Installing and configuring Bind-DLZ for Samba-AD

Although Samba-AD comes by default with its own internal DNS server, Tranquil IT recommends the use of Bind-DLZ.

The Samba-AD server will probably sit on a NAT network, so it is preferable to configure a DNS forwarder:

  • Install the Bind package:

    apt-get install bind9
    
  • Modify the options section of the file /etc/bind/named.conf.options (remember to modify the forwarder):

    options {
      directory "/var/cache/bind";
    
      forwarders {
        1.1.1.1;
      };
    
      allow-query { any; };
    
      dnssec-validation no;
    
      auth-nxdomain no;    # conform to RFC1035
      listen-on-v6 { any; };
    
      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    
      minimal-responses yes;
    };
    
  • Modify the local section of the file /etc/bind/named.conf.local:

    dlz "mydomain.lan" {
      # For BIND 9.10.0
      database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
    };
    
  • Disable IPv6 binding on the local network in /etc/default/named:

    # run resolvconf?
    RESOLVCONF=no
    
    # startup options for the server
    OPTIONS="-4 -u bind"
    

Hint

The DLZ plugin must directly access Samba’s LDB databases (the equivalent of NTDS.DIT). This mode of operation is certainly not optimal for the separation of services within the AD. However, it is necessary.

  • In /etc/samba/smb.conf, add the following line and comment out the dns forwarder line:

    [global]
    ...
    server services = -dns
    # dns forwarder =
    

Hint

The following commands will create an account in the AD server for the Bind server. This is not necessary if you do not want to benefit from dynamic updates (which may be desirable).

  • Create two directories in /var/lib/samba:

    mkdir /var/lib/samba/bind-dns
    mkdir /var/lib/samba/bind-dns/dns
    
  • Configure dynamic updates of DNS entries:

    samba_upgradedns --dns-backend=BIND9_DLZ
    
  • Finally restart the samba and bind services:

    systemctl restart samba-ad-dc
    systemctl restart bind9
    

Ensuring the correct configuration of Bind and DLZ

  • Ensure that it is the Bind server listening on port 53:

    netstat -tapn | grep 53
      tcp     0    0 192.168.149.11:53    0.0.0.0:*    LISTEN      5291/named
    
  • Test local and recursive queries:

    dig @localhost google.fr
    dig @localhost srvads.mydomain.lan
    dig -t SRV @localhost _ldap._tcp.mydomain.lan
    
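The checks above can be scripted. The following POSIX shell script is an added example (not part of the original page or of Samba/Bind): it verifies that named rather than samba owns port 53 and that the settings from the steps above (the GSSAPI keytab in named.conf.options, the internal DNS disabled and the forwarder commented out in smb.conf) are present; the netstat output and config snippets embedded in it are constructed samples so it runs offline.

```sh
#!/bin/sh
# Added sanity checks for a Bind-DLZ setup. On a real host feed port53_owner the
# output of `netstat -tapn` and point the file checks at the real config files.
set -e

# Print the program owning the TCP LISTEN socket on port 53 in `netstat -tapn`
# output (columns: Proto Recv-Q Send-Q Local Foreign State PID/Program).
# Only "tcp" lines are considered, since the -4 option disables IPv6 anyway.
port53_owner() {
    printf '%s\n' "$1" |
        awk '$1 == "tcp" && $4 ~ /:53$/ && $6 == "LISTEN" { split($7, p, "/"); print p[2]; exit }'
}

# 0 if named.conf.options references the keytab Samba provides for Kerberos
# (GSS-TSIG) dynamic updates, 1 otherwise.
check_named_options() {
    grep -q 'tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"' "$1"
}

# 0 if smb.conf removes the internal DNS from "server services" and has no
# active "dns forwarder" line (a commented-out line does not count).
check_smb_conf() {
    grep -Eq '^[[:space:]]*server services[[:space:]]*=.*-dns' "$1" &&
        ! grep -Eq '^[[:space:]]*dns forwarder[[:space:]]*=' "$1"
}

# Combined verdict: 0 = all checks passed, 1 = something is still wrong.
verify_host() {  # $1 netstat output, $2 named.conf.options, $3 smb.conf
    [ "$(port53_owner "$1")" = "named" ] && check_named_options "$2" && check_smb_conf "$3"
}

# Constructed samples: a healthy host, and one where Samba's internal DNS still holds port 53.
NETSTAT_OK='tcp     0    0 192.168.149.11:53    0.0.0.0:*    LISTEN      5291/named
tcp     0    0 0.0.0.0:22           0.0.0.0:*    LISTEN      812/sshd'
NETSTAT_BAD='tcp     0    0 0.0.0.0:53           0.0.0.0:*    LISTEN      1337/samba'

TMP=$(mktemp -d)
printf '[global]\n  server services = -dns\n  # dns forwarder =\n' > "$TMP/smb_ok.conf"
printf '[global]\n  dns forwarder = 1.1.1.1\n' > "$TMP/smb_bad.conf"
printf 'options {\n  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";\n};\n' > "$TMP/named_ok.conf"

if verify_host "$NETSTAT_OK" "$TMP/named_ok.conf" "$TMP/smb_ok.conf"; then
    echo "sample host: Bind-DLZ configuration looks consistent"
fi
```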

Congratulations, your configuration is moving forward and you have just taken another step towards a robust and effective Samba-AD installation.

Now, we will configure the NTP service so that your Samba-AD server and the workstations on your network all keep the right time and stay synchronized!