[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC

Jeff Sadowski jeff.sadowski at gmail.com
Fri May 27 16:11:19 UTC 2016


https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
helped me find that I needed to add

options {
     [...]
     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
     [...]
};

That seems to have fixed my errors with DNS.

On Fri, May 27, 2016 at 9:26 AM, Rowland penny <rpenny at samba.org> wrote:

> On 27/05/16 14:37, Jeff Sadowski wrote:
>
>> I had left my config alone for now and dhcp still writes to
>> DOMAIN1.SUBDOMAIN.TLD.  But samba has been complaining about not being
>> able to write to bind in its zone.
>>
>> [2016/05/27 07:30:06.738434,  0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>>   ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL
>>
>> If you are right about it using kerberos, I think I am missing a bit more
>> configuration to allow bind to use kerberos. I have a place for it to use
>> the key but nothing in it about kerberos and how to verify that.
>>
>> On Mon, May 23, 2016 at 10:35 AM, mathias dufresne <infractory at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Why modify a working conf when you can build your DC on other systems
>>> (VM)? That could be really nice to learn but you add a lot of complexity
>>> to your process, I think.
>>> Why not use DLZ to access your AD zones? I expect Bind to be able to mix
>>> its behaviour: flat file for some zones, DLZ for others...
>>>
>>> Now regarding:
>>> update-policy {
>>>                  grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>>                  grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>                  grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>> };
>>> For me this means:
>>> grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>> Grant any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) to
>>> modify A and AAAA it owns (ms-self) from any host (*).
>>>
>>> grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>> Grant Administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD to do anything
>>> on any A AAAA SRV CNAME from any host.
>>>
>>> Same for the last one.
>>>
>>> I'm really a newcomer to the DNS world; these thoughts come from
>>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>>>
>>> These lines should make your Bind use Kerberos. At least I do hope the
>>> authentication is Kerberos (that's AD!). If it is Kerberos authentication,
>>> I expect you can rely on it as almost the whole world relies on Kerberos
>>> these days : )
>>>
>>> A last thing regarding ISC's key method:
>>> https://bugzilla.samba.org/show_bug.cgi?id=11520
>>> I don't mean this bug has something to do with what you want to achieve,
>>> simply it could be a good thing to read if you understand anything about
>>> ISC's key method (which I don't); perhaps you could find some leads to
>>> follow or some information to avoid that configuration.
>>>
>>> Sorry not to help more. Have a nice day,
>>>
>>> mathias
>>>
>>>
>>>
>>> 2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>>>
>>>> So I had dhcp, radvd and bind working together nicely and now I threw in
>>>> a wrench of setting up an AD DC
>>>>
>>>> I want to change my dhcp server setting to put clients into the new AD
>>>> Domain but am a little hesitant as it is all working so nicely with DDNS.
>>>>
>>>> I'm starting to think all I need to do is edit just my dhcpd.conf and
>>>> change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD,
>>>> a little touch-up of db.self, and comment out and eventually remove
>>>> DOMAIN1 entries as everything is working as I like.
>>>>
>>>> My concern is moving from
>>>>          allow-update { key rndc-key; };
>>>>          notify yes;
>>>> to
>>>>          update-policy {
>>>>                  grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>>>                  grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>>                  grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>>          };
>>>>
>>>> The latter being produced when I created the domain in the example
>>>> configs that I copied into mine.
>>>> I think what that is saying is let the domain controller by name have
>>>> access to the domain's entries.
>>>> I'm a little concerned about verification as I know the key method is
>>>> safe and I'm not so sure about the grant method.
>>>>
>>>> Is there a way to have samba use ISC's key method?
>>>> Anyone have any suggestions?
>>>>
>>>> My current setup is as below.
>>>>
>>>> My server name is the same as DOMAIN2; it has an ipv4 address of
>>>> 192.168.1.1 and an ipv6 address of fc00:1::1111:1111:1111:1111.
>>>> Its outside addresses are dhcp from my ISP; I do ip masquerade on both
>>>> ipv4 and ipv6.
>>>>
>>>>
>>>> My dhcpd.conf looks as follows
>>>> #================START=======================
>>>> ddns-updates on;
>>>> ddns-update-style interim;
>>>> ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
>>>> ddns-rev-domainname "in-addr.arpa.";
>>>> ignore client-updates;
>>>> option domain-search-order code 119 = string;
>>>> include "/etc/rndc.key";
>>>> zone DOMAIN1.SUBDOMAIN.TLD {
