[Samba] samba4+bind on centos

Rowland Penny rpenny at f2s.com
Tue Jun 11 04:52:16 MDT 2013


You need to create the reverse zone using samba-tool.

Example using '192.168.0.10' for the Samba 4 server and the realm
'DOMAIN.LAN'

samba-tool dns zonecreate 192.168.0.10 0.168.192.in-addr.arpa -U Administrator@DOMAIN.LAN

Now add the AD server to the reverse zone. Here the Samba 4 server's FQDN is
'adserver.domain.lan'

samba-tool dns add 192.168.0.10 0.168.192.in-addr.arpa 10 PTR adserver.domain.lan -U Administrator@DOMAIN.LAN

Rowland

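The two samba-tool steps above, generalised to any /8, /16 or /24 subnet as an added example that is not part of Rowland's post or of Samba itself: `reverse_zone` and `ptr_label` derive the in-addr.arpa zone and the record name from the DC's address, and `reverse_zone_commands` (a name assumed here) prints the zonecreate and add invocations instead of running them, so they can be checked before use.

```shell
# Added example (not from the list post or from Samba): work out the
# in-addr.arpa reverse zone and PTR label for a DC's IPv4 address, then
# print the two samba-tool commands.  Only /8, /16 and /24 are handled.
set -eu

# split_ip 192.168.0.10 -> sets a=192 b=168 c=0 d=10 (POSIX sh, no subshell)
split_ip() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
}

# reverse_zone 192.168.0.10 24 -> 0.168.192.in-addr.arpa
reverse_zone() {
    split_ip "$1"
    case $2 in
        8)  printf '%s.in-addr.arpa\n' "$a" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$b" "$a" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$c" "$b" "$a" ;;
        *)  echo "unsupported prefix /$2 (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# ptr_label 192.168.0.10 24 -> 10: the host octets, least significant first,
# which is the record name inside the zone returned by reverse_zone
ptr_label() {
    split_ip "$1"
    case $2 in
        8)  printf '%s.%s.%s\n' "$d" "$c" "$b" ;;
        16) printf '%s.%s\n' "$d" "$c" ;;
        24) printf '%s\n' "$d" ;;
        *)  return 1 ;;
    esac
}

# reverse_zone_commands FQDN IP PREFIX REALM: print (do not run) the zonecreate
# and PTR add commands for the DC, authenticating as Administrator@REALM as in
# the post.  Review the output before piping it to sh on the DC.
reverse_zone_commands() {
    zone=$(reverse_zone "$2" "$3") || return 1
    label=$(ptr_label "$2" "$3")
    printf 'samba-tool dns zonecreate %s %s -U Administrator@%s\n' "$2" "$zone" "$4"
    printf 'samba-tool dns add %s %s %s PTR %s -U Administrator@%s\n' \
        "$2" "$zone" "$label" "$1" "$4"
}

reverse_zone_commands adserver.domain.lan 192.168.0.10 24 DOMAIN.LAN  # Rowland's values
```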

On 11 June 2013 11:35, NOC <noc at nieuwland.nl> wrote:

> On 06/11/2013 12:15 PM, Rowland Penny wrote:
>
>> Have you created the reverse zone? Samba, for some reason, does not
>> automatically create it. If I run your command, I get:
>>
>> IPs: ['192.168.0.2']
>> Calling nsupdate for A domain.lan 192.168.0.2
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> domain.lan.        900    IN    A    192.168.0.2
>>
>> and so on ~~~~~
>>
>> Rowland
>>
>>
> Hi Rowland,
>
> do you mean the samba_dnsupdate command?
> I don't think the command, when I run it, gets as far as you get.
>
> Where do you propose to create the reverse zone? statically in bind or by
> editing the file /usr/local/samba/private/dns_update_list?
>
> Cheers
>
> Simon
>
>
>> On 11 June 2013 10:54, NOC <noc at nieuwland.nl> wrote:
>>
>>     Hi All
>>
>>     I've started again from scratch, following the wikipage at
>>     https://wiki.samba.org/index.php/Dns-backend_bind#Bind_9.8_.2F_9.9
>>
>>     I'm using bind 9.8.5-P1 and samba4 master (from yesterday I guess)
>>
>>     compiling from scratch:
>>     bind: ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
>>
>>     And the given named.conf in /etc/bind/ (as this is where I want
>>     the config to reside)
>>
>>     I've included the local zones as provided and I modified the named.conf
>>     in a few places:
>>      diff orig-named.conf /etc/bind/named.conf
>>     6c6
>>     <        directory "/var/named";
>>     ---
>>     >        directory "/etc/bind";
>>     8c8
>>     <        forwarders { 8.8.8.8; 8.8.4.4; };
>>     ---
>>     >        forwarders { 172.16.1.12; 172.16.1.18; };
>>     16,17c16,18
>>     < 10.1.1.0/24 <http://10.1.1.0/24>;
>>
>>     <                ...other networks you want to allow to query your
>>     DNS...;
>>     ---
>>     > 192.168.6.0/24 <http://192.168.6.0/24>;
>>     > 127.0.0.0/8 <http://127.0.0.0/8>;
>>
>>     >                #...other networks you want to allow to query
>>     your DNS...;
>>     21,22c22,24
>>     < 10.1.1.0/24 <http://10.1.1.0/24>;
>>
>>     <                ...other networks you want to allow to do
>>     recursive queries...;
>>     ---
>>     > 192.168.6.0/24 <http://192.168.6.0/24>;
>>     > 127.0.0.0/8 <http://127.0.0.0/8>;
>>
>>     >                #...other networks you want to allow to do
>>     recursive queries...;
>>     24a27,28
>>     >       tkey-gssapi-keytab "/usr/local/samba/private/dns.**keytab";
>>     >
>>     26a31
>>     > include "/usr/local/samba/private/**named.conf";
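Review bot: the two lines added by the last hunks, tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab" and include "/usr/local/samba/private/named.conf", both point into Samba's private directory, so the user named runs as must be able to read them, while the keytab must stay unreadable to everyone else because it holds the credential BIND uses for signed updates; the provision output quoted further down refers to /usr/local/samba/private/named.txt for the permissions and options secure updates need, so check that file against these two lines before starting named.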
>>
>>
>>     This is just so bind actually works and the files created by
>>     provision are included
>>
>>     Provision was done using:
>>     samba-tool domain provision
>>     Realm: example
>>      Domain [example]: example.com
>>
>>      Server Role (dc, member, standalone) [dc]: dc
>>      DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
>>     [SAMBA_INTERNAL]: BIND9_DLZ
>>     Administrator password:
>>     Retype password:
>>     Looking up IPv4 addresses
>>     Looking up IPv6 addresses
>>     No IPv6 address will be assigned
>>     Setting up share.ldb
>>     Setting up secrets.ldb
>>     Setting up the registry
>>     Setting up the privileges database
>>     Setting up idmap db
>>     Setting up SAM db
>>     Setting up sam.ldb partitions and settings
>>     Setting up sam.ldb rootDSE
>>     Pre-loading the Samba 4 and AD schema
>>     Adding DomainDN: DC=example
>>     Adding configuration container
>>     Setting up sam.ldb schema
>>     Setting up sam.ldb configuration data
>>     Setting up display specifiers
>>     Modifying display specifiers
>>     Adding users container
>>     Modifying users container
>>     Adding computers container
>>     Modifying computers container
>>     Setting up sam.ldb data
>>     Setting up well known security principals
>>     Setting up sam.ldb users and groups
>>     Setting up self join
>>     Adding DNS accounts
>>     Creating CN=MicrosoftDNS,CN=System,DC=example
>>     Creating DomainDnsZones and ForestDnsZones partitions
>>     Populating DomainDnsZones and ForestDnsZones partitions
>>     See /usr/local/samba/private/named.conf for an example
>>     configuration include file for BIND
>>     and /usr/local/samba/private/named.txt for further documentation
>>     required for secure DNS updates
>>     Setting up sam.ldb rootDSE marking as synchronized
>>     Fixing provision GUIDs
>>     A Kerberos configuration suitable for Samba 4 has been generated
>>     at /usr/local/samba/private/krb5.conf
>>     Once the above files are installed, your Samba4 server will be
>>     ready to use
>>     Server Role:           active directory domain controller
>>     Hostname:              sambabind02
>>     NetBIOS Domain: EXAMPLE.COM
>>
>>     DNS Domain:            example
>>     DOMAIN SID:            S-1-5-21-294307859-3325552197-969134079
>>
>>
>>     stopped/started bind using the new config file
>>
>>     Then I started /usr/local/samba/sbin/samba -D
>>
>>     Then command:
>>     # /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
>>     IPs: ['192.168.6.86']
>>
>>     Traceback (most recent call last):
>>       File "/usr/local/samba/sbin/samba_dnsupdate", line 511, in <module>
>>         get_credentials(lp)
>>       File "/usr/local/samba/sbin/samba_dnsupdate", line 124, in get_credentials
>>         raise e
>>     RuntimeError: kinit for SAMBABIND02$@EXAMPLE failed (Cannot
>>     contact any KDC for requested realm)
>>
>>     It appears that samba_dnsupdate tries to get a ticket from the KDC
>>     that it tries to find using DNS, but the record isn't yet inserted
>>     in the bind dns database. Is it a chicken/egg problem?
>>
>>     Now either the wiki hasn't been fully tested or it's missing an
>>     obvious step
>>
>>     Any clues?
>>
>>     /Simon
>>
>>
>>
>>
>>     --
>>     To unsubscribe from this list go to the following URL and read the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>