As this seems the best place to put it, samba version
4.3.11+dfsg-0ubuntu0.16.04.1 adds a new file
/var/lib/samba/private/named.conf.update to bind's config when using the
BIND9_FLATFILE config.

According to the sample named.conf generated by samba's domain
provisioning command, it's an empty file that's populated at runtime by
samba for defining what domain controllers can issue a DNS record update
to bind, and what records they are permitted to update.

By default, bind's access to this file is also blocked by apparmor.

When using the BIND9_DLZ config, apparmor still blocks access to the
/var/lib/samba/private/named.conf file, in addition to the
/var/lib/samba/private/dns/sam.ldb file. Fixing apparmor allows bind and
samba to work as intended.

According to
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
the BIND9_FLATFILE config option is unsupported and will be removed in a
future release of samba, which means only BIND9_DLZ will work at that
point. The reason I bring it up is that bug#127184 wants to put bind
into a chroot, which will currently break BIND9_DLZ as it requires
access to samba's libraries and database files (as per
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End ). As such,
currently this bug would be in opposition to bug#127184 unless both
samba and bind were placed in the same chroot.

** Attachment added: "Journalctl logs for bind's apparmor access blocks"
   https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/975973/+attachment/4794588/+files/apparmor_blocks.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/975973

Title:
  Please integrate Samba 4 with bind9 package
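
Added example, not part of the original bug comment or of the samba or bind packages: a small parser that reads AppArmor denial lines for named from journal output and lists the least-privilege file rules they imply, for review before the profile is changed. The log lines are constructed, and the profile name `/usr/sbin/named` and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample journal lines (not taken from the bug's attachment).
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1482228062.101:31): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=2101 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
kernel: audit: type=1400 audit(1482228062.140:32): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=2101 comm="named" requested_mask="rw" denied_mask="rw" fsuid=113 ouid=0
kernel: audit: type=1400 audit(1482228062.152:33): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=2101 comm="named" requested_mask="k" denied_mask="k" fsuid=113 ouid=0
kernel: audit: type=1400 audit(1482228070.009:34): apparmor="DENIED" operation="mknod" profile="/usr/sbin/tcpdump" name="/tmp/capture.pcap" pid=2200 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1482228075.300:35): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/extra.conf" pid=2101 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
"""

# key="quoted value" or key=bare_value pairs in an audit record.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks "c" (create) and "d" (delete) are granted by "w" in a profile rule.
LOG_TO_RULE = {"c": "w", "d": "w"}
# Permissions emitted, in a stable order. Exec ("x") is left out on purpose:
# it needs a transition qualifier that a log line cannot choose for you.
ORDER = "rwakm"

def denied_paths(log_text, profile="/usr/sbin/named"):
    """Map each path denied under `profile` to the set of rule letters needed."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        # Skip complain-mode (ALLOWED) records and other confined programs.
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue
        if "name" in fields:
            mask = fields.get("denied_mask", "")
            denied[fields["name"]].update(LOG_TO_RULE.get(c, c) for c in mask)
    return dict(denied)

def candidate_rules(denied):
    """Render one exact-path rule per file; no globs, so nothing extra is granted."""
    rules = []
    for path in sorted(denied):
        perms = "".join(c for c in ORDER if c in denied[path])
        if perms:
            rules.append(f"  {path} {perms},")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(denied_paths(SAMPLE_LOG))))
```

Each emitted rule names a single file with only the access that was actually denied, which keeps the named profile from being opened to the whole of samba's private directory.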
