[Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

Andreas Oster aoster at novanetwork.de
Wed Mar 21 00:28:25 MDT 2012


Am 20.03.2012 19:20, schrieb Charles Tryon:
> Hi Andreas,
> 
>   Yes, I did a lot of work trying to get that script working (along with a
> bunch of other people on that discussion thread).  I have it mostly
> functional, but have largely backed away from that approach, since it runs
> against what appears to be the more accepted policy of letting the machines
> (in particular, the Windows machines) do their own secure update of the DNS
> records.  The unfortunate part is that the Linux clients don't seem to have
> a way to do this by default.  I have no idea how the Mac machines handle
> their DNS once they get a DHCP response.  Servers, which mostly use static
> IP assignments, are a moot point, since I can just manually create the DNS
> records and be done with it.
> 
>   The issue is the fact that DNS remembers "who" created (owns) the DNS
> record, and based on that ownership, who it will allow to change it.  If it
> is created by some dhcpd initiated transaction, then the Windows client
> itself is not allowed to update the record in the future.
> 
>   My feeling at this point is to try to follow the Windows Way for the time
> being (since that's the bulk of the machines on the network), and handle
> the few Linux clients (oddballs like myself) as special cases.  We also use
> DHCP reservations based on the machine's MAC address, so largely it's a
> non-issue.  (Or, at least I've got bigger fish to fry first before I go
> back and make sure the DHCP/DLZ behavior is tidy.)
> 
> 
> 
> On Sun, Mar 18, 2012 at 3:38 AM, Andreas Oster <aoster at novanetwork.de> wrote:
> 
>> Am 17.03.2012 21:06, schrieb Matthieu Patou:
>>> On 03/17/2012 10:00 AM, Andreas Oster wrote:
>>>> Hello all,
>>>>
>>>> I have set up a samba4 server with bind9 and the bind_dlz module.
>>>> Everything is working as it should but now I need to allow the dhcp
>>>> server to add entries to the forwarding zone. Has anybody implemented
>>>> such a configuration? Can this be done with the kerberos DNS dynamic
>>>> update configuration?
>>> I had it working with flat file backend.
>>> I think that the way dhcp and bind do their DDNS is different from the
>>> way Windows does its DDNS; as far as I know dlz_plugin only supports the
>>> latter one so far.
>>>
>>>> I want to achieve the following:
>>>>
>>>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>>>> 2) allow Windows machines (joined to AD) to update their own entries
>>>>
>>>> 2 - already works with the configuration from samba wiki
>>>>
>>> I put our DNS experts in direct copy, maybe they can advise you better
>>> than I.
>>>
>> Hello Matthieu,
>>
>> thank you for your answer. I searched the web a lot, but the
>> only useful stuff I found was a script by Michael Kuron which
>> has been slightly modified by Charles Tryon but I have no
>> clue how to integrate this with bind9 dlz, see:
>>
>>
>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>>
>> It would be great if someone could help me with the DDNS setup.
>>
>> best regards
>>
>> Andreas
>>
Hello Charles,

first I would like to thank you for this great script.

For our small network, 50 or so clients, I modified your script just a
little. I have added an additional name comparison to check if the name
contains a special string (in our case all Windows workstations are
named like DOMAINNAME+WS+Number) and if it does, just exit the script.
This way I do not get the ownership issue. All other machines either
have static IPs or are not members of the AD.

Thanks

best regards

Andreas
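The skip logic Andreas describes, written out as an added example that is not his modified script nor Michael Kuron's original. It assumes dhcpd's execute() hook passes the event name, the leased IP and the client-supplied hostname; the domain name, the EXAMPLEWS naming scheme and the addresses are constructed placeholders. The hostname is also validated as a DNS label, since it comes from the DHCP client and should not be trusted blindly.

```python
import re

# Constructed values: replace with your own AD domain and workstation naming scheme.
AD_DOMAIN = "example.lan"
# Windows workstations are named DOMAINNAME+WS+Number, e.g. EXAMPLEWS042.
WS_PATTERN = re.compile(r"^EXAMPLEWS\d+$", re.IGNORECASE)
# RFC 1123 host label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def short_hostname(name):
    """Strip any DNS suffix; dhcpd may hand over 'host' or 'host.example.lan'."""
    return name.split(".", 1)[0] if name else ""


def is_ad_workstation(hostname):
    """True if the host is a domain-joined Windows workstation by naming convention."""
    return bool(WS_PATTERN.match(short_hostname(hostname)))


def plan_ddns_update(action, ip, hostname):
    """Decide what the dhcpd hook should do for one lease event.

    action is 'commit', 'release' or 'expiry' (the ISC dhcpd event names).
    Returns ('add'|'delete', fqdn, ip) for hosts dhcpd should register,
    or None when the script should simply exit without touching DNS.
    """
    name = short_hostname(hostname)
    if not name or not LABEL_RE.match(name):
        return None  # no usable hostname from the client: nothing to register
    if is_ad_workstation(name):
        return None  # AD-joined Windows host does its own secure update
    fqdn = f"{name}.{AD_DOMAIN}"
    if action == "commit":
        return ("add", fqdn, ip)
    if action in ("release", "expiry"):
        return ("delete", fqdn, ip)
    raise ValueError(f"unknown dhcpd event: {action}")
```

Only the non-Windows hosts (printers, ILO boards and similar) reach the DDNS update path, so the record ownership stays with the Windows client for everything it registers itself.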


