[Samba] Reverse DNS

Praveen Ghimire PGhimire at sundata.com.au
Thu Jul 4 06:39:25 UTC 2019


Hi Louis,

I have tested some more and have come up with the following.

Test1:
DHCP server:
- Not joined to the AD domain
- Installed Samba and also set up dhcpd.conf to run the dhcp-dyndns script. The script failed as it couldn't use kinit, so I don't think it will work.
Results:
- The forward updates but the reverse doesn't
DHCP logs:

Jul  4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 82: klist: command not found
Jul  4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : Getting new ticket, old one has expired
Jul  4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 85: kinit: command not found
Jul  4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : dhcpd kinit for dynamic DNS failed
Jul  4 05:17:43 server-fw dhcpd[10300]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 256


Test2:
DHCP server:
- Not joined to the AD domain
- Installed Samba and also set up dhcpd.conf to NOT run the script
Results:
- The forward updates but the reverse doesn't



Test3:
- Same setup on the DHCP server, i.e. not running the script
- On the Windows machine, ticked "Use this connection's DNS suffix in DNS registration" under the Advanced DNS settings (IPv4)
Results:
- Both forward and reverse work

Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
Jul  4 06:16:03 server5 named[90]: client @0x7fb51811e370 192.168.14.150#64300/key BW10\$\@lin.GROUP: updating zone '14.168.192.in-addr.arpa/NONE': deleting rrset at '150.14.168.192.in-addr.arpa' PTR
Jul  4 06:16:03 server5 named[90]: samba_dlz: failed to modify DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
Jul  4 06:16:03 server5 named[90]: samba_dlz: cancelling transaction on zone 14.168.192.in-addr.arpa
Jul  4 06:16:03 server5 named[90]: resolver priming query complete


In all of the subsequent tests, the only time I got a consistent reverse entry in DNS was when ticking the above. Even when I installed DHCP on the actual Samba box, the above setting ensured the reverse entry.


Regards,
Praveen Ghimire
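As an added example (not part of Praveen's or the list's messages, and not Samba's code): a small Python triage script for the named/samba_dlz lines above. It classifies each line as ACL-allowed, denied, backend failure, transaction cancelled, or a dhcp-dyndns.sh/kinit error, and then flags updates that were allowed by the update policy but never committed because samba_dlz rolled the zone transaction back, which is what the "failed to modify ... WERR_GEN_FAILURE" and "cancelling transaction" lines show. The log lines in the block are constructed and modelled on the ones in this thread, with the TSIG key name shortened; the pattern strings are assumptions based on those lines, not a complete catalogue of samba_dlz messages.

```python
import re

# Constructed sample log, modelled on the lines quoted in the thread (key name shortened).
SAMPLE_LOG = r"""
Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=EXAMPLE-KEY/160/0
Jul  4 06:16:03 server5 named[90]: client @0x7fb51811e370 192.168.14.150#64300/key BW10\$\@lin.GROUP: updating zone '14.168.192.in-addr.arpa/NONE': deleting rrset at '150.14.168.192.in-addr.arpa' PTR
Jul  4 06:16:03 server5 named[90]: samba_dlz: failed to modify DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
Jul  4 06:16:03 server5 named[90]: samba_dlz: cancelling transaction on zone 14.168.192.in-addr.arpa
Jul  4 06:16:05 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=bw10.lin.group tcpaddr=192.168.14.150 type=A key=EXAMPLE-KEY/160/0
Jul  4 05:17:43 server-fw named[90]: client @0x7efc5809bfd0 192.168.14.198#51947: update 'lin.group/IN' denied
Jul  4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 85: kinit: command not found
Jul  4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : dhcpd kinit for dynamic DNS failed
"""

# (kind, regex) pairs; the regexes are assumptions derived from the lines in the thread.
PATTERNS = [
    ("allowed", re.compile(
        r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
        r"tcpaddr=(?P<addr>\S+) type=(?P<rtype>\S+)")),
    ("failed", re.compile(r"samba_dlz: failed to modify (?P<dn>\S+) - (?P<err>\S+)")),
    ("cancelled", re.compile(r"samba_dlz: cancelling transaction on zone (?P<zone>\S+)")),
    # The first, unsigned attempt from a client is denied by the update-policy; a signed retry follows.
    ("denied", re.compile(r"client @\S+ (?P<addr>[\d.]+)#\d+: update '(?P<zone>[^']+)/IN' denied")),
    # Errors from the DHCP-side helper script (missing kinit/klist, ticket failure).
    ("script", re.compile(
        r"dhcp-dyndns\.sh: line \d+: (?P<cmd>\S+): command not found|dhcpd kinit for dynamic DNS failed")),
]


def parse_event(line):
    """Classify one syslog line. Returns (kind, fields) or None for lines we do not track."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def summarize(lines):
    """Collect ACL decisions, backend failures, cancelled zone transactions and script errors."""
    s = {"allowed": [], "failed": [], "cancelled": set(), "denied": [], "script_errors": []}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, d = ev
        if kind == "cancelled":
            s["cancelled"].add(d["zone"])
        elif kind == "script":
            s["script_errors"].append(d.get("cmd") or "kinit failed")
        else:
            s[kind].append(d)
    return s


def uncommitted_updates(summary):
    """Records that passed the ACL ("allowing update") but whose zone transaction was later
    cancelled, so nothing reached the AD database. "allowing update" only means the signer
    was authorised; the commit can still fail, as the PTR update in the thread did.
    (Matching by zone suffix is enough for a short log; over a long log you would also
    check that the cancel line follows the allow line in time.)"""
    return [r for r in summary["allowed"]
            if any(r["name"] == z or r["name"].endswith("." + z) for z in summary["cancelled"])]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.strip().splitlines())
    for r in uncommitted_updates(summary):
        print("allowed but NOT committed:", r["rtype"], r["name"], "from", r["addr"])
    for f in summary["failed"]:
        print("backend error:", f["err"], "on", f["dn"])
    for d in summary["denied"]:
        print("denied (unsigned attempt):", d["addr"], "zone", d["zone"])
    for e in summary["script_errors"]:
        print("dhcp-dyndns.sh problem:", e)
```

Running it over a real log (`journalctl -u named` or the syslog file) turns a stream of "allowing update" lines, which look like success, into the short list that matters: updates that were authorised but rolled back, and DHCP-side helper failures such as the missing kinit in Test1.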




-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl] 
Sent: Thursday, 27 June 2019 10:03 PM
To: samba at lists.samba.org
Cc: Praveen Ghimire
Subject: RE: [Samba] Reverse DNS

Hai Praveen, 
 

> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Thursday, 27 June 2019 13:46
> To: samba at lists.samba.org
> CC: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
> 
> Hi Guys,
> 
> Thank you for your emails. Here is the info
> 
> /etc/apparmor.d/local/usr.sbin.dhcp
> 
> /etc/dhcp/ r,
> /etc/dhcp/** r,
> /etc/dhcpd{,6}.conf r,
> /etc/dhcpd{,6}_ldap.conf r,
> /usr/local/bin/dhcp-dyndns.sh ix,

Try /usr/local/bin/dhcp-dyndns.sh rix, 


> /bin/grep rix,
> /usr/sbin/samba rix,
> /usr/bin/gawk rix,
> /bin/hostname rix,
> /usr/bin/wbinfo rix,
> /usr/bin/heimtools rix,
> /usr/bin/logger rix,
> /usr/bin/kinit.heimdal rix,
> /bin/date rix,
> /dev/tty wr,

> /dev/urandom w,
^^ change that to wr


> /proc/** r,
> /usr/bin/kinit w,
> /run/samba/winbindd/pipe wr,
> 
> The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x  1 root root
> 4117 Jun 27 10:54 dhcp-dyndns.sh
> 
> I don't have the
> /var/lib/samba/private/named.conf.update.static but have 
> /var/lib/samba/private/named.conf.update, which looks like the 
> following
> 
> /* this file is auto-generated - do not edit */
> update-policy {
>         grant LIN.GROUP ms-self * A AAAA;
>         grant Administrator at LIN.GROUP wildcard * A AAAA SRV CNAME;
>         grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
> };

This part,
grant SERVER5$@LIN.group
So that would mean your hostname is SERVER5 


> 
> Please note: the hostname is SERVER5-AD but it is also called
> SERVER5 as some of the old shares are pointing to SERVER5(have entries 
> for both in DNS and hosts file)
No No.. 

A computer (IP) has only ONE hostname (as in host.dom.tld), as in A and PTR record. 
For example, there can only be ONE PTR record for an IP; the matching A is the REAL hostname. 

All others are aliases and should be CNAMEs in the DNS. 
Now, your resolving is failing / not correctly set up. 
That's a point to fix and this is the primary thing you should look at first. 


> 
> Louis, the machine has full control over it's forward DNS 
> record . However the machine is not domain\machine but just 
> "WIN7VM01$" 

That's fine also, as long as the computer has full access it's ok. 

> 
> The reverse DNS doesn't exist so I manually added one using 
> samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198 
> PTR WIN7VM01.lin.group. It creates the record but the machine 
> has no access.
That's because you created it, not the computer. 


> The thing to note is here is if I add an A record using the 
> DNS manager and select the option to create the associated 
> pointer record, it only creates the forward one. I am logged 
> into the machine with RSAT using the domain administrator account
Yes, that's known with RSAT; create the PTR manually in that case. 

> 
> Back to the reverse one. I setup the ADDOM\WIN7VM01$ with 
> full permission in the rev record I just created.
> 
> After the reboot the forward DNS record now shows permissions 
> for ADDOM\WIN7VM01$ instead of just WIN7VM01$
> Is "Register this connection's address in DNS" checked? It is ticked.
Good. 
> 
> In ipconfig /all , the details looks correct. The DNS suffix 
> is pointing to the domain. It has the correct DHCP and DNS details
> 
> I still see the permission denied error about the 
> dhcp-dyndns.sh and also client @0x7efc5809bfd0 
> 192.168.14.198#51947: update 'lin.group/IN' denied
This is correct, that's attempt one; the second should be with bind_dlz and succeed. 

> 
> As you can gather I am in completely different timezone (AUS) 
> as you,  so it might be a while before I can respond to 
> emails. Hence I am providing as much info as I can while I can. 

No problems, we all need to sleep sometime. ;-) 
> 
> Regards,
> 
> Praveen

Greetz, 

Louis
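An added example (not from Louis or Praveen, and not Samba's code) that turns Louis's rule above into a check you can run against a zone dump: each IP should have exactly one PTR, the PTR target should have a matching A record, and any other name for that IP should be a CNAME rather than a second A record. The records below are constructed and reuse the hostnames from this thread (server5-ad/server5 sharing one address, bw10, win7vm01); in practice you would load them from the output of `samba-tool dns query` or a zone transfer rather than from the inline lists.

```python
from collections import defaultdict

# Constructed sample records (name, type, value), modelled on the hosts named in the thread.
FORWARD = [
    ("server5-ad.lin.group", "A", "192.168.14.10"),
    ("server5.lin.group", "A", "192.168.14.10"),       # second A for the same IP: should be a CNAME
    ("win7vm01.lin.group", "A", "192.168.14.198"),
    ("bw10.lin.group", "A", "192.168.14.150"),
    ("files.lin.group", "CNAME", "server5-ad.lin.group"),
]
REVERSE = [
    ("10.14.168.192.in-addr.arpa", "PTR", "server5-ad.lin.group"),
    ("198.14.168.192.in-addr.arpa", "PTR", "win7vm01.lin.group"),
    ("150.14.168.192.in-addr.arpa", "PTR", "bw10.lin.group"),
    ("150.14.168.192.in-addr.arpa", "PTR", "oldname.lin.group"),  # stale duplicate PTR
]

ARPA = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """'10.14.168.192.in-addr.arpa' -> '192.168.14.10' (IPv4 only)."""
    name = name.lower().rstrip(".")
    if name.endswith(ARPA):
        name = name[: -len(ARPA)]
    return ".".join(reversed(name.split(".")))


def _norm(name):
    return name.lower().rstrip(".")


def audit(forward, reverse):
    """Return (ip, problem, names) findings for every IP that breaks the one-A/one-PTR rule."""
    a_by_ip = defaultdict(set)
    for name, rtype, value in forward:
        if rtype.upper() == "A":
            a_by_ip[value].add(_norm(name))
    ptr_by_ip = defaultdict(set)
    for name, rtype, value in reverse:
        if rtype.upper() == "PTR":
            ptr_by_ip[ptr_name_to_ip(name)].add(_norm(value))

    findings = []
    all_ips = sorted(set(a_by_ip) | set(ptr_by_ip), key=lambda s: tuple(map(int, s.split("."))))
    for ip in all_ips:
        a_names, ptrs = a_by_ip.get(ip, set()), ptr_by_ip.get(ip, set())
        if len(ptrs) > 1:
            findings.append((ip, "multiple PTR records", sorted(ptrs)))
        if a_names and not ptrs:
            findings.append((ip, "A record(s) without PTR", sorted(a_names)))
        if ptrs and not a_names:
            findings.append((ip, "PTR without matching A", sorted(ptrs)))
        canonical = ptrs & a_names          # the PTR target that also has an A: the real hostname
        if ptrs and a_names and not canonical:
            findings.append((ip, "PTR does not match any A record", sorted(ptrs)))
        extra = a_names - ptrs
        if canonical and extra:
            findings.append((ip, "extra A records should be CNAMEs to the PTR name", sorted(extra)))
    return findings


if __name__ == "__main__":
    for ip, problem, names in audit(FORWARD, REVERSE):
        print(f"{ip}: {problem}: {', '.join(names)}")
```

The check deliberately treats the PTR target as the canonical name, as Louis does: an IP with two A records is only wrong when one of them is not the PTR target, and that is the record to turn into a CNAME. A machine that registers its own A and PTR (the Windows "Register this connection's address in DNS" setting) will then own exactly the pair of records this audit expects.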



