[Samba] samba4 internal dns Server ddns for the reverse lookup Zone

Markus Roth markusroth1983 at gmx.net
Tue Aug 19 14:56:37 MDT 2014


Hi Rowland,
 
I think it's no problem to set up your howto with CentOS 7 :-) Can I have the howto? But is it correct that I can't use a DHCP setup without the script?

markus 

Sent: Tuesday, 19 August 2014 at 22:50
From: "Rowland Penny" <rowlandpenny at googlemail.com>
To: samba at lists.samba.org
Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On 19/08/14 21:27, Markus Roth wrote:
> Hi Steve,
>
> thanks a lot :-) So in this case, where I have a successful configuration, I would now implement an ISC DHCP server in my CentOS 7 test environment. But how should I configure the DHCP server? I didn't find any howto. Only a script from http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
> But is that the only way? And if it is the only way, how must I integrate this script into DHCP?
Hi, I have been doing the updates with dhcp this way for over 18 months
now. You need to add a user to do the updates, create a keytab for that
user, turn off ddns updates from windows clients and then dhcp runs a
script that, via nsupdate, updates DNS. I could probably come up with a
howto, but it would be for Debian, so you would have to Centos-ify it
yourself.

Rowland

>
> Kind regards
> Markus
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of steve
> Sent: Monday, 18 August 2014 17:08
> To: Markus Roth
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>
> On Mon, 2014-08-18 at 16:28 +0200, Markus Roth wrote:
>> Hi Steve,
>>
>> I have bind in version 9.9.4-RedHat-9.9.4-14.el7.centos (Extended Support Version) under CentOS 7. I see the update messages without configuring a log level in /var/log/messages.
>> OK, so you mean I should always use DHCP instead of static IPs for a clean ddns update and logs?
>> When I changed the IP address of my client1 machine (Windows 7) from 192.168.178.99 to 192.168.178.98 and analysed the DNS entries with the Windows remote tools, it had updated client1 successfully.
>> With the host command I get:
>>
>> [root at server1 ~]# host -t A client1.winnet.local
>> client1.winnet.local has address 192.168.178.98
>> [root at server1 ~]# host -t PTR 192.168.178.98
>> 98.178.168.192.in-addr.arpa domain name pointer client1.winnet.local.
>>
>> So can I say that I have a correct configuration although I have the denied message? This is what /var/log/messages says for the ddns during the IP change:
>>
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
>> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
>> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
>> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.98'
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 12 900 600 86400 0'
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 13 900 600 86400 0'
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone winnet.local
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '98.178.168.192.in-addr.arpa' PTR
>> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added 98.178.168.192.in-addr.arpa 98.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 3600'
>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
>>
> That looks as perfect as you're gonna get. And, it's working. Unless you want to try samba-technical or isc, I think this is the best you can expect, especially as it's working. Remember, the errors are written by coders and can at times have little bearing upon what is really happening.
>
> I'm no expert on network topography. We chose dhcp because we wanted less work. For file servers we always use fixed IP. I'm sure that someone will chip in with some more concrete explanations other than sheer laziness;) HTH, Steve
>
>>
>>
>> Sent: Monday, 18 August 2014 at 00:31
>> From: steve <steve at steve-ss.com>
>> To: "Markus Roth" <markusroth1983 at gmx.net>
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>> On Sun, 2014-08-17 at 16:55 +0200, Markus Roth wrote:
>>> Hi Steve,
>>>
>>> first thanks a lot for your help at this time :-)
>>>
>>>> Much easier:
>>>> samba-tool dns zonedelete
>>>> restart named
>>>> samba-tool dns zonecreate
>>>> restart sssd
>>> Ah okay, good to know for future actions. So do I understand it right that my configuration is correct now and the denied messages with this configuration are OK? If so, then the denied messages are OK for me :-) But before I take my new configuration into productive use, I'd better ask.
>> On:
>> named -version
>> BIND 9.9.4-rpz2.13269.14-P2 (Extended Support Version)
>> We do not get the denied messages, but we may have a lower debug level set. Sorry, can't confirm this as we've no test domain with that version.
>> _Are_ the records being updated? Change the IP of a sssd client box (NOT the IP of the DC) and use host to check A and PTR.
>>> I took static IPs only for testing. If this configuration is OK now, I would create a test environment with a DHCP server.
>>>
>> ddns is handled fine by the sssd ad backend when the ip of a client is
>> changed via dhcp.
>>
>>> For the rw access you said named needs rw access on the dns databases.
>> Yes, the keytab for named.conf and the dns partitions.
>>
>>> So I've set rw access for the group named on the *.so files and for the ldb and tdb files in the /usr/samba/private structure. But I don't know if this is necessary.
>>>
>>> Only for interest: when static IPs were used, would you deactivate the automatic ddns updates and add them manually with samba-tool or with the Windows remote administration kit? But I think it's much easier with ddns if some IPs will change, isn't it?
>>>
>>>> LOL, yeah. open source error messages at their best.
>>> ......
>>>> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
>>> . . .then it does it!
>>> ....
>>>> Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
>>>>
>>>> That's the best you're gonna get. But why bother with static IPs?
>>>> HTH,
>>>> Steve
>>>> Sent: Sunday, 17 August 2014 at 01:53
>>>> From: steve <steve at steve-ss.com>
>>>> To: "Markus Roth" <markusroth1983 at gmx.net>
>>>> Cc: samba at lists.samba.org
>>>> Subject: Re: Aw: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>>>> On Sun, 2014-08-17 at 00:46 +0200, Markus Roth wrote:
>>>>> Hi Steve,
>>>>>
>>>>> I don't know what I'm still doing wrong :-( I've created new VMware environments with CentOS 7 and Windows 7. The hostname of the CentOS 7 machine is server1 and the hostname of the Windows 7 machine is client1. I've configured server1 as follows:
>>>>>
>>>>> 1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
>>>>> 2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
>>>>> 3. edit /root/rpmbuild/SPECS/bind.spec and remove the line --disable-isc-spnego
>>>>> 4. rebuild bind with rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
>>>>> 5. remove all previous bind* and samba* installation files with yum remove
>>>>> 6. install bind-license, bind-libs* and bind9* with rpm -ivh
>>>>> 7. download samba 4.1.11
>>>>> 8. install dependencies for samba 4.1.11 with yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
>>>>> 8. install samba 4.1.11 with ./configure --enable-debug --enable-selftest, then make, then make install
>>>>> 9. configure samba 4.1.11 with samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
>>>>> 10. configure /etc/named.conf for samba4
>>>>> 11. chgrp named + rw access for named on dns.keytab, dns_update_list, named.conf under /usr/local/samba/private and the same on the *.so files under /usr/local/samba/lib/bind9. Next I activate the .so file for bind9 in the samba named.conf
>>>> named needs rw on the DNS databases too.
>>>>
>>>>> 12. install sssd with yum install sssd
>>>>> 13. generated the krb5.keytab with my servername in capital letters for the principal name: # samba-tool domain exportkeytab /etc/krb5.keytab --principal=SERVER1$
>>>> The next 2 lines make no sense:
>>>>> # chown root:root /etc/krb5.sssd.keytab
>>>>> # chmod 600 /etc/krb5.sssd.keytab
>>>>> 14. generated the sssd.conf with the same file permissions as the krb5.keytab + copied the samba4 krb5.conf to /etc, overwriting the existing one
>>>>> 15. Start named, sssd and samba daemon
>>>>> 16. generate reverse lookup zone with samba-tool dns zonecreate server1.winnet.local 178.168.192.in-addr.arpa
>>>>> 17. Start the client1 machine, give the server1 IP as the DNS server and join client1 to the domain
>>>>>
>>>>> Here are my configuration files and the last log file. Do you see any mistakes?
>>>>>
>>>>> named.conf
>>>>> ------------------------------------------------------------------------
>>>>> options {
>>>>>   listen-on port 53 { 127.0.0.1; 192.168.178.130; };
>>>>>   listen-on-v6 port 53 { ::1; };
>>>>>   directory "/var/named";
>>>>>   dump-file "/var/named/data/cache_dump.db";
>>>>>   statistics-file "/var/named/data/named_stats.txt";
>>>>>   memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>   allow-query { localhost; 192.168.178.0/24; };
>>>>>   allow-recursion { localhost; 192.168.178.0/24; };
>>>>>   forwarders { 8.8.8.8; 8.8.4.4; };
>>>>>   tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>>>>>   recursion yes;
>>>>>   dnssec-enable yes;
>>>>>   dnssec-validation yes;
>>>>>   dnssec-lookaside auto;
>>>>>   /* Path to ISC DLV key */
>>>>>   bindkeys-file "/etc/named.iscdlv.key";
>>>>>   managed-keys-directory "/var/named/dynamic";
>>>>>   pid-file "/run/named/named.pid";
>>>>>   session-keyfile "/run/named/session.key";
>>>>> };
>>>>> logging {
>>>>>   channel default_debug { file "data/named.run"; severity dynamic; };
>>>>> };
>>>>> zone "." IN { type hint; file "named.ca"; };
>>>>> include "/etc/named.rfc1912.zones";
>>>>> include "/etc/named.root.key";
>>>>> include "/usr/local/samba/private/named.conf";
>>>>> ------------------------------------------------------------------------
>>>>> sssd.conf
>>>>> [sssd]
>>>>> services = nss, pam
>>>>> config_file_version = 2
>>>>> domains = winnet.local
>>>>> [nss]
>>>>> [pam]
>>>>> [domain/winnet.local]
>>>>> id_provider = ad
>>>>> auth_provider = ad
>>>>> access_provider = ad
>>>>> ldap_id_mapping = False
>>>>> ------------------------------------------------------------------------
>>>>> smb.conf
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = WINNET
>>>>> realm = WINNET.LOCAL
>>>>> netbios name = SERVER1
>>>>> server role = active directory domain controller
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> [netlogon]
>>>>> path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
>>>>> read only = No
>>>>> [sysvol]
>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>> read only = No
>>>>> ------------------------------------------------------------------------
>>>>> Samba4 named.conf
>>>>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
>>>>> #
>>>>> # This file should be included in your main BIND configuration file
>>>>> #
>>>>> # For example with
>>>>> # include "/usr/local/samba/private/named.conf";
>>>>> #
>>>>> # This configures dynamically loadable zones (DLZ) from AD schema
>>>>> # Uncomment only single database line, depending on your BIND version
>>>>> #
>>>>> dlz "AD DNS Zone" {
>>>>>   # For BIND 9.8.0
>>>>>   # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
>>>>>   # For BIND 9.9.0
>>>>>   database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
>>>>> };
>>>>> ------------------------------------------------------------------------
>>>>> /var/log/messages
>>>>> Aug 17 00:13:58 server1 chronyd[809]: NTP packet received from unauthorised host 192.168.178.200 port 123
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
>>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#57474: update 'winnet.local/IN' denied
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone winnet.local
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
>>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
>>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone winnet.local
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#59638: update '178.168.192.in-addr.arpa/IN' denied
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
>>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
>>>>> ------------------------------------------------------------------------
>>>>>
>>>> You must delete the reverse zone and recreate it as I outlined in
>>>> my last message. Also, no feedback on the latter, so I have to
>>>> guess that you have done it but it.
>>>> HTH
>>>>
>>>>
>>>>>
>>>>> Sent: Saturday, 16 August 2014 at 16:00
>>>>> From: steve <steve at steve-ss.com>
>>>>> To: "Markus Roth" <markusroth1983 at gmx.net>
>>>>> Cc: samba at lists.samba.org
>>>>> Subject: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>>>>> On Sat, 2014-08-16 at 15:46 +0200, Markus Roth wrote:
>>>>>> Hi Steve,
>>>>>>
>>>>>> Update. I think nobody can say that I'm not creative :-) I've now tried ./samba-tool domain exportkeytab /etc/krb5.keytab without the --principal and changed my sssd.conf back to:
>>>>>>
>>>>>> [sssd]
>>>>>> services = nss, pam
>>>>>> config_file_version = 2
>>>>>> domains = winnet.local
>>>>>> [nss]
>>>>>> [pam]
>>>>>> [domain/winnet.local]
>>>>>> id_provider = ad
>>>>>> access_provider = ad
>>>>>>
>>>>>> Now I also get the denied messages, but the logs now seem to be different:
>>>>> Very close now. This should do it:
>>>>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
>>>>>
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2171273687.sig-server1.winnet.local/160/0
>>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#49475/key SERVER1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1458088344.sig-server1.winnet.local/160/0
>>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60843/key SERVER1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2571247347.sig-server1.winnet.local/160/0
>>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60497/key SERVER1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 6 900 600 86400 0'
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=1615781577.sig-server1.winnet.local/160/0
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=1615781577.sig-server1.winnet.local/160/0
>>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key SERVER1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
>>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key SERVER1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
>>>>>> Aug 16 15:40:19 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.200 port 123
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
>>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#53494: update 'winnet.local/IN' denied
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on zone winnet.local
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
>>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
>>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
>>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#61402: update '178.168.192.in-addr.arpa/IN' denied
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
>>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
>>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Markus Roth [mailto:markusroth1983 at gmx.net]
>>>>>> Sent: Saturday, 16 August 2014 15:13
>>>>>> To: 'steve'
>>>>>> Cc: 'samba at lists.samba.org'
>>>>>> Subject: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>>>>>>
>>>>>> Hi Steve,
>>>>>>
>>>>>> I've tried the domain exportkeytab below, but when I do samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
>>>>>>
>>>>>> ./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
>>>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 103, in run
>>>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>>>
>>>>>> When I do the same with --principal=server1$ it does an export, but I still also get the denied messages from the beginning. I also tried winnet$ or winnet.local$ but I get the same errors as above.
>>>>>>
>>>>>>
>>>>>>> Hi
>>>>>>> This is not using the sssd ad backend at all. It will not do ddns updates, neither will it pull the correct id info from AD.
>>>>>>>
>>>>>>> You were nearly there. Did you see my other post?
>>>>>>> Just issue:
>>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
>>>>>>> and try with your original ad sssd config.
>>>>>>
>>>>>
>>>>
>>>
>>
>
>

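Rowland's recipe above (a dedicated AD user with its own keytab, Windows client updates switched off, dhcpd calling a script that drives nsupdate) as an added example; this is a hypothetical dhcpd hook written for this page, not Rowland's script and not the Kuron script Markus links. The zone and DC names are the thread's; dhcpduser, its keytab and ticket-cache paths, and the dhcpd.conf `on commit` wiring quoted in the docstring are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical dhcpd hook: register a lease's A and PTR records in Samba AD
DNS with a GSS-TSIG-signed nsupdate, authenticated from a dedicated AD user's
keytab instead of letting every Windows client sign its own updates.

Assumed dhcpd.conf wiring (names are this example's, not from the thread):
    on commit {
        set ip = binary-to-ascii(10, 8, ".", leased-ip-address);
        set name = pick-first-value(option host-name, "");
        execute("/usr/local/sbin/dhcp-dyndns.py", "add", name, ip);
    }
with the same call and "delete" under `on release` and `on expiry`.
"""
import ipaddress
import os
import re
import subprocess
import sys

DNS_SERVER = "server1.winnet.local"   # the DC running BIND9 DLZ, from the thread
FORWARD_ZONE = "winnet.local"
REALM = "WINNET.LOCAL"
PRINCIPAL = "dhcpduser@WINNET.LOCAL"  # assumed AD user created only for DHCP updates
KEYTAB = "/etc/dhcpduser.keytab"      # assumed: exported with samba-tool domain exportkeytab
CCACHE = "/run/dhcpd-dyndns.ccache"   # private ticket cache, never root's default one
TTL = 3600

# option host-name comes from the DHCP client and is untrusted: only a plain
# DNS label may be spliced into the nsupdate batch (no dots, spaces, newlines).
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def is_safe_label(hostname: str) -> bool:
    """True only for a single lowercase RFC 1123 label; fullmatch also rejects a trailing newline."""
    return LABEL_RE.fullmatch(hostname) is not None


def reverse_name(ip: str) -> str:
    """'192.168.178.98' -> '98.178.168.192.in-addr.arpa'."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def reverse_zone(ip: str) -> str:
    """/24 reverse zone as used in the thread: '192.168.178.98' -> '178.168.192.in-addr.arpa'."""
    return reverse_name(ip).split(".", 1)[1]


def nsupdate_batch(action: str, hostname: str, ip: str) -> str:
    """Build nsupdate's stdin for one lease: forward zone first, then reverse zone."""
    if action not in ("add", "delete"):
        raise ValueError(f"bad action {action!r}")
    host = hostname.lower()
    if not is_safe_label(host):
        raise ValueError(f"refusing unsafe hostname {hostname!r}")
    ip = str(ipaddress.IPv4Address(ip))   # normalises and rejects anything that is not IPv4
    fqdn = f"{host}.{FORWARD_ZONE}"
    ptr = reverse_name(ip)
    cmds = [f"server {DNS_SERVER}", f"realm {REALM}",
            f"zone {FORWARD_ZONE}", f"update delete {fqdn} A"]
    if action == "add":
        cmds.append(f"update add {fqdn} {TTL} A {ip}")
    cmds += ["send", f"zone {reverse_zone(ip)}", f"update delete {ptr} PTR"]
    if action == "add":
        cmds.append(f"update add {ptr} {TTL} PTR {fqdn}.")
    cmds.append("send")
    return "\n".join(cmds) + "\n"


def run_update(action: str, hostname: str, ip: str) -> None:
    """kinit from the keytab into a private ccache, then feed the batch to nsupdate -g."""
    batch = nsupdate_batch(action, hostname, ip)
    env = dict(os.environ, KRB5CCNAME=f"FILE:{CCACHE}")
    subprocess.run(["kinit", "-k", "-t", KEYTAB, PRINCIPAL], env=env, check=True)
    subprocess.run(["nsupdate", "-g"], input=batch, text=True, env=env, check=True)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: dhcp-dyndns.py add|delete <hostname> <ipv4>")
    try:
        run_update(*sys.argv[1:])
    except (ValueError, subprocess.CalledProcessError) as exc:
        sys.exit(f"dyndns update failed: {exc}")   # dhcpd logs the non-zero exit
```

The hook trusts whatever label dhcpd hands it, so constraining which clients may claim which names is dhcpd's job (host declarations, or a lookup against a known-hosts list before calling the script).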
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
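The pattern argued over throughout this thread, an unsigned `update ... denied` immediately followed by a signed `allowing update of signer=client1$@...` for the same client, is worth checking mechanically rather than by eye. The script below is an added example, not code from the thread or from Samba: it pairs each unsigned denial with the GSS-TSIG-signed update that follows it for the same client and zone, reports denials that never got a signed follow-up, and flags a signer that touched a record other than its own. The sample log is constructed after the thread's samba_dlz line format.

```python
"""Triage BIND/samba_dlz dynamic-update log lines from a Samba AD DC.

A Windows client first sends an unsigned UPDATE, which a secure-only zone
rejects ('update ... denied'), then retries with a GSS-TSIG-signed UPDATE that
samba_dlz authorises against the machine account ('/key client1$@REALM').
So a denial only matters when no signed update for that client and zone
follows it; that, and a signer touching a name that is not its own, is what
this script reports.
"""
import re

DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^/']+)/IN' denied")
SIGNED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+/key (?P<signer>\S+): updating zone "
    r"'(?P<zone>[^/']+)/NONE': (?:deleting rrset|adding an RR) at "
    r"'(?P<name>[^']+)' (?P<rtype>\w+)")
ADDED_RE = re.compile(
    r"samba_dlz: added (?:rdataset )?(?P<name>\S+) '?\S+ \d+ IN "
    r"(?P<rtype>\w+) (?P<rdata>[^']+?)'?$")


def signer_host(signer: str) -> str:
    """'client1$@WINNET.LOCAL' (or the mail-escaped 'client1\\$\\@...') -> 'client1'."""
    return signer.replace("\\", "").split("$", 1)[0].lower()


def triage(lines):
    """Return harmless denials, unresolved denials and signer/name mismatches."""
    denied = {}        # (ip, zone) -> line number of the first unsigned denial
    signed_ok = set()  # (ip, zone) pairs that later carried a signed update
    mismatches = []    # (line, signer, what) where a signer touched a foreign name
    pending_ptr = {}   # reverse name -> (signer host, line) until the PTR rdata shows up
    for lineno, line in enumerate(lines, 1):
        m = DENIED_RE.search(line)
        if m:
            denied.setdefault((m["ip"], m["zone"]), lineno)
            continue
        m = SIGNED_RE.search(line)
        if m:
            signed_ok.add((m["ip"], m["zone"]))
            host = signer_host(m["signer"])
            if m["rtype"] == "PTR":
                pending_ptr[m["name"]] = (host, lineno)   # target is on the 'added' line
            elif m["name"].split(".")[0].lower() != host:
                mismatches.append((lineno, m["signer"], m["name"]))
            continue
        m = ADDED_RE.search(line)
        if m and m["rtype"] == "PTR" and m["name"] in pending_ptr:
            host, _ = pending_ptr.pop(m["name"])
            target = m["rdata"].strip().rstrip(".").split(".")[0].lower()
            if target != host:
                mismatches.append((lineno, host, f"{m['name']} PTR {m['rdata'].strip()}"))
    unresolved = sorted((ip, zone, at) for (ip, zone), at in denied.items()
                        if (ip, zone) not in signed_ok)
    harmless = sorted(k for k in denied if k in signed_ok)
    return {"harmless_denials": harmless,
            "unresolved_denials": unresolved,
            "signer_mismatches": mismatches}


# Constructed sample in the thread's log format: client1 (.98) shows the normal
# denied-then-signed pattern for both zones; .50 is denied and never retries
# signed; the last line has client1$ rewriting server1's A record.
SAMPLE_LOG = """\
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.98'
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added 98.178.168.192.in-addr.arpa 98.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
Aug 18 16:20:41 server1 named[12388]: client 192.168.178.50#40112: update 'winnet.local/IN' denied
Aug 18 16:21:03 server1 named[12388]: client 192.168.178.98#58910/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for key, items in triage(source).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it against /var/log/messages (or the named channel file) after a client IP change; only the unresolved and mismatch sections need a second look.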