Samba / BIND Automatic Reverse DNS Updating
Jeremy McClintock
jmcclintock at americannatural.com
Tue May 27 17:30:57 MDT 2014
Hello, All!
This is my first time hitting up the list for help, as well as my first foray into this depth of Samba administration, so please excuse any missing info...
After a great deal of trial-by-fire learning, I've got a new PDC up and running. I'm able to join a Win7x64 Pro host to the domain, log in as the domain admin, get/check a Kerberos ticket, & even access everything via the remote server admin tools. The issue I'm running into is with DNS automatic updates. The auto-update of the A record works perfectly... I was even able to verify by nslookup/host from another machine. The problem is the PTR records do not update. I've burned an ungodly amount of man-hours scouring everything I could find online, most especially this list's archive (seems like this has been somewhat of an issue in some respect for a while)! I've manually created the reverse zone via the Win DNS tool, and verified via the Samba CLI:
samba-tool dns zonelist pdc
3 zone(s) found
pszZoneName : domain.site.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.domain.site.com
pszZoneName : aa.aa.aa.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.domain.site.com
pszZoneName : _msdcs.domain.site.com
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.domain.site.com
Here's the rest of my setup:
CentOS release 6.5 (Final)
Samba Version 4.1.7-SerNet-RedHat-8.el6 - One thing important to note is that wherever you'd expect to see /usr/local/samba (as is shown in all the tutorials), SerNet has defaulted to /var/lib/samba instead.
BIND 9.9.5 (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-filesystem=yes' '--with-gssapi=/usr/include/gssapi' '--with-dlopen=yes' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' '--with-openssl' '--with-randomdev=/dev/urandom'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-4)
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.7.6
Here are the config files (scrubbed domain/ip info, but these are the actual files):
NAMED.CONF:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        auth-nxdomain yes;
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        forwarders { yy.yy.yy.yy; zz.zz.zz.zz; };
        allow-query { any; }; # NETWORK to serve
        allow-transfer { localhost; }; # SECONDARY Bind DNS IP Address
        notify no;
        allow-recursion { any; };
        empty-zones-enable no;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        /* Path to Samba dns.key */
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/private/named.conf";
include "/etc/rndc.key";
controls {
        inet 127.0.0.1 port 953
        allow { localhost; } keys { "rndc-key"; };
};
RESOLV.CONF:
domain domain.site.com
search domain.site.com
nameserver xx.xx.xx.xx
nameserver yy.yy.yy.yy
nameserver zz.zz.zz.zz
SMB.CONF:
# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.SITE.COM
netbios name = PDC
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/domain.site.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
KRB5.CONF:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.SITE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[kdc]
check-ticket-addresses = false
[realms]
DOMAIN.SITE.COM = {
kdc = pdc.domain.site.com
admin_server = pdc.domain.site.com
}
[domain_realm]
.domain.site.com = DOMAIN.SITE.COM
domain.site.com = DOMAIN.SITE.COM
In all of my searching, there are two things that I've come across that appear to be related (though I'm hoping someone here can confirm).
1. /var/lib/samba/private/dns_update_list has no mention of reverse/PTR records whatsoever...
cat /var/lib/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${DNSDOMAIN} $IP
A ${HOSTNAME} $IP
AAAA ${DNSDOMAIN} $IP
AAAA ${HOSTNAME} $IP
A gc._msdcs.${DNSFOREST} $IP
AAAA gc._msdcs.${DNSFOREST} $IP
CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kerberos._tcp.dc._msdcs.${DNSFOREST} ${HOSTNAME} 88
SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSFOREST} ${HOSTNAME} 88
SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.dc._msdcs.${DNSFOREST} ${HOSTNAME} 389
SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.pdc._msdcs.${DNSFOREST} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSFOREST} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
2. There's a setting, used by windows (mentioned somewhat often on msdn) called "fAutoReverseZones" that Samba has set to false with no apparent way to change:
samba-tool dns serverinfo pdc
dwVersion : 0xece0205
fBootMethod : DNS_BOOT_METHOD_DIRECTORY
fAdminConfigured : FALSE
fAllowUpdate : TRUE
fDsAvailable : TRUE
pszServerName : PDC.domain.site.com
pszDsContainer : CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=site,DC=com
aipServerAddrs : ['xx.xx.xx.xx (53)']
aipListenAddrs : ['xx.xx.xx.xx (53)']
aipForwarders : []
dwLogLevel : 0
dwDebugLevel : 0
dwForwardTimeout : 3
dwRpcPrototol : 0x5
dwNameCheckFlag : DNS_ALLOW_MULTIBYTE_NAMES
cAddressAnswerLimit : 0
dwRecursionRetry : 3
dwRecursionTimeout : 8
dwMaxCacheTtl : 86400
dwDsPollingInterval : 180
dwScavengingInterval : 0
dwDefaultRefreshInterval : 168
dwDefaultNoRefreshInterval : 168
fAutoReverseZones : FALSE
fAutoCacheUpdate : FALSE
fRecurseAfterForwarding : FALSE
fForwardDelegations : TRUE
fNoRecursion : FALSE
fSecureResponses : FALSE
fRoundRobin : TRUE
fLocalNetPriority : FALSE
fBindSecondaries : FALSE
fWriteAuthorityNs : FALSE
fStrictFileParsing : FALSE
fLooseWildcarding : FALSE
fDefaultAgingState : FALSE
dwRpcStructureVersion : 0x2
aipLogFilter : []
pwszLogFilePath : None
pszDomainName : domain.site.com
pszForestName : domain.site.com
pszDomainDirectoryPartition : DC=DomainDnsZones,DC=domain,DC=site,DC=com
pszForestDirectoryPartition : DC=ForestDnsZones,DC=domain,DC=site,DC=com
dwLocalNetPriorityNetMask : 0xff
dwLastScavengeTime : 0
dwEventLogLevel : 4
dwLogFileMaxSize : 0
dwDsForestVersion : 4
dwDsDomainVersion : 4
dwDsDsaVersion : 4
fReadOnlyDC : FALSE
I could likely fudge my way through editing the dns_update_list (and associated scripts), but I can't find a single thing on where the 'samba-tool dns serverinfo' is pulling from, let alone how to change the Boolean value for fAutoReverseZones. Aside from that, I'm pretty much stuck on getting Samba/AD automatic PTR records to work properly.
I really need to get this working because part of standing up this new DC is implementing an IPAM-type suite (currently testing gestioip) that relies on correct forward AND reverse DNS, and having DNS managed in more than one place is a huge pain! If there's anyone that is willing/able to work with me to get it situated, I'll be more than happy to write-up a tutorial/how-to for inclusion on the Samba wiki (or wherever else it is needed)!
Thanks so much & REALLY looking forward to learning more about this!!
Respectfully,
Jeremy M.
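As an added illustration of the gap described in the post (not code from the poster, Samba or BIND): the script below derives the PTR records that the A/AAAA entries of a dns_update_list imply, audits them against what the reverse zones currently hold, and renders the repairs as an nsupdate batch suitable for `nsupdate -g` (GSS-TSIG, the mode a DNS_RPC_ZONE_UPDATE_SECURE zone accepts). All record values and host names are constructed; the DNSDOMAIN apex handling is an assumption.

```python
import ipaddress

# Constructed sample: the A/AAAA lines of a dns_update_list after samba_dnsupdate
# has substituted ${HOSTNAME}, ${DNSDOMAIN} and $IP (hypothetical values).
FORWARD_RECORDS = [
    ("A", "pdc.domain.site.com", "192.0.2.10"),
    ("A", "domain.site.com", "192.0.2.10"),
    ("AAAA", "pdc.domain.site.com", "2001:db8::10"),
]

# Constructed sample of what the reverse zones currently answer: the IPv4 PTR
# is stale (points at an old name) and the IPv6 PTR is missing entirely.
EXISTING_PTRS = {
    "10.2.0.192.in-addr.arpa": "oldpdc.domain.site.com",
}

def ptr_name(ip):
    """Owner name of the PTR for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa) address."""
    return ipaddress.ip_address(ip).reverse_pointer

def expected_ptrs(records, dnsdomain):
    """Derive the PTRs implied by A/AAAA records. The domain apex entry is skipped
    (assumption): the DC's address should resolve back to the host, not the domain."""
    return {ptr_name(ip): name for rtype, name, ip in records
            if rtype in ("A", "AAAA") and name != dnsdomain}

def audit_reverse(expected, existing):
    """Return (missing, stale): missing maps owner -> wanted target; stale maps
    owner -> (current target, wanted target)."""
    missing = {k: v for k, v in expected.items() if k not in existing}
    stale = {k: (existing[k], v) for k, v in expected.items()
             if k in existing and existing[k] != v}
    return missing, stale

def nsupdate_script(server, fixes, ttl=3600):
    """Render repairs as an nsupdate batch. Feed it to `nsupdate -g` so the update is
    GSS-TSIG signed with a Kerberos ticket, as a DNS_RPC_ZONE_UPDATE_SECURE zone
    requires; deleting the RRset first replaces a stale PTR rather than adding one."""
    lines = [f"server {server}"]
    for owner, target in sorted(fixes.items()):
        lines.append(f"update delete {owner} PTR")
        lines.append(f"update add {owner} {ttl} PTR {target}.")
    lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    expected = expected_ptrs(FORWARD_RECORDS, "domain.site.com")
    missing, stale = audit_reverse(expected, EXISTING_PTRS)
    fixes = dict(missing, **{k: want for k, (_, want) in stale.items()})
    print(nsupdate_script("pdc.domain.site.com", fixes), end="")
```

Run on a DC with a valid ticket for the DC's machine account (`kinit -k` against the host keytab) and pipe the output into `nsupdate -g`; the audit half is also a cheap check to schedule alongside an IPAM import to catch forward/reverse drift.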