SAMDOM.EXAMPLE.COM";
  [...]
+
      [...]
  };
+
};
 +
 
 +
The last part of the credential in the first line must match the dns name of the server, you have set up.
 +
 
 +
 
 +
 
 +
=== Testing/Debugging dynamic DNS updates ===
 +
 
 +
The way the automatic DNS update in Samba works, is that the provision will create a file '/usr/local/samba/private/dns_update_list', which contains a list of DNS entries that Samba will try to dynamically update at startup and every 10 minutes thereafter using the 'samba_dnsupdate' utility. Updates will only happen if the DNS entries do not already exist. Remember that you need the 'nsupdate' utility from Bind the distribution for all these to work.
  
The last part of the credential in the first line must match the dns name of the server you have set up.  This file is typically located in the <tt>/etc/bind</tt> directory, please refer to your distribution documentation for the location of this file on your system.
+
If you want to test or debug this process, then please run as root:
  
=== Testing/Debugging Dynamic DNS Updates ===
+
# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
  
The way the automatic DNS update in Samba works is that the provision
+
The command line options specified will force an update of all records in the 'dns_update_list', as well as output detailed information on what is being done.  
will create a file <tt>/usr/local/samba/private/dns_update_list</tt>, which
 
contains a list of DNS entries that Samba will try to dynamically
 
update at startup and every 10 minutes thereafter using <tt>samba_dnsupdate</tt> utility.
 
Updates will only happen if the DNS entries do not already exist.
 
Remember that you need <tt>nsupdate</tt> utility from bind the distribution
 
for all these to work.
 
  
If you want to test or debug this process, then please run this as root:
 
  
/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
 
  
The command line options specified will force an update of all records in the <tt>dns_update_list</tt>, as well as output detailed information on what is being done.
 
  
=== Interaction With Apparmor or SELinux ===
 
  
If you are using Apparmor or SELinux, you have to ensure that the bind process has read access to the <tt>/usr/local/samba/private/dns.keytab</tt> file, the
+
= Interaction with AppArmor or SELinux =
<tt>/usr/local/samba/private/named.conf</tt> file as well as read-write access to the <tt>/usr/local/samba/private/dns</tt> directory and it's own zone file. The Samba provision tries to setup the permissions
 
correctly for these files, but you may find you need to make changes
 
in your Apparmor or SELinux configuration if you are running either of
 
those. If you are using Apparmor then the <tt>aa-logprof</tt> command may help
 
you add any missing permissions you need to add after you start Samba
 
and bind for the first time after configuring them.
 
  
== Permissions, SELinux Labeling and Policy ==
+
If you are using AppArmor or SELinux, you have to ensure that the Bind process has read access to the following files:
 +
* /usr/local/samba/private/dns.keytab
 +
* /usr/local/samba/private/named.conf
 +
as well read-write access to the
 +
* /usr/local/samba/private/dns/
 +
directory and it's own zone file(s).
  
These instructions are intended for RedHat 6.X, but may serve as a guide for other distributions/versions.
+
The Samba provision tries to setup the permissions correctly for these files, but you may find you need to make changes in your AppArmor or SELinux configuration if you are running either of those. If you are using AppArmor, then the 'aa-logprof' command may help you add any missing permissions you need to add after you start Samba and Bind for the first time after configuring them.
  
There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be
+
Permissions, SELinux Labeling and Policy
able to have everything working '''without''' disabling SELinux.
+
 
 +
These instructions are intended for RHEL6, but may serve as a guide for other distributions/versions.
 +
 
 +
There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be able to have everything working without disabling SELinux.
  
 
For all the commands below, make sure you have set the following environment variable:
 
For all the commands below, make sure you have set the following environment variable:
 
  MYREALM="samdom.example.com"
 
  MYREALM="samdom.example.com"
  
=== Bind ===
+
Set Permissions:
  
Set Permissions:
 
 
  chown named:named /usr/local/samba/private/dns
 
  chown named:named /usr/local/samba/private/dns
 
  chgrp named /usr/local/samba/private/dns.keytab
 
  chgrp named /usr/local/samba/private/dns.keytab
Line 135: Line 336:
  
 
Label files:
 
Label files:
 +
 
  chcon -t named_conf_t /usr/local/samba/private/dns.keytab
 
  chcon -t named_conf_t /usr/local/samba/private/dns.keytab
 
  chcon -t named_conf_t /usr/local/samba/private/named.conf.update
 
  chcon -t named_conf_t /usr/local/samba/private/named.conf.update
Line 141: Line 343:
  
