Comment 5 for bug 975973

Patrick Hibbs (codebase7) wrote:

As this seems the best place to put it, samba version 4.3.11+dfsg-0ubuntu0.16.04.1 adds a new file /var/lib/samba/private/named.conf.update to bind's config when using the BIND9_FLATFILE config.

According to the sample named.conf generated by samba's domain provisioning command, it's an empty file that's populated at runtime by samba for defining what domain controllers can issue a DNS record update to bind, and what records they are permitted to update.

By default, bind's access to this file is also blocked by apparmor.

When using the BIND9_DLZ config, apparmor still blocks access to the /var/lib/samba/private/named.conf file, in addition to the /var/lib/samba/private/dns/sam.ldb file. Fixing apparmor allows bind and samba to work as intended.

According to https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

the BIND9_FLATFILE config option is unsupported and will be removed in a future release of samba, which means only BIND9_DLZ will work at that point. The reason I bring it up is that bug#127184 wants to put bind into a chroot, which will currently break BIND9_DLZ as it requires access to samba's libraries and database files. (As per: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End ) As such currently this bug would be in opposition to bug#127184 unless both samba and bind were placed in the same chroot.
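The comment above describes AppArmor blocking named's access to Samba's named.conf, named.conf.update and dns/sam.ldb, and says that "fixing apparmor" resolves it. The usual way to fix it without granting more than necessary is to read the kernel's `apparmor="DENIED"` lines and turn exactly the denied paths and permission masks into rules for the local override of the named profile. The script below is an added example written for this page, not code from the bug report, the Ubuntu packages or Samba. It assumes the Ubuntu profile name `/usr/sbin/named` and the override file `/etc/apparmor.d/local/usr.sbin.named`; the log lines in `SAMPLE_DENIALS` are constructed (timestamps, PIDs and uids are made up, the paths are the three from the comment), and the unrelated `/usr/sbin/ntpd` line is there only to show that other profiles are filtered out.

```shell
#!/bin/sh
# Turn AppArmor DENIED log lines for one profile into a minimal set of file rules.
# Constructed sample log lines in the format produced by the kernel (dmesg /
# journalctl -k). Paths are the ones named in the bug comment; everything else
# (timestamps, PIDs, uids) is made up for the example.
SAMPLE_DENIALS='audit: type=1400 audit(1462377592.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=7893 comm="named" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1462377592.102:42): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf.update" pid=7893 comm="named" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1462377592.103:43): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=7893 comm="named" requested_mask="rw" denied_mask="rw" fsuid=110 ouid=0
audit: type=1400 audit(1462377592.104:44): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=7893 comm="named" requested_mask="k" denied_mask="k" fsuid=110 ouid=0
audit: type=1400 audit(1462377592.105:45): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/example.conf" pid=9999 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# denials_to_rules PROFILE LOGTEXT
# Prints one AppArmor file rule per denied path, merging the permission letters
# seen for the same path (so an "rw" open plus a "k" lock becomes "rwk").
# Paths containing spaces are not handled; review the output before applying it.
denials_to_rules() {
    profile="$1"
    printf '%s\n' "$2" |
    grep -F 'apparmor="DENIED"' |
    grep -F "profile=\"$profile\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
    awk '
    {
        path = $1; mask = $2
        for (i = 1; i <= length(mask); i++) {
            c = substr(mask, i, 1)
            # create ("c") and delete ("d") are granted by "w" in a rule
            if (c == "c" || c == "d") c = "w"
            seen[path, c] = 1
        }
        paths[path] = 1
    }
    END {
        # canonical letter order; exec ("x") is left out because an exec rule
        # needs a qualifier (ix/px/ux) that must be chosen by hand
        order = "rwkml"
        for (p in paths) {
            perm = ""
            for (i = 1; i <= length(order); i++) {
                c = substr(order, i, 1)
                if ((p, c) in seen) perm = perm c
            }
            printf "%s %s,\n", p, perm
        }
    }' | LC_ALL=C sort
}

# suggest_override PROFILE LOGTEXT
# Wraps the rules in a comment header describing where they belong. Assumption:
# the shipped profile includes <local/usr.sbin.named>, as Ubuntu's does.
suggest_override() {
    echo "# Rules derived from AppArmor denials for $1; review, then append to"
    echo "# /etc/apparmor.d/local/usr.sbin.named and reload with:"
    echo "#   apparmor_parser -r /etc/apparmor.d/usr.sbin.named"
    denials_to_rules "$1" "$2"
}

# Stand-alone run over the constructed sample; on a real host replace the
# sample with: journalctl -k | grep 'apparmor="DENIED"'
suggest_override /usr/sbin/named "$SAMPLE_DENIALS"
```

For the sample above the rules come out as `/var/lib/samba/private/dns/sam.ldb rwk,`, `/var/lib/samba/private/named.conf r,` and `/var/lib/samba/private/named.conf.update r,`, i.e. only the three paths the comment mentions and only the access named actually attempted. Running the real log through the same filter, rather than opening up `/var/lib/samba/**` wholesale, keeps the profile at least-privilege, and the same output makes it obvious which files a BIND9_DLZ setup needs inside any chroot the bug#127184 proposal would introduce.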