[Samba] Reverse DNS
L.P.H. van Belle
belle at bazuin.nl
Tue Jul 9 07:10:47 UTC 2019
The default windows settings should be sufficient.
> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Tuesday 9 July 2019 8:27
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> I can do that but does it mean we'll have to setup a GPO to
> enable the machines to update their DNS?
>
>
> Regards,
> Praveen Ghimire
>
>
> -----Original Message-----
> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> Sent: Thursday, 4 July 2019 4:47 PM
> To: samba at lists.samba.org
> Cc: Praveen Ghimire
> Subject: RE: [Samba] Reverse DNS
>
> On the server with the dhcp script.
>
> apt install krb5-user
> Should be sufficient, then try again.
>
> Greetz,
>
> Louis
>
>
> > -----Original Message-----
> > From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > Sent: Thursday 4 July 2019 8:39
> > To: 'L.P.H. van Belle'; samba at lists.samba.org
> > Subject: RE: [Samba] Reverse DNS
> >
> > Hi Louis,
> >
> > I have tested some more and have come up with the following
> >
> > Test1;
> > DHCP server:
> > - Not Joined to the AD domain
> > - Installed Samba and also setup dhcpd.conf to run the dhcp-dyndns
> >   script. The script failed as it couldn't use kinit so I don't think it
> >   will work
> > Results:
> > - The forward updates but the reverse doesn't
> > DHCP logs:
> >
> > Jul 4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 82: klist: command not found
> > Jul 4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : Getting new ticket, old one has expired
> > Jul 4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 85: kinit: command not found
> > Jul 4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : dhcpd kinit for dynamic DNS failed
> > Jul 4 05:17:43 server-fw dhcpd[10300]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 256
> >
> >
> > Test2;
> > DHCP server:
> > - Not Joined to the AD domain
> > - Installed Samba and also setup dhcpd.conf to NOT run the script
> > Results:
> > - The forward updates but the reverse doesn't
> >
> >
> >
> > Test2:
> > Same setup in DHCP server i.e. not running the scripts. In the Windows
> > machine, ticked "Use this connection's DNS suffix in DNS registration"
> > under the Advanced DNS settings (IPv4).
> > Results: Both forward and reverse work
> >
> > Jul 4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
> > Jul 4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
> > Jul 4 06:16:03 server5 named[90]: client @0x7fb51811e370 192.168.14.150#64300/key BW10\$\@lin.GROUP: updating zone '14.168.192.in-addr.arpa/NONE': deleting rrset at '150.14.168.192.in-addr.arpa' PTR
> > Jul 4 06:16:03 server5 named[90]: samba_dlz: failed to modify DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
> > Jul 4 06:16:03 server5 named[90]: samba_dlz: cancelling transaction on zone 14.168.192.in-addr.arpa
> > Jul 4 06:16:03 server5 named[90]: resolver priming query complete
> >
> >
> > In all of the subsequent tests, the only time I got a consistent
> > reverse entry in DNS is when ticking the above.
> > Even when I installed DHCP in the actual samba box, the above setting
> > ensured the reverse entry
> >
> >
> > Regards,
> > Praveen Ghimire
> >
> >
> >
> >
> > -----Original Message-----
> > From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> > Sent: Thursday, 27 June 2019 10:03 PM
> > To: samba at lists.samba.org
> > Cc: Praveen Ghimire
> > Subject: RE: [Samba] Reverse DNS
> >
> > Hai Praveen,
> >
> >
> > > -----Original Message-----
> > > From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > > Sent: Thursday 27 June 2019 13:46
> > > To: samba at lists.samba.org
> > > CC: 'L.P.H. van Belle'
> > > Subject: RE: [Samba] Reverse DNS
> > >
> > > Hi Guys,
> > >
> > > Thank you for your emails. Here is the info
> > >
> > > /etc/apparmor.d/local/usr.sbin.dhcp
> > >
> > > /etc/dhcp/ r,
> > > /etc/dhcp/** r,
> > > /etc/dhcpd{,6}.conf r,
> > > /etc/dhcpd{,6}_ldap.conf r,
> > > /usr/local/bin/dhcp-dyndns.sh ix,
> >
> > Try /usr/local/bin/dhcp-dyndns.sh rix,
> >
> >
> > > /bin/grep rix,
> > > /usr/sbin/samba rix,
> > > /usr/bin/gawk rix,
> > > /bin/hostname rix,
> > > /usr/bin/wbinfo rix,
> > > /usr/bin/heimtools rix,
> > > /usr/bin/logger rix,
> > > /usr/bin/kinit.heimdal rix,
> > > /bin/date rix,
> > > /dev/tty wr,
> >
> > > /dev/urandom w,
> > ^^ change that to wr
> >
> >
> > > /proc/** r,
> > > /usr/bin/kinit w,
> > > /run/samba/winbindd/pipe wr,
> > >
> > > The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x 1 root root
> > > 4117 Jun 27 10:54 dhcp-dyndns.sh
> > >
> > > I don't have the
> > > /var/lib/samba/private/named.conf.update.static but have
> > > /var/lib/samba/private/named.conf.update, which looks like the
> > > following
> > >
> > > /* this file is auto-generated - do not edit */
> > > update-policy {
> > > grant LIN.GROUP ms-self * A AAAA;
> > > grant Administrator@LIN.GROUP wildcard * A AAAA SRV CNAME;
> > > grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
> > > };
> >
> > This part,
> > grant SERVER5$@LIN.group
> > So that would mean your hostname is SERVER5
> >
> >
> > >
> > > Please note: the hostname is SERVER5-AD but it is also called
> > > SERVER5 as some of the old shares are pointing to SERVER5 (have entries
> > > for both in DNS and hosts file)
> > No No..
> >
> > A computer (ip) has only ONE hostname (as in host.dom.tld) as in A
> > and PTR record.
> > For example there can only be ONE PTR record for an IP, the matching A
> > is the REAL hostname.
> >
> > All others are aliases and should be CNAMEs in the DNS.
> > Now, your resolving is failing / not correctly setup.
> > That's a point to fix and this is the primary thing you should look at
> > first.
> >
> >
> > >
> > > Louis, the machine has full control over its forward DNS record.
> > > However the machine is not domain\machine but just "WIN7VM01$"
> >
> > That's fine also, as long as the computer has full access it's ok.
> >
> > >
> > > The reverse DNS doesn't exist so I manually added one using
> > > samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198 PTR WIN7VM01.lin.group.
> > > It creates the record but the machine has no access.
> > That's because you created it, not the computer.
> >
> >
> > > The thing to note here is if I add an A record using the DNS
> > > manager and select the option to create the associated pointer
> > > record, it only creates the forward one. I am logged into the
> > > machine with RSAT using the domain administrator account
> > Yes, that's known with RSAT, create the PTR manually in that case.
> >
> > >
> > > Back to the reverse one. I setup the ADDOM\WIN7VM01$ with full
> > > permission in the rev record I just created.
> > >
> > > After the reboot the forward DNS record now shows permissions for
> > > ADDOM\WIN7VM01$ instead of just WIN7VM01$
> > >
> > > > Is "Register this connection's address in DNS" checked?
> > > It is ticked
> > Good.
> > >
> > > In ipconfig /all , the details looks correct. The DNS suffix is
> > > pointing to the domain. It has the correct DHCP and DNS details
> > >
> > > I still see the permission denied error about the dhcp-dyndns.sh and
> > > also client @0x7efc5809bfd0 192.168.14.198#51947: update 'lin.group/IN' denied
> > This is correct, that's attempt one, the second should be with bind_dlz
> > and succeed.
> >
> > >
> > > As you can gather I am in a completely different timezone (AUS) from
> > > you, so it might be a while before I can respond to emails. Hence I
> > > am providing as much info as I can while I can.
> >
> > No problems, we all need to sleep sometime. ;-)
> > >
> > > Regards,
> > >
> > > Praveen
> >
> > Greetz,
> >
> > Louis
> >
> >
>
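Added example for this thread, not code from the list, from Samba or from the dhcp-dyndns.sh script discussed above: a POSIX shell helper that derives the in-addr.arpa zone and PTR owner name for a DHCP lease and prints the samba-tool dns add command Praveen typed by hand, plus an equivalent nsupdate batch. Nothing here touches DNS or Kerberos; the commands are only printed for review. The DNS server 192.168.14.10, the zone lin.group and the host names are taken from the thread; the /24 reverse zone and the 3600 s TTL are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): build the reverse-DNS
# names for an IPv4 lease and print the registration commands.
# Assumptions: a /24 reverse zone, TTL 3600; server/zone/hosts from the thread.

# ptr_name 192.168.14.198  ->  198.14.168.192.in-addr.arpa
ptr_name() {
    old_ifs=$IFS; IFS=.
    set -- $1                         # split the address into four octets
    IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# rev_zone 192.168.14.198  ->  14.168.192.in-addr.arpa   (assumes a /24 network)
rev_zone() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# last_octet 192.168.14.198  ->  198   (record name relative to the /24 reverse zone)
last_octet() {
    printf '%s\n' "${1##*.}"
}

# Normalise a DNS name for comparison: lower-case, trailing dot removed.
canon_name() {
    printf '%s' "${1%.}" | tr 'A-Z' 'a-z'
}

# ptr_matches_a FQDN PTR-TARGET -> exit 0 when the PTR points back at the real
# hostname (one A/PTR pair per address; every other name should be a CNAME).
ptr_matches_a() {
    [ "$(canon_name "$1")" = "$(canon_name "$2")" ]
}

# samba_ptr_cmd SERVER IP FQDN -> the samba-tool command from the thread,
# derived from the address instead of typed by hand.
samba_ptr_cmd() {
    fqdn=${3%.}.                      # PTR target must be fully qualified
    printf 'samba-tool dns add %s %s %s PTR %s\n' \
        "$1" "$(rev_zone "$2")" "$(last_octet "$2")" "$fqdn"
}

# nsupdate_batch SERVER FWD-ZONE HOST IP TTL -> an nsupdate script replacing the
# A and PTR records for the lease. Pipe it into "nsupdate -g" (GSS-TSIG) after
# "kinit -k" with the DHCP server's keytab; the klist/kinit "command not found"
# lines in the thread are that step failing before any update is sent.
nsupdate_batch() {
    fqdn="$3.$2"
    ptr=$(ptr_name "$4")
    cat <<EOF
server $1
update delete $fqdn A
update add $fqdn $5 A $4
send
update delete $ptr PTR
update add $ptr $5 PTR $fqdn.
send
EOF
}

# Demo with the thread's values (printed, not executed).
samba_ptr_cmd 192.168.14.10 192.168.14.198 WIN7VM01.lin.group
nsupdate_batch 192.168.14.10 lin.group win7vm01 192.168.14.198 3600
```

The reverse zone must already exist on the DC (the thread's WERR_GEN_FAILURE on the PTR modify is what a broken or missing reverse zone looks like from named), and a record created with samba-tool is owned by the account that ran it, so a client later trying to update it gets denied; the nsupdate path with the DHCP server's own ticket keeps ownership with that one account for every lease.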