[Samba] AD, multiple DC, some DC without DNS at all

mathias dufresne infractory at gmail.com
Thu Mar 3 10:37:02 UTC 2016


I do : )

2016-03-03 10:52 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 03/03/16 09:31, mathias dufresne wrote:
>
>> Hi all,
>>
>> Thank you Mark for these precisions.
>>
>> I did switch a DC to --dns-backend=NONE using samba-tool domain join. This
>> removed dns-<DCname> user for this DC and associated keytab.
>>
>> We changed /etc/resolv.conf to use another DC - one with Bind running - as
>> nameserver.
>>
>> Stopping there, running samba_dnsupdate gave error "NOTAUTH".
>>
>> As we want our DC being able to push into DNS database some changes (when
>> we move our DC from Site to Site at least) I tried to find out what is
>> needed to replace that user in a way this user can be used by several DC to
>> modify AD DNS database.
>>
>> What was done to get nsupdate -g working from non-DNS-DC pushing
>> modification to bind-dlz-DC:
>> - copy of private/dns.keytab from bind-dlz-DC to non-DNS-DC
>> - generate a Kerberos ticket for user account dns-<bind-dlz-DC>
>> - run samba_dnsupdate
>> If I remember correctly the error was "NOTAUTH" too.
>>
>> - add SPN to user account dns-<bind-dlz-DC>, new SPN added were:
>> + DNS/<non-DNS-DC>.ad.domain.tld
>> + DNS/<non-DNS-DC>.ad.domain.tld at AD.DOMAIN.TLD
>>
>> - add dns-<bind-dlz-DC> user account into dnsAdmins built-in group
>>
>> Now I am able to modify AD DNS zone AD.DOMAIN.TLD using temporary files
>> generated by samba_dnsupdate (samba_dnsupdate was modified around line 408
>> to comment tmp file deletion, the unlink() function).
>> Trying to modify _msdcs.AD.DOMAIN.TLD is not working, I get error: "update
>> failed: REFUSED".
>>
>> Trying to push modification using nsupdate -g is working on both AD zones
>> when the Kerberos ticket for my session is a ticket belonging to
>> "administrator" account.
>>
>> In summary nsupdate -g works pushing modification from non-DNS-DC to
>> bind-dlz-DC:
>> with Administrator Kerberos ticket: on both DNS zones ad.domain.tld and
>> _msdcs.ad.domain.tld
>> with dns-<bind-dlz-DC> Kerberos ticket: only on DNS zone ad.domain.tld;
>> _msdcs.ad.domain.tld modification gives "update failed: REFUSED".
>>
>> So I miss something to be able to use non-administrator account to modify
>> _msdcs DNS zone. Any idea would be welcomed.
>>
>> Best regards,
>>
>> mathias
>>
>>
>>
>> 2016-03-01 20:02 GMT+01:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>
>>> Hello Mathias,
>>>
>>> Am 01.03.2016 um 11:59 schrieb mathias dufresne:
>>>
>>>> I thought there was an option for samba_dnsupgrade command to tell "remove
>>>> all DNS service from current DC" but I don't find it anymore.
>>>>
>>> I think there's no such option (yet), but would be worth a feature
>>> request. :-)
>>>
>>>
>>>> This question is because we are about to deploy an AD with 20 or more DC
>>>> and there is no need they are all DNS servers. In fact having them all DNS
>>>> servers make design more complex and more risky. The point is to avoid
>>>> risks.
>>>>
>>> You should deploy these DCs without DNS (--dns-backend=NONE), because
>>> then they don't get
>>>    DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>    DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>> replicated at all.
>>>
>>>
>>>> How I would proceed if samba_dnsupgrade is not able to remove DNS service
>>>> automatically:
>>>> - as for BIND9_DLZ backend, I will keep the "-dns" in smb.conf for running
>>>> services.
>>>> - stop Bind-DLZ service on non-DNS-DC
>>>> - modify /etc/resolv.conf on non-DNS-DC so they send DNS requests to
>>>> remaining DNS servers.
>>>>
>>> I think this should work, besides that those DCs still get the DNS stuff
>>> replicated.
>>>
>>> You can also switch to the internal DNS. If the IP of those DCs is not
>>> used by clients in their DNS configuration, the DNS won't be used. And
>>> if it is, then nothing bad should happen. :-)
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>>
> It may be because you are trying to run samba_dnsupdate instead of running
> nsupdate directly.
> I run Samba AD DC, Bind9 and DHCP on the same machine, DHCP gives out an
> IP address, then runs a script to update Bind9. This script runs nsupdate to
> update the records in AD. All that is required is a user (with password set
> to never expire), this user should be a member of DnsAdmins, you also need
> the user's keytab.
>
> Let me know if you need more info.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
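The flow Rowland describes (a dedicated DnsAdmins account with a non-expiring password, its keytab, and nsupdate -g run directly from a script), written out as an added example that is not code from the thread or from Samba. Assumed names: dc1 as the BIND9_DLZ DC, dns-updater as the dedicated account, its keytab path, and the DSA GUID of the host being registered, which the caller passes in.

```shell
#!/bin/sh
# Added example, not code from the thread: a non-DNS DC pushes its own records
# to the BIND9_DLZ DC over GSS-TSIG (nsupdate -g) with a dedicated DnsAdmins
# account instead of the Administrator ticket.
set -eu

DNS_DC="dc1.ad.domain.tld"               # assumed: the DC running BIND9_DLZ
ZONE="ad.domain.tld"
MSDCS_ZONE="_msdcs.ad.domain.tld"
PRINC="dns-updater@AD.DOMAIN.TLD"        # assumed: DnsAdmins member, password never expires
KEYTAB="/etc/samba/dns-updater.keytab"   # assumed: path of that account's keytab
TTL=900

# Emit the nsupdate batch. One RFC 2136 update request covers a single zone, so
# the A record and the _msdcs DSA-GUID alias go in separate "send" sections.
build_batch() {
  host="$1"; ip="$2"; guid="$3"
  cat <<EOF
server ${DNS_DC}
zone ${ZONE}
update delete ${host}.${ZONE}. A
update add ${host}.${ZONE}. ${TTL} A ${ip}
send
zone ${MSDCS_ZONE}
update delete ${guid}.${MSDCS_ZONE}. CNAME
update add ${guid}.${MSDCS_ZONE}. ${TTL} CNAME ${host}.${ZONE}.
send
EOF
}

# Get a ticket from the keytab into a private credential cache (so a logged-in
# administrator's ticket is never picked up by accident), run the update, verify.
push_update() {
  host="$1"; ip="$2"; guid="$3"
  KRB5CCNAME="FILE:/tmp/krb5cc_dnsupdate.$$"; export KRB5CCNAME
  kinit -k -t "${KEYTAB}" "${PRINC}"
  build_batch "$host" "$ip" "$guid" | nsupdate -g
  kdestroy
  # Read back from the same server so the check does not depend on a resolver cache.
  dig +short "@${DNS_DC}" "${host}.${ZONE}" A
}

# Usage on the non-DNS DC: push_update dc5 10.0.0.5 <dsa-guid-of-dc5>
```

If the _msdcs section still answers REFUSED, the account's rights on that zone are what to inspect; the ad.domain.tld section succeeding on its own only proves the GSS-TSIG exchange itself is working.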

