
[Samba] How to switch from internal DNS to Bind


James

Dec 30, 2015, 2:50:03 PM
Hello,

I'm attempting to switch from the internal DNS to Bind. This is for
my Samba test environment on a VM running Samba 4.3.1 on Ubuntu server
12.04.1. Installed Samba using all the defaults.

./configure
make
make install

Pulled up the wiki link

https://wiki.samba.org/index.php/Changing_the_DNS_backend#Changing_from_Samba_Internal_DNS_to_BIND_DLZ

Not sure if this is the correct start page. After the introduction I see
the link "Setup Bind". I figure I need to start there? So I click the
link and in the introduction I see another link for
"Setup_a_basic_BIND_installation". Maybe this is where I should begin? I
install BIND via the repository.

apt-get install bind9

The wiki then says "*make sure that it was compiled with the
'--with-gssapi' and '--with-dlopen' options*". I check by using

named -V | grep "gssapi"

'--with-gssapi=/usr'

Is this sufficient or do I need the absolute path to
--with-gssapi=/usr/include/gssapi?

named -V | grep "dlopen"

Returns nothing. Can I add these options after the fact or do I need to
uninstall and compile on my own before proceeding any further? Thanks.




--
-James

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
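A way to check the two build flags the message above asks about, as an added shell example (not code from the thread, the Samba wiki or BIND): the function takes the text of `named -V` as an argument so it can be tried on the constructed sample strings below, which imitate a distro 9.8 build and the self-built configure line given later in the thread rather than being captured output. Any value of `--with-gssapi` is accepted, since the value is only the prefix handed to configure; a missing `--with-dlopen` is reported as a warning rather than a failure because, as Rowland notes below, later BIND releases have dlopen built in.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a named binary was
# built with the configure flags the Samba wiki asks for.

# check_named_build "$(named -V)"
# Prints one line per flag. Returns 0 when --with-gssapi is present, 1 when it
# is not. A missing --with-dlopen only produces a warning, because later BIND
# releases have dlopen support built in and no longer need the flag.
check_named_build() {
    text=$1
    status=0
    case "$text" in
        *--with-gssapi*)
            # Any value satisfies the check: it is just the prefix handed to
            # configure (e.g. '--with-gssapi=/usr'), not a runtime setting.
            flag=$(printf '%s\n' "$text" | tr ' ' '\n' | grep -o -- "--with-gssapi[^' ]*" | head -n 1)
            echo "OK   GSSAPI support compiled in ($flag)"
            ;;
        *)
            echo "FAIL --with-gssapi missing: rebuild BIND before switching Samba to BIND9_DLZ"
            status=1
            ;;
    esac
    case "$text" in
        *--with-dlopen*)
            echo "OK   --with-dlopen present"
            ;;
        *)
            echo "WARN --with-dlopen not listed; newer BIND builds dlopen in, so confirm the DLZ module loads at startup"
            ;;
    esac
    return $status
}

# Constructed samples (not real named output) resembling the distro 9.8 build
# and the self-built 9.9 configure line from the thread.
SAMPLE_DISTRO_9_8="BIND 9.8.1-P1 built with '--prefix=/usr' '--sysconfdir=/etc/bind' '--with-gssapi=/usr' '--with-openssl=/usr'"
SAMPLE_SELF_BUILT="BIND 9.9.8-P2 built with '--prefix=/usr' '--sysconfdir=/etc/bind' '--with-gssapi=/usr' '--with-dlopen=yes' '--with-openssl=/usr'"
SAMPLE_NO_GSSAPI="BIND 9.8.1-P1 built with '--prefix=/usr' '--sysconfdir=/etc/bind' '--with-openssl=/usr'"

# Check the installed binary when one is present.
if command -v named >/dev/null 2>&1; then
    check_named_build "$(named -V 2>&1)"
fi
```

The check reads the `built with` line that `named -V` prints, so it works on any BIND 9 build that still reports its configure options; the exit status makes it usable as a gate in a provisioning script.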

Rowland penny

Dec 30, 2015, 3:40:03 PM
What version of bind9?
Later versions have dlopen built in, but I seem to remember (from when I
used 12.04) having to build bind9. Could you upgrade to 14.04? This will
definitely give you a working bind9.

Rowland

James

Dec 30, 2015, 3:50:03 PM
It's 9.8.1.

I decided to compile myself seeing as this is just a test environment.
I'll make note of possibly needing a newer distro in order to avoid
building in the future. Thanks.

--
-James

Rowland penny

Dec 30, 2015, 4:20:04 PM
You need a later version, this is what I used to do:

apt-get -y remove bind9 &> /dev/null # <-- this was only installed to get all the required configuration files!
wget ftp://ftp.isc.org/isc/bind9/9.9.2-P2/bind-9.9.2-P2.tar.gz
tar zxf bind-9.9.2-P2.tar.gz
cd bind-9.9.2-P2
./configure --prefix=/usr --mandir=/usr/share/man \
--infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var \
--enable-threads --enable-largefile --with-libtool --enable-shared \
--enable-static --with-openssl=/usr --with-gssapi=/usr \
--with-dlopen=yes --with-gnu-ld --enable-ipv6 \
CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2' \
LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro' \
CPPFLAGS='-D_FORTIFY_SOURCE=2'
make
make install

NOTE: this was some time ago, there are newer versions available, if you
do go with a newer version and it throws an error about dlopen, just
remove '--with-dlopen=yes'

Rowland

James

Dec 31, 2015, 8:50:03 AM
Thanks for those compile suggestions. I'll build again using those options.


--
-James

James

Dec 31, 2015, 9:50:04 AM
On 12/30/2015 4:14 PM, Rowland penny wrote:
> ./configure --prefix=/usr --mandir=/usr/share/man
> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
> --enable-threads --enable-largefile --with-libtool --enable-shared
> --enable-static --with-openssl=/usr --with-gssapi=/usr
> --with-dlopen=yes --with-gnu-ld --enable-ipv6
> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
> CPPFLAGS='-D_FORTIFY_SOURCE=2'
I seem to have a few errors in my syslog.

Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named':
Permission denied
Dec 31 09:35:17 VMDC1 named[24025]: generating session key for dynamic DNS
Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named':
Permission denied
Dec 31 09:35:17 VMDC1 named[24025]: could not create
/var/run/named/session.key
Dec 31 09:35:17 VMDC1 named[24025]: failed to generate session key for
dynamic DNS: permission denied
Dec 31 09:35:17 VMDC1 named[24025]: sizing zone task pool based on 3 zones
Dec 31 09:35:17 VMDC1 named[24025]: set up managed keys zone for view
_default, file 'managed-keys.bind'
Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from
'/etc/bind/rndc.key'
Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel
127.0.0.1#953: file not found
Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from
'/etc/bind/rndc.key'
Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel
::1#953: file not found
Dec 31 09:35:17 VMDC1 named[24025]: the working directory is not writable
Dec 31 09:35:17 VMDC1 named[24025]: managed-keys-zone: loaded serial 0
Dec 31 09:35:17 VMDC1 named[24025]: zone 0.0.127.in-addr.arpa/IN: loaded
serial 2013050101
Dec 31 09:35:17 VMDC1 named[24025]: zone localhost/IN: loaded serial
2013050101
Dec 31 09:35:17 VMDC1 named[24025]: all zones loaded
Dec 31 09:35:17 VMDC1 named[24025]: running

I compiled using 9.9.8-P2 and your suggested configure options. I see
/run is owned by root:root. Should I give group 'named' permission to
this folder? It's not documented in the wiki as needed.

--
-James

Reindl Harald

Dec 31, 2015, 10:00:03 AM


Am 31.12.2015 um 15:43 schrieb James:
> On 12/30/2015 4:14 PM, Rowland penny wrote:
>> ./configure --prefix=/usr --mandir=/usr/share/man
>> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
>> --enable-threads --enable-largefile --with-libtool --enable-shared
>> --enable-static --with-openssl=/usr --with-gssapi=/usr
>> --with-dlopen=yes --with-gnu-ld --enable-ipv6
>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
> I seem to have a few errors in my syslog.
>
> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named':
> Permission denied
> I compiled using 9.9.8-P2 and your suggested configure options. I see
> /run is owned by root:root. Should I give group 'named' permission to
> this folder? It's not documented in the wiki as needed

nobody but root has a business directly on /run
you should create the subfolder as any bind-package does

on modern systems /run is a tmpfs and hence empty at boot
so it's "tmpfiles" job to re-create them at boot

that config is typically part of the bind package

[root@srv-rhsoft:~]$ cat /usr/lib/tmpfiles.d/named.conf
d /run/named 0755 named named -


Rowland penny

Dec 31, 2015, 10:20:03 AM
Did you run 'make install' as root or via sudo? Sorry, but I should
have been a bit more explicit. I don't remember having to change
anything. I will dig out my notes and see if there was anything else.

Rowland

Rowland penny

Dec 31, 2015, 10:30:03 AM
On 31/12/15 14:55, Reindl Harald wrote:
>
>
> Am 31.12.2015 um 15:43 schrieb James:
>> On 12/30/2015 4:14 PM, Rowland penny wrote:
>>> ./configure --prefix=/usr --mandir=/usr/share/man
>>> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
>>> --enable-threads --enable-largefile --with-libtool --enable-shared
>>> --enable-static --with-openssl=/usr --with-gssapi=/usr
>>> --with-dlopen=yes --with-gnu-ld --enable-ipv6
>>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
>> I seem to have a few errors in my syslog.
>>
>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named':
>> Permission denied
>> I compiled using 9.9.8-P2 and your suggested configure options. I see
>> /run is owned by root:root. Should I give group 'named' permission to
>> this folder? It's not documented in the wiki as needed
>
> nobody but root has a business directly on /run
> you should create the subfolder as any bind-package does

I totally agree

>
> on modern systems /run is a tmpfs and hence empty at boot
> so it's "tmpfiles" job to re-create them at boot

Ah, but the OP is using Ubuntu 12.04 and I don't think that it uses the
'tmpfile' /run, I am sure it used the 'fixed' /var/run instead.

>
>
> that config is typically part of the bind package

Yes, that is where I got it from, it puts everything where the distro
package did, you can then use the distro's init script etc. If he was to
move to a later distro, then he wouldn't have to compile Bind9 :-)

>
> [root@srv-rhsoft:~]$ cat /usr/lib/tmpfiles.d/named.conf
> d /run/named 0755 named named -
>

I have checked and all I did after compiling bind9 was to provision
samba4, setup bind with samba and then started bind and samba.

Rowland

James

Dec 31, 2015, 10:30:04 AM
I seem to be missing the tmpfiles.d folder.

cat: /usr/lib/tmpfiles.d/named.conf: No such file or directory

I tried to use locate and didn't receive any results.

James

Dec 31, 2015, 10:40:03 AM
I did everything as root.

--
-James

James

Dec 31, 2015, 10:40:03 AM
I'm going to update my distro and see what happens. As an FYI, Ubuntu
12.04 seems to treat /var/run as a symlink.

lrwxrwxrwx 1 root root 4 Dec 31 10:06 /var/run -> /run

--
-James

Rowland penny

Dec 31, 2015, 10:40:03 AM
Can you post your bind conf files, and your bind init file
Also does /var/run exist

Rowland

Reindl Harald

Dec 31, 2015, 10:50:03 AM


Am 31.12.2015 um 16:31 schrieb James:
> I'm going to update my distro and see what happens

nothing else when you deal with your self built binaries

> 12.04 seems to treat /var/run as a sysmlink.
>
> lrwxrwxrwx 1 root root 4 Dec 31 10:06 /var/run -> /run

that's normal, the main question is if it's enough to create /run/named
with the correct permissions once or if it needs to be done before the
service at every boot (in case it's a tmpfs)

[root@local:~]$ mount | grep /run
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)


Rowland penny

Dec 31, 2015, 11:00:05 AM
I am certain it didn't use to be like that, but if you upgrade to 14.04,
you will not need to compile bind.

Rowland

James

Dec 31, 2015, 11:00:06 AM
I forgot, I do not want to update the distro at the moment. My
production is currently on 12.04. Want to keep things symmetrical. I'm
going to compile and build bind again.

mount | grep /run
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)



--
-James

Reindl Harald

Dec 31, 2015, 11:10:03 AM


Am 31.12.2015 um 16:51 schrieb James:
> I forgot, I do not want to update the distro at the moment. My
> production is currently on 12.04. Want to keep things symmetrical. I'm
> going to compile and build bind again.
>
> mount | grep /run
> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
> none on /run/shm type tmpfs (rw,nosuid,nodev)

so it's like on every recent distribution not persistent
https://www.google.at/#q=ubuntu+12.04+/var/run

http://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot


James

Dec 31, 2015, 12:10:03 PM
That second link proved helpful. Thank you.

The errors I posted were prior to using an init script. Creating one and
using the following eliminated the errors.

cat /etc/init/bind9.conf
# bind9 - bind9 job file
description "bind9 Domain Name Server For Samba4"

start on runlevel [2345]
stop on runlevel [!2345]

pre-start script
mkdir -p -m0777 /run/named
chown root:named /run/named
end script

exec /usr/sbin/named -u named

Do the permissions look about right for /run? I now get these errors.


Dec 31 12:01:59 VMDC1 named[939]: configuring command channel from
'/etc/bind/rndc.key'
Dec 31 12:01:59 VMDC1 named[939]: couldn't add command channel
127.0.0.1#953: file not found
Dec 31 12:01:59 VMDC1 named[939]: configuring command channel from
'/etc/bind/rndc.key'
Dec 31 12:01:59 VMDC1 named[939]: couldn't add command channel ::1#953:
file not found
Dec 31 12:01:59 VMDC1 named[939]: the working directory is not writable

If I make /etc/bind writable via the init script, I still get these
messages. Maybe it's referring to another folder?
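The pre-start directory handling above, generalized into an idempotent helper as an added shell example (not code from the thread): /run is a tmpfs on this Ubuntu 12.04 system, as the `mount | grep /run` output earlier shows, so /run/named must be recreated at every boot, and the "working directory is not writable" line refers to the directory given by the named.conf `directory` option, not to /etc/bind. The service user and group `named` and the working directory /var/named are assumptions. The helper applies the 0755 named:named ownership from the tmpfiles.d line quoted earlier rather than 0777, since only the named user writes there, and it fails loudly when a chown cannot be applied.

```shell
#!/bin/sh
# Added example, not code from the thread: create the directories a self-built
# named needs before it starts. On the OP's Ubuntu 12.04, /run is a tmpfs, so
# /run/named vanishes at every boot and must be recreated by the init job
# (or, on systemd distributions, by a tmpfiles.d entry).

# ensure_service_dir DIR MODE [OWNER:GROUP]
# Idempotent: creates DIR if missing and enforces MODE; when OWNER:GROUP is
# given the ownership is applied too, which needs root. Failures return 1
# instead of being skipped, so a broken pre-start shows up in the service log.
ensure_service_dir() {
    dir=$1
    mode=$2
    owner=${3:-}
    mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || { echo "ensure_service_dir: chown $owner $dir failed" >&2; return 1; }
    fi
}

# dir_mode DIR: symbolic permission string of DIR (portable; no GNU stat needed).
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Pre-start for the OP's Upstart job. Assumptions (not from the thread): the
# service user and group are both 'named', and named.conf's 'directory'
# option points at /var/named, which is the "working directory" that named
# reports as not writable. 0755 named:named for /run/named is what the
# tmpfiles.d line quoted in the thread uses; world-writable 0777 is not
# needed because only the named user creates files there.
named_prestart() {
    ensure_service_dir /run/named 0755 named:named &&
    ensure_service_dir /var/named 0750 named:named
}

# Call as 'sh prestart.sh prestart' from the Upstart 'pre-start script' stanza.
if [ "${1:-}" = "prestart" ]; then
    named_prestart
fi
```

Because the helper re-applies the mode on every run, a directory that survived a reboot with stale permissions is corrected rather than left alone, and a missing `named` account surfaces as a chown error at start rather than as a "could not create session.key" line later in syslog.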

James

Dec 31, 2015, 12:40:03 PM
On 12/31/2015 11:01 AM, Reindl Harald wrote:
>
>
I think I can safely ignore these warnings for

configuring command channel from '/etc/bind/rndc.key'
couldn't add command channel 127.0.0.1#953: file not found

It appears rndc is for the following.

"BIND includes a utility called rndc which allows command line
administration of the named daemon from the localhost or a remote host."

I will be using either samba-tool or Microsoft tools to manage the dns.

James

Dec 31, 2015, 1:10:03 PM
On 12/31/2015 11:01 AM, Reindl Harald wrote:
>
>
It appears named.conf isn't created until after invoking the actual
upgrade command. Corrected that issue. I now see named.conf in
/usr/local/samba/private

However I still seem to have the

/etc/bind/named.conf:54: unknown option 'tkey-gssapi-keytab'

James

Dec 31, 2015, 1:10:03 PM
On 12/31/2015 11:01 AM, Reindl Harald wrote:
>
>
It appears I'm running into issues with the actual switch to bind.

loading configuration from '/etc/bind/named.conf'
Dec 31 12:48:49 VMDC1 named[918]:
/usr/local/samba/private/named.conf.update:2: unknown option 'update-policy'
Dec 31 12:48:49 VMDC1 named[918]: /etc/bind/named.conf:54: unknown
option 'tkey-gssapi-keytab'
Dec 31 12:48:49 VMDC1 named[918]: loading configuration: failure

The wiki says

During provisioning/upgrading, a file
('/usr/local/samba/private/named.conf') was created, this must be
included in your BIND named.conf:

include "/usr/local/samba/private/named.conf";


Mine actually is labeled 'named.conf.update'. Should I rename? I also
added per the wiki

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

cat /etc/bind/named.conf
# /etc/bind/named.conf
# Global BIND configuration options
include "/usr/local/samba/private/named.conf.update";

options {
auth-nxdomain yes;
directory "/var/named";
notify no;
empty-zones-enable no;

allow-query {
127.0.0.1;
192.168.1.0/24;
# add other networks you want to allow to query your DNS
};

allow-recursion {
192.168.1.0/24;
# add other networks you want to allow to do recursive queries
};

forwarders {
# Google public DNS server here - replace with your own if necessary
8.8.8.8;
8.8.4.4;
};

allow-transfer {
# this config is for a single master DNS server
none;
};

};


# Root servers (required zone for recursive queries)
zone "." {
type hint;
file "named.root";
};

# Required localhost forward-/reverse zones
zone "localhost" {
type master;
file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "master/0.0.127.zone";

};

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

};

};
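BIND ships `named-checkconf`, which would report both problems in the file above (the two stray `};` after the zone blocks, and `tkey-gssapi-keytab`, which belongs inside `options { }`) before the server is restarted. As an added shell example, not code from the thread, here is a minimal brace-balance check that locates the stray closers, together with a writer for constructed samples (not the OP's file) that reproduce the broken nesting and the corrected layout.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal nesting check for
# named.conf that finds the kind of error in the config posted above (stray
# '};' lines after the zone blocks). BIND's own 'named-checkconf' is the
# authoritative syntax check; this awk pass only locates brace imbalance.

# check_braces FILE
# Tracks block depth per line. Prints the first line where '}' closes more
# blocks than were opened, or how many blocks are still open at EOF.
# Returns 0 when balanced. Assumptions about the input: '#' and '//' line
# comments are stripped; '/* */' block comments and braces inside quoted
# strings are not handled.
check_braces() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)
            sub(/\/\/.*/, "", line)
            # gsub() returns the number of substitutions, i.e. the brace count.
            depth += gsub(/[{]/, "{", line)
            depth -= gsub(/[}]/, "}", line)
            if (depth < 0) {
                printf "%s:%d: unexpected \"}\" with no open block\n", FILENAME, NR
                exit 1
            }
        }
        END {
            if (depth > 0) {
                printf "%s: %d block(s) still open at end of file\n", FILENAME, depth
                exit 1
            }
        }
    ' "$1"
}

# write_sample FILE broken|fixed
# Writes a constructed named.conf fragment. "broken" reproduces the structure
# posted above (tkey-gssapi-keytab after the zones, then two extra '};');
# "fixed" keeps that option inside options { }, where BIND expects it.
write_sample() {
    case "$2" in
        broken) cat >"$1" <<'EOF'
# constructed sample: broken nesting
include "/usr/local/samba/private/named.conf";
options {
    directory "/var/named";
    allow-query { 127.0.0.1; 192.168.1.0/24; };
};
zone "." { type hint; file "named.root"; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
};
EOF
        ;;
        fixed) cat >"$1" <<'EOF'
# constructed sample: corrected nesting
include "/usr/local/samba/private/named.conf";
options {
    directory "/var/named";
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
zone "." { type hint; file "named.root"; };
EOF
        ;;
    esac
}

# Usage: sh check.sh /etc/bind/named.conf
if [ $# -gt 0 ]; then
    check_braces "$1"
fi
```

Run `check_braces /etc/bind/named.conf` before restarting named; the line number it prints is the first stray closer, which in the file above is the `};` after the `tkey-gssapi-keytab` line. A passing brace check is not a passing config, so follow it with `named-checkconf`, which also validates where each statement is allowed.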

James

Dec 31, 2015, 1:40:03 PM
On 12/31/2015 11:01 AM, Reindl Harald wrote:
>
>
OK, I think I solved the tkey-gssapi issue. Apparently it wasn't in the
correct location in named.conf. The syslog no longer shows any
meaningful bind errors. Looking at the samba log I do see some.


[2015/12/31 13:22:46.466800, 0]
../source4/smbd/server.c:370(binary_smbd_main)
samba version 4.2.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2014
ldb: unable to dlopen /usr/local/samba/lib/ldb/dns_notify.so :
/usr/local/samba/lib/private/liberrors-samba4.so: version `SAMBA_4.3.0'
not found (required by /usr/local/samba/lib/ldb/dns_notify.so)
ldb: unable to dlopen /usr/local/samba/lib/ldb/tombstone_reanimate.so :
/usr/local/samba/lib/private/libdsdb-module-samba4.so: version
`SAMBA_4.3.0' not found (required by /usr/local/samba/lib/ldb/tombstone_reanimate.so)
[2015/12/31 13:22:48.050030, 0]
../source4/smbd/server.c:488(binary_smbd_main)
samba: using 'standard' process model
[2015/12/31 13:22:48.358595, 0]
../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'samba' finished starting up and ready to serve connections
[2015/12/31 13:22:50.709103, 0]
../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_spnupdate: ldb: unable to dlopen
/usr/local/samba/lib/ldb/dns_notify.so :
/usr/local/samba/lib/private/liberrors-samba4.so: version `SAMBA_4.3.0'
not found (required by /usr/local/samba/lib/ldb/dns_notify.so)
[2015/12/31 13:22:51.022158, 0]
../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_spnupdate: ldb: unable to dlopen
/usr/local/samba/lib/ldb/tombstone_reanimate.so :
/usr/local/samba/lib/private/libdsdb-module-samba4.so: version
`SAMBA_4.3.0' not found (required by
/usr/local/samba/lib/ldb/tombstone_reanimate.so)
[2015/12/31 13:22:51.377786, 0]
../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: ldb: unable to dlopen
/usr/local/samba/lib/ldb/dns_notify.so :
/usr/local/samba/lib/private/liberrors-samba4.so: version `SAMBA_4.3.0'
not found (required by /usr/local/samba/lib/ldb/dns_notify.so)
[2015/12/31 13:22:51.800456, 0]
../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: ldb: unable to dlopen
/usr/local/samba/lib/ldb/tombstone_reanimate.so :
/usr/local/samba/lib/private/libdsdb-module-samba4.so: version
`SAMBA_4.3.0' not found (required by
/usr/local/samba/lib/ldb/tombstone_reanimate.so)


I need to update to Samba 4.3 in order to resolve this. What exactly do
I lose by not updating?

Rowland penny

Dec 31, 2015, 2:40:04 PM
OK James, I have just spent the last hour trying to compile bind9 on the
latest Ubuntu 12.04, well, that is not entirely true. I have been trying
to install the required packages to compile bind9 and it seems that lots
of required packages are no longer available, i.e.

Package gcc is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'gcc' has no installation candidate

So, sorry, but I have given up. I have had another thought: could your
problems be caused by apparmor?

I still think that you would be better off upgrading to 14.04.

Rowland

James

Jan 4, 2016, 8:30:04 AM
Rowland, I seem to have solved all of my Bind related issues on 12.04.

To summarize, my main issues were:

* Required upstart script to create /var/run/named temp directory.
* Ignore error configuring command channel from '/etc/bind/rndc.key'
couldn't add command channel 127.0.0.1#953: file not found
* Issue /usr/local/samba/sbin/samba_upgradedns --dns-backend=BIND9_DLZ
so it appears in /usr/local/samba/private
* Update to Samba 4.3 to resolve `SAMBA_4.3.0' not found (required by
/usr/local/samba/lib/ldb/dns_notify.so)
* Update to Samba 4.3 to resolve `SAMBA_4.3.0' not found (required by
/usr/local/samba/lib/ldb/tombstone_reanimate.so)

I didn't seem to have any issues during the actual compile. Here is my
system info to compare to yours. Thanks for everyone's help.

root@VMDC1:~# apparmor_status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/ntpd
/usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/ntpd (1148)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
root@VMDC1:~# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
NAME="Ubuntu"
VERSION="12.04.5 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.5 LTS)"
VERSION_ID="12.04"
root@VMDC1:~# cat /proc/version
Linux version 3.13.0-74-generic (buildd@lgw01-34) (gcc version 4.6.3
(Ubuntu/Linaro 4.6.3-1ubuntu5) ) #118~precise1-Ubuntu SMP Fri Dec 18
10:38:55 UTC 2015


--
-James