[Samba] [samba4] DNS updates

mathias dufresne infractory at gmail.com
Wed Jan 20 14:47:24 UTC 2016


Hi all,

Thank you both for these leads and explanations. Mainly they helped me to
verify my (samba's) configuration was not so bad and finally to spot that I
did not disable SELinux correctly.

All that is still using Centos 7 and Sernet packages (4.2.7).

The point was /etc/sysconfig/selinux is a link to /etc/selinux/config,
which I did not notice before, and the deployment script I wrote replaced
that link with some file, which was stupid. I'm used to it; that's not really
a relief but...

Anyway, once SELinux was removed, once the installation process was
restarted correctly, my DC + Bind-DLZ are working.

I still need to initialize replication which does not (always? answer would
need more tests) work as is.

To initialize replication (with DC1 already up and DC2 newly added):
1° workaround for missing DNS entries:
- samba-tool dns add DC2 <zone> DC2 A 1.2.3.4
to add the local server IP into the local AD (DNS) database
- samba_dnsupdate
samba_dnsupdate won't (always?) work without the previous command
- samba-tool dns add DC1 <zone> DC2 A 1.2.3.4
to add the local server IP into another (I aim at the FSMO owner) AD (DNS)
database, this to work around the replication issue

2° Force replication with samba-tool
For each part of the DIT we push it from DC1 to DC2:
for DIT in $(ls /var/lib/samba/private/sam.ldb.d/ | grep -v metadata.tdb | sed -e 's/\.ldb$//'); do
    echo "$DIT"
    samba-tool drs replicate dc2 dc1 "$DIT"
done

This bunch of commands is launched first on FSMO owner (DC1) and then on
newly added DC (here DC2) if showrepl still shows errors.

Errors met were:
WERR_BADFILE
WERR_DS_DRA_ACCESS_DENIED

What's good in that? That's a script which installs everything, no real
work now for me (which is good news as I make mistakes every time) and I have
to deploy a bunch of servers. Hoping I can come back with more precision or
even tell you what my mistake was.

Cheers,

mathias

2016-01-19 10:32 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:

> In addition to what Rowland says.
>
> > >
> > > Finally is someone able to explain:
> > > - how to manually create a DNS user and give him rights to modify DNS
> > > entries.
> > > This is important to be understood I think because some other users
> > > can be created to do the same; to be able to find them could be nice
> > > from a security point of view.
> [L.P.H. van Belle]
> For a Windows user: create a normal user and put him in the DNS Admin
> group, that simple.
> For a Linux user: use samba-tool, can't tell more about this, I use the
> Windows tools for this.
>
> > > - how to recreate the keytab of such a user without samba_upgradedns:
> > > this user can be deleted accidentally, being able to recreate it
> > > without samba_upgradedns seems less violent so less risky than
> > > switching dns-backend...
> [L.P.H. van Belle]
> First, no, that user cannot delete the keytab file if you set it up correctly.
> The dns.keytab should have 640 (root:bind) rights.
> Why should a user be able to access this file anyway?
>
> You can export them like this, a few examples (the keytab file to write
> is the first argument):
>
> ( dns.keytab )
> samba-tool domain exportkeytab /path_to/dns.keytab --principal=dns-DC-NAME@REALM
> samba-tool domain exportkeytab /path_to/dns.keytab --principal=DNS/DC-NAME.internal.domain.tld@REALM
>
> ( secrets.keytab )
> samba-tool domain exportkeytab /path_to/secrets.keytab --principal=HOST/DC-NAME.internal.domain.tld@REALM
> samba-tool domain exportkeytab /path_to/secrets.keytab --principal=DC-NAME$@REALM
>
> Use ktutil to get/read the file and see which principals there are.
> How: type:
> ktutil
> rkt /path_to/keytab.file
> list
>
> > > - how frequent are DNS updates? Is it every X minutes ? After each Site
> > > modification + at every samba start?
> [L.P.H. van Belle] see your zone SOA.
> A simple dig shows it already:
> dig SOA domain.tld
> check the numbers at the end.
> For me:
> Serial  refresh  retry  expires  min_TTL
> 238     900      600    86400    3600
>
>
> > >
> > > As you see I am completely lost in Samba DNS and help would be welcome.
> > >
>
>
> > On Centos 7 it was never working correctly: samba_dnsupdate failed
> > because of TSIG authentication failure
> That was because of incorrect bind settings, and most probably because of
> incorrect rights on the dns.keytab file.
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> > Sent: Monday, 18 January 2016 21:07
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] [samba4] DNS updates
> >
> > On 18/01/16 19:44, mathias dufresne wrote:
> > > Hi all,
> > >
> > > I would like to be able to rely on samba given tools to manage my DNS
> > > entries but until now, I failed.
> > >
> > > From what I have understood there is one and only one tool responsible
> > > to update DNS: samba_dnsupdate.
> > >
> > > Is that previous affirmation true?
> > >
> > > I had issues with the DNS backend set to the internal DNS server:
> > > samba_dnsupdate was almost never working.
> > >
> > > So I switched to Bind-DLZ as advised here and on the wiki.
> > >
> > > With Bind-DLZ sometimes it works, sometimes it doesn't.
> > > Two test platforms: Debian Jessie and Centos 7. Both platforms are
> > > using Sernet packages to be sure to have working packages.
> > >
> > > On Debian Jessie it was working easily, just following the wiki.
> > > Replication was working and is still working.
> > > Sites were created and DNS entries changed accordingly.
> > > Today I got back on that Debian platform, moved again some DC to a new
> > > site and:
> > > - entries on the new site are created
> > > - entries on the old sites are NOT removed
> > > - samba_dnsupdate --verbose ends with "No DNS updates needed"
> > >
> > > On Centos 7 it was never working correctly: samba_dnsupdate failed
> > > because of TSIG authentication failure (I'm not at work so I can't be
> > > more precise right now) and/or replication is failing.
> > > On Centos 7 the only way to get something a little bit working was to
> > > get the Bind configuration from Debian to Centos, removing /var/named
> > > and /etc/named*.
> > >
> > > Perhaps samba_dnsupdate is not responsible for removing DNS entries;
> > > in that case, what tool is responsible to clean up DNS?
> > >
> > > I'm looking for more information about DNS authentication and updates:
> > > Perhaps samba_dnsupdate is not responsible for removing these entries;
> > > in that case, what tool is responsible to clean up DNS?
> > >
> > > Finally is someone able to explain:
> > > - how to manually create a DNS user and give him rights to modify DNS
> > > entries.
> > > This is important to be understood I think because some other users
> > > can be created to do the same; to be able to find them could be nice
> > > from a security point of view.
> > > - how to recreate the keytab of such a user without samba_upgradedns:
> > > this user can be deleted accidentally, being able to recreate it
> > > without samba_upgradedns seems less violent so less risky than
> > > switching dns-backend...
> > > - how frequent are DNS updates? Is it every X minutes? After each Site
> > > modification + at every samba start?
> > >
> > > As you see I am completely lost in Samba DNS and help would be welcome.
> > >
> > > Cheers,
> > >
> > > mathias
> >
> > It is actually 'nsupdate' (a bind tool) that updates your DNS records. I
> > have been using a combination of Samba4 AD, bind9 and dhcp since 2012
> > and find it quite amusing seeing all the problems people have and that I
> > have never had.
> >
> > Start by having a look here:
> >
> > http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
> >
> > If, after reading that, you think this is what you need, I will refresh
> > my notes and send you a copy, but note, I use debian.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
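The forced-replication step and the showrepl error check described in the post above, as an added shell example that is not from the thread: it lists the naming contexts from sam.ldb.d/ without parsing ls, replicates each one, and flags WERR_* failures in showrepl output. The sam.ldb.d layout (one <NC>.ldb per naming context plus metadata.tdb) and the showrepl excerpt are assumed/constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the sam.ldb.d/ layout the
# poster's loop relies on (one <NC>.ldb file per naming context plus
# metadata.tdb) and the "samba-tool drs replicate DEST SOURCE NC" order.

# List naming contexts from a sam.ldb.d directory: skip metadata.tdb and
# strip the .ldb suffix, with no ls parsing and no unquoted regex.
naming_contexts() {
    for f in "$1"/*.ldb; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.ldb}"
    done
}

# Pull every naming context into DEST from SOURCE. The 4th argument is the
# command to run (default samba-tool) so a dry run can substitute echo.
replicate_all() {
    dest=$1; src=$2; dir=$3; cmd=${4:-samba-tool}
    naming_contexts "$dir" | while IFS= read -r nc; do
        "$cmd" drs replicate "$dest" "$src" "$nc" || exit 1
    done
}

# Read 'samba-tool drs showrepl' output on stdin; print "NC WERR_CODE" for
# each neighbour whose last attempt failed (e.g. the WERR_BADFILE above).
showrepl_failures() {
    awk '
        /^(CN|DC)=/ { nc = $0 }
        /Last attempt .* failed, result/ {
            code = $0; sub(/.*\(/, "", code); sub(/\).*/, "", code)
            print nc, code
        }'
}

# Constructed showrepl excerpt (indentation simplified), not real output.
SAMPLE_SHOWREPL='==== INBOUND NEIGHBORS ====

DC=SAMDOM,DC=EXAMPLE,DC=COM
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Wed Jan 20 14:00:00 2016 UTC was successful
        0 consecutive failure(s).

DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Wed Jan 20 14:00:00 2016 UTC failed, result 2 (WERR_BADFILE)
        3 consecutive failure(s).'

# On a DC: replicate_all dc2 dc1 /var/lib/samba/private/sam.ldb.d
#          samba-tool drs showrepl | showrepl_failures
```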

