[Samba] AD, multiple DC, some DC without DNS at all

mathias dufresne infractory at gmail.com
Thu Mar 3 10:39:37 UTC 2016


Long version: yes, I do, as I explained in a relatively long mail about what I did,
without too much success. And what I did is exactly what you described,
Rowland: I have a user, I have a keytab, and it does not fully work.

So yes, I would need more information to finish that.

2016-03-03 11:37 GMT+01:00 mathias dufresne <infractory at gmail.com>:

> I do : )
>
> 2016-03-03 10:52 GMT+01:00 Rowland penny <rpenny at samba.org>:
>
>> On 03/03/16 09:31, mathias dufresne wrote:
>>
>>> Hi all,
>>>
>>> Thank you Mark for these precisions.
>>>
>>> I did switch a DC to --dns-backend=NONE using samba-tool domain join. This
>>> removed the dns-<DCname> user for this DC and the associated keytab.
>>>
>>> We changed /etc/resolv.conf to use another DC - one with Bind running - as
>>> nameserver.
>>>
>>> Stopping there, running samba_dnsupdate gave error "NOTAUTH".
>>>
>>> As we want our DCs to be able to push some changes into the DNS database (when
>>> we move our DCs from Site to Site at least), I tried to find out what is
>>> needed to replace that user in a way that this user can be used by several DCs
>>> to modify the AD DNS database.
>>>
>>> What was done to get nsupdate -g working from the non-DNS-DC, pushing
>>> modifications to the bind-dlz-DC:
>>> - copy private/dns.keytab from bind-dlz-DC to non-DNS-DC
>>> - generate a Kerberos ticket for the user account dns-<bind-dlz-DC>
>>> - run samba_dnsupdate
>>> If I remember correctly the error was "NOTAUTH" too.
>>>
>>> - add SPN to user account dns-<bind-dlz-DC>, new SPN added were:
>>> + DNS/<non-DNS-DC>.ad.domain.tld
>>> + DNS/<non-DNS-DC>.ad.domain.tld at AD.DOMAIN.TLD
>>>
>>> - add the dns-<bind-dlz-DC> user account to the DnsAdmins built-in group
>>>
>>> Now I am able to modify the AD DNS zone AD.DOMAIN.TLD using the temporary files
>>> generated by samba_dnsupdate (samba_dnsupdate was modified around line 408
>>> to comment out the tmp file deletion, the unlink() call).
>>> Trying to modify _msdcs.AD.DOMAIN.TLD is not working, I get the error:
>>> "update failed: REFUSED".
>>>
>>> Pushing modifications using nsupdate -g works on both AD zones
>>> when the Kerberos ticket for my session is a ticket belonging to the
>>> "administrator" account.
>>>
>>> In summary, nsupdate -g works pushing modifications from non-DNS-DC to
>>> bind-dlz-DC:
>>> - with the Administrator Kerberos ticket: on both DNS zones ad.domain.tld and
>>> _msdcs.ad.domain.tld
>>> - with the dns-<bind-dlz-DC> Kerberos ticket: only on DNS zone ad.domain.tld;
>>> _msdcs.ad.domain.tld modification gives "update failed: REFUSED".
>>>
>>> So I am missing something to be able to use a non-administrator account to modify
>>> the _msdcs DNS zone. Any idea would be welcomed.
>>>
>>> Best regards,
>>>
>>> mathias
>>>
>>>
>>>
>>> 2016-03-01 20:02 GMT+01:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>>
>>>> Hello Mathias,
>>>>
>>>> On 01.03.2016 at 11:59, mathias dufresne wrote:
>>>>
>>>>> I thought there was an option for the samba_dnsupgrade command to tell it
>>>>> "remove all DNS service from current DC" but I don't find it anymore.
>>>>>
>>>>>
>>>> I think there's no such option (yet), but would be worth a feature
>>>> request. :-)
>>>>
>>>>
>>>>
>>>>
>>>>> This question is because we are about to deploy an AD with 20 or more DCs
>>>>> and there is no need for them all to be DNS servers. In fact having them all DNS
>>>>> servers makes the design more complex and more risky. The point is to avoid
>>>>> risks.
>>>>>
>>>>>
>>>> You should deploy these DCs without DNS (--dns-backend=NONE), because
>>>> then they don't get
>>>>    DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>    DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>> replicated at all.
>>>>
>>>>
>>>>
>>>>
>>>>> How I would proceed if samba_dnsupgrade is not able to remove the DNS service
>>>>> automatically:
>>>>> - as for the BIND9_DLZ backend, I will keep the "-dns" in smb.conf for
>>>>> running services.
>>>>> - stop the Bind-DLZ service on non-DNS-DC
>>>>> - modify /etc/resolv.conf on non-DNS-DC so they send DNS requests to the
>>>>> remaining DNS servers.
>>>>>
>>>>>
>>>> I think this should work, apart from the fact that those DCs still get the
>>>> DNS stuff replicated.
>>>>
>>>> You can also switch to the internal DNS. If the IP of those DCs is not
>>>> used by clients in their DNS configuration, the DNS won't be used. And
>>>> if, then nothing bad should happen. :-)
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>>>
>> It may be because you are trying to run samba_dnsupdate instead of
>> running nsupdate directly.
>> I run Samba AD DC, Bind9 and DHCP on the same machine; DHCP gives out an
>> IP address, then runs a script to update Bind9. This script runs nsupdate to
>> update the records in AD. All that is required is a user (with password set
>> to never expire); this user should be a member of DnsAdmins, and you also need
>> the user's keytab.
>>
>> Let me know if you need more info.
>>
>> Rowland
>>
>>
>>
>
>
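
An added example, not code from this thread or from Samba itself: a POSIX shell script that does what Rowland describes, a dedicated DnsAdmins member with its own keytab driving nsupdate -g from a DC that runs no DNS server of its own, so that a site move can still rewrite the records on the BIND9_DLZ DC. The realm, host names, account name and keytab path are assumptions chosen to match the thread's naming; the samba-tool commands in the comments are the standard ones for creating the account and exporting its keytab, and kinit is used with MIT syntax. The one thing the script adds to the thread is explicit zone selection: _msdcs.<domain> is its own zone, so records under it are sent with a matching `zone` line instead of the parent zone.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba itself.
# Push DNS updates from a DC provisioned with --dns-backend=NONE into the
# AD zones served by a BIND9_DLZ DC, using GSS-TSIG (nsupdate -g) and a
# dedicated DnsAdmins account with its own keytab, as Rowland describes.
# All names below are assumptions (placeholders in the thread's naming).
set -u

REALM="AD.DOMAIN.TLD"                     # assumed Kerberos realm
DOMAIN="ad.domain.tld"                    # assumed forward zone
DNS_DC="bind-dlz-dc.${DOMAIN}"            # assumed DC that runs BIND9_DLZ
PRINCIPAL="dns-updater@${REALM}"          # assumed dedicated updater account
KEYTAB="/etc/samba/dns-updater.keytab"    # assumed keytab exported for it

# One-time provisioning, run once on any DC (reference only, not executed here):
#   samba-tool user create dns-updater --random-password
#   samba-tool user setexpiry dns-updater --noexpiry
#   samba-tool group addmembers DnsAdmins dns-updater
#   samba-tool domain exportkeytab /etc/samba/dns-updater.keytab \
#       --principal=dns-updater@AD.DOMAIN.TLD
# Keep the keytab root-only: whoever can read it can rewrite your AD DNS.

# Return the zone that hosts a record name. _msdcs.<domain> is its own
# zone, so SRV records for DC location must be sent there, not to <domain>.
zone_for() {
    case "$1" in
        "_msdcs.${DOMAIN}"|*."_msdcs.${DOMAIN}") echo "_msdcs.${DOMAIN}" ;;
        "${DOMAIN}"|*."${DOMAIN}")               echo "${DOMAIN}" ;;
        *) echo "zone_for: $1 is not under ${DOMAIN}" >&2; return 1 ;;
    esac
}

# Batch that replaces one A record. Delete-then-add keeps it idempotent,
# which matters when a DC changes address.
build_a_update() {
    fqdn=$1; ip=$2; ttl=${3:-900}
    zone=$(zone_for "$fqdn") || return 1
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$DNS_DC" "$zone" "$fqdn" "$fqdn" "$ttl" "$ip"
}

# Batch that adds one SRV record (the kind of record a site move touches
# under _msdcs.<domain>). Priority 0 and weight 100 are the AD defaults.
build_srv_update() {
    name=$1; target=$2; port=${3:-389}; ttl=${4:-600}
    zone=$(zone_for "$name") || return 1
    printf 'server %s\nzone %s\nupdate add %s %s SRV 0 100 %s %s\nsend\n' \
        "$DNS_DC" "$zone" "$name" "$ttl" "$port" "$target"
}

# Get a ticket for the updater from its keytab (MIT kinit syntax) in a
# private credential cache, then hand the batch to nsupdate with GSS-TSIG.
push_update() {
    batch=$1
    KRB5CCNAME="FILE:/tmp/dns-updater.cc.$$"; export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    printf '%s\n' "$batch" | nsupdate -g
    rc=$?
    kdestroy >/dev/null 2>&1
    return $rc
}

# usage: ./dns-push.sh push <fqdn> <ip>
if [ "${1:-}" = "push" ] && [ $# -eq 3 ]; then
    batch=$(build_a_update "$2" "$3") && push_update "$batch"
fi
```

The script only guarantees that the request is well-formed, signed by the intended principal and addressed to the zone that actually holds the record; whether the BIND9_DLZ DC answers with an update or with REFUSED is decided by the ACL on the zone and record objects in AD, which is why the account's group membership is the part of the setup to check when a signed update is still rejected.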
