
I have a device running Samba as an Active Directory Domain Controller using BIND_DLZ as a backend.

On top of that I am running a secondary device, also configured as an Active Directory Domain Controller with BIND_DLZ as backend, for redundancy purposes.

IP addresses are assigned by an ISC DHCP server, which is able to update DNS resource records using an encryption key (TSIG).

Anyway: Onto my problem.

Here is my current setup

named.conf.options:

options 
{
     directory "/var/cache/bind";

     forwarders {
            2001:4860:4860::8888;
            2001:4860:4860::8844;
            8.8.8.8;
            8.8.4.4;
     };

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { any; };

     listen-on port 53 { 192.168.1.240; };
     listen-on port 5353 { 127.0.0.1; }; # <-- Used for Netflix IPv6 filter only.

     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
     minimal-responses yes;
     recursion yes;
};

acl "home-net"
{
    127.0.0.1;
    192.168.1.0/24;
    2001:db8:cafe:beef::/56; # <-- I am using an IPv6 range from Tunnelbroker in real life.
};

view "normal"
{
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.internal";

    # Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.
    include "/etc/bind/netflix-ipv6-blackhole.conf";  

    match-clients
    {
        home-net; # <-- Only respond to queries originating from my own network.
    };

    dnssec-enable yes;
    dnssec-validation auto;

    allow-query { any; };
    allow-query-cache { home-net; };
    allow-recursion { home-net; };

    forwarders {
      8.8.8.8;
      8.8.4.4;
      2001:4860:4860::8888;
      2001:4860:4860::8844;
   };
};

named.conf.internal:

zone "1.168.192.in-addr.arpa"
{
    type master;
    file "/etc/bind/db.192.168.1.rev";
    notify yes;

    allow-query { any; };
    allow-transfer { xfer; };

    # If allow-update is enabled instead of the include named.conf.update line,
    # then Dynamic DNS works fine because ISC DHCP can update the resource records.
    #
    # Sadly you can't have both lines enabled. It is either / or.

    // allow-update { key ddns-key; };

    include "/var/lib/samba/bind-dns/named.conf.update"; # <-- Having issues with THIS line only.
};

include "/var/lib/samba/bind-dns/named.conf";

/var/lib/samba/bind-dns/named.conf:

dlz "AD DNS Zone" {
    # For BIND 9.11.x
    database "dlopen /usr/lib/arm-linux-gnueabihf/samba/bind9/dlz_bind9_11.so";
};

/var/lib/samba/bind-dns/named.conf.update:

/* this file is auto-generated - do not edit */
update-policy {
        grant EXAMPLE.COM ms-self * A AAAA;
        grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;

        # Main Active Directory Domain Controller
        grant HARDY$@example.com wildcard * A AAAA SRV CNAME;

        # Backup Active Directory Domain Controller
        grant LAUREL$@example.com wildcard * A AAAA SRV CNAME;
};

If I try to start bind with this configuration I will get a rather odd error that I cannot figure out:

/var/lib/samba/bind-dns/named.conf.update:3: name field not set to placeholder value '.'

Is there anyone who can clue me into what is wrong with named.conf.update?
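A small parser for the update-policy block posted above, as an added example for this thread; it is not code from the question, from Samba or from BIND. It re-creates the check behind the error quoted in the question (named reports the line of a rule whose name field is not the placeholder '.', and the line numbers this parser produces match named's "file:N:" form), and it also lists which identities hold wildcard write access to the zone and for which record types, which is the least-privilege question worth answering before the policy goes live on the DLZ-backed zone. The sample text is the posted named.conf.update, embedded as a constant; listing krb5-self alongside ms-self in PLACEHOLDER_NAME_TYPES is an assumption beyond what the thread states.

```python
"""Audit a BIND update-policy block such as Samba's generated named.conf.update.

Added example for this thread; not code from the question, from Samba or from BIND.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the named.conf.update contents posted in the question.
SAMPLE_UPDATE_POLICY = """\
/* this file is auto-generated - do not edit */
update-policy {
        grant EXAMPLE.COM ms-self * A AAAA;
        grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;

        # Main Active Directory Domain Controller
        grant HARDY$@example.com wildcard * A AAAA SRV CNAME;

        # Backup Active Directory Domain Controller
        grant LAUREL$@example.com wildcard * A AAAA SRV CNAME;
};
"""

# Rule types whose name field is only a placeholder. named rejects anything but
# "." there, which is the check that produced the error quoted in the question
# for the ms-self rule. Listing krb5-self next to it is an assumption taken from
# the same family of rule types, not something the thread states.
PLACEHOLDER_NAME_TYPES = {"ms-self", "krb5-self"}


@dataclass
class GrantRule:
    line: int         # 1-based line in the file, so findings match named's "file:N:" output
    action: str       # "grant" or "deny"
    identity: str     # principal, realm or TSIG key name the rule applies to
    rule_type: str    # wildcard, ms-self, ...
    name: str         # name field: "*" for wildcard rules, "." placeholder for ms-self
    types: List[str]  # record types the identity may update


_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"(#|//).*")


def _strip_comments(text: str) -> str:
    """Blank out BIND's three comment styles while preserving line numbering."""
    text = _BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    return "\n".join(_LINE_COMMENT.sub("", line) for line in text.splitlines())


def parse_update_policy(text: str) -> List[GrantRule]:
    """Return the grant/deny rules inside the first update-policy { ... }; block.

    Assumes each rule carries an explicit name field, which holds for every
    rule type used in the posted file.
    """
    cleaned = _strip_comments(text)
    block = re.search(r"update-policy\s*\{(.*?)\};", cleaned, re.DOTALL)
    if block is None:
        raise ValueError("no update-policy block found")
    body_offset = block.start(1)
    rules: List[GrantRule] = []
    for stmt in re.finditer(r"[^;]+;", block.group(1)):
        raw = stmt.group(0)
        tokens = raw.rstrip(";").split()
        if not tokens:
            continue
        if tokens[0] not in ("grant", "deny") or len(tokens) < 4:
            raise ValueError(f"unparseable rule: {' '.join(tokens)}")
        # Offset of the rule's first token, used to derive its line number.
        first_token = body_offset + stmt.start() + (len(raw) - len(raw.lstrip()))
        rules.append(GrantRule(
            line=cleaned.count("\n", 0, first_token) + 1,
            action=tokens[0],
            identity=tokens[1],
            rule_type=tokens[2],
            name=tokens[3],
            types=tokens[4:],
        ))
    return rules


def lint_rules(rules: List[GrantRule]) -> List[str]:
    """Reproduce named's placeholder check; one finding per offending rule."""
    return [
        f"line {r.line}: {r.rule_type} rule for {r.identity}: "
        f"name field not set to placeholder value '.' (got {r.name!r})"
        for r in rules
        if r.rule_type in PLACEHOLDER_NAME_TYPES and r.name != "."
    ]


def wildcard_writers(rules: List[GrantRule]) -> Dict[str, List[str]]:
    """Identities allowed to update any name in the zone, with the record types they may change."""
    return {
        r.identity: r.types
        for r in rules
        if r.action == "grant" and r.rule_type == "wildcard" and r.name == "*"
    }


if __name__ == "__main__":
    parsed = parse_update_policy(SAMPLE_UPDATE_POLICY)
    for finding in lint_rules(parsed):
        print("named would reject:", finding)
    for identity, types in wildcard_writers(parsed).items():
        print(f"{identity} may rewrite any {'/'.join(types)} record in the zone")
```

Run against the posted file it reports exactly one rejection, on line 3, and shows that the Administrator account and both DC machine accounts can rewrite any A, AAAA, SRV or CNAME record in the zone; that is the blast radius if any of those credentials leak, so it is worth keeping the generated policy as narrow as Samba writes it rather than widening it by hand.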

1 Answer

OK, you have two Samba AD DCs using Bind9 for the DNS server and you are having problems with DNS. I wonder if it could have anything to do with your incorrect bind files?

One major problem is that you have the reverse zone in a flat file; this is not allowed, you need to create it in AD, you can use samba-tool to do this. You also cannot use 'views'.

Try these bind9 conf files:

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    notify no;
    empty-zones-enable no;
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
    forwarders {
        2001:4860:4860::8888;
        2001:4860:4860::8844;
        8.8.8.8;
        8.8.4.4;
    };
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { any; };
    listen-on port 53 { 192.168.1.240; };
    listen-on port 53 { 192.168.1.240; 127.0.0.1; };
    listen-on port 5353 { 127.0.0.1; }; // <-- Used for Netflix IPv6 filter only.

    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;
};

/etc/bind/named.conf.local

include "/var/lib/samba/bind-dns/named.conf";

// Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.

include "/etc/bind/netflix-ipv6-blackhole.conf";

If you backed up /var/lib/samba/bind-dns/named.conf.update, then reinstate it from the backup. If not, then change it to this:

/* this file is auto-generated - do not edit */
update-policy {
    grant EXAMPLE.COM ms-self * A AAAA;
    grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;
    grant HARDY$@example.com wildcard * A AAAA SRV CNAME;
    grant LAUREL$@example.com wildcard * A AAAA SRV CNAME;
};

  • Well, to be honest: I find management of reverse DNS in `samba-tool` and in particular the Windows Administration Kit to be broken when Samba is running as an AD DC, especially if you want to manage a reverse IPv6 zone. Besides that, I prefer that as much of the DNS-related stuff as possible can be administered from Bind config files. I have experienced the Netflix filter running on one DNS, Samba on another, general stuff on a third, reverse IPv6 DNS on a fourth instance and the external view on a fifth. It was a nightmare keeping track of what was happening where. Hence my need to simplify as much as possible. – Lasse Michael Mølgaard Mar 25 '20 at 16:37
  • Most Samba AD domains have no need for IPv6, so unless you really need it, I would suggest turning it off on Samba AD. All you should really have on the DC is DNS records for the domain (this includes the reverse records). There is nothing wrong with 'samba-tool dns' (as far as I am aware); if you do have errors, can you provide these errors and I will look into fixing them. – Rowland Penny Mar 25 '20 at 18:46