[Samba] sernet documentation
Rowland Penny
rowlandpenny241155 at gmail.com
Wed Aug 26 22:04:57 UTC 2015
On 26/08/15 22:56, Mark Foley wrote:
> I've been using bind9 and DHCP on Samba 4.1.0 through 4.1.17 and Slackware 64 14.1
> for many months now in a production environment and it works just fine. There
> are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
>
> Note, conf file locations are Slackware, but you'll know where the same thing
> goes in your distro. In the examples below, my Domain IP range is
> 192.168.0.0/24. My AD/DC (also DNS and DHCP server and router) is 192.168.0.2.
> My domain name is hprs.local.
>
> First off, I provisioned my Samba as follows:
>
> $ samba-tool domain provision --use-rfc2307 \
> --server-role='dc' --realm=hprs.local --domain=HPRS \
> --adminpass='password' --dns-backend=BIND9_FLATFILE \
> --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>
>
> In the standard /etc/named.conf, in the option section you need:
>
> ----------snip-----------
> options {
>
> forwarders { // These are the ISP provided name servers
> 66.193.88.3;
> 66.192.88.4;
> };
>
> allow-query { // Permit querying by others in the domain
> 192.168.0.0/24;
> 127.0.0.1;
> };
> };
> ----------un-snip-----------
>
> I've kept my local zone files defined in this named.conf:
>
> ----------snip-----------
> zone "localhost" IN {
> type master;
> file "/var/named/db.local";
> };
>
> zone "127.in-addr.arpa" IN {
> type master;
> file "/var/named/db.127";
> };
> ----------un-snip-----------
>
> but now I reference Samba's config files for the domain stuff:
>
> ----------snip-----------
> include "/etc/samba/private/named.conf";
> ----------un-snip-----------
>
> Complete /etc/named.conf file:
>
> ----------snip-----------
> options {
> // directory "/var/named";
>
> forwarders { // These are the ISP provided name servers
> 209.18.47.61;
> 209.18.47.62;
> };
>
> allow-query { // Permit querying by others in the domain
> 192.168.0.0/24;
> 127.0.0.1;
> };
> };
>
> zone "localhost" IN {
> type master;
> file "/var/named/db.local";
> };
>
> zone "127.in-addr.arpa" IN {
> type master;
> file "/var/named/db.127";
> };
>
> include "/etc/samba/private/named.conf";
> ----------un-snip-----------
>
> The samba-tool provisioning step will have created the referenced
> /etc/samba/private/named.conf file. Listed below is this file with my changes.
>
> I've commented out line 15.
>
> More importantly, the domain Windows workstations will want to update the zone
> files via Samba. If they cannot, you will continuously get the syslog message:
>
> syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
>
> Hence the "allow-update" in lines 8 and 25.
>
> Finally, I've added the "optional" reverse zone in lines 23-26.
>
> ----------snip-----------
> 1 # This file should be included in your main BIND configuration file
> 2 #
> 3 # For example with
> 4 # include "/etc/samba/private/named.conf";
> 5
> 6 zone "hprs.local." IN {
> 7 type master;
> 8 allow-update { 192.168.0.0/24; 127.0.0.1; }; // local DHCP server
> 9 file "/etc/samba/private/dns/hprs.local.zone";
> 10 /*
> 11 * the list of principals and what they can change is created
> 12 * dynamically by Samba, based on the membership of the domain controllers
> 13 * group. The provision just creates this file as an empty file.
> 14 */
> 15 # include "/etc/samba/private/named.conf.update";
> 16
> 17 /* we need to use check-names ignore so _msdcs A records can be created */
> 18 check-names ignore;
> 19 };
> 20
> 21 # The reverse zone configuration is optional.
> 22
> 23 zone "0.168.192.in-addr.arpa" in {
> 24 type master;
> 25 allow-update { 192.168.0.0/24; 127.0.0.1; }; // local DHCP server
> 26 file "/etc/samba/private/dns/db.192.168.0";
> 27 };
> 28
> 29 # Note that the reverse zone file is not created during the provision process.
> 30
> 31 # The most recent BIND versions (9.8 or later) support secure GSS-TSIG
> 32 # updates. If you are running an earlier version of BIND, or if you do not wish
> 33 # to use secure GSS-TSIG updates, you may remove the update-policy sections in
> 34 # both examples above.
> ----------un-snip-----------
>
> For DNS, that's about it. I hand-tweaked a few things in the samba-tool
> provisioned zone files to change the hostmaster email address and the various
> refresh, retry, etc. timers. I'll not post those unless you need them because
> they can be fairly lengthy. Except, you mentioned static IP. As an example, I
> just added the following to my /etc/samba/private/dns/hprs.local.zone file:
>
> $TTL 3600 ; 1 hour
> vaio A 192.168.0.102
>
> Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
> these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.
>
> For DHCP, I've simply added the following to my dhcpd.conf. All these are
> important, but the first 4 are needed for Samba to be able to update leases on
> behalf of clients.
>
> ----------snip-----------
> ddns-updates on;
> update-static-leases on;
> allow unknown-clients; # default, deprecated (man dhcpd.conf)
> ignore client-updates; # see https://www.centos.org/forums/viewtopic.php?t=29256, man dhcpd.conf: ignore client-updates
> ddns-update-style interim;
>
> zone hprs.local. { primary 192.168.0.2; }
> zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }
>
> subnet 192.168.0.0 netmask 255.255.255.0 {
> option routers 192.168.0.2;
> range 192.168.0.100 192.168.0.254;
> option domain-name-servers 192.168.0.2;
> option domain-name "hprs.local";
> ddns-domainname = "hprs.local.";
> ddns-rev-domainname = "in-addr.arpa.";
> }
>
> # Example of DHCP static IP
>
> host ricoh {
> hardware ethernet 00:26:73:55:63:AB;
> fixed-address 192.168.0.20;
> }
> ----------un-snip-----------
>
> This all works just fine. I've routed my log messages for DNS and DHCPD to
> their own file (not shown) and I can tail -f this file and see REQUESTs and ACKs
> scrolling by in fine style.
>
> Not to put too much in one message, but I had to do the following on each Windows
> workstation (command line) to get time to synchronize with ntpd where "mail" is
> the hostname of my AD/DC and domain time server:
>
> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
> w32tm /config /update
>
> reference: https://www.meinbergglobal.com/english/info/ntp-w32time.htm
>
> Hope this helps
>
> --Mark
>
> -----Original Message-----
>> Date: Wed, 26 Aug 2015 21:28:55 +0100
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: Robert Moskowitz <rgm at htt-consult.com>, samba at lists.samba.org
>> Subject: Re: [Samba] sernet documentation
>>
>> On 26/08/15 21:07, Robert Moskowitz wrote:
>>>
>>> On 08/26/2015 03:50 PM, Rowland Penny wrote:
>>>> On 26/08/15 20:39, Robert Moskowitz wrote:
>>>>>
>>>>> On 08/26/2015 03:26 PM, Rowland Penny wrote:
>>>>>> On 26/08/15 20:14, Robert Moskowitz wrote:
>>>>>>> One of the Centos 7 arm developers built the sernet 4.2 for me to
>>>>>>> start testing.
>>>>>>>
>>>>>>> http://repo.shivaserv.fr/centos/7/shivaserv-sernet.repo
>>>>>>>
>>>>>>> and
>>>>>>>
>>>>>>> http://repo.shivaserv.fr/centos/7/sernet/armv7hl/
>>>>>>>
>>>>>>> Since these were built on qemu, not requiring specific armv7
>>>>>>> hardware, Perhaps at some point they can be adopted by Sernet. But
>>>>>>> for now, how to test....
>>>>>>>
>>>>>>> I don't see any specific Sernet documentation. Like what is here
>>>>>>> and how to set it up, perhaps different, from generic Samba 4.
>>>>>>>
>>>>>>> I searched the sernet web site and this list and came up empty,
>>>>>>> but my search foo is weak.
>>>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> If Sernet just built samba for ARM, I do not think that it should
>>>>>> be any different to set up, so just follow the relevant
>>>>>> documentation on the samba wiki:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Main_Page
>>>>> I was thinking that PERHAPS the sernet build could have specific
>>>>> configs for BIND and DHCP at the least. Unless Samba has already
>>>>> included these. For things like DYNDNS.
>>>>>
>>>> Could you be a bit more specific, you can use Bind with samba4 but it
>>>> is up to the sysadmin to set this up, though there is a page on the
>>>> samba wiki. DHCP, again the sysadmin will have to set this, but there
>>>> is not much on the wiki about this, but if all else fails, I can help
>>>> with this. Finally, I don't see where DYNDNS comes in here.
>>> Plowing through the wiki...
>>>
>>> I see where if I use the internal DNS provided, I will have to set up
>>> a forwarder. No problem, I have done that a lot. But I plan on using
>>> a private tld, htt. and the zone home.htt. I want these zones known
>>> to other systems on my network, so I want to slave them to my main DNS
>>> internal servers (I actually have a production and 2 distinct test DNS
>>> servers). Perhaps I will find in the wiki how to do this, or find my
>>> old notes.
>>>
>>> Are workstations assigned DNS entries when they get their DHCP lease?
>>> So that 'den' becomes den.home.htt and diningroom becomes
>>> diningroom.home.htt? That is what I would think DYNDNS would be
>>> doing. Of course the file servers, nevia and vega would be
>>> nevia.home.htt and vega.home.htt? But since these are statically
>>> assigned, again, I am assuming there are ways to get them into the
>>> internal DNS.
>> Unless things have changed, DHCP doesn't work with the samba internal
>> DNS server, it does however work with the Bind9 DNS server, I have been
>> using it since Dec 2012 on my home network 192.168.0.0/24 with the
>> domain name of home.lan. To get the domain name applied to the clients,
>> you just have to set them to ask for it and the DHCP to send it. As for
>> the static clients, you can use samba-tool to add these.
>>
>>> Finally I am testing on one RFC1918 subnet (check out the authors of
>>> 1918) and then will move all the servers to another one. what will I
>>> need to do for this migration?
>>>
>> What do you need to migrate ? if you set the first DC in a domain and
>> then add another DC, all the AD database will be replicated to it.
>>
>> Rowland
>>
>> PS: you wouldn't be the B. Moskowitz from RFC would you ? (if you are,
>> sorry but until this post, I had never heard of you :-) )
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
Ah, but what if you have Unix clients, and what about the reverse zone?
Rowland
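
Editor's note with an added example (the script below is not from the thread, from Samba or from ISC): the allow-update ACLs quoted above make every host in 192.168.0.0/24 an authorised updater of the AD zone. BIND matches allow-update addresses against the source IP of the UPDATE packet and performs no other authentication, so any workstation on that network (or a forged UDP source address) can overwrite the DC's A record or the _msdcs SRV records that domain members use to locate Kerberos and LDAP. The commented-out named.conf.update include is where Samba writes its GSS-TSIG update-policy grants, and BIND rejects a zone that carries both allow-update and update-policy, so keeping that include means expressing the DHCP server's access as a TSIG-keyed grant rather than an address range. The script audits a named.conf for exactly this: it strips BIND's three comment styles, walks each zone stanza by brace matching, and classifies the update control as open, key, local, policy or static. WEAK_CONF is a constructed copy of the quoted file; HARDENED_CONF is a constructed alternative in which dhcpd signs its updates with a TSIG key named dhcp-update (the key name and base64 secret are placeholders) and the forward zone uses update-policy so that grant can sit beside Samba's.

```python
"""Audit BIND named.conf zone stanzas for overly permissive dynamic-update ACLs.

Added example for this thread; not code from the original post, Samba or ISC.
Verdicts: open (allow-update names an address/prefix, so any host there, or a
forged UDP source, can rewrite the zone), key (TSIG key only), local (loopback
only), policy (update-policy grants) or static (no dynamic updates at all).
"""
import re

# Constructed sample mirroring the file quoted in the thread: open to the LAN.
WEAK_CONF = """
zone "hprs.local." IN {
    type master;
    allow-update { 192.168.0.0/24; 127.0.0.1; }; // local DHCP server
    file "/etc/samba/private/dns/hprs.local.zone";
    # include "/etc/samba/private/named.conf.update";
    check-names ignore;
};
zone "0.168.192.in-addr.arpa" in {
    type master;
    allow-update { 192.168.0.0/24; 127.0.0.1; }; // local DHCP server
    file "/etc/samba/private/dns/db.192.168.0";
};
"""
# Constructed hardened variant.  The forward zone uses update-policy so that a
# TSIG grant for dhcpd can sit beside Samba's GSS-TSIG grants (BIND allows only
# one of allow-update / update-policy per zone); the reverse zone, updated by
# dhcpd alone, just keys allow-update.  Key name and secret are placeholders.
HARDENED_CONF = """
key "dhcp-update" { algorithm hmac-sha256; secret "c2VjcmV0LXBsYWNlaG9sZGVy"; };
zone "hprs.local." IN {
    type master;
    file "/etc/samba/private/dns/hprs.local.zone";
    update-policy {
        grant dhcp-update subdomain hprs.local. ANY;
        /* Samba's per-DC GSS-TSIG grants would be listed here as well. */
    };
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/samba/private/dns/db.192.168.0";
    allow-update { key dhcp-update; };
};
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN|CH|HS)?\s*\{', re.I)

def strip_comments(text):
    """Remove BIND's three comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def zone_blocks(text):
    """Yield (zone_name, body); braces are matched so nested blocks such as
    update-policy { ... } stay inside the body."""
    text = strip_comments(text)
    for m in ZONE_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def acl_entries(body, stmt):
    """Entries of `stmt { a; b; };` inside body, or None if the statement is absent."""
    m = re.search(r"\b" + stmt + r"\s*\{([^}]*)\}", body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def classify_update_acl(entries):
    """Map an allow-update list to (verdict, offending_entries)."""
    if entries is None or entries == ["none"]:
        return "static", []
    # Addresses, prefixes, "any" and acl names are all matched by source IP
    # only; a named acl is flagged conservatively since it may hold addresses.
    unauthenticated = [e for e in entries if e not in LOOPBACK and not e.startswith("key")]
    if unauthenticated:
        return "open", unauthenticated
    return ("key" if any(e.startswith("key") for e in entries) else "local"), []

def audit(conf):
    """Return {zone_name: (verdict, offending_entries)} for every master zone."""
    report = {}
    for name, body in zone_blocks(conf):
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue  # slave/forward zones take no updates
        if re.search(r"\bupdate-policy\s*\{", body):
            report[name] = ("policy", [])
        else:
            report[name] = classify_update_acl(acl_entries(body, "allow-update"))
    return report

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for zone, (verdict, bad) in audit(conf).items():
            print(f"{label:9}{zone:26}{verdict:8}{' '.join(bad)}")
```

Running it prints one line per master zone; for WEAK_CONF both zones come out as open on 192.168.0.0/24, while HARDENED_CONF reports policy for the forward zone and key for the reverse zone. On the dhcpd side of the hardened setup the same key goes into dhcpd.conf as a key stanza with the same algorithm and secret, and each zone declaration gains "key dhcp-update;" next to its primary, so the updates dhcpd sends are signed. A related caveat on the static records discussed above: a zone that accepts dynamic updates is rewritten by named from its journal file, which is why entries typed into hprs.local.zone were "clobbered"; add them with nsupdate (or samba-tool dns add), or freeze the zone with rndc freeze before editing the file and rndc thaw afterwards.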