[Samba] Samba 4 more complete]]]]]]

cosme at crearq.co.cu
Sat Apr 23 00:48:54 UTC 2016


Now it works and updates the zone like you said

But now I get this

For Windows 7

Apr 22 20:25:45 cd1 named[1704]: samba_dlz: starting transaction on zone home.cu
Apr 22 20:25:45 cd1 named[1704]: samba_dlz: disallowing update of signer=WIN28\$\@HOME.CU name=win28.home.cu type=AAAA error=insufficient access rights
Apr 22 20:25:45 cd1 named[1704]: client 192.168.58.80#53235/key WIN28\$\@HOME.CU: updating zone 'home.cu/NONE': update failed: rejected by secure update (REFUSED)
Apr 22 20:25:45 cd1 named[1704]: samba_dlz: cancelling transaction on zone home.cu

For Windows XP

Apr 22 20:44:38 cd1 named[1704]: samba_dlz: starting transaction on zone home.cu
Apr 22 20:44:38 cd1 named[1704]: samba_dlz: disallowing update of signer=XP5\$\@HOME.CU name=xp5.home.cu type=A error=insufficient access rights
Apr 22 20:44:38 cd1 named[1704]: client 192.168.58.78#1077/key XP5\$\@HOME.CU: updating zone 'home.cu/NONE': update failed: rejected by secure update (REFUSED)
Apr 22 20:44:38 cd1 named[1704]: samba_dlz: cancelling transaction on zone home.cu

What's missing now?
Leonidch
---------------------------- Original message ----------------------------
Subject: Re: [Samba] [Fwd: Re: [Fwd: Re: [Fwd: Re: [Fwd: Re: [Fwd: Re:
Samba 4 more complete]]]]]
From:    "Rowland penny" <rpenny at samba.org>
Date:    Thu, 21 April 2016, 4:40 pm
To:      cosme at crearq.co.cu
--------------------------------------------------------------------------

On 21/04/16 21:00, cosme at crearq.co.cu wrote:
> Where is attached tarball??
>
> Please send again
>
>
>
> ---------------------------- Original message ----------------------------
> Subject: Re: [Samba] [Fwd: Re: [Fwd: Re: [Fwd: Re: [Fwd: Re: Samba 4 more
> complete]]]]
> From:    "Rowland penny" <rpenny at samba.org>
> Date:    Thu, 21 April 2016, 2:31 pm
> To:      samba at lists.samba.org
> --------------------------------------------------------------------------
>
> On 21/04/16 18:45, Rowland penny wrote:
>> On 21/04/16 18:22, cosme at crearq.co.cu wrote:
>>> Yes I think so
>>>
>>> This is my /etc/dhcp/dhcpd.conf
>>>
>>> ddns-updates on;
>>> ddns-update-style interim;
>>> #ddns-update-style none;
>>> update-static-leases on;
>>>
>>>
>>> option domain-name-servers cd1.home.cu;
>>> option domain-name "home.cu";
>>>
>>> default-lease-time 600;
>>> max-lease-time 7200;
>>>
>>> authoritative;
>>>
>>> include "/etc/bind/rndc.key";
>>> #include "/usr/local/samba/private/dns.keytab";
>>> #    deny unknown-clients;
>>>      use-host-decl-names on;
>>>      default-lease-time 86400;
>>>      max-lease-time 86400;
>>>      log-facility local7;
>>>
>>> # Forward zone
>>> #zone home.cu. {
>>> #    primary 192.168.58.10;
>>> #    primary 127.0.0.1;
>>> #    key rndc-key;
>>> #    }
>>>
>>> # Reverse zone
>>> zone 58.168.192.in-addr.arpa. {
>>> #    primary 192.168.58.10;
>>> #    primary 127.0.0.1;
>>> #    key rndc-key;
>>> #    key dns
>>>      }
>>>
>>>
>>> # Use this to send dhcp log messages to a different log file (you also
>>> # have to hack syslog.conf to complete the redirection).
>>> #log-facility local7;
>>>
>>> # No service will be given on this subnet, but declaring it helps the
>>> # DHCP server to understand the network topology.
>>>
>>> subnet 192.168.58.0 netmask 255.255.255.0 {
>>>      ddns-domainname "home.cu.";
>>> #    ddns-rev-domainname "57.168.192.in-addr.arpa.";
>>> #    ddns-rev-domainname "in-addr.arpa.";
>>>      option routers 192.168.58.10;
>>>      option broadcast-address 192.168.58.255;
>>>          pool{ range 192.168.58.30 192.168.58.200; }
>>> }
>>> deny unknown-clients;
>>> group general {
>>>      host pc_xp{
>>>          option host-name "xp.home.cu";
>>>          hardware ethernet 08:00:27:fd:95:e7;
>>>          fixed-address 192.168.58.33;
>>>      }
>>>
>>> host pc_xp1{
>>>          option host-name "xp1.home.cu";
>>>          hardware ethernet 08:00:27:f1:8a:4c;
>>>          fixed-address 192.168.58.34;
>>>      }
>>>
>>>
>>> host pc_xp2{
>>>          option host-name "xp2.home.cu";
>>>          hardware ethernet 08:00:27:d0:41:21;
>>>          fixed-address 192.168.58.45;
>>>      }
>>>
>>> }
>>>
>>>
>>>
>>> Please tell me what I'm doing wrong and / or missing?
>>>
>>> Leonidch
>>>
>>>
>>>
>>> ---------------------------- Original message ----------------------------
>>> Subject: Re: [Samba] [Fwd: Re: [Fwd: Re: [Fwd: Re: Samba 4 more
>>> complete]]]
>>> From:    "Rowland penny" <rpenny at samba.org>
>>> Date:    Thu, 21 April 2016, 11:50 am
>>> To:      samba at lists.samba.org
>>> --------------------------------------------------------------------------
>>>
>>>
>>> On 21/04/16 16:35, cosme at crearq.co.cu wrote:
>>>> Second question:
>>>>
>>>> Take a look at the logs
>>>>
>>>>
>>>> Apr 21 11:23:58 cd1 named[2224]: samba_dlz: starting transaction on
>>>> zone
>>>> 58.168.192.in-addr.arpa
>>>> Apr 21 11:23:58 cd1 named[2224]: client 192.168.58.10#22874: update
>>>> '58.168.192.in-addr.arpa/IN' denied
>>>> Apr 21 11:23:58 cd1 named[2224]: samba_dlz: cancelling transaction
>>>> on zone
>>>> 58.168.192.in-addr.arpa
>>>> Apr 21 11:23:58 cd1 dhcpd: Unable to add reverse map from
>>>> 45.58.168.192.in-addr.arpa. to xp2.home.cu: REFUSED
>>>> Apr 21 11:23:58 cd1 named[2224]: samba_dlz: starting transaction on
>>>> zone
>>>> home.cu
>>>> Apr 21 11:23:58 cd1 named[2224]: samba_dlz: allowing update of
>>>> signer=XP2\$\@HOME.CU name=xp2.home.cu tcpaddr= type=A
>>>> key=964-ms-7.3-e83765.c64f8090-07b1-11e6-07a1-080027d04121/160/0
>>>> Apr 21 11:23:58 cd1 named[2224]: samba_dlz: allowing update of
>>>> signer=XP2\$\@HOME.CU name=xp2.home.cu tcpaddr= type=A
>>>> key=964-ms-7.3-e83765.c64f8090-07b1-11e6-07a1-080027d04121/160/0
>>>> Apr 21 11:23:58 cd1 named[2224]: client 192.168.58.45#1317/key
>>>> XP2\$\@HOME.CU: updating zone 'home.cu/NONE': deleting rrset at
>>>> 'xp2.home.cu' A
>>>> Apr 21 11:23:58 cd1 named[2224]: samba_dlz: subtracted rdataset
>>>> xp2.home.cu 'xp2.home.cu.#0111200#011IN#011A#011192.168.58.45'
>>>> Apr 21 11:23:58 cd1 named[2224]: client 192.168.58.45#1317/key
>>>> XP2\$\@HOME.CU: updating zone 'home.cu/NONE': adding an RR at
>>>> 'xp2.home.cu' A
>>>> Apr 21 11:23:58 cd1 named[2224]: samba_dlz: added rdataset xp2.home.cu
>>>> 'xp2.home.cu.#0111200#011IN#011A#011192.168.58.45'
>>>> Apr 21 11:23:58 cd1 named[2224]: samba_dlz: committed transaction on
>>>> zone
>>>> home.cu
>>>> Apr 21 11:24:00 cd1 dhcpd: Dynamic and static leases present for
>>>> 192.168.58.45.
>>>> Apr 21 11:24:00 cd1 dhcpd: Remove host declaration pc_xp2 or remove
>>>> 192.168.58.45
>>>> Apr 21 11:24:00 cd1 dhcpd: from the dynamic address pool for
>>>> 192.168.58.0/24
>>>> Apr 21 11:24:00 cd1 dhcpd: DHCPREQUEST for 192.168.58.45 from
>>>> 08:00:27:d0:41:21 via eth0
>>>> Apr 21 11:24:00 cd1 dhcpd: DHCPACK on 192.168.58.45 to
>>>> 08:00:27:d0:41:21
>>>> via eth0
>>>> Apr 21 11:24:00 cd1 named[2224]: samba_dlz: starting transaction on
>>>> zone
>>>> 58.168.192.in-addr.arpa
>>>> Apr 21 11:24:00 cd1 named[2224]: client 192.168.58.10#22874: update
>>>> '58.168.192.in-addr.arpa/IN' denied
>>>> Apr 21 11:24:00 cd1 named[2224]: samba_dlz: cancelling transaction
>>>> on zone
>>>> 58.168.192.in-addr.arpa
>>>> Apr 21 11:24:00 cd1 dhcpd: Unable to add reverse map from
>>>> 45.58.168.192.in-addr.arpa. to xp2.home.cu: REFUSED
>>>> Apr 21 11:24:00 cd1 named[2224]: samba_dlz: starting transaction on
>>>> zone
>>>> home.cu
>>>> Apr 21 11:24:00 cd1 named[2224]: client 192.168.58.45#1320: update
>>>> 'home.cu/IN' denied
>>>> Apr 21 11:24:00 cd1 named[2224]: samba_dlz: cancelling transaction
>>>> on zone
>>>> home.cu
>>>>
>>>> What I meant is my problem with the reverse zone; the forward zone works
>>>> out well
>>>>
>>>>
>>>> It has to do with the permissions, but I have tried in many ways
>>>> without
>>>> solution
>>>>
>>>> What could be missing?
>>>>
>>>>
>>>>
>>>> Leonidch
>>>>
>>>> ---------------------------- Original message ----------------------------
>>>> Subject: Re: [Samba] [Fwd: Re: [Fwd: Re: Samba 4 more complete]]
>>>> From:    "Rowland penny" <rpenny at samba.org>
>>>> Date:    Thu, 21 April 2016, 10:46 am
>>>> To:      samba at lists.samba.org
>>>> --------------------------------------------------------------------------
>>>>
>>>>
>>>> On 21/04/16 15:23, cosme at crearq.co.cu wrote:
>>>>> First question
>>>>>
>>>>> To use bind as DLZ, is it required to compile it from source, or can you
>>>>> use the bind9 package from the Debian 8 repo?
>>>>>
>>>>> Because I see that the wiki
>>>>> https://wiki.samba.org/index.php/Setup_a_basic_BIND_installation
>>>>> ------------------------------------------
>>>>> says this
>>>>>
>>>>> If you install BIND from the repositories of your distribution, you can
>>>>> skip the following two steps, but make sure it was compiled with the
>>>>> '--with-gssapi' and '--with-dlopen' options (see below) before using it
>>>>> as the Samba AD DNS backend.
>>>>> -------------------------------------------
>>>>>
>>>>> In this case I use bind9.9.5 from the repo, which comes with
>>>>> --with-gssapi but not with --with-dlopen or --with-dlz-dlopen
>>>> Hmm, the wiki needs updating: Bind9.9.x now compiles dlopen in as
>>>> standard, it is no longer an option. Not entirely sure just when it
>>>> changed, but I can assure you Bind9 in Jessie does work with Samba4
>>>> (and dhcp)
>>>>
>>>> Next question :-D
>>>>
>>>> Rowland
>>>>
>>>>
>>>>> What can I do in that case?
>>>>>
>>>>> maybe that's one of my problems
>>>>>
>>>>> Leonidch
>>>>>
>>>>>
>>> You mean you want to see something like this in the logs:
>>>
>>> Apr 21 06:46:27 dc1 named[1698]: samba_dlz: starting transaction on zone
>>> 0.168.192.in-addr.arpa
>>> Apr 21 06:46:27 dc1 named[1698]: samba_dlz: allowing update of
>>> signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=101.0.168.192.in-addr.arpa
>>> tcpaddr=127.0.0.1 type=PTR
>>> key=990741993.sig-dc1.samdom.example.com/160/0
>>> Apr 21 06:46:27 dc1 named[1698]: samba_dlz: allowing update of
>>> signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=101.0.168.192.in-addr.arpa
>>> tcpaddr=127.0.0.1 type=PTR
>>> key=990741993.sig-dc1.samdom.example.com/160/0
>>> Apr 21 06:46:27 dc1 named[1698]: client 127.0.0.1#34666/key
>>> dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone
>>> '0.168.192.in-addr.arpa/NONE': deleting rrset at
>>> '101.0.168.192.in-addr.arpa' PTR
>>> Apr 21 06:46:27 dc1 named[1698]: samba_dlz: subtracted rdataset
>>> 101.0.168.192.in-addr.arpa
>>> '101.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011HP-Printer.samdom.example.com.'
>>>
>>> Apr 21 06:46:27 dc1 named[1698]: client 127.0.0.1#34666/key
>>> dhcpduser\@SAMDOM.EXAMPLE.COM: updating zone
>>> '0.168.192.in-addr.arpa/NONE': adding an RR at
>>> '101.0.168.192.in-addr.arpa' PTR
>>> Apr 21 06:46:27 dc1 named[1698]: samba_dlz: added rdataset
>>> 101.0.168.192.in-addr.arpa
>>> '101.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011HP-Printer.samdom.example.com.'
>>>
>>> Apr 21 06:46:27 dc1 named[1698]: samba_dlz: committed transaction on
>>> zone 0.168.192.in-addr.arpa
>>> Apr 21 06:46:27 dc1 root: DHCP-DNS Update succeeded
>>>
>>> Can I ask how you have tried to do the updates ?
>>> Is dhcp trying to update the reverse zone directly ?
>>>
>>> Rowland
>>>
>> OK, I thought that was what you were doing, what you are missing
>> (amongst other things) is this from the bottom of dhcpd.conf:
>>
>> on commit {
>>     set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
>>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>     set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>>     set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
>>     log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
>>     execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
>> }
>>
>> on release {
>>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>     set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>>     log(concat("Release: IP: ", ClientIP));
>>     execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
>> }
>>
>> on expiry {
>>     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>     # cannot get a ClientMac here, apparently this only works when actually receiving a packet
>>     log(concat("Expired: IP: ", ClientIP));
>>     # cannot get a ClientName here, for some reason that always fails
>>     execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
>> }
>>
>> As you can see, dhcp has the facility to run a script, and it is this
>> script that does the updates. You will also have to stop your Windows
>> clients from trying to update their own records, but there is a GPO
>> for this.
>>
>> I will check over my notes (to make sure they are correct and
>> up to date) and I will then send them to you off list.
>>
>> Rowland
>>
> OK, see the attached tarball, all the info is in there, if you have any
> questions, just ask.
>
> Rowland
>


I sent it by mistake to the list, but it should have been there, anyway
I have attached it again.

Rowland
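As an added example (not Rowland's tarball, nor Samba project code), a hypothetical dhcp-dyndns.sh that the `on commit` / `on release` / `on expiry` hooks quoted above could call. It assumes a dedicated AD account (here "dhcpduser", a placeholder) with a keytab at a placeholder path that has been granted write access to both zones, so the update is GSS-TSIG signed through `nsupdate -g` rather than sent with the rndc key that named refused in the logs; the Windows clients still need the GPO Rowland mentions so they stop registering themselves.

```shell
#!/bin/sh
# Hypothetical dhcp-dyndns.sh (added example, not Rowland's script or
# Samba's). dhcpd's hooks call it as: dhcp-dyndns.sh add|delete <ip> <mac> [<name>]
# Assumes a dedicated AD account ("dhcpduser", placeholder) whose keytab has
# been granted write access to both zones, so nsupdate -g sends a GSS-TSIG
# signed update rather than the rndc key that named refused in the thread.
set -eu

DOMAIN="home.cu"                        # forward zone from the thread
SERVER="127.0.0.1"                      # DC running the bind9_dlz backend
KEYTAB="/etc/dhcp/dhcpduser.keytab"     # placeholder path (assumption)
PRINCIPAL="dhcpduser@HOME.CU"           # placeholder principal (assumption)
TTL=3600
# 192.168.58.45 -> 45.58.168.192.in-addr.arpa (PTR owner name)
ptr_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}
# 192.168.58.45 -> 58.168.192.in-addr.arpa (/24 reverse zone)
rev_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Emit the nsupdate batch for one lease. Each zone gets its own "send", so a
# refused PTR (the failure seen in the thread) cannot roll back the A record.
update_batch() {
    action=$1; ip=$2; fqdn="$3.$DOMAIN"; rev=$(ptr_name "$ip")
    printf 'server %s\nzone %s\nupdate delete %s. A\n' "$SERVER" "$DOMAIN" "$fqdn"
    if [ "$action" = add ]; then
        printf 'update add %s. %s A %s\n' "$fqdn" "$TTL" "$ip"
    fi
    printf 'send\nzone %s\nupdate delete %s. PTR\n' "$(rev_zone "$ip")" "$rev"
    if [ "$action" = add ]; then
        printf 'update add %s. %s PTR %s.\n' "$rev" "$TTL" "$fqdn"
    fi
    printf 'send\n'
}

main() {
    action=$1; ip=$2; mac=$3; name=${4:-}
    # "on expiry" cannot pass a name (see the hook), so recover it from the PTR.
    if [ -z "$name" ]; then
        name=$(dig +short -x "$ip" "@$SERVER" | head -n 1 | sed 's/\.$//')
    fi
    name=${name%.$DOMAIN}               # xp2.home.cu -> xp2
    kinit -k -t "$KEYTAB" "$PRINCIPAL"  # TGT that nsupdate -g will use
    update_batch "$action" "$ip" "$name" | nsupdate -g
    logger -t dhcp-dyndns "$action $ip $mac -> $name.$DOMAIN"
}

if [ "$#" -gt 0 ]; then main "$@"; fi   # define-only when run without args
```

When a PTR update is still refused, the samba_dlz "disallowing update of signer=..." line names the principal to grant rights to, which is the same check named applied to the WIN28$ and XP5$ machine accounts above.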
