[Samba] Securing DHCP, with DDNS

Rowland penny rpenny at samba.org
Wed Jan 27 11:16:49 UTC 2016

On 27/01/16 11:03, Sam wrote:
> If I don't use DHCP failover, can you tell me what to do to have the 
> manual dhcp start method working...
> I think I could have made a mistake; this is what I did (I am using Louis's 
> script from the "old set of script" directory: 
> https://secure.bazuin.nl/scripts/ ):
> - On server S4 : resolv.conf set to S4 first and S4bis in second
> - On server S4 : in dhcp-dyndns-debian.sh, NSRVS=*S4*.ariane.intra
> - On server S4 : bash install.sh
> - On server S4 : osync set to sync dhcpd.conf between the 2 servers
> - On server S4bis : resolv.conf set to S4bis first and S4 in second
> - On server S4bis : in dhcp-dyndns-debian.sh, NSRVS=*S4bis*.ariane.intra
> - On server S4bis : bash install.sh
> Am I wrong?
> Regards,
> Sam

I don't think that is going to work.
If you are using Louis's script, then you are using a variant of my 
script, so the following should point you in the right direction.

Setting Up DHCP Failover

This is based on using two Samba4 AD DCs:

dc1.samdom.example.com : : primary
dc2.samdom.example.com : : secondary

The network will be and the address pool will be 
' to'

No firewall is running

Add the following for the failover peers to the configuration files on 
the primary:

failover peer "dhcp-failover" {
   address dc1.samdom.example.com;
   port 519;
   peer address dc2.samdom.example.com;
   peer port 520;
   max-response-delay 60;
   max-unacked-updates 10;
   mclt 3600;
   split 128;
   load balance max seconds 3;
}

..and secondary:

failover peer "dhcp-failover" {
   address dc2.samdom.example.com;
   port 520;
   peer address dc1.samdom.example.com;
   peer port 519;
   max-response-delay 60;
   max-unacked-updates 10;
   load balance max seconds 3;
}

Add references for the subnet/pool which will do failover.

subnet netmask {
   option subnet-mask;
   option broadcast-address;
   option time-offset 0;
   option routers;
   option domain-name "samdom.example.com";
   option domain-name-servers,;
   option ntp-servers,;
   pool {
     failover peer "dhcp-failover";
     max-lease-time 1800; # 30 minutes
   }
}

Configure OMAPI and define a secret key.

Generate a random OMAPI key on the primary, using the dnssec-keygen 
utility distributed with BIND.

dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_OMAPI

Now extract the actual key:

cat Kdhcp_omapi.+*.private |grep ^Key|cut -d ' ' -f2-

Add the following to dhcpd.conf on both primary and secondary.

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
      algorithm hmac-md5;
      secret "PUT_YOUR_KEY_HERE";
}

Replace PUT_YOUR_KEY_HERE with the key you extracted from the private 
key created by the dnssec-keygen command.
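The extraction step above is easy to get subtly wrong (grabbing the wrong line, or a key that was cut short on paste), and a bad secret only shows up later as OMAPI refusing connections. The script below is an added example, not the post's or Samba's code: it parses a constructed stand-in for the K*.private file, extracts the secret the same way the one-liner does, checks that it decodes to the 512 bits requested with `-b 512`, and prints the dhcpd.conf key stanza. The sample key is a dummy pattern, the file layout mirrors what dnssec-keygen writes, and the stanza defaults to hmac-md5 to match the post; the optional fourth argument lets you render hmac-sha256 instead if you generated the key with `-a HMAC-SHA256` (newer BIND releases provide `tsig-keygen` for this job).

```shell
#!/bin/sh
# Added example (not from the post): read a dnssec-keygen K*.private file,
# pull out the HMAC secret the way the post's one-liner does, and check it
# really is a 512-bit base64 value before it goes into dhcpd.conf.

# Constructed stand-in for the K*.private file; the secret is a dummy
# repeating pattern, NOT a real key. Use the file dnssec-keygen wrote.
SAMPLE_KEY=$(i=0; while [ "$i" -lt 21 ]; do printf 'ABCD'; i=$((i+1)); done; printf 'AA==')
SAMPLE_PRIVATE=$(printf 'Private-key-format: v1.3\nAlgorithm: 157 (HMAC_MD5)\nKey: %s\nBits: AAA=\nCreated: 20160127111649\nPublish: 20160127111649\nActivate: 20160127111649\n' "$SAMPLE_KEY")

# Same extraction as the post's "grep ^Key | cut", from a file or stdin.
extract_key() {
    grep '^Key:' "${1:--}" | cut -d ' ' -f2-
}

# Size of a base64 secret in bits (512 expected for "-b 512").
key_bits() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | awk '{ print $1 * 8 }'
}

# Print the dhcpd.conf key stanza, or fail if the secret is not clean base64
# of the expected size (catches pasting the wrong line or a truncated key).
# Algorithm defaults to hmac-md5 to match the post; pass hmac-sha256 if you
# generated the key with -a HMAC-SHA256.
render_key_stanza() {
    name=$1; secret=$2; want_bits=${3:-512}; algo=${4:-hmac-md5}
    case $secret in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ "$(key_bits "$secret")" -eq "$want_bits" ] || return 1
    printf 'key %s {\n   algorithm %s;\n   secret "%s";\n}\n' "$name" "$algo" "$secret"
}

# Stand-alone run: extract from the constructed sample and render the stanza.
KEY=$(printf '%s\n' "$SAMPLE_PRIVATE" | extract_key)
render_key_stanza omapi_key "$KEY"
```

Run it against the real file with `render_key_stanza omapi_key "$(extract_key Kdhcp_omapi.+*.private)"`; a non-zero exit means the secret you are about to paste is not what dnssec-keygen produced.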

Add the following to dhcpd.conf on both machines:

on commit {
   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
   set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
   set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
   log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
   execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

on release {
   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
   set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
   log(concat("Release: IP: ", ClientIP));
   execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

on expiry {
   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
   # cannot get a ClientMac here, apparently this only works when actually receiving a packet
   log(concat("Expired: IP: ", ClientIP));
   # cannot get a ClientName here, for some reason that always fails
   execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
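The hooks above hand dhcp-dyndns.sh three or four arguments, and one of them, the name from `option host-name`, is set by the DHCP client itself. dhcpd's `execute()` passes the values as separate arguments rather than through a shell, so the risk is not at the `execute` call; it is inside the script, where an unchecked name would end up in nsupdate input and in the DNS. The following is an added example, not the post's or Louis's dhcp-dyndns.sh: it shows the validation such a hook script should perform on the IP, the hardware string and the hostname before building the nsupdate batch, and it prints the batch instead of sending it. The calling convention, the `samdom.example.com` zone and the 3600-second TTL are assumptions taken from the post's configuration; the `hardware` expression emits the link-layer type byte before the address, so a seven-field string such as `1:0:1a:2b:3c:4d:5e` is normal.

```shell
#!/bin/sh
# Added example, not the post's dhcp-dyndns.sh: the input checks a hook
# script called from "on commit"/"on release"/"on expiry" should do before
# it touches DNS. dhcpd's execute() hands the arguments straight to the
# script, but the host-name value is whatever the client put in its DHCP
# request, so it is untrusted until validated.
#
# Assumed calling convention (matches the hooks in the post):
#   dhcp-dyndns.sh add    <ip> <hardware> <hostname>
#   dhcp-dyndns.sh delete <ip> <hardware|""> [0]
DNS_ZONE=${DNS_ZONE:-samdom.example.com}   # zone from the post's example
TTL=${TTL:-3600}                           # assumed record TTL

# Four decimal octets, each 0-255 (what binary-to-ascii(10, 8, ".", ...) emits).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# Colon-separated hex bytes without zero padding, as binary-to-ascii(16, 8, ":",
# hardware) emits; "hardware" carries the link-layer type byte first, so
# seven fields ("1:0:c:29:ab:cd:ef") is normal and six is accepted too.
valid_mac() {
    s=$1; n=0
    while :; do
        f=${s%%:*}
        case $f in
            [0-9a-fA-F]|[0-9a-fA-F][0-9a-fA-F]) n=$((n + 1)) ;;
            *) return 1 ;;
        esac
        [ "$s" = "$f" ] && break
        s=${s#*:}
    done
    [ "$n" -eq 6 ] || [ "$n" -eq 7 ]
}

# One DNS label: 1-63 chars of letters, digits and hyphen, no leading or
# trailing hyphen. Anything else (spaces, quotes, newlines, dots) is refused,
# which is what keeps a hostile host-name from becoming extra nsupdate lines.
valid_hostname() {
    case $1 in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Lower-case the client's name and strip our own zone if it sent an FQDN.
client_label() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}
    name=${name%".$DNS_ZONE"}
    valid_hostname "$name" || return 1
    printf '%s\n' "$name"
}

# Reverse-zone owner name for an IPv4 address.
ptr_name() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Build the nsupdate batch (printed, not sent) for an add or delete. Every
# value in it has passed the checks above. Without a name (release/expiry)
# only the PTR is removed here; a full script would resolve the name via the PTR first.
nsupdate_batch() {
    action=$1; ip=$2; hw=$3; name=$4
    valid_ipv4 "$ip" || return 1
    rev=$(ptr_name "$ip")
    case $action in
        add)
            valid_mac "$hw" || return 1
            label=$(client_label "$name") || return 1
            fqdn="$label.$DNS_ZONE"
            printf 'update delete %s A\nupdate add %s %s A %s\nsend\n' "$fqdn" "$fqdn" "$TTL" "$ip"
            printf 'update delete %s PTR\nupdate add %s %s PTR %s.\nsend\n' "$rev" "$rev" "$TTL" "$fqdn"
            ;;
        delete)
            printf 'update delete %s PTR\nsend\n' "$rev"
            ;;
        *) return 1 ;;
    esac
}

# Stand-alone run with constructed values (a commit for a client calling itself PC01).
nsupdate_batch add 192.168.1.10 '1:0:1a:2b:3c:4d:5e' PC01
```

In a real hook the batch would be piped into `nsupdate` authenticated with the DC's credentials, and a name that fails `client_label` should be logged and skipped rather than "fixed up", since the lease itself is still valid.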

Restart both servers to apply the configuration changes.

If OMAPI is working properly you can test failover by stopping the 
primary server.

Once you are sure everything is working as expected, restart both 
servers to ensure everything is running correctly.

The 'split' value '128' divides responsibility for the clients between 
the two failover partners.
If you want the primary to answer all dhcp requests unless it is down 
(for whatever reason) set the value to '255', use '0' to make the 
secondary responsible.
