[Samba] Setup a new samba AD DC

Dario Lesca d.lesca at solinos.it
Tue Apr 25 23:55:16 UTC 2017


On Tue, 25/04/2017 at 14.36 +0100, Rowland Penny via samba wrote:
> > However I would like to enable also the DHCP service, and think
> > it's right to activate it on this server.
> > 
> > What is the best way to do so?
> 
> Well you could always do it the way I have been doing it for the last
> 5 years, see here:
> 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

I have set up DHCP as the howto says, and this is the result:

Problem 1:

On Fedora the script put into /etc/dhcp/bin cannot work:

# ls -ld /etc/ /etc/dhcp /etc/dhcp/bin/
drwxr-xr-x. 93 root root 8192 25 apr 19.46 /etc/
drwxr-x---.  4 root root  119 25 apr 16.13 /etc/dhcp
drwxr-xr-x   2 root root   28 25 apr 16.06 /etc/dhcp/bin/

because the dhcpd daemon does not have the right to access the /etc/dhcp
folder.

Solution 1:
I have moved the bin directory to /etc/samba and modified dhcpd.conf.

Problem 2:
At line 46 the script does "test -f /etc/dhcp/dhcpduser.keytab" but cannot
access it because of the previous problem (inaccessible /etc/dhcp/ dir),
so at line 47 it shows a mistaken error message: "Required keytab
/etc/dhcpduser.keytab not found".

Solution 2:
I have moved the dhcpduser.keytab file to /etc/samba and modified the
script (see attachment).

Problem 3:
For some strange reason the krbcc ticket cache /tmp/dhcp-dyndns.cc is not
readable by the dhcpd user; it is owned by root:root with 600 access.

Solution 3:
I have added a specific error message to the shell script and removed it
manually.

Problem 4:

The new ticket cache is not generated because user dhcpd cannot execute
kinit:
> # su - dhcpd -s /bin/bash
> -bash-4.3$ kinit -F -k -t /etc/samba/dhcpduser.keytab -c '/tmp/dhcp-dyndns.cc' 'dhcpduser@SOLINOS.LOC'
> kinit: Permission denied while initializing Kerberos 5 library
> -bash-4.3$ 

This problem is caused by access being denied to /etc/krb5.conf:
https://wiki.ncsa.illinois.edu/display/ITS/Kerberos+Troubleshooting+for+Unix#KerberosTroubleshootingforUnix-general

# ll /etc/krb5.conf
lrwxrwxrwx. 1 root root 32 25 apr 08.27 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
# ll /var/lib/samba/private/krb5.conf
-rw-r--r--. 1 root root 92 25 apr 08.26 /var/lib/samba/private/krb5.conf
# ll /var/lib/samba/private/ -d
drwxr-x---. 8 root named 4096 26 apr 00.48 /var/lib/samba/private/

Solution 4:
I have removed the symbolic link and copied the samba krb5.conf directly to
/etc.

Now, after this change, the dhcp script works: it can add the new DNS A
record and bind the new name to the assigned IP.

apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: Commit: IP: 10.11.12.100 DHCID: 1:52:54:0:93:83:52 Name: centos7
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[0] = /etc/samba/bin/dhcp-dyndns.sh
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[1] = add
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[2] = 10.11.12.100
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[3] = 1:52:54:0:93:83:52
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[4] = centos7
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: starting transaction on zone solinos.loc
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: allowing update of signer=dhcpduser\@SOLINOS.LOC name=centos7.solinos.loc tcpaddr=127.0.0.1 type=A key=3307522444.sig-fedora-addc.solinos.loc/160/0
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: allowing update of signer=dhcpduser\@SOLINOS.LOC name=centos7.solinos.loc tcpaddr=127.0.0.1 type=A key=3307522444.sig-fedora-addc.solinos.loc/160/0
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: client 127.0.0.1#33191/key dhcpduser\@SOLINOS.LOC: updating zone 'solinos.loc/NONE': deleting rrset at 'centos7.solinos.loc' A
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: client 127.0.0.1#33191/key dhcpduser\@SOLINOS.LOC: updating zone 'solinos.loc/NONE': adding an RR at 'centos7.solinos.loc' A 10.11.12.100
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: added rdataset centos7.solinos.loc 'centos7.solinos.loc.        3600        IN        A        10.11.12.100'
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: subtracted rdataset solinos.loc 'solinos.loc.        3600        IN        SOA        fedora-addc.solinos.loc. hostmaster.solinos.loc. 9 900 600 86400 3600'
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: added rdataset solinos.loc 'solinos.loc.        3600        IN        SOA        fedora-addc.solinos.loc. hostmaster.solinos.loc. 10 900 600 86400 3600'
apr 26 00:58:22 fedora-addc.solinos.loc named[901]: samba_dlz: committed transaction on zone solinos.loc
apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1946]: DHCP-DNS Update failed: 02
apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: execute: /etc/samba/bin/dhcp-dyndns.sh exit status 512
apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: DHCPREQUEST for 10.11.12.100 from 52:54:00:93:83:52 (centos7) via ens3
apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: DHCPACK on 10.11.12.100 to 52:54:00:93:83:52 (centos7) via ens3

[root@fedora-addc ~]# host centos7.solinos.loc
centos7.solinos.loc has address 10.11.12.100
[root@fedora-addc ~]# host 10.11.12.100
Host 100.12.11.10.in-addr.arpa. not found: 3(NXDOMAIN)

But the procedure fails to add the PTR record for the new IP.

It seems I have a DNS problem with the reverse zone.

# host 10.11.12.200 #(AD-DC IP)
Host 200.12.11.10.in-addr.arpa. not found: 3(NXDOMAIN)
# samba-tool dns zonelist $(hostname)
  2 zone(s) found

  pszZoneName                 : solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.solinos.loc

  pszZoneName                 : _msdcs.solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : ForestDnsZones.solinos.loc


I have tried to create the missing reverse zone:

# samba-tool dns zonecreate $(hostname) 12.11.10.in-addr.arpa
Zone 12.11.10.in-addr.arpa created successfully

But now the error when dhcp updates dns is:
apr 26 01:31:35 fedora-addc.solinos.loc named[901]: client 127.0.0.1#36099/key dhcpduser\@SOLINOS.LOC: updating zone '10.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)

Can someone help me to find what is the problem and how to resolve it?

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


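The four permission problems in the message above (the dhcpd user unable to traverse /etc/dhcp, the keytab behind it, a stale root-owned ticket cache, and a krb5.conf symlink pointing into a 750 root:named directory) and the final NOTAUTH on the reverse zone can all be caught before dhcpd ever calls the script. The following pre-flight check is an added example; it is not the Samba wiki's dhcp-dyndns.sh and not code from the post or its attachment. It assumes GNU or busybox stat and readlink, evaluates only the classic owner/group/other mode bits (an ACL or an SELinux policy, which the trailing "." in the ls output above indicates is active on that Fedora host, can still deny what these checks approve), and the user name and paths in the usage comment are simply the ones mentioned in the message.

```shell
#!/bin/sh
# Added example (not the Samba wiki's dhcp-dyndns.sh and not code from the post):
# pre-flight checks for the dhcpd -> kinit -> nsupdate chain discussed above.
# Assumes GNU/busybox stat and readlink; evaluates classic mode bits only, so an
# ACL or an SELinux policy can still deny what these checks approve.

# reverse_name 10.11.12.100 -> 100.12.11.10.in-addr.arpa (the PTR owner name)
reverse_name() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# reverse_zone IP PREFIXLEN -> the in-addr.arpa zone the server must be authoritative
# for before a PTR update of IP can succeed (classful /8, /16 and /24 only).
reverse_zone() {
    prefix=$2
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    case $prefix in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  echo "reverse_zone: only /8, /16 and /24 are handled" >&2; return 1 ;;
    esac
}

# has_perm UID "GID GID ..." PATH BIT   (BIT: 4=read, 2=write, 1=search/exec)
# Applies owner/group/other mode bits for that identity, so root can ask
# "what would the dhcpd user be allowed to do here?" without su.
has_perm() {
    uid=$1 gids=$2 path=$3 want=$4
    st=$(stat -c '%u %g %a' "$path") || return 1
    set -- $st
    fuid=$1 fgid=$2
    mode=$(printf '%03o' "0$3"); mode=${mode#"${mode%???}"}   # keep the rwx digits only
    if [ "$uid" -eq 0 ]; then return 0; fi                   # root bypasses mode bits
    if [ "$fuid" -eq "$uid" ]; then
        bits=${mode%??}                                      # owner digit
    else
        bits=${mode#??}                                      # other digit ...
        for g in $gids; do
            if [ "$g" -eq "$fgid" ]; then
                bits=${mode%?}; bits=${bits#?}               # ... unless a group matches
                break
            fi
        done
    fi
    [ $(( bits & want )) -ne 0 ]
}

# user_can_read UID "GIDS" FILE: every directory on the symlink-resolved path must
# grant search (x) and the file itself read (r). This is the chain that broke for
# /etc/dhcp (problems 1 and 2) and for the krb5.conf symlink (problem 4).
user_can_read() {
    uid=$1 gids=$2 file=$3
    case $file in /*) ;; *) file=$PWD/$file ;; esac
    if resolved=$(readlink -f "$file" 2>/dev/null) && [ -n "$resolved" ]; then
        file=$resolved
    fi
    p=$file
    while [ "$p" != / ]; do
        p=$(dirname "$p")
        if ! has_perm "$uid" "$gids" "$p" 1; then
            echo "uid $uid cannot search $p, so $file is unreachable" >&2
            return 1
        fi
    done
    if ! has_perm "$uid" "$gids" "$file" 4; then
        echo "uid $uid cannot read $file" >&2
        return 1
    fi
}

# cache_usable_by UID FILE: a leftover ccache owned by someone else (problem 3)
# makes kinit fail; a missing cache is fine because kinit creates it.
cache_usable_by() {
    uid=$1 file=$2
    if [ ! -e "$file" ]; then return 0; fi
    owner=$(stat -c '%u' "$file") || return 1
    [ "$owner" -eq "$uid" ]
}

# check_dhcpd_setup USER KEYTAB KRB5CONF CCACHE, e.g. with the paths from the post:
#   sh dhcpd-preflight.sh dhcpd /etc/samba/dhcpduser.keytab /etc/krb5.conf /tmp/dhcp-dyndns.cc
check_dhcpd_setup() {
    user=$1 keytab=$2 krb5conf=$3 ccache=$4
    uid=$(id -u "$user") || return 1
    gids=$(id -G "$user") || return 1
    rc=0
    user_can_read "$uid" "$gids" "$keytab" || rc=1
    user_can_read "$uid" "$gids" "$krb5conf" || rc=1
    if ! cache_usable_by "$uid" "$ccache"; then
        echo "$ccache exists but is not owned by $user: remove it before kinit" >&2
        rc=1
    fi
    return $rc
}
if [ $# -eq 4 ]; then check_dhcpd_setup "$@"; fi
```

Run as root with the four arguments shown in the comment and it reports the first directory on each path that the dhcpd identity cannot search, which is the information the wiki script's own "Required keytab ... not found" message hides. On the reverse side, the named line "updating zone '10.IN-ADDR.ARPA/IN': ... NOTAUTH" names the zone the update was addressed to, while the zone created was 12.11.10.in-addr.arpa; reverse_zone spells out the /8, /16 and /24 candidates so the two can be compared against samba-tool dns zonelist before blaming BIND.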