[Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Markus Roth
markusroth1983 at gmx.net
Wed Aug 20 17:09:28 MDT 2014
Hi Rowland, hi Steve,
@Rowland
Thanks a llot for your howto. I've integrate your script in my centos 7 environment and modified it a little bit for the different pathes. When my client should get an ip-adress the dhcpd daemon brings the message "exit status 256":
Aug 21 00:34:18 server1 dhcpd: Listening on LPF/eno16777736/00:0c:29:63:09:28/192.168.178.0/24
Aug 21 00:34:18 server1 dhcpd: Sending on LPF/eno16777736/00:0c:29:63:09:28/192.168.178.0/24
Aug 21 00:34:18 server1 dhcpd: Sending on Socket/fallback/fallback-net
Aug 21 00:34:18 server1 systemd: Started DHCPv4 Server Daemon.
Aug 21 00:34:50 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
Aug 21 00:34:50 server1 dhcpd: DHCPREQUEST for 192.168.178.11 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 00:34:50 server1 dhcpd: DHCPACK on 192.168.178.11 to 00:0c:29:a4:b4:10 (client1) via eno16777736
The dyndns.log says that my dhcpduser does not exist, but it does. I created it as follows:
samba-tool user create dhcpduser --description="Unprivileged user for DNS updates via DHCP server"
samba-tool group addmembers DnsAdmins dhcpduser
samba-tool group addmembers "Domain Admins" dhcpduser
Than i generated the keytab:
samba-tool domain exportkeytab --principal=dhcpduser at WINNET.LOCAL /etc/dhcp/dhcpduser.keytab
Extract from the dyndns.log:
No dhcp user exists, need to create it first.. exiting.
you can do this by typing the following commands
/usr/bin/kinit Administrator at WINNET.LOCAL
Usage: samba-tool <subcommand>
Main samba administration tool.
Options:
-h, --help show this help message and exit
Version Options:
-V, --version Display version number
.
.
.
.
My modified dhcp-dyndns.sh: All my files are under /etc/dhcp. In the script below i've modified my realm, domainname, temp-path, the path to my samba-tool and the keytab path.
-----------------------------------------------------------------------------------------------
# ----------------------- start -------------------------
#!/bin/bash
# /etc/dhcp/dhcp-dyndns.sh
# This script is for secure DDNS updates using GSS/TSIG on Samba 4
# Version: 0.8.3 (includes TXTRR records)
# Rowland Penny rpenny241155 at gmail.com
# Updated with suggestions from L. v. Belle louis at van-belle.nl
# method to check for valid kerberos ticket changed
LOG="/etc/dhcp/dyndns.log"
if [ -f /etc/dhcp/dyndns.log ]; then
:
else
touch /etc/dhcp/dyndns.log
fi
exec >> $LOG 2>&1
## CONFIGURATION ##
# Samba 4 realm, change this to YOUR realm.
SETREALM=WINNET.LOCAL
#
# DNS domain, change this to YOUR dns domain
domain=winnet.local
#
## DO NOT CHANGE ANYTHING BELOW HERE
#
## define the dhcp user that will be used for the Dynamic updates to samba4
## this will create a Principal like : user at realm
SETDHCPUSER=dhcpduser
#
# TXT RRs (rfc4701)
# Set to YES to use TXT RRs
TXTRRS="NO"
#
# DNS nameserver
ns=127.0.0.1
#
# Kerberos principal
SETPRINCIPAL=$SETDHCPUSER@$SETREALM
# Kerberos keytab
SETDHCPKEYTAB=/etc/dhcp/$SETDHCPUSER.keytab
# Default DNS resource records TTL
RRTTL="3600"
# krbcc ticket cache
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
## Command locations, with full paths it speeds up processing.
## ( tested on Ubuntu 14.04, Debian 7.5 )
CMDSORT="$(which sort)"
CMDAWK="$(which awk)"
CMDHEAD="$(which head)"
CMDECHO="$(which echo)"
CMDDATE="$(which date)"
CMDKINIT="$(which kinit)"
CMDKLIST="$(which klist)"
CMDGREP="$(which grep)"
CMDGETENT="$(which getent)"
CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
CMDCHOWN="$(which chown)"
CMDCHMOD="$(which chmod)"
CMDHOST="$(which host)"
CMDNSUPDATE="$(which nsupdate)"
TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
if [ -z "${TESTUSER}" ]; then
echo "No dhcp user exists, need to create it first.. exiting."
