[Pkg-samba-maint] Bug#927747: bind9_dlz backend is entirely broken in Debian

Steinar H. Gunderson sesse at debian.org
Mon Apr 22 16:26:27 BST 2019 

Package: samba
Version: 2:4.9.5+dfsg-3
Severity: grave

Hi,

I upgraded a DC from stretch to buster, and DNS for AD (via bind9_dlz)
started failing in strange ways. (In particular, when I changed the IP address
of the DC, samba-tool dns query would return the correct addresses, but actual
DNS lookups would return the old ones.) It turns out that upstream, bind9_dlz
data has moved from /var/lib/samba/private to /var/lib/samba/bind-dns; however,
there's no notice about this anywhere, and the path does not exist in Debian.
(Thus, the .conf file in use didn't even mention the BIND 9.11 .so file, much
less load it.) Furthermore, if you try to remedy this problem yourself by
mkdir-ing the new directory and running samba_dnsupgrade, BIND will no longer
start due to AppArmor policies being out of date:

  [84419.640664] audit: type=1400 audit(1555945763.230:88): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9043 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
  [84486.581899] audit: type=1400 audit(1555945830.170:89): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9171 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0

Given that AppArmor now seems to be default on in buster, this breaks
the functionality completely, even for new installations (not just for
upgrades from stretch).

I would suppose that postinst needs to check whether BIND9_DLZ is in use,
and if so, run samba_upgradedns --dns-backend=BIND9_DLZ and then finally
pop up a message saying that the admin will have to change the .conf path
in named.conf.local. And the AppArmor profile will need to be fixed.

Even after this, I had to run samba_dnsupdate once with --use-samba-tool,
and then it would finally run without “dns_tkey_gssnegotiate: TKEY is
unacceptable” the next time.

-- System Information:
Debian Release: buster/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.6 (SMP w/40 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser              3.118
ii  dpkg                 1.19.6
ii  init-system-helpers  1.56+nmu1
ii  libbsd0              0.9.1-2
ii  libc6                2.28-8
ii  libldb1              2:1.5.1+really1.4.6-3
ii  libpam-modules       1.3.1-5
ii  libpam-runtime       1.3.1-5
ii  libpopt0             1.16-12
ii  libpython2.7         2.7.16-2
ii  libtalloc2           2.1.14-2
ii  libtdb1              1.3.16-2+b1
ii  libtevent0           0.9.37-1
ii  libwbclient0         2:4.9.5+dfsg-3
ii  lsb-base             10.2019031300
ii  procps               2:3.3.15-2
ii  python               2.7.16-1
pn  python-dnspython     <none>
pn  python-samba         <none>
ii  python2.7            2.7.16-2
pn  samba-common         <none>
pn  samba-common-bin     <none>
ii  samba-libs           2:4.9.5+dfsg-3
pn  tdb-tools            <none>
ii  update-inetd         4.49

Versions of packages samba recommends:
ii  attr                1:2.4.48-4
ii  logrotate           3.14.0-4
pn  samba-dsdb-modules  <none>
pn  samba-vfs-modules   <none>

Versions of packages samba suggests:
pn  bind9          <none>
pn  bind9utils     <none>
pn  ctdb           <none>
pn  ldb-tools      <none>
ii  ntp            1:4.2.8p12+dfsg-4
pn  smbldap-tools  <none>
pn  ufw            <none>
pn  winbind        <none>

More information about the Pkg-samba-maint mailing list