[Samba] Migration from Windows to Samba4
Taylor, Jonn
jonnt at taylortelephone.com
Sat Oct 26 13:22:05 MDT 2013
On 10/26/2013 02:00 PM, Rob Janssen wrote:
> Taylor, Jonn wrote:
>> On 10/26/2013 01:42 PM, Rob Janssen wrote:
>>> Taylor, Jonn wrote:
>>>> Run this command to update your DNS.
>>>>
>>>> samba_dnsupdate --verbose --all-names
>>>
>>> Hmmm... this command now outputs:
>>> ; TSIG error with server: tsig verify failure
>>> for every update it attempts to do (the updates look reasonable),
>>> ending with:
>>> Failed update of 21 entries
>>>
>>> This succeeded OK when I still used Bind, I tried it before.
>>> Could it be related to my switch to internal DNS?
>> Yes, looks like there is a problem with kerberos. I would go back to
>> bind.
>
> Funny (or nasty) thing is that with bind the samba-tool updates go ok
> but I never got
> the client updates working, and with internal DNS it appears to be the
> other way around.
There is a bug that if you update dns say from dhcp then samba can not
accept client updates. Some permissions problem. I have dhcp update all
client leases and just ignore that samba can not. So far no problems
with dns.
Here is my working dhcpd server config. I have nortel an avaya IP phones
so this looks more complicated than it is. It is also setup with a
fail-over dhcp server.
cat /etc/dhcp/dhcpd.conf
authoritative;
failover peer "dhcp-failover" {
primary; # declare this to be the primary server
address 192.168.173.2;
port 647;
peer address 192.168.173.13;
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
mclt 1800;
split 128;
}
option nortel-callserver code 128 = string;
option nortel-callserver2 code 144 = string;
option nortel-2245 code 151 = ip-address;
option avaya9600 code 242 = string;
option tftp-server-name "192.168.173.243";
update-static-leases on;
# Vendor Class for i2002/i2004/1120e/1140e/1150e Internet Telephones
class "Nortel-i2004-A" {
match if substring (option vendor-class-identifier, 0, 14) =
"Nortel-i2004-A";
option nortel-callserver "Nortel-i2004-A,192.168.173.243:5000,1,10.";
option vendor-class-identifier "Nortel-i2004-A";
}
# Vendor Class for i2002/i2004/1120e/1140e/1150e Internet Telephones
class "Nortel-i2004-B" {
match if substring (option vendor-class-identifier, 0, 12) =
"Nortel-i2004-B";
option nortel-callserver2
"Nortel-i2004-B,lldp=n;zone=int.prv;prov=192.168.173.243;";
option vendor-class-identifier "Nortel-i2004-B";
}
# Vendor Class for 2210/2211 Wireless Phones
class "Nortel-221x-A" {
match if substring(option vendor-class-identifier, 0, 13) =
"Nortel-221x-A";
option nortel-callserver "Nortel-i2004-A,192.168.173.243:5000,1,10.";
option nortel-2245 192.168.99.10;
option vendor-class-identifier "Nortel-221x-A";
}
# Vendor Class for Avaya 1100/1200 IP SIP Phones (SIP firmware loaded)
class "Nortel-SIP-Phone-A" {
match if substring(option vendor-class-identifier, 0, 18) =
"Nortel-SIP-Phone-A";
option vendor-class-identifier "Nortel-SIP-Phone-A";
}
# Vendor Class for Avaya 9600
class "Avaya-9600" {
match if substring (option vendor-class-identifier, 0, 16) = "";
option avaya9600
"sipsrvraddr=192.168.173.243,httpsrvr=192.168.173.243";
option vendor-class-identifier "Avaya9600";
}
# Office
subnet 192.168.173.0 netmask 255.255.255.0 {
authoritative;
allow unknown-clients;
option domain-name "taylortelephone.com";
option netbios-name-servers 192.168.173.3, 192.168.173.4;
option netbios-dd-server 192.168.173.3, 192.168.173.4;
option netbios-node-type 8;
option ntp-servers 192.168.173.254;
option nis-domain "taylortelephone.com";
option domain-name-servers 192.168.173.3, 192.168.173.4, 192.168.173.2;
option routers 192.168.173.254;
pool{
failover peer "dhcp-failover";
range 192.168.173.20 192.168.173.99;
on commit {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name, host-decl-name);
execute("/etc/dhcpd/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID,
ClientName);
}
on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
execute("/etc/dhcpd/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}
}
}
And here is the script that I use. Make sure that bind can read your
krb5.conf and keytab files.
ls -al /etc/dhcpd
drwxr-xr-x 2 dhcpd dhcpd 4096 Oct 26 07:56 .
drwxr-xr-x. 83 root root 4096 Oct 14 15:23 ..