echo "you can do this by typing the following commands"
echo "${CMDKINIT} Administrator@${SETREALM}"
echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
exit 1
fi
# Check for Kerberos keytab
if [ -f "${SETDHCPKEYTAB}" ]; then
:
else
echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
echo "Use the following commands as root"
echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
testos=$(uname -a | grep 'Debian')
if [ -z "$testos" ]; then
echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
fi
exit 1
fi
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
NSUPDFLAGS="-d"
## VARIABLES ##
# Variables supplied by dhcpd.conf
action=$1
ip=$2
DHCID=$3
name=${4%%.*}
usage()
{
echo "USAGE:"
echo " `basename $0` add ip-address dhcid|mac-address hostname"
echo " `basename $0` delete ip-address dhcid|mac-address"
}
_KERBEROS () {
# get current time as a number
test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
# Check for valid kerberos ticket
echo "$test [dyndns] : Running check for valid kerberos ticket"
klist -c "$KRB5CCNAME" -s
if [ "$?" != "0" ]; then
echo "$test [dyndns] : Getting new ticket, old one has expired"
kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
if [ "$?" != "0" ]; then
echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
exit 1;
fi
else
echo "$test [dyndns] : New ticket not required, old one still valid"
fi
}
# Exit if no ip address or mac-address
if [ -z "$ip" ] || [ -z "$DHCID" ]; then
usage
exit 1
fi
# Exit if no computer name supplied, unless the action is 'delete'
if [ "$name" = "" ]; then
if [ "$action" = "delete" ]; then
name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
else
usage
exit 1;
fi
fi
# Set PTR address
ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
# Create RRTXT record
RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
RRTXT="000101${RRTXT%% *}"
# extract txt record, if there is one
RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
## ${CMDNSUPDATE} ##
case "$action" in
add)
if [ "$TXTRRS" = "YES" ]; then
TXTRRS=""
# if string is not null
if [ -n "$RRTXTOLD" ]; then
# if old RRTXT is not the same as $RRTXT then exit
if [ "$RRTXT" != "$RRTXTOLD" ]; then
echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
exit 1
fi
fi
else
TXTRRS=";"
fi
_KERBEROS
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
update add $name.$domain $RRTTL A $ip
send
UPDATE
result1=$?
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
zone 0.168.192.in-addr.arpa
update delete $ptr $RRTTL PTR
update add $ptr $RRTTL PTR $name.$domain
send
UPDATE
result2=$?
;;
delete)
if [ "$TXTRRS" = "YES" ]; then
TXTRRS=""
if [ -n "$RRTXTOLD" ]; then
if [ "$RRTXT" != "$RRTXTOLD" ]; then
echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
exit 1
fi
else
TXTRRS=";"
fi
else
TXTRRS=";"
fi
_KERBEROS
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
send
UPDATE
result1=$?
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $ptr $RRTTL PTR
send
UPDATE
result2=$?
;;
*)
echo "Invalid action specified"
exit 103
;;
esac
result="$result1$result2"
if [ "$result" != "00" ]; then
echo "DHCP-DNS Update failed: $result"
logger "DHCP-DNS Update failed: $result"
else
echo "DHCP-DNS Update succeeded"
logger "DHCP-DNS Update succeeded"
fi
exit $result
# ------------------ end -------------------------
-----------------------------------------------------------------------------------------------
-----Ursprüngliche Nachricht-----
Von: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Gesendet: Mittwoch, 20. August 2014 10:52
An: Markus Roth
Betreff: Re: Aw: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On 19/08/14 22:27, Markus Roth wrote:
> Hi Rowland,
>
> that would be great :-) thank you :-)
>
> Markus
>
>
> Gesendet: Dienstag, 19. August 2014 um 23:19 Uhr
> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
> An: "samba at lists.samba.org" <samba at lists.samba.org>
> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse
> lookup Zone I never found any other way to do it, you have to do it by
> a secure method
> (kerberos) and that's how the script works. I'll come up with a howto
> and send it to you tomorrow. Provided gmail is working properly again
>
> Rowland
>
>
> On 19 August 2014 21:56, Markus Roth <markusroth1983 at gmx.net> wrote:
>
>> Hi Rowland,
>>
>> i think that's no problem to setup your howto with centos 7 :-) can i
>> have the howto? But is it correct that i can't use a dhcp setup
>> without the script?
>>
>> markus
>>
>> Gesendet: Dienstag, 19. August 2014 um 22:50 Uhr
>> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
>> An: samba at lists.samba.org
>> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse
>> lookup Zone On 19/08/14 21:27, Markus Roth wrote:
>>> Hi Steve,
>>>
>>> thanks a lot :-) so in this case that i have a successfull
>>> configuration
>> i would now implement an isc dhcp server under my centos 7 test
>> environment. But how should i configure the dhcp server? I didn't
>> find any howto. Only a skript from
>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-up
>> dates-against-secure-microsoft-dns/
>>> But is that the only way? And when it is the only way how must i
>> integrate this script in dhcp?
>> Hi, I have been doing the updates with dhcp this way for over 18
>> months now, You need to add a user to do the updates, create a keytab
>> for that user, turn off ddns updates from windows clients and then
>> dhcp runs a script that via nsupdate, updates DNS. I could probably
>> come up with a howto, but it would be for Debian, so you would have
>> to Centos-ify it yourself.
>>
>> Rowland
>>
>>> Kind regarts
>>> Markus
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org]
>> Im Auftrag von steve
>>> Gesendet: Montag, 18. August 2014 17:08
>>> An: Markus Roth
>>> Cc: samba at lists.samba.org
>>> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse
>> lookup Zone
>>> On Mon, 2014-08-18 at 16:28 +0200, Markus Roth wrote:
>>>> Hi Steve,
>>>>
>>>> i have bind in Version 9.9.4-RedHat-9.9.4-14.el7.centos (Extended
>> Support Version) under dentos7. I see the update messages without
>> configuring a log-leve in var/log/messages.
>>>> ok so yu mean i should use always dhcp instead of static ips for a
>> clean ddns update and logs?
>>>> when i changed the ip-adress of my client1 from 192.168.178.99 to
>> 192.168.178.98 machine with windows 7 and analyse the dns entries
>> with the windows remote tools he has updated the client1 successfully.
>>>> With the host command i get:
>>>>
>>>> [root at server1 ~]# host -t A client1.winnet.local
>>>> client1.winnet.local has address 192.168.178.98
>>>> [root at server1 ~]# host -t PTR 192.168.178.98
>>>> 98.178.168.192.in-addr.arpa domain name pointer client1.winnet.local.
