[Samba] sernet documentation

Mark Foley mfoley at novatec-inc.com
Wed Aug 26 21:56:40 UTC 2015


I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
for many months now in a production environment and it works just fine.  There
are a few tweaks here and there to get bind/dhcp to play nicely with Samba ... 

Note, conf file locations are Slackware, but you'll know where the same thing
goes in your distro.  In the examples below, my Domain IP range is
192.168.0.0/24.  My AD/DC (also DNS and DHCP server and router) is 192.168.0.2. 
My domain name is hprs.local. 

First off, I provisioned my Samba as follows:

$ samba-tool domain provision --use-rfc2307 \
  --server-role='dc' --realm=hprs.local --domain=HPRS \
  --adminpass='password' --dns-backend=BIND9_FLATFILE \
  --option="interfaces=lo eth1" --option="bind interfaces only=yes"


In the standard /etc/named.conf, in the option section you need:

----------snip-----------
options {

        forwarders {   // These are the ISP provided name servers
            66.193.88.3;
            66.192.88.4;
        };

        allow-query {        // Permit querying by others in the domain
            192.168.0.0/24;
            127.0.0.1;
        };
};
----------un-snip-----------

I've kept my local zone files defined in this named.conf:

----------snip-----------
zone "localhost" IN {
        type master;
        file "/var/named/db.local";
};

zone "127.in-addr.arpa" IN {
        type master;
        file "/var/named/db.127";
};
----------un-snip-----------

but now I reference Samba's config files for the domain stuff:

----------snip-----------
include "/etc/samba/private/named.conf";
----------un-snip-----------

Complete /etc/named.conf file:

----------snip-----------
options {
//      directory "/var/named";

        forwarders {            // These are the ISP provided name servers
            209.18.47.61;
            209.18.47.62;
        };

        allow-query {           // Permit querying by others in the domain
            192.168.0.0/24;
            127.0.0.1;
        };
};

zone "localhost" IN {
        type master;
        file "/var/named/db.local";
};

zone "127.in-addr.arpa" IN {
        type master;
        file "/var/named/db.127";
};

include "/etc/samba/private/named.conf";
----------un-snip-----------

The samba-tool provisioning step will have created the referenced
/etc/samba/private/named.conf file.  Listed below is this file with my changes. 

I've commented out line 15. 

More importantly, the domain Windows workstations will want to update the zone
files via Samba.  If they cannot, you will continuously get the syslog message:

syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied

Hence the "allow-update" in lines 8 and 25.

Finally, I've added the "optional" reverse zone in lines 23-26.

----------snip-----------
 1  # This file should be included in your main BIND configuration file
 2  #
 3  # For example with
 4  # include "/etc/samba/private/named.conf";
 5       
 6  zone "hprs.local." IN {
 7      type master;
 8      allow-update { 192.168.0.0/24; 127.0.0.1; };           // local DHCP server
 9      file "/etc/samba/private/dns/hprs.local.zone";
10   /*
11    * the list of principals and what they can change is created
12    * dynamically by Samba, based on the membership of the domain controllers
13    * group. The provision just creates this file as an empty file.
14    */
15  #       include "/etc/samba/private/named.conf.update";
16  
17   /* we need to use check-names ignore so _msdcs A records can be created */
18   check-names ignore;
19  };
20  
21  # The reverse zone configuration is optional.
22  
23  zone "0.168.192.in-addr.arpa" in {
24      type master;
25      allow-update { 192.168.0.0/24; 127.0.0.1; };           // local DHCP server
26      file "/etc/samba/private/dns/db.192.168.0";
27  };
28  
29  # Note that the reverse zone file is not created during the provision process.
30  
31  # The most recent BIND versions (9.8 or later) support secure GSS-TSIG
32  # updates.  If you are running an earlier version of BIND, or if you do not wish
33  # to use secure GSS-TSIG updates, you may remove the update-policy sections in
34  # both examples above.
----------un-snip-----------

For DNS, that's about it. I hand-tweaked a few things in the samba-tool
provisioned zone files to change the hostmaster email address and the various
refresh, retry, etc. timers. I'll not post those unless you need them because
they can be fairly lengthy. Except, you mentioned static IP. As an example, I
just added the following to my /etc/samba/private/dns/hprs.local.zone file:

$TTL 3600       ; 1 hour
vaio                    A       192.168.0.102

Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.

For DHCP, I've simply added the following to my dhcpd.conf. All these are
important, but the first 4 are needed for Samba to be able to update leases on
behalf of clients.

----------snip-----------
ddns-updates on;
update-static-leases on;
allow unknown-clients;  # default, deprecated (man dhcpd.conf)
ignore client-updates;  # see https://www.centos.org/forums/viewtopic.php?t=29256, man dhcpd.conf: ignore client-updates
ddns-update-style interim;

zone hprs.local. { primary 192.168.0.2; }
zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.2;
    range 192.168.0.100 192.168.0.254;
    option domain-name-servers 192.168.0.2;
    option domain-name "hprs.local";
    ddns-domainname = "hprs.local.";
    ddns-rev-domainname = "in-addr.arpa.";
}

# Example of DHCP static IP (dhcpd.conf comments start with '#', not '//')

host ricoh {
    hardware ethernet 00:26:73:55:63:AB;
    fixed-address 192.168.0.20;
}
----------un-snip-----------

This all works just fine.  I've routed my log messages for DNS and DHCPD to
their own file (not shown) and I can tail -f this file and see REQUESTs and ACKs
scrolling by in fine style. 

Not to put too much in one message, but I had to do the following on each Windows
workstation (command line) to get time to synchronize with ntpd where "mail" is
the hostname of my AD/DC and domain time server:

w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
w32tm /config /update

reference: https://www.meinbergglobal.com/english/info/ntp-w32time.htm

Hope this helps

--Mark

-----Original Message-----
> Date: Wed, 26 Aug 2015 21:28:55 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: Robert Moskowitz <rgm at htt-consult.com>, samba at lists.samba.org
> Subject: Re: [Samba] sernet documentation
>
> On 26/08/15 21:07, Robert Moskowitz wrote:
> >
> >
> > On 08/26/2015 03:50 PM, Rowland Penny wrote:
> >> On 26/08/15 20:39, Robert Moskowitz wrote:
> >>>
> >>>
> >>> On 08/26/2015 03:26 PM, Rowland Penny wrote:
> >>>> On 26/08/15 20:14, Robert Moskowitz wrote:
> >>>>> One of the Centos 7 arm developers built the sernet 4.2 for me to 
> >>>>> start testing.
> >>>>>
> >>>>> http://repo.shivaserv.fr/centos/7/shivaserv-sernet.repo
> >>>>>
> >>>>> and
> >>>>>
> >>>>> http://repo.shivaserv.fr/centos/7/sernet/armv7hl/
> >>>>>
> >>>>> Since these were built on qemu, not requiring specific armv7 
> >>>>> hardware, Perhaps at some point they can be adopted by Sernet. But 
> >>>>> for now, how to test....
> >>>>>
> >>>>> I don't see any specific Sernet documentation.  Like what is here 
> >>>>> and how to set it up, perhaps different, from generic Samba 4.
> >>>>>
> >>>>> I searched the sernet web site and this list and came up empty, 
> >>>>> but my search foo is weak.
> >>>>>
> >>>>> thanks
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>> If Sernet just built samba for ARM, I do not think that it should 
> >>>> be any different to set up, so just follow the relevant 
> >>>> documentation on the samba wiki:
> >>>>
> >>>> https://wiki.samba.org/index.php/Main_Page
> >>>
> >>> I was thinking that PERHAPS the sernet build could have specific 
> >>> configs for BIND and DHCP at the least.  Unless Samba has already 
> >>> included these.  For things like DYNDNS.
> >>>
> >>
> >> Could you be a bit more specific, you can use Bind with samba4 but it 
> >> is up to the sysadmin to set this up, though there is a page on the 
> >> samba wiki. DHCP, again the sysadmin will have to set this, but there 
> >> is not much on the wiki about this, but if all else fails, I can help 
> >> with this. Finally, I don't see where DYNDNS comes in here.
> >
> > Plowing through the wiki...
> >
> > I see where if I use the internal DNS provided, I will have to set up 
> > a forwarder.  No problem, I have done that a lot.  But I plan on using 
> > a private tld, htt. and the zone home.htt.  I want these zones known 
> > to other systems on my network, so I want to slave them to my main DNS 
> > internal servers (I actually have a production and 2 distinct test DNS 
> > servers).  Perhaps I will find in the wiki how to do this, or find my 
> > old notes.
> >
> > Are workstations assigned DNS entries when they get their DHCP lease?  
> > So that 'den' becomes den.home.htt and diningroom becomes 
> > diningroom.home.htt?  That is what I would think DYNDNS would be 
> > doing.  Of course the file servers, nevia and vega would be 
> > nevia.home.htt and vega.home.htt?  But since these are statically 
> > assigned, again, I am assuming there are ways to get them into the 
> > internal DNS.
>
> Unless things have changed, DHCP doesn't work with the samba internal 
> DNS server, it does however work with the Bind9 DNS server, I have been 
> using it since Dec 2012 on my home network 192.168.0.0/24 with the 
> domain name of home.lan. To get the domain name applied to the clients, 
> you just have to set them to ask for it and the DHCP to send it. As for 
> the static clients, you can use samba-tool to add these.
>
> >
> > Finally I am testing on one RFC1918 subnet (check out the authors of 
> > 1918) and then will move all the servers to another one.  What will I 
> > need to do for this migration?
> >
>
> What do you need to migrate? If you set the first DC in a domain and 
> then add another DC, all the AD database will be replicated to it.
>
> Rowland
>
> PS: you wouldn't be the B. Moskowitz from RFC would you ? (if you are, 
> sorry but until this post, I had never heard of you :-)     )
>
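An added check, written for this thread and not taken from the post or from Samba: a Python audit that parses the zone blocks of a named.conf like the one Mark posted and reports which zones accept dynamic updates and from whom, separating the source-address `allow-update` ACL used in the post from the GSS-TSIG `update-policy` that the commented-out `named.conf.update` include would have supplied. The sample named.conf inside is constructed from the post's two zone blocks; the zone names and paths are those from the post.

```python
import re

# Constructed sample (not the author's real file): the post's two zone blocks
# after the author's edits, with the GSS-TSIG include left commented out.
SAMPLE_NAMED_CONF = """\
zone "hprs.local." IN {
    type master;
    allow-update { 192.168.0.0/24; 127.0.0.1; };           // local DHCP server
    file "/etc/samba/private/dns/hprs.local.zone";
#       include "/etc/samba/private/named.conf.update";
    check-names ignore;
};
zone "0.168.192.in-addr.arpa" in {
    type master;
    allow-update { 192.168.0.0/24; 127.0.0.1; };
    file "/etc/samba/private/dns/db.192.168.0";
};
"""

def strip_comments(text):
    """Drop all three named.conf comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def zone_blocks(conf):
    """Yield (zone, body), matching braces so nested ACL blocks stay in the body."""
    text = strip_comments(conf)
    for m in re.finditer(r'zone\s+"([^"]+)"', text, re.I):
        start = text.index("{", m.end())
        depth, i = 0, start
        while i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            if depth == 0:
                break
            i += 1
        yield m.group(1).rstrip("."), text[start + 1:i]

def audit_updates(conf):
    """Map each zone to who is allowed to push dynamic updates into it."""
    report = {}
    for zone, body in zone_blocks(conf):
        acl = re.search(r"allow-update\s*\{([^}]*)\}", body)
        if re.search(r"\bupdate-policy\b", body):
            report[zone] = "update-policy: signed (GSS-TSIG) updates only"
        elif acl:
            who = [a.strip() for a in acl.group(1).split(";") if a.strip()]
            report[zone] = "allow-update by source address: " + " ".join(who)
        else:
            report[zone] = "no dynamic updates accepted"
    return report
```

Run `audit_updates(SAMPLE_NAMED_CONF)` to see that, as configured in the post, any host in 192.168.0.0/24 may rewrite both zones; a zone carrying `update-policy` instead is reported as accepting signed updates only.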