 
Set Label Persistence:
 
Set Label Persistence:
 +
 
  semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab
 
  semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab
 
  semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf
 
  semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf
Line 147: Line 350:
 
  semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
 
  semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
 
  semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
 
  semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
 +
 +
 +
 +
 +
 +
= Known issues and ways to fix/workaround =
 +
 +
== Debian: Bind is listening on wrong IP address ==
 +
 +
On Debian systems, the AD zone auto-generation might detect and use '127.0.1.1' as the domain controller's IP address. This will cause problems when trying to connect to the server from client machines. To fix this, you will need to adjust '/usr/local/samba/private/named.conf' by changing '127.0.1.1' to reflect the actual IP address of the server you're setting up.
 +
 +
 +
 +
== Debian Sid: Named does not start ==
 +
 +
On Debian Sid (Bind 9 package), '/etc/bind/named.conf.options' is missing and this will cause the named daemon to fail to start. To fix this either create an empty file, or comment out corresponding line in '/etc/bind/named.conf'. See your syslog messages for more information.
 +
 +
 +
 +
== New added DNS entries are not resolvable ==
 +
 +
If you have problems with resolving new added DNS entries using the BIND9 DLZ interface, you maybe want to check the following:
 +
 +
Files in 'samba/private/dns/sam.ldb.d/' are hardlinks to 'samba/private/sam.ldb.d/'.
 +
Maybe you've copied/moved it across filesystems and the hardlinking got lost
 +
and you're now running with two different copies of the databases at the moment
 +
(You can test this by adding a new DNS entry, e. g. by 'samba-tool'. If you can't
 +
resolve it, check if the inodes differ).
 +
 +
If you 'ls -i' on the two folders, you should see, that the following files
 +
have the same inodes (what indicates, that they are hard-linked):
 +
 +
# ls -lai .../samba/private/sam.ldb.d/
 +
17344368 -rw-rw---- 2 root named  4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
 +
17344370 -rw-rw---- 2 root named  4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
 +
17344372 -rw-rw---- 2 root named  421888 11. Nov 17:53 metadata.tdb
 +
 +
# ls -lai .../samba/private/dns/sam.ldb.d/
 +
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
 +
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
 +
17344372 -rw-rw---- 2 root named  421888 11. Nov 17:53 metadata.tdb
 +
 +
If the files in the two folders have different inode numbers, then they
 +
aren't hard-links. To fix this, run
 +
 +
# samba_upgradedns --dns-backend=BIND9_DLZ
 +
 +
This will recreate the DNS files with correct hard links and permissions.
 +
 +
Then restart Bind.
 +
 +
 +
 +
== DDNS updates not working ==
 +
 +
Check that the file '/etc/krb5.conf' is readable by Bind.

Revision as of 18:03, 5 May 2013

Introduction

This HowTo describes how to compile and configure a basic Bind installation, that can be used as Samba DC DNS backend.

Bind as DNS backend is recommended, if you plan setup a complexer DNS setup, than the Samba 4 internal DNS currently made possible.



Setting up a basic Bind installation

Skip this section if you already having an existing Bind installation, that can be used as Samba AD backend.


Installing Bind

Bind as backend for your Samba Active Directory Domain Controller, is currently supported in version 9.8 and 9.9 only. Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section DNS dynamic updates via Kerberos for Bind 9.7 for instructions on configuring Bind 9.7.

If you install Bind from the repositories of your distribution, you can skip the following two steps. But make sure, that your vendor compiled Bind with the '--with-gssapi' and '--with-dlopen' options (see below), to use it as Samba AD DNS backend.


Downloading

Download your desired and Samba 4 supported version from https://www.isc.org/software/bind.


Compiling Bind

To use Bind as Samba AD backend, at least the following two configure options are required to use:

# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes

Please check if there are other options you require for your environment.

To build an install:

# make
# make install


Configuration

Setting up a basic named.conf

The following example is a basic 'named.conf' for a pure minimal Bind installation without any Samba AD parts. We will add the Samba required parameters later.