>>>>   primary 192.168.1.1;
>>>>   key rndc-key;
>>>> }
>>>> zone 1.168.192.in-addr.arpa. {
>>>>   primary 192.168.1.1;
>>>>   key rndc-key;
>>>> }
>>>> default-lease-time 100000;
>>>> max-lease-time 1000000;
>>>> subnet 192.168.1.0 netmask 255.255.255.0 {
>>>>   range 192.168.1.10 192.168.1.200;
>>>>   option routers 192.168.1.1;
>>>>   option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
>>>>   option domain-name-servers 192.168.1.1;
>>>>   option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
>>>>   next-server 192.168.1.1;
>>>>   filename "/pxelinux.0";
>>>>   allow unknown-clients;
>>>> }
>>>> #================END=========================
>>>>
>>>> My radvd.conf looks like so
>>>> #================START=======================
>>>> interface eth0
>>>> {
>>>>   AdvSendAdvert on;
>>>>   prefix fc00:1::/64
>>>>   {
>>>>    AdvOnLink on;
>>>>    AdvAutonomous on;
>>>>   };
>>>>   RDNSS fc00:1::1111:1111:1111:1111 {};
>>>> };
>>>> #================END=========================
>>>>
>>>> My named.conf after adding my samba looks like so
>>>> #================START=======================
>>>> options {
>>>>          listen-on port 53 { 127.0.0.1; 192.168.1.1; };
>>>>          listen-on-v6 port 53 { ::1; };
>>>>          directory       "/var/named";
>>>>          dump-file       "/var/named/data/cache_dump.db";
>>>>          statistics-file "/var/named/data/named_stats.txt";
>>>>          memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>          allow-query     { localhost; 192.168.1.0/16; };
>>>>          recursion yes;
>>>>          dnssec-enable yes;
>>>>          dnssec-validation yes;
>>>>          dnssec-lookaside auto;
>>>>          bindkeys-file "/etc/named.iscdlv.key";
>>>>          managed-keys-directory "/var/named/dynamic";
>>>>          pid-file "/run/named/named.pid";
>>>>          session-keyfile "/run/named/session.key";
>>>> };
>>>> logging {
>>>>          channel default_debug {
>>>>                  file "data/named.run";
>>>>                  severity dynamic;
>>>>          };
>>>> };
>>>> zone "." IN {
>>>>          type hint;
>>>>          file "named.ca";
>>>> };
>>>> zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
>>>>          type master;
>>>>          file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
>>>>          allow-update { key rndc-key; };
>>>>          notify yes;
>>>> };
>>>> zone "DOMAIN1.SUBDOMAIN.TLD" IN {
>>>>          type master;
>>>>          file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
>>>>          allow-update { key rndc-key; };
>>>>          notify yes;
>>>> };
>>>> zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
>>>>          type master;
>>>>          file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
>>>>          update-policy {
>>>>                  grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>>>                  grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>>                  grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>>          };
>>>>          check-names ignore;
>>>> };
>>>> zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
>>>> #================END=========================
>>>>
>>>> content of db.self
>>>> #================START=======================
>>>> $TTL 604800     ; 1 week
>>>> @           IN SOA  ns.DOMAIN1.SUBDOMAIN.TLD MY.EMAIL. (
>>>>                                  2014092401 ; serial
>>>>                                  604800     ; refresh (1 week)
>>>>                                  86400      ; retry (1 day)
>>>>                                  2419200    ; expire (4 weeks)
>>>>                                  604800     ; minimum (1 week)
>>>>                                  )
>>>>                          NS      ns.DOMAIN1.SUBDOMAIN.TLD.
>>>> @       IN      A       192.168.1.252
>>>> @       IN      MX      10      DOMAIN2.SUBDOMAIN.TLD.
>>>> @       IN      TXT     "v=spf1 mx a -all"
>>>> #================END=========================
>>>>
>>>> my smb.conf looks like
>>>> #================START=======================
>>>> [global]
>>>>          netbios name = DOMAIN2
>>>>          realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>          workgroup = AD
>>>>          server role = active directory domain controller
>>>>          idmap_ldb:use rfc2307 = yes
>>>> [netlogon]
>>>>          path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
>>>>          read only = No
>>>> [sysvol]
>>>>          path = /var/lib/samba/sysvol
>>>>          read only = No
>>>> #================END=========================
>>>>
>>>>
>>>> my krb5.conf looks like
>>>> #================START=======================
>>>> [libdefaults]
>>>>          default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>>>          dns_lookup_realm = false
>>>>          dns_lookup_kdc = true
>>>> #================END=========================
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
> You are going about this the wrong way: you do not set up dhcp and bind
> and then add a Samba4 AD DC; you set up the AD DC with bind9 and then add
> the dhcp server.
>
>
You're right, now I will try adding dhcp to that same rule set.


> Rowland