>>>>
>>>> so can i say that i have a correct configuration although i have
>>>> the
>> denied message? This says /var/log/messages for the ddns during the
>> ip
>> change:
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting
>>>> transaction on zone winnet.local Aug 18 16:18:08 server1
>>>> named[12388]: client
>>>> 192.168.178.98#57564: update 'winnet.local/IN' denied Aug 18
>>>> 16:18:08
>>>> server1 named[12388]: samba_dlz: cancelling transaction on zone
>>>> winnet.local Aug 18 16:18:08 server1 named[12388]: samba_dlz:
>>>> starting transaction on zone winnet.local Aug 18 16:18:08 server1 named[12388]:
>>>> samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL
>>>> name=client1.winnet.local tcpaddr= type=AAAA
>>>> key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of
>>>> signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr=
>>>> type=A
>>>> key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of
>>>> signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr=
>>>> type=A
>>>> key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>>>> Aug 18 16:18:08 server1 named[12388]: client
>>>> 192.168.178.98#52919/key
>>>> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE':
>>>> deleting rrset at 'client1.winnet.local' AAAA Aug 18 16:18:08
>>>> server1
>> named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL:
>> updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local'
>> A Aug 18 16:18:08 server1 named[12388]: client
>> 192.168.178.98#52919/key
>> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an
>> RR at 'client1.winnet.local' A
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset
>> client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.98'
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted
>>>> rdataset
>> winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local.
>> hostmaster.winnet.local. 12 900 600 86400 0'
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset
>> winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local.
>> hostmaster.winnet.local. 13 900 600 86400 0'
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed
>>>> transaction on zone winnet.local Aug 18 16:18:08 server1 named[12388]: samba_dlz:
>>>> starting transaction on zone 178.168.192.in-addr.arpa Aug 18
>>>> 16:18:08
>>>> server1 named[12388]: client 192.168.178.98#62909: update
>>>> '178.168.192.in-addr.arpa/IN' denied Aug 18 16:18:08 server1
>>>> named[12388]: samba_dlz: cancelling transaction on zone
>>>> 178.168.192.in-addr.arpa Aug 18 16:18:08 server1 named[12388]:
>>>> samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>>>> Aug
>>>> 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of
>>>> signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa
>>>> tcpaddr= type=PTR
>>>> key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of
>>>> signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa
>>>> tcpaddr= type=PTR
>>>> key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
>>>> Aug 18 16:18:08 server1 named[12388]: client
>>>> 192.168.178.98#58907/key
>>>> client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
>> deleting rrset at '98.178.168.192.in-addr.arpa' PTR Aug 18 16:18:08
>> server1
>> named[12388]: client 192.168.178.98#58907/key client1\$\@WINNET.LOCAL:
>> updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at
>> '98.178.168.192.in-addr.arpa' PTR
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added
>> 98.178.168.192.in-addr.arpa 98.178.168.192.in-addr.arpa. 1200 IN PTR
>> client1.winnet.local.
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted
>>>> rdataset
>> 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA
>> server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset
>> 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA
>> server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 3600'
>>>> Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed
>>>> transaction on zone 178.168.192.in-addr.arpa
>>>>
>>> That looks as perfect as you're gonna get. And, it's working. Unless
>>> you
>> want to try samba-technical or isc, I think this is the best you can
>> expect, especially as it's working. Remember, the errors are written
>> by coders and can at times have little bearing upon what is really happening.
>>> I'm no expert on network topography. We chose dhcp because we wanted
>> less work. For file servers we always use fixed IP. I'm sure that
>> someone will chip in with some more concrete explanations other than
>> sheer
>> laziness;) HTH, Steve
>>>>
>>>> Gesendet: Montag, 18. August 2014 um 00:31 Uhr
>>>> Von: steve <steve at steve-ss.com>
>>>> An: "Markus Roth" <markusroth1983 at gmx.net>
>>>> Cc: samba at lists.samba.org
>>>> Betreff: Re: [Samba] samba4 internal dns Server ddns for the
>>>> reverse lookup Zone On Sun, 2014-08-17 at 16:55 +0200, Markus Roth wrote:
>>>>> Hi Steve,
>>>>>
>>>>> first thanks a lot for your help at this time :-)
>>>>>
>>>>>> Much easier:
>>>>>> samba-tool dns zonedelete
>>>>>> restart named
>>>>>> samba-tool dns zonecreate
>>>>>> restart sssd
>>>>> ah okay good to know for future actions. So do i understand that
>>>>> right
>> that my configuration is correct now and the denied messages with
>> this configuration is ok? if its so than the denied messages are ok
>> for me :-) But before i took my new configuration in productive use i better ask.
>>>> On:
>>>> named -version
>>>> BIND 9.9.4-rpz2.13269.14-P2 (Extended Support Version) We do not
>>>> get the denied messages, but we may have a lower debug level set.
>>>> Sorry, can't confirm this as we've no test domain with that version.
>>>> _Are_ the records being updated? Change the IP of a sssd client box
>>>> (NOT the IP of the DC) and use host to check A and PTR.
>>>>> I took static IPs only for testing. When this configuration is ok
>>>>> now
>> i would create a test envirnoment with a dhcp-server.
>>>> ddns is handled fine by the sssd ad backend when the ip of a client
>>>> is changed via dhcp.
>>>>
>>>>> For the rw access you said named needs rw access on the dns databases.
>>>> Yes. the keytab for named.conf and the dns partitions.
