[Samba] Samba AD /dns /dhcp

Rowland Penny rpenny at samba.org
Thu Nov 30 17:00:00 UTC 2017 

See inline comments:

On Thu, 30 Nov 2017 16:25:25 +0000
Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:

> Hi there, thanks for your reply.  Probably I should add that:
> a) I'm running Centos7 on the RPi3.

Where did you get that from ?

> b) Compiled and installed samba 4.7.2 from source (packaged AD samba
> not available for CentOS)

Not yet, but it is coming to Fedora and then ultimately Centos, but
probably Centos 8 (this is just a guess)

> c) I haven't managed an AD before this thing landed in my lap, much
> less a Samba AD :)
> 

It gets easier after the first year or two ;-)

> 
> On 30 November 2017 at 15:45, Rowland Penny via samba
> <samba at lists.samba.org
> > wrote:
> 
> >
> > > Basically, I followd this set of instructions:
> > > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_
> > Existing_Active_Directory
> > > I have run into several problems.
> > >
> > >    1. The new DCs were not automatically added to the master zone
> > > A record, i.e. "host -t A samdom.example.com localhost" would only
> > > return the original host.  all of the other records (including
> > > GUIDS) were inserted fine.  I ended up adding these manually.
> >
> > It is probably down to the version of Samba running on the rpi's,
> > later versions should do this.
> >
> Original DC samba version is 4.5.0, also compiled from source
> Possibly the issue was that the original DC01 had its record manually
> inserted nin the dns, at least, the dns viewer flagged it as 'static'

I have the feeling that your rpi's are getting their IP's via DHCP, if
that is the case, give them a static IP, using DHCP on an AD DC is only
going to end in tears.

> 
> 
> >
> > >    2. The SOA record for my dns zones seem to have migrated to
> > > point to the last DC that I set up.  New zones get the orignal
> > > one (the one with the master token).  I am unsure what this
> > > means, but from what I can tell, dnsupdate contacts the host in
> > > the SOA record to make updates.  What is the recommended practice
> > > here?  Does it matter which of my now three redundant DNS hosts
> > > is the SOA?  How can I change it?
> >
> > Again, later versions of Samba will make all Samba DCs
> > authoritative.
> >
> Running 4.7.2.
> What does that mean, can a zone have more than one SOA record?  Using
> the DNS Manager tool on windows, the "properties" of a zone has only
> one "Primary server" in the SOA.
> The pre-existing zones seem to have all migrated to DC03 (the last one
> where i installed the AD).   Is it ok to have different DCs as primary
> server for a zone?  How does this affect redundancy if one DC goes
> offline?

All AD DCs that run a dns server are authoritative for the dns domain,
this means that if you ask a DC for its SOA, it will claim it is
itself. All DCs carry the AD records, this includes the dns records. A
program called 'samba_dnsupdate' is run at Samba startup and then at
frequent intervals, this uses a file 'dns_update_list' and checks and
updates the records found in that file.

> 
> >
> > >3. I was unable to the dynamic DNS updates from DHCPD to
> > > work without adding an "allow-update {any;};" clause (or similar)
> > > to named.conf.  This was not documented anywhere and caused me a
> > > lot of headaches, particularly since this setting was in the
> > > original DC and so dynamic updates would work or not, based on
> > > the SOA record for the zones.  What is the recommended practice
> > > here?
> > You shouldn't need that line, at least, I never have.
> > It might help if you post your bind conf files.
> >
> 
> Sure, this is what I'm using.  It's the default one for Centos7 rpm
> bind, modified for AD:

This is mine (actually the three debian ones in one file):

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.7; 127.0.0.1; };

        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

// adding the Samba dlopen ( Bind DLZ ) module
include "/usr/local/samba/private/named.conf";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

It has worked for me for the last 5 years ;-)

> > >
> > > I was unable to find on the samba wiki an overview over a
> > > recommended setup of the combination of SambaAD/BIND/DHCP which
> > > is sort of a minimum to maintain a site.  Particularly how they
> > > interact. From what I can tell, Samba AD and BIND always go hand
> > > in hand, but there are at most two DHCPD servers on the net,
> > > running on two of the DCs.  Is this correct?
> >
> > Can I suggest you read again the Samba wikipage that you couldn't
> > find:
> >
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_
> > DNS_records_with_BIND9
> >
> > it changed yesterday because of a bug.
> >
> > Thanks, that's exactly the page I followed when it came to this. I
> > had
> already fixed the problems with the read access to /etc/dhcp, (chgrp
> dhcpd /etc/dhcp) and setting the right path in the script.
> 
> 
> 
> > >
> > > Finally, dynamic NDS updates from the DHCP server seem to take
> > > some 8 or nine seconds, during which time a cliend does not get a
> > > DHCPD ack. Sometimes the client gives up waiting.
> > > I'm currently looking into this, but here is a log:
> >
> > I feel this must be down to the rpi's, less than a second on my DCs
> >
> > I'm sure you are right.  I'm having problems with IO performance on
> > this
> particular machine.  I probably should replace the SD card.
> However, a considerable time in the script (after analysis) is spent
> on doing checking, particularly the wbinfo -u call, which can take
> anything from .17 seconds to 5 seconds in my case.
> "wbinfo -i dhcpduser" is consistently faster.

Good point, never thought of that (don't use wbinfo much), I will test
it and update the wiki page again, if it makes it faster.

Rowland

More information about the samba mailing list