# Global options
options {

       auth-nxdomain yes;

       directory "/var/named";

       forwarders { 8.8.8.8; 8.8.4.4; };

       allow-transfer { none; };
       notify no;

       empty-zones-enable no;

       allow-query {
               10.1.1.0/24;
               ...other networks you want to allow to query your DNS...;
       };

       allow-recursion {
               10.1.1.0/24;
               ...other networks you want to allow to do recursive queries...;
       };

};


# Root servers (required zone for recursive queries)
zone "." {
       type hint;
       file "named.root";
};


# Required localhost forward-/reverse zones
 zone "localhost" {
       type master;
       file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
       type master;
       file "master/0.0.127.zone";
};

We choosed '/var/named' as directory in 'named.conf' to be the place where our zonefiles, etc. reside. If you want to place them on a different location, please regard this in all further instructions.

For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'.


Adding a user and group for Bind

If you don't want to run bind as root (and I'm sure you don't want that!), we add an account and group (adapt the UID/GID if required):

# groupadd -g 25 named
# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named


Getting the root name server list

Download the root name server list from InterNIC:

# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
# chown named:named /var/named/named.root

To have always the current file, you can add a cronjob to automatically download.


Creating the localhost zone file

Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone:

$TTL 3D

$ORIGIN localhost.

@       1D      IN     SOA     @       root (
                       2013050101      ; serial
                       8H              ; refresh
                       2H              ; retry
                       4W              ; expiry
                       1D              ; minimum
                       )

@       IN      NS      @
        IN      A       127.0.0.1


Creating the 0.0.127.in-addr.arpa zone file

Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone:

$TTL 3D

@       IN      SOA     localhost. root.localhost. (
                        2013050101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )

       IN      NS      localhost.

1      IN      PTR     localhost.


Set permissions on the zone files

# chown named:named /var/named/master/*.zone
# chmod 640 /var/named/master/*.zone



Starting Bind

# named -u named

If the configuration is valid, you should see no errors on the console and in the system logfile.

To have Bind automatically started at boot time, it's recommended, to create a init.d script or start it by systemd.



Testing your zone

Now we try to lookup our zone entries. We tell the 'host' command, to use the resolver on 127.0.0.1, so that we don't query an foreign DNS server, that is maybe also configured in '/etc/resolv.conf'.

First check the forward lookup for 'localhost':

# host localhost 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

localhost has address 127.0.0.1

And then the reverse lookup for '127.0.0.1':

# host 127.0.0.1 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

1.0.0.127.in-addr.arpa domain name pointer localhost.



Configuring Bind as Samba Active Directory backend

  • Note: Bind must be installed on the same machine as samba.


Bind 9.8 / 9.9

During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, that must be included in your Bind named.conf:

include "/usr/local/samba/private/named.conf";

Depending on the Bind version you are running, you should edit '/usr/local/samba/private/named.conf' and enable the right version of the DLZ module.

Restart Bind to have the included file being used. Check the logfiles for errors and problems. If available, you can 'run named-checkconf' to help you fix any problems with your Bind configuration.


Bind 9.7

Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section DNS dynamic updates via Kerberos for Bind 9.7 for instructions on configuring Bind 9.7.


DNS dynamic updates via Kerberos (optional, but recommended)

Samba has the capability to automatically update the Bind zone files via Kerberos.

To setup dynamic DNS updates you need to have a recent version of Bind installed. It is highly recommended that you run at least version 9.8.0, as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. Please use 9.8 or 9.9 if possible!

To find out what version of Bind you are running, use

# named -V

If your operating system does not have Bind 9.8 or 9.9, please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind) or compile it by yourself.


Bind 9.8 / 9.9

A DNS keytab file was automatically created during provisioning/updating. Add the following' tkey-gssapi-keytab' option to the 'options' section of your named.conf:

options {
     [...]
     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
     [...]
};


Bind 9.7

If you have Bind 9.7.x (specifically 9.7.2 or later), then first determine if you can at all possibly run 9.8 or 9.9. You will have far fewer problems! Otherwise, follow these instructions:

The Samba provision will have created a custom '/usr/local/samba/private/named.conf.update' configuration file. You need to include this file in your 'named.conf' to allow Samba/Kerberos DNS updates to automatically take place.

include "/usr/local/samba/private/named.conf.update";

Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start!

You additionally need to set two environment variables when using 9.7:

KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME

These should be put in your settings file for Bind. On Debian based systems (including Ubuntu) this is in '/etc/default/bind9'. On RedHat and SuSE derived systems it is in '/etc/sysconfig/named'. Please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking, you only either need KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distribution, so it's easier to just set both.