>>>>
>>>>> So i've set rw access for the group named on the *.so-files and
>>>>> for
>> the ldb and tdb-files in the /usr/samba/private structure. But i
>> don't know if this is neccesary.
>>>>> Only for interest: When static IPs were used you would deaktivate
>>>>> the
>> automatic ddns updates and add them manually with the samba-tool or
>> with the windows remote administration kit? But i think it's much
>> easier with ddns if some IPs will change, isn't it?
>>>>>> LOL, yeah. open source error messages at their best.
>>>>> ......
>>>>>> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added
>> 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa. 1200 IN
>> PTR client1.winnet.local.
>>>>> . . .then it does it!
>>>>> ....
>>>>>> Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed
>>>>>> transaction on zone 178.168.192.in-addr.arpa
>>>>>>
>>>>>> That's the best you're gonna get. But why bother with static IPs?
>>>>>> HTH,
>>>>>> Steve
>>>>>> Gesendet: Sonntag, 17. August 2014 um 01:53 Uhr
>>>>>> Von: steve <steve at steve-ss.com>
>>>>>> An: "Markus Roth" <markusroth1983 at gmx.net>
>>>>>> Cc: samba at lists.samba.org
>>>>>> Betreff: Re: Aw: Re: AW: [Samba] samba4 internal dns Server ddns
>>>>>> for the reverse lookup Zone On Sun, 2014-08-17 at 00:46 +0200,
>>>>>> Markus
>> Roth wrote:
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>> i don't know what i'm still doing wrong :-( I've create new
>>>>>>> vmware
>> environments with centos 7 and windows 7. The hostname oft he centos
>> 7 is
>> server1 and the hostname from the windows 7 is client1. I've
>> configured
>> server1 as followed:
>>>>>>> 1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
>>>>>>> 2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
>>>>>>> 3. edit /root/rpmbuild/SPECS/bind.spec and remove the line
>>>>>>> --disable-isc-spnego 4. rebuild bind with rpmbuild -bb
>>>>>>> ~/rpmbuild/SPECS/bind.spec 5. remove all previous bind* and
>>>>>>> samba* installation files with yum remove 6. install
>>>>>>> bind-license, bind-libs* and bind9* with rpm -ivh 7. download
>>>>>>> samba 4.1.11 8. install dependencies for samba 4.1.11 with yum
>>>>>>> install glibc glibc-devel gcc python* libacl-devel
>>>>>>> krb5-workstation krb5-libs pam_krb5 8. install samba 4.1.11 with
>>>>>>> ./configure --enable-debug --enable-selftest than make than make
>>>>>>> install 9. configure samba 4.1.11 with samba-tool domain
>>>>>>> provision --use-rfc2307 --interactive --function-level=2008_R2
>>>>>>> 10. configure /etc/named.conf for samba4 11. chgrp named + rw
>>>>>>> access for named on dns.keytab, dns_update_list, named.conf
>>>>>>> under /usr/local/samba/private and the same on *.so files under
>>>>>>> /usr/local/samba/lib/bind9. Next i activate the so file for
>>>>>>> bind9 in the samba named.conf
>>>>>> named needs rw on the DNS databases too.
>>>>>>
>>>>>>> 12. install sssd with yum install sssd 13. generatet he
>>>>>>> krb5.keytab with my servername in big letters fort he principal
>>>>>>> name # samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>>> --principal=SERVER1$
>>>>>> The next 2 lines make no sense:
>>>>>>> # chown root:root /etc/krb5.sssd.keytab # chmod 600
>>>>>>> /etc/krb5.sssd.keytab 14. generatet he sssd.conf with the same
>>>>>>> file permissions as the krb5.keytab + copy the samba4 krb5.conf
>>>>>>> to /etc and overwrite the existing one 15. Start named, sssd and
>>>>>>> samba daemon 16.
>>>>>>> generate reverse lookup zone with samba-tool dns zonecreate
>>>>>>> server1.winnet.local 178.168.192.in-addr.arpa 17. Start the
>>>>>>> client1 machine, give the server1 ip as the dns-server and
>>>>>>> joined the client1 to the domain
>>>>>>>
>>>>>>> Here are my configuration files and the last log-file Do you see
>>>>>>> any mistakes?
