[Samba] Securing DHCP, with DDNS

L.P.H. van Belle belle at bazuin.nl
Tue Jan 26 16:15:44 UTC 2016


Rowland, the solution to the failover came after we advised to set up with 2 servers and manually start them up.

Maybe it's best we put this on the Samba wiki?
Would help a lot of users. 

Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Walter Mautner
> Sent: Tuesday 26 January 2016 17:03
> To: Sam
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Securing DHCP, with DDNS
> 
> You may have 2 dhcps running, but you have to make sure the lease ranges
> are different. The first dns server stanza should refer to the server
> which gets the lease update.
> For the dns servers you would need to define each other as forwarder,
> probably by ip range, to be able to resolve the other (half of the) names.
> 
> --
> W.Mautner (Walter.mautner at ages.at)
> +43050555111 IKT Hotline
> 
> 
> > On 26.01.2016 at 16:33, Sam <sr42354 at gmail.com> wrote:
> >
> > Hello All,
> >
> > I have 2 samba4 AD servers with dhcpd and dynamic DNS.
> > I have well understood that for now it's not possible to have 2 DHCP servers running at the same time.
> > So I would have only one DHCP server running at a time.
> > If the first server has a problem, I want to manually start the isc-dhcp service on the second to rescue the system.
> >
> > But it's not working as I expected...
> >
> > If I switch off the isc-dhcp service on the first DC and switch it on in the other one, I get these errors:
> >
> > ipconfig /release
> > Jan 26 11:41:36 S4 named[2308]: samba_dlz: starting transaction on zone
> ariane.intra
> > Jan 26 11:41:36 S4 named[2308]: client 172.20.4.2#54917: update
> 'ariane.intra/IN' denied
> > Jan 26 11:41:36 S4 named[2308]: samba_dlz: cancelling transaction on
> zone ariane.intra
> > Jan 26 11:41:36 S4 named[2308]: samba_dlz: starting transaction on zone
> ariane.intra
> > Jan 26 11:41:36 S4 named[2308]: samba_dlz: disallowing update of
> signer=client7-pcbis\$\@ARIANE.INTRA name=client7-PCbis.ariane.intra
> type=A*error=**insufficient access rights*
> > Jan 26 11:41:36 S4 named[2308]: client 172.20.4.2#65046: updating zone
> 'ariane.intra/NONE': update failed: rejected by secure update (REFUSED)
> > Jan 26 11:41:36 S4 named[2308]: samba_dlz: cancelling transaction on
> zone ariane.intra
> >
> > ipconfig /renew
> > Jan 26 11:43:22 S4 dhcpd: DHCPDISCOVER from 00:50:56:8f:55:b6 via eth0
> > Jan 26 11:43:23 S4 dhcpd: DHCPOFFER on 172.20.4.2 to 00:50:56:8f:55:b6
> (client7-PCbis) via eth0
> > Jan 26 11:43:23 S4 dhcpd: execute_statement argv[0] =
> /etc/dhcp/bin/dhcp-dyndns-debian.sh
> > Jan 26 11:43:23 S4 dhcpd: execute_statement argv[1] = add
> > Jan 26 11:43:23 S4 dhcpd: execute_statement argv[2] = 172.20.4.2
> > Jan 26 11:43:23 S4 dhcpd: execute_statement argv[3] = client7-PCbis
> > Jan 26 11:43:23 S4 dhcpd: execute_statement argv[4] = 0:50:56:8f:55:b6
> > Jan 26 11:43:23 S4 dhcpd: DHCPREQUEST for 172.20.4.2 (172.20.2.2) from
> 00:50:56:8f:55:b6 (client7-PCbis) via eth0
> > Jan 26 11:43:23 S4 dhcpd: DHCPACK on 172.20.4.2 to 00:50:56:8f:55:b6
> (client7-PCbis) via eth0
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: starting transaction on zone
> ariane.intra
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=client7-PCbis.ariane.intra
> tcpaddr=172.20.2.2 type=A key=1616985151.sig-s4.ariane.intra/160/0
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=client7-PCbis.ariane.intra
> tcpaddr=172.20.2.2 type=A key=1616985151.sig-s4.ariane.intra/160/0
> > Jan 26 11:43:23 S4 named[2308]: client 172.20.2.2#57599: updating zone
> 'ariane.intra/NONE': deleting rrset at 'client7-PCbis.ariane.intra' A
> > Jan 26 11:43:23 S4 named[2308]: client 172.20.2.2#57599: updating zone
> 'ariane.intra/NONE': adding an RR at 'client7-PCbis.ariane.intra' A
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: added rdataset client7-
> PCbis.ariane.intra 'client7-
> PCbis.ariane.intra.#0113600#011IN#011A#011172.20.4.2'
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: subtracted rdataset
> ariane.intra 'ariane.intra.#0113600#011IN#011SOA#011s4.ariane.intra.
> admin.ariane.intra. 98438 900 600 86400 3600'
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: added rdataset ariane.intra
> 'ariane.intra.#0113600#011IN#011SOA#011s4.ariane.intra.
> admin.ariane.intra. 98439 900 600 86400 3600'
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: committed transaction on zone
> ariane.intra
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: starting transaction on zone
> 4.20.172.in-addr.arpa
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=2.4.20.172.in-addr.arpa
> tcpaddr=172.20.2.2 type=PTR key=1880656139.sig-s4.ariane.intra/160/0
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=2.4.20.172.in-addr.arpa
> tcpaddr=172.20.2.2 type=PTR key=1880656139.sig-s4.ariane.intra/160/0
> > Jan 26 11:43:23 S4 named[2308]: client 172.20.2.2#39255: updating zone
> '4.20.172.in-addr.arpa/NONE': deleting rrset at '2.4.20.172.in-addr.arpa'
> PTR
> > Jan 26 11:43:23 S4 named[2308]: client 172.20.2.2#39255: updating zone
> '4.20.172.in-addr.arpa/NONE': adding an RR at '2.4.20.172.in-addr.arpa'
> PTR
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: added rdataset 2.4.20.172.in-
> addr.arpa '2.4.20.172.in-addr.arpa.#0113600#011IN#011PTR#011client7-
> PCbis.ariane.intra.'
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: subtracted rdataset
> 4.20.172.in-addr.arpa '4.20.172.in-
> addr.arpa.#0113600#011IN#011SOA#011s4.ariane.intra. admin.ariane.intra. 34
> 900 600 86400 3600'
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: added rdataset 4.20.172.in-
> addr.arpa '4.20.172.in-addr.arpa.#0113600#011IN#011SOA#011s4.ariane.intra.
> admin.ariane.intra. 35 900 600 86400 3600'
> > Jan 26 11:43:23 S4 named[2308]: samba_dlz: committed transaction on zone
> 4.20.172.in-addr.arpa
> > Jan 26 11:43:23 S4 dhcpd: DDNS: adding records for 172.20.4.2 (client7-
> PCbis.ariane.intra) succeeded
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: starting transaction on zone
> ariane.intra
> > Jan 26 11:43:27 S4 named[2308]: client 172.20.4.2#49708: update
> 'ariane.intra/IN' denied
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: cancelling transaction on
> zone ariane.intra
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: starting transaction on zone
> ariane.intra
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: disallowing update of
> signer=client7-pcbis\$\@ARIANE.INTRA name=client7-PCbis.ariane.intra
> type=AAAA*error=insufficient access rights*
> > Jan 26 11:43:27 S4 named[2308]: client 172.20.4.2#58780: updating zone
> 'ariane.intra/NONE': update failed: rejected by secure update (REFUSED)
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: cancelling transaction on
> zone ariane.intra
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: starting transaction on zone
> ariane.intra
> > Jan 26 11:43:27 S4 named[2308]: client 172.20.4.2#62901: update
> 'ariane.intra/IN' denied
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: cancelling transaction on
> zone ariane.intra
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: starting transaction on zone
> ariane.intra
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: disallowing update of
> signer=client7-pcbis\$\@ARIANE.INTRA name=client7-PCbis.ariane.intra
> type=AAAA*error=insufficient access rights*
> > Jan 26 11:43:27 S4 named[2308]: client 172.20.4.2#60619: updating zone
> 'ariane.intra/NONE': update failed: rejected by secure update (REFUSED)
> > Jan 26 11:43:27 S4 named[2308]: samba_dlz: cancelling transaction on
> zone ariane.intra
> > Jan 26 11:43:30 S4 dhcpd: DHCPINFORM from 172.20.4.2 via eth0
> > Jan 26 11:43:30 S4 dhcpd: DHCPACK to 172.20.4.2 (00:50:56:8f:55:b6) via
> eth0
> >
> >
> > How to start quickly with the second DHCP server without mistakes and without manually removing the DNS entries?
> >
> > Thank you in advance for the answers!
> >
> > Sam

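Added example (not part of the original posts and not Samba project code): a small Python triage of the `samba_dlz` lines quoted above, listing each DNS name for which one signer was allowed to update and a different signer was refused. The sample lines are constructed from the log format in the post, re-joined onto single lines; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: samba_dlz decisions in the format shown in the post,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = r"""
Jan 26 11:41:36 S4 named[2308]: samba_dlz: disallowing update of signer=client7-pcbis\$\@ARIANE.INTRA name=client7-PCbis.ariane.intra type=A error=insufficient access rights
Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of signer=dhcpd-user\@ARIANE.INTRA name=client7-PCbis.ariane.intra tcpaddr=172.20.2.2 type=A key=1616985151.sig-s4.ariane.intra/160/0
Jan 26 11:43:23 S4 named[2308]: samba_dlz: allowing update of signer=dhcpd-user\@ARIANE.INTRA name=2.4.20.172.in-addr.arpa tcpaddr=172.20.2.2 type=PTR key=1880656139.sig-s4.ariane.intra/160/0
Jan 26 11:43:27 S4 named[2308]: samba_dlz: disallowing update of signer=client7-pcbis\$\@ARIANE.INTRA name=client7-PCbis.ariane.intra type=AAAA error=insufficient access rights
"""

# Matches both the "allowing" and "disallowing" forms; fields between
# name= and type= (such as tcpaddr=) are skipped.
UPDATE_RE = re.compile(
    r"samba_dlz: (?P<verdict>allowing|disallowing) update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+)"
    r".*?type=(?P<rtype>[A-Z0-9]+)"
)


def parse_updates(log_text):
    """Yield (name, signer, rtype, allowed) for each samba_dlz update decision."""
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            # Drop the backslash escaping seen in the log and fold case.
            signer = m["signer"].replace("\\", "").lower()
            yield m["name"].lower(), signer, m["rtype"], m["verdict"] == "allowing"


def signer_conflicts(log_text):
    """Return names where one signer was allowed and a different one refused."""
    seen = defaultdict(lambda: {"allowed": set(), "refused": set()})
    for name, signer, _rtype, allowed in parse_updates(log_text):
        seen[name]["allowed" if allowed else "refused"].add(signer)
    return {n: v for n, v in seen.items()
            if v["allowed"] and v["refused"] - v["allowed"]}


if __name__ == "__main__":
    for name, v in signer_conflicts(SAMPLE_LOG).items():
        print(f"{name}: allowed={sorted(v['allowed'])} "
              f"refused={sorted(v['refused'])}")
```
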