[Samba] sernet documentation
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 27 06:37:42 UTC 2015
One thing nobody seems to mention.
This setup samba 4 + bind9_flatfile setup works ok.. BUT
If you add a new DC, you will run into problems..
bind9_flatfile setup is NOT a multi master replication setup.
OK for 1 DC, but if you use more DCs, make sure you make your changes on the first DC.
setup a bind master/slave.. and for a dhcp server with failover setup,
which works also with samba4, but with restrictions.
If you need something like this I need to dig in my archive of setups..
I did it more than a year ago, and my advice to Mark is, setup bind9_DLZ.
Much more flexible, and most important the multimaster replication.
which you really want..
when you provision.. --realm=hprs.local... DON'T use .local.
this is a reserved name for Apple's mDNS (zeroconf),
yes it does work, but better not. ( same for .lan )
>> Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
>> these static IP to the zone file. Otherwise, they seem to get clobbered/removed.
Then you did something wrong, or you did not use the correct programs to add it,
like samba-tool, or you did not freeze the zone first.
When you run in bind9_flatfile, do not manually change the zonefiles used by samba.
Greetz,
Louis
>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Thursday 27 August 2015 00:05
>To: samba at lists.samba.org
>Subject: Re: [Samba] sernet documentation
>
>On 26/08/15 22:56, Mark Foley wrote:
>> I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
>> for many months now in a production environment and it works just fine. There
>> are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
>>
>> Note, conf file locations are Slackware, but you'll know where the same thing
>> goes in your distro. In the examples below, my Domain IP range is
>> 192.168.0.0/24. My AD/DC (also DNS and DHCP server and router) is 192.168.0.2.
>> My domain name is hprs.local.
>>
>> First off, I provisioned my Samba as follows:
>>
>> $ samba-tool domain provision --use-rfc2307 \
>> --server-role='dc' --realm=hprs.local --domain=HPRS \
>> --adminpass='password' --dns-backend=BIND9_FLATFILE \
>> --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>>
>>
>> In the standard /etc/named.conf, in the option section you need:
>>
>> ----------snip-----------
>> options {
>>
>> forwarders { // These are the ISP provided name servers
>> 66.193.88.3;
>> 66.192.88.4;
>> };
>>
>> allow-query { // Permit querying by others in the domain
>> 192.168.0.0/24;
>> 127.0.0.1;
>> };
>> };
>> ----------un-snip-----------
>>
>> I've kept my local zone files defined in this named.conf:
>>
>> ----------snip-----------
>> zone "localhost" IN {
>> type master;
>> file "/var/named/db.local";
>> };
>>
>> zone "127.in-addr.arpa" IN {
>> type master;
>> file "/var/named/db.127";
>> };
>> ----------un-snip-----------
>>
>> but now I reference Samba's config files for the domain stuff:
>>
>> ----------snip-----------
>> include "/etc/samba/private/named.conf";
>> ----------un-snip-----------
>>
>> Complete /etc/named.conf file:
>>
>> ----------snip-----------
>> options {
>> // directory "/var/named";
>>
>> forwarders { // These are the ISP provided name servers
>> 209.18.47.61;
>> 209.18.47.62;
>> };
>>
>> allow-query { // Permit querying by others in the domain
>> 192.168.0.0/24;
>> 127.0.0.1;
>> };
>> };
>>
>> zone "localhost" IN {
>> type master;
>> file "/var/named/db.local";
>> };
>>
>> zone "127.in-addr.arpa" IN {
>> type master;
>> file "/var/named/db.127";
>> };
>>
>> include "/etc/samba/private/named.conf";
>> ----------un-snip-----------
>>
>> The samba-tool provisioning step will have created the referenced
>> /etc/samba/private/named.conf file. Listed below is this file with my changes.
>>
>> I've commented out line 15.
>>
>> More importantly, the domain Windows workstations will want to update the zone
>> files via Samba. If they cannot, you will continuously get the syslog message:
>>
>> syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
>>
>> Hence the "allow-update" in lines 8 and 25.
>>
>> Finally, I've added the "optional" reverse zone in lines 23-26.
>>
>> ----------snip-----------
>> 1 # This file should be included in your main BIND configuration file
>> 2 #
>> 3 # For example with
>> 4 # include "/etc/samba/private/named.conf";
>> 5
>> 6 zone "hprs.local." IN {
>> 7 type master;
>> 8 allow-update { 192.168.0.0/24; 127.0.0.1; }; // local DHCP server
>> 9 file "/etc/samba/private/dns/hprs.local.zone";
>> 10 /*
>> 11 * the list of principals and what they can change is created
>> 12 * dynamically by Samba, based on the membership of the domain controllers
>> 13 * group. The provision just creates this file as an empty file.
>> 14 */
>> 15 # include "/etc/samba/private/named.conf.update";
>> 16
>> 17 /* we need to use check-names ignore so _msdcs A records can be created */
>> 18 check-names ignore;
>> 19 };
>> 20
>> 21 # The reverse zone configuration is optional.
>> 22
>> 23 zone "0.168.192.in-addr.arpa" in {
>> 24 type master;
>> 25 allow-update { 192.168.0.0/24; 127.0.0.1; }; // local DHCP server
>> 26 file "/etc/samba/private/dns/db.192.168.0";
>> 27 };
>> 28
>> 29 # Note that the reverse zone file is not created during the provision process.
>> 30
>> 31 # The most recent BIND versions (9.8 or later) support secure GSS-TSIG
>> 32 # updates. If you are running an earlier version of BIND, or if you do not wish
>> 33 # to use secure GSS-TSIG updates, you may remove the update-policy sections in
>> 34 # both examples above.
>> ----------un-snip-----------
>>
>> For DNS, that's about it. I hand-tweaked a few things in the samba-tool
>> provisioned zone files to change the hostmaster email address and the various
>> refresh, retry, etc. timers. I'll not post those unless you need them because
>> they can be fairly lengthy. Except, you mentioned static IP. As an example, I
>> just added the following to my /etc/samba/private/dns/hprs.local.zone file:
>>
>> $TTL 3600 ; 1 hour
>> vaio A 192.168.0.102
>>
>> Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
>> these static IP to the zone file. Otherwise, they seem to get clobbered/removed.
>>
>> For DHCP, I've simply added the following to my dhcpd.conf. All these are
>> important, but the first 4 are needed for Samba to be able to update leases on
>> behalf of clients.
>>
>> ----------snip-----------
>> ddns-updates on;
>> update-static-leases on;
>> allow unknown-clients; # default, deprecated (man dhcpd.conf)
>> ignore client-updates; # see https://www.centos.org/forums/viewtopic.php?t=29256, man dhcpd.conf: ignore client-updates
>> ddns-update-style interim;
>>
>> zone hprs.local. { primary 192.168.0.2; }
>> zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }
>>
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>> option routers 192.168.0.2;
>> range 192.168.0.100 192.168.0.254;
>> option domain-name-servers 192.168.0.2;
>> option domain-name "hprs.local";
>> ddns-domainname = "hprs.local.";
>> ddns-rev-domainname = "in-addr.arpa.";
>> }
>>
>> // Example of DHCP static IP
>>
>> host ricoh {
>> hardware ethernet 00:26:73:55:63:AB;
>> fixed-address 192.168.0.20;
>> }
>> ----------un-snip-----------
>>
>> This all works just fine. I've routed my log messages for DNS and DHCPD to
>> their own file (not shown) and I can tail -f this file and see REQUESTs and ACKs
>> scrolling by in fine style.
>>
>> Not to put too much in one message, but I had to do the following on each Windows
>> workstation (command line) to get time to synchronize with ntpd where "mail" is
>> the hostname of my AD/DC and domain time server:
>>
>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>> w32tm /config /update
>>
>> reference: https://www.meinbergglobal.com/english/info/ntp-w32time.htm
>>
>> Hope this helps
>>
>> --Mark
>>
>> -----Original Message-----
>>> Date: Wed, 26 Aug 2015 21:28:55 +0100
>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>> To: Robert Moskowitz <rgm at htt-consult.com>, samba at lists.samba.org
>>> Subject: Re: [Samba] sernet documentation
>>>
>>> On 26/08/15 21:07, Robert Moskowitz wrote:
>>>>
>>>> On 08/26/2015 03:50 PM, Rowland Penny wrote:
>>>>> On 26/08/15 20:39, Robert Moskowitz wrote:
>>>>>>
>>>>>> On 08/26/2015 03:26 PM, Rowland Penny wrote:
>>>>>>> On 26/08/15 20:14, Robert Moskowitz wrote:
>>>>>>>> One of the Centos 7 arm developers built the sernet 4.2 for me to
>>>>>>>> start testing.
>>>>>>>>
>>>>>>>> http://repo.shivaserv.fr/centos/7/shivaserv-sernet.repo
>>>>>>>>
>>>>>>>> and
>>>>>>>>
>>>>>>>> http://repo.shivaserv.fr/centos/7/sernet/armv7hl/
>>>>>>>>
>>>>>>>> Since these were built on qemu, not requiring specific armv7
>>>>>>>> hardware, perhaps at some point they can be adopted by Sernet. But
>>>>>>>> for now, how to test....
>>>>>>>>
>>>>>>>> I don't see any specific Sernet documentation. Like what is here
>>>>>>>> and how to set it up, perhaps different, from generic Samba 4.
>>>>>>>>
>>>>>>>> I searched the sernet web site and this list and came up empty,
>>>>>>>> but my search foo is weak.
>>>>>>>>
>>>>>>>> thanks
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> If Sernet just built samba for ARM, I do not think that it should
>>>>>>> be any different to set up, so just follow the relevant
>>>>>>> documentation on the samba wiki:
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Main_Page
>>>>>> I was thinking that PERHAPS the sernet build could have specific
>>>>>> configs for BIND and DHCP at the least. Unless Samba has already
>>>>>> included these. For things like DYNDNS.
>>>>>>
>>>>> Could you be a bit more specific, you can use Bind with samba4 but it
>>>>> is up to the sysadmin to set this up, though there is a page on the
>>>>> samba wiki. DHCP, again the sysadmin will have to set this, but there
>>>>> is not much on the wiki about this, but if all else fails, I can help
>>>>> with this. Finally, I don't see where DYNDNS comes in here.
>>>> Plowing through the wiki...
>>>>
>>>> I see where if I use the internal DNS provided, I will have to set up
>>>> a forwarder. No problem, I have done that a lot. But I plan on using
>>>> a private tld, htt. and the zone home.htt. I want these zones known
>>>> to other systems on my network, so I want to slave them to my main DNS
>>>> internal servers (I actually have a production and 2 distinct test DNS
>>>> servers). Perhaps I will find in the wiki how to do this, or find my
>>>> old notes.
>>>>
>>>> Are workstations assigned DNS entries when they get their DHCP lease?
>>>> So that 'den' becomes den.home.htt and diningroom becomes
>>>> diningroom.home.htt? That is what I would think DYNDNS would be
>>>> doing. Of course the file servers, nevia and vega would be
>>>> nevia.home.htt and vega.home.htt? But since these are statically
>>>> assigned, again, I am assuming there are ways to get them into the
>>>> internal DNS.
>>> Unless things have changed, DHCP doesn't work with the samba internal
>>> DNS server, it does however work with the Bind9 DNS server, I have been
>>> using it since Dec 2012 on my home network 192.168.0.0/24 with the
>>> domain name of home.lan. To get the domain name applied to the clients,
>>> you just have to set them to ask for it and the DHCP to send it. As for
>>> the static clients, you can use samba-tool to add these.
>>>
>>>> Finally I am testing on one RFC1918 subnet (check out the authors of
>>>> 1918) and then will move all the servers to another one. What will I
>>>> need to do for this migration?
>>>>
>>> What do you need to migrate? If you set the first DC in a domain and
>>> then add another DC, all the AD database will be replicated to it.
>>>
>>> Rowland
>>>
>>> PS: you wouldn't be the B. Moskowitz from RFC would you? (if you are,
>>> sorry but until this post, I had never heard of you :-) )
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>
>Ah, but what if you have Unix clients and what about the reverse zone ?
>
>Rowland
>
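A small detector for the `update 'hprs.local/IN' denied` syslog line Mark quotes above, added here as an example and not code from the thread: it parses named's denied-update messages and separates clients that sit inside the allow-update ACL from his named.conf (where a denial points at the zone configuration) from clients outside it (the refusals you want). Sample log lines are constructed; hostnames, pids, ports and timestamps are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines modelled on the "update ... denied" message
# quoted in the thread; hostnames, pids, ports and timestamps are made up.
SAMPLE_LOG = """\
Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
Jul 30 20:35:21 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
Jul 30 20:36:02 mail named[792]: client 192.168.0.55#51200: update '0.168.192.in-addr.arpa/IN' denied
Jul 30 20:36:10 mail named[792]: client 10.9.8.7#4444: update 'hprs.local/IN' denied
Jul 30 20:37:00 mail named[792]: client 192.168.0.102#53011: updating zone 'hprs.local/IN': adding an RR at 'vaio.hprs.local' A
"""

# The allow-update ACL from the named.conf fragment in the thread.
ALLOW_UPDATE_ACL = ["192.168.0.0/24", "127.0.0.1/32"]

DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)/IN' denied"
)

def parse_denied(log_text):
    """Return a (client_ip, zone) tuple for every denied dynamic update."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("zone")))
    return hits

def classify(hits, acl=ALLOW_UPDATE_ACL):
    """Split denials by whether the client is inside the allow-update ACL.
    Inside-ACL denials mean the zone is not really accepting updates (the
    allow-update line is missing or the wrong named.conf is included);
    outside-ACL denials are the refusals you want to keep seeing."""
    nets = [ipaddress.ip_network(n) for n in acl]
    inside, outside = Counter(), Counter()
    for ip, zone in hits:
        addr = ipaddress.ip_address(ip)
        bucket = inside if any(addr in n for n in nets) else outside
        bucket[(ip, zone)] += 1
    return inside, outside

def report(log_text, acl=ALLOW_UPDATE_ACL):
    """Render one summary line per (client, zone), config problems first."""
    inside, outside = classify(parse_denied(log_text), acl)
    lines = [f"CONFIG PROBLEM: {ip} (in ACL) denied {n}x for {zone}" for (ip, zone), n in inside.items()]
    lines += [f"refused as expected: {ip} denied {n}x for {zone}" for (ip, zone), n in outside.items()]
    return lines
```

Run `report(SAMPLE_LOG)` against a real named log file (read into a string) to get the same split for your own zone.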