[Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Markus Roth
markusroth1983 at gmx.net
Sun Aug 24 11:45:55 MDT 2014
Hi Rowland,
Now I'm confused again :-)
A)
getent passwd gives me the Linux users, but my dhcpduser is only in Active Directory from samba4.
From getent passwd I get the user from my dhcp daemon:
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
B)
here i get:
/bin/getent
C)
here i get:
alias grep='grep --color=auto'
/bin/grep
Sent: Sunday, 24 August 2014 at 19:29
From: "Rowland Penny" <rowlandpenny at googlemail.com>
To: No recipient
Cc: samba at lists.samba.org
Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On 24/08/14 18:15, Markus Roth wrote:
> Hi everybody,
>
> I've done the steps below but it always says the exit 256 message. The sh script has the x access for owner, group and others, so I don't think it's a permission problem. What does exit 256 exactly mean? Could it be that I must change some things for CentOS? Sorry, I'm no expert in scripting :-(
>
> -rwxrwx--x 1 dhcpd root 6375 24. Aug 17:59 dhcp-dyndns.sh
>
> /var/log/messages says:
>
> Aug 24 15:55:40 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
> Aug 24 15:56:02 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
> Aug 24 15:56:02 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 15:56:02 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 15:56:05 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
> Aug 24 15:56:05 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 15:56:05 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 15:56:11 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
>
> /etc/dhcp/dyndns.log says:
>
> No dhcp user exists, need to create it first.. exiting.
OK, the above line is coming from the script, so this is failing:
TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
if [ -z "${TESTUSER}" ]; then
echo "No dhcp user exists, need to create it first.. exiting."
So:
A) what does 'getent passwd' show, is dhcpduser there ?
B) does 'which getent' return anything and if so what ?
C) does 'which grep' return anything and if so what ?
Lets go from there.
Rowland
> you can do this by typing the following commands
> /bin/kinit Administrator@WINNET.LOCAL
> /usr/local/samba/bin/samba-tool user create dhcpduser --description="Unprivileged user for DNS updates via ISC DHCP server"
> /usr/local/samba/bin/samba-tool user setexpiry dhcpduser --noexpiry
> /usr/local/samba/bin/samba-tool group addmembers DnsAdmins dhcpduser
>
>
>
>
> Sent: Friday, 22 August 2014 at 15:39
> From: "Rowland Penny" <rowlandpenny at googlemail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> On 22/08/14 14:34, Markus Roth wrote:
>> Hi everybody,
>>
>> First, thanks a lot for all the help. Sorry that all this is a little bit confusing for me :-( OK, I didn't know that I have to decide whether I should use sssd ddns or the script from Rowland. I thought I need both. So I decided to take Rowland's script now. So I would do the following steps for the next test:
>>
>> 1. Create the GPO from van Belle below
>> 2. Set dyndns_update = false in the sssd.conf
>> 3. check the correct permissions of dhcp sh script
>> 4. Restart named, sssd, samba4, dhcpd
>> 5. Restart client1 and analyse the /var/log/message protocoll
>>
> Sounds a good plan to me ;-)
>
> Rowland
>
>
>
>> Sent: Friday, 22 August 2014 at 12:39
>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>> this is what needs to be done..
>>
>> # FOR USE WITH BIND9_DLZ and dynamic updates
>> # It should be noted that using this method will affect functionality of windows clients,
>> # as they will still attempt to update DNS on their own and will be denied permission
>> # to do so as the record will be owned by the dhcp user.
>> #
>> # you'll need a Windows PC with the RSAT tools installed.
>> # Simply create a dedicated GPO with the Group Policy Editor,
>> # apply only to OUs that contain workstations
>> # (so that servers can still update using 'ipconfig /registerdns')
>> # and configure the following settings:
>> ###
>> # Computer Configuration
>> # Policies
>> # Administrative Templates
>> # Network
>> # DNS Client
>> # Dynamic Update = Disabled
>> # Register PTR Records = Disabled
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>>> On behalf of steve
>>> Sent: Friday, 22 August 2014 12:13
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>>>
>>> On Fri, 2014-08-22 at 09:47 +0100, Rowland Penny wrote:
>>>> On 22/08/14 09:30, steve wrote:
>>>>> On Fri, 2014-08-22 at 09:54 +0200, Markus Roth wrote:
>>>>>> Hi Steve,
>>>>>>
>>>>>> Oh no :-) Since you gave me the tip for sssd, I use it.
>>>>>> The interesting thing is that since I have sssd my server1 is
>>>>>> also doing ddns updates. Before sssd it didn't. And the ddns
>>>>>> update from my server1 is without any denied messages (server1
>>>>>> has the static IP 192.168.178.130). My client1 Windows 7 brings
>>>>>> first the denied message with a static IP and then it's doing
>>>>>> the updates. And at this point I thought you said my configs
>>>>>> are OK, or the best I can get with static IPs :-)
>>>>>> So I started to implement dhcp for my further tests
>>>>>> before I go to productive use. So now I have the problem with
>>>>>> dhcp: I get the exit 256 message and then the denied message
>>>>>> from my client1 again. It seems that my client is doing the
>>>>>> ddns updates instead of the script in the dhcp config. :-) But I
>>>>>> don't know why. I think the exit 256 message is the problem.
>>>>>> My dhcpd user has rw rights on the sh script and recursive on
>>>>>> /etc/dhcp and now the sh script is under /usr/local/sbin as
>>>>>> Rowland said.
>>>>>> In the dyndns.log from the sh script it says every time
>>>>>> that no dhcp user exists and that the script would generate one.
>>>>> Hi Markus,
>>>>> As we see it, you use either Rowland's dhcp
>>>>> direct-inject-on-dc script
>>>>> and turn off ddns on your clients or you use sssd on Linux
>>>>> and allow the
>>>>> Windows clients to send their own ddns requests. If the latter, you
>>>>> disable ddns updates if you run sssd on the DC.
>>>>> @Rowland Is this what we are talking about here?
>>>>> Cheers and sorry about the confusion,
>>>> You're confused, I think just about everybody is confused here ;-)
>>>>
>>>> And yes, you can only use one, either get sssd to update the
>>>> forward and
>>>> reverse zones OR use the setup I use. You cannot use both.
>>>>
>>>> Rowland
>>> Perfect. OK then. So the OP needs to:
>>> 1. Decide which way to go. AND TELL US! Let's assume he goes with
>>> Rowland's dhcp-ddns script on the DC. So,
>>> 2. Disable ddns. Is this it?
>>> http://support.microsoft.com/kb/816592
>>> 3. Disable ddns updates from sssd on the DC and the Linux clients in
>>> sssd.conf:
>>> dyndns_update=false
>>> HTH
>>> Steve
>>>
>>>
>>>>> Steve
>>>>>
>>>>>> Sent: Friday, 22 August 2014 at 01:01
>>>>>> From: steve <steve at steve-ss.com>
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>>>>>> On Fri, 2014-08-22 at 00:19 +0200, Markus Roth wrote:
>>>>>>
>>>>>>> Yes I'm running sssd.conf with the dns update:
>>>>>>>
>>>>>>> [sssd]
>>>>>>> services = nss, pam
>>>>>>> config_file_version = 2
>>>>>>> domains = winnet.local
>>>>>>> [nss]
>>>>>>> [pam]
>>>>>>> [domain/winnet.local]
>>>>>>> id_provider = ad
>>>>>>> auth_provider = ad
>>>>>>> access_provider = ad
>>>>>>> ldap_id_mapping = False
>>>>>>> dyndns_update = True
>>>>>>>
>>>>>>> my /etc/krb5.keytab was generated with the --principal server1$
>>>>>>>
>>>>>> I'm confused then. I thought you'd given up with sssd...
>>>>>>
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
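Two things in this thread that nobody answered in the exchange itself: what "exit status 256" means, and why the script's `getent passwd | grep` test can report "No dhcp user exists" for an account that does exist in AD. The block below is an added example written for this page; it is not Rowland's dhcp-dyndns.sh and none of the function names come from the thread. It assumes that dhcpd logs the raw wait(2) status of the helper it executes (so 256 is 1 << 8, i.e. the script returned exit code 1, which is exactly what a script that prints "exiting" and then exits 1 would produce) and that the DC resolves domain accounts through NSS (sssd or winbind), which by default do not enumerate domain users for an unqualified `getent passwd` but do answer a lookup by name.

```shell
#!/bin/sh
# Added example, not part of the dhcp-dyndns.sh script discussed in the thread.

# dhcpd is assumed here to log the raw wait(2) status of the "execute" helper.
# Low 7 bits carry a terminating signal, bits 8..15 the exit code, so
# 256 -> "exit code 1". Turn the logged number into something readable.
decode_wait_status() {
    status=$1
    sig=$((status & 127))
    if [ "$sig" -ne 0 ]; then
        echo "killed by signal $sig"
    else
        echo "exit code $((status >> 8))"
    fi
}

# The script's test was:  getent passwd | grep "$SETDHCPUSER"
# Two problems with that:
#  1. An unqualified "getent passwd" only lists what NSS enumerates. sssd and
#     winbind do not enumerate domain users by default, so an AD-only account
#     such as dhcpduser is missing from the list even though it resolves.
#  2. grep is a substring match over every field of every line, so a test for
#     "dhcpd" is satisfied by a "dhcpduser" entry, and vice versa for any name
#     that happens to be a substring of another user, home directory or gecos.
# Looking the name up directly avoids both: getent exits non-zero if the
# account does not resolve through any NSS source.
dhcp_user_exists() {
    user=$1
    getent passwd "$user" >/dev/null 2>&1
}

# Same decision the script makes, returning the exit code dhcpd would log
# (after decode_wait_status) instead of only printing a message.
check_and_report() {
    user=$1
    if dhcp_user_exists "$user"; then
        echo "ok: $user resolves via NSS"
        return 0
    fi
    echo "No dhcp user exists, need to create it first.. exiting."
    return 1
}

# Stand-alone run: decode the value from the thread's log, then check a user
# name given on the command line (defaults to the thread's dhcpduser).
if [ "${0##*/}" != "sh" ] && [ -n "${DHCP_DDNS_DEMO:-}" ]; then
    decode_wait_status 256
    check_and_report "${1:-dhcpduser}"
fi
```

To confirm the enumeration explanation on the DC, compare `getent passwd | grep dhcpduser` with `getent passwd dhcpduser`: if only the second one prints the account, the script's unqualified `getent passwd` is the reason for the false "No dhcp user exists" and the 256 in dhcpd's log is simply its exit 1.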