The 'dns.keytab' must be readable by the bind server process:

# chown named:named /usr/local/samba/private/dns.keytab

Normally, the provision/update should have setup these permissions for you automatically.

Finally, you need to add the following to the options section of your named.conf:

options {
     [...]
     tkey-gssapi-credential "DNS/server.samdom.example.com";
     tkey-domain "SAMDOM.EXAMPLE.COM";
     [...]
};

The last part of the credential in the first line must match the dns name of the server, you have set up.


Testing/Debugging dynamic DNS updates

The way the automatic DNS update in Samba works, is that the provision will create a file '/usr/local/samba/private/dns_update_list', which contains a list of DNS entries that Samba will try to dynamically update at startup and every 10 minutes thereafter using the 'samba_dnsupdate' utility. Updates will only happen if the DNS entries do not already exist. Remember that you need the 'nsupdate' utility from Bind the distribution for all these to work.

If you want to test or debug this process, then please run as root:

# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names

The command line options specified will force an update of all records in the 'dns_update_list', as well as output detailed information on what is being done.



Interaction with AppArmor or SELinux

If you are using AppArmor or SELinux, you have to ensure that the Bind process has read access to the following files:

  • /usr/local/samba/private/dns.keytab
  • /usr/local/samba/private/named.conf

as well read-write access to the

  • /usr/local/samba/private/dns/

directory and it's own zone file(s).

The Samba provision tries to setup the permissions correctly for these files, but you may find you need to make changes in your AppArmor or SELinux configuration if you are running either of those. If you are using AppArmor, then the 'aa-logprof' command may help you add any missing permissions you need to add after you start Samba and Bind for the first time after configuring them.

Permissions, SELinux Labeling and Policy

These instructions are intended for RHEL6, but may serve as a guide for other distributions/versions.

There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be able to have everything working without disabling SELinux.

For all the commands below, make sure you have set the following environment variable:

MYREALM="samdom.example.com"

Set Permissions:

chown named:named /usr/local/samba/private/dns
chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
chmod 775 /usr/local/samba/private/dns

Label files:

chcon -t named_conf_t /usr/local/samba/private/dns.keytab
chcon -t named_conf_t /usr/local/samba/private/named.conf.update
chcon -t named_var_run_t /usr/local/samba/private/dns
chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone

Set Label Persistence:

semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl



Known issues and ways to fix/workaround

Debian: Bind is listening on wrong IP address

On Debian systems, the AD zone auto-generation might detect and use '127.0.1.1' as the domain controller's IP address. This will cause problems when trying to connect to the server from client machines. To fix this, you will need to adjust '/usr/local/samba/private/named.conf' by changing '127.0.1.1' to reflect the actual IP address of the server you're setting up.


Debian Sid: Named does not start

On Debian Sid (Bind 9 package), '/etc/bind/named.conf.options' is missing and this will cause the named daemon to fail to start. To fix this either create an empty file, or comment out corresponding line in '/etc/bind/named.conf'. See your syslog messages for more information.


New added DNS entries are not resolvable

If you have problems with resolving new added DNS entries using the BIND9 DLZ interface, you maybe want to check the following:

Files in 'samba/private/dns/sam.ldb.d/' are hardlinks to 'samba/private/sam.ldb.d/'. Maybe you've copied/moved it across filesystems and the hardlinking got lost and you're now running with two different copies of the databases at the moment (You can test this by adding a new DNS entry, e. g. by 'samba-tool'. If you can't resolve it, check if the inodes differ).

If you 'ls -i' on the two folders, you should see, that the following files have the same inodes (what indicates, that they are hard-linked):

# ls -lai .../samba/private/sam.ldb.d/
17344368 -rw-rw---- 2 root named  4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
17344370 -rw-rw---- 2 root named  4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
17344372 -rw-rw---- 2 root named   421888 11. Nov 17:53 metadata.tdb

# ls -lai .../samba/private/dns/sam.ldb.d/
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
17344372 -rw-rw---- 2 root named  421888 11. Nov 17:53 metadata.tdb

If the files in the two folders have different inode numbers, then they aren't hard-links. To fix this, run

# samba_upgradedns --dns-backend=BIND9_DLZ

This will recreate the DNS files with correct hard links and permissions.

Then restart Bind.


DDNS updates not working

Check that the file '/etc/krb5.conf' is readable by Bind.