[Samba] Samba AD /dns /dhcp

Kristján Valur Jónsson kristjan at rvx.is
Thu Nov 30 14:55:43 UTC 2017 

Hello there.  I hope I'm in the right place for some Samba AD advice.

I recently added two extra ADs to a setup I inherited.
Originally there was a single Samba AD  with BIND9_DLS config.  DHCP was
separate.
Subsequently I installed Samba on two Raspberry Pis to act as backup
servers.

Basically, I followd this set of instructions:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
I have run into several problems.

   1. The new DCs were not automatically added to the master zone A record,
   i.e. "host -t A samdom.example.com localhost" would only return the
   original host.  all of the other records (including GUIDS) were inserted
   fine.  I ended up adding these manually.
   2. The SOA record for my dns zones seem to have migrated to point to the
   last DC that I set up.  New zones get the orignal one (the one with the
   master token).  I am unsure what this means, but from what I can tell,
   dnsupdate contacts the host in the SOA record to make updates.  What is the
   recommended practice here?  Does it matter which of my now three redundant
   DNS hosts is the SOA?  How can I change it?
   3. I was unable to the dynamic DNS updates from DHCPD to work without
   adding an "allow-update {any;};" clause (or similar) to named.conf.  This
   was not documented anywhere and caused me a lot of headaches, particularly
   since this setting was in the original DC and so dynamic updates would work
   or not, based on the SOA record for the zones.  What is the recommended
   practice here?


I was unable to find on the samba wiki an overview over a recommended setup
of the combination of SambaAD/BIND/DHCP which is sort of a minimum to
maintain a site.  Particularly how they interact.
>From what I can tell, Samba AD and BIND always go hand in hand, but there
are at most two DHCPD servers on the net, running on two of the DCs.  Is
this correct?

Finally, dynamic NDS updates from the DHCP server seem to take some 8 or
nine seconds, during which time a cliend does not get a DHCPD ack.
Sometimes the client gives up waiting.
I'm currently looking into this, but here is a log:

Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: Commit: IP: 192.168.53.20 DHCID:
1:0:20:85:ed:5:d0 Name: ups208
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[0] =
/etc/dhcp/bin/dhcp-dyndns.sh
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[1] = add
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[2] =
192.168.53.20
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[3] =
1:0:20:85:ed:5:d0
Nov 30 14:48:32 dc03.rvx.is dhcpd[15712]: execute_statement argv[4] = ups208
a)
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: starting transaction
on zone rvx.is
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: allowing update of
signer=dhcpduser\@RVX.IS name=ups208.rvx.is tcpaddr=127.0.0.1 type=A
key=1178036325.sig-dc03.rv
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: allowing update of
signer=dhcpduser\@RVX.IS name=ups208.rvx.is tcpaddr=127.0.0.1 type=A
key=1178036325.sig-dc03.rv
Nov 30 14:48:38 dc03.rvx.is named[19015]: client 127.0.0.1#56549/key
dhcpduser\@RVX.IS: updating zone 'rvx.is/NONE': deleting rrset at '
ups208.rvx.is' A
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: subtracted rdataset
ups208.rvx.is 'ups208.rvx.is.        3600        IN        A
192.168.53.20'
Nov 30 14:48:38 dc03.rvx.is named[19015]: client 127.0.0.1#56549/key
dhcpduser\@RVX.IS: updating zone 'rvx.is/NONE': adding an RR at '
ups208.rvx.is' A
Nov 30 14:48:38 dc03.rvx.is named[19015]: samba_dlz: added rdataset
ups208.rvx.is 'ups208.rvx.is.        3600        IN        A
192.168.53.20'
b)
Nov 30 14:48:40 dc03.rvx.is named[19015]: samba_dlz: committed transaction
on zone rvx.is
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: starting transaction
on zone 53.168.192.in-addr.arpa
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: allowing update of
signer=dhcpduser\@RVX.IS name=20.53.168.192.in-addr.arpa tcpaddr=127.0.0.1
type=PTR key=4098431
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: allowing update of
signer=dhcpduser\@RVX.IS name=20.53.168.192.in-addr.arpa tcpaddr=127.0.0.1
type=PTR key=4098431
Nov 30 14:48:44 dc03.rvx.is named[19015]: client 127.0.0.1#59019/key
dhcpduser\@RVX.IS: updating zone '53.168.192.in-addr.arpa/NONE': deleting
rrset at '20.53.168.192.
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: subtracted rdataset
20.53.168.192.in-addr.arpa '20.53.168.192.in-addr.arpa.        3600
IN        PTR
Nov 30 14:48:44 dc03.rvx.is named[19015]: client 127.0.0.1#59019/key
dhcpduser\@RVX.IS: updating zone '53.168.192.in-addr.arpa/NONE': adding an
RR at '20.53.168.192.in
Nov 30 14:48:44 dc03.rvx.is named[19015]: samba_dlz: added rdataset
20.53.168.192.in-addr.arpa '20.53.168.192.in-addr.arpa.        3600
IN        PTR        ups
c)
Nov 30 14:48:46 dc03.rvx.is named[19015]: samba_dlz: committed transaction
on zone 53.168.192.in-addr.arpa
d)
Nov 30 14:48:47 dc03.rvx.is logger[20952]: DHCP-DNS Update succeeded

Note the initial 6 seconds at a) that it takes dhcp-dyndns.sh to get to the
point where it call nsupdate....  Any thoughts?




-- 
Kv,
Kristján Valur Jónsson, RVX

More information about the samba mailing list