[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
Jeff Sadowski
jeff.sadowski at gmail.com
Fri May 27 17:07:08 UTC 2016
On Fri, May 27, 2016 at 10:23 AM, Rowland penny <rpenny at samba.org> wrote:
> On 27/05/16 17:11, Jeff Sadowski wrote:
>
>> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>> helped me find that I needed to add
>>
>> options {
>> [...]
>> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>> [...]
>> };
>> That seems to have fixed my errors with DNS
>>
>> On Fri, May 27, 2016 at 9:26 AM, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 27/05/16 14:37, Jeff Sadowski wrote:
>>
>> I had left my config alone for now and dhcp still writes to
>> DOMAIN1.SUBDOMAIN.TLD. But samba has been complaining about not being able
>> to write to bind in its zone.
>>
>> [2016/05/27 07:30:06.738434, 0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL
>>
>> If you are right about it using kerberos I think I am missing a bit more
>> configuration to allow bind to use kerberos. I have a place for it to use
>> the key but nothing in it about kerberos and how to verify that.
>>
>> On Mon, May 23, 2016 at 10:35 AM, mathias dufresne <infractory at gmail.com> wrote:
>>
>> Hi,
>>
>> Why modify a working conf when you can build your DC on other systems
>> (VM)? That could be really nice to learn but you add a lot of complexity in
>> your process, I think.
>> Why not use DLZ to access your AD zones? I expect Bind to be able to mix
>> its behaviour: flat file for some zones, DLZ for others...
>>
>> Now regarding:
>> update-policy {
>>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>> };
>> For me this means:
>> grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>> Grant any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) to
>> modify A and AAAA it owns (ms-self) from any host (*).
>>
>> grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>> Grant administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD to do anything on
>> any A AAAA SRV CNAME from any host
>>
>> same for last one.
>>
>> I'm really a new comer to DNS world, these thoughts come from
>>
>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>>
>> These lines should make your Bind use Kerberos. At least I do hope the
>> authentication is Kerberos (that's AD!). If it is kerberos authentication,
>> I expect you can rely on it as almost the whole world relies on Kerberos
>> these days : )
>>
>> A last thing regarding ISC's key method:
>> https://bugzilla.samba.org/show_bug.cgi?id=11520
>> I don't mean this bug has something to do with what you want to achieve,
>> simply it could be a good thing to read if you understand anything of ISC's
>> key method (that I don't), perhaps you could find some leads to follow or
>> some information to avoid that configuration.
>>
>> Sorry not to help more. Have a nice day,
>>
>> mathias
>>
>>
>>
>> 2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>>
>>
>> So I had dhcp, radvd and bind working together nicely and now I threw in a
>> wrench of setting up an AD DC
>>
>> I want to change my dhcp server setting to put clients into the new AD
>> Domain but am a little hesitant as it is all working so nicely with DDNS
>>
>> I'm starting to think all I need to do is edit just my dhcpd.conf and
>> change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD
>> A little touch up of db.self and comment out and eventually remove DOMAIN1
>> entries as everything is working as I like.
>>
>> My concern is moving from
>> allow-update { key rndc-key; };
>> notify yes;
>> to
>> update-policy {
>>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>> };
>>
>> The latter being produced when I created the domain in the example configs
>> that I copied into mine.
>> I think what that is saying is let the domain controller by name have
>> access to the domain's entries
>> I'm a little concerned about verification as I know the key method is safe
>> and I'm not so sure about the grant method.
>>
>> Is there a way to have samba use ISC's key method?
>> Anyone have any suggestions?
>>
>> My current setup is as below.
>>
>> My server name is the same as DOMAIN2. It has an ipv4 address of 192.168.1.1
>> and an ipv6 address of fc00:1::1111:1111:1111:1111
>> Its outside addresses are dhcp from my ISP. I do ip masquerade on both ipv4
>> and ipv6
>>
>>
>> My dhcpd.conf looks as follows
>> #================START=======================
>> ddns-updates on;
>> ddns-update-style interim;
>> ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
>> ddns-rev-domainname "in-addr.arpa.";
>> ignore client-updates;
>> option domain-search-order code 119 = string;
>> include "/etc/rndc.key";
>> zone DOMAIN1.SUBDOMAIN.TLD {
>>     primary 192.168.1.1;
>>     key rndc-key;
>> }
>> zone 1.168.192.in-addr.arpa. {
>>     primary 192.168.1.1;
>>     key rndc-key;
>> }
>> default-lease-time 100000;
>> max-lease-time 1000000;
>> subnet 192.168.1.0 netmask 255.255.255.0 {
>>     range 192.168.1.10 192.168.1.200;
>>     option routers 192.168.1.1;
>>     option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
>>     option domain-name-servers 192.168.1.1;
>>     option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
>>     next-server 192.168.1.1;
>>     filename "/pxelinux.0";
>>     allow unknown-clients;
>> }
>> #================END=========================
>>
>> My radvd.conf looks like so
>> #================START=======================
>> interface eth0
>> {
>> AdvSendAdvert on;
>> prefix fc00:1::/64
>> {
>> AdvOnLink on;
>> AdvAutonomous on;
>> };
>> RDNSS fc00:1::1111:1111:1111:1111 {};
>> };
>> #================END=========================
>>
>> My named.conf after adding my samba looks like so
>> #================START=======================
>> options {
>>     listen-on port 53 { 127.0.0.1; 192.168.1.1; };
>>     listen-on-v6 port 53 { ::1; };
>>     directory "/var/named";
>>     dump-file "/var/named/data/cache_dump.db";
>>     statistics-file "/var/named/data/named_stats.txt";
>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>>     allow-query { localhost; 192.168.1.0/16; };
>>     recursion yes;
>>     dnssec-enable yes;
>>     dnssec-validation yes;
>>     dnssec-lookaside auto;
>>     bindkeys-file "/etc/named.iscdlv.key";
>>     managed-keys-directory "/var/named/dynamic";
>>     pid-file "/run/named/named.pid";
>>     session-keyfile "/run/named/session.key";
>> };
>> logging {
>>     channel default_debug {
>>         file "data/named.run";
>>         severity dynamic;
>>     };
>> };
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>> zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
>>     type master;
>>     file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
>>     allow-update { key rndc-key; };
>>     notify yes;
>> };
>> zone "DOMAIN1.SUBDOMAIN.TLD" IN {
>>     type master;
>>     file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
>>     allow-update { key rndc-key; };
>>     notify yes;
>> };
>> zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
>>     type master;
>>     file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
>>     update-policy {
>>         grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>         grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>         grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>     };
>>     check-names ignore;
>> };
>> zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
>> #================END=========================
>>
>> content of db.self
>> #================START=======================
>> $TTL 604800 ; 1 week
>> @ IN SOA ns.DOMAIN1.SUBDOMAIN.TLD MY.EMAIL. (
>>         2014092401 ; serial
>>         604800     ; refresh (1 week)
>>         86400      ; retry (1 day)
>>         2419200    ; expire (4 weeks)
>>         604800     ; minimum (1 week)
>>         )
>>     NS ns.DOMAIN1.SUBDOMAIN.TLD.
>> @ IN A 192.168.1.252
>> @ IN MX 10 DOMAIN2.SUBDOMAIN.TLD.
>> @ IN TXT "v=spf1 mx a -all"
>> #================END=========================
>>
>> my smb.conf looks like
>> #================START=======================
>> [global]
>>     netbios name = DOMAIN2
>>     realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>     workgroup = AD
>>     server role = active directory domain controller
>>     idmap_ldb:use rfc2307 = yes
>> [netlogon]
>>     path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
>>     read only = No
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>> #================END=========================
>>
>>
>> my krb5.conf looks like
>> #================START=======================
>> [libdefaults]
>> default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> #================END=========================
>> --
>> To unsubscribe from this list go to the following URL
>> and read the
>> instructions:
>> https://lists.samba.org/mailman/options/samba
>>
>>
>>
>> You are going about this the wrong way, you do not set up dhcp and bind
>> then add a Samba4 AD DC, you set up the AD DC with bind9 and then add the
>> dhcp server.
>>
>>
>> You're right, now I will try adding dhcp to that same rule set
>>
>>
>>
> I will give you a few hints: 'on commit' 'on release' and 'on expiry' :-)
This page http://www.zytrax.com/books/dns/ch9/dhcp.html makes it seem that
I can replace the
    allow-update {key "ddns-a-rrs";}; # allowed key
with
    update-policy {grant "ddns-a-ptr" self * A TXT DHCID;};
so I just added "grant rndc-key self * A TXT DHCID;" to my update policy.
>
> Rowland
>
> PS: if you get stuck, I could always tell you how I have been doing it for
> nearly 4 years.
>
>
>
>
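As an added example (not code from this thread, from Samba or from BIND), the following Python script is a small model of how BIND 9 evaluates an `update-policy` block: rules are tried in order, the first rule whose identity, name test and type list all match decides, and an update nobody grants is refused. It is run against the three rules Samba generated for the `ad.DOMAIN2.SUBDOMAIN.TLD` zone plus the `grant rndc-key self * A TXT DHCID;` line described above. The `dhcp-update-key` key name, the `subdomain` variant of the DHCP rule and the `client7`/`client8` host names are assumptions made for the example; DNS wildcard expansion is approximated with shell-style matching. Two things it makes visible: `ms-self` only lets a machine principal `HOST$@REALM` touch the name `host.realm`, and a `self` rule compares the signer's name with the owner name being updated, so a TSIG key called `rndc-key` can never match a client record under `self`.

```python
"""Simplified model of BIND 9 update-policy matching (added example, not BIND code)."""
import fnmatch
from dataclasses import dataclass

# Types NOT covered by a rule that lists no types (BIND's default set).
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


def canon(name: str) -> str:
    """DNS names compare case-insensitively, with or without a trailing dot."""
    return name.strip().rstrip(".").lower()


def within(owner: str, apex: str) -> bool:
    """True if owner is apex or a name below it (both already canonical)."""
    return owner == apex or owner.endswith("." + apex)


@dataclass(frozen=True)
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # TSIG key name, Kerberos principal, or the realm for ms-self
    ruletype: str      # self | ms-self | name | subdomain | wildcard | zonesub
    name: str          # name field; placeholder for self/ms-self, absent for zonesub
    types: frozenset   # RR types; empty means BIND's default set


def parse_policy(text: str) -> list:
    """Parse an update-policy { ... } block, one rule per ';'."""
    rules = []
    for stmt in text.replace("{", " ").replace("}", " ").split(";"):
        w = stmt.replace('"', "").split()
        if w and w[0] == "update-policy":
            w = w[1:]
        if not w:
            continue
        action, identity, ruletype = w[0].lower(), w[1], w[2].lower()
        if ruletype == "zonesub":          # zonesub takes no name field
            name, types = "", w[3:]
        else:
            name, types = w[3], w[4:]
        rules.append(Rule(action, identity, ruletype, name,
                          frozenset(t.upper() for t in types)))
    return rules


def name_matches(rule: Rule, signer: str, owner: str, zone: str) -> bool:
    """Does the rule's identity check and name test accept this signer/owner pair?"""
    s, o, n = canon(signer), canon(owner), canon(rule.name)
    if rule.ruletype == "ms-self":
        # signer must be MACHINE$@REALM with REALM == identity field, and the
        # owner must be machine.realm (what 'grant REALM ms-self * A AAAA' relies on)
        machine, at, realm = signer.partition("@")
        return (at == "@" and machine.endswith("$")
                and canon(realm) == canon(rule.identity)
                and o == canon(machine[:-1]) + "." + canon(realm))
    if rule.identity != "*" and canon(rule.identity) != s:
        return False
    if rule.ruletype == "self":
        return o == s                      # owner must equal the key/principal name
    if rule.ruletype == "name":
        return o == n
    if rule.ruletype == "subdomain":
        return within(o, n)
    if rule.ruletype == "wildcard":
        return fnmatch.fnmatchcase(o, n)   # approximation of DNS wildcard expansion
    if rule.ruletype == "zonesub":
        return within(o, canon(zone))
    raise ValueError("unsupported rule type: " + rule.ruletype)


def type_matches(rule: Rule, rtype: str) -> bool:
    t = rtype.upper()
    if not rule.types:
        return t not in DEFAULT_EXCLUDED
    if "ANY" in rule.types:
        return t not in {"NSEC", "NSEC3"}
    return t in rule.types


def is_allowed(rules, signer, owner, rtype, zone) -> bool:
    """First matching rule decides; a name outside the zone or no match is refused."""
    if not within(canon(owner), canon(zone)):
        return False
    for rule in rules:
        if name_matches(rule, signer, owner, zone) and type_matches(rule, rtype):
            return rule.action == "grant"
    return False


ZONE = "ad.DOMAIN2.SUBDOMAIN.TLD"
REALM = "AD.DOMAIN2.SUBDOMAIN.TLD"

# Samba's generated rules from the thread plus the 'self' line added for rndc-key.
THREAD_POLICY = """update-policy {
  grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
  grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
  grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
  grant rndc-key self * A TXT DHCID;
};"""
# Assumed alternative (not from the thread): a DHCP-only TSIG key confined to the
# zone and to the record types dhcpd writes.
DHCP_POLICY = THREAD_POLICY.replace(
    "grant rndc-key self * A TXT DHCID;",
    "grant dhcp-update-key subdomain ad.DOMAIN2.SUBDOMAIN.TLD. A TXT DHCID;")


def demo() -> dict:
    """Constructed test updates (host names are made up) against both policies."""
    t, d = parse_policy(THREAD_POLICY), parse_policy(DHCP_POLICY)
    host = "client7." + ZONE
    return {
        "machine_updates_own_a":   is_allowed(t, "CLIENT7$@" + REALM, host, "A", ZONE),
        "machine_updates_other_a": is_allowed(t, "CLIENT7$@" + REALM, "client8." + ZONE, "A", ZONE),
        "admin_updates_srv":       is_allowed(t, "Administrator@" + REALM, "_ldap._tcp." + ZONE, "SRV", ZONE),
        "admin_updates_txt":       is_allowed(t, "Administrator@" + REALM, host, "TXT", ZONE),
        "rndc_self_updates_host":  is_allowed(t, "rndc-key", host, "A", ZONE),
        "dhcp_key_updates_host":   is_allowed(d, "dhcp-update-key", host, "A", ZONE),
        "dhcp_key_updates_srv":    is_allowed(d, "dhcp-update-key", "_ldap._tcp." + ZONE, "SRV", ZONE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} {'allowed' if ok else 'refused'}")
```

The model is only a reading aid for the policy; to confirm what the real server does, send a test update signed with the key (`nsupdate -k <keyfile>`) or with a Kerberos ticket (`nsupdate -g`) and read the refusal or success in the named log. The `subdomain` variant also shows the least-privilege shape for a DHCP key: its own key rather than the rndc control key, one zone, and only the A, TXT and DHCID types dhcpd writes (the reverse zone needs its own rule for PTR).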