>>>>>>>
>>>>>>> Named.conf
>>>>>>> ----------------------------------------------------------------
>>>>>>> ----------------------------------------------------------------
>>>>>>> --------------------------------------------
>>>>>>> options {
>>>>>>> listen-on port 53 { 127.0.0.1; 192.168.178.130; };
>>>>>>> listen-on-v6 port 53 { ::1; };
>>>>>>> directory "/var/named";
>>>>>>> dump-file "/var/named/data/cache_dump.db"; statistics-file
>>>>>>> "/var/named/data/named_stats.txt";
>>>>>>> memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>>> allow-query { localhost; 192.168.178.0/24; }; allow-recursion {
>>>>>>> localhost; 192.168.178.0/24; }; forwarders { 8.8.8.8; 8.8.4.4;
>>>>>>> }; tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>>>>>>> recursion yes;
>>>>>>> dnssec-enable yes;
>>>>>>> dnssec-validation yes;
>>>>>>> dnssec-lookaside auto;
>>>>>>> /* Path to ISC DLV key */
>>>>>>> bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory
>>>>>>> "/var/named/dynamic"; pid-file "/run/named/named.pid";
>>>>>>> session-keyfile "/run/named/session.key"; }; logging { channel
>>>>>>> default_debug { file "data/named.run"; severity dynamic; }; };
>>>>>>> zone "." IN { type hint; file "named.ca"; }; include
>>>>>>> "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
>>>>>>> include "/usr/local/samba/private/named.conf";
>>>>>>> ----------------------------------------------------------------
>>>>>>> ----------------------------------------------------------------
>>>>>>> --------------------------------------------
>>>>>>> Sssd.conf
>>>>>>> [sssd]
>>>>>>> services = nss, pam
>>>>>>> config_file_version = 2
>>>>>>> domains = winnet.local
>>>>>>> [nss]
>>>>>>> [pam]
>>>>>>> [domain/winnet.local]
>>>>>>> id_provider = ad
>>>>>>> auth_provider = ad
>>>>>>> access_provider = ad
>>>>>>> ldap_id_mapping = False
>>>>>>> ----------------------------------------------------------------
>>>>>>> ----------------------------------------------------------------
>>>>>>> --------------------------------------------
>>>>>>> Smb.conf
>>>>>>> # Global parameters
>>>>>>> [global]
>>>>>>> workgroup = WINNET
>>>>>>> realm = WINNET.LOCAL
>>>>>>> netbios name = SERVER1
>>>>>>> server role = active directory domain controller server services
>>>>>>> = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
>>>>>>> ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes [netlogon]
>>>>>>> path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
>>>>>>> read only = No
>>>>>>> [sysvol]
>>>>>>> path = /usr/local/samba/var/locks/sysvol read only = No
>>>>>>> ----------------------------------------------------------------
>>>>>>> ----------------------------------------------------------------
>>>>>>> --------------------------------------------
>>>>>>> Samba4 named.conf
>>>>>>> # This DNS configuration is for BIND 9.8.0 or later with
>>>>>>> dlz_dlopen
>> support.
>>>>>>> #
>>>>>>> # This file should be included in your main BIND configuration
>>>>>>> file # # For example with # include
>>>>>>> "/usr/local/samba/private/named.conf";
>>>>>>> #
>>>>>>> # This configures dynamically loadable zones (DLZ) from AD
>>>>>>> schema # Uncomment only single database line, depending on your
>>>>>>> BIND version # dlz "AD DNS Zone" { # For BIND 9.8.0 # database
>>>>>>> "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
>>>>>>> # For BIND 9.9.0
>>>>>>> database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
>>>>>>> };
>>>>>>> ----------------------------------------------------------------
>>>>>>> ----------------------------------------------------------------
>>>>>>> --------------------------------------------
>>>>>>> Var/log/messages
>>>>>>> Aug 17 00:13:58 server1 chronyd[809]: NTP packet received from
>>>>>>> unauthorised host 192.168.178.200 port 123 Aug 17 00:14:02
>>>>>>> server1 named[11100]: samba_dlz: starting transaction on zone
>>>>>>> winnet.local Aug 17 00:14:02 server1 named[11100]: client
>>>>>>> 192.168.178.200#57474: update 'winnet.local/IN' denied Aug 17
>>>>>>> 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction
>>>>>>> on zone winnet.local Aug 17 00:14:02 server1 named[11100]:
>>>>>>> samba_dlz: starting transaction on zone winnet.local Aug 17
>>>>>>> 00:14:02 server1 named[11100]: samba_dlz: allowing update of
>>>>>>> signer=client1\$\@WINNET.LOCAL name=client1.winnet.local
>>>>>>> tcpaddr= type=AAAA
>>>>>>> key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update
>>>>>>> of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local
>>>>>>> tcpaddr= type=A
>>>>>>> key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update
>>>>>>> of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local
>>>>>>> tcpaddr= type=A
>>>>>>> key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>>>> Aug 17 00:14:02 server1 named[11100]: client
>>>>>>> 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone
>>>>>>> 'winnet.local/NONE': deleting rrset at 'client1.winnet.local'
>>>>>>> AAAA
>> Aug 17 00:14:02 server1 named[11100]: client
>> 192.168.178.200#53493/key
>> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting
>> rrset at 'client1.winnet.local' A Aug 17 00:14:02 server1 named[11100]:
>> samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local.
>> 1200 IN A 192.168.178.200'
>>>>>>> Aug 17 00:14:02 server1 named[11100]: client
>>>>>>> 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone
>> 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A Aug 17
>> 00:14:02 server1 named[11100]: samba_dlz: added rdataset
>> client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
>>>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed
>>>>>>> transaction on zone winnet.local Aug 17 00:14:02 server1
>>>>>>> named[11100]: samba_dlz: starting transaction on zone
>>>>>>> 178.168.192.in-addr.arpa Aug 17 00:14:02 server1 named[11100]:
>>>>>>> client 192.168.178.200#59638: update
>>>>>>> '178.168.192.in-addr.arpa/IN' denied Aug 17 00:14:02 server1
>>>>>>> named[11100]: samba_dlz: cancelling transaction on zone
>>>>>>> 178.168.192.in-addr.arpa Aug 17 00:14:02 server1 named[11100]:
>>>>>>> samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
>>>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update
>>>>>>> of signer=client1\$\@WINNET.LOCAL
>>>>>>> name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR
>>>>>>> key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update
>>>>>>> of signer=client1\$\@WINNET.LOCAL
>>>>>>> name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR
>>>>>>> key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
>>>>>>> Aug 17 00:14:02 server1 named[11100]: client
>>>>>>> 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone
>> '178.168.192.in-addr.arpa/NONE': deleting rrset at
>> '200.178.168.192.in-addr.arpa' PTR Aug 17 00:14:02 server1 named[11100]:
>> samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa
>> '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
>>>>>>> Aug 17 00:14:02 server1 named[11100]: client
>>>>>>> 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone
>> '178.168.192.in-addr.arpa/NONE': adding an RR at
>> '200.178.168.192.in-addr.arpa' PTR Aug 17 00:14:02 server1 named[11100]:
>> samba_dlz: added rdataset 200.178.168.192.in-addr.arpa
>> '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
>>>>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed
>>>>>>> transaction on zone 178.168.192.in-addr.arpa
>>>>>>> ----------------------------------------------------------------
>>>>>>> ----------------------------------------------------------------
>>>>>>> --------------------------------------------
>>>>>>>
>>>>>> You must delete the reverse zone and recreate it as I outlined in
>>>>>> my last message. Also, no feedback on the latter, so I have to
>>>>>> guess that you have done it but it.
