[Samba] Reverse DNS
Praveen Ghimire
PGhimire at sundata.com.au
Tue Jul 9 06:27:03 UTC 2019
Hi Louis,
I can do that, but does it mean we'll have to set up a GPO to enable the machines to update their DNS?
Regards,
Praveen Ghimire
-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl]
Sent: Thursday, 4 July 2019 4:47 PM
To: samba at lists.samba.org
Cc: Praveen Ghimire
Subject: RE: [Samba] Reverse DNS
On the server with the dhcp script.
apt install krb5-user
Should be sufficient, then try again.
Greetz,
Louis
> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Thursday, 4 July 2019 8:39
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> I have tested some more and have come up with the following
>
> Test1;
> DHCP server:
> - Not joined to the AD domain
> - Installed Samba and also set up dhcpd.conf to run the dhcp-dyndns
> script. The script failed as it couldn't use kinit, so I don't think it
> will work
> Results:
> - The forward updates but the reverse doesn't
>
> DHCP logs:
>
> Jul 4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 82: klist: command not found
> Jul 4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : Getting new ticket, old one has expired
> Jul 4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 85: kinit: command not found
> Jul 4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : dhcpd kinit for dynamic DNS failed
> Jul 4 05:17:43 server-fw dhcpd[10300]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 256
>
>
> Test2;
> DHCP server:
> - Not joined to the AD domain
> - Installed Samba and also set up dhcpd.conf to NOT run the script
> Results:
> - The forward updates but the reverse doesn't
>
>
>
> Test2:
> Same setup in the DHCP server, i.e. not running the scripts.
> In the Windows machine, ticked "Use this connection's DNS suffix in DNS
> registration" under the Advanced DNS settings (IPv4).
> Results: Both forward and reverse work
>
> Jul 4 06:16:03 server5 named[90]: samba_dlz: allowing update of
> signer=BW10$@lin.GROUP name=150.14.168.192.in-addr.arpa
> tcpaddr=192.168.14.150 type=PTR
> key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
> Jul 4 06:16:03 server5 named[90]: samba_dlz: allowing update of
> signer=BW10$@lin.GROUP name=150.14.168.192.in-addr.arpa
> tcpaddr=192.168.14.150 type=PTR
> key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
> Jul 4 06:16:03 server5 named[90]: client @0x7fb51811e370
> 192.168.14.150#64300/key BW10$@lin.GROUP: updating zone
> '14.168.192.in-addr.arpa/NONE': deleting rrset at
> '150.14.168.192.in-addr.arpa' PTR
> Jul 4 06:16:03 server5 named[90]: samba_dlz: failed to modify
> DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
> Jul 4 06:16:03 server5 named[90]: samba_dlz: cancelling transaction
> on zone 14.168.192.in-addr.arpa
> Jul 4 06:16:03 server5 named[90]: resolver priming query complete
>
>
> In all of the subsequent tests, the only time I got a consistent
> reverse entry in DNS is when ticking the above.
> Even when I installed DHCP in the actual Samba box, the above setting
> ensured the reverse entry.
>
>
> Regards,
> Praveen Ghimire
>
>
>
>
> -----Original Message-----
> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> Sent: Thursday, 27 June 2019 10:03 PM
> To: samba at lists.samba.org
> Cc: Praveen Ghimire
> Subject: RE: [Samba] Reverse DNS
>
> Hai Praveen,
>
>
> > -----Original Message-----
> > From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > Sent: Thursday, 27 June 2019 13:46
> > To: samba at lists.samba.org
> > CC: 'L.P.H. van Belle'
> > Subject: RE: [Samba] Reverse DNS
> >
> > Hi Guys,
> >
> > Thank you for your emails. Here is the info
> >
> > /etc/apparmor.d/local/usr.sbin.dhcp
> >
> > /etc/dhcp/ r,
> > /etc/dhcp/** r,
> > /etc/dhcpd{,6}.conf r,
> > /etc/dhcpd{,6}_ldap.conf r,
> > /usr/local/bin/dhcp-dyndns.sh ix,
>
> Try /usr/local/bin/dhcp-dyndns.sh rix,
>
>
> > /bin/grep rix,
> > /usr/sbin/samba rix,
> > /usr/bin/gawk rix,
> > /bin/hostname rix,
> > /usr/bin/wbinfo rix,
> > /usr/bin/heimtools rix,
> > /usr/bin/logger rix,
> > /usr/bin/kinit.heimdal rix,
> > /bin/date rix,
> > /dev/tty wr,
>
> > /dev/urandom w,
> ^^ change that to wr
>
>
> > /proc/** r,
> > /usr/bin/kinit w,
> > /run/samba/winbindd/pipe wr,
> >
> > The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x 1 root root
> > 4117 Jun 27 10:54 dhcp-dyndns.sh
> >
> > I don't have the
> > /var/lib/samba/private/named.conf.update.static but have
> > /var/lib/samba/private/named.conf.update, which looks like the
> > following
> >
> > /* this file is auto-generated - do not edit */
> > update-policy {
> > grant LIN.GROUP ms-self * A AAAA;
> > grant Administrator@LIN.GROUP wildcard * A AAAA SRV CNAME;
> > grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
> > };
>
> This part,
> grant SERVER5$@LIN.group
> So that would mean your hostname is SERVER5
>
>
> >
> > Please note: the hostname is SERVER5-AD but it is also called
> > SERVER5 as some of the old shares are pointing to SERVER5 (have entries
> > for both in DNS and hosts file)
> No No..
>
> A computer (IP) has only ONE hostname (as in host.dom.tld), as in A
> and PTR record.
> For example, there can only be ONE PTR record for an IP; the matching A
> is the REAL hostname.
>
> All others are aliases and should be CNAMEs in the DNS.
> Now, your resolving is failing / not correctly set up.
> That's a point to fix and this is the primary thing you should look at
> first.
>
>
> >
> > Louis, the machine has full control over its forward DNS record.
> > However the machine is not domain\machine but just "WIN7VM01$"
>
> That's fine also, as long as the computer has full access it's ok.
>
> >
> > The reverse DNS doesn't exist so I manually added one using
> > samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198 PTR
> > WIN7VM01.lin.group. It creates the record but the machine has no
> > access.
> That's because you created it, not the computer.
>
>
> > The thing to note here is if I add an A record using the DNS
> > manager and select the option to create the associated pointer
> > record, it only creates the forward one. I am logged into the
> > machine with RSAT using the domain administrator account
> Yes, that's known with RSAT, create the PTR manually in that case.
>
> >
> > Back to the reverse one. I setup the ADDOM\WIN7VM01$ with full
> > permission in the rev record I just created.
> >
> > After the reboot the forward DNS record now shows permissions for
> > ADDOM\WIN7VM01$ instead of just WIN7VM01$
> >
> > Is "Register this connection's address in DNS" checked?
> > It is ticked
> Good.
> >
> > In ipconfig /all , the details looks correct. The DNS suffix is
> > pointing to the domain. It has the correct DHCP and DNS details
> >
> > I still see the permission denied error about the dhcp-dyndns.sh and
> > also client @0x7efc5809bfd0
> > 192.168.14.198#51947: update 'lin.group/IN' denied
> This is correct, that's attempt one, the second should be with bind_dlz
> and succeed.
>
> >
> > As you can gather I am in completely different timezone (AUS) as
> > you, so it might be a while before I can respond to emails. Hence I
> > am providing as much info as I can while I can.
>
> No problems, we all need to sleep sometime. ;-)
> >
> > Regards,
> >
> > Praveen
>
> Greetz,
>
> Louis
>
>
>
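A pre-flight check for the three failure points this thread settles on (the missing kinit/klist tools, the two AppArmor profile entries Louis corrected, and whether the machine account in the BIND update-policy grant is the box's real hostname), added here as an illustration; it is not Samba's code nor part of the dhcp-dyndns.sh script. The profile and named.conf.update paths are passed as arguments, and the sample files the last function builds are constructed to mirror the ones quoted in the thread.

```shell
#!/bin/sh
# Pre-flight checks for the dhcp-dyndns.sh setup discussed in the thread.
# Added example; not from the Samba project or the script's author.
# Assumed: AppArmor local profile and named.conf.update paths given as args.

# Names the Kerberos client tools the script calls but the host lacks
# (the thread's "kinit: command not found" / "klist: command not found").
# Arguments: tool names to check; defaults to kinit and klist.
missing_krb_tools() {
    [ $# -eq 0 ] && set -- kinit klist
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    printf '%s\n' "${missing# }"
}

# Flags the two AppArmor entries corrected in the thread: the script must be
# readable as well as executable (rix), and /dev/urandom needs wr, not w.
apparmor_findings() {
    grep -Eq '^[[:space:]]*/usr/local/bin/dhcp-dyndns\.sh[[:space:]]+ix,' "$1" &&
        echo "dhcp-dyndns.sh: change 'ix' to 'rix'"
    grep -Eq '^[[:space:]]*/dev/urandom[[:space:]]+w,' "$1" &&
        echo "/dev/urandom: change 'w' to 'wr'"
    return 0
}

# Extracts the machine account from the BIND update-policy
# ("grant SERVER5$@LIN.group ..." in the thread); it must be the real
# hostname that the A and PTR records point to, not an alias.
policy_host() {
    sed -n 's/.*grant[[:space:]]*\([A-Za-z0-9-]*\)[$]@.*/\1/p' "$1" | head -n 1
}

# Returns 0 if the short hostname ($2, default: hostname -s) matches the grant.
hostname_matches_policy() {
    h=${2:-$(hostname -s)}
    [ "$(policy_host "$1" | tr '[:lower:]' '[:upper:]')" = \
      "$(printf '%s' "$h" | tr '[:lower:]' '[:upper:]')" ]
}

# Constructed sample inputs mirroring the thread's files; prints their directory.
make_samples() {
    d=$(mktemp -d)
    printf '  /usr/local/bin/dhcp-dyndns.sh ix,\n  /dev/urandom w,\n' > "$d/usr.sbin.dhcpd"
    printf 'update-policy {\n  grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;\n};\n' \
        > "$d/named.conf.update"
    echo "$d"
}
```

Run `missing_krb_tools`, `apparmor_findings /etc/apparmor.d/local/usr.sbin.dhcpd` and `hostname_matches_policy /var/lib/samba/private/named.conf.update` on the DHCP host; a mismatch in the last check is the SERVER5 vs SERVER5-AD situation from the thread.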