Difference between revisions of "The Samba AD DNS Back Ends"

m (common Bind9 Compile flags for BIND DLZ for bind 9.9)
m (/* minor update)
 
(38 intermediate revisions by 5 users not shown)
Line 1: Line 1:

New revision (text added, first part):

__TOC__

= Introduction =

In an Active Directory (AD), DNS is a very important service. It is used for:

* name resolution
* locating services, such as Kerberos and LDAP
* locating local domain controllers (DC) when using AD sites. For details, see [[Active_Directory_Sites|Active Directory Sites]].

{{Imbox
| type = note
| text = All clients and servers in an AD must use a DNS server that is able to resolve the AD DNS zones.
}}

= Supported DNS Back Ends =

Samba supports the following DNS back ends:

* [[Samba_Internal_DNS_Back_End|Samba Internal DNS Back End]]
:* Default when provisioning a new domain, joining an existing domain or migrating an NT4 domain to AD.
:* No additional software or DNS knowledge is required.
:* Use this back end for simple DNS setups. For a list of limitations, see [[Samba_Internal_DNS_Back_End#Limitations|Limitations]].

* [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]
:* Requires BIND 9.8 or later installed and configured locally on the Samba Active Directory (AD) domain controller (DC). For additional information, see [[Setting_up_a_BIND_DNS_Server|Setting up a BIND DNS Server]].
:* Requires knowledge about the BIND DNS server and how to configure the service.
:* Use this back end for complex DNS scenarios that you cannot configure in the internal DNS.

Old revision (text removed, first part):

= Which DNS backend should I choose? =

You should choose the DNS backend based on the requirements of your network or existing DNS installations.

The internal DNS is a new implementation that lets you quickly and easily set up the DNS back end that every AD installation requires. No further work is needed to set it up. It currently covers the important and required parts for AD.

If you already have BIND running, plan complex DNS setups, or need special functions that the internal DNS does not yet support (for example zone transfers only from defined hosts), BIND should be the preferred back end.

Your choice of a DNS back end during provisioning/upgrading is not final. If your choice turns out not to fit your requirements, you can switch and [[Changing_the_DNS_backend|change the DNS backend]].

= Internal DNS =

The internal DNS server is built into Samba and uses AD as its back end. It is also the default DNS solution when you provision/upgrade a Samba AD DC.

== Configuration ==

If you chose the internal server as the DNS back end for your environment, two options can be added to smb.conf to control the behaviour of DNS:

 # Don't allow any updates | allow unsigned updates | only allow signed updates
 allow dns updates = False | nonsecure | signed
 # If recursive queries = yes is set, the following is also needed
 dns forwarder = <ip addr of external dns server>

Accepting only signed updates is the secure choice: with <code>nonsecure</code>, any host that can reach the DC can add or overwrite records in the AD zones without authenticating, so do not use it outside a test network.
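The following script is an added example (it is not Samba's own code) that audits the two settings above in an smb.conf: it reads the [global] section the way smb.conf is parsed (case-insensitive names, spaces allowed, settings before the first section header count as global), classifies <code>allow dns updates</code>, and flags <code>nonsecure</code> as weak. The sample configurations, the SAMDOM names and the forwarder address are constructed; it also assumes the current spellings <code>disabled</code> / <code>nonsecure and secure</code> / <code>secure only</code> next to the older ones shown above, and that an unset parameter means signed-only.

```sh
#!/bin/sh
# Added example (not Samba's own code): audit the dynamic-update policy of an
# smb.conf for the internal DNS server. Parameter names are real smb.conf
# options; the sample configurations below are constructed for this example.

# Print the value(s) of one [global] parameter from an smb.conf read on stdin.
# smb.conf parameter names are case-insensitive and may contain spaces, and
# settings before the first section header also belong to [global].
smbconf_get() {
    awk -v key="$1" '
        BEGIN { want = tolower(key); in_global = 1 }
        /^[ \t]*[;#]/ { next }                        # comment line
        /^[ \t]*\[/ {                                  # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") > 0 {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == want) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }'
}

# Map "allow dns updates" to a policy name. This page lists the old spellings
# False | nonsecure | signed; current Samba spells them disabled |
# nonsecure and secure | secure only (assumption), and unset means secure only.
dns_update_policy() {
    v=$(smbconf_get "allow dns updates" | tail -n 1 | tr 'A-Z' 'a-z')
    case "$v" in
        ""|signed|"secure only")          echo "signed-only" ;;
        false|no|disabled)                echo "disabled" ;;
        nonsecure|"nonsecure and secure") echo "unsigned-allowed" ;;
        *)                                echo "unknown:$v" ;;
    esac
}

# Audit one smb.conf (stdin); $1 is a label for the report. Returns 1 when the
# configuration lets unauthenticated hosts rewrite AD records.
audit_dns_updates() {
    conf=$(cat)
    policy=$(printf '%s\n' "$conf" | dns_update_policy)
    fwd=$(printf '%s\n' "$conf" | smbconf_get "dns forwarder" | tail -n 1)
    rc=0
    case "$policy" in
        unsigned-allowed)
            echo "WEAK  $1: unsigned updates accepted; any host on the network can overwrite DNS records"
            rc=1 ;;
        disabled)
            echo "NOTE  $1: all dynamic updates rejected; domain members cannot register their own records" ;;
        signed-only)
            echo "OK    $1: only GSS-TSIG signed updates are accepted" ;;
        *)
            echo "WARN  $1: unrecognised setting ($policy)"; rc=1 ;;
    esac
    [ -n "$fwd" ] || echo "INFO  $1: no dns forwarder set; queries outside the AD zones will not be resolved"
    return $rc
}

# Constructed sample configurations.
weak_conf() { cat <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    ; weak: accepts unsigned updates
    Allow DNS Updates = nonsecure
EOF
}
hardened_conf() { cat <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    allow dns updates = signed
    dns forwarder = 192.0.2.53
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.example.com/scripts
EOF
}

for c in weak hardened; do
    ${c}_conf | audit_dns_updates "$c.conf" || echo "      -> $c.conf needs attention"
done
```

Run it against a real file with <code>audit_dns_updates smb.conf < /usr/local/samba/etc/smb.conf</code>; the exit status is 1 for a weak setting, so it can sit in a configuration check before a DC is (re)started.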
 
  
  
New revision (text added, second part; latest revision as of 12:30, 28 August 2019):

If you are unsure which DNS back end to select during the DC installation, start with the Samba internal DNS. You can change the back end at any time. For details, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]].

{{Imbox
| type = important
| text = Do not use the <code>BIND9_FLATFILE</code> DNS back end. It is not supported and will be formally deprecated when 4.11.0 is released and removed at 4.12.0.
}}

= Selecting the AD Forest Root Domain =

Before you provision your Active Directory (AD), you must select a DNS zone for your AD forest root domain. For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].

{{Imbox
| type = warning
| text = Samba does not support renaming the AD forest root domain.
}}

Best practices:

* Use a domain name you own.
* Use a subdomain of your domain, such as <code>ad.example.com</code>.
* Do not use <code>.local</code> domains. They can cause problems with Mac OS X and Zeroconf.

For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].

----

[[Category:Active Directory]]
[[Category:DNS]]

Old revision (text removed, second part; the sections that follow were also removed):

== Limitations / Known issues ==

* The internal server is not a [[DNS/ToDo/caching_resolver|caching resolver]].
* The samba_dnsupdate command produces warnings when used with [[DNS/ToDo/signed_updates|signed updates]]. We are currently investigating a fix for the warnings, but the updates actually succeed. Client systems such as Samba 3 or Windows 7 work fine.
* Currently, recursive queries are not possible [[DNS/ToDo/recursive_queries_without_forwarder|without using a forwarder]].
* Negative replies do not come with an [[DNS/ToDo/add_authority_record|authority record]] (not required by the RFC, but Windows seems to like it).
* [[DNS/ToDo/shared_key_tsig|Shared-key TSIG]] is not implemented.
* [[DNS/ToDo/stub_zones|Stub zones]] are not implemented.
* Zone transfers (AXFR) are not allowed from the internal Samba DNS.

== Tests ==

Run during make test:

 TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns

Run against external servers (Windows or BIND):

 SERVER_IP=<dns server ip> SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns

= BIND DLZ plug-in (for BIND 9.8 and 9.9) =

BIND can be set up to serve the zones managed in AD. They are accessible from BIND through the DLZ (dynamically loadable zones) plug-in. Note that the BIND server must run on the same machine as the Samba AD DC.

== Installation / Setup ==

See the [[DNS_Backend_BIND|Bind as DNS backend HowTo]] for detailed instructions.

= Troubleshooting =

== Fix DNS dynamic updates with updated Samba versions ==

If you are running Samba 4.0.7 or later, the bug https://bugzilla.samba.org/show_bug.cgi?id=9559 is already fixed.

But if your Samba was updated from an older release rather than freshly installed, dynamic DNS updates from Windows XP SP3 and Windows 7 clients may still fail.

To fix the problem, follow these steps:

* First of all, update your Samba version if it is not the latest.

* You may want to run kinit so that samba-tool does not ask you for a password:

 kinit administrator

Search for all DNS nodes that contain the broken records:

 samba-tool dns query SERVER DOMAIN @ ALL

The broken entries look like this (a node that exists but holds no records):

 Name=WORKSTATION, Records=0, Children=0

For every entry like the one above, add a record and delete it again:

 /usr/local/samba/bin/samba-tool dns add SERVER DOMAIN WORKSTATION A IP -k yes
 /usr/local/samba/bin/samba-tool dns delete SERVER DOMAIN WORKSTATION A IP -k yes

On Windows workstations you can then run

 ipconfig /registerdns

and dynamic updates should work again.
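As an added example (not part of the original page or of samba-tool), the following script automates the search above: it parses <code>samba-tool dns query</code> output for nodes with Records=0 and Children=0, ignores legitimate empty containers such as <code>_sites</code> (Records=0 but Children>0), and prints the add/delete pairs for review instead of running them. The query output, the address list, the server dc1.samdom.example.com, the zone and the IP addresses are all constructed.

```sh
#!/bin/sh
# Added example (not Samba's own tool): find the empty DNS nodes that the fix
# above repairs by hand, and emit the samba-tool add/delete pairs for them.
# The query output below is constructed to look like
# `samba-tool dns query SERVER DOMAIN @ ALL`; names and addresses are placeholders.

# Print the names of nodes that have no records AND no children. Nodes with
# Records=0 but Children>0 (for example _sites or _tcp) are normal containers,
# not the broken entries described on this page.
empty_nodes() {
    awk '
        /^[ \t]*Name=/ {
            name = $0; sub(/^[ \t]*Name=/, "", name); sub(/,.*/, "", name)
            rec  = $0; sub(/.*Records=/, "", rec);    sub(/[^0-9].*/, "", rec)
            ch   = $0; sub(/.*Children=/, "", ch);    sub(/[^0-9].*/, "", ch)
            if (name != "" && rec + 0 == 0 && ch + 0 == 0) print name
        }'
}

# Read "NAME IP" pairs on stdin and print, for each, the add-then-delete pair
# from the page. Nothing is executed; pipe the output into sh once reviewed.
# $1 = DNS server, $2 = zone; samba-tool is assumed to be in $PATH.
fix_commands() {
    server=$1; zone=$2
    while read -r name ip; do
        [ -n "$name" ] && [ -n "$ip" ] || continue
        printf 'samba-tool dns add %s %s %s A %s -k yes\n' "$server" "$zone" "$name" "$ip"
        printf 'samba-tool dns delete %s %s %s A %s -k yes\n' "$server" "$zone" "$name" "$ip"
    done
}

# Join the empty nodes with an address list ("NAME IP" lines, e.g. exported
# from DHCP leases) so that only nodes with a known address get a fix.
# $1 = DNS server, $2 = zone, $3 = path of the address list.
plan_fixes() {
    server=$1; zone=$2; addrs=$3
    empty_nodes | while read -r n; do
        ip=$(awk -v n="$n" 'tolower($1) == tolower(n) { print $2; exit }' "$addrs")
        if [ -n "$ip" ]; then
            echo "$n $ip"
        else
            echo "# no address known for $n; skipped" >&2
        fi
    done | fix_commands "$server" "$zone"
}

# Constructed sample of the query output.
sample_query() { cat <<'EOF'
  Name=, Records=3, Children=0
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.samdom.example.com., email=hostmaster.samdom.example.com. (flags=600000f0, serial=110, ttl=3600)
    NS: dc1.samdom.example.com. (flags=600000f0, serial=110, ttl=900)
    A: 192.0.2.10 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=1, Children=0
    NS: dc1.samdom.example.com. (flags=600000f0, serial=110, ttl=900)
  Name=_sites, Records=0, Children=1
  Name=dc1, Records=1, Children=0
    A: 192.0.2.10 (flags=f0, serial=110, ttl=900)
  Name=WORKSTATION, Records=0, Children=0
  Name=laptop7, Records=0, Children=0
EOF
}

# Constructed address list: only one of the two empty nodes has a known address.
sample_addrs() { printf 'workstation 192.0.2.57\ndc1 192.0.2.10\n'; }

addrs=$(mktemp)
sample_addrs > "$addrs"
sample_query | plan_fixes dc1.samdom.example.com samdom.example.com "$addrs"
rm -f "$addrs"
```

On a real DC, replace <code>sample_query</code> with <code>samba-tool dns query SERVER DOMAIN @ ALL -k yes</code> and review the printed commands before piping them into <code>sh</code>; the add/delete pair recreates the node's metadata, so using a wrong address is harmless as long as the delete follows.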
 
 
 
 
 
 
 
 
 
== Using the ISC BIND back end with secured / signed DNS updates ==

With the BIND packages shipped by many distributions you will find that secured (signed) updates do not work with Samba 4. You will see errors in /var/log/messages such as:

 update '<name of client>' denied

This is because the rpm/deb/pkg was compiled with the --disable-isc-spnego configure flag.

To fix this you need to rebuild the distribution's rpm / deb / pkg without that flag.
 
 
 
 
 
 
 
=== common Bind9 Compile flags for BIND DLZ for bind 9.9 ===

Samba loads its DLZ module through BIND's dlopen DLZ driver, so a BIND build used as the Samba back end needs at least --with-dlz-dlopen=yes, and --with-gssapi for signed (GSS-TSIG) updates. The --with-dlz-ldap and --with-dlz-filesystem options select other DLZ drivers and are not used by Samba; they are listed below only because distribution packages usually carry them.

Commonly used configure flags for BIND 9.8.6 and up:

<pre>
CONFIGURE_OPTIONS="\
...
--with-openssl \
--enable-threads \
--with-gssapi=yes \
--with-libtool \
--with-libxml2 \
--with-dlopen=yes \
--with-dlz-dlopen=yes \
--with-dlz-mysql \
--with-dlz-bdb=yes \
--with-dlz-ldap \
--with-dlz-filesystem=yes \
--enable-filter-aaaa \
--enable-rrl \
--with-ecdsa \
--with-idnlib='-L/usr/lib -R/usr/lib -lidn -lidn2' \
...
</pre>

The "-L" and "-R" paths given to --with-idnlib differ between distributions.

Distribution and derived-distribution package maintainers (i386 and x86_64) are asked to update their package specs for BIND 9.8.5 and later so that these options are set permanently for Samba4.
 
 
 
 
 
 
 
==== RHEL / CentOS / FC + clones - Rebuild the distributed ISC BIND RPM ====

First make sure your RPM build environment is set up, then install the source RPM for BIND. The instructions that follow are for CentOS 6.4 with 9.8.2-0.17.rc1.el6_4.6 being the latest version at the time of writing:

  rpm -i http://vault.centos.org/6.4/updates/Source/SPackages/bind-9.8.2-0.17.rc1.el6_4.6.src.rpm

Then locate and edit the SPEC file; if your rpm build directory is ~/rpmbuild it will be ~/rpmbuild/SPECS/bind.spec.

Locate and remove the line that reads

  --disable-isc-spnego

On the example RPM above it is line 361.

Install the build dependencies (yum-builddep ~/rpmbuild/SPECS/bind.spec, from yum-utils) if you have not already, then rebuild the RPM:

  rpmbuild -bb ~/rpmbuild/SPECS/bind.spec

Once finished you will find the replacement RPMs under RPMS/{arch} in your build root, where {arch} is your machine's architecture (e.g. x86_64 or i686). Install them over the existing RPMs and signed updates should work again. Remember that a yum update may replace your rebuilt bind packages, so either exclude bind* in your yum configuration or use priorities and add these RPMs to a local repository.
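The spec edit above is a one-line deletion, but the --disable-isc-spnego line sits inside a backslash-continued %configure command; if it happens to be the last line of that command, deleting it leaves a trailing backslash on the previous line that joins the following make into the configure call. The following script is an added example, not from this page: strip_configure_flag removes the flag while repairing the continuation, configure_swallows_make verifies the result, and rebuild_bind_srpm chains the page's rpm -i and rpmbuild -bb steps around it (it is not executed here). The spec fragments are constructed and the ~/rpmbuild layout is assumed.

```sh
#!/bin/sh
# Added example (not from this page's RPM instructions): remove a configure
# flag from a backslash-continued %configure block in a spec file without
# breaking the continuation, check the result, and drive the rebuild.
# The spec fragments below are constructed; a real bind.spec is much longer.

# Delete every line containing $1 from the spec on stdin. If a deleted line
# ended the continued command (no trailing backslash), the previous line's
# backslash is removed too; otherwise the following command, typically
# "make", would be appended to the configure invocation.
strip_configure_flag() {
    awk -v flag="$1" '
        index($0, flag) > 0 {
            if ($0 !~ /\\[ \t]*$/ && have_prev) sub(/[ \t]*\\[ \t]*$/, "", prev)
            next
        }
        { if (have_prev) print prev; prev = $0; have_prev = 1 }
        END { if (have_prev) print prev }'
}

# Print "yes" if a %configure block still continues into the make line.
configure_swallows_make() {
    awk '
        /^%configure/ { inblock = 1 }
        inblock && /^make/ { print "yes"; found = 1; exit }
        inblock && $0 !~ /\\[ \t]*$/ { inblock = 0 }
        END { if (!found) print "no" }'
}

# The page's procedure, driven by the functions above. Not executed here:
# it needs rpm-build, the build dependencies (yum-builddep bind.spec) and
# the source RPM. $1 = source RPM URL or path; ~/rpmbuild is assumed.
rebuild_bind_srpm() {
    spec="$HOME/rpmbuild/SPECS/bind.spec"
    rpm -i "$1" || return 1
    strip_configure_flag --disable-isc-spnego < "$spec" > "$spec.new" || return 1
    if [ "$(configure_swallows_make < "$spec.new")" = yes ]; then
        echo "refusing to build: edited %configure block runs into make" >&2
        return 1
    fi
    mv "$spec.new" "$spec"
    rpmbuild -bb "$spec"
}

# Constructed spec fragment: the flag in the middle of the block.
spec_middle() { cat <<'EOF'
%build
%configure \
    --with-libtool \
    --with-gssapi=yes \
    --disable-isc-spnego \
    --with-dlz-dlopen=yes
make %{?_smp_mflags}
EOF
}

# Constructed spec fragment: the flag on the last line of the block, where a
# plain `sed '/--disable-isc-spnego/d'` leaves a dangling backslash.
spec_last() { cat <<'EOF'
%build
%configure \
    --with-libtool \
    --with-gssapi=yes \
    --with-dlz-dlopen=yes \
    --disable-isc-spnego
make %{?_smp_mflags}
EOF
}

echo "naive sed on spec_last swallows make: $(spec_last | sed '/--disable-isc-spnego/d' | configure_swallows_make)"
echo "strip_configure_flag on spec_last swallows make: $(spec_last | strip_configure_flag --disable-isc-spnego | configure_swallows_make)"
spec_last | strip_configure_flag --disable-isc-spnego
```

The same strip function works for any other flag you need to drop from a distribution spec, and the swallow check is worth keeping in the build script because rpmbuild would not fail on the joined line; it would silently pass "make" as a configure argument.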
 
 
 
 
 
 
 
==== OpenSuSE using the ISC BIND back end ====

With the default BIND package of the OpenSuSE distribution, secured updates do not work with Samba 4.1 and up.

To fix this you need to rebuild https://build.opensuse.org/package/show/openSUSE:Factory/bind .

[[User:Remsnet]] published a spec file at https://github.com/remsnet/OpenSuSE-Samba-DC/blob/master/bind-9.9.4-P1.spec with build instructions at https://github.com/remsnet/OpenSuSE-Samba-DC/blob/master/Samba4-DC-DLZ.Readme
 
 
 
=== RHEL/CentOS/FC + clones - RPM build of a new ISC BIND 9.9 / 9.10 ===

Benjamin Kraft publishes BIND9 security fixes on his blog: [http://bkraft.fr/blog/bind_9_10_1_and_bind_9_9_6_and_bind_9_8_8/]. Cleanly patching BIND9 has long been a task for experts.

[[User:Remsnet]] published a SPEC file at https://github.com/remsnet/CentOS-Bind-DLZ for building SRPMs of a clean, updated BIND9 with DLZ support.
 
 
 
 
 
=== Debian / Ubuntu + clones - Build a new ISC BIND 9.8 / 9.9 / 9.10 ===

While following the official Samba4 HOWTO I found out that bind would not start, giving me the following error (taken from my syslog):

 Loading 'AD DNS Zone' using driver dlopen
 unsupported DLZ database driver 'dlopen'.  AD DNS Zone not loaded.

If you want some technical background as to what dlopen is, read this blog post, but in short, Samba4 needs some features only available in Bind 9.8 and above. If you are getting the error I described above, you either have an earlier version or your binary version of Bind 9.8 or above was not compiled with support for DLZ drivers.
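Both build problems on this page, the denied signed updates from a package built with --disable-isc-spnego (see the ISC BIND section above) and the unsupported DLZ database driver 'dlopen' error just shown, can be checked before touching named.conf by reading the configure flags that named -V prints. The following script is an added example, not part of this page or of BIND: the two named -V outputs are constructed, and it assumes that newer BIND builds enable the dlopen driver even when the flag is not listed, so a missing flag is reported as a warning rather than a failure.

```sh
#!/bin/sh
# Added example (not part of this page or of BIND): read the configure flags
# that `named -V` prints and flag the two build problems described on this
# page. The sample outputs below are constructed; real input is `named -V`.

# Print "MAJOR MINOR" from the first line, e.g. "BIND 9.8.2rc1-RedHat-..." -> "9 8".
named_version() {
    sed -n '1s/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Evaluate `named -V` output read from stdin; $1 is a label for the report.
# Returns 1 when the build cannot serve a Samba AD zone with signed updates.
check_named_build() {
    label=$1
    out=$(cat)
    rc=0

    ver=$(printf '%s\n' "$out" | named_version)
    major=${ver%% *}; minor=${ver##* }
    : "${major:=0}" "${minor:=0}"
    if [ "$major" -lt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -lt 8 ]; }; then
        echo "FAIL  $label: BIND $major.$minor is older than 9.8, which introduced the dlopen DLZ driver"
        rc=1
    fi

    # --disable-isc-spnego is what this page blames for "update ... denied".
    case "$out" in
        *--disable-isc-spnego*)
            echo "FAIL  $label: built with --disable-isc-spnego; signed (GSS-TSIG) updates will be denied"
            rc=1 ;;
    esac

    # Assumption: newer BIND builds enable the dlopen driver without listing
    # the flag, so an absent flag is a warning; an explicit =no is a failure.
    case "$out" in
        *--with-dlz-dlopen=no*)
            echo "FAIL  $label: built with --with-dlz-dlopen=no; Samba's DLZ module cannot be loaded"
            rc=1 ;;
        *--with-dlz-dlopen*)
            echo "OK    $label: dlopen DLZ driver enabled at configure time" ;;
        *)
            echo "WARN  $label: --with-dlz-dlopen not listed; confirm the driver loads before relying on it" ;;
    esac

    case "$out" in
        *--with-gssapi*) echo "OK    $label: GSSAPI enabled" ;;
        *) echo "WARN  $label: --with-gssapi not listed; signed updates need GSSAPI" ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK    $label: usable for the Samba BIND9_DLZ back end"
    return "$rc"
}

# Constructed: a distribution build carrying the problem flag.
centos6_named_V() { cat <<'EOF'
BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 built with '--build=x86_64-redhat-linux-gnu' '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--enable-threads' '--enable-ipv6' '--with-dlz-ldap=yes' '--with-dlz-filesystem=yes' '--with-dlz-dlopen=yes' '--with-gssapi=yes' '--disable-isc-spnego'
using OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
using libxml2 version: 2.7.6
EOF
}

# Constructed: the same build after the spec was rebuilt without the flag.
rebuilt_named_V() { centos6_named_V | sed "s/ '--disable-isc-spnego'//"; }

# Constructed: a pre-9.8 build that has no dlopen driver at all.
old_named_V() { printf 'BIND 9.7.3-P3\n'; }

for b in centos6 rebuilt old; do
    ${b}_named_V | check_named_build "$b" || echo "      -> $b: rebuild BIND before using it with Samba"
done
```

On a live system run <code>named -V | check_named_build "$(hostname)"</code>; a FAIL on the spnego flag means the rebuild described in the RHEL and OpenSuSE sections above is needed, and a FAIL on the version or the dlopen driver means the backport described in this section.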
 
 
 
To fix it I backported Bind9 from SID. This was the first time I ever did such a thing so I am no expert... if you know a better way to accomplish this please leave a comment.

Note: whenever Bind 9.8 gets backported it will become much easier to install; you will only have to follow the steps described here. For now, follow the instructions below.

Let's remove the old version of bind first:

 sudo apt-get remove bind9

Install the required packages:

 sudo apt-get install devscripts build-essential libkrb5-dev debhelper libssl-dev libtool bison libdb-dev libldap2-dev libxml2-dev libpcap2-dev hardening-wrapper libgeoip-dev dpkg-dev

Download the bind9 .dsc file (check here for the latest link to the .dsc file):

 mkdir bind9
 cd bind9
 dget -x http://ftp.de.debian.org/debian/pool/main/b/bind9/bind9_9.8.1.dfsg-1.dsc

Now unpack bind:

 tar xvzf bind9_9.8.1.dfsg.orig.tar.gz
 cd bind9_9.8.1.dfsg/

Note: I will skip applying the .diff file from sid. When I tried applying it the source would not compile and, most importantly, it stopped recognising the --with-dlz-dlopen parameter, which is the reason why I had to do this in the first place.

Configure and then compile the Bind9 source code:

 fakeroot ./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info \
         --sysconfdir=/etc/bind --localstatedir=/var --enable-threads --enable-largefile --with-libtool \
         --enable-shared --enable-static --with-openssl=/usr --with-gssapi=/usr --with-gnu-ld \
         --with-dlz-postgres=no --with-dlz-mysql=no --with-dlz-bdb=yes --with-dlz-filesystem=yes \
         --with-dlz-ldap=yes  --with-dlz-stub=yes --with-dlz-dlopen=yes \
         --with-geoip=/usr --enable-ipv6 CFLAGS=-fno-strict-aliasing

If you are using bind9 9.8.1 you may find a compilation error which can be fixed with the patch described here. You can apply the patch manually: all you have to do is edit the file contrib/dlz/drivers/sdlz_helper.c and remove the "#ifdef DLZ" line and the "#endif" line at the end of the file.

Now let's compile and install bind9 (the build runs as a normal user; only the install into /usr needs root):

 make
 sudo make install

Last step, we need to manually create the /var/cache/bind directory:

 sudo mkdir /var/cache/bind

Start the service:

 sudo /etc/init.d/bind9 start

Hopefully, bind9 will start just fine.

Congratulations, bind9 should be working now. If you are following the Samba4 HOWTO like I was, make sure you run the provisioning steps again with bind9 running.
 

Latest revision as of 12:30, 28 August 2019
