.. Reminder for header structure:
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Installing and configuring Bind-DLZ for Samba-AD
  :keywords: installer, Bind-DLZ, configurer, documentation

.. _server_install_binddlz_redhat:

##########################################################
Installing and configuring Bind-DLZ for Samba-AD on RedHat
##########################################################

Although Samba-AD comes by default with its own internal DNS server, Tranquil IT recommends the use of Bind-DLZ.
Samba’s internal DNS server does not keep a cache, so it sends a request to the forwarder for every DNS query that does not match its own domain.
With Bind-DLZ, recursive queries benefit from the Bind cache.
Queries for the domain itself are passed to the DLZ module every time; there is no cache at that level.

The Bind-DLZ feature is not compatible with the multi-view feature of Bind.

.. hint::

  Under RedHat8 and derived distributions, Bind will only work with :abbr:`SElinux (Security Enhanced Linux)` disabled: edit :file:`/etc/selinux/config` and set the ``SELINUX`` parameter to *disabled*.
  Reboot the machine for this change to take effect.

* Install the Bind and DLZ packages:

  .. code-block:: bash

    yum install bind samba-dc-bind-dlz bind-utils

* Modify the options section of the file :file:`/etc/named.conf` (remember to modify the *forwarder*):

  .. code-block:: ini

    options {
      listen-on port 53 { any; };
      listen-on-v6 port 53 { ::1; };
      forwarders { 1.1.1.1; }; # modify depending on your local DNS forwarder
      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
      directory       "/var/named";
      dump-file       "/var/named/data/cache_dump.db";
      statistics-file "/var/named/data/named_stats.txt";
      memstatistics-file "/var/named/data/named_mem_stats.txt";
      allow-query { any; };
      allow-recursion { any; };
      allow-query-cache { any; };
      recursion yes;
      dnssec-enable no;
      dnssec-validation no;
      bindkeys-file "/etc/named.iscdlv.key";
      managed-keys-directory "/var/named/dynamic";
      pid-file "/run/named/named.pid";
      session-keyfile "/run/named/session.key";
      minimal-responses yes;
    };
    logging {
      channel default_debug {
        file "data/named.run";
        severity dynamic;
      };
    };
    zone "." IN {
      type hint;
      file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    dlz "mydomain.lan" {
      database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
    };

* Make Bind listen on IPv4 only by setting the following in :file:`/etc/sysconfig/named`:

  .. code-block:: ini

    OPTIONS="-4"

.. hint::

  The DLZ plugin must access Samba’s LDB databases directly (the equivalent of :file:`NTDS.DIT` under Microsoft Active Directory).
  This mode of operation is certainly not optimal for the separation of services within the AD, and it is the reason SELinux cannot be enabled.
  The DLZ plugin is nevertheless required.

* In :file:`/etc/samba/smb.conf`, add the following line and comment out the **dns forwarders** line:

  .. code-block:: ini

    [global]
    ...
    server services = -dns
    # dns forwarders =

.. hint::

  The following commands create an account in the AD for the Bind server.
  They are not necessary if you do not want to benefit from dynamic DNS updates (which may be desirable).

* Create two directories in :file:`/var/lib/samba`:

  .. code-block:: bash

    mkdir /var/lib/samba/bind-dns
    mkdir /var/lib/samba/bind-dns/dns

* Configure dynamic updates for DNS entries:

  .. code-block:: bash

    samba_upgradedns --dns-backend=BIND9_DLZ

* Finally restart the **samba** and **bind** services:

  .. code-block:: bash

    systemctl restart samba
    systemctl restart named

**************************************************
Ensuring the correct configuration of Bind and DLZ
**************************************************

* Check that the process listening on port 53 is the Bind server (``named``):

  .. code-block:: bash

    netstat -tapn | grep 53

    tcp     0    0 192.168.149.11:53    0.0.0.0:*    LISTEN      5291/named

* Test local and recursive queries:

  .. code-block:: bash

    dig @localhost google.fr
    dig @localhost srvads.mydomain.lan
    dig -t SRV @localhost _ldap._tcp.mydomain.lan
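
As an added example that is not part of this page nor of the Samba or Bind projects, the POSIX sh helpers below turn the two manual checks above (``netstat`` and ``dig``) into scriptable pass/fail tests, and add one check the page does not mention: a warning when the ``options`` block grants recursion to ``any``, which turns the DC into an open resolver if UDP/53 is reachable from untrusted networks. The function names and all sample output are my own constructions; on a real DC, pipe the live command output into the functions instead.

```shell
#!/bin/sh
# Added example (not from the Tranquil IT page, Samba or Bind): helpers that
# check the results of the verification steps. Run offline on constructed
# sample output below; on a real DC use e.g. `netstat -tapn | named_owns_port53`.

# Print the program name(s) holding a TCP listener on port 53, from
# `netstat -tapn` output read on stdin. Column 4 is the local address,
# column 6 the state and column 7 the PID/Program pair.
port53_owner() {
    awk '$1 == "tcp" && $4 ~ /:53$/ && $6 == "LISTEN" {
             split($7, p, "/"); print p[2]
         }' | sort -u
}

# Succeed only when every TCP/53 listener is named, i.e. Samba's internal DNS
# is really disabled (server services = -dns) and Bind took the port.
named_owns_port53() {
    owners=$(port53_owner)
    [ -n "$owners" ] || { echo "no TCP/53 listener found" >&2; return 1; }
    for o in $owners; do
        [ "$o" = "named" ] || { echo "unexpected TCP/53 listener: $o" >&2; return 1; }
    done
    return 0
}

# Count the SRV records in the ANSWER section of `dig -t SRV` output on stdin;
# comment lines (starting with ';') are skipped. Zero means the AD records
# are not being served through the DLZ module.
srv_answer_count() {
    awk '$1 !~ /^;/ && $4 == "SRV" { n++ } END { print n + 0 }'
}

# Succeed when the named.conf text on stdin allows recursion from any client.
# The options block on this page does that; restrict it to an ACL of your
# LAN prefixes before the DC is reachable from untrusted networks.
recursion_open_to_any() {
    grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*[{][[:space:]]*any[[:space:]]*;'
}

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.149.11:53       0.0.0.0:*               LISTEN      5291/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5291/named
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1203/smbd'

SAMPLE_NETSTAT_BAD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1100/samba'

SAMPLE_DIG_SRV=';; ANSWER SECTION:
_ldap._tcp.mydomain.lan. 900 IN SRV 0 100 389 srvads.mydomain.lan.
;; Query time: 0 msec'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT_OK"  | named_owns_port53 && echo "port 53: named (ok)"
printf '%s\n' "$SAMPLE_NETSTAT_BAD" | named_owns_port53 || echo "port 53: not named (fail)"
echo "SRV answers: $(printf '%s\n' "$SAMPLE_DIG_SRV" | srv_answer_count)"
printf '  allow-recursion { any; };\n' | recursion_open_to_any && echo "warning: open recursion"
```

The ``netstat`` parser deliberately requires *every* port-53 listener to be ``named``: a lingering Samba internal DNS on one address and Bind on another is exactly the half-migrated state that makes AD name resolution flaky.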

Congratulations, your configuration is moving forward and you have just taken another step towards the robustness and effectiveness of your Samba-AD installation.

Now, we will :ref:`configure the NTP service <server_install_ntp_redhat>` so that your Samba-AD and the workstations of your network all keep the right time and stay synchronized!