[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC

Rowland penny rpenny at samba.org
Fri May 27 15:26:36 UTC 2016


On 27/05/16 14:37, Jeff Sadowski wrote:
> I had left my config alone for now and dhcp still writes to
> DOMAIN1.SUBDOMAIN.TLD.  But samba has been complaining about not being able
> to write to bind in its zone.
>
> [2016/05/27 07:30:06.738434,  0]
> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update -
> NT_STATUS_UNSUCCESSFUL
>
> If you are right about it using kerberos I think I am missing a bit more
> configuration to allow bind to use kerberos. I have a place for it to use
> the key but nothing in it about kerberos and how to verify that.
>
> On Mon, May 23, 2016 at 10:35 AM, mathias dufresne <infractory at gmail.com>
> wrote:
>
>> Hi,
>>
>> Why modify a working conf when you can build your DC on other systems
>> (VMs)? That could be really nice to learn, but you add a lot of complexity to
>> your process, I think.
>> Why not use DLZ to access your AD zones? I expect Bind to be able to mix
>> its behaviour: flat file for some zones, DLZ for others...
>>
>> Now regarding:
>> update-policy {
>>                  grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>                  grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>                  grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>> };
>> For me this means:
>> grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>> Grants any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) permission to
>> modify the A and AAAA records it owns (ms-self) from any host (*).
>>
>> grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>> Grants Administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD permission to do anything to
>> any A, AAAA, SRV or CNAME from any host.
>>
>> Same for the last one.
>>
>> I'm really a newcomer to the DNS world; these thoughts come from
>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>>
>> These lines should make your Bind use Kerberos. At least I do hope the
>> authentication is Kerberos (that's AD!). If it is Kerberos authentication,
>> I expect you can rely on it, as almost the whole world relies on Kerberos
>> these days : )
>>
>> A last thing regarding ISC's key method:
>> https://bugzilla.samba.org/show_bug.cgi?id=11520
>> I don't mean that this bug has anything to do with what you want to achieve;
>> it simply could be a good thing to read if you understand anything about ISC's
>> key method (which I don't); perhaps you could find some leads to follow or
>> some information to avoid that configuration.
>>
>> Sorry not to help more. Have a nice day,
>>
>> mathias
>>
>>
>>
>> 2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>>
>>> So I had dhcp, radvd and bind working together nicely, and now I have thrown in
>>> a wrench by setting up an AD DC.
>>>
>>> I want to change my dhcp server settings to put clients into the new AD
>>> Domain, but I am a little hesitant as it is all working so nicely with DDNS.
>>>
>>> I'm starting to think all I need to do is edit just my dhcpd.conf and
>>> change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD,
>>> do a little touch-up of db.self, and comment out and eventually remove the
>>> DOMAIN1 entries, as everything is working as I like.
>>>
>>> My concern is moving from
>>>          allow-update { key rndc-key; };
>>>          notify yes;
>>> to
>>>          update-policy {
>>>                  grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>>                  grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>                  grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>          };
>>>
>>> The latter was produced when I created the domain, in the example configs
>>> that I copied into mine.
>>> I think what that is saying is: let the domain controller, by name, have
>>> access to the domain's entries.
>>> I'm a little concerned about verification, as I know the key method is safe
>>> and I'm not so sure about the grant method.
>>>
>>> Is there a way to have samba use ISC's key method?
>>> Anyone have any suggestions?
>>>
>>> My current setup is as below.
>>>
>>> My server name is the same as DOMAIN2; it has an IPv4 address of 192.168.1.1
>>> and an IPv6 address of fc00:1::1111:1111:1111:1111.
>>> Its outside addresses are DHCP from my ISP; I do IP masquerade on both IPv4
>>> and IPv6.
>>>
>>>
>>> My dhcpd.conf looks as follows
>>> #================START=======================
>>> ddns-updates on;
>>> ddns-update-style interim;
>>> ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
>>> ddns-rev-domainname "in-addr.arpa.";
>>> ignore client-updates;
>>> option domain-search-order code 119 = string;
>>> include "/etc/rndc.key";
>>> zone DOMAIN1.SUBDOMAIN.TLD {
>>>   primary 192.168.1.1;
>>>   key rndc-key;
>>> }
>>> zone 1.168.192.in-addr.arpa. {
>>>   primary 192.168.1.1;
>>>   key rndc-key;
>>> }
>>> default-lease-time 100000;
>>> max-lease-time 1000000;
>>> subnet 192.168.1.0 netmask 255.255.255.0 {
>>>   range 192.168.1.10 192.168.1.200;
>>>   option routers 192.168.1.1;
>>>   option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
>>>   option domain-name-servers 192.168.1.1;
>>>   option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
>>>   next-server 192.168.1.1;
>>>   filename "/pxelinux.0";
>>>   allow unknown-clients;
>>> }
>>> #================END=========================
>>>
>>> My radvd.conf looks like so
>>> #================START=======================
>>> interface eth0
>>> {
>>>   AdvSendAdvert on;
>>>   prefix fc00:1::/64
>>>   {
>>>    AdvOnLink on;
>>>    AdvAutonomous on;
>>>   };
>>>   RDNSS fc00:1::1111:1111:1111:1111 {};
>>> };
>>> #================END=========================
>>>
>>> My named.conf after adding my samba looks like so
>>> #================START=======================
>>> options {
>>>          listen-on port 53 { 127.0.0.1; 192.168.1.1; };
>>>          listen-on-v6 port 53 { ::1; };
>>>          directory       "/var/named";
>>>          dump-file       "/var/named/data/cache_dump.db";
>>>          statistics-file "/var/named/data/named_stats.txt";
>>>          memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>          allow-query     { localhost; 192.168.1.0/16; };
>>>          recursion yes;
>>>          dnssec-enable yes;
>>>          dnssec-validation yes;
>>>          dnssec-lookaside auto;
>>>          bindkeys-file "/etc/named.iscdlv.key";
>>>          managed-keys-directory "/var/named/dynamic";
>>>          pid-file "/run/named/named.pid";
>>>          session-keyfile "/run/named/session.key";
>>> };
>>> logging {
>>>          channel default_debug {
>>>                  file "data/named.run";
>>>                  severity dynamic;
>>>          };
>>> };
>>> zone "." IN {
>>>          type hint;
>>>          file "named.ca";
>>> };
>>> zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
>>>          type master;
>>>          file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
>>>          allow-update { key rndc-key; };
>>>          notify yes;
>>> };
>>> zone "DOMAIN1.SUBDOMAIN.TLD" IN {
>>>          type master;
>>>          file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
>>>          allow-update { key rndc-key; };
>>>          notify yes;
>>> };
>>> zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
>>>          type master;
>>>          file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
>>>          update-policy {
>>>                  grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>>                  grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>                  grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>          };
>>>          check-names ignore;
>>> };
>>> zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
>>> #================END=========================
>>>
>>> content of db.self
>>> #================START=======================
>>> $TTL 604800     ; 1 week
>>> @           IN SOA  ns.DOMAIN1.SUBDOMAIN.TLD MY.EMAIL. (
>>>                                  2014092401 ; serial
>>>                                  604800     ; refresh (1 week)
>>>                                  86400      ; retry (1 day)
>>>                                  2419200    ; expire (4 weeks)
>>>                                  604800     ; minimum (1 week)
>>>                                  )
>>>                          NS      ns.DOMAIN1.SUBDOMAIN.TLD.
>>> @       IN      A       192.168.1.252
>>> @       IN      MX      10      DOMAIN2.SUBDOMAIN.TLD.
>>> @       IN      TXT     "v=spf1 mx a -all"
>>> #================END=========================
>>>
>>> my smb.conf looks like
>>> #================START=======================
>>> [global]
>>>          netbios name = DOMAIN2
>>>          realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>          workgroup = AD
>>>          server role = active directory domain controller
>>>          idmap_ldb:use rfc2307 = yes
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
>>>          read only = No
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>> #================END=========================
>>>
>>>
>>> my krb5.conf looks like
>>> #================START=======================
>>> [libdefaults]
>>>          default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>>          dns_lookup_realm = false
>>>          dns_lookup_kdc = true
>>> #================END=========================
>>>
>>

You are going about this the wrong way: you do not set up dhcp and bind 
and then add a Samba4 AD DC; you set up the AD DC with bind9 and then add the 
dhcp server.

Rowland
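The thread's open question is what the generated update-policy actually lets each Kerberos identity change, and how that compares with the single shared rndc-key. The following is an added example, not code from this list, from Samba or from BIND: a small Python model of BIND 9's first-match update-policy evaluation, restricted to the two nametypes the thread uses. It assumes the semantics mathias describes (ms-self: a machine principal `machine$@REALM` may update only `machine.REALM`, with the realm taken from the identity field; wildcard: the named identity may update any owner name the wildcard matches), that comparisons are case-insensitive, and that a listed record type restricts the rule. The realm and principal names are the thread's own placeholders; the `_ldap._tcp` SRV name is a constructed sample.

```python
"""Simplified model of BIND 9 update-policy evaluation (added example, not BIND code).

Rules are checked in order and the first matching rule decides, which is how
BIND documents update-policy; 'deny' is modelled alongside 'grant' for that
reason even though the thread's policy only uses grants. The ms-self rule
ignores its name field here (the thread always passes '*'), which is an
assumption of this model.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "grant" or "deny"
    identity: str        # principal for wildcard rules, realm for ms-self rules
    nametype: str        # "ms-self" or "wildcard" (the two used in the thread)
    name: str            # "*" or a wildcard owner name
    rrtypes: frozenset   # record types the rule covers; empty means any type


def _norm(name: str) -> str:
    """Lower-case a DNS name or principal and drop a trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_update_policy(text: str) -> list:
    """Parse the statements found inside an update-policy { ... } block."""
    rules = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if tokens[0] not in ("grant", "deny") or len(tokens) < 4:
            raise ValueError(f"unsupported update-policy statement: {stmt.strip()}")
        action, identity, nametype, name = tokens[:4]
        if nametype not in ("ms-self", "wildcard"):
            raise ValueError(f"nametype {nametype!r} is not modelled here")
        rules.append(Rule(action, _norm(identity), nametype, _norm(name),
                          frozenset(t.upper() for t in tokens[4:])))
    return rules


def _wildcard_matches(pattern: str, owner: str) -> bool:
    """DNS-style wildcard: '*' matches any name, '*.x' matches names below x."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".x"
        return owner.endswith(suffix) and len(owner) > len(suffix)
    return pattern == owner


def _rule_matches(rule: Rule, signer: str, owner: str, rrtype: str) -> bool:
    if rule.rrtypes and rrtype.upper() not in rule.rrtypes:
        return False
    if rule.nametype == "ms-self":
        # machine$@REALM may touch only machine.REALM, and only when REALM is
        # the realm named in the rule's identity field (assumed semantics).
        if "@" not in signer:
            return False
        machine, realm = signer.split("@", 1)
        if realm != rule.identity or not machine.endswith("$"):
            return False
        return owner == f"{machine[:-1]}.{realm}"
    # wildcard: the signer must be exactly the listed identity
    return signer == rule.identity and _wildcard_matches(rule.name, owner)


def decide(rules, signer: str, owner: str, rrtype: str) -> Optional[Rule]:
    """Return the first rule that matches, or None (no rule applies: implicit deny)."""
    signer, owner = _norm(signer), _norm(owner)
    for rule in rules:
        if _rule_matches(rule, signer, owner, rrtype):
            return rule
    return None


def allowed(rules, signer: str, owner: str, rrtype: str) -> bool:
    rule = decide(rules, signer, owner, rrtype)
    return rule is not None and rule.action == "grant"


def audit(rules, signer: str, candidates) -> list:
    """List the (owner, type) pairs from candidates that signer may change."""
    return sorted((o, t) for o, t in candidates if allowed(rules, signer, o, t))


# The policy quoted in the thread (realm names are the thread's placeholders).
THREAD_POLICY = """
    grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
    grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
    grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
"""

if __name__ == "__main__":
    rules = parse_update_policy(THREAD_POLICY)
    sample = [("client1.ad.DOMAIN2.SUBDOMAIN.TLD", "A"),
              ("client2.ad.DOMAIN2.SUBDOMAIN.TLD", "A"),
              ("_ldap._tcp.ad.DOMAIN2.SUBDOMAIN.TLD", "SRV")]  # constructed names
    for signer in ("CLIENT1$@AD.DOMAIN2.SUBDOMAIN.TLD", "DOMAIN2$@AD.DOMAIN2.SUBDOMAIN.TLD"):
        print(signer, "->", audit(rules, signer, sample))
```

Running the script shows the difference the thread is asking about: a joined workstation's principal can only rewrite its own A/AAAA names, the DC's machine account can rewrite any A, AAAA, SRV or CNAME in the zone, and neither can touch other record types. That is narrower than a shared `rndc-key`, which `allow-update { key rndc-key; }` lets any holder use for any record, so the grant method is the least-privilege option provided the signer's identity is established by GSS-TSIG (Kerberos) rather than a key file readable by every client.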