Installing and configuring Bind-DLZ for Samba-AD

Installing and configuring Bind-DLZ for Samba-AD on RedHatInstalling and configuring Bind-DLZ for Samba-AD on Debian

Warning

Tranquil IT, recommends to use DNS hybrid.

The Bind-DLZ method is now considered obsolete and has been replaced by the hybrid DNS mode, which is the recommended approach for integrating Bind9 with Samba AD since version 4.17.

Samba’s internal DNS server does not manage a cache, so it will make a request to the forwarder for every DNS request that doesn’t match its domain. The Bind-DLZ operation makes use of the Bind cache for recursion requests. The requests for the domain itself are passed to the DLZ module each time, it has no cache at this level.

The Bind-DLZ feature is not compatible with the multi-view feature of Bind.

Hint

Under RedHat10 and derived distributions, for Bind to work, you need to disable SElinux located in /etc/selinux/config and change the SELINUX parameter to disabled. To take this change into account, reboot the machine.

• Install the Bind and DLZ packages:

  yum install bind samba-dc-bind-dlz bind-utils
  

• Modify the options section of the file /etc/named.conf (remember to modify the forwarder):

  options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    forwarders { 1.1.1.1; }; # modify depending on your local DNS forwarder
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    minimal-responses yes;
  };
  logging {
    channel default_debug {
    file "data/named.run";
    severity dynamic;
    };
  };
  zone "." IN {
    type hint;
    file "named.ca";
    };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
  dlz "mydomain.lan" {
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
    };
  

• Disable IPv6 Bind on the local network in /etc/sysconfig/named:

  OPTIONS="-4"
  

Hint

The DLZ plugin must directly access Samba’s LDB databases (the equivalent of NTDS.DIT under Microsoft Active Directory). This mode of operation is certainly not optimal for the separation of services within the AD and this operation prevents the activation of SELinux. However, the DLZ plugin is required.

• In /etc/samba/smb.conf, add the following line and comment the line dns forwarders:

  [global]
  ...
  server services = -dns
  # dns forwarders =
  

Hint

The following commands will create an account in the AD server for the Bind server. This is not necessary if you do not want to benefit from dynamic updates (which may be desirable).

• Create two directories in /var/lib/samba:

  mkdir /var/lib/samba/bind-dns
  mkdir /var/lib/samba/bind-dns/dns
  

• Configure dynamic updates for DNS entries:

  samba_upgradedns --dns-backend=BIND9_DLZ
  

• Finally restart the samba and bind services:

  systemctl restart samba
  systemctl restart named
  

Ensuring the correct configuration of Bind and DLZ

• Ensure that it is the Bind server listening on port 53:

  netstat -tapn | grep 53
  
  tcp     0    0 192.168.149.11:53    0.0.0.0:*    LISTEN      5291/named
  

• Test local and recursive queries:

  dig @localhost google.fr
  dig @localhost srvads.mydomain.lan
  dig -t SRV @localhost _ldap._tcp.mydomain.lan
  

Congratulations, your configuration is moving forward and you have just taken another step towards the solidity and efficacy of your Samba-AD installation.

Now, we will configure the NTP service so that your Samba-AD and the workstations of your network are all on the right time and synchronized!!