[Samba] sernet documentation
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Aug 27 14:46:59 UTC 2015
On 27/08/15 15:28, Mark Foley wrote:
> "Ah, but what if you have Unix clients"
>
> I do have Unix clients. They work just fine. The Samba AD/DC is the DHCP server.
> The Windows and Linux clients get their IP addresses and everyone can see all
> the hosts on the domain. for example:
>
> From the domain controller (host name MAIL)
>
> $ host mark # mark is a Windows 7 workstation
> MARK.hprs.local has address 192.168.0.55
>
> $ host webserver # webserver is a Linux server
> webserver.hprs.local has address 192.168.0.3
>
> From the Linux webserver:
>
> $ host mail # mail is the Linux Samba4 domain controller
> mail.hprs.local has address 192.168.0.2
>
> $ host dennis # dennis is a Windows 7 workstation
> DENNIS.hprs.local has address 192.168.0.57
>
> $ host OHPRSstorage # this is the Linux NAS RAID
> OHPRSstorage.hprs.local has address 192.168.0.5
>
> Is there something in my posted configs that leads you to believe there is a
> problem with Linux hosts in this setup?
>
> "and what about the reverse zone ?"
>
> I do have the reverse zones configured. See the 'snip' section where I've said
> "I've kept my local zone files defined in this named.conf" and also the
> corresponding lines in the full /etc/named.conf; and see lines 23-27 in my
> posted /etc/samba/private/named.conf file.
>
> --Mark
>
> (btw - I know this is probably a function of your mail client, but is there any
> way you can post your replies at the top instead of the bottom of the message?
> Sometimes it's a long way to scroll down!)
>
> -----Original Message-----
>> Date: Wed, 26 Aug 2015 23:04:57 +0100
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] sernet documentation
>>
>> On 26/08/15 22:56, Mark Foley wrote:
>>> I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
>>> for many months now in a production environment and it works just fine. There
>>> are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
>>>
>>> Note, conf file locations are Slackware, but you'll know where the same thing
>>> goes in your distro. In the examples below, my Domain IP range is
>>> 192.168.0.0/24. My AD/DC (also DNS and DHCP server and router) is 192.168.0.2.
>>> My domain name is hprs.local.
>>>
>>> First off, I provisioned my Samba as follows:
>>>
>>> $ samba-tool domain provision --use-rfc2307 \
>>> --server-role='dc' --realm=hprs.local --domain=HPRS \
>>> --adminpass='password' --dns-backend=BIND9_FLATFILE \
>>> --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>>>
>>>
>>> In the standard /etc/named.conf, in the option section you need:
>>>
>>> ----------snip-----------
>>> options {
>>>
>>> forwarders { // These are the ISP provided name servers
>>> 66.193.88.3;
>>> 66.192.88.4;
>>> };
>>>
>>> allow-query { // Permit querying by others in the domain
>>> 192.168.0.0/24;
>>> 127.0.0.1;
>>> };
>>> };
>>> ----------un-snip-----------
>>>
>>> I've kept my local zone files defined in this named.conf:
>>>
>>> ----------snip-----------
>>> zone "localhost" IN {
>>> type master;
>>> file "/var/named/db.local";
>>> };
>>>
>>> zone "127.in-addr.arpa" IN {
>>> type master;
>>> file "/var/named/db.127";
>>> };
>>> ----------un-snip-----------
>>>
>>> but now I reference Samba's config files for the domain stuff:
>>>
>>> ----------snip-----------
>>> include "/etc/samba/private/named.conf";
>>> ----------un-snip-----------
>>>
>>> Complete /etc/named.conf file:
>>>
>>> ----------snip-----------
>>> options {
>>> // directory "/var/named";
>>>
>>> forwarders { // These are the ISP provided name servers
>>> 209.18.47.61;
>>> 209.18.47.62;
>>> };
>>>
>>> allow-query { // Permit querying by others in the domain
>>> 192.168.0.0/24;
>>> 127.0.0.1;
>>> };
>>> };
>>>
>>> zone "localhost" IN {
>>> type master;
>>> file "/var/named/db.local";
>>> };
>>>
>>> zone "127.in-addr.arpa" IN {
>>> type master;
>>> file "/var/named/db.127";
>>> };
>>>
>>> include "/etc/samba/private/named.conf";
>>> ----------un-snip-----------
>>>
>>> The samba-tool provisioning step will have created the referenced
>>> /etc/samba/private/named.conf file. Listed below is this file with my changes.
>>>
>>> I've commented out line 15.
>>>
>>> More importantly, the domain Windows workstations will want to update the zone
>>> files via Samba. If they cannot, you will continuously get the syslog message:
>>>
>>> syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
>>>
>>> Hence the "allow-update" in lines 8 and 25.
>>>
>>> Finally, I've added the "optional" reverse zone in lines 23-26.
>>>
>>> ----------snip-----------
>>> 1 # This file should be included in your main BIND configuration file
>>> 2 #
>>> 3 # For example with
>>> 4 # include "/etc/samba/private/named.conf";
>>> 5
>>> 6 zone "hprs.local." IN {
>>> 7 type master;
>>> 8 allow-update { 192.168.0.0/24; 127.0.0.1; }; // local DHCP server
>>> 9 file "/etc/samba/private/dns/hprs.local.zone";
>>> 10 /*
>>> 11 * the list of principals and what they can change is created
>>> 12 * dynamically by Samba, based on the membership of the domain controllers
>>> 13 * group. The provision just creates this file as an empty file.
>>> 14 */
>>> 15 # include "/etc/samba/private/named.conf.update";
>>> 16
>>> 17 /* we need to use check-names ignore so _msdcs A records can be created */
>>> 18 check-names ignore;
>>> 19 };
>>> 20
>>> 21 # The reverse zone configuration is optional.
>>> 22
>>> 23 zone "0.168.192.in-addr.arpa" in {
>>> 24 type master;
>>> 25 allow-update { 192.168.0.0/24; 127.0.0.1; }; // local DHCP server
>>> 26 file "/etc/samba/private/dns/db.192.168.0";
>>> 27 };
>>> 28
>>> 29 # Note that the reverse zone file is not created during the provision process.
>>> 30
>>> 31 # The most recent BIND versions (9.8 or later) support secure GSS-TSIG
>>> 32 # updates. If you are running an earlier version of BIND, or if you do not wish
>>> 33 # to use secure GSS-TSIG updates, you may remove the update-policy sections in
>>> 34 # both examples above.
>>> ----------un-snip-----------
>>>
>>> For DNS, that's about it. I hand-tweaked a few things in the samba-tool
>>> provisioned zone files to change the hostmaster email address and the various
>>> refresh, retry, etc. timers. I'll not post those unless you need them because
>>> they can be fairly lengthy. Except, you mentioned static IP. As an example, I
>>> just added the following to my /etc/samba/private/dns/hprs.local.zone file:
>>>
>>> $TTL 3600 ; 1 hour
>>> vaio A 192.168.0.102
>>>
>>> Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
>>> these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.
>>>
>>> For DHCP, I've simply added the following to my dhcpd.conf. All these are
>>> important, but the first 4 are needed for Samba to be able to update leases on
>>> behalf of clients.
>>>
>>> ----------snip-----------
>>> ddns-updates on;
>>> update-static-leases on;
>>> allow unknown-clients; # default, deprecated (man dhcpd.conf)
>>> ignore client-updates; # see https://www.centos.org/forums/viewtopic.php?t=29256, man dhcpd.conf: ignore client-updates
>>> ddns-update-style interim;
>>>
>>> zone hprs.local. { primary 192.168.0.2; }
>>> zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }
>>>
>>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>> option routers 192.168.0.2;
>>> range 192.168.0.100 192.168.0.254;
>>> option domain-name-servers 192.168.0.2;
>>> option domain-name "hprs.local";
>>> ddns-domainname = "hprs.local.";
>>> ddns-rev-domainname = "in-addr.arpa.";
>>> }
>>>
>>> // Example of DHCP static IP
>>>
>>> host ricoh {
>>> hardware ethernet 00:26:73:55:63:AB;
>>> fixed-address 192.168.0.20;
>>> }
>>> ----------un-snip-----------
>>>
>>> This all works just fine. I've routed my log messages for DNS and DHCPD to
>>> their own file (not shown) and I can tail -f this file and see REQUESTs and ACKs
>>> scrolling by in fine style.
>>>
>>> Not to put too much in one message, but I had to do the following on each Windows
>>> workstation (command line) to get time to synchronize with ntpd where "mail" is
>>> the hostname of my AD/DC and domain time server:
>>>
>>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>>> w32tm /config /update
>>>
>>> reference: https://www.meinbergglobal.com/english/info/ntp-w32time.htm
>>>
>>> Hope this helps
>>>
>>> --Mark
>>>
>>> -----Original Message-----
>>>> Date: Wed, 26 Aug 2015 21:28:55 +0100
>>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>>> To: Robert Moskowitz <rgm at htt-consult.com>, samba at lists.samba.org
>>>> Subject: Re: [Samba] sernet documentation
>>>>
>>>> On 26/08/15 21:07, Robert Moskowitz wrote:
>>>>> On 08/26/2015 03:50 PM, Rowland Penny wrote:
>>>>>> On 26/08/15 20:39, Robert Moskowitz wrote:
>>>>>>> On 08/26/2015 03:26 PM, Rowland Penny wrote:
>>>>>>>> On 26/08/15 20:14, Robert Moskowitz wrote:
>>>>>>>>> One of the Centos 7 arm developers built the sernet 4.2 for me to
>>>>>>>>> start testing.
>>>>>>>>>
>>>>>>>>> http://repo.shivaserv.fr/centos/7/shivaserv-sernet.repo
>>>>>>>>>
>>>>>>>>> and
>>>>>>>>>
>>>>>>>>> http://repo.shivaserv.fr/centos/7/sernet/armv7hl/
>>>>>>>>>
>>>>>>>>> Since these were built on qemu, not requiring specific armv7
>>>>>>>>> hardware, Perhaps at some point they can be adopted by Sernet. But
>>>>>>>>> for now, how to test....
>>>>>>>>>
>>>>>>>>> I don't see any specific Sernet documentation. Like what is here
>>>>>>>>> and how to set it up, perhaps different, from generic Samba 4.
>>>>>>>>>
>>>>>>>>> I searched the sernet web site and this list and came up empty,
>>>>>>>>> but my search foo is weak.
>>>>>>>>>
>>>>>>>>> thanks
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> If Sernet just built samba for ARM, I do not think that it should
>>>>>>>> be any different to set up, so just follow the relevant
>>>>>>>> documentation on the samba wiki:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Main_Page
>>>>>>> I was thinking that PERHAPS the sernet build could have specific
>>>>>>> configs for BIND and DHCP at the least. Unless Samba has already
>>>>>>> included these. For things like DYNDNS.
>>>>>>>
>>>>>> Could you be a bit more specific, you can use Bind with samba4 but it
>>>>>> is up to the sysadmin to set this up, though there is a page on the
>>>>>> samba wiki. DHCP, again the sysadmin will have to set this, but there
>>>>>> is not much on the wiki about this, but if all else fails, I can help
>>>>>> with this. Finally, I don't see where DYNDNS comes in here.
>>>>> Plowing through the wiki...
>>>>>
>>>>> I see where if I use the internal DNS provided, I will have to set up
>>>>> a forwarder. No problem, I have done that a lot. But I plan on using
>>>>> a private tld, htt. and the zone home.htt. I want these zones known
>>>>> to other systems on my network, so I want to slave them to my main DNS
>>>>> internal servers (I actually have a production and 2 distinct test DNS
>>>>> servers). Perhaps I will find in the wiki how to do this, or find my
>>>>> old notes.
>>>>>
>>>>> Are workstations assigned DNS entries when they get their DHCP lease?
>>>>> So that 'den' becomes den.home.htt and diningroom becomes
>>>>> diningroom.home.htt? That is what I would think DYNDNS would be
>>>>> doing. Of course the file servers, nevia and vega would be
>>>>> nevia.home.htt and vega.home.htt? But since these are statically
>>>>> assigned, again, I am assuming there are ways to get them into the
>>>>> internal DNS.
>>>> Unless things have changed, DHCP doesn't work with the samba internal
>>>> DNS server, it does however work with the Bind9 DNS server, I have been
>>>> using it since Dec 2012 on my home network 192.168.0.0/24 with the
>>>> domain name of home.lan. To get the domain name applied to the clients,
>>>> you just have to set them to ask for it and the DHCP to send it. As for
>>>> the static clients, you can use samba-tool to add these.
>>>>
>>>>> Finally I am testing on one RFC1918 subnet (check out the authors of
>>>>> 1918) and then will move all the servers to another one. what will I
>>>>> need to do for this migration?
>>>>>
>>>> What do you need to migrate ? if you set the first DC in a domain and
>>>> then add another DC, all the AD database will be replicated to it.
>>>>
>>>> Rowland
>>>>
>>>> PS: you wouldn't be the B. Moskowitz from RFC would you ? (if you are,
>>>> sorry but until this post, I had never heard of you :-) )
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>> Ah, but what if you have Unix clients and what about the reverse zone ?
>>
>> Rowland
>>
>>
Hmm, worth knowing. I do it a different way: dhcp runs a script which
carries out the updates using nsupdate from bind.
As to the bottom posting, I was always told not to top post as it breaks
the flow, but I suppose everybody to their own :-)
Rowland
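Rowland's alternative above (dhcpd running a script that drives nsupdate), written out as an added example; this is not code from the original thread or from the Samba project. It assumes a TSIG key file at /etc/dhcp/ddns.key, the dhcpd.conf `on commit`/`on release` wiring shown in the header comment (dhcp-eval(5) syntax), and the environment-variable names used for overrides; the zone name hprs.local and the server address 192.168.0.2 are the ones from Mark's post. Because the client-supplied host-name ends up inside an nsupdate command, the script accepts only a single well-formed DNS label and otherwise does nothing.

```shell
#!/bin/sh
# dhcp-ddns-hook.sh: hook script run by ISC dhcpd on lease events; pushes the
# forward (A) and reverse (PTR) records into BIND with nsupdate.
# Added example, not part of the original post. Paths, the key file and the
# DDNS_* environment variables are assumptions.
#
# Assumed dhcpd.conf wiring (dhcp-eval(5) syntax):
#   on commit {
#     set clip   = binary-to-ascii(10, 8, ".", leased-address);
#     set clhost = pick-first-value(option host-name, "");
#     execute("/usr/local/sbin/dhcp-ddns-hook.sh", "add", clip, clhost);
#   }
#   on release {
#     set clip   = binary-to-ascii(10, 8, ".", leased-address);
#     set clhost = pick-first-value(option host-name, "");
#     execute("/usr/local/sbin/dhcp-ddns-hook.sh", "delete", clip, clhost);
#   }

DOMAIN="${DDNS_DOMAIN:-hprs.local}"             # forward zone (from the thread)
SERVER="${DDNS_SERVER:-192.168.0.2}"            # BIND on the DC (from the thread)
TTL="${DDNS_TTL:-3600}"
KEYFILE="${DDNS_KEYFILE:-/etc/dhcp/ddns.key}"   # assumed TSIG key, readable by dhcpd only

# reverse_name 192.168.0.55 -> 55.0.168.192.in-addr.arpa
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# The client chooses its own host-name and it goes straight into an nsupdate
# command, so accept a single DNS label only: letters, digits and hyphen, with
# no leading or trailing hyphen (this also rejects spaces, ';' and dots).
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    return 0
}

# build_update add|delete <ip> <host>: print the nsupdate script on stdout.
# Both the A and the PTR record are deleted before (re)adding, so an address
# handed to a new client never keeps the previous client's name.
# Returns 1 and prints nothing for an unusable host-name.
build_update() {
    action=$1; ip=$2; host=$3
    valid_label "$host" || return 1
    fqdn="$host.$DOMAIN"
    rev=$(reverse_name "$ip")
    revzone=${rev#*.}            # 0.168.192.in-addr.arpa
    printf 'server %s\n' "$SERVER"
    printf 'zone %s.\n' "$DOMAIN"
    printf 'update delete %s. A\n' "$fqdn"
    if [ "$action" = add ]; then
        printf 'update add %s. %s A %s\n' "$fqdn" "$TTL" "$ip"
    fi
    printf 'send\n'
    printf 'zone %s.\n' "$revzone"
    printf 'update delete %s. PTR\n' "$rev"
    if [ "$action" = add ]; then
        printf 'update add %s. %s PTR %s.\n' "$rev" "$TTL" "$fqdn"
    fi
    printf 'send\n'
}

# apply_update: feed the generated script to nsupdate, signed with the TSIG key.
# (With Samba's named.conf.update include and a Kerberos ticket for the DHCP
# server's principal, "nsupdate -g" does the same over GSS-TSIG.)
apply_update() {
    build_update "$@" | nsupdate -k "$KEYFILE"
}

# Only act when dhcpd calls us with an action; sourcing the file just defines
# the functions so they can be exercised without a name server.
case "${1:-}" in
    add|delete) apply_update "$@" ;;
esac
```

With the updates signed this way, the zone's `allow-update { 192.168.0.0/24; ... }` from the posted named.conf can be replaced by an `update-policy` that grants only the DHCP server's key (or Kerberos principal) the right to change records; as posted, every host on the subnet can overwrite any name in the zone without authentication. Static hosts that are not DHCP clients can be added with `samba-tool dns add` rather than by editing the zone file while Samba and BIND are stopped.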