[Samba] samba4 internal dns Server ddns for the reverse lookup Zone

steve steve at steve-ss.com
Sun Aug 17 04:42:55 MDT 2014


On Sun, 2014-08-17 at 09:07 +0200, Markus Roth wrote:
> Hi Steve,
> 
> Do you mean named needs rw on the DNS databases in /usr/local/samba/private/dns? In this file the group named has rw access to the files and folders. That was done automatically by samba4. Should I change something here?
> Oh sorry, I meant krb5.keytab, not krb5.sssd.keytab.
> You mean for the reverse lookup zone to delete the entry for client1 with the command ldbdel?
Much easier:
samba-tool dns zonedelete
restart named
samba-tool dns zonecreate
restart sssd

> I didn't do that for this test because these VMs were completely newly generated.
> And before I added my client1 to samba4 I made a backup of my server1 VM so I can restore it every time for new tests. Client1 is the only client.
> In my test today I restored the server1 VM and generated a new krb5.keytab without the --principal command again. Now I saw for the first time a ddns update from my server1 machine in the log.
> The server1 itself updated without any denied messages. But when I joined my client1 to the domain and restarted client1, I first get the denied messages again before it did the updates.
LOL, yeah. open source error messages at their best.

> Should I give the group named rw rights to the ldb and tdb files directly in the private folder of samba4?
> 
> What I forgot to say: I use static IPs on server1 and client1.
So you don't need ddns;) The A record is produced by net ads join. You
could add the PTR and just disable the ddns updates and forget about
them.
> 
> 
> Here are my new logs:
> server1:
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=1043380558.sig-server1.winnet.local/160/0
> Aug 17 08:30:01 server1 named[12525]: client 192.168.178.130#35803/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local.	900	IN	A	192.168.178.130'
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: subtracted rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 1 900 600 86400 0'
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: added rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 0'
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
> server:
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1245284349.sig-server1.winnet.local/160/0
> Aug 17 08:30:01 server1 named[12525]: client 192.168.178.130#50958/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=200605021.sig-server1.winnet.local/160/0
> Aug 17 08:30:01 server1 named[12525]: client 192.168.178.130#53088/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local.	3600	IN	A	192.168.178.130'
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: subtracted rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 0'
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: added rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 0'
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
> Aug 17 08:30:01 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> Aug 17 08:30:02 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=35035507.sig-server1.winnet.local/160/0
> Aug 17 08:30:02 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=35035507.sig-server1.winnet.local/160/0
> Aug 17 08:30:02 server1 named[12525]: client 192.168.178.130#33172/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
> Aug 17 08:30:02 server1 named[12525]: client 192.168.178.130#33172/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
> Aug 17 08:30:02 server1 named[12525]: samba_dlz: added 130.178.168.192.in-addr.arpa 130.178.168.192.in-addr.arpa.	3600	IN	PTR	server1.winnet.local.
> Aug 17 08:30:02 server1 named[12525]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 1 900 600 86400 3600'
> Aug 17 08:30:02 server1 named[12525]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 3600'
> Aug 17 08:30:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> ---------------------------------------------------------------------------------------------------------------
> client:
> Aug 17 08:30:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> Aug 17 08:34:02 server1 chronyd[852]: NTP packet received from unauthorised host 192.168.178.200 port 123
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49669: update 'winnet.local/IN' denied
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: cancelling transaction on zone winnet.local
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49750/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49750/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49750/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added client1.winnet.local client1.winnet.local.	1200	IN	A	192.168.178.200
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: subtracted rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 0'
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#62506: update '178.168.192.in-addr.arpa/IN' denied
This bit: It denies it. . .
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#54101/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#54101/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa.	1200	IN	PTR	client1.winnet.local.
. . .then it does it!
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 3600'
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
>  
That's the best you're gonna get. But why bother with static IPs?
HTH,
Steve

> 
> Sent: Sunday, 17 August 2014 at 01:53
> From: steve <steve at steve-ss.com>
> To: "Markus Roth" <markusroth1983 at gmx.net>
> Cc: samba at lists.samba.org
> Subject: Re: Aw: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> On Sun, 2014-08-17 at 00:46 +0200, Markus Roth wrote:
> > Hi Steve,
> >
> > I don't know what I'm still doing wrong :-( I've created new VMware environments with CentOS 7 and Windows 7. The hostname of the CentOS 7 is server1 and the hostname of the Windows 7 is client1. I've configured server1 as follows:
> >
> > 1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> > 2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> > 3. edit /root/rpmbuild/SPECS/bind.spec and remove the line --disable-isc-spnego
> > 4. rebuild bind with rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
> > 5. remove all previous bind* and samba* installation files with yum remove
> > 6. install bind-license, bind-libs* and bind9* with rpm -ivh
> > 7. download samba 4.1.11
> > 8. install dependencies for samba 4.1.11 with
> > yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
> > 8. install samba 4.1.11 with ./configure --enable-debug --enable-selftest, then make, then make install
> > 9. configure samba 4.1.11 with samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
> > 10. configure /etc/named.conf for samba4
> > 11. chgrp named + rw access for named on dns.keytab, dns_update_list, named.conf under /usr/local/samba/private and the same on *.so files under
> > /usr/local/samba/lib/bind9. Next I activate the .so file for bind9 in the samba named.conf
> 
> named needs rw on the DNS databases too.
> 
> > 12. install sssd with yum install sssd
> > 13. generated the krb5.keytab with my server name in capital letters for the principal name
> > # samba-tool domain exportkeytab /etc/krb5.keytab --principal=SERVER1$
> 
> The next 2 lines make no sense:
> > # chown root:root /etc/krb5.sssd.keytab
> > # chmod 600 /etc/krb5.sssd.keytab
> 
> > 14. generated the sssd.conf with the same file permissions as the krb5.keytab + copy the samba4 krb5.conf to /etc and overwrite the existing one
> > 15. Start named, sssd and samba daemon
> > 16. generate reverse lookup zone with samba-tool dns zonecreate server1.winnet.local 178.168.192.in-addr.arpa
> > 17. Start the client1 machine, give the server1 IP as the DNS server and join client1 to the domain
> >
> > Here are my configuration files and the last log-file
> > Do you see any mistakes?
> >
> > named.conf
> > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > options {
> > listen-on port 53 { 127.0.0.1; 192.168.178.130; };
> > listen-on-v6 port 53 { ::1; };
> > directory "/var/named";
> > dump-file "/var/named/data/cache_dump.db";
> > statistics-file "/var/named/data/named_stats.txt";
> > memstatistics-file "/var/named/data/named_mem_stats.txt";
> > allow-query { localhost; 192.168.178.0/24; };
> > allow-recursion { localhost; 192.168.178.0/24; };
> > forwarders { 8.8.8.8; 8.8.4.4; };
> > tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> > recursion yes;
> > dnssec-enable yes;
> > dnssec-validation yes;
> > dnssec-lookaside auto;
> > /* Path to ISC DLV key */
> > bindkeys-file "/etc/named.iscdlv.key";
> > managed-keys-directory "/var/named/dynamic";
> > pid-file "/run/named/named.pid";
> > session-keyfile "/run/named/session.key";
> > };
> > logging {
> > channel default_debug {
> > file "data/named.run";
> > severity dynamic;
> > };
> > };
> > zone "." IN {
> > type hint;
> > file "named.ca";
> > };
> > include "/etc/named.rfc1912.zones";
> > include "/etc/named.root.key";
> > include "/usr/local/samba/private/named.conf";
> > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > sssd.conf
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = winnet.local
> > [nss]
> > [pam]
> > [domain/winnet.local]
> > id_provider = ad
> > auth_provider = ad
> > access_provider = ad
> > ldap_id_mapping = False
> > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > smb.conf
> > # Global parameters
> > [global]
> > workgroup = WINNET
> > realm = WINNET.LOCAL
> > netbios name = SERVER1
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
> > read only = No
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > Samba4 named.conf
> > # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
> > #
> > # This file should be included in your main BIND configuration file
> > #
> > # For example with
> > # include "/usr/local/samba/private/named.conf";
> > #
> > # This configures dynamically loadable zones (DLZ) from AD schema
> > # Uncomment only single database line, depending on your BIND version
> > #
> > dlz "AD DNS Zone" {
> > # For BIND 9.8.0
> > # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
> > # For BIND 9.9.0
> > database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
> > };
> > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > /var/log/messages
> > Aug 17 00:13:58 server1 chronyd[809]: NTP packet received from unauthorised host 192.168.178.200 port 123
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
> > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#57474: update 'winnet.local/IN' denied
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone winnet.local
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone winnet.local
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#59638: update '178.168.192.in-addr.arpa/IN' denied
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> >
> You must delete the reverse zone and recreate it as I outlined in my
> last message. Also, no feedback on the latter, so I have to guess that
> you have done it but it.
> HTH
> 
> 
> >
> >
> > Sent: Saturday, 16 August 2014 at 16:00
> > From: steve <steve at steve-ss.com>
> > To: "Markus Roth" <markusroth1983 at gmx.net>
> > Cc: samba at lists.samba.org
> > Subject: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> > On Sat, 2014-08-16 at 15:46 +0200, Markus Roth wrote:
> > > Hi Steve,
> > >
> > > update. I think nobody can say that I'm not creative :-) I've now tried
> > > ./samba-tool domain exportkeytab /etc/krb5.keytab without the --principal
> > > and changed my sssd.conf back to:
> > >
> > > [sssd]
> > > services = nss, pam
> > > config_file_version = 2
> > > domains = winnet.local
> > > [nss]
> > > [pam]
> > > [domain/winnet.local]
> > > id_provider = ad
> > > access_provider = ad
> > >
> > > Now I also get the denied messages, but the logs now seem to be different:
> >
> > Very close now. This should do it:
> > http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
> >
> > >
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2171273687.sig-server1.winnet.local/160/0
> > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#49475/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1458088344.sig-server1.winnet.local/160/0
> > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60843/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2571247347.sig-server1.winnet.local/160/0
> > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60497/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 6 900 600 86400 0'
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=1615781577.sig-server1.winnet.local/160/0
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=1615781577.sig-server1.winnet.local/160/0
> > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
> > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
> > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> > > Aug 16 15:40:19 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.200 port 123
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#53494: update 'winnet.local/IN' denied
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on zone winnet.local
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#61402: update '178.168.192.in-addr.arpa/IN' denied
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> > >
> > > -----Original Message-----
> > > From: Markus Roth [mailto:markusroth1983 at gmx.net]
> > > Sent: Saturday, 16 August 2014 15:13
> > > To: 'steve'
> > > Cc: 'samba at lists.samba.org'
> > > Subject: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> > >
> > > Hi Steve,
> > >
> > > I've tried the domain exportkeytab below, but when I do samba-tool domain
> > > exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
> > >
> > > ./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> > > ERROR(runtime): uncaught exception - Key table entry not found
> > > File
> > > "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> > > line 175, in _run
> > > return self.run(*args, **kwargs)
> > > File
> > > "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> > > line 103, in run
> > > net.export_keytab(keytab=keytab, principal=principal)
> > >
> > > When I do the same with --principal=server1$ it does an export, but I also get
> > > the denied messages at the beginning. I also tried winnet$ or winnet.local$
> > > but it gives the same errors as above.
> > >
> > >
> > > >Hi
> > > >This is not using the sssd ad backend at all. It will not do ddns updates,
> > > >neither will it pull the correct id info from AD.
> > >
> > > >You were nearly there. Did you see my other post?
> > >
> > > >Just issue:
> > > >samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$ and try
> > > >with your original ad sssd config.
> > >
> > > >--
> > > >To unsubscribe from this list go to the following URL and read the
> > > >Instructions: https://lists.samba.org/mailman/options/samba
> > >
> >
> >
> 
>  
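The pattern Steve points at in the logs (an unsigned update attempt is denied, then the same client retries with a GSS-TSIG signed update that is allowed and committed) is what a secure-only AD zone looks like when a Windows client registers itself. Added here as an illustration, not code from the thread, from Samba or from BIND: a small Python triage script that pairs each "denied" line with the following signed update from the same client IP and zone, so benign denials can be separated from denials that never resolve, and that flags a signed A/AAAA update whose name does not belong to the signing machine account. The sample lines are constructed in the thread's log format; the last three show a denial with no signed retry.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the samba_dlz log format seen in the thread (raw string,
# so the escaped signer name "client1\$\@WINNET.LOCAL" is kept as logged).
SAMPLE_LOG = r"""
Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49669: update 'winnet.local/IN' denied
Aug 17 08:34:02 server1 named[12525]: samba_dlz: cancelling transaction on zone winnet.local
Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49750/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#62506: update '178.168.192.in-addr.arpa/IN' denied
Aug 17 08:34:02 server1 named[12525]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#54101/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:40:11 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
Aug 17 08:40:11 server1 named[12525]: client 192.168.178.201#51234: update 'winnet.local/IN' denied
Aug 17 08:40:11 server1 named[12525]: samba_dlz: cancelling transaction on zone winnet.local
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) ")
# Unsigned attempt refused by the zone's update policy.
DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^/']+)/IN' denied")
# Signed (GSS-TSIG) attempt: carries the client IP, the signer and the record touched.
SIGNED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+/key (?P<signer>\S+): updating zone "
                       r"'(?P<zone>[^/']+)/NONE': (?:adding an RR at|deleting rrset at) "
                       r"'(?P<name>[^']+)' (?P<rtype>\S+)")
COMMIT_RE = re.compile(r"samba_dlz: committed transaction on zone (?P<zone>\S+)")


@dataclass
class Denial:
    ts: str
    ip: str
    zone: str
    signer: Optional[str] = None          # set once a signed retry from the same ip/zone is seen
    committed: bool = False               # set once that retry's transaction commits
    mismatches: List[str] = field(default_factory=list)


def account_from_signer(signer: str) -> str:
    """'client1\\$\\@WINNET.LOCAL' or 'client1$@WINNET.LOCAL' -> 'client1' (the machine account)."""
    return signer.replace("\\", "").split("$", 1)[0].lower()


def triage(lines) -> List[Denial]:
    denials: List[Denial] = []
    pending: Dict[Tuple[str, str], Denial] = {}   # (ip, zone) -> denial awaiting a signed commit
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            ts = TS_RE.match(line)
            d = Denial(ts.group("ts") if ts else "", m.group("ip"), m.group("zone"))
            denials.append(d)
            pending[(d.ip, d.zone)] = d
            continue
        m = SIGNED_RE.search(line)
        if m:
            d = pending.get((m.group("ip"), m.group("zone")))
            if d is not None:
                d.signer = m.group("signer")
                acct = account_from_signer(d.signer)
                # A forward record should belong to the machine account that signed the update;
                # PTR names are reverse addresses, so they are not checked here.
                if m.group("rtype") in ("A", "AAAA") and not m.group("name").lower().startswith(acct + "."):
                    d.mismatches.append(f"{d.signer} updated {m.group('name')}")
            continue
        m = COMMIT_RE.search(line)
        if m:
            # DLZ serialises transactions per zone, so this commit closes the signed retry.
            for key, d in list(pending.items()):
                if key[1] == m.group("zone") and d.signer is not None:
                    d.committed = True
                    del pending[key]
    return denials


def summarize(denials: List[Denial]) -> List[str]:
    out = []
    for d in denials:
        if d.committed:
            out.append(f"{d.ts} {d.ip} zone {d.zone}: benign, unsigned attempt denied, "
                       f"then signed update by {d.signer} committed")
        else:
            out.append(f"{d.ts} {d.ip} zone {d.zone}: UNRESOLVED, no signed update committed after denial")
        for mm in d.mismatches:
            out.append(f"  WARNING signer/name mismatch: {mm}")
    return out


if __name__ == "__main__":
    for row in summarize(triage(SAMPLE_LOG.strip().splitlines())):
        print(row)
```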



