[Samba] Reverse DNS
Praveen Ghimire
PGhimire at sundata.com.au
Mon Jun 24 02:03:15 UTC 2019
Hi Louis,
Just an update on this. I ran up a new test LXC container and completely removed apparmor. Then installed the packages. I got the same errors.
I thought I would change the DNS from Bind to internal and back to bind.
The following is going from Bind9 to Internal
root at server5-ad:/var/log# service bind9 stop
root at server5-ad:/var/log# systemctl mask bind9
Created symlink /etc/systemd/system/bind9.service -> /dev/null.
root at server5-ad:/var/log# service samba-ad-dc stop
root at server5-ad:/var/log# samba_upgradedns --dns-backend=SAMBA_INTERNAL
I removed the server services = -dns line from smb.conf.
I got the following error,
/source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
Then I ran the samba_dnsupdate, which failed
Jun 24 01:26:39 server5-ad samba[800]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 24 01:26:49 server5-ad ntpd[120]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
IPs: ['192.168.14.10']
Looking for DNS entry A server5.LIN.group 192.168.14.10 as server5.LIN.group.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 827, in <module>
    elif not check_dns_name(d):
  File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
    raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
Exception: Timeout while waiting to contact a working DNS server while looking for A server5.LIN.group 192.168.14.10 as server5.LIN.group.
I then reverted back to Bind9 and saw the errors I was seeing before. It creates the forward DNS entry but not the reverse. I am underlining the errors:
Jun 24 01:36:20 server5-ad samba[1037]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Mon, 24 Jun 2019 01:36:20.628460 UTC] Remote host [ipv6::::0] local host
[ipv6::::0]
Jun 24 01:36:21 server5-ad named[1007]: resolver priming query complete
Jun 24 01:36:23 server5-ad named[1007]: message repeated 2 times: [ resolver priming query complete]
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
------------------------------------------------------------------------------------------------------------------------------------------------
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' AAAA
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 43 900 600 86400 3600'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 900 600 86400 3600'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: resolver priming query complete
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#64221: update 'LIN.group/IN' denied
-----------------------------------------------------------------------------------------------------------------------------------------------
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset 'bw10.LIN.group' AAAA
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: subtracted rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
The permissions of the bind files:
root at server5-ad:# ls -ld /var/lib/samba/private/
drwxr-xr-x 8 root root 27 Jun 24 01:48 /var/lib/samba/private/
root at server5-ad:# ls -l /var/lib/samba/private/named.conf
-rw-r--r-- 1 root root 780 Jun 24 01:35 /var/lib/samba/private/named.conf
root at server5-ad:# ls -ld /var/lib/samba/private/dns
drwxrwx--- 3 root bind 4 Jun 24 01:35 /var/lib/samba/private/dns
root at server5-ad:# ls -ld /var/lib/samba/private/dns.keytab
-rw-r----- 1 root bind 807 Jun 24 01:35 /var/lib/samba/private/dns.keytab
root at server5-ad:# ls -l /var/lib/samba/private/dns/
total 45
-rw-rw---- 1 root bind 3014656 Jun 24 01:35 sam.ldb
drwxrwx--- 2 root bind 8 Jun 24 01:35 sam.ldb.d
root at server5-ad:# ls -l /var/lib/samba/private/dns/sam.ldb.d/
total 3223
-rw-rw---- 1 root bind 8597504 Jun 24 01:35 'CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 1 root bind 8187904 Jun 24 01:35 'CN=SCHEMA,CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind 4247552 Jun 24 01:48 'DC=DOMAINDNSZONES,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind 4247552 Jun 24 00:38 'DC=FORESTDNSZONES,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 1 root bind 1286144 Jun 24 01:35 'DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind 831488 Jun 24 01:48 metadata.tdb
Zone list:
Using binding ncacn_ip_tcp:192.168.14.10[,sign]
Mapped to DCERPC endpoint 135
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 49152
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
pszZoneName : 14.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.LIN.group
pszZoneName : LIN.group
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.LIN.group
pszZoneName : _msdcs.LIN.group
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.LIN.group
smb.conf:
[global]
workgroup = LIN
realm = LIN.GROUP
netbios name = SERVER5
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
server services = -dns
allow dns updates = nonsecure
/etc/hosts (the server definition):
# server5-ad and server5 are one and the same. This is because at one stage the shares were on server5, which got moved to server5-ad
192.168.14.10 SERVER5-ad.lin.group SERVER5-ad
192.168.14.10 SERVER5.lin.group SERVER5
Regards,
Praveen Ghimire
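An added triage script (not from the thread or from Samba) for named/samba_dlz update lines like the ones above: it groups the events per client, treats an unsigned "denied" followed by a signed update from the same client as the normal Windows secure-update retry, and flags clients whose A/AAAA record landed without any PTR. The log lines are constructed to mirror the excerpt above, with an invented second client at .181 that does register a PTR; `triage`, `findings` and `SAMPLE_LOG` are assumed names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the named/samba_dlz syslog excerpt in the thread.
# Not a real capture: the .181 client and its PTR update are invented for contrast.
SAMPLE_LOG = """\
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306/160/0
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
Jun 24 01:40:02 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.181#51001/key PC181$@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'pc181.LIN.group' A 192.168.14.181
Jun 24 01:40:02 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.181#51002/key PC181$@LIN.GROUP: updating zone '14.168.192.in-addr.arpa/NONE': adding an RR at '181.14.168.192.in-addr.arpa' PTR pc181.LIN.group.
"""

# Unsigned update refused by BIND (no "/key" after the client port).
DENIED = re.compile(r"client @\S+ (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied")
# Signed (GSS-TSIG) update that actually added a record.
ADD_RR = re.compile(
    r"client @\S+ (?P<ip>[\d.]+)#\d+/key (?P<signer>\S+): updating zone "
    r"'(?P<zone>[^']+)': adding an RR at '(?P<name>[^']+)' (?P<type>\w+) (?P<rdata>\S+)"
)


def triage(log_text):
    """Group dynamic-update events per client IP.

    Windows clients send an unsigned update first and retry with a GSS-TSIG signed
    one when it is refused, so a 'denied' line followed by a signed update from the
    same client is the normal secure-update handshake, not a failure.
    """
    clients = defaultdict(lambda: {"denied": 0, "added": [], "signers": set()})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            clients[m["ip"]]["denied"] += 1
            continue
        m = ADD_RR.search(line)
        if m:
            rec = clients[m["ip"]]
            rec["signers"].add(m["signer"])
            rec["added"].append((m["zone"].split("/")[0], m["name"], m["type"], m["rdata"]))
    return dict(clients)


def findings(summary):
    """Return (ip, code) pairs.

    FORWARD_ONLY: an A/AAAA record was written but no PTR in any reverse zone.
    UNSIGNED_THEN_SIGNED: the benign retry pattern described in triage().
    DENIED_ONLY: the client was refused and never got a signed update through.
    """
    out = []
    for ip, rec in sorted(summary.items()):
        types = {t for _, _, t, _ in rec["added"]}
        if types & {"A", "AAAA"} and "PTR" not in types:
            out.append((ip, "FORWARD_ONLY"))
        if rec["denied"] and rec["added"]:
            out.append((ip, "UNSIGNED_THEN_SIGNED"))
        elif rec["denied"]:
            out.append((ip, "DENIED_ONLY"))
    return out


if __name__ == "__main__":
    for ip, code in findings(triage(SAMPLE_LOG)):
        print(ip, code)
```

Feed it `journalctl -u bind9` or the syslog excerpt and the FORWARD_ONLY clients are the ones to chase on the DHCP/DDNS side; the denied lines underlined above are not themselves the problem.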
-----Original Message-----
From: Praveen Ghimire
Sent: Friday, 21 June 2019 11:19 PM
To: 'L.P.H. van Belle'
Subject: RE: [Samba] Reverse DNS
Hi Louis,
Thank you for that. I've got a lab environment similar to the prod and was able to replicate the issues.
I added the following to /etc/bind/named.conf.options
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key;}; };
This caused named-checkconf to fail:
root at server5-ad:/etc/bind# named-checkconf
/etc/bind/rndc.key:1: unknown option 'key'
/etc/bind/named.conf.options:27: unknown option 'controls'
So I removed that line. The following is the existing named.conf.options:
options {
directory "/var/cache/bind";
forwarders {
8.8.8.8;
};
dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain yes; # conform to RFC1035
empty-zones-enable no;
listen-on-v6 { any; };
};
We are using an LXC container. It turns out there is a reported issue with apparmor in LXC, as per below:
apparmor_parser: Unable to replace "/usr/sbin/named". Permission denied; attempted to load a profile while confined?
The option was to purge and reinstall apparmor. The following is the /etc/apparmor.d/local/usr.sbin.named:
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/etc/smb.conf r,
/var/tmp/** rwmk,
/dev/urandom rw,
The following is from syslog:
Jun 21 12:52:11 server5-ad ntpd[174]: adj_systime: Operation not permitted
Jun 21 12:52:38 server5-ad ntpd[174]: message repeated 27 times: [ adj_systime: Operation not permitted]
Jun 21 12:52:38 server5-ad samba[201]: dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 21 12:52:39 server5-ad ntpd[174]: adj_systime: Operation not permitted
samba_dlz: starting transaction on zone LIN.group
Jun 21 12:55:27 server5-ad named[564]: client @0x7fa7fc013e70 192.168.14.181#54936: update 'LIN.group/IN' denied
Jun 21 12:58:34 server5-ad ntpd[174]: 91.189.89.199 local addr 192.168.14.10 -> <null>
Jun 21 12:58:35 server5-ad ntpd[174]: 91.189.89.198 local addr 192.168.14.10 -> <null>
Jun 21 12:58:36 server5-ad ntpd[174]: 91.189.91.157 local addr 192.168.14.10 -> <null>
Jun 21 12:58:42 server5-ad named[564]: resolver priming query complete
Jun 21 12:58:46 server5-ad samba[201]: [2019/06/21 12:58:46.917811, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 21 12:58:53 server5-ad samba[201]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb
Jun 21 12:59:01 server5-ad named[564]: resolver priming query complete
Jun 21 12:59:04 server5-ad samba[201]: [2019/06/21 12:59:04.972119, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
I've made changes as per your recommendations.
In terms of DHCP, I did go through that wiki a while ago. To me it looks like it works if the DHCP server is in the same domain as the AD server; this is not the case here. I made the changes as per the wiki and added the script. I manually specified the domain and realm info. The script does run but doesn't seem to make a difference. I copied the dhcpd user info stuff from the AD box to the DHCP server.
ACL has now been installed.
Thank you once again.
Regards,
Praveen
-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl]
Sent: Friday, 21 June 2019 7:52 PM
To: Praveen Ghimire
Subject: RE: [Samba] Reverse DNS
Hi, well, I had a good look; I commented where it was needed ;-)
This is the part to start with, then when this is all correct, you can look at the DDNS and reverse DNS parts.
> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Wednesday 19 June 2019 12:38
> To: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> Thank you, awesome script.
>
> Output as follows
>
> Collected config --- 2019-06-19-10:12 -----------
>
> Hostname: server5-ad
> DNS Domain:
Missing default DNS domain.
Is "search your.primary.search.domain.tld" set in /etc/resolv.conf?
> FQDN: server5-ad
And missing domain in FQDN, as result of missing DNS domain.
> ipaddress: 192.168.14.10
>
> -----------
>
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> NAME="Ubuntu"
> VERSION="18.04.1 LTS (Bionic Beaver)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 18.04.1 LTS"
> VERSION_ID="18.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol
> icies/privacy-policy"
> VERSION_CODENAME=bionic
> UBUNTU_CODENAME=bionic
>
> -----------
>
>
> This computer is running Ubuntu 18.04.1 LTS x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 161: v14 at if162: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue state UP group default qlen 1000
> link/ether 7a:bf:29:61:5b:14 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> inet 192.168.14.10/24 brd 192.168.14.255 scope global v14
> inet6 fe80::78bf:29ff:fe61:5b14/64 scope link
>
> -----------
> Checking file: /etc/hosts
Fix the hosts file
>
> 127.0.0.1 localhost 827be14a-ffda-60f5-f7f9-b260c6cab739
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.14.10 server5-ad
> # --- BEGIN PVE ---
> 192.168.14.10 server5-ad.LIN.group server5-ad # --- END PVE ---
> 192.168.14.10 server5
> 192.168.14.10 server5.LIN.group
Now this is also incorrect, you only need 1 line per IP.
If it's correctly set, you can run this: echo "$(hostname -i) $(hostname -f) $(hostname -s)"
More aliases: add them at the end of that line, or add them to the DNS as CNAME.
So your hosts file should result in:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.14.10 server5-ad.LIN.group server5-ad
> -----------
>
> Checking file: /etc/resolv.conf
>
> # --- BEGIN PVE ---
> search LIN.group
> nameserver 192.168.14.10
> # --- END PVE ---
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = LIN.GROUP
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> LIN.GROUP = {
> kdc = server5
> admin_server = server5
>
> }
Remove the [realms] part, not needed.
And wasn't your server named server5-ad?
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files winbind
> group: files winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
> workgroup = LIN
> realm = LIN.GROUP
> netbios name = server5
Ok, here netbios name. It's a mismatch with what's set in /etc/hosts.
HOSTNAME="$(hostname -s)"
echo "${HOSTNAME^^}"
Results in "SERVER5-AD" and that should be in netbios name = ....
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 4
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
Preferred: enum users/groups set to no, it only slows down your server.
> acl allow execute always = True
> server services = -dns
> allow dns updates = nonsecure
> unix extensions = No
>
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:success = mkdir rmdir read pread write pwrite
> rename unlink
> full_audit:failure = none
> full_audit:prefix = %u|%I|%S
>
> [netlogon]
> path = /var/lib/samba/sysvol/LIN.group/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
> [homes]
> comment = Home Directories
> root preexec = bash -c '[[ -d /home/%U ]] || mkdir -m 0700 /home/%U &&
> mkdir -m 0700 /home/%U/samba && chown -R %U:"Domain Users" /home/%U'
>
> # create mask = 0700
> # directory mask = 0700
> # browseable = No
> read only = No
> path = /home/%U/samba
> vfs objects = full_audit
> # follow symlinks = yes
> # wide links = yes
>
Ah [homes], well Rowland and I just did a small test. You can try this.
[homes]
comment = Home Directories
read only = no
valid users = %S
root preexec = /usr/local/sbin/mkhomedir.sh %U %H
Content of mkhomedir.sh:
#!/bin/bash
# $1 = user name (%U), $2 = home directory (%H), as passed from root preexec
if [ ! -e "$2" ]; then
    # wbinfo -g prints groups as DOMAIN\name; keep the whole "domain users" line
    DOMUSERS="$(wbinfo -g | grep -i "domain users")"
    install -d -o "$1" -g "${DOMUSERS}" -m 700 "$2"
fi
exit 0
>
>
>
> [data]
> comment = Data share
> path = /data
> hide unreadable = Yes
> vfs objects = full_audit
> follow symlinks = yes
> wide links = yes
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server
> named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information
> on the // structure of BIND configuration files in Debian, *BEFORE*
> you customize // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options"; include
> "/etc/bind/named.conf.local"; include
> "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> // forwarders {
> // 0.0.0.0;
> // };
Do set your forwarder to internet DNS servers.
>
>
> //============================================================
> ============
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See
> https://www.isc.org/bind-keys
>
> //============================================================
> ============
> dnssec-validation auto;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> auth-nxdomain no; # conform to RFC1035
Your AD DC is the AUTHORITATIVE server of the primary zone, so:
auth-nxdomain yes;
> listen-on-v6 { any; };
Add: empty-zones-enable no;
That avoids possible conflicts with configured zones.
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization //include "/etc/bind/zones.rfc1918";
I'm missing here:
// adding the dlopen ( Bind DLZ ) module for samba, beware, if you are using bind9.9 then you need to change this manually
include "/var/lib/samba/private/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and
> for // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list:
> Samba DNS zone list Automated check :
>
> Installed packages:
I'm missing acl.
apt-get install acl
> ii attr 1:2.4.47-2build1
> amd64 Utilities for manipulating filesystem
> extended attributes
> ii bind9 1:9.11.3+dfsg-1ubuntu1.7
> amd64 Internet Domain Name Server
> ii bind9-host 1:9.11.3+dfsg-1ubuntu1.7
> amd64 DNS lookup utility (deprecated)
> ii bind9utils 1:9.11.3+dfsg-1ubuntu1.7
> amd64 Utilities for BIND
> ii krb5-config 2.6
> all Configuration files for Kerberos Version 5
> ii krb5-locales 1.16-2ubuntu0.1
> all internationalization support for MIT Kerberos
> ii krb5-user 1.16-2ubuntu0.1
> amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.52-3build1
> amd64 Access control list shared library
> ii libattr1:amd64 1:2.4.47-2build1
> amd64 Extended attribute shared library
> ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.7
> amd64 BIND9 Shared Library used by BIND
> ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1
> amd64 MIT Kerberos runtime libraries - krb5
> GSS-API Mechanism
> ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1
> amd64 Heimdal Kerberos - libraries
> ii libkrb5-3:amd64 1.16-2ubuntu0.1
> amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.16-2ubuntu0.1
> amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba
> nameservice integration plugins
> ii libpam-winbind:amd64
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Windows domain
> authentication integration plugin
> ii libwbclient0:amd64
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba winbind
> client library
> ii python-samba
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python
> bindings for Samba
> ii samba
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file,
> print, and login server for Unix
> ii samba-common
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files
> used by both the Samba server and client
> ii samba-common-bin
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common
> files used by both the server and the client
> ii samba-dsdb-modules
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba
> Directory Services Database
> ii samba-libs:amd64
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries
> ii samba-vfs-modules
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual
> FileSystem plugins
> ii winbind
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 service to
> resolve user and group information from Windows NT servers
>
> -----------
>
>
> DHCP
>
> subnet 192.168.14.0 netmask 255.255.255.0 {
> authoritative;
> option netbios-name-servers 192.168.14.10;
> option netbios-dd-server 192.168.14.10;
> option netbios-node-type 8;
> option domain-name-servers 192.168.14.1, 192.168.14.10;
>
> ddns-rev-domainname "in-addr.arpa.";
>
> pool {
> range dynamic-bootp 192.168.14.150 192.168.14.150;
> range dynamic-bootp 192.168.14.153 192.168.14.154;
> range dynamic-bootp 192.168.14.180 192.168.14.188;
> range dynamic-bootp 192.168.14.191 192.168.14.191;
> range dynamic-bootp 192.168.14.193 192.168.14.196;
> range dynamic-bootp 192.168.14.198 192.168.14.210;
> range dynamic-bootp 192.168.14.212 192.168.14.214;
>
> }
> option broadcast-address 192.168.14.255;
> option routers 192.168.14.254;
> option domain-name "site01";
> ddns-domainname "site01";
Here, domainname and ddns-domainname should be your primary DNS.
> ddns-updates on;
> update-optimization off;
> update-static-leases on;
> allow client-updates;
> }
I suggest having a good look at:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
And in addition, in named.conf.options add at the end of the file:
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key;}; };
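An added checker (not from the thread or from Samba) for the naming consistency Louis asks for above: exactly one /etc/hosts line for the DC's IP with the FQDN first and the short name second, and a netbios name equal to the upper-cased short hostname (and within the 15-character NetBIOS limit). The inputs are constructed from the hosts file and smb.conf quoted in this thread, beside the corrected versions; `check_dc_naming`, `hosts_entries` and `netbios_name` are hypothetical names.

```python
import re

# Constructed from the /etc/hosts and smb.conf quoted in the thread (the broken state).
HOSTS_BROKEN = """\
127.0.0.1 localhost 827be14a-ffda-60f5-f7f9-b260c6cab739
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.14.10 server5-ad
# --- BEGIN PVE ---
192.168.14.10 server5-ad.LIN.group server5-ad # --- END PVE ---
192.168.14.10 server5
192.168.14.10 server5.LIN.group
"""
SMB_BROKEN = "[global]\n workgroup = LIN\n realm = LIN.GROUP\n netbios name = server5\n"

# The corrected versions suggested in the reply.
HOSTS_FIXED = """\
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.14.10 server5-ad.LIN.group server5-ad
"""
SMB_FIXED = "[global]\n workgroup = LIN\n realm = LIN.GROUP\n netbios name = SERVER5-AD\n"

NETBIOS_MAX_LEN = 15


def hosts_entries(hosts_text, ip):
    """Name lists of every /etc/hosts line for ip; comments and blank lines are ignored."""
    entries = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == ip:
            entries.append(fields[1:])
    return entries


def netbios_name(smb_text):
    """The 'netbios name' value from smb.conf, or None if it is not set."""
    m = re.search(r"^\s*netbios name\s*=\s*(\S+)", smb_text, re.M | re.I)
    return m.group(1) if m else None


def check_dc_naming(hosts_text, smb_text, ip, short, dns_domain):
    """Return a list of findings; an empty list means the DC's naming is consistent.

    short and dns_domain are what 'hostname -s' and the resolv.conf search domain give.
    """
    fqdn = f"{short}.{dns_domain}"
    found = []
    entries = hosts_entries(hosts_text, ip)
    if len(entries) != 1:
        found.append(f"{len(entries)} /etc/hosts lines for {ip}; want exactly one: '{ip} {fqdn} {short}'")
    elif [n.lower() for n in entries[0][:2]] != [fqdn.lower(), short.lower()]:
        found.append(f"/etc/hosts line for {ip} should start with '{fqdn} {short}', got '{' '.join(entries[0])}'")
    nb = netbios_name(smb_text)
    if nb is None:
        found.append("smb.conf has no 'netbios name'")
    else:
        if nb != short.upper():
            found.append(f"netbios name = {nb} but hostname -s gives {short}; set it to {short.upper()}")
        if len(nb) > NETBIOS_MAX_LEN:
            found.append(f"netbios name = {nb} is longer than {NETBIOS_MAX_LEN} characters")
    return found


if __name__ == "__main__":
    for label, hosts, smb in (("broken", HOSTS_BROKEN, SMB_BROKEN), ("fixed", HOSTS_FIXED, SMB_FIXED)):
        print(label, check_dc_naming(hosts, smb, "192.168.14.10", "server5-ad", "LIN.group") or "OK")
```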