Patch for Bug #27457:

Since upstream commit 341979cc9a14fa0ab1cbb60ae81ce1fb985d0f0e the dlz_bind9 no longer looks into the domain partition for DNS zones but instead uses two separate application partitions. This is according to the behaviour of an AD domain with domain function level 2003. Samba Alpha17 (UCS 3.0) used the Windows 2000 style approach of storing the DNS data in the main domain partition.

For the upstream switch from domain partition to application partitions the following steps were necessary, quoting the upstream commit message:

=================================================================
s4-provision: Create a samdb copy for access by dlz_bind9 module

This creates a copy of rootdse, configuration and schema partitions for dlz_bind9 use in dns/ directory. Since dlz_bind9 requires write access to DNS partitions (DomainDnsZones and ForestDnsZones), those partitions are hard-linked (or symlinked) to the actual partitions. An empty domain partition is created so samdb layer can work.
=================================================================

Effectively the final sentence means that the dlz_bind9 no longer reads the current domain partition data, but only a dummy. Tests show that this is actually necessary, because otherwise it would load zones twice, first from the old place in the domain partition and second in the new application partition "CN=MicrosoftDNS,DC=DomainDnsZones,$ldap_base". Loading zones twice makes named abort operations.

This patch restores the old behaviour of reading DNS data from the main domain partition, if any DNS zone is found there. This seems necessary to maintain compatibility with UCS 3.0-x systems in the domain, which probably will not replicate the application partitions properly yet. If they did, they would probably suddenly suffer the same named problem of duplicate zone loading.

Note that this patch is the first step to solve this situation. The basic idea is:

1.
Due to this patch for UCS 3.1 dlz_bind9 reads from the proper /var/lib/samba/private/sam.ldb, thus picking up the pre-2k3 zones. If it finds a pre-2k3 zone, it neglects the 2k3 application partitions. ( /var/lib/samba/private/sam.ldb.d/CN=.*DNSZONES,$ldap_base.ldb ) 2. If all systems in the domain are enforced to be UCS 3.1 before the update to UCS 3.2 we could remove this patch, such that: dlz_bind9 reads from /var/lib/samba/private/dns/sam.ldb which contains a hardlink /var/lib/samba/private/dns/sam.ldb.d/CN=DOMAINDNSZONES,$ldap_base.ldb but does not contain the Windows 2000 DNS data of the real domain partition. The problem then comes down to migrating the existing DNS data from the domain partition to the application partition and for the S4 connector to accept the new DNs. Once all DNS Zones are removed from the domain partition, the zones on the application partitions will be used automatically. diff -Nuarp -x '*.orig' samba4-4.0.0~rc2.orig/source4/dns_server/dlz_bind9.c samba4-4.0.0~rc2/source4/dns_server/dlz_bind9.c --- samba4-4.0.0~rc2.orig/source4/dns_server/dlz_bind9.c 2012-11-27 12:38:50.000000000 +0100 +++ samba4-4.0.0~rc2/source4/dns_server/dlz_bind9.c 2012-11-26 15:22:32.180000376 +0100 @@ -640,7 +640,7 @@ _PUBLIC_ isc_result_t dlz_create(const c } if (state->options.url == NULL) { - state->options.url = lpcfg_private_path(state, state->lp, "dns/sam.ldb"); + state->options.url = lpcfg_private_path(state, state->lp, "sam.ldb"); if (state->options.url == NULL) { result = ISC_R_NOMEMORY; goto failed; @@ -1107,6 +1107,7 @@ _PUBLIC_ isc_result_t dlz_configure(dns_ TALLOC_CTX *tmp_ctx; struct ldb_dn *dn; int i; + bool zone_found = false; state->log(ISC_LOG_INFO, "samba_dlz: starting configure"); if (state->writeable_zone == NULL) { 
@@ -1163,6 +1164,12 @@ _PUBLIC_ isc_result_t dlz_configure(dns_ return result; } state->log(ISC_LOG_INFO, "samba_dlz: configured writeable zone '%s'", zone); + zone_found = true; + } + + // skip the application partitions if there is a pre-2k3 zone on the domain partition + if (!strcmp(zone_prefixes[i], "CN=MicrosoftDNS,CN=System") && zone_found) { + break; } }
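Review bot: In the dlz_create hunk, the default url is switched from "dns/sam.ldb" back to "sam.ldb" without a comment, so named now opens the real private sam.ldb (and, through it, the real domain partition) instead of the dns/ copy that the quoted upstream commit created precisely because dlz_bind9 needs write access to the DNS partitions. Since the description says this default is meant to be reverted again in step 2, please add a short comment at the changed line referencing Bug #27457 and the pre-2k3 zone reason, and state in the description that the process running dlz_bind9 must be able to open private/sam.ldb read-write under this layout.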
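Review bot: In the dlz_configure hunks, `zone_found` is set to true for every writeable zone configured by any prefix, but the early `break` only checks `zone_prefixes[i] == "CN=MicrosoftDNS,CN=System"`, so the skip of the application partitions is only correct if that prefix is the first entry in `zone_prefixes`; the array is not part of the hunk, so either add a comment stating that ordering requirement next to the `bool zone_found = false;` declaration or reset the flag per prefix and test it right after the domain partition has been scanned. Two smaller points: the flattened hunk makes it hard to confirm that the `break` lands in the outer prefix loop rather than in the per-zone loop, so please double-check the brace placement, and the `//` comment should be a `/* ... */` comment to match the rest of dlz_bind9.c.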