[Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Rowland Penny
rowlandpenny at googlemail.com
Sun Aug 24 13:47:39 MDT 2014
On 24/08/14 20:26, Markus Roth wrote:
> Hi Rowland,
>
> A)
> Hmm, that sounds strange. I deleted the account and created it again with the Windows RSAT tool instead of the samba command.
> But the user is not in /etc/passwd (I think getent passwd reads /etc/passwd?). Do I have to configure something special?
The user shouldn't be in /etc/passwd, you should only have local users
in there. If you are running an S4 AD DC, you do not need any local users
over and above the ones the install creates, or if a package creates a user.
Over on the wiki, on this page:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Installing_Samba
You will find this:
Make domain users/groups available locally through Winbind
To have your domain users and groups available locally on your Member
Server, you need to place two links in your /lib64 folder:
# ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
# ldconfig
If you are running a 32-bit system ("uname -i" will return "i686"), you
have to use /lib instead!
The final step of the configuration is to add 'winbind' to the 'passwd'
and 'group' entry of your /etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
You need to do the above to get winbind to work if you compile samba
yourself.
NOTE to Marc: could you please put this back on the Samba AD DC Howto page.
> I compiled samba 4.1.11 by my own with:
Excuse me, but as an aside, would you by any chance be German?
>
> 1. ./configure --enable-debug --enable-selftest
You do not need '--enable-debug --enable-selftest' anymore
> 2. make
> 3. make install
> 4. samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
> 4.1 Here I chose my winnet.local as the realm and domain name, then the option dc and then bind9_dlz
>
> Did I forget anything else?
No
>
> B)
> ok :-)
>
> C)
> OK, I'll change that :-)
>
>
> Sent: Sunday, 24 August 2014 at 20:29
> From: "Rowland Penny" <rowlandpenny at googlemail.com>
> To: No recipient
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> On 24/08/14 18:45, Markus Roth wrote:
>> Hi Rowland,
>>
>> Now I'm confused again :-)
> OK, let's see if we can de-confuse you ;-)
>> A)
>> getent passwd gives me the Linux users, but my dhcpduser is only in Active Directory from samba4.
>> From getent passwd I get the user from my dhcp daemon:
>>
>> dhcpd:x:177:177:DHCP server:/:/sbin/nologin
> This is where your problems start: if I run 'getent passwd' on the S4 AD
> DC, I get (amongst others):
>
> EXAMPLE\dhcpduser:*:3000018:10000::/home/EXAMPLE/dhcpduser:/bin/bash
>
> '3000018' is the xidNumber for 'dhcpduser' from idmap.ldb
>
> You need to investigate why running 'getent passwd' on the S4 AD DC (you
> are doing this on the DC, aren't you?) does not show you dhcpduser
>
>> B)
>> here i get:
>>
>> /bin/getent
> Good.
>
>> C)
>> here i get:
>>
>> alias grep='grep --color=auto'
>> /bin/grep
>>
>>
> Not so good, I just get '/bin/grep'
>
> In the short term, change this in the script:
>
> CMDGREP="$(which grep)"
>
> To:
>
> CMDGREP="/bin/grep"
>
> I will have to think about how to get round this problem properly; this will
> probably involve checking what OS the script is running on and
> setting the commands accordingly.
>
> Rowland
>
>> Sent: Sunday, 24 August 2014 at 19:29
>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>> To: No recipient
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>> On 24/08/14 18:15, Markus Roth wrote:
>>> Hi everybody,
>>>
>>> I've done the steps below but it always says the exit 256 message. The sh script has the x access for owner, group and others. So I don't think it's a permission problem. What does exit 256 exactly mean? Could it be that I must change some things for CentOS? Sorry, I'm no expert in scripting :-(
>>>
>>> -rwxrwx--x 1 dhcpd root 6375 24. Aug 17:59 dhcp-dyndns.sh
>>>
>>> /var/log/messages says:
>>>
>>> Aug 24 15:55:40 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
>>> Aug 24 15:56:02 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
>>> Aug 24 15:56:02 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
>>> Aug 24 15:56:02 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
>>> Aug 24 15:56:05 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
>>> Aug 24 15:56:05 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
>>> Aug 24 15:56:05 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
>>> Aug 24 15:56:11 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
>>>
>>> /etc/dhcp/dyndns.log says:
>>>
>>> No dhcp user exists, need to create it first.. exiting.
>> OK, the above line is coming from the script, so this is failing:
>>
>> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
>> if [ -z "${TESTUSER}" ]; then
>>     echo "No dhcp user exists, need to create it first.. exiting."
>>     exit 1
>> fi
>>
>> So:
>>
>> A) What does 'getent passwd' show, is dhcpduser there?
>> B) Does 'which getent' return anything and if so what?
>> C) Does 'which grep' return anything and if so what?
>>
>> Let's go from there.
>>
>> Rowland
>>
>>> You can do this by typing the following commands:
>>> /bin/kinit Administrator@WINNET.LOCAL
>>> /usr/local/samba/bin/samba-tool user create dhcpduser --description="Unprivileged user for DNS updates via ISC DHCP server"
>>> /usr/local/samba/bin/samba-tool user setexpiry dhcpduser --noexpiry
>>> /usr/local/samba/bin/samba-tool group addmembers DnsAdmins dhcpduser
>>>
>>>
>>>
>>>
>>> Sent: Friday, 22 August 2014 at 15:39
>>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>>> On 22/08/14 14:34, Markus Roth wrote:
>>>> Hi everybody,
>>>>
>>>> First, thanks a lot for all the help. Sorry that everyone is a little bit confused because of me :-( OK, I didn't know that I have to decide whether I should use sssd ddns or the script from Rowland. I thought I need both. So I decided to take Rowland's script now. So I would do the following steps for the next test:
>>>>
>>>> 1. Create the GPO from van Belle below
>>>> 2. Set dyndns_update = false in the sssd.conf
>>>> 3. Check the correct permissions of the dhcp sh script
>>>> 4. Restart named, sssd, samba4, dhcpd
>>>> 5. Restart client1 and analyse the /var/log/messages log
>>>>
>>> Sounds like a good plan to me ;-)
>>>
>>> Rowland
>>>
>>>
>>>
>>>> Sent: Friday, 22 August 2014 at 12:39
>>>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>>>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>>>> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>>>> This is what needs to be done:
>>>>
>>>> # FOR USE WITH BIND9_DLZ and dynamic updates
>>>> # It should be noted that using this method will affect functionality of Windows clients,
>>>> # as they will still attempt to update DNS on their own and will be denied permission
>>>> # to do so as the record will be owned by the dhcp user.
>>>> #
>>>> # you'll need a Windows PC with the RSAT tools installed.
>>>> # Simply create a dedicated GPO with the Group Policy Editor,
>>>> # apply only to OUs that contain workstations
>>>> # (so that servers can still update using 'ipconfig /registerdns')
>>>> # and configure the following settings:
>>>> ###
>>>> # Computer Configuration
>>>> # Policies
>>>> # Administrative Templates
>>>> # Network
>>>> # DNS Client
>>>> # Dynamic Update = Disabled
>>>> # Register PTR Records = Disabled
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>>>>> On behalf of steve
>>>>> Sent: Friday, 22 August 2014 12:13
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] samba4 internal dns Server ddns for the
>>>>> reverse lookup Zone
>>>>>
>>>>> On Fri, 2014-08-22 at 09:47 +0100, Rowland Penny wrote:
>>>>>> On 22/08/14 09:30, steve wrote:
>>>>>>> On Fri, 2014-08-22 at 09:54 +0200, Markus Roth wrote:
>>>>>>>> Hi Steve,
>>>>>>>>
>>>>>>>> Oh no :-) Since you gave me the tip for sssd, I use it.
>>>>>>>> The interesting thing is that since I have sssd my server1 is
>>>>>>>> also doing ddns updates. Before sssd it didn't. And the ddns
>>>>>>>> update from my server1 is without any denied messages (server1
>>>>>>>> has the static IP 192.168.178.130). My client1 Windows 7 brings
>>>>>>>> first the denied message with a static IP and then it's doing
>>>>>>>> the updates. And at this point I thought you said my configs
>>>>>>>> are OK, or the best I can get with static IPs :-)
>>>>>>>> So I started to implement dhcp for my further tests
>>>>>>>> before I go to productive use. So now I have the problem with
>>>>>>>> dhcp: I get the exit 256 message and then the denied message
>>>>>>>> from my client1 again. It seems that my client is doing the
>>>>>>>> ddns updates instead of the script in the dhcp config. :-) But I
>>>>>>>> don't know why. I think the exit 256 message is the problem.
>>>>>>>> My dhcpd user has rw rights on the sh script and recursive on
>>>>>>>> /etc/dhcp and now the sh script is under /usr/local/sbin as
>>>>>>>> Rowland said.
>>>>>>>> In the dyndns.log from the sh script it says every time
>>>>>>>> that no dhcp user exists and that the script would generate one.
>>>>>>> Hi Markus,
>>>>>>> As we see it, you use either Rowland's dhcp direct-inject-on-dc script
>>>>>>> and turn off ddns on your clients or you use sssd on Linux and allow the
>>>>>>> Windows clients to send their own ddns requests. If the latter, you
>>>>>>> disable ddns updates if you run sssd on the DC.
>>>>>>> @Rowland Is this what we are talking about here?
>>>>>>> Cheers and sorry about the confusion,
>>>>>> You're confused, I think just about everybody is confused here ;-)
>>>>>>
>>>>>> And yes, you can only use one, either get sssd to update the forward and
>>>>>> reverse zones OR use the setup I use. You cannot use both.
>>>>>>
>>>>>> Rowland
>>>>> Perfect. OK then. So the OP needs to:
>>>>> 1. Decide which way to go. AND TELL US! Let's assume he goes with
>>>>> Rowland's dhcp-ddns script on the DC. So,
>>>>> 2. Disable ddns. Is this it?
>>>>> http://support.microsoft.com/kb/816592
>>>>> 3. Disable ddns updates from sssd on the DC and the Linux clients in
>>>>> sssd.conf:
>>>>> dyndns_update=false
>>>>> HTH
>>>>> Steve
>>>>>
>>>>>
>>>>>>> Steve
>>>>>>>
>>>>>>>> Sent: Friday, 22 August 2014 at 01:01
>>>>>>>> From: steve <steve at steve-ss.com>
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] samba4 internal dns Server ddns for
>>>>>>>> the reverse lookup Zone
>>>>>>>> On Fri, 2014-08-22 at 00:19 +0200, Markus Roth wrote:
>>>>>>>>
>>>>>>>>> Yes I'm running sssd.conf with the dns update:
>>>>>>>>>
>>>>>>>>> [sssd]
>>>>>>>>> services = nss, pam
>>>>>>>>> config_file_version = 2
>>>>>>>>> domains = winnet.local
>>>>>>>>> [nss]
>>>>>>>>> [pam]
>>>>>>>>> [domain/winnet.local]
>>>>>>>>> id_provider = ad
>>>>>>>>> auth_provider = ad
>>>>>>>>> access_provider = ad
>>>>>>>>> ldap_id_mapping = False
>>>>>>>>> dyndns_update = True
>>>>>>>>>
>>>>>>>>> my /etc/krb5.keytab was generated with the --principal server1$
>>>>>>>>>
>>>>>>>> I'm confused then. I thought you'd given up with sssd...
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
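The two checks this thread keeps tripping over, 'which grep' returning an alias line on CentOS and 'getent passwd | grep "$user"' matching more than the user name, written the safer way as an added example; this is not Rowland's dhcp-dyndns.sh and not from any of the mails, and the passwd lines below are constructed (the domain-prefixed line mirrors the EXAMPLE\dhcpduser form quoted above).

```shell
#!/bin/sh
# Added example, not Rowland's dhcp-dyndns.sh: safer versions of the two
# lookups the thread quotes, in POSIX sh.

# 1. Locate a command without 'which'. On CentOS 'which' is itself an alias
#    that also prints "alias grep='grep --color=auto'", which is why
#    CMDGREP="$(which grep)" produced two lines. 'command -v' is POSIX and,
#    in a non-interactive script, reports only the executable's path.
find_cmd() {
    _path=$(command -v "$1" 2>/dev/null) || return 1
    case "$_path" in
        /*) printf '%s\n' "$_path" ;;   # absolute path to a real binary
        *)  return 1 ;;                 # builtin, function or alias: reject
    esac
}

# 2. Test for a user by exact name. 'getent passwd | grep "$name"' matches
#    substrings and GECOS text; this compares field 1 only, after dropping
#    an optional "DOMAIN\" prefix such as the EXAMPLE\dhcpduser line that
#    winbind prints on an S4 AD DC. Reads passwd-format lines from stdin.
passwd_has_user() {
    awk -F: -v want="$1" '
        { name = $1; i = index(name, "\\")
          if (i) name = substr(name, i + 1)
          if (name == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Wrapper matching how the script would call it on a live system.
dhcp_user_exists() {
    getent passwd | passwd_has_user "$1"
}

# Constructed sample of 'getent passwd' output on a DC (not real data).
SAMPLE_PASSWD='dhcpd:x:177:177:DHCP server:/:/sbin/nologin
EXAMPLE\dhcpduser:*:3000018:10000::/home/EXAMPLE/dhcpduser:/bin/bash
bob:x:1000:1000:former dhcpduser owner:/home/bob:/bin/bash'

# Note: dhcpd logs the raw wait(2) status, so "exit status 256" in
# /var/log/messages is the script exiting with code 1 (256 >> 8), i.e. the
# "No dhcp user exists" branch, not a permission problem.
```

Run on a live DC, `dhcp_user_exists dhcpduser` returns 0 only when field 1 (minus any DOMAIN\ prefix) is exactly dhcpduser, so a missing winbind NSS entry fails loudly instead of being masked by a substring hit.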