Web lists-archives.com

Re: [Samba] ,Re: samba Digest, Vol 172, Issue 2




Hi Karl

Im running for years with samba now with bind_dlz and on stock debian samba and bind runs fine. 

I went through your mails on the list and i noticed the following.

> client006\$\@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update 
> failed: rejected by secure update (REFUSED) 

> samba_dlz: disallowing update of signer=client006\$\@MY.DOMAIN.DE 
> name=client006.my.domain.de type=AAAA error=insufficient access rights

This shows me 2 things. 
The first is rejected by bind, and thats because it was catched by somewhere in your config of bind. 

The second is rejected by bind_DLZ. 
And in my opinion these both has nothing todo with rights in /var/lib/samba/private.  Because the messages above actively are denying things. ( not an error ) 
If the rights really where a problem then you should see that in you syslog.


So in my opinion start with a correct/working/well-tested  bind config. 
Change you bind setup to the following. 

Backup your or bind folder.
cp /etc/bind{,.backup}

Change the acl all-networks to your network and change the forwarders to your ISP dns servers.

The bind config. Best is to never change this file. 
The loading order is important. 

named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


named.conf.options
acl all-networks {
        192.168.1.0/24; 10.150.0.0/16;
};
options {
        directory "/var/cache/bind";
        version "0.0.7";
        forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };
        dnssec-validation no;
        auth-nxdomain yes;    # conform to RFC1035 =no
        listen-on-v6 { "none"; };
        listen-on port 53 { IPv4-IP_OF_YOUR_SERVER; 127.0.0.1; };
        notify no;
        empty-zones-enable no;
        //  Add any subnets or hosts you want to allow to use this DNS server
        allow-query { "all-networks"; 127.0.0.1/32; };
        //  Add any subnets or hosts you want to allow to use recursive queries
        allow-recursion {  "all-networks"; 127.0.0.1/32; };

        // https://wiki.samba.org/index.php/Dns-backend_bind
        // DNS dynamic updates via Kerberos (optional, but recommended)
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/etc/bind/rndc.key";
    controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};


named.conf.local
// the samba install defaults to bind9.8
include "/var/lib/samba/private/named.conf";


chgrp bind /var/lib/samba/private/dns.keytab
chmod g+r /var/lib/samba/private/dns.keytab

And restart bind.
Systemctl restart bind 

Run: 
klist -k /var/lib/samba/private/dns.keytab 
check you see your DNS/hostname-DC.fqdn and dns-hostname-DC$@REALM>

run 
ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=hostname-DC' dn

and run :  samba_dnsupdate --verbose --all-names
( see: https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates ) 

And in smb.conf try it with these: 

        server services = -dns
	  # please set the interfaces and bind interfaces like this. 
        interfaces = YOUR_IP 127.0.0.1
        bind interfaces only = yes

now reboot the server.
Reboot the pc. 

And try again. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: Karl Heinz Wichmann [mailto:wichmann-karl@xxxxxx]
> Verzonden: maandag 3 april 2017 17:32
> Aan: L.P.H. van Belle
> Onderwerp: ,Re: [Samba] samba Digest, Vol 172, Issue 2
> 
> Hello Louis
> 
> The right are ok. If i change to internal dns of samba, the record will
> be greated.
> 
> I think bind9 at debian 8.7 was default not compiled with
> "--with-dlopen=yes" only with '--with-gssapi=/usr'
> 
> Reagards
> 
> Karl Heinz
> 
> 
> 
> i suspect the ad right in the dns is wrong.
> 
> Start the windows dns manager, go to the A (and ptr) get the properties
> and check the owner and set it to the computername$ and try again.
> 
> Greetz,
> Louis
> 
>  > Op 2 apr. 2017 om 17:14 heeft Marc Muehlfeld via samba
> <samba@xxxxxxxxxxxxxxx> het volgende geschreven:
>  >
>  > Hello Karl Heinz,
>  >
>  >> Am 02.04.2017 um 15:22 schrieb Karl Heinz Wichmann via samba:
>  >> I change the right from 600 (root:root) to 660 (root:bind) and i get
>  >> following errormessage.
>  >>
>  >> -rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb
>  >
>  > Please revert these insecure permissions to the ones we set during the
>  > provisioning.
>  >
>  > Using these permissions, the BIND user account is enabled to read and
>  > write to the whole AD database file. The sam.ldb must have 600
>  > permissions and owned by root:root to be protected:
>  >
>  > -rw------- root root /usr/local/samba/private/sam.ldb
>  >
>  > sam.ldb is a virtual view to all AD partitions.
>  >
>  >
>  >
>  >> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
>  >
>  > The permissions on this directory is correct. However, please check the
>  > permissions of the raw AD partition database files in it. If you
> changed
>  > them, reset them to the secure permissions we set during the
> provisioning:
>  >
>  > -rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
>  > -rw------- root root
>  > CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
>  > -rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
>  > -rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
>  > -rw------- root root  DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
>  > -rw-rw---- root named metadata.tdb
>  >
>  >
>  >
>  > Some background information: The sam.ldb.d directory is required to
>  > enable the third-party daemon BIND to access the AD DNS partitions,
>  > without allowing access to any other partition.
>  >
>  > The samb.ldb.d directory contains the raw AD partition databases, while
>  > the sam.ldb file is a view to all of them.
>  >
>  > That's why BIND needs write access to the two DNS partition databases
>  > files (+ metadata.ldb) and must not have access to any other file in
> the
>  > sam.ldb.d directory, nor to the sam.ldb file.
>  >
>  >
>  >
>  > Regards,
>  > Marc
>  >
>  >
>  >
>  > --
>  > To unsubscribe from this list go to the following URL and read the
>  > instructions:  https://lists.samba.org/mailman/options/samba
>  >
> 
> 



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba