[Samba] sernet documentation

Rowland Penny rowlandpenny241155 at gmail.com
Thu Aug 27 14:46:59 UTC 2015


On 27/08/15 15:28, Mark Foley wrote:
> "Ah, but what if you have Unix clients"
>
> I do have Unix clients. They work just fine. The Samba AD/DC is the DHCP server.
> The Windows and Linux clients get their IP addresses and everyone can see all
> the hosts on the domain. for example:
>
>  From the domain controller (host name MAIL)
>
> $ host mark    # mark is a Windows 7 workstation
> MARK.hprs.local has address 192.168.0.55
>
> $ host webserver  # webserver is a Linux server
> webserver.hprs.local has address 192.168.0.3
>
>  From the Linux webserver:
>
> $ host mail   # mail is the Linux Samba4 domain controller
> mail.hprs.local has address 192.168.0.2
>
> $ host dennis   # dennis is a Windows 7 workstation
> DENNIS.hprs.local has address 192.168.0.57
>
> $ host OHPRSstorage  # this is the Linux NAS RAID
> OHPRSstorage.hprs.local has address 192.168.0.5
>
> Is there something in my posted configs that leads you to believe there is a
> problem with Linux hosts in this setup?
>
> "and what about the reverse zone ?"
>
> I do have the reverse zones configured. See the 'snip' section where I've said
> "I've kept my local zone files defined in this named.conf" and also the
> corresponding lines in the full /etc/named.conf; and see lines 23-27 in my
> posted /etc/samba/private/named.conf file.
>
> --Mark
>
> (btw - I know this is probably a function of your mail client, but is there any
> way you can post your replies at the top instead of the bottom of the message?
> Sometimes it's a long way to scroll down!)
>
> -----Original Message-----
>> Date: Wed, 26 Aug 2015 23:04:57 +0100
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] sernet documentation
>>
>> On 26/08/15 22:56, Mark Foley wrote:
>>> I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
>>> for many months now in a production environment and it works just fine.  There
>>> are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
>>>
>>> Note, conf file locations are Slackware, but you'll know where the same thing
>>> goes in your distro.  In the examples below, my Domain IP range is
>>> 192.168.0.0/24.  My AD/DC (also DNS and DHCP server and router) is 192.168.0.2.
>>> My domain name is hprs.local.
>>>
>>> First off, I provisioned my Samba as follows:
>>>
>>> $ samba-tool domain provision --use-rfc2307 \
>>>     --server-role='dc' --realm=hprs.local --domain=HPRS \
>>>     --adminpass='password' --dns-backend=BIND9_FLATFILE \
>>>     --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>>>
>>>
>>> In the standard /etc/named.conf, in the option section you need:
>>>
>>> ----------snip-----------
>>> options {
>>>
>>>    forwarders {   // These are the ISP provided name servers
>>>               66.193.88.3;
>>>               66.192.88.4;
>>>           };
>>>
>>>           allow-query {        // Permit querying by others in the domain
>>>               192.168.0.0/24;
>>>               127.0.0.1;
>>>           };
>>> };
>>> ----------un-snip-----------
>>>
>>> I've kept my local zone files defined in this named.conf:
>>>
>>> ----------snip-----------
>>> zone "localhost" IN {
>>>           type master;
>>>           file "/var/named/db.local";
>>> };
>>>
>>> zone "127.in-addr.arpa" IN {
>>>           type master;
>>>           file "/var/named/db.127";
>>> };
>>> ----------un-snip-----------
>>>
>>> but now I reference Samba's config files for the domain stuff:
>>>
>>> ----------snip-----------
>>> include "/etc/samba/private/named.conf";
>>> ----------un-snip-----------
>>>
>>> Complete /etc/named.conf file:
>>>
>>> ----------snip-----------
>>> options {
>>> //      directory "/var/named";
>>>
>>>           forwarders {            // These are the ISP provided name servers
>>>               209.18.47.61;
>>>               209.18.47.62;
>>>           };
>>>
>>>           allow-query {           // Permit querying by others in the domain
>>>               192.168.0.0/24;
>>>               127.0.0.1;
>>>           };
>>> };
>>>
>>> zone "localhost" IN {
>>>           type master;
>>>           file "/var/named/db.local";
>>> };
>>>
>>> zone "127.in-addr.arpa" IN {
>>>           type master;
>>>           file "/var/named/db.127";
>>> };
>>>
>>> include "/etc/samba/private/named.conf";
>>> ----------un-snip-----------
>>>
>>> The samba-tool provisioning step will have created the referenced
>>> /etc/samba/private/named.conf file.  Listed below is this file with my changes.
>>>
>>> I've commented out line 15.
>>>
>>> More importantly, the domain Windows workstations will want to update the zone
>>> files via Samba.  If they cannot, you will continuously get the syslog message:
>>>
>>> syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
>>>
>>> Hence the "allow-update" in lines 8 and 25.
>>>
>>> Finally, I've added the "optional" reverse zone in lines 23-26.
>>>
>>> ----------snip-----------
>>>    1  # This file should be included in your main BIND configuration file
>>>    2  #
>>>    3  # For example with
>>>    4  # include "/etc/samba/private/named.conf";
>>>    5
>>>    6  zone "hprs.local." IN {
>>>    7      type master;
>>>    8      allow-update { 192.168.0.0/24; 127.0.0.1; };           // local DHCP server
>>>    9      file "/etc/samba/private/dns/hprs.local.zone";
>>> 10   /*
>>> 11    * the list of principals and what they can change is created
>>> 12    * dynamically by Samba, based on the membership of the domain controllers
>>> 13    * group. The provision just creates this file as an empty file.
>>> 14    */
>>> 15  #       include "/etc/samba/private/named.conf.update";
>>> 16
>>> 17   /* we need to use check-names ignore so _msdcs A records can be created */
>>> 18   check-names ignore;
>>> 19  };
>>> 20
>>> 21  # The reverse zone configuration is optional.
>>> 22
>>> 23  zone "0.168.192.in-addr.arpa" in {
>>> 24      type master;
>>> 25      allow-update { 192.168.0.0/24; 127.0.0.1; };           // local DHCP server
>>> 26      file "/etc/samba/private/dns/db.192.168.0";
>>> 27  };
>>> 28
>>> 29  # Note that the reverse zone file is not created during the provision process.
>>> 30
>>> 31  # The most recent BIND versions (9.8 or later) support secure GSS-TSIG
>>> 32  # updates.  If you are running an earlier version of BIND, or if you do not wish
>>> 33  # to use secure GSS-TSIG updates, you may remove the update-policy sections in
>>> 34  # both examples above.
>>> ----------un-snip-----------
>>>
>>> For DNS, that's about it. I hand-tweaked a few things in the samba-tool
>>> provisioned zone files to change the hostmaster email address and the various
>>> refresh, retry, etc. timers. I'll not post those unless you need them because
>>> they can be fairly lengthy. Except, you mentioned static IP. As an example, I
>>> just added the following to my /etc/samba/private/dns/hprs.local.zone file:
>>>
>>> $TTL 3600       ; 1 hour
>>> vaio                    A       192.168.0.102
>>>
>>> Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
>>> these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.
>>>
>>> For DHCP, I've simply added the following to my dhcpd.conf. All these are
>>> important, but the first 4 are needed for Samba to be able to update leases on
>>> behalf of clients.
>>>
>>> ----------snip-----------
>>> ddns-updates on;
>>> update-static-leases on;
>>> allow unknown-clients;  # default, deprecated (man dhcpd.conf)
>>> ignore client-updates;  # see https://www.centos.org/forums/viewtopic.php?t=29256, man dhcpd.conf: ignore client-updates
>>> ddns-update-style interim;
>>>
>>> zone hprs.local. { primary 192.168.0.2; }
>>> zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }
>>>
>>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>>       option routers 192.168.0.2;
>>>       range 192.168.0.100 192.168.0.254;
>>>       option domain-name-servers 192.168.0.2;
>>>       option domain-name "hprs.local";
>>>       ddns-domainname = "hprs.local.";
>>>       ddns-rev-domainname = "in-addr.arpa.";
>>> }
>>>
>>> // Example of DHCP static IP
>>>
>>> host ricoh {
>>>       hardware ethernet 00:26:73:55:63:AB;
>>>       fixed-address 192.168.0.20;
>>> }
>>> ----------un-snip-----------
>>>
>>> This all works just fine.  I've routed my log messages for DNS and DHCPD to
>>> their own file (not shown) and I can tail -f this file and see REQUESTs and ACKs
>>> scrolling by in fine style.
>>>
>>> Not to put too much in one message, but I had to do the following on each Windows
>>> workstation (command line) to get time to synchronize with ntpd where "mail" is
>>> the hostname of my AD/DC and domain time server:
>>>
>>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>>> w32tm /config /update
>>>
>>> reference: https://www.meinbergglobal.com/english/info/ntp-w32time.htm
>>>
>>> Hope this helps
>>>
>>> --Mark
>>>
>>> -----Original Message-----
>>>> Date: Wed, 26 Aug 2015 21:28:55 +0100
>>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>>> To: Robert Moskowitz <rgm at htt-consult.com>, samba at lists.samba.org
>>>> Subject: Re: [Samba] sernet documentation
>>>>
>>>> On 26/08/15 21:07, Robert Moskowitz wrote:
>>>>> On 08/26/2015 03:50 PM, Rowland Penny wrote:
>>>>>> On 26/08/15 20:39, Robert Moskowitz wrote:
>>>>>>> On 08/26/2015 03:26 PM, Rowland Penny wrote:
>>>>>>>> On 26/08/15 20:14, Robert Moskowitz wrote:
>>>>>>>>> One of the Centos 7 arm developers built the sernet 4.2 for me to
>>>>>>>>> start testing.
>>>>>>>>>
>>>>>>>>> http://repo.shivaserv.fr/centos/7/shivaserv-sernet.repo
>>>>>>>>>
>>>>>>>>> and
>>>>>>>>>
>>>>>>>>> http://repo.shivaserv.fr/centos/7/sernet/armv7hl/
>>>>>>>>>
>>>>>>>>> Since these were built on qemu, not requiring specific armv7
>>>>>>>>> hardware, Perhaps at some point they can be adopted by Sernet. But
>>>>>>>>> for now, how to test....
>>>>>>>>>
>>>>>>>>> I don't see any specific Sernet documentation.  Like what is here
>>>>>>>>> and how to set it up, perhaps different, from generic Samba 4.
>>>>>>>>>
>>>>>>>>> I searched the sernet web site and this list and came up empty,
>>>>>>>>> but my search foo is weak.
>>>>>>>>>
>>>>>>>>> thanks
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> If Sernet just built samba for ARM, I do not think that it should
>>>>>>>> be any different to set up, so just follow the relevant
>>>>>>>> documentation on the samba wiki:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Main_Page
>>>>>>> I was thinking that PERHAPS the sernet build could have specific
>>>>>>> configs for BIND and DHCP at the least.  Unless Samba has already
>>>>>>> included these.  For things like DYNDNS.
>>>>>>>
>>>>>> Could you be a bit more specific, you can use Bind with samba4 but it
>>>>>> is up to the sysadmin to set this up, though there is a page on the
>>>>>> samba wiki. DHCP, again the sysadmin will have to set this, but there
>>>>>> is not much on the wiki about this, but if all else fails, I can help
>>>>>> with this. Finally, I don't see where DYNDNS comes in here.
>>>>> Plowing through the wiki...
>>>>>
>>>>> I see where if I use the internal DNS provided, I will have to set up
>>>>> a forwarder.  No problem, I have done that a lot.  But I plan on using
>>>>> a private tld, htt. and the zone home.htt.  I want these zones known
>>>>> to other systems on my network, so I want to slave them to my main DNS
>>>>> internal servers (I actually have a production and 2 distinct test DNS
>>>>> servers).  Perhaps I will find in the wiki how to do this, or find my
>>>>> old notes.
>>>>>
>>>>> Are workstations assigned DNS entries when they get their DHCP lease?
>>>>> So that 'den' becomes den.home.htt and diningroom becomes
>>>>> diningroom.home.htt?  That is what I would think DYNDNS would be
>>>>> doing.  Of course the file servers, nevia and vega would be
>>>>> nevia.home.htt and vega.home.htt?  But since these are statically
>>>>> assigned, again, I am assuming there are ways to get them into the
>>>>> internal DNS.
>>>> Unless things have changed, DHCP doesn't work with the samba internal
>>>> DNS server, it does however work with the Bind9 DNS server, I have been
>>>> using it since Dec 2012 on my home network 192.168.0.0/24 with the
>>>> domain name of home.lan. To get the domain name applied to the clients,
>>>> you just have to set them to ask for it and the DHCP to send it. As for
>>>> the static clients, you can use samba-tool to add these.
>>>>
>>>>> Finally I am testing on one RFC1918 subnet (check out the authors of
>>>>> 1918) and then will move all the servers to another one.  what will I
>>>>> need to do for this migration?
>>>>>
>>>> What do you need to migrate ? if you set the first DC in a domain and
>>>> then add another DC, all the AD database will be replicated to it.
>>>>
>>>> Rowland
>>>>
>>>> PS: you wouldn't be the B. Moskowitz from RFC would you ? (if you are,
>>>> sorry but until this post, I had never heard of you :-)     )
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>> Ah, but what if you have Unix clients and what about the reverse zone ?
>>
>> Rowland
>>
>>

Hmm worth knowing, I do it a different way, dhcp runs a script which 
carries out the updates using nsupdate from bind.

As to the bottom posting, I was always told to not top post as it breaks 
the flow, but I suppose everybody to their own :-)

Rowland
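An added illustration of the nsupdate-driven approach Rowland mentions (example code, not from this thread or from Samba): a lease-event hook that ISC dhcpd calls with `execute()` and that pushes A/PTR records into the BIND9 zones, signing the updates with the DC's Kerberos DNS credentials (`nsupdate -g`) so they pass the principal-based policy in Samba's generated `named.conf.update`. Assumed, and not from the thread: the hook path, the keytab path, the `dns-MAIL@HPRS.LOCAL` principal name, and the `build_nsupdate_script`/`run_hook` helper names; the domain, DNS server and reverse zone are Mark's from above.

```shell
#!/bin/sh
# dhcp-dns-hook: ISC dhcpd calls this on lease commit/release and it pushes
# A and PTR records into the Samba-backed BIND9 zones via nsupdate (GSS-TSIG).
# Assumed (not from the thread): hook path, keytab path, dns-MAIL principal.
#
# dhcpd.conf side (standard ISC dhcpd event hooks and execute() statement):
#   on commit  { set ip = binary-to-ascii(10, 8, ".", leased-ip-address);
#                set h  = pick-first-value(option host-name, "");
#                execute("/usr/local/sbin/dhcp-dns-hook", "add", ip, h); }
#   on release { ... execute("/usr/local/sbin/dhcp-dns-hook", "delete", ip, h); }

DOMAIN="hprs.local"
DNS_SERVER="192.168.0.2"
TTL=3600
KEYTAB="/etc/samba/private/dns.keytab"   # assumed path
PRINCIPAL="dns-MAIL@HPRS.LOCAL"          # assumed principal name

# 192.168.0.55 -> 55.0.168.192.in-addr.arpa
reverse_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# 192.168.0.55 -> 0.168.192.in-addr.arpa (the /24 reverse zone from the thread)
reverse_zone() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# Print the nsupdate batch for one lease event: $1 = add|delete, $2 = IP, $3 = hostname.
# Existing records for the name are deleted first, so a client that moved to a
# new address (or sent its name in different case) leaves no stale duplicates.
build_nsupdate_script() {
    action=$1; ip=$2
    fqdn="$(printf '%s' "$3" | tr 'A-Z' 'a-z').$DOMAIN"
    ptr=$(reverse_name "$ip")
    printf 'server %s\nzone %s\nupdate delete %s A\n' "$DNS_SERVER" "$DOMAIN" "$fqdn"
    [ "$action" = add ] && printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
    printf 'send\nzone %s\nupdate delete %s PTR\n' "$(reverse_zone "$ip")" "$ptr"
    [ "$action" = add ] && printf 'update add %s %s PTR %s\n' "$ptr" "$TTL" "$fqdn"
    printf 'send\n'
}

run_hook() {
    # Get a ticket for the DC's DNS principal; nsupdate -g then signs with it.
    export KRB5CCNAME="/tmp/dhcp-dns-hook.ccache"
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || exit 1
    build_nsupdate_script "$@" | nsupdate -g
}

case "${1:-}" in
    add|delete) [ -n "${3:-}" ] && run_hook "$1" "$2" "$3" ;;
esac
```

With Mark's IP-based `allow-update { 192.168.0.0/24; ... }` the `-g` is not required, but it is what Samba's principal-based policy expects once `named.conf.update` is included. Clients that send no host-name option are skipped rather than registered under an empty name.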