-rwxrwxrwx 1 dhcpd dhcpd 4427 Oct 3 08:27 dhcp-dyndns.sh
-rw------- 1 dhcpd dhcpd 7894 Sep 19 09:55 ldap.keytab
-rw------- 1 dhcpd dhcpd 2536 Oct 26 07:56 ldap.krb5cc
ls -al /usr/local/samba/private/
drwxr-xr-x 7 root root 4096 Oct 26 14:19 .
drwxr-xr-x 11 root root 4096 Oct 1 14:08 ..
drwxrwxr-x 3 named named 4096 Oct 2 14:55 dns
-rw-r--r-- 1 named named 837 Oct 2 11:47 dns.keytab
cat /etc/dhcpd/dhcp-dyndns.sh
#!/bin/sh
# This script is for secure DDNS updates using GSS/TSIG
# Version: 0.1
## CONFIGURATION ##
# Kerberos realm
realm="TAYLORTELEPHONE.COM"
# Kerberos principal
principal="ldap@$realm"
# Kerberos keytab
keytab="/etc/dhcpd/ldap.keytab"
# Kerberos credentials cache
krb5cc="/etc/dhcpd/ldap.krb5cc"
# Use MIT kerberos args instead of heimdal.
KRB5MIT="YES"
# Domain appended to hostname
domain="taylortelephone.com"
# Space separated list of DNS servers for sending updates to
NSRVS="192.168.173.2 192.168.173.13"
# Default DNS resource records TTL
RRTTL="3600"
# Do not use TXT RRs (rfc4701)
NOTXTRRS="YES"
# Additional nsupdate flags, e.g. "-d" for debug or -g for GSS/TSIG updates
NSUPDFLAGS="-g"
# Run in the foreground (for manual run only!!!), it's better to use
"-d" as script's first argument
#DEBUG="YES"
######################################################
## VARIABLES ##
[ "$1" = "-d" ] && DEBUG="YES" && shift
action=$1
ip=$2
DHCID=$3
name=${4%%.*}
[ -n "$5" ] && RRTTL="$5"
_usage() {
echo "Usage:"
echo " `basename $0` [-d] add ip-address dhcid|mac-address hostname
[dns-ttl]"
echo " `basename $0` [-d] delete ip-address dhcid|mac-address"
}
_kerberos() {
export KRB5_KTNAME="$keytab"
export KRB5CCNAME="$krb5cc"
if [ "$KRB5MIT" = "YES" ]; then
KLISTARG="-s"
else
KLISTARG="-t"
fi
klist $KLISTARG || kinit -k -t "$keytab" -c "$krb5cc" "$principal" || {
echo "DDNS: kinit failed"; exit 1; }
}
_main() {
umask 77
if [ -z "$ip" ] || [ -z "$DHCID" ]; then
_usage
exit 1
fi
## NSUPDATE ##
case "$action" in
add)
RRPTR="$name.$domain"
if [ "$NOTXTRRS" != "YES" ]; then
NOTXTRRS=""
RRAOLD=`host $RRPTR | awk '/has address/ {print $4}'`
if [ -n "$RRAOLD" ]; then
RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive
text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'`
[ -z "$RRTXTOLD" ] && echo "DDNS: adding records for $ip
($RRPTR) FAILED: has A record but no DHCID, not mine" && exit 1
RRTXT=`echo "$DHCID$RRPTR" | sha256sum`
RRTXT="000101${RRTXT%% *}"
[ "$RRTXT" != "$RRTXTOLD" ] && echo "DDNS: adding records for
$ip ($RRPTR) FAILED: has A record but DHCID is wrong" && exit 1
else
RRTXT=`echo "$DHCID$RRPTR" | sha256sum`
RRTXT="000101${RRTXT%% *}"
fi
else
NOTXTRRS=";"
fi
RRPTRNAME=`echo $ip | awk -F '.' '{print
$4"."$3"."$2"."$1".in-addr.arpa"}'`
_kerberos
for NSRV in $NSRVS; do
nsupdate $NSUPDFLAGS << UPDATE
server $NSRV
realm $realm
update delete $RRPTR. $RRTTL A
${NOTXTRRS}update delete $RRPTR. $RRTTL TXT
${NOTXTRRS}update add $RRPTR. $RRTTL TXT $RRTXT
update add $RRPTR. $RRTTL A $ip
send
update delete $RRPTRNAME. $RRTTL PTR
update add $RRPTRNAME. $RRTTL PTR $name.$domain.
send
UPDATE
result=$?
[ "$result" -eq "0" ] && echo "DDNS: adding records for $ip
($RRPTR) succeeded" && exit 0
done
[ "$result" != "0" ] && echo "DDNS: adding records for $ip ($RRPTR)
FAILED: nsupdate status $result" && exit "$result"
;;
delete)
RRPTR=`host $ip | awk '/domain name pointer/ { sub(/\.$/, "", $5);
print $5}'`
if [ "$NOTXTRRS" != "YES" ]; then
NOTXTRRS=""
if [ -n "$RRPTR" ]; then
RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive
text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'`
[ -z "$RRTXTOLD" ] && echo "DDNS: removing records for $ip
($RRPTR) FAILED: has A record but no DHCID, not mine" && exit 1
RRTXT=`echo "$DHCID$RRPTR" | sha256sum`
RRTXT="000101${RRTXT%% *}"
[ "$RRTXT" != "$RRTXTOLD" ] && echo "DDNS: removing records for
$ip ($RRPTR) FAILED: has A record but DHCID is wrong" && exit 1
else
echo "DDNS: removing records for $ip FAILED: has no PTR, can
not determine A record" && exit 1
fi
else
NOTXTRRS=";"
fi
RRPTRNAME=`echo $ip | awk -F '.' '{print
$4"."$3"."$2"."$1".in-addr.arpa"}'`
_kerberos
for NSRV in $NSRVS; do
nsupdate $NSUPDFLAGS << UPDATE
server $NSRV
realm $realm
update delete $RRPTR. $RRTTL A
${NOTXTRRS}update delete $RRPTR. $RRTTL TXT
send
update delete $RRPTRNAME. $RRTTL PTR
send
UPDATE
result=$?
[ "$result" -eq "0" ] && echo "DDNS: removing records for $ip
($RRPTR) succeeded" && exit 0
done
[ "$result" != "0" ] && echo "DDNS: removing records for $ip
($RRPTR) FAILED: nsupdate status $result" && exit "$result"
;;
*)
_usage && exit 1
;;
esac
}
if [ "$DEBUG" = "YES" ]; then
_main
else
:
_main | logger -s -t dhcpd &
fi
cat /etc/named.conf
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-recursion { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
forwarders {
192.168.173.240;
192.168.173.241;
8.8.8.8;
};
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/usr/local/samba/private/named.conf";
> I see some postings that say "ignore that error it works OK" but it
> does not appear to
> correct my DNS setup. I.e. the DNS queries do return the correct data
> but also the one
> I mentioned does return old data. No idea if the dnsupdate command is
> supposed to
> delete wrong data or will only add valid data.
>
> However, what I find disturbing is that the returns from the DNS
> queries are not
> consistent with the view from the management tools. What can that be?
> Is there a way to dump the entire database in a readable form?
I have seen this too. I posted a comment on the dev list and never got a
response. These phantom dns entries seem to come and go.
>>>>
>>>> Also post the output of samba-tool drs showrepl
>> This is good. That means that you got all the metadata out for the
>> old DC.
> yes I think I got that correct, I deleted all references to the old DC
> from AD using ADexplorer.
> (at all places where there were two references, one to the old and one
> to the new DC)
>
> Rob
More information about the samba
mailing list