[Samba] samba4+bind on centos
Rowland Penny
rpenny at f2s.com
Tue Jun 11 04:52:16 MDT 2013
You need to create the reverse zone using samba-tool.
Example using '192.168.0.10' for the Samba 4 server and the realm 'DOMAIN.LAN':
samba-tool dns zonecreate 192.168.0.10 0.168.192.in-addr.arpa -U Administrator@DOMAIN.LAN
Now add the AD server to the reverse zone. Here the Samba 4 server's FQDN is 'adserver.domain.lan':
samba-tool dns add 192.168.0.10 0.168.192.in-addr.arpa 10 PTR adserver.domain.lan -U Administrator@DOMAIN.LAN
Rowland
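The zone name and the PTR owner label in the two commands above follow mechanically from the address and the prefix length. This added shell helper (not from the thread) derives both for /8, /16 and /24 networks, validates the address, and assembles the same two samba-tool commands; the DC address, realm and FQDN are the thread's sample values, while the function names and the RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: derive the in-addr.arpa zone and the
# PTR owner label for an IPv4 address on a /8, /16 or /24 network, then
# assemble the samba-tool commands that create the zone and add the record.
# Function names and the RUN variable are assumed here; the values used at
# the bottom are the thread's sample DC address, realm and FQDN.

# split_ip IP: sets o1..o4, fails unless IP is four dotted octets <= 255
split_ip() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    rest=$1
    o1=${rest%%.*}; rest=${rest#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    [ "$o1.$o2.$o3.$o4" = "$1" ] || return 1     # exactly four labels
    case $o4 in *.*) return 1 ;; esac
    for o in $o1 $o2 $o3 $o4; do [ "$o" -le 255 ] || return 1; done
}

# reverse_zone IP PREFIX: the in-addr.arpa zone that holds IP's PTR record
reverse_zone() {
    split_ip "$1" || { echo "bad address: $1" >&2; return 1; }
    case $2 in
        8)  echo "$o1.in-addr.arpa" ;;
        16) echo "$o2.$o1.in-addr.arpa" ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa" ;;
        *)  echo "prefix /$2 not supported (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# ptr_label IP PREFIX: the owner name of IP's PTR record inside that zone
ptr_label() {
    split_ip "$1" || return 1
    case $2 in
        8)  echo "$o4.$o3.$o2" ;;
        16) echo "$o4.$o3" ;;
        24) echo "$o4" ;;
        *)  return 1 ;;
    esac
}

# run_or_print CMD...: print the command, or execute it when RUN=1
run_or_print() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# ptr_commands DC_IP IP PREFIX FQDN REALM: zonecreate, then the PTR record
ptr_commands() {
    zone=$(reverse_zone "$2" "$3") || return 1
    label=$(ptr_label "$2" "$3") || return 1
    run_or_print samba-tool dns zonecreate "$1" "$zone" -U "Administrator@$5"
    run_or_print samba-tool dns add "$1" "$zone" "$label" PTR "$4" -U "Administrator@$5"
}

# Thread's sample values: DC 192.168.0.10, realm DOMAIN.LAN, adserver.domain.lan
ptr_commands 192.168.0.10 192.168.0.10 24 adserver.domain.lan DOMAIN.LAN
```

Without RUN=1 the script only prints the commands, so the output can be reviewed before it is executed against the DC.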
On 11 June 2013 11:35, NOC <noc at nieuwland.nl> wrote:
> On 06/11/2013 12:15 PM, Rowland Penny wrote:
>
>> Have you created the reverse zone? Samba, for some reason, does not
>> automatically create it. If I run your command, I get:
>>
>> IPs: ['192.168.0.2']
>> Calling nsupdate for A domain.lan 192.168.0.2
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> domain.lan. 900 IN A 192.168.0.2
>>
>> and so on ~~~~~
>>
>> Rowland
>>
>>
> Hi Rowland,
>
> do you mean the samba_dnsupdate command?
> I don't think the command, when I run it, gets as far as you get.
>
> Where do you propose to create the reverse zone? Statically in bind or by
> editing the file /usr/local/samba/private/dns_update_list?
>
> Cheers
>
> Simon
>
>
>> On 11 June 2013 10:54, NOC <noc at nieuwland.nl> wrote:
>>
>> Hi All
>>
>> I've started again from scratch, following the wikipage at
>> https://wiki.samba.org/index.php/Dns-backend_bind#Bind_9.8_.2F_9.9
>>
>> I'm using bind 9.8.5-P1 and samba4 master (from yesterday I guess)
>>
>> compiling from scratch:
>> bind: ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
>>
>> And the given named.conf in /etc/bind/ (as this is where I want
>> the config to reside)
>>
>> I've included the local zones as provided and I modified named.conf
>> in a few places:
>> diff orig-named.conf /etc/bind/named.conf
>> 6c6
>> < directory "/var/named";
>> ---
>> > directory "/etc/bind";
>> 8c8
>> < forwarders { 8.8.8.8; 8.8.4.4; };
>> ---
>> > forwarders { 172.16.1.12; 172.16.1.18; };
>> 16,17c16,18
>> < 10.1.1.0/24;
>> < ...other networks you want to allow to query your DNS...;
>> ---
>> > 192.168.6.0/24;
>> > 127.0.0.0/8;
>> > #...other networks you want to allow to query your DNS...;
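Review bot: on the `<` side the placeholder `...other networks you want to allow to query your DNS...;` is bare text inside the ACL, which named rejects at load time; commenting it out with `#` as the `>` side does is the right fix, and running `named-checkconf /etc/bind/named.conf` before restarting catches this class of error. The resulting list (192.168.6.0/24 and 127.0.0.0/8) matches the server address 192.168.6.86 that appears later in the thread, so the DC itself stays within allow-query.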
>> 21,22c22,24
>> < 10.1.1.0/24;
>> < ...other networks you want to allow to do recursive queries...;
>> ---
>> > 192.168.6.0/24;
>> > 127.0.0.0/8;
>> > #...other networks you want to allow to do recursive queries...;
>> 24a27,28
>> > tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>> >
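Review bot: `tkey-gssapi-keytab` names the keytab BIND uses to verify GSS-TSIG signed dynamic updates from the DC, so /usr/local/samba/private/dns.keytab, and the private directory leading to it, must be readable by the account named runs as and should not be world-readable; the provision output below points to /usr/local/samba/private/named.txt for the steps required for secure DNS updates. Worth confirming before debugging samba_dnsupdate further, since a keytab named cannot read makes every signed update fail.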
>> 26a31
>> > include "/usr/local/samba/private/named.conf";
>>
>>
>> This is just so bind actually works and the files created by
>> provision are included
>>
>> Provision was done using:
>> samba-tool domain provision
>> Realm: example
>> Domain [example]: example.com
>>
>> Server Role (dc, member, standalone) [dc]: dc
>> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
>> [SAMBA_INTERNAL]: BIND9_DLZ
>> Administrator password:
>> Retype password:
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Adding DomainDN: DC=example
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=example
>> Creating DomainDnsZones and ForestDnsZones partitions
>> Populating DomainDnsZones and ForestDnsZones partitions
>> See /usr/local/samba/private/named.conf for an example configuration include file for BIND
>> and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
>> Once the above files are installed, your Samba4 server will be ready to use
>> Server Role: active directory domain controller
>> Hostname: sambabind02
>> NetBIOS Domain: EXAMPLE.COM
>>
>> DNS Domain: example
>> DOMAIN SID: S-1-5-21-294307859-3325552197-969134079
>>
>>
>> stopped/started bind using the new config file
>>
>> Then I started /usr/local/samba/sbin/samba -D
>>
>> Then command:
>> # /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
>> IPs: ['192.168.6.86']
>>
>> Traceback (most recent call last):
>>   File "/usr/local/samba/sbin/samba_dnsupdate", line 511, in <module>
>>     get_credentials(lp)
>>   File "/usr/local/samba/sbin/samba_dnsupdate", line 124, in get_credentials
>>     raise e
>> RuntimeError: kinit for SAMBABIND02$@EXAMPLE failed (Cannot contact any KDC for requested realm)
>>
>> It appears that samba_dnsupdate tries to get a ticket from the KDC
>> that it tries to find using DNS, but the record isn't yet inserted
>> in the bind dns database. Is it a chicken/egg problem?
>>
>> Now either the wiki hasn't been fully tested or it's missing an
>> obvious step.
>>
>> Any clues?
>>
>> /Simon
>>
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba