[Samba] Reverse DNS

L.P.H. van Belle belle at bazuin.nl
Tue Jul 9 07:10:47 UTC 2019


The default windows settings should be sufficient. 


> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au] 
> Sent: Tuesday 9 July 2019 8:27
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
> 
> Hi Louis,
> 
> I can do that but does it mean we'll have to set up a GPO to 
> enable the machines to update their DNS?
> 
> 
> Regards,
> Praveen Ghimire
> 
> 
> -----Original Message-----
> From: L.P.H. van Belle [mailto:belle at bazuin.nl] 
> Sent: Thursday, 4 July 2019 4:47 PM
> To: samba at lists.samba.org
> Cc: Praveen Ghimire
> Subject: RE: [Samba] Reverse DNS
> 
> On the server with the dhcp script. 
> 
> apt install krb5-user
> Should be sufficient, then try again. 
> 
> Greetz, 
> 
> Louis
> 
> 
> > -----Original Message-----
> > From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > Sent: Thursday 4 July 2019 8:39
> > To: 'L.P.H. van Belle'; samba at lists.samba.org
> > Subject: RE: [Samba] Reverse DNS
> > 
> > Hi Louis,
> > 
> > I have tested some more and have come up with the following
> > 
> > Test1:
> > DHCP server:
> > - Not joined to the AD domain
> > - Installed Samba and also set up dhcpd.conf to run the dhcp-dyndns 
> > script. The script failed as it couldn't use kinit so I don't think it 
> > will work
> > Results:
> > - The forward updates but the reverse doesn't
> > DHCP logs:
> > 
> > Jul  4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 82: klist: command not found
> > Jul  4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : Getting new ticket, old one has expired
> > Jul  4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 85: kinit: command not found
> > Jul  4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : dhcpd kinit for dynamic DNS failed
> > Jul  4 05:17:43 server-fw dhcpd[10300]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 256
> > 
> > 
> > Test2:
> > DHCP server:
> > - Not joined to the AD domain
> > - Installed Samba and also set up dhcpd.conf to NOT run the script
> > Results:
> > - The forward updates but the reverse doesn't
> > 
> > 
> > 
> > Test2:
> > Same setup in DHCP server, i.e. not running the scripts. In the Windows 
> > machine, ticked "Use this connection's DNS suffix in DNS 
> > registration" under the Advanced DNS settings (IPv4).
> > Results:
> > Both forward and reverse work
> > 
> > Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
> > Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
> > Jul  4 06:16:03 server5 named[90]: client @0x7fb51811e370 192.168.14.150#64300/key BW10\$\@lin.GROUP: updating zone '14.168.192.in-addr.arpa/NONE': deleting rrset at '150.14.168.192.in-addr.arpa' PTR
> > Jul  4 06:16:03 server5 named[90]: samba_dlz: failed to modify DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
> > Jul  4 06:16:03 server5 named[90]: samba_dlz: cancelling transaction on zone 14.168.192.in-addr.arpa
> > Jul  4 06:16:03 server5 named[90]: resolver priming query complete
> > 
> > 
> > In all of the subsequent tests, the only time I got a consistent 
> > reverse entry in DNS is when ticking the above.
> > Even when I installed DHCP in the actual Samba box, the above setting 
> > ensured the reverse entry
> > 
> > 
> > Regards,
> > Praveen Ghimire
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> > Sent: Thursday, 27 June 2019 10:03 PM
> > To: samba at lists.samba.org
> > Cc: Praveen Ghimire
> > Subject: RE: [Samba] Reverse DNS
> > 
> > Hai Praveen,
> >  
> > 
> > > -----Original Message-----
> > > From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > > Sent: Thursday 27 June 2019 13:46
> > > To: samba at lists.samba.org
> > > CC: 'L.P.H. van Belle'
> > > Subject: RE: [Samba] Reverse DNS
> > > 
> > > Hi Guys,
> > > 
> > > Thank you for your emails. Here is the info
> > > 
> > > /etc/apparmor.d/local/usr.sbin.dhcp
> > > 
> > > /etc/dhcp/ r,
> > > /etc/dhcp/** r,
> > > /etc/dhcpd{,6}.conf r,
> > > /etc/dhcpd{,6}_ldap.conf r,
> > > /usr/local/bin/dhcp-dyndns.sh ix,
> > 
> > Try /usr/local/bin/dhcp-dyndns.sh rix,
> > 
> > 
> > > /bin/grep rix,
> > > /usr/sbin/samba rix,
> > > /usr/bin/gawk rix,
> > > /bin/hostname rix,
> > > /usr/bin/wbinfo rix,
> > > /usr/bin/heimtools rix,
> > > /usr/bin/logger rix,
> > > /usr/bin/kinit.heimdal rix,
> > > /bin/date rix,
> > > /dev/tty wr,
> > 
> > > /dev/urandom w,
> > ^^ change that to wr
> > 
> > 
> > > /proc/** r,
> > > /usr/bin/kinit w,
> > > /run/samba/winbindd/pipe wr,
> > > 
> > > The /usr/local/bin/dhcp-dyndns.sh is
> > > -rwxr-xr-x  1 root root 4117 Jun 27 10:54 dhcp-dyndns.sh
> > > 
> > > I don't have the
> > > /var/lib/samba/private/named.conf.update.static but have 
> > > /var/lib/samba/private/named.conf.update, which looks like the 
> > > following
> > > 
> > > /* this file is auto-generated - do not edit */
> > > update-policy {
> > >         grant LIN.GROUP ms-self * A AAAA;
> > >         grant Administrator at LIN.GROUP wildcard * A AAAA SRV CNAME;
> > >         grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
> > > };
> > 
> > This part,
> > grant SERVER5$@LIN.group
> > So that would mean your hostname is SERVER5
> > 
> > 
> > > 
> > > Please note: the hostname is SERVER5-AD but it is also called
> > > SERVER5 as some of the old shares are pointing to SERVER5 (have entries
> > > for both in DNS and hosts file)
> > No no.. 
> > 
> > A computer (IP) has only ONE hostname (as in host.dom.tld), as in A 
> > and PTR record.
> > For example, there can only be ONE PTR record for an IP; the matching A 
> > is the REAL hostname.
> > 
> > All others are aliases and should be CNAMEs in the DNS. 
> > Now, your resolving is failing / not correctly set up. 
> > That's a point to fix and this is the primary thing you should look at 
> > first.
> > 
> > 
> > > 
> > > Louis, the machine has full control over its forward DNS record. 
> > > However the machine is not domain\machine but just "WIN7VM01$"
> > 
> > That's fine also, as long as the computer has full access it's ok. 
> > 
> > > 
> > > The reverse DNS doesn't exist so I manually added one using 
> > > samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198 PTR 
> > > WIN7VM01.lin.group. It creates the record but the machine has no 
> > > access.
> > That's because you created it, not the computer. 
> > 
> > 
> > > The thing to note is here is if I add an A record using the DNS 
> > > manager and select the option to create the associated pointer 
> > > record, it only creates the forward one. I am logged into the 
> > > machine with RSAT using the domain administrator account
> > Yes, that's known with RSAT, create the PTR manually in that case. 
> > 
> > > 
> > > Back to the reverse one. I setup the ADDOM\WIN7VM01$ with full 
> > > permission in the rev record I just created.
> > > 
> > > After the reboot the forward DNS record now shows permissions for 
> > > ADDOM\WIN7VM01$ instead of just WIN7VM01$
> > > Is "Register this connection's address in DNS" checked? It is ticked
> > Good. 
> > > 
> > > In ipconfig /all , the details looks correct. The DNS suffix is 
> > > pointing to the domain. It has the correct DHCP and DNS details
> > > 
> > > I still see the permission denied error about the dhcp-dyndns.sh and 
> > > also client @0x7efc5809bfd0
> > > 192.168.14.198#51947: update 'lin.group/IN' denied
> > This is correct, that's attempt one; the second should be with bind_dlz 
> > and succeed.
> > 
> > > 
> > > As you can gather I am in a completely different timezone (AUS) from 
> > > you, so it might be a while before I can respond to emails. Hence I 
> > > am providing as much info as I can while I can.
> > 
> > No problems, we all need to sleep sometime. ;-)
> > > 
> > > Regards,
> > > 
> > > Praveen
> > 
> > Greetz,
> > 
> > Louis
> > 
> > 
> 



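As an added illustration of the one-hostname-per-IP rule Louis spells out above (a small checker written for this page, not code from the thread or from Samba), the script below takes a list of A, PTR and CNAME records and reports IPs with more than one A record, missing or duplicate PTRs, PTRs that do not point back at a name holding an A record for that IP, and CNAME aliases that collide with or dangle from A records. The record data is constructed; names and addresses only echo the thread for readability.

```python
from collections import defaultdict
import ipaddress

# Constructed sample records; they mirror the thread's names but are not its data.
SAMPLE = [
    ("server5-ad.lin.group", "A", "192.168.14.10"),
    ("server5.lin.group", "A", "192.168.14.10"),      # second A for one IP: should be a CNAME
    ("10.14.168.192.in-addr.arpa", "PTR", "server5-ad.lin.group."),
    ("win7vm01.lin.group", "A", "192.168.14.198"),    # no PTR was ever created for it
    ("bw10.lin.group", "A", "192.168.14.150"),
    ("150.14.168.192.in-addr.arpa", "PTR", "bw10.lin.group."),
]

def reverse_name(ip):
    """192.168.14.150 -> 150.14.168.192.in-addr.arpa (no trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer

def check_records(records):
    """Return a list of findings; an empty list means A/PTR/CNAME are consistent."""
    findings = []
    a_by_ip = defaultdict(set)     # ip -> names holding an A record for it
    ptr_by_rev = defaultdict(set)  # reverse name -> PTR targets
    cnames = {}                    # alias -> canonical name
    for name, rtype, value in records:
        name, value = name.lower().rstrip("."), value.lower().rstrip(".")
        if rtype == "A":
            a_by_ip[value].add(name)
        elif rtype == "PTR":
            ptr_by_rev[name].add(value)
        elif rtype == "CNAME":
            cnames[name] = value
    names_with_a = set().union(*a_by_ip.values())
    for ip, names in a_by_ip.items():
        rev = reverse_name(ip)
        ptrs = ptr_by_rev.get(rev, set())
        if len(names) > 1:  # one real hostname per IP; extra names belong in CNAMEs
            findings.append(f"{ip}: {len(names)} A records {sorted(names)}; keep one, make the rest CNAMEs")
        if not ptrs:
            findings.append(f"{ip}: no PTR record at {rev}")
        elif len(ptrs) > 1:
            findings.append(f"{ip}: {len(ptrs)} PTR records at {rev}, expected exactly one")
        elif not ptrs & names:  # the single PTR must name a host with an A for this IP
            findings.append(f"{ip}: PTR {next(iter(ptrs))} has no matching A record for this IP")
    for alias, target in cnames.items():
        if alias in names_with_a:
            findings.append(f"{alias}: has both an A and a CNAME record")
        elif target not in names_with_a and target not in cnames:
            findings.append(f"{alias}: CNAME target {target} has no A record")
    return findings

if __name__ == "__main__":
    for finding in check_records(SAMPLE):
        print(finding)
```

Feeding it the output of `samba-tool dns query` for the forward and reverse zones (parsed into the same three-tuples) turns Louis's rule into a repeatable check rather than a manual inspection.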
