[Pkg-samba-maint] Bug#927747: Bug#927747: bind9_dlz backend is entirely broken in Debian

Cameron Davidson bugs at davidsoncj.id.au
Fri Oct 25 03:58:56 BST 2019


I would like to add my observations on this bug after upgrading from
stretch to 10.1.

The apparmor fixes seem OK so far.

My samba system was originally created by moving a samba-3 system from
CentOS 6 to Debian 9 and then using the samba tools to migrate to an
ad-dc system. I mention this, because that migration path, while
surprisingly smooth, was not without a need for some manual
intervention. So some of what I observed might be specific to my
situation, since it was not installed on Debian from scratch.

At the end of the Buster upgrade, everything seemed to be running OK,
however once I needed to make some changes to and check the bind9 config
the problems became apparent.

1. the bind config was still pointing at
/var/lib/samba/private/named.conf and that file was still loading the
9.10 library, rather than 9.11.

2. After fixing that, I ran the suggested test of "samba_dnsupdate
--verbose --all-names" and every line reported "failed".

3. I then tried the suggestion from the samba wiki of "samba_upgradedns
--dns-backend=BIND9_DLZ"

That failed due to the non-existence of the /var/lib/samba/bind-dns
directory, which led me to this bug report.

I manually created that directory, gave it what I guessed might be
suitable group ownership and permissions, and reran the samba_upgradedns
script.

The result of that was that there were no errors, and the program
reported that I needed to manually adjust the two entries in the bind9
config files to point to the new directory.


So it seems to me that the problem could be safely fixed by changing the
samba_upgradedns script to check for and create the bind-dns folder if
necessary. (I suppose that is an upstream issue and the full
ramifications would need to be considered)

Running this script in postinst would be appropriate, but you would
somehow need to determine that the user was already using the bind9_dlz
backend.


The result of the upgrade script running is that:

1. the new config file is created, that loads the correct version dlz
library (but "including" that file needs to be manually edited in main
bind9 config (options or local - wiki says .local, but mine was in
.options))

2. the gssapi-key file is created as a hard link between private and
bind-dns locations, so old config still works, but user is advised to
manually update the bind9 .options file.


Cameron.
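
As an added example (not part of the original message and not Samba's or Debian's own tooling): a shell check for the two conditions reported above, a named.conf that still loads the DLZ module for an older BIND and a missing bind-dns directory. The function names, the dlz_bind9_N.so naming and the layout of the sample config are assumptions of this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example. Function names and the sample config are hypothetical/constructed.

# Print the BIND version ("9.10", "9.11", ...) implied by the first uncommented
#   database "dlopen .../dlz_bind9_N.so";
# line in a Samba-generated named.conf. Prints nothing if no such line is active.
dlz_active_version() {
    sed -n 's|^[[:space:]]*database[[:space:]]*"dlopen[[:space:]].*/dlz_bind9_\([0-9][0-9]*\)\.so".*|9.\1|p' "$1" | head -n 1
}

# check_dlz CONF WANT_VERSION BIND_DNS_DIR
# Returns 0 when CONF loads the module for WANT_VERSION and BIND_DNS_DIR exists;
# otherwise prints each finding and returns 1.
# On a real host WANT_VERSION would be read from `named -v`.
check_dlz() {
    conf=$1; want=$2; dir=$3; rc=0
    have=$(dlz_active_version "$conf")
    if [ -z "$have" ]; then
        echo "no active dlz_bind9_N.so line in $conf"; rc=1
    elif [ "$have" != "$want" ]; then
        echo "$conf loads the BIND $have module, but BIND $want is installed"; rc=1
    fi
    if [ ! -d "$dir" ]; then
        echo "missing directory $dir"; rc=1
    fi
    return $rc
}

# Write a constructed named.conf to PATH with the 9.<ACTIVE> line uncommented.
write_sample_conf() {   # write_sample_conf PATH ACTIVE   (ACTIVE: 9, 10 or 11)
    {
        echo 'dlz "AD DNS Zone" {'
        for n in 9 10 11; do
            if [ "$n" = "$2" ]; then mark=''; else mark='# '; fi
            printf '    # For BIND 9.%s.x\n' "$n"
            printf '    %sdatabase "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_%s.so";\n' "$mark" "$n"
        done
        echo '};'
    } > "$1"
}

# Demo on constructed input: a 9.10 config left behind on a host running BIND 9.11,
# with no bind-dns directory present.
tmp=$(mktemp -d)
write_sample_conf "$tmp/named.conf" 10
check_dlz "$tmp/named.conf" 9.11 "$tmp/bind-dns" || echo "=> config needs attention"
rm -rf "$tmp"
```

On the system described in the message, the arguments would be /var/lib/samba/private/named.conf and /var/lib/samba/bind-dns.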
