[Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

Andreas Oster aoster at novanetwork.de
Thu Mar 22 00:23:49 MDT 2012


Am 19.03.2012 01:31, schrieb Amitay Isaacs:
> Hi Andreas,
> 
> On Sun, Mar 18, 2012 at 7:06 AM, Matthieu Patou <mat at samba.org> wrote:
>> On 03/17/2012 10:00 AM, Andreas Oster wrote:
>>>
>>> Hello all,
>>>
>>> I have set up a samba4 server with bind9 and the bind_dlz module.
>>> Everything is working as it should but now I need to allow the dhcp
>>> server to add entries to the forwarding zone. Has anybody implemented
>>> such a configuration? Can this be done with the Kerberos DNS dynamic
>>> update configuration?
>>
>> I had it working with flat file backend.
>> I think that the way dhcp and bind do their DDNS is different from the way
>> Windows does its DDNS; as far as I know dlz_plugin only supports the latter one
>> so far.
>>
>>> I want to achieve the following:
>>>
>>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
> 
> You need to configure secure updates from dhcpd as the dlz_bind9 plugin
> only supports secure dynamic updates. The following link might help to set
> up secure dynamic updates from dhcpd.
> 
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
> 
>>> 2) allow Windows machines (joined to AD) to update their own entries
>>>
>>> 2 - already works with the configuration from samba wiki
> 
> This should work automatically with the current master. But remember
> that if you update a DNS entry for a Windows machine through DHCP, then
> the Windows machine itself may not be able to update its own entry
> because of the ACLs.
> 
> Amitay.

Hello Amitay,

with your great work on the samba_upgradedns script I was able to move
my flatfile bind9 config to the DLZ backend, but realized afterwards
that I was no longer able to add DNS entries via dhcpd. Luckily I
found Charles Tryon's script on the web and managed to set up secure
dynamic updates from dhcpd to bind9. To circumvent the problem with
Windows machines being unable to update their own records, I have
modified the script to exclude those machines from being added to the
DNS database by dhcpd. This was easy, because in our setup Windows
machines are all named the same way, DOMAIN+WS+NUMBER.

Thanks

best regards

Andreas
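As an added example (not Charles Tryon's script, and not code from Samba or ISC), here is a minimal POSIX shell hook that dhcpd can run on lease commit to send a GSS-TSIG signed update through nsupdate -g, skipping hosts named DOMAIN+WS+NUMBER so that AD-joined Windows machines keep ownership of their own records, as the thread describes. The realm, zone, DC name, keytab path, service principal and the EXAMPLE prefix are all assumptions. The hostname check additionally accepts only a single DNS label, so a client-supplied host-name option cannot smuggle extra nsupdate commands into the batch.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread, Samba or ISC.
# Hook for ISC dhcpd: register a lease in a Samba AD-integrated zone over
# GSS-TSIG (nsupdate -g), leaving Windows workstations to self-register.
#
# Assumed dhcpd.conf fragment that calls this script with hostname and IP
# (dhcpd's own ddns-update-style is assumed to be "none"):
#   on commit {
#     set clhost = pick-first-value(option host-name, "");
#     set clip = binary-to-ascii(10, 8, ".", leased-address);
#     execute("/etc/dhcp/ddns-hook.sh", clhost, clip);
#   }

REALM="EXAMPLE.LOCAL"           # assumed AD realm
ZONE="example.local"            # assumed forward zone
DNS_SERVER="dc1.example.local"  # assumed Samba DC running bind9 + dlz_bind9
KEYTAB="/etc/dhcp/dhcpd.keytab" # assumed keytab of a dedicated "dhcpd" AD account
PRINCIPAL="dhcpd@$REALM"        # assumed service principal
WS_PREFIX="EXAMPLE"             # assumed NetBIOS domain used in workstation names
TTL=3600

# Accept only a single DNS label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters. Anything else (dots, spaces,
# newlines) is rejected before it can reach the nsupdate batch.
is_valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# True when the name follows the DOMAIN+WS+NUMBER convention (case-insensitive),
# i.e. an AD-joined Windows workstation that should update its own record.
is_windows_workstation() {
    hn=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    rest=${hn#"${WS_PREFIX}WS"}
    [ "$rest" != "$hn" ] || return 1   # prefix was not present
    [ -n "$rest" ] || return 1         # nothing after the prefix
    case "$rest" in
        *[!0-9]*) return 1 ;;          # suffix is not purely numeric
    esac
    return 0
}

# Emit the nsupdate batch on stdout: drop any stale A record for the host,
# then add the current lease address. Kept separate so it can be inspected.
build_update() {
    host=$1
    ip=$2
    printf 'server %s\nzone %s\nupdate delete %s.%s A\nupdate add %s.%s %s A %s\nsend\n' \
        "$DNS_SERVER" "$ZONE" "$host" "$ZONE" "$host" "$ZONE" "$TTL" "$ip"
}

# Entry point. Returns 0 when an update was sent, 2 when the host was skipped
# (invalid name or Windows workstation), 1 when kinit or nsupdate failed.
register_lease() {
    host=$1
    ip=$2
    is_valid_hostname "$host" || return 2
    is_windows_workstation "$host" && return 2
    # MIT kinit: obtain a ticket for the dhcpd account from its keytab, then
    # send the update signed with GSS-TSIG (-g). Needs a Kerberos-configured host.
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    build_update "$host" "$ip" | nsupdate -g
}

# Run as a hook only when dhcpd passes hostname and address.
if [ "$#" -eq 2 ]; then
    register_lease "$1" "$2"
fi
```

Because the record is created by the dhcpd account rather than by the client, the skip list is what keeps the ACL problem Amitay describes away from domain members; printers and ILO boards, which never update their own entries, are the only ones registered here.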