[Samba] Securing DHCP, with DDNS

Sam sr42354 at gmail.com
Wed Jan 27 13:24:13 UTC 2016


Thanks Rowland and Louis! :)

Ok I'm going to test the failover mode! ;)
Do I need to set the same value for NSRVS in dhcp-dyndns.sh? (the first 
AD server, "S4" for me)
Or can I keep
NSRVS=S4.ariane.intra on server S4 and
NSRVS=S4bis.ariane.intra on server S4bis?

It seems more secure to me if the first server switches off...

Sam

On 27/01/2016 12:16, Rowland penny wrote:
> On 27/01/16 11:03, Sam wrote:
>> If I don't use DHCP failover, can you tell me how to get the manual 
>> dhcp start method working...
>>
>> I think I may have made a mistake; this is what I did (I am using Louis's 
>> script from the "old set of scripts" directory: 
>> https://secure.bazuin.nl/scripts/ ):
>>
>> - On server S4 : resolv.conf set to S4 first and S4bis in second
>> - On server S4 : in dhcp-dyndns-debian.sh, NSRVS=*S4*.ariane.intra
>> - On server S4 : bash install.sh
>> - On server S4 : osync set to sync dhcpd.conf between the 2 servers
>> - On server S4bis : resolv.conf set to S4bis first and S4 in second
>> - On server S4bis : in dhcp-dyndns-debian.sh, NSRVS=*S4bis*.ariane.intra
>> - On server S4bis : bash install.sh
>>
>> Am I wrong?
>>
>> Regards,
>> Sam
>>
>>
>>
>
> I don't think that is going to work.
> If you are using Louis's script, then you are using a variant of my 
> script, so the following should point you in the right direction.
>
>
> Setting Up DHCP Failover
>
> This is based on using two Samba4 AD DCs:
>
> dc1.samdom.example.com : 192.168.0.5 : primary
> dc2.samdom.example.com : 192.168.0.6 : secondary
>
> The network will be 192.168.0.0/24 and the address pool will be 
> '192.168.0.50 to 192.168.0.229'
>
> No firewall is running
>
> Add the following for the failover peers to the configuration files on 
> the primary:
>
> failover peer "dhcp-failover" {
>   primary;
>   address dc1.samdom.example.com;
>   port 519;
>   peer address dc2.samdom.example.com;
>   peer port 520;
>   max-response-delay 60;
>   max-unacked-updates 10;
>   mclt 3600;
>   split 128;
>   load balance max seconds 3;
> }
>
> ..and secondary:
>
> failover peer "dhcp-failover" {
>   secondary;
>   address dc2.samdom.example.com;
>   port 520;
>   peer address dc1.samdom.example.com;
>   peer port 519;
>   max-response-delay 60;
>   max-unacked-updates 10;
>   load balance max seconds 3;
> }
>
> Add references for the subnet/pool which will do failover.
>
> subnet 192.168.0.0 netmask 255.255.255.0 {
>   option subnet-mask 255.255.255.0;
>   option broadcast-address 192.168.0.255;
>   option time-offset 0;
>   option routers 192.168.0.1;
>   option domain-name "samdom.example.com";
>   option domain-name-servers 192.168.0.5, 192.168.0.6;
>   option ntp-servers 192.168.0.5, 192.168.0.6;
>   pool {
>     failover peer "dhcp-failover";
>     max-lease-time 1800; # 30 minutes
>     range 192.168.0.50 192.168.0.229;
>   }
> }
>
> Configure OMAPI and define a secret key.
>
> Generate a random OMAPI key on the primary, using the dnssec-keygen 
> utility distributed with BIND.
>
> dnssec-keygen -a HMAC-MD5 -b 512 -n USER DHCP_OMAPI
>
> Now extract the actual key:
>
> cat Kdhcp_omapi.+*.private | grep ^Key | cut -d ' ' -f2-
>
> Add the following to dhcpd.conf on both primary and secondary.
>
> omapi-port 7911;
> omapi-key omapi_key;
>
> key omapi_key {
>      algorithm hmac-md5;
>      secret "PUT_YOUR_KEY_HERE";
> }
>
> Replace PUT_YOUR_KEY_HERE with the key you extracted from the private 
> key created by the dnssec command
>
> Add the following to dhcpd.conf on both machines:
>
> on commit {
>   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>   set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>   set ClientName = pick-first-value(option host-name, config-option host-name, client-name);
>   log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
>   execute("/etc/dhcp/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
> }
>
> on release {
>   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>   set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>   log(concat("Release: IP: ", ClientIP));
>   execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
> }
>
> on expiry {
>   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>   # cannot get a ClientMac here, apparently this only works when actually receiving a packet
>   log(concat("Expired: IP: ", ClientIP));
>   # cannot get a ClientName here, for some reason that always fails
>   execute("/etc/dhcp/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
> }
>
> Restart both servers to apply the configuration changes.
>
> If OMAPI is working properly you can test failover by stopping the 
> primary server.
>
> Once you are sure everything is working as expected, restart both 
> servers to ensure everything is running correctly.
>
>
> The 'split' value '128' divides responsibility for the clients between 
> the two failover partners.
> If you want the primary to answer all dhcp requests unless it is down 
> (for whatever reason) set the value to '255', use '0' to make the 
> secondary responsible.
>
> HTH
>
> Rowland
>
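The on commit hook above hands three lease values to the script, and the name among them (pick-first-value(option host-name, ...)) comes straight from the client, so whatever sits behind execute() should check its arguments before they become an nsupdate batch. The following is an added example, written for this thread and not Rowland's or Louis's dhcp-dyndns.sh: a POSIX sh front end that accepts only a dotted-quad IP, a hardware string of the shape dhcpd's "hardware" item actually produces (type byte first, unpadded hex, which is why the thread's DHCID looks like 1:0:1c:...), and a single RFC 1123 host label, and that copes with the release and expiry calls that arrive with no usable name. DNS_SERVER, ZONE, TTL, the TXT record carrying the MAC and the use of nsupdate -g are assumptions of the example, not something the thread specifies.

```shell
#!/bin/sh
# Argument-checking front end for the dhcpd "on commit/release/expiry" hooks
# shown in the thread.  Added example; not the dhcp-dyndns.sh from
# secure.bazuin.nl or Rowland's script.  Names below are assumptions.
#
# dhcpd calls it as:   add    <ip> <hardware> <name>   (on commit)
#                      delete <ip> <hardware>          (on release)
#                      delete <ip> ""  "0"             (on expiry)
# "hardware" is dhcpd's hardware data item: type byte first, then the MAC,
# printed unpadded, e.g. 1:0:1c:42:ab:cd:ef (see dhcp-eval(5)).

DNS_SERVER=${DNS_SERVER:-dc1.samdom.example.com}   # assumed: the DC that accepts updates
ZONE=${ZONE:-samdom.example.com}                   # assumed forward zone
TTL=3600

valid_ipv4() {          # dotted quad, each octet 0-255, nothing else
    ip=$1
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

valid_hostname() {      # one RFC 1123 label: the only value the client chooses
    printf '%s' "$1" | grep -Eiq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

norm_mac() {            # "1:0:1c:42:ab:cd:ef" -> "00:1c:42:ab:cd:ef"; rejects anything else
    printf '%s' "$1" | grep -Eiq '^1(:[0-9a-f]{1,2}){6}$' || return 1
    rest=${1#1:}
    oldifs=$IFS; IFS=:; set -- $rest; IFS=$oldifs
    out=
    for o in "$@"; do
        case $o in ?) o=0$o;; esac          # zero-pad single hex digits
        out=${out:+$out:}$o
    done
    printf '%s\n' "$out" | tr 'A-Z' 'a-z'
}

reverse_ip() {          # 192.168.0.50 -> 50.0.168.192.in-addr.arpa
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

build_update() {        # print the nsupdate batch; non-zero and no output if anything is off
    action=$1; ip=$2; hw=${3:-}; name=${4:-}
    valid_ipv4 "$ip" || { printf 'refusing IP %s\n' "$ip" >&2; return 2; }
    rev=$(reverse_ip "$ip")
    case $action in
    add)
        mac=$(norm_mac "$hw")  || { printf 'refusing hardware %s\n' "$hw" >&2; return 2; }
        valid_hostname "$name" || { printf 'refusing name %s\n' "$name" >&2; return 2; }
        fqdn=$(printf '%s.%s' "$name" "$ZONE" | tr 'A-Z' 'a-z')
        printf 'server %s\n' "$DNS_SERVER"
        # forward and reverse zones are separate transactions, hence two sends;
        # the TXT record keeps the lease that created the A record attributable
        printf 'update delete %s A\nupdate delete %s TXT\n' "$fqdn" "$fqdn"
        printf 'update add %s %s A %s\nupdate add %s %s TXT "mac=%s"\nsend\n' \
            "$fqdn" "$TTL" "$ip" "$fqdn" "$TTL" "$mac"
        printf 'update delete %s PTR\nupdate add %s %s PTR %s.\nsend\n' "$rev" "$rev" "$TTL" "$fqdn"
        ;;
    delete)
        printf 'server %s\n' "$DNS_SERVER"
        printf 'update delete %s PTR\nsend\n' "$rev"
        # release passes no name and expiry passes "0": only the PTR is known then
        # (a full hook would resolve the PTR first to find the A record to drop)
        if valid_hostname "$name" && [ "$name" != 0 ]; then
            fqdn=$(printf '%s.%s' "$name" "$ZONE" | tr 'A-Z' 'a-z')
            printf 'update delete %s A\nupdate delete %s TXT\nsend\n' "$fqdn" "$fqdn"
        fi
        ;;
    *)  printf 'unknown action %s\n' "$action" >&2; return 2;;
    esac
}

# When dhcpd runs the script, hand the batch to nsupdate.  -g signs with GSS-TSIG
# using a Kerberos ticket the hook is assumed to hold already.
case ${1:-} in
    add|delete) build_update "$@" | nsupdate -g ;;
esac
```

Dropped into /etc/dhcp/bin under the name used in the execute() calls, it rejects a host-name such as "pc;01" or an IP with trailing whitespace instead of forwarding it, and on release or expiry it only drops the PTR record. Clients that announce dotted or underscored names fail the label check, so loosen it deliberately if those must be registered rather than by widening the pattern to whatever arrives.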




More information about the samba mailing list