[Samba] Securing DHCP, with DDNS

Rowland Penny rpenny at samba.org
Tue Jan 26 16:07:55 UTC 2016


On 26/01/16 15:33, Sam wrote:
> Hello All,
>
> I have 2 Samba4 AD servers with dhcpd and dynamic DNS.
> I understand that for now it's not possible to have 2 DHCP
> servers running at the same time.
> So I would have only one DHCP server running at a time.
> If the first server has a problem, I want to manually start the
> isc-dhcp service on the second to rescue the system.
>
> But it's not working as I expected...
>
> If I switch off the isc-dhcp service on the first DC and switch it on on the
> other one, I get these errors:
>
> ipconfig /release
> Jan 26 11:41:36 S4 named[2308]: samba_dlz: starting transaction on 
> zone ariane.intra
> Jan 26 11:41:36 S4 named[2308]: client 172.20.4.2#54917: update 
> 'ariane.intra/IN' denied
> Jan 26 11:41:36 S4 named[2308]: samba_dlz: cancelling transaction on 
> zone ariane.intra
> Jan 26 11:41:36 S4 named[2308]: samba_dlz: starting transaction on 
> zone ariane.intra
> Jan 26 11:41:36 S4 named[2308]: samba_dlz: disallowing update of 
> signer=client7-pcbis\$\@ARIANE.INTRA name=client7-PCbis.ariane.intra 
> type=A error=insufficient access rights
> Jan 26 11:41:36 S4 named[2308]: client 172.20.4.2#65046: updating zone 
> 'ariane.intra/NONE': update failed: rejected by secure update (REFUSED)
> Jan 26 11:41:36 S4 named[2308]: samba_dlz: cancelling transaction on 
> zone ariane.intra
>
> ipconfig /renew
> Jan 26 11:43:22 S4 dhcpd: DHCPDISCOVER from 00:50:56:8f:55:b6 via eth0
> Jan 26 11:43:23 S4 dhcpd: DHCPOFFER on 172.20.4.2 to 00:50:56:8f:55:b6 
> (client7-PCbis) via eth0
> Jan 26 11:43:23 S4 dhcpd: execute_statement argv[0] = 
> /etc/dhcp/bin/dhcp-dyndns-debian.sh
> Jan 26 11:43:23 S4 dhcpd: execute_statement argv[1] = add
> Jan 26 11:43:23 S4 dhcpd: execute_statement argv[2] = 172.20.4.2
> Jan 26 11:43:23 S4 dhcpd: execute_statement argv[3] = client7-PCbis
> Jan 26 11:43:23 S4 dhcpd: execute_statement argv[4] = 0:50:56:8f:55:b6
> Jan 26 11:43:23 S4 dhcpd: DHCPREQUEST for 172.20.4.2 (172.20.2.2) from 
> 00:50:56:8f:55:b6 (client7-PCbis) via eth0
> Jan 26 11:43:23 S4 dhcpd: DHCPACK on 172.20.4.2 to 00:50:56:8f:55:b6 
> (client7-PCbis) via eth0
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: starting transaction on 
> zone ariane.intra
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of 
> signer=dhcpd-user\@ARIANE.INTRA name=client7-PCbis.ariane.intra 
> tcpaddr=172.20.2.2 type=A key=1616985151.sig-s4.ariane.intra/160/0
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of 
> signer=dhcpd-user\@ARIANE.INTRA name=client7-PCbis.ariane.intra 
> tcpaddr=172.20.2.2 type=A key=1616985151.sig-s4.ariane.intra/160/0
> Jan 26 11:43:23 S4 named[2308]: client 172.20.2.2#57599: updating zone 
> 'ariane.intra/NONE': deleting rrset at 'client7-PCbis.ariane.intra' A
> Jan 26 11:43:23 S4 named[2308]: client 172.20.2.2#57599: updating zone 
> 'ariane.intra/NONE': adding an RR at 'client7-PCbis.ariane.intra' A
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: added rdataset 
> client7-PCbis.ariane.intra 
> 'client7-PCbis.ariane.intra.#0113600#011IN#011A#011172.20.4.2'
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: subtracted rdataset 
> ariane.intra 'ariane.intra.#0113600#011IN#011SOA#011s4.ariane.intra. 
> admin.ariane.intra. 98438 900 600 86400 3600'
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: added rdataset ariane.intra 
> 'ariane.intra.#0113600#011IN#011SOA#011s4.ariane.intra. 
> admin.ariane.intra. 98439 900 600 86400 3600'
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: committed transaction on 
> zone ariane.intra
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: starting transaction on 
> zone 4.20.172.in-addr.arpa
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of 
> signer=dhcpd-user\@ARIANE.INTRA name=2.4.20.172.in-addr.arpa 
> tcpaddr=172.20.2.2 type=PTR key=1880656139.sig-s4.ariane.intra/160/0
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of 
> signer=dhcpd-user\@ARIANE.INTRA name=2.4.20.172.in-addr.arpa 
> tcpaddr=172.20.2.2 type=PTR key=1880656139.sig-s4.ariane.intra/160/0
> Jan 26 11:43:23 S4 named[2308]: client 172.20.2.2#39255: updating zone 
> '4.20.172.in-addr.arpa/NONE': deleting rrset at 
> '2.4.20.172.in-addr.arpa' PTR
> Jan 26 11:43:23 S4 named[2308]: client 172.20.2.2#39255: updating zone 
> '4.20.172.in-addr.arpa/NONE': adding an RR at 
> '2.4.20.172.in-addr.arpa' PTR
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: added rdataset 
> 2.4.20.172.in-addr.arpa 
> '2.4.20.172.in-addr.arpa.#0113600#011IN#011PTR#011client7-PCbis.ariane.intra.'
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: subtracted rdataset 
> 4.20.172.in-addr.arpa 
> '4.20.172.in-addr.arpa.#0113600#011IN#011SOA#011s4.ariane.intra. 
> admin.ariane.intra. 34 900 600 86400 3600'
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: added rdataset 
> 4.20.172.in-addr.arpa 
> '4.20.172.in-addr.arpa.#0113600#011IN#011SOA#011s4.ariane.intra. 
> admin.ariane.intra. 35 900 600 86400 3600'
> Jan 26 11:43:23 S4 named[2308]: samba_dlz: committed transaction on 
> zone 4.20.172.in-addr.arpa
> Jan 26 11:43:23 S4 dhcpd: DDNS: adding records for 172.20.4.2 
> (client7-PCbis.ariane.intra) succeeded
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: starting transaction on 
> zone ariane.intra
> Jan 26 11:43:27 S4 named[2308]: client 172.20.4.2#49708: update 
> 'ariane.intra/IN' denied
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: cancelling transaction on 
> zone ariane.intra
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: starting transaction on 
> zone ariane.intra
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: disallowing update of 
> signer=client7-pcbis\$\@ARIANE.INTRA name=client7-PCbis.ariane.intra 
> type=AAAA error=insufficient access rights
> Jan 26 11:43:27 S4 named[2308]: client 172.20.4.2#58780: updating zone 
> 'ariane.intra/NONE': update failed: rejected by secure update (REFUSED)
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: cancelling transaction on 
> zone ariane.intra
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: starting transaction on 
> zone ariane.intra
> Jan 26 11:43:27 S4 named[2308]: client 172.20.4.2#62901: update 
> 'ariane.intra/IN' denied
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: cancelling transaction on 
> zone ariane.intra
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: starting transaction on 
> zone ariane.intra
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: disallowing update of 
> signer=client7-pcbis\$\@ARIANE.INTRA name=client7-PCbis.ariane.intra 
> type=AAAA error=insufficient access rights
> Jan 26 11:43:27 S4 named[2308]: client 172.20.4.2#60619: updating zone 
> 'ariane.intra/NONE': update failed: rejected by secure update (REFUSED)
> Jan 26 11:43:27 S4 named[2308]: samba_dlz: cancelling transaction on 
> zone ariane.intra
> Jan 26 11:43:30 S4 dhcpd: DHCPINFORM from 172.20.4.2 via eth0
> Jan 26 11:43:30 S4 dhcpd: DHCPACK to 172.20.4.2 (00:50:56:8f:55:b6) 
> via eth0
>
>
> How can I start quickly with the second DHCP server without mistakes and
> without manually removing the DNS entries?
>
> Thank you in advance for the answers!
>
> Sam

You don't, you run both of the dhcp servers in fail-over mode.

Rowland
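
A sketch of what fail-over mode looks like in ISC dhcpd, as an added example that is not part of the original message or of Samba's documentation. Assumptions: the peer name, the first DC's address (172.20.2.1), the /24 netmask, the range and port 647 are constructed for illustration; 172.20.2.2 is the dhcpd host (S4) seen in the logs above.

```conf
# --- dhcpd.conf on the primary (first DC; 172.20.2.1 is a constructed address) ---
failover peer "ariane-failover" {     # peer name is hypothetical
  primary;
  address 172.20.2.1;
  port 647;
  peer address 172.20.2.2;            # S4, the dhcpd host in the logs above
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
  mclt 3600;                          # set on the primary only
  split 128;                          # primary only: each peer answers half the clients
}

# --- dhcpd.conf on the secondary (S4) ---
failover peer "ariane-failover" {
  secondary;
  address 172.20.2.2;
  port 647;
  peer address 172.20.2.1;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
}

# --- identical on both servers ---
subnet 172.20.4.0 netmask 255.255.255.0 {   # netmask assumed from the reverse zone
  pool {
    failover peer "ariane-failover";
    range 172.20.4.50 172.20.4.200;         # constructed range
  }
}
```

Both servers need synchronized clocks and the same pool declarations, and the failover port should be firewalled so that only the two peers can reach it.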



