[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC

Jeff Sadowski jeff.sadowski at gmail.com
Wed May 18 16:13:52 UTC 2016


So I had dhcp, radvd and bind working together nicely, and now I have thrown a
wrench into it by setting up an AD DC.

I want to change my dhcp server settings to put clients into the new AD
domain, but I am a little hesitant as it is all working so nicely with DDNS.

I'm starting to think all I need to do is edit just my dhcpd.conf and
change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD
A little touch-up of db.self, then commenting out and eventually removing the DOMAIN1
entries once everything is working as I like.

My concern is moving from
        allow-update { key rndc-key; };
        notify yes;
to
        update-policy {
                grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
                grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A
AAAA SRV CNAME;
                grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA
SRV CNAME;
        };

The latter was produced when I created the domain, in the example configs
that I copied into mine.
I think what that is saying is: let the domain controller, by name, have
access to the domain's entries.
I'm a little concerned about verification, as I know the key method is safe
and I'm not so sure about the grant method.

Is there a way to have samba use ISC's key method?
Anyone have any suggestions?

My current setup is as below.

My server name is the same as DOMAIN2; it has an IPv4 address of 192.168.1.1
and an IPv6 address of fc00:1::1111:1111:1111:1111.
Its outside addresses come from my ISP via DHCP; I do IP masquerading on both IPv4
and IPv6.


My dhcpd.conf looks as follows
#================START=======================
# Dynamic DNS: dhcpd registers each lease in the DOMAIN1 forward zone and the
# 1.168.192.in-addr.arpa reverse zone on the local named (192.168.1.1).
ddns-updates on;
# NOTE(review): "interim" is the older update style; newer ISC DHCP releases
# also document a "standard" style -- check which one the installed version
# expects.
ddns-update-style interim;
ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
ddns-rev-domainname "in-addr.arpa.";
# Clients may not register their own names; dhcpd performs all updates.
ignore client-updates;
# Option 119 (domain search list) declared here as a plain string.
# NOTE(review): RFC 3397 encodes option 119 as DNS labels rather than text,
# and ISC dhcpd's built-in "domain-search" option does that encoding; a
# string-typed definition may not be understood by every client -- confirm.
option domain-search-order code 119 = string;
# The DDNS updates are signed with the rndc control key.  The same key also
# gives full rndc control of named, so anything that can read this file or
# compromise dhcpd also controls named; a separate TSIG key used only for
# updates (and only listed in the zones' allow-update) would keep the two
# roles apart.
include "/etc/rndc.key";
zone DOMAIN1.SUBDOMAIN.TLD {
 primary 192.168.1.1;
 key rndc-key;
}
zone 1.168.192.in-addr.arpa. {
 primary 192.168.1.1;
 key rndc-key;
}
# Long leases: roughly 28 hours by default, up to about 11.5 days.
default-lease-time 100000;
max-lease-time 1000000;
subnet 192.168.1.0 netmask 255.255.255.0 {
 range 192.168.1.10 192.168.1.200;
 option routers 192.168.1.1;
 # Same domain as ddns-domainname above; when moving clients to the AD
 # domain, both settings (and the zone declarations) change together.
 option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
 option domain-name-servers 192.168.1.1;
 option domain-search-order
"DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
 # PXE boot: TFTP server is this host.
 next-server 192.168.1.1;
 filename "/pxelinux.0";
 # Any client MAC gets a lease, not only declared hosts.
 allow unknown-clients;
}
#================END=========================

My radvd.conf looks like so
#================START=======================
# Router advertisements on the inside interface.
interface eth0
{
 AdvSendAdvert on;
 # Clients autoconfigure addresses (SLAAC) in this /64.  No DHCPv6
 # configuration is shown in the post, so presumably IPv6 hosts do not get a
 # DDNS entry the way IPv4 leases do -- confirm.
 # NOTE(review): RFC 4193 puts locally assigned ULAs in fd00::/8; fc00::/8 is
 # the (unassigned) "centrally assigned" half.  Not a functional problem here.
 prefix fc00:1::/64
 {
  AdvOnLink on;
  AdvAutonomous on;
 };
 # Recursive DNS server advertised to clients (RDNSS, RFC 6106).  In the
 # named.conf as posted, listen-on-v6 only covers ::1, so IPv6 clients that
 # follow this RDNSS get no answer; add this address to listen-on-v6 (and the
 # fc00:1::/64 prefix to allow-query) if resolution over IPv6 matters.
 RDNSS fc00:1::1111:1111:1111:1111 {};
};
#================END=========================

My named.conf after adding my samba looks like so
#================START=======================
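// Listen only on loopback and the inside LAN address; the outside
// (ISP-assigned, masqueraded) interfaces are deliberately not listed.
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.1; };
        // radvd.conf advertises fc00:1::1111:1111:1111:1111 via RDNSS as the
        // resolver for IPv6 clients, so named must listen there too; as
        // posted it only listened on ::1.
        listen-on-v6 port 53 { ::1; fc00:1::1111:1111:1111:1111; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // The LAN is 192.168.1.0/24 everywhere else in this setup (dhcpd
        // subnet, 1.168.192.in-addr.arpa).  The original "192.168.1.0/16"
        // had non-zero host bits, which BIND warns about and reads as
        // 192.168.0.0/16; write that explicitly if a wider range is wanted.
        // fc00:1::/64 is the prefix radvd hands out, so IPv6 clients may
        // query as well.
        allow-query     { localhost; 192.168.1.0/24; fc00:1::/64; };
        // Recursion is offered to the networks above; keep listen-on and
        // allow-query in step so this never becomes an open resolver on the
        // outside addresses.
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        // NOTE(review): DNSSEC lookaside validation (DLV) has since been
        // retired by ISC; on a current BIND these two lines can be dropped.
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        // NOTE(review): the grant rules in the AD zone below name Kerberos
        // principals, which BIND verifies with GSS-TSIG.  That requires a
        // tkey-gssapi-keytab "<path-to-keytab-exported-by-samba>"; (usually
        // carried in the named.conf snippet Samba generates at provisioning).
        // It is not in the options block as posted -- confirm it is included
        // from somewhere, otherwise the grants can never match.
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
// The two DOMAIN1 zones are updated by dhcpd using the rndc-key TSIG key
// (dhcpd.conf includes /etc/rndc.key).  That is the same key that controls
// named via rndc, so whoever holds it for DDNS can also reload or stop
// named; a dedicated TSIG key for updates would separate the two roles.
zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
        type master;
        file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
        allow-update { key rndc-key; };
        notify yes;
};
zone "DOMAIN1.SUBDOMAIN.TLD" IN {
        type master;
        file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
        allow-update { key rndc-key; };
        notify yes;
};
// AD zone, taken from the configs produced when the domain was created.
// Updates are authorised per Kerberos identity (GSS-TSIG) rather than by a
// shared secret, so each updater is verified individually: ms-self lets a
// machine account update only the A/AAAA records for its own name, and the
// two wildcard grants give the Administrator and the DC's own machine
// account (DOMAIN2$) update rights on the listed types zone-wide.
zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
        type master;
        file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
        update-policy {
                grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
                // "Administrator at ..." in the archived post is the list
                // archive's mangling of the "@" in the principal name.
                grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
                grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
        };
        // Relaxes owner-name syntax checking for this zone; presumably
        // because some records Samba registers would fail strict hostname
        // rules -- from the example config, keep as is.
        check-names ignore;
};
// Parent of the AD zone: a static file (db.self), no dynamic updates.
// It carries no NS delegation for ad.DOMAIN2.SUBDOMAIN.TLD; that is fine
// while this same named is authoritative for both parent and child.
zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };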
#================END=========================

content of db.self
#================START=======================
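$TTL 604800     ; 1 week
; The SOA MNAME must be absolute (trailing dot).  Without it the name is
; relative to this zone's origin and expands to
; ns.DOMAIN1.SUBDOMAIN.TLD.DOMAIN2.SUBDOMAIN.TLD, which is not a name defined
; anywhere in this setup.  The NS record below already had the dot.
@           IN SOA  ns.DOMAIN1.SUBDOMAIN.TLD. MY.EMAIL. (
                                2014092401 ; serial -- bump on every edit, this one included
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                604800     ; minimum (1 week)
                                )
                        NS      ns.DOMAIN1.SUBDOMAIN.TLD.
; NOTE(review): the post says this host (DOMAIN2) is 192.168.1.1, but the
; apex A record points at 192.168.1.252 -- confirm which is intended.
; There is also no AAAA for the fc00:1:: address the host has.
@       IN      A       192.168.1.252
@       IN      MX      10      DOMAIN2.SUBDOMAIN.TLD.
@       IN      TXT     "v=spf1 mx a -all"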
#================END=========================

my smb.conf looks like
#================START=======================
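# Samba AD DC.  The host's NetBIOS name is also its DNS name DOMAIN2 (see
# db.self); the Kerberos realm is the child zone AD.DOMAIN2.SUBDOMAIN.TLD.
[global]
        netbios name = DOMAIN2
        realm = AD.DOMAIN2.SUBDOMAIN.TLD
# The archived post wrapped this value after "drepl,"; smb.conf is
# line-oriented, so it has to be one line (or use a trailing backslash).
# "dns" is not in the list, which is consistent with leaving name service to
# the external BIND; "dnsupdate" presumably keeps the DC's own records there
# -- confirm against the Samba version in use.
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = AD
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
[netlogon]
        path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No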
#================END=========================


my krb5.conf looks like
#================START=======================
# Minimal client configuration for the Samba-provisioned realm; the KDC is
# found through DNS rather than a static [realms] entry.
[libdefaults]
        default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
# Do not derive the realm for a host from DNS TXT records; default_realm
# is used.
        dns_lookup_realm = false
# Locate KDCs via SRV lookups in the AD zone -- this is why the SRV records
# that the update-policy grants in named.conf allow must be correct.
        dns_lookup_kdc = true
#================END=========================

