[Samba] samba4 internal dns Server ddns for the reverse lookup Zone

Markus Roth markusroth1983 at gmx.net
Sun Aug 24 13:26:53 MDT 2014


Hi Rowland,
 
A)
hmm. that sounds strange. I deleted the account and create it new with the windows rsat tool instead of the samba command.
But the user is not in the /etc/passwd. (i think getent passwd reads the /etc/passwd?). Do i have to configure something special?
I compiled samba 4.1.11 by my own with:

1. ./configure --enable-debug --enable-selftest
2. make
3. make install
4. samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
4.1 Here i chose my winnet.local as the realm and domainname, than the option dc and then bind9_dlz

did i forget anything else?

B)
ok :-)

C)
ok i change that :-)
  

Gesendet: Sonntag, 24. August 2014 um 20:29 Uhr
Von: "Rowland Penny" <rowlandpenny at googlemail.com>
An: Kein Empfänger
Cc: samba at lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On 24/08/14 18:45, Markus Roth wrote:
> Hi Rowland,
>
> now i'm confused again :-)

OK, lets see if we can de-confuse you ;-)
>
> A)
> getent passwd gives me the linux-users, but my dhcpduser is only in active directory from samba4.
> from getent passwd i get the user from my dhcp-daemon:
>
> dhcpd:x:177:177:DHCP server:/:/sbin/nologin

This is where your problems start, if I run 'getent passwd' on the S4 AD
DC, I get (amongst others):

EXAMPLE\dhcpduser:*:3000018:10000::/home/EXAMPLE/dhcpduser:/bin/bash

'3000018' is the xidNumber for 'dhcpduser' from idmap.ldb

You need to investigate why running 'getent passwd' on the S4 AD DC (you
are doing this on the DC, aren't you?) does not show you dhcpduser

>
> B)
> here i get:
>
> /bin/getent

Good.

>
> C)
> here i get:
>
> alias grep='grep --color=auto'
> /bin/grep
>
>
Not so good, I just get '/bin/grep'

In the short term, change this in the script:

CMDGREP="$(which grep)"

To:

CMDGREP="/bin/grep"

I will have to think how to get round this problem properly, this will
probably involve checking for what OS the script is running on and
setting the commands accordingly.

