[Samba] Samba AD /dns /dhcp
Rowland Penny
rpenny at samba.org
Thu Nov 30 17:00:00 UTC 2017
See inline comments:
On Thu, 30 Nov 2017 16:25:25 +0000
Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:
> Hi there, thanks for your reply. Probably I should add that:
> a) I'm running Centos7 on the RPi3.
Where did you get that from?
> b) Compiled and installed samba 4.7.2 from source (packaged AD samba
> not available for CentOS)
Not yet, but it is coming to Fedora and then ultimately Centos, but
probably Centos 8 (this is just a guess)
> c) I haven't managed an AD before this thing landed in my lap, much
> less a Samba AD :)
>
It gets easier after the first year or two ;-)
>
> On 30 November 2017 at 15:45, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> >
> > > Basically, I followed this set of instructions:
> > > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > > I have run into several problems.
> > >
> > > 1. The new DCs were not automatically added to the master zone
> > > A record, i.e. "host -t A samdom.example.com localhost" would only
> > > return the original host. All of the other records (including
> > > GUIDS) were inserted fine. I ended up adding these manually.
> >
> > It is probably down to the version of Samba running on the rpi's,
> > later versions should do this.
> >
> Original DC samba version is 4.5.0, also compiled from source.
> Possibly the issue was that the original DC01 had its record manually
> inserted in the dns; at least, the dns viewer flagged it as 'static'.
I have the feeling that your rpi's are getting their IP's via DHCP. If
that is the case, give them a static IP; using DHCP on an AD DC is only
going to end in tears.
>
>
> >
> > > 2. The SOA record for my dns zones seems to have migrated to
> > > point to the last DC that I set up. New zones get the original
> > > one (the one with the master token). I am unsure what this
> > > means, but from what I can tell, dnsupdate contacts the host in
> > > the SOA record to make updates. What is the recommended practice
> > > here? Does it matter which of my now three redundant DNS hosts
> > > is the SOA? How can I change it?
> >
> > Again, later versions of Samba will make all Samba DCs
> > authoritative.
> >
> Running 4.7.2.
> What does that mean, can a zone have more than one SOA record? Using
> the DNS Manager tool on windows, the "properties" of a zone has only
> one "Primary server" in the SOA.
> The pre-existing zones seem to have all migrated to DC03 (the last one
> where I installed the AD). Is it ok to have different DCs as primary
> server for a zone? How does this affect redundancy if one DC goes
> offline?
All AD DCs that run a dns server are authoritative for the dns domain;
this means that if you ask a DC for its SOA, it will claim it is
itself. All DCs carry the AD records, this includes the dns records. A
program called 'samba_dnsupdate' is run at Samba startup and then at
frequent intervals; it uses a file 'dns_update_list' and checks and
updates the records found in that file.
>
> >
> > > 3. I was unable to get the dynamic DNS updates from DHCPD to
> > > work without adding an "allow-update {any;};" clause (or similar)
> > > to named.conf. This was not documented anywhere and caused me a
> > > lot of headaches, particularly since this setting was in the
> > > original DC and so dynamic updates would work or not, based on
> > > the SOA record for the zones. What is the recommended practice
> > > here?
> > You shouldn't need that line, at least, I never have.
> > It might help if you post your bind conf files.
> >
>
> Sure, this is what I'm using. It's the default one for Centos7 rpm
> bind, modified for AD:
This is mine (actually the three debian ones in one file):
options {
    directory "/var/cache/bind";
    version "0.0.7";
    notify no;
    empty-zones-enable no;
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.0.7; 127.0.0.1; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

// adding the Samba dlopen ( Bind DLZ ) module
include "/usr/local/samba/private/named.conf";

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
It has worked for me for the last 5 years ;-)
> > >
> > > I was unable to find on the samba wiki an overview of a
> > > recommended setup of the combination of SambaAD/BIND/DHCP which
> > > is sort of a minimum to maintain a site. Particularly how they
> > > interact. From what I can tell, Samba AD and BIND always go hand
> > > in hand, but there are at most two DHCPD servers on the net,
> > > running on two of the DCs. Is this correct?
> >
> > Can I suggest you read again the Samba wikipage that you couldn't
> > find:
> >
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >
> > it changed yesterday because of a bug.
> >
> Thanks, that's exactly the page I followed when it came to this. I
> had already fixed the problems with the read access to /etc/dhcp
> (chgrp dhcpd /etc/dhcp) and setting the right path in the script.
>
>
>
> > >
> > > Finally, dynamic DNS updates from the DHCP server seem to take
> > > some 8 or nine seconds, during which time a client does not get a
> > > DHCPD ack. Sometimes the client gives up waiting.
> > > I'm currently looking into this, but here is a log:
> >
> > I feel this must be down to the rpi's, less than a second on my DCs
> >
> I'm sure you are right. I'm having problems with IO performance on
> this particular machine. I probably should replace the SD card.
> However, a considerable time in the script (after analysis) is spent
> on doing checking, particularly the wbinfo -u call, which can take
> anything from .17 seconds to 5 seconds in my case.
> "wbinfo -i dhcpduser" is consistently faster.
Good point, never thought of that (don't use wbinfo much), I will test
it and update the wiki page again, if it makes it faster.
Rowland
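An added check for the named.conf question discussed above (example script written for this page; it is not part of the thread, of Samba, or of BIND). It audits a BIND named.conf for the settings that matter when Samba's DLZ module serves the AD zones: "allow-update { any; };" lets any host on the network rewrite records with no authentication, whereas the intended path is a Kerberos-signed (GSS-TSIG) update enabled by "tkey-gssapi-keytab". The Samba include path it looks for is the one Rowland's config uses (/usr/local/samba/private/named.conf); the two sample configs it writes are constructed for the self-check and are not from the thread. It reads a single file and does not follow nested includes.

```shell
#!/bin/sh
# Added example: audit a BIND named.conf for dynamic-update settings on a
# Samba AD DC using the BIND DLZ backend. Not from the thread or from Samba.

# Drop // and # comments and collapse whitespace so the patterns are stable.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr -s ' \t' ' '
}

# Print one FINDING line per problem; return 0 when clean, 1 otherwise.
audit_named_conf() {
    conf="$1"
    rc=0
    clean=$(strip_comments "$conf")

    # allow-update { any; } accepts updates from any source address with no
    # TSIG/GSS-TSIG signature, so any host on the LAN can rewrite AD records.
    if printf '%s\n' "$clean" | grep -q 'allow-update *{ *any *; *}'; then
        echo "FINDING: allow-update { any; } present (unauthenticated updates)"
        rc=1
    fi

    # tkey-gssapi-keytab is what lets named verify Kerberos-signed updates
    # from samba_dnsupdate, the DHCP hook script and Windows clients.
    if ! printf '%s\n' "$clean" | grep -q 'tkey-gssapi-keytab'; then
        echo "FINDING: no tkey-gssapi-keytab; GSS-TSIG updates cannot work"
        rc=1
    fi

    # The Samba-generated include is what loads the DLZ module (assumed path
    # pattern: a samba directory ending in /named.conf).
    if ! printf '%s\n' "$clean" | grep -q 'include *".*samba.*/named.conf"'; then
        echo "FINDING: Samba DLZ include not found"
        rc=1
    fi
    return $rc
}

# Constructed sample configs for a self-check (not real files from the thread).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/good.conf" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-transfer { none; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
// adding the Samba dlopen ( Bind DLZ ) module
include "/usr/local/samba/private/named.conf";
EOF
    cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
options {
    directory "/var/named";
    allow-update { any; };   // added while chasing DHCP update failures
};
include "/usr/local/samba/private/named.conf";
EOF
}

# Stand-alone use: sh audit_named.sh /etc/bind/named.conf
if [ -n "${1:-}" ]; then
    audit_named_conf "$1"
fi
```

Run it against each DC's named.conf after copying a config between hosts; a clean run prints nothing and exits 0, so it drops straight into a cron job or a configuration-management check.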