[Samba] sernet documentation

Mark Foley mfoley at novatec-inc.com
Thu Aug 27 14:28:55 UTC 2015


"Ah, but what if you have Unix clients"

I do have Unix clients. They work just fine. The Samba AD/DC is the DHCP server.
The Windows and Linux clients get their IP addresses and everyone can see all
the hosts on the domain. for example:

From the domain controller (host name MAIL)

$ host mark    # mark is a Windows 7 workstation
MARK.hprs.local has address 192.168.0.55

$ host webserver  # webserver is a Linux server
webserver.hprs.local has address 192.168.0.3

From the Linux webserver:

$ host mail   # mail is the Linux Samba4 domain controller
mail.hprs.local has address 192.168.0.2

$ host dennis   # dennis is a Windows 7 workstation
DENNIS.hprs.local has address 192.168.0.57

$ host OHPRSstorage  # this is the Linux NAS RAID
OHPRSstorage.hprs.local has address 192.168.0.5

Is there something in my posted configs that leads you to believe there is a
problem with Linux hosts in this setup?

"and what about the reverse zone ?"

I do have the reverse zones configured. See the 'snip' section where I've said
"I've kept my local zone files defined in this named.conf" and also the
corresponding lines in the full /etc/named.conf; and see lines 23-27 in my
posted /etc/samba/private/named.conf file.

--Mark

(btw - I know this is probably a function of your mail client, but is there any
way you can post your replies at the top instead of the bottom of the message?
Sometimes it's a long way to scroll down!)

-----Original Message-----
> Date: Wed, 26 Aug 2015 23:04:57 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] sernet documentation
> 
> On 26/08/15 22:56, Mark Foley wrote:
> > I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
> > for many months now in a production environment and it works just fine.  There
> > are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
> >
> > Note, conf file locations are Slackware, but you'll know where the same thing
> > goes in your distro.  In the examples below, my Domain IP range is
> > 192.168.0.0/24.  My AD/DC (also DNS and DHCP server and router) is 192.168.0.2.
> > My domain name is hprs.local.
> >
> > First off, I provisioned my Samba as follows:
> >
> > $ samba-tool domain provision --use-rfc2307 \
> >    --server-role='dc' --realm=hprs.local --domain=HPRS \
> >    --adminpass='password' --dns-backend=BIND9_FLATFILE \
> >    --option="interfaces=lo eth1" --option="bind interfaces only=yes"
> >
> >
> > In the standard /etc/named.conf, in the option section you need:
> >
> > ----------snip-----------
> > options {
> >
> >   forwarders {   // These are the ISP provided name servers
> >              66.193.88.3;
> >              66.192.88.4;
> >          };
> >
> >          allow-query {        // Permit querying by others in the domain
> >              192.168.0.0/24;
> >              127.0.0.1;
> >          };
> > };
> > ----------un-snip-----------
> >
> > I've kept my local zone files defined in this named.conf:
> >
> > ----------snip-----------
> > zone "localhost" IN {
> >          type master;
> >          file "/var/named/db.local";
> > };
> >
> > zone "127.in-addr.arpa" IN {
> >          type master;
> >          file "/var/named/db.127";
> > };
> > ----------un-snip-----------
> >
> > but now I reference Samba's config files for the domain stuff:
> >
> > ----------snip-----------
> > include "/etc/samba/private/named.conf";
> > ----------un-snip-----------
> >
> > Complete /etc/named.conf file:
> >
> > ----------snip-----------
> > options {
> > //      directory "/var/named";
> >
> >          forwarders {            // These are the ISP provided name servers
> >              209.18.47.61;
> >             209.18.47.62;
> >          };
> >
> >          allow-query {           // Permit querying by others in the domain
> >              192.168.0.0/24;
> >              127.0.0.1;
> >          };
> > };
> >
> > zone "localhost" IN {
> >          type master;
> >          file "/var/named/db.local";
> > };
> >
> > zone "127.in-addr.arpa" IN {
> >          type master;
> >          file "/var/named/db.127";
> > };
> >
> > include "/etc/samba/private/named.conf";
> > ----------un-snip-----------
> >
> > The samba-tool provisioning step will have created the referenced
> > /etc/samba/private/named.conf file.  Listed below is this file with my changes.
> >
> > I've commented out line 15.
> >
> > More importantly, the domain Windows workstations will want to update the zone
> > files via Samba.  If they cannot, you will continuously get the syslog message:
> >
> > syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
> >
> > Hence the "allow-update" in lines 8 and 25.
> >
> > Finally, I've added the "optional" reverse zone in lines 23-26.
> >
> > ----------snip-----------
> >   1  # This file should be included in your main BIND configuration file
> >   2  #
> >   3  # For example with
> >   4  # include "/etc/samba/private/named.conf";
> >   5
> >   6  zone "hprs.local." IN {
> >   7      type master;
> >   8      allow-update { 192.168.0.0/24; 127.0.0.1; };           // local DHCP server
> >   9      file "/etc/samba/private/dns/hprs.local.zone";
> > 10   /*
> > 11    * the list of principals and what they can change is created
> > 12    * dynamically by Samba, based on the membership of the domain controllers
> > 13    * group. The provision just creates this file as an empty file.
> > 14    */
> > 15  #       include "/etc/samba/private/named.conf.update";
> > 16
> > 17   /* we need to use check-names ignore so _msdcs A records can be created */
> > 18   check-names ignore;
> > 19  };
> > 20
> > 21  # The reverse zone configuration is optional.
> > 22
> > 23  zone "0.168.192.in-addr.arpa" in {
> > 24      type master;
> > 25      allow-update { 192.168.0.0/24; 127.0.0.1; };           // local DHCP server
> > 26      file "/etc/samba/private/dns/db.192.168.0";
> > 27  };
> > 28
> > 29  # Note that the reverse zone file is not created during the provision process.
> > 30
> > 31  # The most recent BIND versions (9.8 or later) support secure GSS-TSIG
> > 32  # updates.  If you are running an earlier version of BIND, or if you do not wish
> > 33  # to use secure GSS-TSIG updates, you may remove the update-policy sections in
> > 34  # both examples above.
> > ----------un-snip-----------
> >
> > For DNS, that's about it. I hand-tweaked a few things in the samba-tool
> > provisioned zone files to change the hostmaster email address and the various
> > refresh, retry, etc. timers. I'll not post those unless you need them because
> > they can be fairly lengthy. Except, you mentioned static IP. As an example, I
> > just added the following to my /etc/samba/private/dns/hprs.local.zone file:
> >
> > $TTL 3600       ; 1 hour
> > vaio                    A       192.168.0.102
> >
> > Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
> > these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.
> >
> > For DHCP, I've simply added the following to my dhcpd.conf. All these are
> > important, but the first 4 are needed for Samba to be able to update leases on
> > behalf of clients.
> >
> > ----------snip-----------
> > ddns-updates on;
> > update-static-leases on;
> > allow unknown-clients;  # default, deprecated (man dhcpd.conf)
> > ignore client-updates;  # see https://www.centos.org/forums/viewtopic.php?t=29256, man dhcpd.conf: ignore client-updates
> > ddns-update-style interim;
> >
> > zone hprs.local. { primary 192.168.0.2; }
> > zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }
> >
> > subnet 192.168.0.0 netmask 255.255.255.0 {
> >      option routers 192.168.0.2;
> >      range 192.168.0.100 192.168.0.254;
> >      option domain-name-servers 192.168.0.2;
> >      option domain-name "hprs.local";
> >      ddns-domainname = "hprs.local.";
> >      ddns-rev-domainname = "in-addr.arpa.";
> > }
> >
> > // Example of DHCP static IP
> >
> > host ricoh {
> >      hardware ethernet 00:26:73:55:63:AB;
> >      fixed-address 192.168.0.20;
> > }
> > ----------un-snip-----------
> >
> > This all works just fine.  I've routed my log messages for DNS and DHCPD to
> > their own file (not shown) and I can tail -f this file and see REQUESTs and ACKs
> > scrolling by in fine style.
> >
> > Not to put too much in one message, but I had to do the following on each Windows
> > workstation (command line) to get time to synchronize with ntpd where "mail" is
> > the hostname of my AD/DC and domain time server:
> >
> > w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
> > w32tm /config /update
> >
> > reference: https://www.meinbergglobal.com/english/info/ntp-w32time.htm
> >
> > Hope this helps
> >
> > --Mark
> >
> > -----Original Message-----
> >> Date: Wed, 26 Aug 2015 21:28:55 +0100
> >> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> >> To: Robert Moskowitz <rgm at htt-consult.com>, samba at lists.samba.org
> >> Subject: Re: [Samba] sernet documentation
> >>
> >> On 26/08/15 21:07, Robert Moskowitz wrote:
> >>>
> >>> On 08/26/2015 03:50 PM, Rowland Penny wrote:
> >>>> On 26/08/15 20:39, Robert Moskowitz wrote:
> >>>>>
> >>>>> On 08/26/2015 03:26 PM, Rowland Penny wrote:
> >>>>>> On 26/08/15 20:14, Robert Moskowitz wrote:
> >>>>>>> One of the Centos 7 arm developers built the sernet 4.2 for me to
> >>>>>>> start testing.
> >>>>>>>
> >>>>>>> http://repo.shivaserv.fr/centos/7/shivaserv-sernet.repo
> >>>>>>>
> >>>>>>> and
> >>>>>>>
> >>>>>>> http://repo.shivaserv.fr/centos/7/sernet/armv7hl/
> >>>>>>>
> >>>>>>> Since these were built on qemu, not requiring specific armv7
> >>>>>>> hardware, Perhaps at some point they can be adopted by Sernet. But
> >>>>>>> for now, how to test....
> >>>>>>>
> >>>>>>> I don't see any specific Sernet documentation.  Like what is here
> >>>>>>> and how to set it up, perhaps different, from generic Samba 4.
> >>>>>>>
> >>>>>>> I searched the sernet web site and this list and came up empty,
> >>>>>>> but my search foo is weak.
> >>>>>>>
> >>>>>>> thanks
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> If Sernet just built samba for ARM, I do not think that it should
> >>>>>> be any different to set up, so just follow the relevant
> >>>>>> documentation on the samba wiki:
> >>>>>>
> >>>>>> https://wiki.samba.org/index.php/Main_Page
> >>>>> I was thinking that PERHAPS the sernet build could have specific
> >>>>> configs for BIND and DHCP at the least.  Unless Samba has already
> >>>>> included these.  For things like DYNDNS.
> >>>>>
> >>>> Could you be a bit more specific, you can use Bind with samba4 but it
> >>>> is up to the sysadmin to set this up, though there is a page on the
> >>>> samba wiki. DHCP, again the sysadmin will have to set this, but there
> >>>> is not much on the wiki about this, but if all else fails, I can help
> >>>> with this. Finally, I don't see where DYNDNS comes in here.
> >>> Plowing through the wiki...
> >>>
> >>> I see where if I use the internal DNS provided, I will have to set up
> >>> a forwarder.  No problem, I have done that a lot.  But I plan on using
> >>> a private tld, htt. and the zone home.htt.  I want these zones known
> >>> to other systems on my network, so I want to slave them to my main DNS
> >>> internal servers (I actually have a production and 2 distinct test DNS
> >>> servers).  Perhaps I will find in the wiki how to do this, or find my
> >>> old notes.
> >>>
> >>> Are workstations assigned DNS entries when they get their DHCP lease?
> >>> So that 'den' becomes den.home.htt and diningroom becomes
> >>> diningroom.home.htt?  That is what I would think DYNDNS would be
> >>> doing.  Of course the file servers, nevia and vega would be
> >>> nevia.home.htt and vega.home.htt?  But since these are statically
> >>> assigned, again, I am assuming there are ways to get them into the
> >>> internal DNS.
> >> Unless things have changed, DHCP doesn't work with the samba internal
> >> DNS server, it does however work with the Bind9 DNS server, I have been
> >> using it since Dec 2012 on my home network 192.168.0.0/24 with the
> >> domain name of home.lan. To get the domain name applied to the clients,
> >> you just have to set them to ask for it and the DHCP to send it. As for
> >> the static clients, you can use samba-tool to add these.
> >>
> >>> Finally I am testing on one RFC1918 subnet (check out the authors of
> >>> 1918) and then will move all the servers to another one.  What will I
> >>> need to do for this migration?
> >>>
> >> What do you need to migrate ? if you set the first DC in a domain and
> >> then add another DC, all the AD database will be replicated to it.
> >>
> >> Rowland
> >>
> >> PS: you wouldn't be the B. Moskowitz from RFC would you ? (if you are,
> >> sorry but until this post, I had never heard of you :-)     )
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> 
> Ah, but what if you have Unix clients and what about the reverse zone ?
> 
> Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
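The `host` lookups at the top of this message check forward and reverse resolution one host at a time. The script below is an added example (it is not code from this thread or from Samba) that does the same check offline against the flat zone files a BIND9_FLATFILE provision writes: it parses the A records of the forward zone and the PTR records of the `0.168.192.in-addr.arpa` zone and reports hosts that have no PTR, PTRs that name a different host, and PTRs whose target has no A record. The zone excerpts are constructed in the style of the `vaio A 192.168.0.102` line quoted above, reusing the hostnames and addresses from the thread; `ricoh` and `dennis` are deliberately left inconsistent so the checker has something to report.

```python
"""Forward/reverse zone consistency check for BIND flat-file zones.

Added example, not code from the mailing-list thread or from Samba.
The zone excerpts are constructed; hostnames and addresses mirror the
hprs.local examples in the thread.
"""
import ipaddress
import re

FORWARD_ORIGIN = "hprs.local."
SUBNET = ipaddress.ip_network("192.168.0.0/24")

# Constructed forward zone excerpt (same style as the post's hprs.local.zone line).
FORWARD_ZONE = """\
$TTL 3600       ; 1 hour
mail            A   192.168.0.2
webserver       A   192.168.0.3
OHPRSstorage    A   192.168.0.5
mark            A   192.168.0.55
vaio            A   192.168.0.102
ricoh           A   192.168.0.20     ; static DHCP host, PTR never added
"""

# Constructed reverse zone excerpt for 0.168.192.in-addr.arpa.
REVERSE_ZONE = """\
$TTL 3600
2       PTR     mail.hprs.local.
3       PTR     webserver.hprs.local.
5       PTR     OHPRSstorage.hprs.local.
55      PTR     MARK.hprs.local.
102     PTR     vaio.hprs.local.
57      PTR     dennis.hprs.local.   ; no matching A record
"""

# owner [ttl] [IN] TYPE rdata -- enough for the flat-file records shown in the thread
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|PTR)\s+(\S+)", re.IGNORECASE)


def reverse_zone_name(net):
    """in-addr.arpa zone name for an IPv4 /24, e.g. 0.168.192.in-addr.arpa."""
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this helper only handles IPv4 /24 networks")
    octets = str(net.network_address).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa."


def ptr_owner(ip):
    """Relative owner name of a host's PTR record inside its /24 reverse zone."""
    return str(ip).split(".")[-1]


def fqdn(name, origin):
    """Qualify a relative name against the zone origin; absolute names pass through."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(text, rtype):
    """Return {owner: rdata} for one record type, ignoring comments and $-directives."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if m and m.group(2).upper() == rtype:
            records[m.group(1)] = m.group(3)
    return records


def check_consistency(forward_text, reverse_text, origin=FORWARD_ORIGIN, net=SUBNET):
    """Compare A records with PTR records and return (missing, mismatched, orphans).

    missing    - (fqdn, ip): A record inside `net` with no PTR
    mismatched - (fqdn, ip, target): PTR exists but names another host
    orphans    - (owner, target): PTR whose target has no A record
    Names are compared case-insensitively, so MARK vs mark is not an error.
    """
    rev_origin = reverse_zone_name(net)
    a_records = parse_records(forward_text, "A")
    ptr_records = parse_records(reverse_text, "PTR")
    forward_names = {fqdn(n, origin).lower() for n in a_records}
    missing, mismatched, orphans = [], [], []
    for name, addr in a_records.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            continue                      # lives in a different reverse zone
        host = fqdn(name, origin)
        target = ptr_records.get(ptr_owner(ip))
        if target is None:
            missing.append((host, addr))
        elif fqdn(target, rev_origin).lower() != host.lower():
            mismatched.append((host, addr, target))
    for owner, target in ptr_records.items():
        if fqdn(target, rev_origin).lower() not in forward_names:
            orphans.append((owner, target))
    return missing, mismatched, orphans


if __name__ == "__main__":
    print("reverse zone:", reverse_zone_name(SUBNET))
    labels = ("missing PTR", "mismatched PTR", "orphan PTR")
    for label, rows in zip(labels, check_consistency(FORWARD_ZONE, REVERSE_ZONE)):
        for row in rows:
            print(f"{label}: {row}")
```

Run against the real files (`/etc/samba/private/dns/hprs.local.zone` and `db.192.168.0` in this thread's layout) by reading them in place of the constructed strings. A PTR with no matching A record is the usual leftover after a host has been renamed or a static entry removed by hand, which is exactly the sort of drift the thread's warning about editing zone files while samba and named are running tends to produce.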
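The quoted message explains that workstations which cannot update the zone produce a steady stream of `update 'hprs.local/IN' denied` lines in syslog, and that the `allow-update` ACL is what silences them. The script below is an added example (not from this thread or from BIND) that reads such log lines and separates denials from clients inside the subnet the ACL is meant to accept, which point at a configuration problem like the one described, from denials from addresses outside it, where the denial is the intended outcome. The sample log lines are constructed in the format of the syslog line quoted above; the `10.9.8.7` address is a made-up outside client.

```python
"""Sort BIND dynamic-update denials by whether the client should have been allowed.

Added example, not from the mailing-list thread. SAMPLE_LOG is constructed in
the shape of the 'update ... denied' syslog line quoted in the thread.
"""
import ipaddress
import re
from collections import Counter

# Same network as the allow-update ACL in the thread's named.conf.
ALLOWED_UPDATERS = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample lines; the last one is unrelated noise the parser must skip.
SAMPLE_LOG = """\
Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
Jul 30 20:35:21 mail named[792]: client 192.168.0.101#58027: update 'hprs.local/IN' denied
Jul 30 20:36:02 mail named[792]: client 192.168.0.55#49152: update '0.168.192.in-addr.arpa/IN' denied
Jul 30 20:37:14 mail named[792]: client 10.9.8.7#40000: update 'hprs.local/IN' denied
Jul 30 20:37:15 mail named[792]: zone hprs.local/IN: sending notifies (serial 2015073001)
"""

DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied"
)


def parse_denials(text):
    """Return a list of (client_ip, zone) for every denied update in the log text."""
    denials = []
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denials.append((m.group("ip"), m.group("zone")))
    return denials


def classify(denials, allowed=ALLOWED_UPDATERS):
    """Split denials into two Counters keyed by (client_ip, zone).

    inside  - clients the ACL is supposed to accept; the zone's allow-update or
              update-policy is not letting them through (the thread's symptom).
    outside - clients beyond the ACL; the denial is expected, but a client that
              keeps retrying is still worth a look.
    """
    inside, outside = Counter(), Counter()
    for ip, zone in denials:
        bucket = inside if ipaddress.ip_address(ip) in allowed else outside
        bucket[(ip, zone)] += 1
    return inside, outside


if __name__ == "__main__":
    inside, outside = classify(parse_denials(SAMPLE_LOG))
    for (ip, zone), n in inside.items():
        print(f"check ACL: {ip} is in {ALLOWED_UPDATERS} but was denied {n}x on {zone}")
    for (ip, zone), n in outside.items():
        print(f"expected: {ip} is outside {ALLOWED_UPDATERS}, denied {n}x on {zone}")
```

Feed it the DNS log file the thread mentions routing named and dhcpd messages into. A non-empty `inside` set after the ACL is in place usually means the reverse zone is missing its own `allow-update` (the thread's file has one on both zones for that reason). The comments in the provisioned `named.conf` quoted above also note that BIND 9.8 or later can replace the address-based ACL with GSS-TSIG `update-policy` rules, which authenticate the updating machine rather than trusting every address in the subnet.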


