[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC

Rowland penny rpenny at samba.org
Fri May 27 17:17:27 UTC 2016


On 27/05/16 18:07, Jeff Sadowski wrote:
>
>
> On Fri, May 27, 2016 at 10:23 AM, Rowland penny <rpenny at samba.org> wrote:
>
>     On 27/05/16 17:11, Jeff Sadowski wrote:
>
>         https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>         helped me find that I needed to add
>
>         options {
>               [...]
>               tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>               [...]
>         };
>         That seems to have fixed my errors with DNS
>
>         On Fri, May 27, 2016 at 9:26 AM, Rowland penny
>         <rpenny at samba.org> wrote:
>
>             On 27/05/16 14:37, Jeff Sadowski wrote:
>
>                 I had left my config alone for now and dhcp still writes to
>                 DOMAIN1.SUBDOMAIN.TLD.  But samba has been complaining about
>                 not being able to write to bind in its zone.
>
>                 [2016/05/27 07:30:06.738434,  0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>                 ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL
>
>                 If you are right about it using kerberos I think I am missing
>                 a bit more configuration to allow bind to use kerberos. I have
>                 a place for it to use the key but nothing in it about kerberos
>                 and how to verify that.
>
>                 On Mon, May 23, 2016 at 10:35 AM, mathias dufresne
>                 <infractory at gmail.com> wrote:
>
>                     Hi,
>
>                     Why modify a working conf when you can build your DC on
>                     other systems (VM)? That could be really nice to learn but
>                     you add a lot of complexity in your process, I think.
>                     Why not use DLZ to access your AD zones? I expect Bind to
>                     be able to mix its behaviour: flat file for some zones, DLZ
>                     for others...
>
>                     Now regarding:
>                     update-policy {
>                             grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>                             grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>                             grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>                     };
>                     For me this means:
>                     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>                     Grant any authenticated user (from domain
>                     AD.DOMAIN2.SUBDOMAIN.TLD) to modify A and AAAA it owns
>                     (ms-self) from any host (*).
>
>                     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>                     Grant administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD
>                     to do anything on any A AAAA SRV CNAME from any host
>
>                     same for last one.
>
>                     I'm really a newcomer to the DNS world, these thoughts
>                     come from
>                     http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>
>                     These lines should make your Bind use Kerberos. At least
>                     I do hope the authentication is Kerberos (that's AD!). If it
>                     is kerberos authentication, I expect you can rely on it as
>                     almost the whole world relies on Kerberos these days : )
>
>                     A last thing regarding ISC's key method:
>                     https://bugzilla.samba.org/show_bug.cgi?id=11520
>                     I don't mean this bug has something to do with what you
>                     want to achieve, simply it could be a good thing to read if
>                     you understand anything of ISC's key method (that I don't),
>                     perhaps you could find some leads to follow or some
>                     information to avoid that configuration.
>
>                     Sorry not to help more. Have a nice day,
>
>                     mathias
>
>
>
>                     2016-05-18 18:13 GMT+02:00 Jeff Sadowski
>                     <jeff.sadowski at gmail.com>:
>
>
>                         So I had dhcp, radvd and bind working together nicely
>                         and now I threw in a wrench of setting up an AD DC
>
>                         I want to change my dhcp server setting to put clients
>                         into the new AD Domain but am a little hesitant as it
>                         is all working so nicely with DDNS
>
>                         I'm starting to think all I need to do is edit just my
>                         dhcpd.conf and change occurrences of DOMAIN1.SUBDOMAIN.TLD
>                         to AD.DOMAIN2.SUBDOMAIN.TLD
>                         A little touch up of db.self and comment out and
>                         eventually remove DOMAIN1 entries as everything is
>                         working as I like.
>
>                         My concern is moving from
>                                  allow-update { key rndc-key; };
>                                  notify yes;
>                         to
>                                  update-policy {
>                                          grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>                                          grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>                                          grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>                                  };
>
>                         The latter being produced when I created the domain in
>                         the example configs that I copied into mine.
>                         I think what that is saying is let the domain controller
>                         by name have access to the domain's entries
>                         I'm a little concerned about verification as I know the
>                         key method is safe and I'm not so sure about the grant
>                         method.
>
>                         Is there a way to have samba use ISC's key method?
>                         Anyone have any suggestions?
>
>                         My current setup is as below.
>
>                         My server name is the same as DOMAIN2, it has an ipv4
>                         address of 192.168.1.1 and an ipv6 address of
>                         fc00:1::1111:1111:1111:1111
>                         Its outside addresses are dhcp from my ISP, I do ip
>                         masquerade on both ipv4 and ipv6
>
>
>                         My dhcpd.conf looks as follows
>         #================START=======================
>                         ddns-updates on;
>                         ddns-update-style interim;
>                         ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
>                         ddns-rev-domainname "in-addr.arpa.";
>                         ignore client-updates;
>                         option domain-search-order code 119 = string;
>                         include "/etc/rndc.key";
>                         zone DOMAIN1.SUBDOMAIN.TLD {
>                           primary 192.168.1.1;
>                           key rndc-key;
>                         }
>                         zone 1.168.192.in-addr.arpa. {
>                           primary 192.168.1.1;
>                           key rndc-key;
>                         }
>                         default-lease-time 100000;
>                         max-lease-time 1000000;
>                         subnet 192.168.1.0 netmask 255.255.255.0 {
>                           range 192.168.1.10 192.168.1.200;
>                           option routers 192.168.1.1;
>                           option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
>                           option domain-name-servers 192.168.1.1;
>                           option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
>                           next-server 192.168.1.1;
>                           filename "/pxelinux.0";
>                           allow unknown-clients;
>                         }
>         #================END=========================
>
>                         My radvd.conf looks like so
>         #================START=======================
>                         interface eth0
>                         {
>                           AdvSendAdvert on;
>                           prefix fc00:1::/64
>                           {
>                            AdvOnLink on;
>                            AdvAutonomous on;
>                           };
>                           RDNSS fc00:1::1111:1111:1111:1111 {};
>                         };
>         #================END=========================
>
>                         My named.conf after adding my samba looks like so
>         #================START=======================
>                         options {
>                                  listen-on port 53 { 127.0.0.1; 192.168.1.1; };
>                                  listen-on-v6 port 53 { ::1; };
>                                  directory  "/var/named";
>                                  dump-file "/var/named/data/cache_dump.db";
>                                  statistics-file "/var/named/data/named_stats.txt";
>                                  memstatistics-file "/var/named/data/named_mem_stats.txt";
>                                  allow-query     { localhost; 192.168.1.0/16; };
>                                  recursion yes;
>                                  dnssec-enable yes;
>                                  dnssec-validation yes;
>                                  dnssec-lookaside auto;
>                                  bindkeys-file "/etc/named.iscdlv.key";
>                                  managed-keys-directory "/var/named/dynamic";
>                                  pid-file "/run/named/named.pid";
>                                  session-keyfile "/run/named/session.key";
>                         };
>                         logging {
>                                  channel default_debug {
>                                          file "data/named.run";
>                                          severity dynamic;
>                                  };
>                         };
>                         zone "." IN {
>                                  type hint;
>                                  file "named.ca";
>                         };
>                         zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
>                                  type master;
>                                  file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
>                                  allow-update { key rndc-key; };
>                                  notify yes;
>                         };
>                         zone "DOMAIN1.SUBDOMAIN.TLD" IN {
>                                  type master;
>                                  file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
>                                  allow-update { key rndc-key; };
>                                  notify yes;
>                         };
>                         zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
>                                  type master;
>                                  file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
>                                  update-policy {
>                                          grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>                                          grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>                                          grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>                                  };
>                                  check-names ignore;
>                         };
>                         zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
>         #================END=========================
>
>                         content of db.self
>         #================START=======================
>                         $TTL 604800     ; 1 week
>                         @       IN      SOA     ns.DOMAIN1.SUBDOMAIN.TLD. MY.EMAIL. (
>                                                 2014092401 ; serial
>                                                 604800     ; refresh (1 week)
>                                                 86400      ; retry (1 day)
>                                                 2419200    ; expire (4 weeks)
>                                                 604800     ; minimum (1 week)
>                                                 )
>                                         NS      ns.DOMAIN1.SUBDOMAIN.TLD.
>                         @       IN      A       192.168.1.252
>                         @       IN      MX      10 DOMAIN2.SUBDOMAIN.TLD.
>                         @       IN      TXT     "v=spf1 mx a -all"
>         #================END=========================
>
>                         my smb.conf looks like
>         #================START=======================
>                         [global]
>                                  netbios name = DOMAIN2
>                                  realm = AD.DOMAIN2.SUBDOMAIN.TLD
>                                  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>                                  workgroup = AD
>                                  server role = active directory domain controller
>                                  idmap_ldb:use rfc2307 = yes
>                         [netlogon]
>                                  path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
>                                  read only = No
>                         [sysvol]
>                                  path = /var/lib/samba/sysvol
>                                  read only = No
>         #================END=========================
>
>
>                         my krb5.conf looks like
>         #================START=======================
>                         [libdefaults]
>                                  default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
>                                  dns_lookup_realm = false
>                                  dns_lookup_kdc = true
>         #================END=========================
>                         --
>                         To unsubscribe from this list go to the following URL
>                         and read the instructions:
>                         https://lists.samba.org/mailman/options/samba
>
>
>
>             You are going about this the wrong way, you do not setup dhcp and
>             bind then add a Samba4 AD DC, you setup the AD DC with bind9 and
>             then add the dhcp server.
>
>
>         You're right, now I will try adding dhcp to that same rule set
>
>
>
>     I will give you a few hints: 'on commit' 'on release' and 'on
>     expiry' :-)
>
>
> This page http://www.zytrax.com/books/dns/ch9/dhcp.html makes it seem
> that I can replace the
>
>   allow-update {key "ddns-a-rrs";}; # allowed key
>  with
>   update-policy {grant "ddns-a-ptr" self * A TXT DHCID;};
>
> so I just added "grant rndc-key self * A TXT DHCID;" to my update policy
>
>
>
>     Rowland
>
>     PS: if you get stuck, I could always tell you how I have been
>     doing it for nearly 4 years.
>
>
>
>
>
>

What about the reverse zone ?

Anyway, what do I know, as I said, I have only been using Samba4, Bind9 
and dhcp for nearly 4 years without major incidence. I have seen plenty 
of others with problems, but my system has been rock solid, so obviously 
I don't know what I am doing :-)

Rowland
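Rowland's hints above ('on commit', 'on release', 'on expiry') are the lease event statements of dhcpd.conf, and his closing question is about the reverse zone. The script below is an added example, not code from this thread, from Samba or from ISC: it is the kind of hook body such an event statement could call, and it builds the nsupdate batch for one lease, including the PTR record in the reverse zone. The forward zone ad.DOMAIN2.SUBDOMAIN.TLD and server 192.168.1.1 are taken from the configs quoted above; the reverse zone, the TTL of 3600 and the host names are assumed values, not the poster's configuration.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or ISC): build the nsupdate batch
# that a dhcpd "on commit" / "on release" / "on expiry" hook would feed to
# `nsupdate -g`, so the DHCP server, not the client, maintains a lease's
# forward A record and its reverse PTR record.
#
# Assumed values (constructed for this example): AD forward zone
# ad.DOMAIN2.SUBDOMAIN.TLD, reverse zone 1.168.192.in-addr.arpa, DNS server
# (the DC) at 192.168.1.1, record TTL 3600.

FORWARD_ZONE="ad.DOMAIN2.SUBDOMAIN.TLD"
DNS_SERVER="192.168.1.1"
TTL=3600

# reverse_name IPV4 -> owner name of the PTR record,
# e.g. 192.168.1.42 -> 42.1.168.192.in-addr.arpa
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# valid_hostname NAME -> 0 if NAME is one plain DNS label, 1 otherwise.
# The host-name option is supplied by the client, so dots, spaces and other
# junk are rejected rather than becoming an owner name outside FORWARD_ZONE.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# build_update ACTION IPV4 HOSTNAME -> nsupdate script on stdout.
# ACTION is commit, release or expiry, matching dhcpd's event names.
# Forward and reverse records live in different zones, so each group ends
# with its own "send": one nsupdate message may only touch a single zone.
build_update() {
    action="$1"; ip="$2"; host="$3"
    valid_hostname "$host" || return 1
    fqdn="${host}.${FORWARD_ZONE}"
    ptr="$(reverse_name "$ip")"

    printf 'server %s\n' "$DNS_SERVER"
    case "$action" in
        commit)
            # Replace whatever A record the name had, then point the PTR back.
            printf 'update delete %s A\n' "$fqdn"
            printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
            printf 'send\n'
            printf 'update delete %s PTR\n' "$ptr"
            printf 'update add %s %s PTR %s.\n' "$ptr" "$TTL" "$fqdn"
            printf 'send\n'
            ;;
        release|expiry)
            # Only remove the A record that carries this lease's address, so a
            # host that has since renewed elsewhere keeps its current record.
            printf 'update delete %s A %s\n' "$fqdn" "$ip"
            printf 'send\n'
            printf 'update delete %s PTR\n' "$ptr"
            printf 'send\n'
            ;;
        *)
            return 1
            ;;
    esac
}

# Stand-alone demo: print the batch for a new lease. Inside the real hook the
# output would be piped into `nsupdate -g`, after `kinit -k` with the keytab
# of a dedicated dhcpd principal (hypothetical; the thread names none).
if [ "${1:-}" = "demo" ]; then
    build_update commit 192.168.1.42 pc1
fi
```

Wiring it up would be an `on commit { ... execute("/path/to/hook", "commit", <leased address>, <client host name>); }` statement in dhcpd.conf, with matching `on release` and `on expiry` blocks, and the hook piping this output into `nsupdate -g`, which authenticates with GSS-TSIG using the Kerberos credentials of the principal the hook runs as; that wiring is assumed here, the thread does not show it. Two points worth knowing when writing the matching `update-policy`: `self` only matches a record whose owner name equals the authenticated identity, so a principal that updates on behalf of many clients needs a `subdomain` or `wildcard` grant that is limited to the record types it actually writes, and the hostname check matters because a client that can pick an arbitrary owner name is also picking what ends up in the zone.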


