BIND9 DLZ DNS Back End

Revision as of 00:27, 10 October 2016 by Mmuehlfeld (talk | contribs) (Rewrote "Configuring BIND9 DLZ as Back End for Samba AD". Clearer structure, removed unnecessary/duplicate content, moved Apparmor/SELinux content to a separate page.)

Introduction

Samba provides support for the BIND DNS server as DNS back end on a Samba Active Directory (AD) domain controller (DC). The BIND9_DLZ back end is recommend for complex DNS setups, the Samba internal DNS server not supports.

The BIND9_DLZ module accesses the Samba Active Directory (AD) database directly. For this reason:

  • BIND must be installed on the same machine as the Samba AD domain controller (DC).
  • BIND must not run in a changed root environment.
  • zones are stored and replicated within the directory.



Configuring the BIND9_DLZ module

During the domain provisioning, join, or classic upgrade, the /usr/local/samba/private/named.conf file has been created. To enable the BIND9_DLZ module for your BIND version:

  • Add the following include statement to your BIND named.conf file:
include "/usr/local/samba/private/named.conf";
  • Display the BIND version:
# named -v
BIND 9.9.4
  • Edit the /usr/local/samba/private/named.conf file and uncomment the module for your BIND version. For example:
dlz "AD DNS Zone" {
    # For BIND 9.8
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";

    # For BIND 9.10
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";
    
    # For BIND 9.11
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
};
The following table shows which BIND version is supported in which Samba version:
Supported BIND Version Samba Version
BIND 9.11 Samba 4.6 and later
BIND 9.10 Samba 4.2 and later
BIND 9.9 Samba 4.0 and later
BIND 9.8 Samba 4.0 and later



Setting up Dynamic DNS Updates Using Kerberos

Samba is able to automatically update the Active Directory (AD) zone managed by the BIND9_DLZ back end.

To enable dynamic DNS updates using Kerberos:

  • Add the following include statement to the options {} section of your BIND named.conf file. For example:
options {
     [...]
     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
     [...]
};
  • If you provisioned or joined an AD forest or run the classic upgrade using a Samba version prior to 4.4.0, the BIND Kerberos key tab file was generated using wrong permissions. To fix, enable read access for the BIND user:
# chmod 640 /usr/local/samba/private/dns.keytab
# chown root:named /usr/local/samba/private/dns.keytab
  • Verify that your /etc/krb5.conf Kerberos client configuration file is readable by your BIND user. For example:
# ls -l /etc/krb5.conf
-rw-r--r--. 1 root named 99  2. Sep 2014  /etc/krb5.conf
  • Verify that the nsupdate utility exists on your domain controller (DC):
# which nsupdate
/usr/bin/nsupdate
The nsupdate command is used to update the DNS. If the utility is missing, see you distribution's documentation how to identify the package containing the command and how to install.



Starting the BIND Service

  • Before you start the service, verify the BIND configuration:
# named-checkconf
If no output is shown, the BIND configuration is valid.
  • Start the BIND service.



Testing Dynamic DNS Updates

To test the dynamic DNS updates, run as user root on your Samba domain controller (DC):

# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names

This commands forces an update of all records specified in the /usr/local/samba/private/dns_update_list file.

The samba_dnsupdate utility updates the DNS. It automatically checks for missing DNS records specified in the dns_update_list file when the samba daemon starts and after every 10 minutes.



Troubleshooting

Debugging the BIND9_DLZ Module

To set a log level for the BIND9_DLZ module:

  • Append the -d parameter and log level to the module in the /usr/local/samba/private/named.conf file. For example:
database "dlopen .../bin/modules/bind9/dlz_bind9_9.so -d 3";
  • Stop the BIND service.
  • Start BIND manually to display the debug out put and to capture the log output in the /tmp/named.log file:
 # named -u named -f -g 2>&1 | tee /etc/named.log
See the named (8) man page for details about the used parameters.


New DNS Entries Are Not Resolvable

If you create new DNS records in the directory and are not able to resolve them using the nslookup, host or other DNS lookup tools, the database hard links can got lost. This happens, for example, if you move the databases across mount points.

To verify that the domain and forest partition as well as the metadata.tdb database are hard linked in both directories, run

# ls -lai /usr/local/samba/private/sam.ldb.d/
17344368 -rw-rw---- 2 root named  4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
17344370 -rw-rw---- 2 root named  4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
17344372 -rw-rw---- 2 root named   421888 11. Nov 17:53 metadata.tdb

# ls -lai /usr/local/samba/private/dns/sam.ldb.d/
17344368 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DDOMAINDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
17344370 -rw-rw---- 2 root named 4251648 11. Nov 18:27 DC%3DFORESTDNSZONES,DC%3DSAMBA,DC%3DEXAMPLE,DC%3DCOM.ldb
17344372 -rw-rw---- 2 root named  421888 11. Nov 17:53 metadata.tdb

The same files must have the same inode number in the first column of the output in the both directories. If they differ, the hard link got lost and Samba and BIND use separate database files and thus DNS updates in the directory are not resolveable through the BIND DNS server.

To auto-repair the hard linking:

  • Rerun the back end configuration:
# samba_upgradedns --dns-backend=BIND9_DLZ
  • Restart the BIND service to take effect.