Samba / BIND Automatic Reverse DNS Updating
Amitay Isaacs
amitay at gmail.com
Tue May 27 18:38:46 MDT 2014
Hi Jeremy,
On Wed, May 28, 2014 at 9:30 AM, Jeremy McClintock <jmcclintock at americannatural.com> wrote:
> Hello, All!
>
> This is my first time hitting up the list for help, as well as my first
> foray into this depth of Samba administration, so please excuse any missing
> info...
>
> After a great deal of trial-by-fire learning, I've got a new PDC up and
> running. I'm able to join a Win7x64 Pro host to the domain, log in as the
> domain admin, get/check a Kerberos ticket, & even access everything via the
> remote server admin tools. The issue I'm running into is with DNS
> automatic updates. The auto-update of the A record works perfectly... I was
> even able to verify by nslookup/host from another machine. The problem is
> that the PTR records do not update. I've burned an ungodly amount of man-hours
> scouring everything I could find online, most especially this list's
> archive (it seems like this has been somewhat of an issue in some respect for
> a while)! I've manually created the reverse zone via the Win DNS tool, and
> verified via the Samba CLI:
> samba-tool dns zonelist pdc
> 3 zone(s) found
>
> pszZoneName : domain.site.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.domain.site.com
>
> pszZoneName : aa.aa.aa.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.domain.site.com
>
> pszZoneName : _msdcs.domain.site.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.domain.site.com
>
>
>
> Here's the rest of my setup:
> CentOS release 6.5 (Final)
>
> Samba Version 4.1.7-SerNet-RedHat-8.el6 - One thing important to note is
> that wherever you'd expect to see /usr/local/samba (as is shown in all the
> tutorials), SerNet has defaulted to /var/lib/samba instead.
>
> BIND 9.9.5 (Extended Support Version) <id:f9b8a50e> built by make with
> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
> '--disable-static' '--disable-openssl-version-check'
> '--with-dlz-filesystem=yes' '--with-gssapi=/usr/include/gssapi'
> '--with-dlopen=yes'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-fixed-rrset' '--with-openssl' '--with-randomdev=/dev/urandom'
> compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-4)
> using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
> using libxml2 version: 2.7.6
>
> Here are the config files (scrubbed domain/ip info, but these are the
> actual files):
>
> NAMED.CONF:
> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> // server as a caching only nameserver (as a localhost DNS resolver only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration files.
> //
>
> options {
> auth-nxdomain yes;
>
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
>
> forwarders { yy.yy.yy.yy; zz.zz.zz.zz; };
> allow-query { any; }; # NETWORK to serve
> allow-transfer { localhost; }; # SECONDARY Bind DNS IP Address
> notify no;
> allow-recursion { any; };
>
> empty-zones-enable no;
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
>
> /* Path to ISC DLV key */
> bindkeys-file "/etc/named.iscdlv.key";
>
> /* Path to Samba dns.key */
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
> managed-keys-directory "/var/named/dynamic";
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/var/lib/samba/private/named.conf";
> include "/etc/rndc.key";
>
> controls {
> inet 127.0.0.1 port 953
> allow { localhost; } keys { "rndc-key"; };
> };
>
> RESOLV.CONF:
> domain domain.site.com
> search domain.site.com
> nameserver xx.xx.xx.xx
> nameserver yy.yy.yy.yy
> nameserver zz.zz.zz.zz
>
> SMB.CONF:
> # Global parameters
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.SITE.COM
> netbios name = PDC
> server role = active directory domain controller
> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/domain.site.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> KRB5.CONF:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DOMAIN.SITE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [kdc]
> check-ticket-addresses = false
>
> [realms]
> DOMAIN.SITE.COM = {
> kdc = pdc.domain.site.com
> admin_server = pdc.domain.site.com
> }
>
> [domain_realm]
> .domain.site.com = DOMAIN.SITE.COM
> domain.site.com = DOMAIN.SITE.COM
>
>
> In all of my searching, there are two things that I've come across that
> appear to be related (though I'm hoping someone here can confirm).
>
>
> 1. /var/lib/samba/private/dns_update_list has no mention of
> reverse/PTR records whatsoever...
>
> cat /var/lib/samba/private/dns_update_list
> # this is a list of DNS entries which will be put into DNS using
> # dynamic DNS update. It is processed by the samba_dnsupdate script
> A ${DNSDOMAIN} $IP
> A ${HOSTNAME} $IP
> AAAA ${DNSDOMAIN} $IP
> AAAA ${HOSTNAME} $IP
>
> A gc._msdcs.${DNSFOREST} $IP
> AAAA gc._msdcs.${DNSFOREST} $IP
>
> CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
>
> SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
> SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
>
> SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
> SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
> SRV _kerberos._tcp.dc._msdcs.${DNSFOREST} ${HOSTNAME} 88
> SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
> SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
> SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSFOREST} ${HOSTNAME} 88
>
> SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
>
> SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
> SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
> SRV _ldap._tcp.dc._msdcs.${DNSFOREST} ${HOSTNAME} 389
> SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
> SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
> SRV _ldap._tcp.pdc._msdcs.${DNSFOREST} ${HOSTNAME} 389
> SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
> SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
> SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSFOREST} ${HOSTNAME} 389
> SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
> SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
>
> SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
> SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
>
> 2. There's a setting, used by Windows (mentioned somewhat often on
> MSDN) called "fAutoReverseZones" that Samba has set to false with no
> apparent way to change it:
>
> samba-tool dns serverinfo pdc
> dwVersion : 0xece0205
> fBootMethod : DNS_BOOT_METHOD_DIRECTORY
> fAdminConfigured : FALSE
> fAllowUpdate : TRUE
> fDsAvailable : TRUE
> pszServerName : PDC.domain.site.com
> pszDsContainer : CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=site,DC=com
> aipServerAddrs : ['xx.xx.xx.xx (53)']
> aipListenAddrs : ['xx.xx.xx.xx (53)']
> aipForwarders : []
> dwLogLevel : 0
> dwDebugLevel : 0
> dwForwardTimeout : 3
> dwRpcPrototol : 0x5
> dwNameCheckFlag : DNS_ALLOW_MULTIBYTE_NAMES
> cAddressAnswerLimit : 0
> dwRecursionRetry : 3
> dwRecursionTimeout : 8
> dwMaxCacheTtl : 86400
> dwDsPollingInterval : 180
> dwScavengingInterval : 0
> dwDefaultRefreshInterval : 168
> dwDefaultNoRefreshInterval : 168
> fAutoReverseZones : FALSE
> fAutoCacheUpdate : FALSE
> fRecurseAfterForwarding : FALSE
> fForwardDelegations : TRUE
> fNoRecursion : FALSE
> fSecureResponses : FALSE
> fRoundRobin : TRUE
> fLocalNetPriority : FALSE
> fBindSecondaries : FALSE
> fWriteAuthorityNs : FALSE
> fStrictFileParsing : FALSE
> fLooseWildcarding : FALSE
> fDefaultAgingState : FALSE
> dwRpcStructureVersion : 0x2
> aipLogFilter : []
> pwszLogFilePath : None
> pszDomainName : domain.site.com
> pszForestName : domain.site.com
> pszDomainDirectoryPartition : DC=DomainDnsZones,DC=domain,DC=site,DC=com
> pszForestDirectoryPartition : DC=ForestDnsZones,DC=domain,DC=site,DC=com
> dwLocalNetPriorityNetMask : 0xff
> dwLastScavengeTime : 0
> dwEventLogLevel : 4
> dwLogFileMaxSize : 0
> dwDsForestVersion : 4
> dwDsDomainVersion : 4
> dwDsDsaVersion : 4
> fReadOnlyDC : FALSE
>
>
> I could likely fudge my way through editing the dns_update_list (and
> associated scripts), but I can't find a single thing on where the
> 'samba-tool dns serverinfo' is pulling from, let alone how to change the
> Boolean value for fAutoReverseZones. Aside from that, I'm pretty much
> stuck on getting Samba/AD automatic PTR records to work properly.
>
> I really need to get this working because part of standing up this new DC
> is implementing an IPAM-type suite (currently testing gestioip) that relies
> on correct forward AND reverse DNS, and having DNS managed in more than one
> place is a huge pain! If there's anyone who is willing/able to work with
> me to get it situated, I'll be more than happy to write up a
> tutorial/how-to for inclusion on the Samba wiki (or wherever else it is
> needed)!
>
> Thanks so much & REALLY looking forward to learning more about this!!
>
> Respectfully,
> Jeremy M.
>
>
As far as I know, Windows does not update the PTR record, so it must be updated
by some other means. Since we don't have a unified DNS solution in Samba,
implementation of the fAutoReverse feature involves a fair amount of work.
That's why most of the settings for DNS via the MMC plugin will not work, since
we don't yet have proper support.
However, various people have managed to get PTR updates working via a DHCP
server. A quick search through the archives found this link:
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
Maybe this would be useful. I'm sure others who have played with this can
comment and provide more details.
Amitay.
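Since the thread's conclusion is that PTR records are maintained outside samba_dnsupdate, the check an IPAM-minded admin wants is a forward/reverse consistency audit. The script below is an added example, not code from the thread or from Samba: it derives the in-addr.arpa owner name for each A record, reports missing or mismatched PTRs, and builds the corresponding `samba-tool dns add` commands (standard samba-tool syntax; the /24 reverse zone mirrors the poster's aa.aa.aa.in-addr.arpa layout, and all hostnames and addresses are constructed).

```python
"""Forward/reverse DNS consistency audit for an AD-integrated Samba zone.

Added example for the thread above; not Samba project code. Assumes the
reverse zone is a /24 (three-octet in-addr.arpa zone) and that record
data was dumped into plain dicts. All sample names/addresses are constructed.
"""
import ipaddress


def reverse_name(ip):
    """PTR owner name for an address, e.g. 10.20.30.5 -> 5.30.20.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone_v4(ip, prefixlen=24):
    """Classful reverse zone containing ip (the zone `samba-tool dns zonelist` shows)."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    kept = str(net.network_address).split(".")[: prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def check_ptr_consistency(a_records, ptr_records):
    """a_records: {fqdn: ip}; ptr_records: {reverse_name: fqdn}.
    Returns {'missing': [(fqdn, ip)], 'mismatched': [(fqdn, ip, ptr_target)]}."""
    missing, mismatched = [], []
    for fqdn, ip in a_records.items():
        found = ptr_records.get(reverse_name(ip))
        if found is None:
            missing.append((fqdn, ip))
        elif found.rstrip(".").lower() != fqdn.rstrip(".").lower():
            mismatched.append((fqdn, ip, found))
    return {"missing": missing, "mismatched": mismatched}


def samba_tool_ptr_commands(server, missing):
    """`samba-tool dns add <server> <zone> <label> PTR <fqdn>` for each missing PTR.
    The label is the owner name with the zone suffix stripped ('5' for a /24)."""
    cmds = []
    for fqdn, ip in missing:
        zone = reverse_zone_v4(ip)
        label = reverse_name(ip)[: -len("." + zone)]
        cmds.append(f"samba-tool dns add {server} {zone} {label} PTR {fqdn}")
    return cmds


# Constructed sample data standing in for a forward-zone and reverse-zone dump.
SAMPLE_A = {"pdc.domain.site.com": "10.20.30.5",
            "ws01.domain.site.com": "10.20.30.50",
            "ws02.domain.site.com": "10.20.30.51"}
SAMPLE_PTR = {"5.30.20.10.in-addr.arpa": "pdc.domain.site.com",
              "50.30.20.10.in-addr.arpa": "old-ws.domain.site.com"}  # stale PTR

if __name__ == "__main__":
    report = check_ptr_consistency(SAMPLE_A, SAMPLE_PTR)
    print(report)
    print("\n".join(samba_tool_ptr_commands("pdc", report["missing"])))
```

Run it against real dumps and the stale ws01 entry above shows why a mismatch report matters as much as a missing one: a wrong PTR silently breaks reverse-lookup-based checks in tools like the IPAM the poster mentions.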