[Samba] Reverse DNS

Praveen Ghimire PGhimire at sundata.com.au
Wed Jun 19 03:22:27 UTC 2019


Hi,

We have some issue with the reverse DNS in Samba AD. We're running Bind9_DLZ on Ubuntu 18.04. The DHCP server (Ubuntu 16.04) is different to the AD server and not in the same AD domain. The DHCP scope points to the Samba AD server as the DNS server.

When a machine with a DHCP-assigned address tries to update the DNS record, it is able to update the forward zone but not the reverse zone. The only time it updates both the forward and the reverse is if the machine is set up with a static IP.

The global bit of the smb.conf
[global]
        workgroup = LIN
        realm = LIN.GROUP
        netbios name = server5
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/log.%m
        log level = 4
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        acl allow execute always = True
        server services = -dns
        allow dns updates = nonsecure
        unix extensions = No

The following syslog is with the allow dns updates = nonsecure

root at server5-ad:/var/log# tail -f syslog
Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: spnego update failed
Jun 19 02:47:19 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#59581/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: starting transaction on zone LIN.group
Jun 19 02:47:22 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#50012: update 'LIN.group/IN' denied
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: starting transaction on zone LIN.group
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: spnego update failed
Jun 19 02:47:22 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#52845/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group
Jun 19 02:47:44 server5-ad samba[3132]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

The following syslog is with the allow dns updates = secure

Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing update of signer=site01-WIN7-01\$\@LIN.GROUP name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing update of signer=site01-WIN7-01\$\@LIN.GROUP name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0
Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'site01-WIN7-01.LIN.group' AAAA
Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'site01-WIN7-01.LIN.group' A
Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'site01-WIN7-01.LIN.group' A 192.168.14.187
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: added rdataset site01-WIN7-01.LIN.group 'site01-WIN7-01.LIN.group.#0111200#011IN#011A#011192.168.14.187'
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 12474 900 600 86400 3600'
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 12475 900 600 86400 3600'
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: committed transaction on zone LIN.group
Jun 19 02:52:56 server5-ad samba[3240]:   dnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb
Jun 19 02:53:27 server5-ad samba[3240]: [2019/06/19 02:53:27.656391,  0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)

The following syslog is with the allow dns updates = nonsecure but with a static IP
samba_dlz: added rdataset 14.168.192.in-addr.arpa '14.168.192.in-addr.arpa.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group.


The bind files
root at server5-ad:/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

root at server5-ad:/etc/bind# cat named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

The named.conf in /var/lib/samba/private

dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};


root at server5-ad:/var/lib/samba/private# klist -kte /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP (des-cbc-crc)
   1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (des-cbc-crc)
   1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP (des-cbc-md5)
   1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (des-cbc-md5)
   1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP (arcfour-hmac)
   1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (arcfour-hmac)
   1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP (aes128-cts-hmac-sha1-96)
   1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (aes128-cts-hmac-sha1-96)
   1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP (aes256-cts-hmac-sha1-96)
   1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (aes256-cts-hmac-sha1-96)

root at server5-ad:/var/log# service --status-all
[ - ]  apparmor
[ + ]  bind9
[ - ]  console-setup.sh
[ + ]  cron
[ + ]  dbus
[ - ]  hwclock.sh
[ - ]  irqbalance
[ - ]  keyboard-setup.sh
[ - ]  kmod
[ - ]  nmbd
[ + ]  ntp
[ - ]  plymouth
[ - ]  plymouth-log
[ + ]  postfix
[ + ]  procps
[ - ]  rsync
[ + ]  rsyslog
[ + ]  samba-ad-dc
[ - ]  smbd
[ + ]  ssh
[ - ]  udev
[ + ]  ufw
[ - ]  urandom
[ - ]  uuidd
[ - ]  winbind
[ - ]  x11-common

Regards,
Praveen Ghimire
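An added triage script, not part of the original post or of the Samba project, that parses the named/samba_dlz syslog lines shown above, classifies each client's dynamic-update attempt as refused, denied or allowed, and lists forward A records that were written without a matching PTR in a reverse zone. The sample lines are constructed from the excerpts in the post; the `static-host` entries and the PTR line are hypothetical, added to show what a successful reverse update looks like.

```python
import re

# Constructed sample syslog modelled on the post; the static-host A and PTR
# lines are invented to show a host whose reverse record did get written.
SAMPLE_LOG = r"""Jun 19 02:47:19 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#59581/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 19 02:47:22 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#50012: update 'LIN.group/IN' denied
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing update of signer=site01-WIN7-01\$\@LIN.GROUP name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: added rdataset site01-WIN7-01.LIN.group 'site01-WIN7-01.LIN.group.#0111200#011IN#011A#011192.168.14.187'
Jun 19 02:53:10 server5-ad named[3221]: samba_dlz: added rdataset static-host.LIN.group 'static-host.LIN.group.#0111200#011IN#011A#011192.168.14.50'
Jun 19 02:53:10 server5-ad named[3221]: samba_dlz: added rdataset 14.168.192.in-addr.arpa '50.14.168.192.in-addr.arpa.#0111200#011IN#011PTR#011static-host.LIN.group.'
"""

REFUSED = re.compile(r"client @\S+ (?P<ip>[\d.]+)#\d+(?:/key (?P<signer>\S+))?: "
                     r"updating zone '(?P<zone>[^/']+)/[^']*': update failed: (?P<reason>.+)")
DENIED = re.compile(r"client @\S+ (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^/']+)/[^']*' denied")
ALLOWED = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
                     r"tcpaddr=(?P<ip>[\d.]+) type=(?P<type>\S+)")
ADDED = re.compile(r"samba_dlz: added rdataset (?P<name>\S+) '(?P<rr>[^']*)'")

def is_reverse(name):
    """True for owner names under the IPv4/IPv6 reverse trees."""
    return name.lower().rstrip(".").endswith(("in-addr.arpa", "ip6.arpa"))

def parse_update_log(text):
    """Return (events, records): update outcomes per client, and records actually written."""
    events, records = [], []
    for line in text.splitlines():
        if m := REFUSED.search(line):      # GSS-TSIG signed update rejected by the DLZ
            events.append(("refused", m["ip"], m["zone"], m["signer"], m["reason"]))
        elif m := DENIED.search(line):     # unsigned update, refused by named's update-policy
            events.append(("denied", m["ip"], m["zone"], None, "unsigned update denied"))
        elif m := ALLOWED.search(line):
            events.append(("allowed", m["ip"], m["name"], m["signer"], m["type"]))
        elif m := ADDED.search(line):
            fields = m["rr"].split("#011", 4)  # owner ttl class type rdata; #011 is a syslog-escaped tab
            if len(fields) == 5:               # skip truncated lines such as a cut-off SOA
                records.append((fields[0].rstrip(".").lower(), fields[3], fields[4]))
    return events, records

def missing_reverse(records):
    """IPv4 addresses that got a forward A record but no PTR under in-addr.arpa."""
    ptr_owners = {owner for owner, rtype, _ in records if rtype == "PTR"}
    missing = []
    for owner, rtype, rdata in records:
        if rtype == "A" and not is_reverse(owner):
            expected = ".".join(reversed(rdata.split("."))) + ".in-addr.arpa"
            if expected not in ptr_owners:
                missing.append(rdata)
    return missing
```

Run it over `/var/log/syslog` from a DC to see which clients are being refused and which forward registrations never got their PTR.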