>>>>>> HTH
>>>>>>
>>>>>>
>>>>>>> Gesendet: Samstag, 16. August 2014 um 16:00 Uhr
>>>>>>> Von: steve <steve at steve-ss.com>
>>>>>>> An: "Markus Roth" <markusroth1983 at gmx.net>
>>>>>>> Cc: samba at lists.samba.org
>>>>>>> Betreff: Re: AW: [Samba] samba4 internal dns Server ddns for the
>>>>>>> reverse lookup Zone On Sat, 2014-08-16 at 15:46 +0200, Markus
>>>>>>> Roth
>> wrote:
>>>>>>>> Hi Steve,
>>>>>>>>
>>>>>>>> update. I think nobody can say that i'm not creative :-) I've
>>>>>>>> tried now ./samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>>>> without the --principal and change my sssd.conf back to:
>>>>>>>>
>>>>>>>> [sssd]
>>>>>>>> services = nss, pam
>>>>>>>> config_file_version = 2
>>>>>>>> domains = winnet.local
>>>>>>>> [nss]
>>>>>>>> [pam]
>>>>>>>> [domain/winnet.local]
>>>>>>>> id_provider = ad
>>>>>>>> access_provider = ad
>>>>>>>>
>>>>>>>> Now i get also the denied messages, but the logs now seems to
>>>>>>>> be
>> different:
>>>>>>> Very close now. This should do it:
>>>>>>>
>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-[http
>> ://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-][http://
>> linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-[http://linu
>> xcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-]]
>>>>>>> stale-dns-records-with.html
>>>>>>>
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting
>>>>>>>> transaction on zone winnet.local Aug 16 15:40:03 server1
>>>>>>>> named[14419]: samba_dlz: allowing update of
>>>>>>>> signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
>>>>>>>> tcpaddr=192.168.178.130 type=A
>>>>>>>> key=2171273687.sig-server1.winnet.local/160/0
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: client
>>>>>>>> 192.168.178.130#49475/key
>>>>>>>> SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE':
>>>>>>>> deleting rrset at 'server1.winnet.local' A Aug 16 15:40:03
>>>>>>>> server1 named[14419]: samba_dlz: subtracted rdataset
>>>>>>>> server1.winnet.local 'server1.winnet.local. 3600 IN A
>>>>>>>> 192.168.178.130'
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted
>>>>>>>> rdataset winnet.local 'winnet.local. 3600 IN SOA
>>>>>>>> server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset
>>>>>>>> winnet.local 'winnet.local. 3600 IN SOA
>> server1.winnet.local.
>>>>>>>> hostmaster.winnet.local. 5 900 600 86400 0'
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed
>>>>>>>> transaction on zone winnet.local Aug 16 15:40:03 server1
>>>>>>>> named[14419]: samba_dlz: starting transaction on zone
>>>>>>>> winnet.local Aug 16 15:40:03 server1 named[14419]: samba_dlz:
>>>>>>>> allowing update of signer=SERVER1\$\@WINNET.LOCAL
>>>>>>>> name=server1.winnet.local
>>>>>>>> tcpaddr=192.168.178.130 type=AAAA
>>>>>>>> key=1458088344.sig-server1.winnet.local/160/0
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: client
>>>>>>>> 192.168.178.130#60843/key
>>>>>>>> SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE':
>>>>>>>> deleting rrset at 'server1.winnet.local' AAAA Aug 16 15:40:03
>>>>>>>> server1 named[14419]: samba_dlz: committed transaction on zone
>>>>>>>> winnet.local Aug 16 15:40:03 server1 named[14419]: samba_dlz:
>>>>>>>> starting transaction on zone winnet.local Aug 16 15:40:03
>>>>>>>> server1 named[14419]: samba_dlz: allowing update of
>>>>>>>> signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
>>>>>>>> tcpaddr=192.168.178.130 type=A
>>>>>>>> key=2571247347.sig-server1.winnet.local/160/0
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: client
>>>>>>>> 192.168.178.130#60497/key
>>>>>>>> SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE':
>>>>>>>> adding an RR at 'server1.winnet.local' A Aug 16 15:40:03
>>>>>>>> server1 named[14419]: samba_dlz: added rdataset
>>>>>>>> server1.winnet.local 'server1.winnet.local. 3600 IN A
>>>>>>>> 192.168.178.130'
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted
>>>>>>>> rdataset winnet.local 'winnet.local. 3600 IN SOA
>>>>>>>> server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset
>>>>>>>> winnet.local 'winnet.local. 3600 IN SOA
>> server1.winnet.local.
