[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
Jeff Sadowski
jeff.sadowski at gmail.com
Fri May 27 13:37:27 UTC 2016
I had left my config alone for now and dhcp still writes to
DOMAIN1.SUBDOMAIN.TLD. But samba has been complaining about not being able
to write to bind in its zone.
[2016/05/27 07:30:06.738434, 0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL
If you are right about it using Kerberos, I think I am missing a bit more
configuration to allow bind to use Kerberos. I have a place for it to use
the key but nothing in it about Kerberos and how to verify that.
On Mon, May 23, 2016 at 10:35 AM, mathias dufresne <infractory at gmail.com> wrote:
> Hi,
>
> Why modify a working conf when you can build your DC on other systems
> (VM)? That could be really nice to learn, but you add a lot of complexity to
> your process, I think.
> Why not use DLZ to access your AD zones? I expect Bind to be able to mix
> its behaviour: flat file for some zones, DLZ for others...
>
> Now regarding:
> update-policy {
>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
> };
> For me this means:
> grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
> Grant any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) to
> modify A and AAAA it owns (ms-self) from any host (*).
>
> grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
> Grant administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD to do anything on
> any A AAAA SRV CNAME from any host
>
> same for last one.
>
> I'm really a newcomer to the DNS world; these thoughts come from
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>
> These lines should make your Bind use Kerberos. At least I do hope the
> authentication is Kerberos (that's AD!). If it is Kerberos authentication,
> I expect you can rely on it, as almost the whole world relies on Kerberos
> these days : )
>
> A last thing regarding ISC's key method:
> https://bugzilla.samba.org/show_bug.cgi?id=11520
> I don't mean this bug has something to do with what you want to achieve;
> simply, it could be a good thing to read if you understand anything about ISC's
> key method (which I don't); perhaps you could find some leads to follow or
> some information to avoid that configuration.
>
> Sorry not to help more. Have a nice day,
>
> mathias
>
>
>
> 2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>
>> So I had dhcp, radvd and bind working together nicely, and now I threw in a
>> wrench by setting up an AD DC.
>>
>> I want to change my dhcp server setting to put clients into the new AD
>> Domain but am a little hesitant as it is all working so nicely with DDNS.
>>
>> I'm starting to think all I need to do is edit just my dhcpd.conf and
>> change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD,
>> a little touch-up of db.self, and comment out and eventually remove DOMAIN1
>> entries as everything is working as I like.
>>
>> My concern is moving from
>> allow-update { key rndc-key; };
>> notify yes;
>> to
>> update-policy {
>>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>> };
>>
>> The latter was produced when I created the domain, in the example configs
>> that I copied into mine.
>> I think what that is saying is to let the domain controller, by name, have
>> access to the domain's entries.
>> I'm a little concerned about verification, as I know the key method is safe
>> and I'm not so sure about the grant method.
>>
>> Is there a way to have samba use ISC's key method?
>> Anyone have any suggestions?
>>
>> My current setup is as below.
>>
>> My server name is the same as DOMAIN2; it has an IPv4 address of 192.168.1.1
>> and an IPv6 address of fc00:1::1111:1111:1111:1111.
>> Its outside addresses are DHCP from my ISP; I do IP masquerade on both IPv4
>> and IPv6.
>>
>>
>> My dhcpd.conf looks as follows
>> #================START=======================
>> ddns-updates on;
>> ddns-update-style interim;
>> ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
>> ddns-rev-domainname "in-addr.arpa.";
>> ignore client-updates;
>> option domain-search-order code 119 = string;
>> include "/etc/rndc.key";
>> zone DOMAIN1.SUBDOMAIN.TLD {
>>     primary 192.168.1.1;
>>     key rndc-key;
>> }
>> zone 1.168.192.in-addr.arpa. {
>>     primary 192.168.1.1;
>>     key rndc-key;
>> }
>> default-lease-time 100000;
>> max-lease-time 1000000;
>> subnet 192.168.1.0 netmask 255.255.255.0 {
>>     range 192.168.1.10 192.168.1.200;
>>     option routers 192.168.1.1;
>>     option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
>>     option domain-name-servers 192.168.1.1;
>>     option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
>>     next-server 192.168.1.1;
>>     filename "/pxelinux.0";
>>     allow unknown-clients;
>> }
>> #================END=========================
>>
>> My radvd.conf looks like so
>> #================START=======================
>> interface eth0
>> {
>>     AdvSendAdvert on;
>>     prefix fc00:1::/64
>>     {
>>         AdvOnLink on;
>>         AdvAutonomous on;
>>     };
>>     RDNSS fc00:1::1111:1111:1111:1111 {};
>> };
>> #================END=========================
>>
>> My named.conf after adding my samba looks like so
>> #================START=======================
>> options {
>>     listen-on port 53 { 127.0.0.1; 192.168.1.1; };
>>     listen-on-v6 port 53 { ::1; };
>>     directory "/var/named";
>>     dump-file "/var/named/data/cache_dump.db";
>>     statistics-file "/var/named/data/named_stats.txt";
>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>>     allow-query { localhost; 192.168.1.0/16; };
>>     recursion yes;
>>     dnssec-enable yes;
>>     dnssec-validation yes;
>>     dnssec-lookaside auto;
>>     bindkeys-file "/etc/named.iscdlv.key";
>>     managed-keys-directory "/var/named/dynamic";
>>     pid-file "/run/named/named.pid";
>>     session-keyfile "/run/named/session.key";
>> };
>> logging {
>>     channel default_debug {
>>         file "data/named.run";
>>         severity dynamic;
>>     };
>> };
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>> zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
>>     type master;
>>     file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
>>     allow-update { key rndc-key; };
>>     notify yes;
>> };
>> zone "DOMAIN1.SUBDOMAIN.TLD" IN {
>>     type master;
>>     file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
>>     allow-update { key rndc-key; };
>>     notify yes;
>> };
>> zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
>>     type master;
>>     file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
>>     update-policy {
>>         grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>         grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>         grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>     };
>>     check-names ignore;
>> };
>> zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
>> #================END=========================
>>
>> content of db.self
>> #================START=======================
>> $TTL 604800 ; 1 week
>> @ IN SOA ns.DOMAIN1.SUBDOMAIN.TLD. MY.EMAIL. (
>>     2014092401 ; serial
>>     604800     ; refresh (1 week)
>>     86400      ; retry (1 day)
>>     2419200    ; expire (4 weeks)
>>     604800     ; minimum (1 week)
>> )
>>     NS ns.DOMAIN1.SUBDOMAIN.TLD.
>> @ IN A 192.168.1.252
>> @ IN MX 10 DOMAIN2.SUBDOMAIN.TLD.
>> @ IN TXT "v=spf1 mx a -all"
>> #================END=========================
>>
>> my smb.conf looks like
>> #================START=======================
>> [global]
>>     netbios name = DOMAIN2
>>     realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>     workgroup = AD
>>     server role = active directory domain controller
>>     idmap_ldb:use rfc2307 = yes
>> [netlogon]
>>     path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
>>     read only = No
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>> #================END=========================
>>
>>
>> my krb5.conf looks like
>> #================START=======================
>> [libdefaults]
>> default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> #================END=========================
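To see what the three grant lines discussed in this thread actually permit, here is an added Python model (not code from the thread, from Samba or from BIND) that evaluates a signer, name and record type against BIND's ms-self and wildcard rule types; it assumes case-insensitive identity matching, machine principals of the form host$@REALM, that ms-self ignores the name field, and that "*" matches every name in the zone. Run against the quoted policy, it shows that a machine account can only update its own A/AAAA records, while the Administrator and DOMAIN2$ principals can write any A, AAAA, SRV or CNAME in the zone, so those two credentials are the ones whose keys and keytabs need protecting.

```python
# Added model of BIND update-policy evaluation for the ms-self and wildcard
# rule types. Assumptions: identities compare case-insensitively, GSS-TSIG
# signers look like host$@REALM, ms-self ignores the name field, and "*"
# matches every name in the zone.
from collections import namedtuple

# identity: principal (wildcard) or realm (ms-self); types: empty = any type
Grant = namedtuple("Grant", "identity ruletype name types")


def parse_policy(text):
    """Parse the 'grant ...;' statements found inside update-policy { }."""
    rules = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        if parts[0] != "grant" or len(parts) < 4:
            raise ValueError("unsupported statement: " + stmt.strip())
        rules.append(Grant(parts[1].lower(), parts[2], parts[3].lower().rstrip("."),
                           frozenset(t.upper() for t in parts[4:])))
    return rules


def permits(rules, signer, name, rtype):
    """Return the first Grant that lets signer update (name, rtype), else None."""
    signer, name, rtype = signer.lower(), name.lower().rstrip("."), rtype.upper()
    for r in rules:
        if r.types and rtype not in r.types:
            continue  # the rule lists record types and this is not one of them
        if r.ruletype == "ms-self" and "@" in signer:
            # Machine principal host$@REALM may only touch the name host.REALM.
            user, realm = signer.split("@", 1)
            if realm == r.identity and user.endswith("$") \
                    and name == user[:-1] + "." + realm:
                return r
        elif r.ruletype == "wildcard" and signer == r.identity:
            # "*" covers the whole zone; "*.suffix" covers any name under suffix.
            if r.name == "*" or name == r.name or (
                    r.name.startswith("*.") and name.endswith(r.name[1:])):
                return r
    return None


# Policy constructed from the three grant lines quoted in the thread.
RULES = parse_policy("""
grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
""")
```

Calling permits(RULES, "WS01$@AD.DOMAIN2.SUBDOMAIN.TLD", "ws02.ad.DOMAIN2.SUBDOMAIN.TLD", "A") returns None, whereas the same signer updating ws01.ad.DOMAIN2.SUBDOMAIN.TLD matches the ms-self rule.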