Rowland

>
> Gesendet: Sonntag, 24. August 2014 um 19:29 Uhr
> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
> An: Kein Empfänger
> Cc: samba at lists.samba.org
> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> On 24/08/14 18:15, Markus Roth wrote:
>> Hi everybody,
>>
>> i've done the steps below but it always says the exit 256 message. the sh-skript has the x acces for owner, group and others. So i don't think it's a permission problem. What does exit 256 exactly mean? Could it be that i must change some things for centos? Sorry, i'm no expert in scripting :-(
>>
>> -rwxrwx--x 1 dhcpd root 6375 24. Aug 17:59 dhcp-dyndns.sh
>>
>> var/log/messages says:
>>
>> Aug 24 15:55:40 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
>> Aug 24 15:56:02 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
>> Aug 24 15:56:02 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
>> Aug 24 15:56:02 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
>> Aug 24 15:56:05 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
>> Aug 24 15:56:05 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
>> Aug 24 15:56:05 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
>> Aug 24 15:56:11 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
>>
>> /etc/dhcp/dyndns.log says:
>>
>> No dhcp user exists, need to create it first.. exiting.
> OK, the above line is coming from the script, so this is failing:
>
> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
> if [ -z "${TESTUSER}" ]; then
> echo "No dhcp user exists, need to create it first.. exiting."
>
> So:
>
> A) what does 'getent passwd' show, is dhcpduser there ?
> B) does 'which getent' return anything and if so what ?
> C) does 'which grep' return anything and if so what ?
>
> Lets go from there.
>
> Rowland
>
>> you can do this by typing the following commands
>> /bin/kinit Administrator at WINNET.LOCAL
>> /usr/local/samba/bin/samba-tool user create dhcpduser --description="Unprivileged user for DNS updates via ISC DHCP server"
>> /usr/local/samba/bin/samba-tool user setexpiry dhcpduser --noexpiry
>> /usr/local/samba/bin/samba-tool group addmembers DnsAdmins dhcpduser
>>
>>
>>
>>
>> Gesendet: Freitag, 22. August 2014 um 15:39 Uhr
>> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
>> An: samba at lists.samba.org
>> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>> On 22/08/14 14:34, Markus Roth wrote:
>>> Hi everybody,
>>>
>>> first thanks a lot for all the help. Sorry that all are a little bit confused for me :-( ok, i don't know that i have to decide if i should use sssd ddns or the script from rowland. i thought i Need both. So i decide to take rowlands Skript now. So i would do the following steps for the next test:
>>>
>>> 1. Create the GPO from van Belle below
>>> 2. Set dyndns_update = false in the sssd.conf
>>> 3. check the correct permissions of dhcp sh script
>>> 4. Restart named, sssd, samba4, dhcpd
>>> 5. Restart client1 and analyse the /var/log/message protocoll
>>>
>> Sounds a good plan to me ;-)
>>
>> Rowland
>>
>>
>>
>>> Gesendet: Freitag, 22. August 2014 um 12:39 Uhr
>>> Von: "L.P.H. van Belle" <belle at bazuin.nl>
>>> An: "samba at lists.samba.org" <samba at lists.samba.org>
>>> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>>> this is what needs to be done..
>>>
>>> # FOR USE WITH BIND9_DLZ and dynamic updates
>>> # It should be noted that using this method will affect functionality of windows clients,
>>> # as they will still attempt to update DNS on their own and will be denied permission
>>> # to do so as the record will be owned by the dhcp user.
>>> #
>>> # you'll need a Windows PC with the RSAT tools installed.
>>> # Simply create a dedicated GPO with the Group Policy Editor,
>>> # apply only to OUs that contain workstations
>>> # (so that servers can still update using 'ipconfig /registerdns')
>>> # and configure the following settings:
>>> ###
>>> # Computer Configuration
>>> # Policies
>>> # Administrative Templates
>>> # Network
>>> # DNS Client
>>> # Dynamic Update = Disabled
>>> # Register PTR Records = Disabled
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>>>> Namens steve
>>>> Verzonden: vrijdag 22 augustus 2014 12:13
>>>> Aan: samba at lists.samba.org
>>>> Onderwerp: Re: [Samba] samba4 internal dns Server ddns for the
>>>> reverse lookup Zone
>>>>
>>>> On Fri, 2014-08-22 at 09:47 +0100, Rowland Penny wrote:
>>>>> On 22/08/14 09:30, steve wrote:
>>>>>> On Fri, 2014-08-22 at 09:54 +0200, Markus Roth wrote:
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>> oh no :-) Sicne you gave me the tip for sssd, i use it.
>>>> The interessting thing is that since i have sssd my server1 is
>>>> also doing ddns updates. Before sssd it didn't. And the ddns
>>>> update from my server1 is without any denied messages (server1
>>>> has the static IP 192.168.178.130). My client1 windows7 brings
>>>> first the denied message with a static ip and then it's doing
>>>> the updates. And at this point i thougt you said my configs
>>>> are ok, or the best i can get with static IPs :-)
>>>>>>> So i started to implement dhcp for my further tests
>>>> before i go to productive use. So now i have the problem with
>>>> dhcp i get the exit 256 message and than the denied message
>>> >from my client1 again. It seems that my client is doing the
>>>> ddns updates instead the script in the dhcp-config. :-) But i
>>>> don't know why. I think the exit 256 message is the problem.
>>>> My dhcpd-user has rw rights on the sh-script and recursive on
>>>> /etc/dhcp and now the sh-script is under /usr/local/sbin as
>>>> rowland said.
>>>>>>> In the dyndns.log from the sh-script it says every time
>>>> that no dhcp-user exists and that the script would generate one.
>>>>>> Hi Markus,
>>>>>> As we see it, you use either Rowland's dhcp
>>>> direct-inject-on-dc script
>>>>>> and turn off ddns on your clients or you use sssd on Linux
>>>> and allow the
>>>>>> window clients to send their own ddns requests. If the latter, you
>>>>>> disable ddns updates if you run sssd on the DC.
>>>>>> @Rowland Is this what we are taking about here?
>>>>>> Cheers and sorry about the confusion,
>>>>> Your confused, I think just about everybody is confused here ;-)
>>>>>
>>>>> And yes, you can only use one, either get sssd to update the
>>>> forward and
>>>>> reverse zones OR use the setup I use. You cannot use both.
>>>>>
>>>>> Rowland
>>>> Perfect. OK then. So the OP needs to:
>>>> 1. Decide which way to go. AND TELL US! Let's assume he goes with
>>>> Rowland's dhcp-ddns script on the DC. So,
>>>> 2. Disable ddns. Is this it?
>>>> http://support.microsoft.com/kb/816592
>>>> 3. Disable ddns updates from sssd on the DC and the Linux cleints in
>>>> sssd.conf:
>>>> dyndns_update=false
>>>> HTH
>>>> Steve
>>>>
>>>>
>>>>>> Steve
>>>>>>
>>>>>>> Gesendet: Freitag, 22. August 2014 um 01:01 Uhr
>>>>>>> Von: steve <steve at steve-ss.com>
>>>>>>> An: samba at lists.samba.org
>>>>>>> Betreff: Re: [Samba] samba4 internal dns Server ddns for
>>>> the reverse lookup Zone
>>>>>>> On Fri, 2014-08-22 at 00:19 +0200, Markus Roth wrote:
>>>>>>>
>>>>>>>> Yes I'm running sssd.conf with the dns update:
>>>>>>>>
>>>>>>>> [sssd]
>>>>>>>> services = nss, pam
>>>>>>>> config_file_version = 2
>>>>>>>> domains = winnet.local
>>>>>>>> [nss]
>>>>>>>> [pam]
>>>>>>>> [domain/winnet.local]
>>>>>>>> id_provider = ad
>>>>>>>> auth_provider = ad
>>>>>>>> access_provider = ad
>>>>>>>> ldap_id_mapping = False
>>>>>>>> dyndns_update = True
>>>>>>>>
>>>>>>>> my /etc/krb5.keytab was generatet with the --principal server1$
>>>>>>>>
>>>>>>> I'm confused then. I thought you'd given up with sssd...
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]]]]
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]]]]
>>>>
>>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]]]]
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]]]
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]]

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]


More information about the samba mailing list