>>>>>>>> hostmaster.winnet.local. 6 900 600 86400 0'
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed
>>>>>>>> transaction on zone winnet.local Aug 16 15:40:03 server1
>>>>>>>> named[14419]: samba_dlz: starting transaction on zone
>>>>>>>> 178.168.192.in-addr.arpa Aug 16 15:40:03 server1 named[14419]:
>>>>>>>> samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL
>>>>>>>> name=130.178.168.192.in-addr.arpa
>>>>>>>> tcpaddr=192.168.178.130 type=PTR
>>>>>>>> key=1615781577.sig-server1.winnet.local/160/0
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing
>>>>>>>> update of signer=SERVER1\$\@WINNET.LOCAL
>>>>>>>> name=130.178.168.192.in-addr.arpa
>>>>>>>> tcpaddr=192.168.178.130 type=PTR
>>>>>>>> key=1615781577.sig-server1.winnet.local/160/0
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: client
>>>>>>>> 192.168.178.130#56401/key
>>>>>>>> SERVER1\$\@WINNET.LOCAL: updating zone
>> '178.168.192.in-addr.arpa/NONE':
>>>>>>>> deleting rrset at '130.178.168.192.in-addr.arpa' PTR Aug 16
>>>>>>>> 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
>>>>>>>> 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa.
>>>>>>>> 3600 IN PTR server1.winnet.local.'
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: client
>>>>>>>> 192.168.178.130#56401/key
>>>>>>>> SERVER1\$\@WINNET.LOCAL: updating zone
>> '178.168.192.in-addr.arpa/NONE':
>>>>>>>> adding an RR at '130.178.168.192.in-addr.arpa' PTR Aug 16
>>>>>>>> 15:40:03 server1 named[14419]: samba_dlz: added rdataset
>>>>>>>> 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa.
>>>>>>>> 3600 IN PTR server1.winnet.local.'
>>>>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed
>>>>>>>> transaction on zone 178.168.192.in-addr.arpa Aug 16 15:40:19
>>>>>>>> server1 chronyd[831]: NTP packet received from unauthorised
>>>>>>>> host 192.168.178.200 port 123 Aug 16 15:40:20 server1
>>>>>>>> named[14419]: samba_dlz: starting transaction on zone
>>>>>>>> winnet.local Aug 16 15:40:20 server1 named[14419]: client
>>>>>>>> 192.168.178.200#53494: update 'winnet.local/IN' denied Aug 16
>>>>>>>> 15:40:20 server1 named[14419]: samba_dlz: cancelling
>>>>>>>> transaction on zone winnet.local Aug 16 15:40:20 server1
>>>>>>>> named[14419]: samba_dlz: starting transaction on zone
>>>>>>>> winnet.local Aug 16 15:40:20 server1 named[14419]: samba_dlz:
>>>>>>>> allowing update of signer=client1\$\@WINNET.LOCAL
>>>>>>>> name=client1.winnet.local tcpaddr= type=AAAA
>>>>>>>> key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/
>>>>>>>> 0 Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing
>>>>>>>> update of signer=client1\$\@WINNET.LOCAL
>>>>>>>> name=client1.winnet.local tcpaddr= type=A
>>>>>>>> key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/
>>>>>>>> 0 Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing
>>>>>>>> update of signer=client1\$\@WINNET.LOCAL
>>>>>>>> name=client1.winnet.local tcpaddr= type=A
>>>>>>>> key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/
>>>>>>>> 0 Aug 16 15:40:20 server1 named[14419]: client
>>>>>>>> 192.168.178.200#59384/key
>>>>>>>> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE':
>>>>>>>> deleting rrset at 'client1.winnet.local' AAAA Aug 16 15:40:20
>>>>>>>> server1 named[14419]: client 192.168.178.200#59384/key
>>>>>>>> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE':
>>>>>>>> deleting rrset at 'client1.winnet.local' A Aug 16 15:40:20
>>>>>>>> server1 named[14419]: samba_dlz: subtracted rdataset
>>>>>>>> client1.winnet.local 'client1.winnet.local. 1200 IN A
>>>>>>>> 192.168.178.200'
>>>>>>>> Aug 16 15:40:20 server1 named[14419]: client
>>>>>>>> 192.168.178.200#59384/key
>>>>>>>> client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE':
>>>>>>>> adding an RR at 'client1.winnet.local' A Aug 16 15:40:20
>>>>>>>> server1 named[14419]: samba_dlz: added rdataset
>>>>>>>> client1.winnet.local 'client1.winnet.local. 1200 IN A
>>>>>>>> 192.168.178.200'
>>>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed
>>>>>>>> transaction on zone winnet.local Aug 16 15:40:20 server1
>>>>>>>> named[14419]: samba_dlz: starting transaction on zone
>>>>>>>> 178.168.192.in-addr.arpa Aug 16 15:40:20 server1 named[14419]:
>>>>>>>> client 192.168.178.200#61402: update
>>>>>>>> '178.168.192.in-addr.arpa/IN' denied Aug 16 15:40:20 server1
>>>>>>>> named[14419]: samba_dlz: cancelling transaction on zone
>>>>>>>> 178.168.192.in-addr.arpa Aug 16 15:40:20 server1 named[14419]:
>>>>>>>> samba_dlz: starting transaction on zone
>>>>>>>> 178.168.192.in-addr.arpa Aug 16 15:40:20 server1 named[14419]:
>>>>>>>> samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL
>>>>>>>> name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR
>>>>>>>> key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/
>>>>>>>> 0 Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing
>>>>>>>> update of signer=client1\$\@WINNET.LOCAL
>>>>>>>> name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR
>>>>>>>> key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/
>>>>>>>> 0 Aug 16 15:40:20 server1 named[14419]: client
>>>>>>>> 192.168.178.200#54396/key
>>>>>>>> client1\$\@WINNET.LOCAL: updating zone
>> '178.168.192.in-addr.arpa/NONE':
>>>>>>>> deleting rrset at '200.178.168.192.in-addr.arpa' PTR Aug 16
>>>>>>>> 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset
>>>>>>>> 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa.
