[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
mathias dufresne
infractory at gmail.com
Mon May 23 16:35:19 UTC 2016
Hi,
Why modify a working conf when you can build your DC on other systems
(VMs)? That could be really nice to learn, but you add a lot of complexity to
your process, I think.
Why not use DLZ to access your AD zones? I expect Bind to be able to mix
its behaviour: flat file for some zones, DLZ for others...
Now regarding:
update-policy {
    grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
    grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
    grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
For me this means:
grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
Allow any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) to
modify the A and AAAA records it owns (ms-self) from any host (*).
grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
Allow Administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD to do anything to
any A, AAAA, SRV or CNAME record from any host.
Same for the last one.
I'm really a newcomer to the DNS world; these thoughts come from
http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
These lines should make your Bind use Kerberos. At least I hope the
authentication is Kerberos (that's AD!). If it is Kerberos authentication,
I expect you can rely on it, as almost the whole world relies on Kerberos
these days : )
One last thing regarding ISC's key method:
https://bugzilla.samba.org/show_bug.cgi?id=11520
I don't mean that this bug has anything to do with what you want to achieve;
it simply could be a good thing to read if you understand anything about ISC's
key method (which I don't). Perhaps you could find some leads to follow or
some information to avoid that configuration.
Sorry I can't help more. Have a nice day,
mathias
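To check what those three grant lines actually permit, here is an added example (my code, not Jeff's configuration and not part of BIND or Samba) that re-implements named's update-policy decision for the nametypes in the quoted policy plus the related name, subdomain, self, krb5-self and ms-subdomain: rules are tried in order, the first match decides, and no match refuses the update. The policy text is the one quoted above with the list archive's " at " restored to "@"; the signer names other than the DC's own machine account (WS01$, pc42) and the function names (parse_policy, decide, evaluate_requests) are constructed for the example. One simplification: the name field is assumed to be present in every rule, as it is in the quoted policy.

```python
"""Model of BIND's update-policy evaluation (added example, not BIND/Samba code)."""
import re
from dataclasses import dataclass

# A rule with an empty type list means "any type", but BIND still excludes these.
NEVER_IMPLICIT = frozenset({"RRSIG", "NS", "SOA", "NSEC", "NSEC3"})


@dataclass(frozen=True)
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # signer: TSIG key name, Kerberos principal, realm, or wildcard
    nametype: str      # name|subdomain|wildcard|self|ms-self|ms-subdomain|krb5-self|krb5-subdomain
    name: str          # the name field; its meaning depends on nametype
    types: frozenset   # RR types covered; empty = all except NEVER_IMPLICIT


def _norm(n):
    """Canonical DNS name: no trailing dot, lower case (names compare case-insensitively)."""
    return n.strip().rstrip(".").lower()


def _is_subdomain(name, parent):
    parent, name = _norm(parent), _norm(name)
    return parent == "" or name == parent or name.endswith("." + parent)


def _wildcard_matches(name, pattern):
    """BIND semantics: '*' matches everything, '*.suffix' matches proper subdomains of suffix."""
    pattern = _norm(pattern)
    if not pattern.startswith("*"):
        return _norm(name) == pattern
    suffix = pattern[1:].lstrip(".")
    return suffix == "" or _norm(name).endswith("." + suffix)


def _identity_matches(rule, signer):
    if rule.identity.startswith("*"):
        return _wildcard_matches(signer, rule.identity)
    return _norm(rule.identity) == _norm(signer)


def _principal(signer):
    """Split 'user@REALM' into (user, realm); a plain TSIG key name gives None."""
    if "@" not in signer:
        return None
    user, realm = signer.rsplit("@", 1)
    return user, _norm(realm)


def rule_matches(rule, signer, name, rtype):
    name, rtype, nt = _norm(name), rtype.upper(), rule.nametype
    if nt in ("name", "subdomain", "wildcard", "self"):
        if not _identity_matches(rule, signer):
            return False
        if nt == "name":
            ok = name == _norm(rule.name)
        elif nt == "subdomain":
            ok = _is_subdomain(name, rule.name)
        elif nt == "wildcard":
            ok = _wildcard_matches(name, rule.name)
        else:  # self: the updated name must be the signer's own name
            ok = name == _norm(signer)
    elif nt in ("ms-self", "ms-subdomain", "krb5-self", "krb5-subdomain"):
        # Here the identity field is the realm the signing principal must belong to.
        p = _principal(signer)
        if p is None or p[1] != _norm(rule.identity):
            return False
        user, realm = p
        if nt.startswith("ms-"):
            if not user.endswith("$"):           # Windows machine account: machine$@REALM
                return False
            own = user[:-1].lower() + "." + realm  # the one name it may touch: machine.realm
        else:
            if not user.startswith("host/"):     # Kerberos host principal: host/fqdn@REALM
                return False
            own = _norm(user[len("host/"):])
        ok = name == own if nt.endswith("-self") else _is_subdomain(name, rule.name)
    else:
        raise ValueError("nametype not modelled: " + nt)
    if not ok:
        return False
    return rtype in rule.types if rule.types else rtype not in NEVER_IMPLICIT


def parse_policy(text):
    """Parse an update-policy { ... } block; every rule must carry its name field."""
    m = re.search(r"update-policy\s*\{(.*)\}", text, re.S)
    body = re.sub(r"(//|#)[^\n]*", "", m.group(1) if m else text)
    rules = []
    for stmt in body.split(";"):
        toks = stmt.split()
        if not toks:
            continue
        if len(toks) < 4 or toks[0] not in ("grant", "deny"):
            raise ValueError("bad rule: " + stmt.strip())
        rules.append(Rule(toks[0], toks[1], toks[2], toks[3], frozenset(t.upper() for t in toks[4:])))
    return rules


def decide(rules, signer, name, rtype):
    """First matching rule wins; no matching rule means the update is refused."""
    for r in rules:
        if rule_matches(r, signer, name, rtype):
            return r.action == "grant"
    return False


# The thread's policy, with "@" restored.
POLICY = """
update-policy {
    grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
    grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
    grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
"""
RULES = parse_policy(POLICY)

# Constructed update requests: (signer, owner name, RR type). WS01 and pc42 are invented hosts.
REQUESTS = [
    ("DOMAIN2$@AD.DOMAIN2.SUBDOMAIN.TLD", "domain2.ad.domain2.subdomain.tld", "A"),
    ("WS01$@AD.DOMAIN2.SUBDOMAIN.TLD", "ws01.ad.domain2.subdomain.tld", "AAAA"),
    ("WS01$@AD.DOMAIN2.SUBDOMAIN.TLD", "ws02.ad.domain2.subdomain.tld", "A"),      # not its own name
    ("WS01$@AD.DOMAIN2.SUBDOMAIN.TLD", "ws01.ad.domain2.subdomain.tld", "SRV"),    # type not granted
    ("Administrator@AD.DOMAIN2.SUBDOMAIN.TLD", "_ldap._tcp.ad.domain2.subdomain.tld", "SRV"),
    ("Administrator@AD.DOMAIN2.SUBDOMAIN.TLD", "ad.domain2.subdomain.tld", "NS"),  # NS not granted
    ("DOMAIN2$@AD.DOMAIN2.SUBDOMAIN.TLD", "_kerberos._tcp.ad.domain2.subdomain.tld", "SRV"),
    ("rndc-key", "pc42.ad.domain2.subdomain.tld", "A"),   # dhcpd's TSIG key matches no rule
]


def evaluate_requests(rules=RULES, requests=REQUESTS):
    return [decide(rules, s, n, t) for s, n, t in requests]


if __name__ == "__main__":
    for (s, n, t), ok in zip(REQUESTS, evaluate_requests()):
        print(f"{'GRANT' if ok else 'REFUSE':7} {s:40} {t:5} {n}")
```

The last request is the practical point for the setup in this thread: an update signed with rndc-key, which is how dhcpd authenticates today, matches none of the grants, so under this policy the DHCP server cannot write into the AD zone; only machine accounts (their own A/AAAA), Administrator and the DC's own account can.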
2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
> So I had dhcp, radvd and bind working together nicely, and now I've thrown
> a wrench in by setting up an AD DC
>
> I want to change my dhcp server settings to put clients into the new AD
> domain, but am a little hesitant as it is all working so nicely with DDNS
>
> I'm starting to think all I need to do is edit just my dhcpd.conf and
> change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD,
> a little touch-up of db.self, and comment out and eventually remove the DOMAIN1
> entries once everything is working as I like.
>
> My concern is moving from
> allow-update { key rndc-key; };
> notify yes;
> to
> update-policy {
>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
> };
>
> The latter was produced when I created the domain, in the example configs
> that I copied into mine.
> I think what that is saying is to let the domain controller, by name, have
> access to the domain's entries.
> I'm a little concerned about verification, as I know the key method is safe
> and I'm not so sure about the grant method.
>
> Is there a way to have samba use ISC's key method?
> Anyone have any suggestions?
>
> My current setup is as below.
>
> My server name is the same as DOMAIN2; it has an ipv4 address of 192.168.1.1
> and an ipv6 address of fc00:1::1111:1111:1111:1111.
> Its outside addresses are dhcp from my ISP; I do ip masquerade on both ipv4
> and ipv6.
>
>
> My dhcpd.conf looks as follows
> #================START=======================
> ddns-updates on;
> ddns-update-style interim;
> ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
> ddns-rev-domainname "in-addr.arpa.";
> ignore client-updates;
> option domain-search-order code 119 = string;
> include "/etc/rndc.key";
> zone DOMAIN1.SUBDOMAIN.TLD {
> primary 192.168.1.1;
> key rndc-key;
> }
> zone 1.168.192.in-addr.arpa. {
> primary 192.168.1.1;
> key rndc-key;
> }
> default-lease-time 100000;
> max-lease-time 1000000;
> subnet 192.168.1.0 netmask 255.255.255.0 {
> range 192.168.1.10 192.168.1.200;
> option routers 192.168.1.1;
> option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
> option domain-name-servers 192.168.1.1;
> option domain-search-order
> "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
> next-server 192.168.1.1;
> filename "/pxelinux.0";
> allow unknown-clients;
> }
> #================END=========================
>
> My radvd.conf looks like so
> #================START=======================
> interface eth0
> {
> AdvSendAdvert on;
> prefix fc00:1::/64
> {
> AdvOnLink on;
> AdvAutonomous on;
> };
> RDNSS fc00:1::1111:1111:1111:1111 {};
> };
> #================END=========================
>
> My named.conf after adding my samba looks like so
> #================START=======================
> options {
> listen-on port 53 { 127.0.0.1; 192.168.1.1; };
> listen-on-v6 port 53 { ::1; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> allow-query { localhost; 192.168.1.0/16; };
> recursion yes;
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
> bindkeys-file "/etc/named.iscdlv.key";
> managed-keys-directory "/var/named/dynamic";
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
> zone "." IN {
> type hint;
> file "named.ca";
> };
> zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
> type master;
> file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
> allow-update { key rndc-key; };
> notify yes;
> };
> zone "DOMAIN1.SUBDOMAIN.TLD" IN {
> type master;
> file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
> allow-update { key rndc-key; };
> notify yes;
> };
> zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
> type master;
> file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
> update-policy {
>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
> };
> check-names ignore;
> };
> zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
> #================END=========================
>
> content of db.self
> #================START=======================
> $TTL 604800 ; 1 week
> @ IN SOA ns.DOMAIN1.SUBDOMAIN.TLD. MY.EMAIL. (
> 2014092401 ; serial
> 604800 ; refresh (1 week)
> 86400 ; retry (1 day)
> 2419200 ; expire (4 weeks)
> 604800 ; minimum (1 week)
> )
> NS ns.DOMAIN1.SUBDOMAIN.TLD.
> @ IN A 192.168.1.252
> @ IN MX 10 DOMAIN2.SUBDOMAIN.TLD.
> @ IN TXT "v=spf1 mx a -all"
> #================END=========================
>
> my smb.conf looks like
> #================START=======================
> [global]
> netbios name = DOMAIN2
> realm = AD.DOMAIN2.SUBDOMAIN.TLD
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = AD
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> [netlogon]
> path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> #================END=========================
>
>
> my krb5.conf looks like
> #================START=======================
> [libdefaults]
> default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
> #================END=========================
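As an added example (not Jeff's configuration and not a file shipped by Samba or ISC), here is how the two authentication methods discussed in this thread coexist in one named.conf: the DHCP-fed DOMAIN1 zone keeps its TSIG key (allow-update { key rndc-key; }), while the AD zone uses the update-policy that Samba's provisioning generated, which for Kerberos-signed updates only works when named is told where its service keytab is with tkey-gssapi-keytab. The keytab path and the commented DLZ include path assume a Samba installed under the default /usr/local/samba prefix; distribution packages put these files elsewhere. The rndc.key path matches the dhcpd.conf above.

```text
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.1; };
    directory "/var/named";
    // GSS-TSIG: named verifies updates signed by AD principals (e.g.
    // DOMAIN2$@AD.DOMAIN2.SUBDOMAIN.TLD) against the DNS service keytab that
    // Samba exports when provisioned with a BIND9 dns backend.
    // Path is an assumption (Samba default prefix); adjust to your install.
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

// TSIG: dhcpd signs its updates with the shared secret in rndc.key.
include "/etc/rndc.key";

zone "DOMAIN1.SUBDOMAIN.TLD" IN {
    type master;
    file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
    allow-update { key rndc-key; };
    notify yes;
};

// Flat-file AD zone: every update is authorised by the first matching grant,
// keyed on the Kerberos principal that signed it. Nothing signed with
// rndc-key matches any of these rules, so dhcpd cannot write into this zone.
zone "ad.DOMAIN2.SUBDOMAIN.TLD" IN {
    type master;
    file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
    update-policy {
        grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
        grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
    };
    check-names ignore;
};

// Alternative from the reply above: serve the AD zone through Samba's
// BIND9_DLZ module instead of a flat file. The generated include (path is an
// assumption) declares the dlz zone; the flat-file zone of the same name must
// then be removed, since a zone can only be defined once.
// include "/usr/local/samba/private/named.conf";
```

To confirm the grant method is enforced rather than trusted, sign a test update with a ticket and watch named's log: `kinit Administrator@AD.DOMAIN2.SUBDOMAIN.TLD` followed by `nsupdate -g` (GSS-TSIG mode), adding and then deleting a throwaway A record in the AD zone; repeat with an unprivileged user's ticket and with `nsupdate -k /etc/rndc.key` against the AD zone, both of which should be REFUSED. `samba_dnsupdate --verbose` exercises the DC's own machine-account grant for its SRV records.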