[Samba] Reverse DNS

L.P.H. van Belle belle at bazuin.nl
Thu Jul 4 06:47:20 UTC 2019


On the server with the dhcp script. 

apt install krb5-user  
Should be sufficient, then try again. 

Greetz, 

Louis


> -----Original message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au] 
> Sent: Thursday 4 July 2019 8:39
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
> 
> Hi Louis,
> 
> I have tested some more and have come up with the following
> 
> Test1;
> DHCP server:
> - Not Joined to the AD domain
> - Installed Samba and also setup dhcpd.conf to run the 
> dhcp-dydns script. The script failed as it couldn't use kinit 
> so I don't think it will work
> Results:
> - The forward updates but the reverse doesn't
> Dhcp logs
> 
> Jul  4 05:17:43 server-fw sh[10300]: 
> /usr/local/bin/dhcp-dyndns.sh: line 82: klist: command not found
> Jul  4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : 
> Getting new ticket, old one has expired
> Jul  4 05:17:43 server-fw sh[10300]: 
> /usr/local/bin/dhcp-dyndns.sh: line 85: kinit: command not found
> Jul  4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : 
> dhcpd kinit for dynamic DNS failed
> Jul  4 05:17:43 server-fw dhcpd[10300]: execute: 
> /usr/local/bin/dhcp-dyndns.sh exit status 256
> 
> 
> Test2;
> DHCP server:
> - Not Joined to the AD domain
> - Installed Samba and also setup dhcpd.conf to NOT run the script
> Results:
> - The forward updates but the reverse doesn't
> 
> 
> 
> Test2:
> Same setup in DHCP server i.e. not running the scripts
> In the Windows machine, ticked the "Use this connection's DNS 
> suffix in DNS registration" under the Advanced DNS settings (IPv4)
> Results
> Both forward and reverse works
> 
> Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update 
> of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa 
> tcpaddr=192.168.14.150 type=PTR 
> key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
> Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update 
> of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa 
> tcpaddr=192.168.14.150 type=PTR 
> key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
> Jul  4 06:16:03 server5 named[90]: client @0x7fb51811e370 
> 192.168.14.150#64300/key BW10\$\@lin.GROUP: updating zone 
> '14.168.192.in-addr.arpa/NONE': deleting rrset at 
> '150.14.168.192.in-addr.arpa' PTR
> Jul  4 06:16:03 server5 named[90]: samba_dlz: failed to 
> modify 
> DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
> Jul  4 06:16:03 server5 named[90]: samba_dlz: cancelling 
> transaction on zone 14.168.192.in-addr.arpa
> Jul  4 06:16:03 server5 named[90]: resolver priming query complete
> 
> 
> In all of the subsequent tests, the only time I got a 
> consistent reverse entry in DNS is when ticking the above. 
> Even when I installed DHCP in the actual samba box, the above 
> setting ensured the reverse entry
> 
> 
> Regards,
> Praveen Ghimire
> 
> 
> 
> 
> -----Original Message-----
> From: L.P.H. van Belle [mailto:belle at bazuin.nl] 
> Sent: Thursday, 27 June 2019 10:03 PM
> To: samba at lists.samba.org
> Cc: Praveen Ghimire
> Subject: RE: [Samba] Reverse DNS
> 
> Hai Praveen, 
>  
> 
> > -----Original message-----
> > From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > Sent: Thursday 27 June 2019 13:46
> > To: samba at lists.samba.org
> > CC: 'L.P.H. van Belle'
> > Subject: RE: [Samba] Reverse DNS
> > 
> > Hi Guys,
> > 
> > Thank you for your emails. Here is the info
> > 
> > /etc/apparmor.d/local/usr.sbin.dhcp
> > 
> > /etc/dhcp/ r,
> > /etc/dhcp/** r,
> > /etc/dhcpd{,6}.conf r,
> > /etc/dhcpd{,6}_ldap.conf r,
> > /usr/local/bin/dhcp-dyndns.sh ix,
> 
> Try /usr/local/bin/dhcp-dyndns.sh rix, 
> 
> 
> > /bin/grep rix,
> > /usr/sbin/samba rix,
> > /usr/bin/gawk rix,
> > /bin/hostname rix,
> > /usr/bin/wbinfo rix,
> > /usr/bin/heimtools rix,
> > /usr/bin/logger rix,
> > /usr/bin/kinit.heimdal rix,
> > /bin/date rix,
> > /dev/tty wr,
> 
> > /dev/urandom w,
> ^^ change that to wr
> 
> 
> > /proc/** r,
> > /usr/bin/kinit w,
> > /run/samba/winbindd/pipe wr,
> > 
> > The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x  1 root root
> > 4117 Jun 27 10:54 dhcp-dyndns.sh
> > 
> > I don't have the
> > /var/lib/samba/private/named.conf.update.static but have 
> > /var/lib/samba/private/named.conf.update, which looks like the 
> > following
> > 
> > /* this file is auto-generated - do not edit */ update-policy {
> >         grant LIN.GROUP ms-self * A AAAA;
> >         grant Administrator at LIN.GROUP wildcard * A AAAA SRV CNAME;
> >         grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME; };
> 
> This part,
> grant SERVER5$@LIN.group
> So that would mean your hostname is SERVER5 
> 
> 
> > 
> > Please note: the hostname is SERVER5-AD but it is also called
> > SERVER5 as some of the old shares are pointing to 
> > SERVER5 (have entries 
> > for both in DNS and hosts file)
> No No.. 
> 
> A computer (ip) has only ONE hostname ( as in host.dom.tld ) 
> as in A and PTR record. 
> For example there can only be ONE ptr record for an IP, the 
> matching A is the REAL hostname. 
> 
> All others are aliases and should be CNAMEs in the DNS. 
> Now, your resolving is failing / not correctly set up. 
> That's a point to fix and this is the primary thing you should 
> look at first. 
> 
> 
> > 
> > Louis, the machine has full control over its forward DNS 
> > record. However the machine is not domain\machine but just 
> > "WIN7VM01$" 
> 
> That's fine also, as long as the computer has full access it's ok. 
> 
> > 
> > The reverse DNS doesn't exist so I manually added one using 
> > samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198 
> > PTR WIN7VM01.lin.group. It creates the record but the machine 
> > has no access.
> That's because you created it, not the computer. 
> 
> 
> > The thing to note is here is if I add an A record using the 
> > DNS manager and select the option to create the associated 
> > pointer record, it only creates the forward one. I am logged 
> > into the machine with RSAT using the domain administrator account
> Yes, that's known with RSAT, create the PTR manually in that case. 
> 
> > 
> > Back to the reverse one. I setup the ADDOM\WIN7VM01$ with 
> > full permission in the rev record I just created.
> > 
> > After the reboot the forward DNS record now shows permissions 
> > for ADDOM\WIN7VM01$ instead of just WIN7VM01$
> > Is "Register this connection's address in DNS " checked? It 
> is ticked
> Good. 
> > 
> > In ipconfig /all , the details looks correct. The DNS suffix 
> > is pointing to the domain. It has the correct DHCP and DNS details
> > 
> > I still see the permission denied error about the 
> > dhcp-dyndns.sh and also client @0x7efc5809bfd0 
> > 192.168.14.198#51947: update 'lin.group/IN' denied
> This is correct, that's attempt one, the second should be with 
> bind_dlz and succeed. 
> 
> > 
> > As you can gather I am in a completely different timezone (AUS) 
> > from you, so it might be a while before I can respond to 
> > emails. Hence I am providing as much info as I can while I can. 
> 
> No problems, we all need to sleep sometime. ;-) 
> > 
> > Regards,
> > 
> > Praveen
> 
> Greetz, 
> 
> Louis
> 
> 
> 
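The thread shows two distinct failure signatures: the dhcp-dyndns.sh script aborting because kinit/klist are not installed, and named's samba_dlz backend rolling back a PTR update with WERR_GEN_FAILURE while the matching A update goes through. The following is an added example (not code from the thread, Samba or the dhcp-dyndns script) that correlates those log lines into per-update findings; the sample log is constructed from the lines quoted above, and the "committed transaction on zone" success line is assumed from Samba's dlz_bind9 logging.

```python
import re

# Constructed sample, modelled on the dhcpd and named lines quoted in the thread
# (the "committed transaction" line is assumed from Samba's dlz_bind9 logging).
SAMPLE_LOG = """\
Jul  4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 85: kinit: command not found
Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10$@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc/160/0
Jul  4 06:16:03 server5 named[90]: samba_dlz: failed to modify DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
Jul  4 06:16:03 server5 named[90]: samba_dlz: cancelling transaction on zone 14.168.192.in-addr.arpa
Jul  4 06:16:05 server5 named[90]: samba_dlz: allowing update of signer=BW10$@lin.GROUP name=bw10.lin.group tcpaddr=192.168.14.150 type=A key=1264-ms-7.4-aaefc/160/0
Jul  4 06:16:05 server5 named[90]: samba_dlz: committed transaction on zone lin.group
"""

ALLOW = re.compile(r"samba_dlz: allowing update of signer=(\S+) name=(\S+) tcpaddr=(\S+) type=(\S+)")
FAIL = re.compile(r"samba_dlz: failed to modify (\S+) - (WERR_\w+)")
DONE = re.compile(r"samba_dlz: (cancelling|committed) transaction on zone (\S+)")
MISSING = re.compile(r"dhcp-dyndns\.sh: line \d+: (\w+): command not found")

def analyse(log_text):
    """Correlate samba_dlz lines into per-update findings; flag missing Kerberos tools."""
    findings, current = [], None
    for line in log_text.splitlines():
        if m := MISSING.search(line):
            # The script shells out to kinit/klist; on Debian these come from krb5-user.
            findings.append({"kind": "missing_tool", "tool": m[1], "fix": "apt install krb5-user"})
        elif m := ALLOW.search(line):
            # Open a new transaction record; the zone is the name minus its first label.
            current = {"kind": "update", "signer": m[1], "name": m[2], "addr": m[3],
                       "type": m[4], "zone": m[2].split(".", 1)[1], "error": None}
        elif (m := FAIL.search(line)) and current:
            current["error"] = m[2]            # e.g. WERR_GEN_FAILURE on the PTR modify
        elif (m := DONE.search(line)) and current:
            current["kind"] = "update_failed" if m[1] == "cancelling" else "update_ok"
            findings.append(current)
            current = None
    return findings

def failed_ptr_updates(findings):
    """The thread's symptom: forward (A) succeeds while reverse (PTR) is rolled back."""
    return [f for f in findings if f["kind"] == "update_failed" and f["type"] == "PTR"]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

Run it against a real journal or syslog extract of named and dhcpd output to see which client principals are hitting the reverse-zone failure and whether the script ever managed to obtain a ticket.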