BIND9 DLZ DNS Back End

From SambaWiki
Revision as of 21:36, 22 January 2013 by Rixter

Bind 9.8.0 or newer

If you are using BIND, the next step to get a working DNS setup for Samba is to start with the DNS configuration file created by the provision step. If you are using any of the other samba-tool options (classicupgrade, for example), you can specify --dns-backend=BIND9_DLZ or --dns-backend=BIND9_FLATFILE.

You can activate the configuration that the provision has created by including this configuration file in BIND's named configuration file. This file is typically located in the /etc/bind directory; please refer to your distribution documentation for the location of this file on your system. Once located, add the following line to the configuration file:

include "/usr/local/samba/private/named.conf";

Edit that file to uncomment the correct dlz plugin line for your version of bind: open /usr/local/samba/private/named.conf in a text editor and follow the instructions inside.

After adding that line, restart your Bind server and check the system logs for any problems. If available, run named-checkconf to help you find problems in your named configuration.

Bind 9.7.x

Users of bind-9.7.x are strongly encouraged to upgrade to bind-9.8 or bind-9.9. If this is not possible, refer to the section Configure Kerberos DNS Dynamic Updates for instructions on configuring bind-9.7.

Bind (All Versions)

A common problem you may encounter is that many modern Linux distributions activate 'Apparmor' or 'SELinux' by default, and these may be configured to deny Bind access to the named.conf and zone files created in the provision. If your Bind logs show that Bind is getting an access denied error when accessing these files, please see your local system documentation for how to grant Bind access to these files (hint: on Apparmor systems such as Ubuntu, the command aa-logprof may be useful).

  • Note: On Debian systems, the zone auto-generation might detect and use 127.0.1.1 as the domain controller's IP address. This will cause problems when trying to connect to the server from client machines. To fix this, adjust /usr/local/samba/private/named.conf by changing 127.0.1.1 to the actual IP address of the server you're setting up.
  • Note: On Debian SID (bind9 package), /etc/bind/named.conf.options is missing, and this will cause the named daemon to fail to start. To fix this, either create an empty file or comment out the corresponding line in /etc/bind/named.conf. See your syslog messages for more information.


Configure DNS Dynamic Updates via Kerberos

Samba has the capability to automatically update the bind zone files via Kerberos. While this step is optional, it is highly recommended. If you are using Samba's internal DNS server, no configuration is needed, and you can skip this step.

To set up dynamic DNS updates you need to have a recent version of bind installed. It is highly recommended that you install at least version 9.8.0, as that version includes a set of patches from the Samba Team that make dynamic DNS updates much more robust and easier to configure. Below we give instructions for both bind 9.7.2 and 9.8.0, but please use 9.8.0 or later if at all possible.

You can tell what version of bind you have using the command /usr/sbin/named -V. If your OS does not have bind-9.8.0 or later, then please consider getting it from a package provided by a third party (for example, on Ubuntu there is a PPA available with newer versions of bind).

Bind 9.8.0 or Later

When using bind-9.8.0 or later you need to add the following to the options section of your bind config:

 options {
     [...]
     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
     [...]
 };

This file is typically located in the /etc/bind directory; please refer to your distribution documentation for the location of this file on your system.

Bind 9.7.x

If you have bind-9.7.x (specifically 9.7.2 or later), first determine whether you can run bind-9.8 at all; you will have far fewer problems with it. Otherwise, follow these instructions.

The Samba provision will have created a custom /usr/local/samba/private/named.conf.update configuration file. You need to include this file in your master named.conf to allow Samba/Kerberos DNS updates to automatically take place. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start.

You additionally need to set two environment variables when using bind-9.7.x:

 KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
 KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
 export KEYTAB_FILE
 export KRB5_KTNAME

These should be put in your settings file for bind. On Debian based systems (including Ubuntu) this is /etc/default/bind9. On RedHat and SUSE derived systems it is /etc/sysconfig/named; please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking you only need either KEYTAB_FILE or KRB5_KTNAME, but which one you need depends on your distribution, so it's easier to just set both.

The dns.keytab must be readable by the bind server process. Generally, this is accomplished by executing:

  $ chown named:named /usr/local/samba/private/dns.keytab

(the provision should have set up these permissions for you automatically).

Finally, you need to add the following to the options section of your bind config:

 options {
     [...]
     tkey-gssapi-credential "DNS/server.samdom.example.com";
     tkey-domain "SAMDOM.EXAMPLE.COM";
     [...]
 };

The last part of the credential in the first line must match the DNS name of the server you have set up. This file is typically located in the /etc/bind directory; please refer to your distribution documentation for the location of this file on your system.
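The choice between the two options-section variants above (tkey-gssapi-keytab for 9.8.0 or later, tkey-gssapi-credential plus tkey-domain for 9.7.2 to 9.7.x) can be made from the output of named -V. The script below is an added example, not code from the Samba wiki or the Samba project; it assumes the first line of named -V begins with "BIND <version>", and the function names, default keytab path, server name and realm are illustrative values taken from the sections above.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): pick the tkey options for the
# options {} block from the version string printed by "named -V".

# Print "major minor patch" parsed from a `named -V` first line such as
# "BIND 9.8.1-P1 built with ..."; prints nothing if the line does not match.
bind_version_triple() {
    printf '%s\n' "$1" | sed -n \
      's/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p' |
      head -n 1
}

# Succeed (0) for bind 9.8.0 or newer, fail (1) for older, 2 if unparseable.
bind_is_980_or_newer() {
    triple=$(bind_version_triple "$1")
    [ -n "$triple" ] || return 2
    set -- $triple
    if [ "$1" -gt 9 ]; then return 0; fi
    if [ "$1" -eq 9 ] && [ "$2" -ge 8 ]; then return 0; fi
    return 1
}

# Emit the lines to add to the options {} block. Arguments: the `named -V`
# first line, then optional keytab path, server FQDN and realm (defaults are
# the wiki's example values). Versions older than 9.7.2 get no output and a
# non-zero status, since the Kerberos update setup needs at least 9.7.2.
tkey_options() {
    vstring=$1
    keytab=${2:-/usr/local/samba/private/dns.keytab}
    fqdn=${3:-server.samdom.example.com}
    realm=${4:-SAMDOM.EXAMPLE.COM}
    if bind_is_980_or_newer "$vstring"; then
        printf 'tkey-gssapi-keytab "%s";\n' "$keytab"
        return 0
    fi
    set -- $(bind_version_triple "$vstring")
    if [ -z "$1" ] || [ "$1" -lt 9 ] || [ "$2" -lt 7 ] ||
       { [ "$2" -eq 7 ] && [ "${3:-0}" -lt 2 ]; }; then
        echo "bind ${1:-?}.${2:-?}.${3:-0} is older than 9.7.2: upgrade to 9.8 or newer" >&2
        return 1
    fi
    # 9.7.2 .. 9.7.x: the credential principal must match the server's DNS name
    printf 'tkey-gssapi-credential "DNS/%s";\n' "$fqdn"
    printf 'tkey-domain "%s";\n' "$realm"
}

# Stand-alone use: read the installed version if named is on the PATH.
if command -v named >/dev/null 2>&1; then
    tkey_options "$(named -V 2>/dev/null | head -n 1)"
fi
```

Pass your own server name and realm as the third and fourth arguments; the output is meant to be pasted into the options section, not into the Samba-generated named.conf.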

Testing/Debugging Dynamic DNS Updates

The way the automatic DNS update in Samba works is that the provision creates a file /usr/local/samba/private/dns_update_list, which contains a list of DNS entries that Samba will try to dynamically update at startup and every 10 minutes thereafter using the samba_dnsupdate utility. Updates only happen if the DNS entries do not already exist. Remember that you need the nsupdate utility from the bind distribution for all of this to work.

If you want to test or debug this process, then please run this as root:

/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names

The command line options specified will force an update of all records in the dns_update_list, as well as output detailed information on what is being done.

Interaction With Apparmor or SELinux

If you are using Apparmor or SELinux, you have to ensure that the bind process has read access to the /usr/local/samba/private/dns.keytab file and the /usr/local/samba/private/named.conf file, as well as read-write access to the /usr/local/samba/private/dns directory and its own zone file. The Samba provision tries to set up the permissions correctly for these files, but you may find you need to make changes in your Apparmor or SELinux configuration if you are running either of those. If you are using Apparmor, the aa-logprof command may help you add any missing permissions after you start Samba and bind for the first time after configuring them.

Permissions, SELinux Labeling and Policy

These instructions are intended for RedHat 6.X, but may serve as a guide for other distributions/versions.

There is still more work to be done with regard to creating a Samba 4 specific SELinux policy, but for now you should be able to have everything working without disabling SELinux.

For all the commands below, make sure you have set the following environment variable:

MYREALM="samdom.example.com"

Bind

Set Permissions:

chown named:named /usr/local/samba/private/dns
chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
chmod 775 /usr/local/samba/private/dns

Label files:

chcon -t named_conf_t /usr/local/samba/private/dns.keytab
chcon -t named_conf_t /usr/local/samba/private/named.conf.update
chcon -t named_var_run_t /usr/local/samba/private/dns
chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone

Set Label Persistence:

semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl