[Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Markus Roth
markusroth1983 at gmx.net
Sat Aug 16 16:46:57 MDT 2014
Hi Steve,
I don't know what I'm still doing wrong :-( I've created new VMware environments with CentOS 7 and Windows 7. The hostname of the CentOS 7 machine is server1 and the hostname of the Windows 7 machine is client1. I've configured server1 as follows:
1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
3. edit /root/rpmbuild/SPECS/bind.spec and remove the line --disable-isc-spnego
4. rebuild bind with rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
5. remove all previous bind* and samba* installation files with yum remove
6. install bind-license, bind-libs* and bind9* with rpm -ivh
7. download samba 4.1.11
8. install dependencies for samba 4.1.11 with
yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
9. install samba 4.1.11 with ./configure --enable-debug --enable-selftest, then make, then make install
10. configure samba 4.1.11 with samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
11. configure /etc/named.conf for samba4
12. chgrp named + rw access for named on dns.keytab, dns_update_list, named.conf under /usr/local/samba/private and the same on the *.so files under /usr/local/samba/lib/bind9. Next I activate the .so file for bind9 in the samba named.conf
13. install sssd with yum install sssd
14. generated the krb5.keytab with my server name in capital letters for the principal name
# samba-tool domain exportkeytab /etc/krb5.keytab --principal=SERVER1$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab
15. generated the sssd.conf with the same file permissions as the krb5.keytab + copied the samba4 krb5.conf to /etc, overwriting the existing one
16. start named, sssd and the samba daemon
17. generate the reverse lookup zone with samba-tool dns zonecreate server1.winnet.local 178.168.192.in-addr.arpa
18. start the client1 machine, give it the server1 IP as DNS server and join client1 to the domain
Here are my configuration files and the last log file.
Do you see any mistakes?
named.conf
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
options {
listen-on port 53 { 127.0.0.1; 192.168.178.130; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.178.0/24; };
allow-recursion { localhost; 192.168.178.0/24; };
forwarders { 8.8.8.8; 8.8.4.4; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = winnet.local
[nss]
[pam]
[domain/winnet.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
smb.conf
# Global parameters
[global]
workgroup = WINNET
realm = WINNET.LOCAL
netbios name = SERVER1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Samba4 named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/private/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.0
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
# For BIND 9.9.0
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/var/log/messages
Aug 17 00:13:58 server1 chronyd[809]: NTP packet received from unauthorised host 192.168.178.200 port 123
Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#57474: update 'winnet.local/IN' denied
Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone winnet.local
Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone winnet.local
Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#59638: update '178.168.192.in-addr.arpa/IN' denied
Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sent: Saturday, 16 August 2014 at 16:00
From: steve <steve at steve-ss.com>
To: "Markus Roth" <markusroth1983 at gmx.net>
Cc: samba at lists.samba.org
Subject: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On Sat, 2014-08-16 at 15:46 +0200, Markus Roth wrote:
> Hi Steve,
>
> update. I think nobody can say that I'm not creative :-) I've now tried
> ./samba-tool domain exportkeytab /etc/krb5.keytab without the --principal
> and changed my sssd.conf back to:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = winnet.local
> [nss]
> [pam]
> [domain/winnet.local]
> id_provider = ad
> access_provider = ad
>
> Now I also get the denied messages, but the logs now seem to be different:
Very close now. This should do it:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
>
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
> zone winnet.local
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
> tcpaddr=192.168.178.130 type=A key=2171273687.sig-server1.winnet.local/160/0
> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#49475/key
> SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
> at 'server1.winnet.local' A
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
> server1.winnet.local 'server1.winnet.local. 3600 IN A
> 192.168.178.130'
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
> winnet.local 'winnet.local. 3600 IN SOA
> server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local
> 'winnet.local. 3600 IN SOA server1.winnet.local.
> hostmaster.winnet.local. 5 900 600 86400 0'
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
> zone winnet.local
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
> zone winnet.local
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
> tcpaddr=192.168.178.130 type=AAAA
> key=1458088344.sig-server1.winnet.local/160/0
> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60843/key
> SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
> at 'server1.winnet.local' AAAA
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
> zone winnet.local
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
> zone winnet.local
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
> tcpaddr=192.168.178.130 type=A key=2571247347.sig-server1.winnet.local/160/0
> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60497/key
> SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at
> 'server1.winnet.local' A
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset
> server1.winnet.local 'server1.winnet.local. 3600 IN A
> 192.168.178.130'
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
> winnet.local 'winnet.local. 3600 IN SOA
> server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local
> 'winnet.local. 3600 IN SOA server1.winnet.local.
> hostmaster.winnet.local. 6 900 600 86400 0'
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
> zone winnet.local
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
> zone 178.168.192.in-addr.arpa
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa
> tcpaddr=192.168.178.130 type=PTR
> key=1615781577.sig-server1.winnet.local/160/0
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa
> tcpaddr=192.168.178.130 type=PTR
> key=1615781577.sig-server1.winnet.local/160/0
> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key
> SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
> deleting rrset at '130.178.168.192.in-addr.arpa' PTR
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
> 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN
> PTR server1.winnet.local.'
> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key
> SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
> adding an RR at '130.178.168.192.in-addr.arpa' PTR
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset
> 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN
> PTR server1.winnet.local.'
> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
> zone 178.168.192.in-addr.arpa
> Aug 16 15:40:19 server1 chronyd[831]: NTP packet received from unauthorised
> host 192.168.178.200 port 123
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
> zone winnet.local
> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#53494: update
> 'winnet.local/IN' denied
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on
> zone winnet.local
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
> zone winnet.local
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA
> key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A
> key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A
> key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
> at 'client1.winnet.local' AAAA
> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
> at 'client1.winnet.local' A
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset
> client1.winnet.local 'client1.winnet.local. 1200 IN A
> 192.168.178.200'
> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at
> 'client1.winnet.local' A
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset
> client1.winnet.local 'client1.winnet.local. 1200 IN A
> 192.168.178.200'
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on
> zone winnet.local
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
> zone 178.168.192.in-addr.arpa
> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#61402: update
> '178.168.192.in-addr.arpa/IN' denied
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on
> zone 178.168.192.in-addr.arpa
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
> zone 178.168.192.in-addr.arpa
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr=
> type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr=
> type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key
> client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
> deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset
> 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN
> PTR client1.winnet.local.'
> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key
> client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
> adding an RR at '200.178.168.192.in-addr.arpa' PTR
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset
> 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN
> PTR client1.winnet.local.'
> Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on
> zone 178.168.192.in-addr.arpa
>
> -----Original Message-----
> From: Markus Roth [mailto:markusroth1983 at gmx.net]
> Sent: Saturday, 16 August 2014 15:13
> To: 'steve'
> Cc: 'samba at lists.samba.org'
> Subject: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup
> Zone
>
> Hi Steve,
>
> I've tried the below domain exportkeytab, but when I do samba-tool domain
> exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
>
> ./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> ERROR(runtime): uncaught exception - Key table entry not found
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 103, in run
> net.export_keytab(keytab=keytab, principal=principal)
>
> When I do the same with --principal=server1$ it does an export, but I also
> get the denied messages from the beginning. I also tried winnet$ or winnet.local$
> but I get the same errors as above.
>
>
> >Hi
> >This is not using the sssd ad backend at all. It will not do ddns updates,
> neither will it pull the correct id info from AD.
>
> >You were nearly there. Did you see my other post?
>
> >Just issue:
> >samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$ and try
> with your original ad sssd config.
>
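As an added diagnostic, not code from this thread or from Samba or BIND: a Python parser for the named/samba_dlz lines posted above that separates the normal pattern (a Windows client first tries an unsigned update, BIND denies it, the client retries with a GSS-TSIG signed update, which is committed) from a signed transaction that is cancelled, which is the case that actually needs attention. The sample log is constructed from this thread's reverse-zone lines plus an invented zone example.lan; the syslog prefix is trimmed.

```python
"""Account for dynamic-update attempts in named/samba_dlz log lines (BIND9 DLZ on a Samba AD DC)."""
import re
from collections import defaultdict

# Unsigned update rejected by BIND (Windows clients always try this first).
DENIED_RE = re.compile(r"client [\d.]+#\d+: update '(?P<zone>[^/']+)/IN' denied")
# GSS-TSIG signed operation inside an open transaction.
SIGNED_RE = re.compile(r"client [\d.]+#\d+/key (?P<signer>\S+): updating zone "
                       r"'(?P<zone>[^/']+)/NONE': (?:deleting rrset at|adding an RR at) "
                       r"'[^']+' (?P<rtype>[A-Z]+)")
TXN_RE = re.compile(r"samba_dlz: (?P<state>starting|committed|cancelling) transaction on zone (?P<zone>\S+)")


def summarize_ddns(lines):
    """Per zone: unsigned attempts denied, signed ops committed, signed ops lost to a
    cancelled transaction, and the Kerberos principals that signed."""
    zones = defaultdict(lambda: {"unsigned_denied": 0, "signed_committed": 0,
                                 "signed_cancelled": 0, "signers": set()})
    pending = defaultdict(list)  # signed ops in the currently open transaction, per zone
    for raw in lines:
        line = raw.replace("\\", "")  # the list archive shows signers as client1\$\@REALM
        if m := TXN_RE.search(line):
            z = m["zone"]
            if m["state"] == "committed":
                zones[z]["signed_committed"] += len(pending[z])
            elif m["state"] == "cancelling":  # harmless after an unsigned try, a failure otherwise
                zones[z]["signed_cancelled"] += len(pending[z])
            pending[z] = []
        elif m := DENIED_RE.search(line):
            zones[m["zone"]]["unsigned_denied"] += 1
        elif m := SIGNED_RE.search(line):
            pending[m["zone"]].append(m["rtype"])
            zones[m["zone"]]["signers"].add(m["signer"])
    return dict(zones)


def verdict(summary):
    """ok: signed updates landed; signed-update-failed: a signed transaction was
    cancelled; no-secure-update: only unsigned, denied attempts were seen."""
    return {z: "signed-update-failed" if s["signed_cancelled"]
            else "ok" if s["signed_committed"] else "no-secure-update"
            for z, s in summary.items()}


# Constructed sample: the reverse-zone lines from this thread (syslog prefix trimmed)
# plus an invented zone example.lan whose signed update is cancelled.
SAMPLE = """\
named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
named[11100]: client 192.168.178.200#59638: update '178.168.192.in-addr.arpa/IN' denied
named[11100]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
named[11100]: client 192.168.178.200#55402/key client1\\$\\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
named[11100]: client 192.168.178.200#55402/key client1\\$\\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
named[11100]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
named[11100]: samba_dlz: starting transaction on zone example.lan
named[11100]: client 10.0.0.5#40000/key host9$@EXAMPLE.LAN: updating zone 'example.lan/NONE': adding an RR at 'host9.example.lan' A
named[11100]: samba_dlz: cancelling transaction on zone example.lan
""".splitlines()
```

Run `verdict(summarize_ddns(open("/var/log/messages").readlines()))` on the DC to get one line per zone; the thread's own logs yield "ok" for both winnet.local and 178.168.192.in-addr.arpa, since each denied unsigned attempt is followed by a committed signed update.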