[Samba] [samba4] DNS updates

L.P.H. van Belle belle at bazuin.nl
Tue Jan 19 09:32:00 UTC 2016


In addition to what Rowland says.

> >
> > Finally is someone able to explain:
> > - how to manually create DNS user and give him right to modify DNS
> entries.
> > This is important to be understood I think because some other users
> can
> > be created to do the same, to be able to find them could be nice from a
> > security point of view.
[L.P.H. van Belle] 
For a Windows user: create a normal user and put him in the DNS Admin group, it's that simple.
For a Linux user: use samba-tool; I can't tell more about this, I use the Windows tools for this.

> > - how to recreate the keytab of such user without samba_upgradedns: this
> > user can be deleted accidentally, being able to recreate it without
> > samba_dnsupgrade seems less violent so less risky than switching
> > dns-backend...
[L.P.H. van Belle] 
First, no, that user cannot delete the keytab file if you set it up correctly.
The dns.keytab should have 640 (root:bind) rights.
Why should a user be able to access this file anyway?

You can export them like this, a few examples (samba-tool takes the output keytab path first, then the principal):

( dns.keytab )
samba-tool domain exportkeytab /path_to/dns.keytab --principal=dns-DC-NAME@REALM
samba-tool domain exportkeytab /path_to/dns.keytab --principal=DNS/DC-NAME.internal.domain.tld@REALM

( secrets.keytab )
samba-tool domain exportkeytab /path_to/secrets.keytab --principal=HOST/DC-NAME.internal.domain.tld@REALM
samba-tool domain exportkeytab /path_to/secrets.keytab --principal=DC-NAME$@REALM

Use ktutil to read the file and see which principals there are.
How: type:
ktutil
rkt /path_to/keytab.file
list

> > - how frequent are DNS updates? Is it every X minutes ? After each Site
> > modification + at every samba start?
[L.P.H. van Belle] See your zone SOA.
A simple dig shows it already:
dig SOA domain.tld
Check the numbers at the end.
For me:
238     900      600    86400    3600
Serial  refresh  retry  expires  min_TTL


> >
> > As you see I completely lost into Samba DNS and help would be welcomed.
> >


> On Centos 7 it was never working correctly: samba_dnsupdate failed 
> because of TSIG authentication failure
That was because of incorrect bind settings, and most probably because of incorrect rights on the dns.keytab file.

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Monday 18 January 2016 21:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] [samba4] DNS updates
> 
> On 18/01/16 19:44, mathias dufresne wrote:
> > Hi all,
> >
> > I would like to be able to rely on samba given tools to manage my DNS
> > entries but until now, I failed.
> >
> >  From what I have understood there is one and only one tool responsible
> to
> > update DNS: samba_dnsupdate.
> >
> > Is that previous affirmation true?
> >
> > I had issue with DNS backend set to internal DNS server: samba_dnsupdate
> > was almost never working.
> >
> > So I switched to Bind-DLZ as advised here and on the wiki.
> >
> > With Bind-DLZ sometimes it works, sometimes it doesn't.
> > Two test platforms: Debian Jessie and Centos 7. Both platforms are
> using
> > Sernet packages to be sure to have working packages.
> >
> > On Debian Jessie it was working easily, just following the wiki.
> > Replication was working and is still working.
> > Sites were created and DNS entries changed accordingly.
> > Today I get back on that Debian platform, move again some DC to a new
> site
> > and:
> > - entries on new are created
> > - entries on old sites are NOT removed
> > - samba_dnsupdate --verbose ends with "No DNS updates needed"
> >
> > On Centos 7 it was never working correctly: samba_dnsupdate failed
> because
> > of TSIG authentication failure (I'm not at work so I can't be more
> precise
> > right now) and/or replication is failing.
> > On Centos 7 the only way to get something a little bit working was to get
> Bind
> > configuration from Debian to Centos, removing /var/named and
> /etc/named*.
> >
> > Perhaps samba_dnsupdate is not responsible to remove DNS entries, in
> that
> > case, what tool is responsible to clean up DNS?
> >
> > I'm looking for more information about DNS authentication and updates:
> > Perhaps samba_dnsupdate is not responsible to remove these entries, in
> that
> > case, what tool is responsible to clean up DNS?
> >
> > Finally is someone able to explain:
> > - how to manually create DNS user and give him right to modify DNS
> entries.
> > This is important to be understood I think because some other users
> can
> > be created to do the same, to be able to find them could be nice from a
> > security point of view.
> > - how to recreate the keytab of such user without samba_upgradedns: this
> > user can be deleted accidentally, being able to recreate it without
> > samba_dnsupgrade seems less violent so less risky than switching
> > dns-backend...
> > - how frequent are DNS updates? Is it every X minutes ? After each Site
> > modification + at every samba start?
> >
> > As you see I am completely lost in Samba DNS and help would be welcomed.
> >
> > Cheers,
> >
> > mathias
> 
> It is actually 'nsupdate' (a bind tool) that updates your DNS records, I
> have been using a combination of Samba4 AD, bind9 and dhcp since 2012
> and find it quite amusing seeing all the problems people have and that I
> have never had.
> 
> Start by having a look here:
> 
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
> 
> If, after reading that, you think this is what you need, I will refresh
> my notes and send you a copy, but note, I use debian.
> 
> Rowland
> 
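As an added example (not code from this thread or from the Samba project): a small POSIX sh script that checks a dns.keytab for the 640 root:bind rights Louis recommends, lists its principals non-interactively with klist -k instead of the ktutil session above, and picks the five SOA timers out of a dig answer. The keytab path and zone name are placeholders passed through environment variables, and klist and dig are assumed to be on PATH for the live part.

```shell
#!/bin/sh
# Added example, not from the thread: audit a BIND_DLZ dns.keytab and read the
# zone's SOA timers as Louis describes. Assumes POSIX sh with ls and awk, plus
# klist and dig on PATH for the live checks at the bottom.

# check_keytab_perms FILE MODE OWNER GROUP -> 0 if FILE has exactly that
# symbolic mode, owner and group. Louis' "640 root:bind" is -rw-r----- root bind.
check_keytab_perms() {
    f=$1; want_mode=$2; want_owner=$3; want_group=$4
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(ls -ld "$f")                # perms links owner group size ...
    mode=${1%[.+]}; owner=$3; group=$4   # drop the ACL/SELinux marker ls may append
    rc=0
    [ "$mode" = "$want_mode" ] || { echo "$f: mode $mode, want $want_mode"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$f: group $group, want $want_group"; rc=1; }
    return $rc
}

# list_principals KEYTAB: non-interactive form of "ktutil; rkt FILE; list".
# Assumes klist -k output with three header lines and the principal in the last column.
list_principals() {
    klist -k "$1" | awk 'NR > 3 && NF { print $NF }' | sort -u
}

# soa_field NAME LINE: pick serial/refresh/retry/expire/minimum out of an SOA
# record such as "domain.tld. 3600 IN SOA ns1. hostmaster. 238 900 600 86400 3600".
# Counted from the end, so it also works on the bare "dig +short SOA" output.
soa_field() {
    case $1 in
        serial) n=5 ;; refresh) n=4 ;; retry) n=3 ;; expire) n=2 ;; minimum) n=1 ;;
        *) echo "unknown SOA field: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$2" | awk -v n="$n" '{ print $(NF - n + 1) }'
}

# Live run (nothing happens when neither variable is set), placeholder values:
#   DNS_KEYTAB=/path_to/dns.keytab ZONE=domain.tld sh keytab_check.sh
if [ -n "${DNS_KEYTAB:-}" ]; then
    check_keytab_perms "$DNS_KEYTAB" -rw-r----- root bind && echo "$DNS_KEYTAB: permissions OK"
    list_principals "$DNS_KEYTAB"
fi
if [ -n "${ZONE:-}" ]; then
    soa=$(dig +short SOA "$ZONE")
    for name in serial refresh retry expire minimum; do
        echo "$name=$(soa_field "$name" "$soa")"
    done
fi
```

A 644 keytab or a wrong group is reported line by line and the check exits non-zero, which is the condition behind the TSIG failures mentioned in the thread.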