>>>>>>>> 1200 IN PTR client1.winnet.local.'
>>>>>>>> Aug 16 15:40:20 server1 named[14419]: client
>>>>>>>> 192.168.178.200#54396/key
>>>>>>>> client1\$\@WINNET.LOCAL: updating zone
>> '178.168.192.in-addr.arpa/NONE':
>>>>>>>> adding an RR at '200.178.168.192.in-addr.arpa' PTR Aug 16
>>>>>>>> 15:40:20 server1 named[14419]: samba_dlz: added rdataset
>>>>>>>> 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa.
>>>>>>>> 1200 IN PTR client1.winnet.local.'
>>>>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed
>>>>>>>> transaction on zone 178.168.192.in-addr.arpa
>>>>>>>>
>>>>>>>> -----Ursprüngliche Nachricht-----
>>>>>>>> Von: Markus Roth [mailto:markusroth1983 at gmx.net]
>>>>>>>> Gesendet: Samstag, 16. August 2014 15:13
>>>>>>>> An: 'steve'
>>>>>>>> Cc: 'samba at lists.samba.org'
>>>>>>>> Betreff: AW: [Samba] samba4 internal dns Server ddns for the
>>>>>>>> reverse lookup Zone
>>>>>>>>
>>>>>>>> Hi Steve,
>>>>>>>>
>>>>>>>> I've tried the below domain exportkeytab, but when i do
>>>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>>>> --principal=WINNET$
>> the log says:
>>>>>>>> ./samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>>>> --principal=WINNET$
>>>>>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>>>>> File
>>>>>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/_
>>>>>>>> _init__.py",
>>>>>>>> line 175, in _run
>>>>>>>> return self.run(*args, **kwargs) File
>>>>>>>> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/d
>>>>>>>> omain.py",
>>>>>>>> line 103, in run
>>>>>>>> net.export_keytab(keytab=keytab, principal=principal)
>>>>>>>>
>>>>>>>> When i do the same with --principal=server1$ it does an export,
>>>>>>>> but i get also the beginning denied messages. I also tried
>>>>>>>> winnet$ or winnet.local$ but it gets the same erros above.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>> This is not using the sssd ad backend at all. It will not do
>>>>>>>>> ddns updates,
>>>>>>>> neither will it pull the correct id info from AD.
>>>>>>>>
>>>>>>>>> You were nearly there. Did you see my other post?
>>>>>>>>> Just issue:
>>>>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>>>>> --principal=WINNET$ and try
>>>>>>>> with your original ad sssd config.
>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL and read
>>>>>>>>> the
>>>>>>>>> Instructions:
>>>>>>>>>
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]][https://lists.s
>> amba.org/mailman/options/samba][https://lists.samba.org/mailm[https:/
>> /lists.samba.org/mailm][https://lists.samba.org/mailm[https://lists.s
>> amba.org/mailm]]
>>>>>>>>> an/options/samba[
>> https://lists.samba.org/mailman/options/samb[https://lists.samba.org/
>> mailman/options/samb][https://lists.samba.org/mailman/options/samb[ht
>> tps://lists.samba.org/mailman/options/samb]]
>>>>>>>>> a]][
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]][https://lis
>> ts.samba.org/mailman/options/samba][https://lists.samba.org/m[https:/
>> /lists.samba.org/m][https://lists.samba.org/m[https://lists.samba.org
>> /m]]
>>>>>>>>> ailman/options/samba[
>> https://lists.samba.org/mailman/options/[https://lists.samba.org/mail
>> man/options/][https://lists.samba.org/mailman/options/[https://lists.
>> samba.org/mailman/options/]]
>>>>>>>>> samba]]][
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]][https
>> :
>>>>>>>>> //
>> lists.samba.org/mailman/options/samba][https://lists.samba[https://li
>> sts.samba][https://lists.samba[https://lists.samba]]
>> .
>>>>>>>>> org/mailman/options/samba[
>> https://lists.samba.org/mailman/opt[https://lists.samba.org/mailman/o
>> pt][https://lists.samba.org/mailman/opt[https://lists.samba.org/mailm
>> an/opt]]
>>>>>>>>> ions/samba]][
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]][ht
>>>>>>>>> tps://
>> lists.samba.org/mailman/options/samba][https://lists.sa[https://lists
>> .sa][https://lists.sa[https://lists.sa]]
>> mba.org/mailman/options/samba[https://lists.samba.org/mailman[https:/
>> /lists.samba.org/mailman][https://lists.samba.org/mailman[https://lis
>> ts.samba.org/mailman]]
>>>>>>>>> /options/samba]]]]
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]]
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]]
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:
> https://lists.samba.org/mailman/options/samba[https://lists.samba.org/
> mailman/options/samba]
OK, I have thrown the attached file together, as Steve says, you can run the dhcp server on another machine but I have not yet found a way for dhcp running on another machine to directly update DNS. You either have to use something like the script I use directly on the server or use sssd.
Rowland
More information about the samba
mailing list