[Samba] sernet documentation

Rowland Penny rowlandpenny241155 at gmail.com
Thu Aug 27 15:55:55 UTC 2015


On 27/08/15 16:14, Mark Foley wrote:
> Thanks for the info,
>
> At the moment, I don't have more than 1 DC, but I am planning on doing the bind
> master/slave thing soon using the Linux webserver host.  With failover, I
> don't see why that wouldn't work with multiple DCs (but of course haven't tried
> yet). In any case, our AD/DC also hosts mail and redirected folders so if it
> goes down we've got a big problem anyway -- probably not going to attempt to
> create a redundant email/redirectedFolders host.
>
> I did try the bind9_DLZ early on when experimenting with AD/DC installation, but
> I couldn't get it to work. The only one that worked painlessly was
> BIND9_FLATFILE and I've experienced zero problems since.
>
> Yes, I've heard it is not a good idea to use .local, but I don't recall the
> Samba wiki docs saying that at the time.  The reason I did that was because I
> migrated the office domain to Samba4 from SBS 2008 and the Windows domain was
> called hprs.local (not initially set up by me).  So, not being an expert with
> either Samba4 or Small Business Server, I decided not to mess.  Plus, I had
> anticipated using OpenChange as the MTA (not!) and didn't know whether I had to
> keep such things the same.  Anyway, too late now.
>
> As to modifying the zone files with Samba/bind running, I don't use any tool to
> modify these. I just hand-edit. In fact, I didn't know there was such a tool.
> Since reading your message I've tried `samba-tool dns zonelist` and can't really
> make head-or-tails of it. Not convinced samba-tool would work on
> non-Samba-builtin DNS. I'm not really a DNS guru and I don't really know what it
> means to "freeze the zone first". Stopping Samba and bind first is rather simple.
>
> --Mark
>
> -----Original Message-----
>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>> Date: Thu, 27 Aug 2015 08:37:42 +0200
>> Subject: Re: [Samba] sernet documentation
>>
>> One thing nobody seems to mention.
>>
>> This setup samba 4 + bind9_flatfile setup works ok.. BUT
>> If you add a new DC, you will run in to problems..
>>
>> bind9_flatfile setup is NOT multi master replication setup.
>> OK for 1 DC, but if you use more DCs, make sure you make your changes on the first dc.
>> setup a bind master/slave.. and for a dhcp server with failover setup,
>> which works also with samba4, but with restrictions.
>> If you need something like this i need to dig in my archive of setups..
>>
>> I did more than a year ago, and my advice to Mark is, setup bind9_DLZ.
>> Much more flexible, and most important the multimaster replication.
>> which you really want..
>>
>> when you provision.. --realm=hprs.local... DONT use .local.
>> this is a reserved name for Apple's mDNS (zeroconf) ,
>> yes it does work, but better not. ( same for .lan )
>>
>>>> Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
>>>> these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.
>> then you did something wrong, or you did not use the correct programs to add it.
>> like samba-tool or you did not freeze the zone first.
>> when you run in bind9_flatfile, do not manually change the zonefiles used by samba.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>> Sent: Thursday, 27 August 2015 00:05
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] sernet documentation
>>>
>>> On 26/08/15 22:56, Mark Foley wrote:
>>>> I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
>>>> for many months now in a production environment and it works just fine.  There
>>>> are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
>>>> Note, conf file locations are Slackware, but you'll know where the same thing
>>>> goes in your distro.  In the examples below, my Domain IP range is
>>>> 192.168.0.0/24.  My AD/DC (also DNS and DHCP server and router) is 192.168.0.2.
>>>> My domain name is hprs.local.
>>>>
>>>> First off, I provisioned my Samba as follows:
>>>>
>>>> $ samba-tool domain provision --use-rfc2307 \
>>>>     --server-role='dc' --realm=hprs.local --domain=HPRS \
>>>>     --adminpass='password' --dns-backend=BIND9_FLATFILE \
>>>>     --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>>>>
>>>>
>>>> In the standard /etc/named.conf, in the option section you need:
>>>>
>>>> ----------snip-----------
>>>> options {
>>>>
>>>>    forwarders {   // These are the ISP provided name servers
>>>>               66.193.88.3;
>>>>               66.192.88.4;
>>>>           };
>>>>
>>>>           allow-query {        // Permit querying by others in the domain
>>>>               192.168.0.0/24;
>>>>               127.0.0.1;
>>>>           };
>>>> };
>>>> ----------un-snip-----------
>>>>
>>>> I've kept my local zone files defined in this named.conf:
>>>>
>>>> ----------snip-----------
>>>> zone "localhost" IN {
>>>>           type master;
>>>>           file "/var/named/db.local";
>>>> };
>>>>
>>>> zone "127.in-addr.arpa" IN {
>>>>           type master;
>>>>           file "/var/named/db.127";
>>>> };
>>>> ----------un-snip-----------
>>>>
>>>> but now I reference Samba's config files for the domain stuff:
>>>>
>>>> ----------snip-----------
>>>> include "/etc/samba/private/named.conf";
>>>> ----------un-snip-----------
>>>>
>>>> Complete /etc/named.conf file:
>>>>
>>>> ----------snip-----------
>>>> options {
>>>> //      directory "/var/named";
>>>>
>>>>           forwarders {            // These are the ISP provided name servers
>>>>               209.18.47.61;
>>>>              209.18.47.62;
>>>>           };
>>>>
>>>>           allow-query {           // Permit querying by others in the domain
>>>>               192.168.0.0/24;
>>>>               127.0.0.1;
>>>>           };
>>>> };
>>>>
>>>> zone "localhost" IN {
>>>>           type master;
>>>>           file "/var/named/db.local";
>>>> };
>>>>
>>>> zone "127.in-addr.arpa" IN {
>>>>           type master;
>>>>           file "/var/named/db.127";
>>>> };
>>>>
>>>> include "/etc/samba/private/named.conf";
>>>> ----------un-snip-----------
>>>>
>>>> The samba-tool provisioning step will have created the referenced
>>>> /etc/samba/private/named.conf file.  Listed below is this file with my changes.
>>>> I've commented out line 15.
>>>>
>>>> More importantly, the domain Windows workstations will want to update the zone
>>>> files via Samba.  If they cannot, you will continuously get the syslog message:
>>>> syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
>>>> Hence the "allow-update" in lines 8 and 25.
>>>>
>>>> Finally, I've added the "optional" reverse zone in lines 23-26.
>>>>
>>>> ----------snip-----------
>>>>    1  # This file should be included in your main BIND configuration file
>>>>    2  #
>>>>    3  # For example with
>>>>    4  # include "/etc/samba/private/named.conf";
>>>>    5
>>>>    6  zone "hprs.local." IN {
>>>>    7      type master;
>>>>    8      allow-update { 192.168.0.0/24; 127.0.0.1; };   // local DHCP server
>>>>    9      file "/etc/samba/private/dns/hprs.local.zone";
>>>> 10   /*
>>>> 11    * the list of principals and what they can change is created
>>>> 12    * dynamically by Samba, based on the membership of the domain controllers
>>>> 13    * group. The provision just creates this file as an empty file.
>>>> 14    */
>>>> 15  #       include "/etc/samba/private/named.conf.update";
>>>> 16
>>>> 17   /* we need to use check-names ignore so _msdcs A records can be created */
>>>> 18   check-names ignore;
>>>> 19  };
>>>> 20
>>>> 21  # The reverse zone configuration is optional.
>>>> 22
>>>> 23  zone "0.168.192.in-addr.arpa" in {
>>>> 24      type master;
>>>> 25      allow-update { 192.168.0.0/24; 127.0.0.1; };   // local DHCP server
>>>> 26      file "/etc/samba/private/dns/db.192.168.0";
>>>> 27  };
>>>> 28
>>>> 29  # Note that the reverse zone file is not created during the provision process.
>>>> 30
>>>> 31  # The most recent BIND versions (9.8 or later) support secure GSS-TSIG
>>>> 32  # updates.  If you are running an earlier version of BIND, or if you do not wish
>>>> 33  # to use secure GSS-TSIG updates, you may remove the update-policy sections in
>>>> 34  # both examples above.
>>>> ----------un-snip-----------
>>>>
>>>> For DNS, that's about it. I hand-tweaked a few things in the samba-tool
>>>> provisioned zone files to change the hostmaster email address and the various
>>>> refresh, retry, etc. timers. I'll not post those unless you need them because
>>>> they can be fairly lengthy. Except, you mentioned static IP. As an example, I
>>>> just added the following to my /etc/samba/private/dns/hprs.local.zone file:
>>>> $TTL 3600       ; 1 hour
>>>> vaio                    A       192.168.0.102
>>>>
>>>> Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
>>>> these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.
>>>> For DHCP, I've simply added the following to my dhcpd.conf. All these are
>>>> important, but the first 4 are needed for Samba to be able to update leases on
>>>> behalf of clients.
>>>>
>>>> ----------snip-----------
>>>> ddns-updates on;
>>>> update-static-leases on;
>>>> allow unknown-clients;  # default, deprecated (man dhcpd.conf)
>>>> ignore client-updates;  # see https://www.centos.org/forums/viewtopic.php?t=29256, man dhcpd.conf: ignore client-updates
>>>> ddns-update-style interim;
>>>>
>>>> zone hprs.local. { primary 192.168.0.2; }
>>>> zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }
>>>>
>>>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>>>       option routers 192.168.0.2;
>>>>       range 192.168.0.100 192.168.0.254;
>>>>       option domain-name-servers 192.168.0.2;
>>>>       option domain-name "hprs.local";
>>>>       ddns-domainname = "hprs.local.";
>>>>       ddns-rev-domainname = "in-addr.arpa.";
>>>> }
>>>>
>>>> # Example of DHCP static IP (dhcpd.conf comments start with #)
>>>>
>>>> host ricoh {
>>>>       hardware ethernet 00:26:73:55:63:AB;
>>>>       fixed-address 192.168.0.20;
>>>> }
>>>> ----------un-snip-----------
>>>>
>>>> This all works just fine.  I've routed my log messages for DNS and DHCPD to
>>>> their own file (not shown) and I can tail -f this file and see REQUESTs and ACKs
>>>> scrolling by in fine style.
>>>>
>>>> Not to put too much in one message, but I had to do the following on each Windows
>>>> workstation (command line) to get time to synchronize with ntpd where "mail" is
>>>> the hostname of my AD/DC and domain time server:
>>>>
>>>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>>>> w32tm /config /update
>>>>
>>>> reference: https://www.meinbergglobal.com/english/info/ntp-w32time.htm
>>>> Hope this helps
>>>>
>>>> --Mark
>>>>
>>>> -----Original Message-----
>>>>> Date: Wed, 26 Aug 2015 21:28:55 +0100
>>>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>>>> To: Robert Moskowitz <rgm at htt-consult.com>, samba at lists.samba.org
>>>>> Subject: Re: [Samba] sernet documentation
>>>>>
>>>>> On 26/08/15 21:07, Robert Moskowitz wrote:
>>>>>> On 08/26/2015 03:50 PM, Rowland Penny wrote:
>>>>>>> On 26/08/15 20:39, Robert Moskowitz wrote:
>>>>>>>> On 08/26/2015 03:26 PM, Rowland Penny wrote:
>>>>>>>>> On 26/08/15 20:14, Robert Moskowitz wrote:
>>>>>>>>>> One of the Centos 7 arm developers built the sernet 4.2 for me to
>>>>>>>>>> start testing.
>>>>>>>>>>
>>>>>>>>>> http://repo.shivaserv.fr/centos/7/shivaserv-sernet.repo
>>>>>>>>>>
>>>>>>>>>> and
>>>>>>>>>>
>>>>>>>>>> http://repo.shivaserv.fr/centos/7/sernet/armv7hl/
>>>>>>>>>>
>>>>>>>>>> Since these were built on qemu, not requiring specific armv7
>>>>>>>>>> hardware, perhaps at some point they can be adopted by Sernet. But
>>>>>>>>>> for now, how to test....
>>>>>>>>>>
>>>>>>>>>> I don't see any specific Sernet documentation.  Like what is here
>>>>>>>>>> and how to set it up, perhaps different, from generic Samba 4.
>>>>>>>>>>
>>>>>>>>>> I searched the sernet web site and this list and came up empty,
>>>>>>>>>> but my search foo is weak.
>>>>>>>>>>
>>>>>>>>>> thanks
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> If Sernet just built samba for ARM, I do not think that it should
>>>>>>>>> be any different to set up, so just follow the relevant
>>>>>>>>> documentation on the samba wiki:
>>>>>>>>>
>>>>>>>>> https://wiki.samba.org/index.php/Main_Page
>>>>>>>> I was thinking that PERHAPS the sernet build could have specific
>>>>>>>> configs for BIND and DHCP at the least.  Unless Samba has already
>>>>>>>> included these.  For things like DYNDNS.
>>>>>>>>
>>>>>>> Could you be a bit more specific, you can use Bind with samba4 but it
>>>>>>> is up to the sysadmin to set this up, though there is a page on the
>>>>>>> samba wiki. DHCP, again the sysadmin will have to set this, but there
>>>>>>> is not much on the wiki about this, but if all else fails, I can help
>>>>>>> with this. Finally, I don't see where DYNDNS comes in here.
>>>>>> Plowing through the wiki...
>>>>>>
>>>>>> I see where if I use the internal DNS provided, I will have to set up
>>>>>> a forwarder.  No problem, I have done that a lot.  But I plan on using
>>>>>> a private tld, htt. and the zone home.htt.  I want these zones known
>>>>>> to other systems on my network, so I want to slave them to my main DNS
>>>>>> internal servers (I actually have a production and 2 distinct test DNS
>>>>>> servers).  Perhaps I will find in the wiki how to do this, or find my
>>>>>> old notes.
>>>>>>
>>>>>> Are workstations assigned DNS entries when they get their DHCP lease?
>>>>>> So that 'den' becomes den.home.htt and diningroom becomes
>>>>>> diningroom.home.htt?  That is what I would think DYNDNS would be
>>>>>> doing.  Of course the file servers, nevia and vega would be
>>>>>> nevia.home.htt and vega.home.htt?  But since these are statically
>>>>>> assigned, again, I am assuming there are ways to get them into the
>>>>>> internal DNS.
>>>>> Unless things have changed, DHCP doesn't work with the samba internal
>>>>> DNS server, it does however work with the Bind9 DNS server, I have been
>>>>> using it since Dec 2012 on my home network 192.168.0.0/24 with the
>>>>> domain name of home.lan. To get the domain name applied to the clients,
>>>>> you just have to set them to ask for it and the DHCP to send it. As for
>>>>> the static clients, you can use samba-tool to add these.
>>>>>
>>>>>> Finally I am testing on one RFC1918 subnet (check out the authors of
>>>>>> 1918) and then will move all the servers to another one. What will I
>>>>>> need to do for this migration?
>>>>>>
>>>>> What do you need to migrate? If you set the first DC in a domain and
>>>>> then add another DC, all the AD database will be replicated to it.
>>>>>
>>>>> Rowland
>>>>>
>>>>> PS: you wouldn't be the B. Moskowitz from RFC would you? (if you are,
>>>>> sorry but until this post, I had never heard of you :-)     )
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>> Ah, but what if you have Unix clients and what about the reverse zone ?
>>>
>>> Rowland
>>>
>>>
>>>
>>
>>

Hi Mark, there is very little on samba wiki that says you must or must 
not do this, that or the other :-)
What it does say, in a lot of places, is that this is not recommended. I 
am sure if you were now setting up a new domain, you would seek advice 
and use the best practice. Using .local was forced on you by someone 
else, who probably used it because at one time Microsoft said you could 
use it; this was before mDNS, and now they don't recommend using it :-)

As for using bind flatfile, well if it works for you, then ok, but using 
dlz with bind is now the recommended way, but nobody is going to try to 
force you to use it.

Rowland
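As an added example that is not part of the thread: the "freeze the zone first" sequence Louis refers to, written as a small POSIX shell script. It assumes the standard BIND tools rndc and named-checkzone are installed, and that the SOA serial sits on its own line ending in "; serial" as the samba-tool flatfile provision writes it; the hprs.local zone path and the vaio record come from Mark's message.

```shell
#!/bin/sh
# Added example, not from the thread. While named serves a zone that accepts
# dynamic updates (allow-update), it buffers changes in a .jnl journal and
# rewrites the zone file from memory, so a hand edit made while named is
# running gets overwritten ("clobbered"). Freezing the zone flushes the journal
# and refuses new updates until the zone is thawed, which makes the edit stick.
# Assumption: the SOA serial is on a line ending in "; serial" (samba-tool layout).

# Print the current SOA serial of a zone file.
read_serial() {
  awk '/; *serial/ { match($0, /[0-9]+/); print substr($0, RSTART, RLENGTH); exit }' "$1"
}

# Increment the SOA serial in place; slaves only re-transfer when it grows.
bump_serial() {
  awk '!done && /; *serial/ {
         match($0, /[0-9]+/)
         n = substr($0, RSTART, RLENGTH)
         $0 = substr($0, 1, RSTART - 1) (n + 1) substr($0, RSTART + RLENGTH)
         done = 1
       }
       { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Append a static A record in the same layout as the vaio example.
add_a_record() {
  printf '%-24s A       %s\n' "$2" "$3" >> "$1"
}

# Full procedure: freeze, edit, bump the serial, verify, thaw. If the check
# fails the zone is left frozen so named keeps serving the last good copy.
safe_add_a_record() {
  zone=$1 file=$2 name=$3 ip=$4
  rndc freeze "$zone" || return 1
  add_a_record "$file" "$name" "$ip"
  bump_serial "$file"
  if named-checkzone "$zone" "$file" >/dev/null; then
    rndc thaw "$zone"        # thaw also reloads the zone from the edited file
  else
    echo "named-checkzone failed; $zone left frozen for repair" >&2
    return 1
  fi
}
# Usage: safe_add_a_record hprs.local /etc/samba/private/dns/hprs.local.zone vaio 192.168.0.102
```

With bind9_DLZ the same record is added through samba-tool dns add instead, since there is no flat file to edit.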



