[Samba] pfSense DHCP integration with Samba AD DDNS

Rowland penny rpenny at samba.org
Thu Jun 20 12:25:16 UTC 2019

On 20/06/2019 12:55, Adam Weremczuk wrote:
> Hi Rowland,
> I don't want to run an AD DC on firewall device, barely DHCP and 
> maybe DNS.
> What you have pointed me to is similar to what I have in place:
> https://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ 
It would be; I based my script on the same webpage info.
> and which is working fine.
> NOW I want to switch DHCP from isc-dhcp-server 4.2.2 on Debian to DHCP 
> on pfSense firewall (based on FreeBSD 11.2) which reports as below:
> pkg info | grep dhcp
> dhcp6-20080615.2               KAME DHCP6 client, server, and relay
> dhcpleases-0.3_1               read dhpcd.lease file and add it to hosts file
> dhcpleases6-0.1_2              read dhpcd6.leases file and trigger command on modification
> isc-dhcp43-client-4.3.6P1      The ISC Dynamic Host Configuration Protocol client
> isc-dhcp43-relay-4.3.6P1_1     The ISC Dynamic Host Configuration Protocol relay
> isc-dhcp43-server-4.3.6P1_1    ISC Dynamic Host Configuration Protocol server
> I've set it up and everything is working fine apart from DDNS 
> integration.
That is what made me think 'AD DC'
> pfSense web GUI is limiting my config choices to the following:
> Dynamic DNS
> Enable: Check the box to enable registration of DHCP client names in DNS using an external (non-pfSense) DNS server.
> DDNS Domain: The domain name used for registering clients in DNS
> Primary DDNS Address: The DNS server used for registering clients in DNS
> DNS Domain Key: The encryption key used for DNS registration
> DNS Domain Key Secret: The secret for the key used for DNS registration
> Does it mean it's not going to work as it doesn't involve Kerberos 
> authentication?

The problem is that Windows machines can update their own records in AD, 
but you need a separate user to update other users. This leads to the 
obvious question, do you have any Unix clients or are they all Windows 
clients? You only need an update script if you have any Unix dhcp clients.

The only way that I could get it to work is shown in the script I 
pointed you to, by using kerberos.
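For readers following the thread, here is the shape of the Kerberos-based approach Rowland refers to, written as an ISC dhcpd event hook: a dedicated, unprivileged AD account holds the update rights, the script obtains a ticket for it from a keytab and feeds the A and PTR changes to `nsupdate -g` (GSS-TSIG), which is the mechanism plain TSIG keys in the pfSense GUI cannot provide against a secure-updates-only AD zone. This is an added example, not the script from the thread or the linked blog post; the realm, account, keytab path, zone names and the hook path are assumptions, and the pfSense GUI exposes no such hook, so it shows the mechanism rather than a pfSense configuration.

```shell
#!/bin/sh
# Assumed deployment values (not from the thread); override via environment.
DDNS_PRINCIPAL="${DDNS_PRINCIPAL:-dhcp-ddns@EXAMPLE.LAN}"     # unprivileged update account
DDNS_KEYTAB="${DDNS_KEYTAB:-/etc/dhcp/dhcp-ddns.keytab}"
DDNS_DOMAIN="${DDNS_DOMAIN:-example.lan}"                      # forward zone clients are registered in
DDNS_SERVER="${DDNS_SERVER:-dc1.example.lan}"                  # AD DNS server accepting GSS-TSIG updates
DDNS_TTL="${DDNS_TTL:-3600}"

# Example dhcpd.conf hooks calling this script (assumed path /usr/local/sbin/dhcp-ddns.sh):
#   on commit {
#     set clientip   = binary-to-ascii(10, 8, ".", leased-address);
#     set clientname = pick-first-value(option host-name, "nohost");
#     execute("/usr/local/sbin/dhcp-ddns.sh", "add", clientname, clientip);
#   }
#   on release { ... execute("/usr/local/sbin/dhcp-ddns.sh", "delete", clientname, clientip); }

# 192.168.10.42 -> 42.10.168.192.in-addr.arpa
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# The host name comes from the DHCP client (option 12) and is untrusted:
# accept only a single DNS label (letters, digits, hyphens; no leading/trailing hyphen).
valid_hostname() {
    case $1 in
    ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# Dotted quad with each octet 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Emit the nsupdate batch for one lease. Forward and reverse records live in
# different zones, so each gets its own "send". action is add or delete.
build_update() {
    action=$1; host=$2; ip=$3
    fqdn="$host.$DDNS_DOMAIN"
    ptr=$(reverse_name "$ip")
    printf 'server %s\n' "$DDNS_SERVER"
    printf 'update delete %s. A\n' "$fqdn"
    [ "$action" = add ] && printf 'update add %s. %s A %s\n' "$fqdn" "$DDNS_TTL" "$ip"
    printf 'send\n'
    printf 'update delete %s. PTR\n' "$ptr"
    [ "$action" = add ] && printf 'update add %s. %s PTR %s.\n' "$ptr" "$DDNS_TTL" "$fqdn"
    printf 'send\n'
}

# Validate, get a ticket for the update account, push the batch with GSS-TSIG.
ddns_update() {
    action=$1; host=$2; ip=$3
    valid_hostname "$host" || { echo "ddns: rejected host name from client: $host" >&2; return 1; }
    valid_ip "$ip"         || { echo "ddns: rejected address: $ip" >&2; return 1; }
    KRB5CCNAME="FILE:/run/dhcp-ddns.cc"; export KRB5CCNAME   # private cache, not the root user's
    kinit -k -t "$DDNS_KEYTAB" "$DDNS_PRINCIPAL" || { echo "ddns: kinit failed" >&2; return 1; }
    build_update "$action" "$host" "$ip" | nsupdate -g
}

# Run as a hook only when dhcpd passes the three arguments.
if [ "$#" -eq 3 ]; then
    ddns_update "$@"
fi
```

The account behind `DDNS_PRINCIPAL` should be granted write access on just the two zones (or only on the DNS node objects it manages), so a compromise of the DHCP host yields DNS record rights and nothing more; the host-name filter matters because dhcpd hands the client-supplied name straight to the script.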

