[Samba] Reverse DNS
Praveen Ghimire
PGhimire at sundata.com.au
Tue Jun 25 11:43:21 UTC 2019
Hi All,
Some more digging through the syslogs. The following error sticks out
client @0x7fd3bc0d5910 192.168.14.196#56965: updating zone '168.192.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)
This was with dns update = nonsecure and secure and a static IP. With the dns update section removed, the reverse DNS update works and the reverse entry is created.
When using nonsecure and secure and DHCP, we see the following
[26654.606730] audit: type=1400 audit(1561462441.550:193): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/dev/urandom" pid=29418 comm="isc-worker0001" requested_mask="wc" denied_mask="wc" fsuid=111 ouid=0
dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Following Louis' instructions on the git page, I've set up the following in apparmor:
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/etc/smb.conf r,
/var/tmp/** rwmk,
/dev/urandown rw,
# Samba4 DLZ and Active Directory Zones (default source installation)
# bind support before samba 4.9
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
# bind support after samba 4.9
/var/lib/samba/bind-dns/** rwmk,
/var/lib/samba/bind-dns/dns.keytab r,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
# Regular samba.
/var/lib/samba/lib/** rm,
/usr/lib/**/samba/bind9/** rmk,
/usr/lib/**/samba/gensec/* rmk,
/usr/lib/**/samba/ldb/** rmk,
/usr/lib/**/ldb/modules/ldb/** rmk,
/var/tmp/** rwmk,
/var/lib/samba/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
Just a reminder, the zones are as follows:
pszZoneName : 14.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.LIN.group
pszZoneName : LIN.group
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.LIN.group
pszZoneName : _msdcs.LIN.group
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.LIN.group
As mentioned, the DHCP server is not on the same server; it is on a machine that is not in the same domain. It is a standalone Ubuntu server.
Any suggestions?
Regards,
Praveen Ghimire
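As an added illustration (not code from the thread or from Samba), here is a small checker that reads the AppArmor DENIED line and the local profile snippet above, both copied into constants, and reports which rule should have covered the path and which permission letters are still missing. The mapping of the "c" (create) sub-permission onto "w" is an assumption made for this check; near-miss rules in the same directory are listed because a typo in a path rule shows up exactly there.

```python
import re

# Constructed from the thread: the AppArmor denial that appeared in syslog
# and the local profile snippet that was meant to cover named's access.
AUDIT_LINE = ('audit: type=1400 audit(1561462441.550:193): apparmor="DENIED" '
              'operation="open" profile="/usr/sbin/named" name="/dev/urandom" '
              'pid=29418 comm="isc-worker0001" requested_mask="wc" '
              'denied_mask="wc" fsuid=111 ouid=0')

PROFILE_LOCAL = """\
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/etc/smb.conf r,
/var/tmp/** rwmk,
/dev/urandown rw,
"""

# Letters AppArmor reports in requested_mask that a profile grants through a
# broader permission letter (assumption: create/append/delete fall under w).
IMPLIED_BY = {"c": "w", "a": "w", "d": "w"}


def parse_audit(line):
    """Return the key=value and key="value" fields of an AppArmor audit line."""
    return dict(re.findall(r'(\w+)="?([^"\s]*)"?', line))


def parse_rules(text):
    """Return (path_glob, permission_set) for each simple file rule in a profile."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+([a-zA-Z]+),$", line)
        if m:
            rules.append((m.group(1), set(m.group(2))))
    return rules


def glob_to_regex(pattern):
    """AppArmor globbing: * stays within one path component, ** crosses /."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def check_denial(audit_line, profile_text):
    """Explain a DENIED event against the profile: which rules matched the path,
    which permission letters are still missing, and near-miss rules that sit in
    the same directory but do not match (typos show up here)."""
    ev = parse_audit(audit_line)
    path = ev["name"]
    needed = {IMPLIED_BY.get(c, c) for c in ev["requested_mask"]}
    rules = parse_rules(profile_text)
    matched = [pat for pat, _ in rules if glob_to_regex(pat).match(path)]
    granted = set()
    for pat, perms in rules:
        if pat in matched:
            granted |= perms
    parent = path.rsplit("/", 1)[0]
    near_miss = [pat for pat, _ in rules
                 if pat not in matched and pat.rsplit("/", 1)[0] == parent]
    return {"profile": ev["profile"], "path": path, "needed": needed,
            "matched": matched, "missing": needed - granted,
            "near_miss": near_miss}


if __name__ == "__main__":
    print(check_denial(AUDIT_LINE, PROFILE_LOCAL))
```

Run against the snippet as posted, no rule matches /dev/urandom and the only near miss is the "/dev/urandown" line; with that path corrected the missing set is empty.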
-----Original Message-----
From: Praveen Ghimire
Sent: Monday, 24 June 2019 12:03 PM
To: 'L.P.H. van Belle'
Cc: samba at lists.samba.org
Subject: RE: [Samba] Reverse DNS
Hi Louis,
Just an update on this. I ran up a new test LXC container and completely removed apparmor. Then I installed the packages. I got the same errors.
I thought I would change the DNS from Bind to internal and back to bind.
The following is going from Bind9 to Internal
root at server5-ad:/var/log# service bind9 stop
root at server5-ad:/var/log# systemctl mask bind9
Created symlink /etc/systemd/system/bind9.service -> /dev/null.
root at server5-ad:/var/log# service samba-ad-dc stop
root at server5-ad:/var/log# samba_upgradedns --dns-backend=SAMBA_INTERNAL
I removed the following line from smb.conf:
server services = -dns
I got the following error,
/source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
Then I ran the samba_dnsupdate, which failed
Jun 24 01:26:39 server5-ad samba[800]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection -
'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 24 01:26:49 server5-ad ntpd[120]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
IPs: ['192.168.14.10']
Looking for DNS entry A server5.LIN.group 192.168.14.10 as server5.LIN.group.
Traceback (most recent call last):
File "/usr/sbin/samba_dnsupdate", line 827, in <module>
elif not check_dns_name(d):
File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
Exception: Timeout while waiting to contact a working DNS server while looking for A server5.LIN.group 192.168.14.10 as server5.LIN.group.
I then reverted back to Bind9 and saw the errors I was seeing before. It creates the forward DNS entry but not the reverse. I am underlining the errors
Jun 24 01:36:20 server5-ad samba[1037]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Mon, 24 Jun 2019 01:36:20.628460 UTC] Remote host [ipv6::::0] local host
[ipv6::::0]
Jun 24 01:36:21 server5-ad named[1007]: resolver priming query complete
Jun 24 01:36:23 server5-ad named[1007]: message repeated 2 times: [ resolver priming query complete]
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
------------------------------------------------------------------------------------------------------------------------------------------------
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' AAAA
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 43 900 600 86400 3600'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 900 600 86400 3600'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: resolver priming query complete
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#64221: update 'LIN.group/IN' denied
-----------------------------------------------------------------------------------------------------------------------------------------------
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset 'bw10.LIN.group' AAAA
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: subtracted rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
The permissions of the bind files:
root at server5-ad:# ls -ld /var/lib/samba/private/
drwxr-xr-x 8 root root 27 Jun 24 01:48 /var/lib/samba/private/
root at server5-ad:# ls -l /var/lib/samba/private/named.conf
-rw-r--r-- 1 root root 780 Jun 24 01:35 /var/lib/samba/private/named.conf
root at server5-ad:# ls -ld /var/lib/samba/private/dns
drwxrwx--- 3 root bind 4 Jun 24 01:35 /var/lib/samba/private/dns
root at server5-ad:# ls -ld /var/lib/samba/private/dns.keytab
-rw-r----- 1 root bind 807 Jun 24 01:35 /var/lib/samba/private/dns.keytab
root at server5-ad:# ls -l /var/lib/samba/private/dns/
total 45
-rw-rw---- 1 root bind 3014656 Jun 24 01:35 sam.ldb
drwxrwx--- 2 root bind 8 Jun 24 01:35 sam.ldb.d
root at server5-ad:# ls -l /var/lib/samba/private/dns/sam.ldb.d/
total 3223
-rw-rw---- 1 root bind 8597504 Jun 24 01:35 'CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 1 root bind 8187904 Jun 24 01:35 'CN=SCHEMA,CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind 4247552 Jun 24 01:48 'DC=DOMAINDNSZONES,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind 4247552 Jun 24 00:38 'DC=FORESTDNSZONES,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 1 root bind 1286144 Jun 24 01:35 'DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind 831488 Jun 24 01:48 metadata.tdb
Zone list
Using binding ncacn_ip_tcp:192.168.14.10[,sign]
Mapped to DCERPC endpoint 135
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 49152
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
pszZoneName : 14.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.LIN.group
pszZoneName : LIN.group
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.LIN.group
pszZoneName : _msdcs.LIN.group
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.LIN.group
smb.conf
[global]
workgroup = LIN
realm = LIN.GROUP
netbios name = SERVER5
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
server services = -dns
allow dns updates = nonsecure
/etc/hosts (the server definition)
# server5-ad and server5 are one and the same. This is because at one stage the shares were on server5, which got moved to server5-ad
192.168.14.10 SERVER5-ad.lin.group SERVER5-ad
192.168.14.10 SERVER5.lin.group SERVER5
Regards,
Praveen Ghimire
-----Original Message-----
From: Praveen Ghimire
Sent: Friday, 21 June 2019 11:19 PM
To: 'L.P.H. van Belle'
Subject: RE: [Samba] Reverse DNS
Hi Louis,
Thank you for that. I've got a lab environment similar to the prod and was able to replicate the issues.
I added the following to /etc/bind/named.conf.options
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
This caused the named-checkconf to fail
root at server5-ad:/etc/bind# named-checkconf
/etc/bind/rndc.key:1: unknown option 'key'
/etc/bind/named.conf.options:27: unknown option 'controls'
So I removed that line. The following is the existing named.conf.options
options {
directory "/var/cache/bind";
forwarders {
8.8.8.8;
};
dnssec-validation auto;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
auth-nxdomain yes; # conform to RFC1035
empty-zones-enable no;
listen-on-v6 { any; };
};
We are using an LXC container. It turns out there is a reported issue with apparmor in LXC, as per below:
apparmor_parser: Unable to replace "/usr/sbin/named". Permission denied; attempted to load a profile while confined?
The option was to purge and reinstall apparmor. The following is the /etc/apparmor.d/local/usr.sbin.named
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/etc/smb.conf r,
/var/tmp/** rwmk,
/dev/urandown rw,
The following is from syslog:
Jun 21 12:52:11 server5-ad ntpd[174]: adj_systime: Operation not permitted
Jun 21 12:52:38 server5-ad ntpd[174]: message repeated 27 times: [ adj_systime: Operation not permitted]
Jun 21 12:52:38 server5-ad samba[201]: dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 21 12:52:39 server5-ad ntpd[174]: adj_systime: Operation not permitted
samba_dlz: starting transaction on zone LIN.group
Jun 21 12:55:27 server5-ad named[564]: client @0x7fa7fc013e70 192.168.14.181#54936: update 'LIN.group/IN' denied
Jun 21 12:58:34 server5-ad ntpd[174]: 91.189.89.199 local addr 192.168.14.10 -> <null>
Jun 21 12:58:35 server5-ad ntpd[174]: 91.189.89.198 local addr 192.168.14.10 -> <null>
Jun 21 12:58:36 server5-ad ntpd[174]: 91.189.91.157 local addr 192.168.14.10 -> <null>
Jun 21 12:58:42 server5-ad named[564]: resolver priming query complete
Jun 21 12:58:46 server5-ad samba[201]: [2019/06/21 12:58:46.917811, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 21 12:58:53 server5-ad samba[201]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb
Jun 21 12:59:01 server5-ad named[564]: resolver priming query complete
Jun 21 12:59:04 server5-ad samba[201]: [2019/06/21 12:59:04.972119, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
I've made changes as per your recommendations.
In terms of DHCP, I did go through that wiki a while ago. To me it looks like it works if the DHCP server is in the same domain as the AD server, which is not the case here. I made the changes as per the wiki and added the script. I manually specified the domain and realm info. The script does run but doesn't seem to make a difference. I copied the dhcpd user info from the AD box to the DHCP server.
ACL has now been installed
Thank you once again
Regards,
Praveen
-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl]
Sent: Friday, 21 June 2019 7:52 PM
To: Praveen Ghimire
Subject: RE: [Samba] Reverse DNS
Hi, well, I had a good look; I've commented where it was needed ;-)
This is the part to start with. Once this is all correct, you can look at the DDNS and reverse DNS parts.
> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Wednesday 19 June 2019 12:38
> To: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> Thank you, awesome script.
>
> Output as follows
>
> Collected config --- 2019-06-19-10:12 -----------
>
> Hostname: server5-ad
> DNS Domain:
Missing default DNS domain.
Is "search your.primary.search.domain.tld" set in /etc/resolv.conf?
> FQDN: server5-ad
And missing domain in FQDN, as result of missing DNS domain.
> ipaddress: 192.168.14.10
>
> -----------
>
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> NAME="Ubuntu"
> VERSION="18.04.1 LTS (Bionic Beaver)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 18.04.1 LTS"
> VERSION_ID="18.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol
> icies/privacy-policy"
> VERSION_CODENAME=bionic
> UBUNTU_CODENAME=bionic
>
> -----------
>
>
> This computer is running Ubuntu 18.04.1 LTS x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 161: v14 at if162: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue state UP group default qlen 1000
> link/ether 7a:bf:29:61:5b:14 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> inet 192.168.14.10/24 brd 192.168.14.255 scope global v14
> inet6 fe80::78bf:29ff:fe61:5b14/64 scope link
>
> -----------
> Checking file: /etc/hosts
Fix the hosts file
>
> 127.0.0.1 localhost 827be14a-ffda-60f5-f7f9-b260c6cab739
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.14.10 server5-ad
> # --- BEGIN PVE ---
> 192.168.14.10 server5-ad.LIN.group server5-ad # --- END PVE ---
> 192.168.14.10 server5
> 192.168.14.10 server5.LIN.group
Now this is also incorrect, you only need 1 line per IP.
If it's correctly set, you can run this: echo "$(hostname -i) $(hostname -f) $(hostname -s)"
For more aliases, add them at the end of that line, or add them to the DNS as CNAMEs.
So your hosts file should result in:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.14.10 server5-ad.LIN.group server5-ad
> -----------
>
> Checking file: /etc/resolv.conf
>
> # --- BEGIN PVE ---
> search LIN.group
> nameserver 192.168.14.10
> # --- END PVE ---
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = LIN.GROUP
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> LIN.GROUP = {
> kdc = server5
> admin_server = server5
>
> }
Remove the [realms] part, not needed.
And wasn't your server named server5-ad?
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files winbind
> group: files winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
> workgroup = LIN
> realm = LIN.GROUP
> netbios name = server5
OK, here netbios name. This is a mismatch with what's set in /etc/hosts.
HOSTNAME="$(hostname -s)"
echo "${HOSTNAME^^}"
Results in "SERVER5-AD", and that should be in netbios name = ....
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 4
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
Preferred: set enum users/groups to no, it only slows down your server.
> acl allow execute always = True
> server services = -dns
> allow dns updates = nonsecure
> unix extensions = No
>
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:success = mkdir rmdir read pread write pwrite
> rename unlink
> full_audit:failure = none
> full_audit:prefix = %u|%I|%S
>
> [netlogon]
> path = /var/lib/samba/sysvol/LIN.group/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
> [homes]
> comment = Home Directories
> root preexec = bash -c '[[ -d /home/%U ]] || mkdir -m 0700 /home/%U &&
> mkdir -m 0700 /home/%U/samba && chown -R %U:"Domain Users" /home/%U'
>
> # create mask = 0700
> # directory mask = 0700
> # browseable = No
> read only = No
> path = /home/%U/samba
> vfs objects = full_audit
> # follow symlinks = yes
> # wide links = yes
>
Ah [homes], well Rowland and I just did a small test. You can try this.
[homes]
comment = Home Directories
read only = no
valid users = %S
root preexec = /usr/local/sbin/mkhomedir.sh %U %H
Content of mkhomedir.sh:
#!/bin/bash
# $1 = user name (%U), $2 = home directory (%H)
if [ ! -e "$2" ]; then
# the group name contains a space, so keep the whole line rather than the first field
DOMUSERS="$(wbinfo -g | grep -i "domain users" | head -n 1)"
install -d -o "$1" -g "${DOMUSERS}" -m 700 "$2"
fi
exit 0
>
>
>
> [data]
> comment = Data share
> path = /data
> hide unreadable = Yes
> vfs objects = full_audit
> follow symlinks = yes
> wide links = yes
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server
> named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information
> on the // structure of BIND configuration files in Debian, *BEFORE*
> you customize // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options"; include
> "/etc/bind/named.conf.local"; include
> "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> // forwarders {
> // 0.0.0.0;
> // };
Do set your forwarders to internet DNS servers.
>
>
> //============================================================
> ============
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See
> https://www.isc.org/bind-keys
>
> //============================================================
> ============
> dnssec-validation auto;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> auth-nxdomain no; # conform to RFC1035
Your AD DC is the AUTHORITATIVE server of the primary zone, so:
auth-nxdomain yes;
> listen-on-v6 { any; };
Add: empty-zones-enable no;
That avoids possible conflicts with configured zones.
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization //include "/etc/bind/zones.rfc1918";
I'm missing here:
// adding the dlopen (Bind DLZ) module for samba; beware, if you are using bind 9.9 then you need to change this manually
include "/var/lib/samba/private/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and
> for // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list:
> Samba DNS zone list Automated check :
>
> Installed packages:
I'm missing acl.
apt-get install acl
> ii attr 1:2.4.47-2build1
> amd64 Utilities for manipulating filesystem
> extended attributes
> ii bind9 1:9.11.3+dfsg-1ubuntu1.7
> amd64 Internet Domain Name Server
> ii bind9-host 1:9.11.3+dfsg-1ubuntu1.7
> amd64 DNS lookup utility (deprecated)
> ii bind9utils 1:9.11.3+dfsg-1ubuntu1.7
> amd64 Utilities for BIND
> ii krb5-config 2.6
> all Configuration files for Kerberos Version 5
> ii krb5-locales 1.16-2ubuntu0.1
> all internationalization support for MIT Kerberos
> ii krb5-user 1.16-2ubuntu0.1
> amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.52-3build1
> amd64 Access control list shared library
> ii libattr1:amd64 1:2.4.47-2build1
> amd64 Extended attribute shared library
> ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.7
> amd64 BIND9 Shared Library used by BIND
> ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1
> amd64 MIT Kerberos runtime libraries - krb5
> GSS-API Mechanism
> ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1
> amd64 Heimdal Kerberos - libraries
> ii libkrb5-3:amd64 1.16-2ubuntu0.1
> amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.16-2ubuntu0.1
> amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba
> nameservice integration plugins
> ii libpam-winbind:amd64
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Windows domain
> authentication integration plugin
> ii libwbclient0:amd64
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba winbind
> client library
> ii python-samba
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python
> bindings for Samba
> ii samba
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file,
> print, and login server for Unix
> ii samba-common
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files
> used by both the Samba server and client
> ii samba-common-bin
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common
> files used by both the server and the client
> ii samba-dsdb-modules
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba
> Directory Services Database
> ii samba-libs:amd64
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries
> ii samba-vfs-modules
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual
> FileSystem plugins
> ii winbind
> 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 service to
> resolve user and group information from Windows NT servers
>
> -----------
>
>
> DHCP
>
> subnet 192.168.14.0 netmask 255.255.255.0 {
> authoritative;
> option netbios-name-servers 192.168.14.10;
> option netbios-dd-server 192.168.14.10;
> option netbios-node-type 8;
> option domain-name-servers 192.168.14.1, 192.168.14.10;
>
> ddns-rev-domainname "in-addr.arpa.";
>
> pool {
> range dynamic-bootp 192.168.14.150 192.168.14.150;
> range dynamic-bootp 192.168.14.153 192.168.14.154;
> range dynamic-bootp 192.168.14.180 192.168.14.188;
> range dynamic-bootp 192.168.14.191 192.168.14.191;
> range dynamic-bootp 192.168.14.193 192.168.14.196;
> range dynamic-bootp 192.168.14.198 192.168.14.210;
> range dynamic-bootp 192.168.14.212 192.168.14.214;
>
> }
> option broadcast-address 192.168.14.255;
> option routers 192.168.14.254;
> option domain-name "site01";
> ddns-domainname "site01";
Here, domainname and ddns-domainname should be your primary DNS.
> ddns-updates on;
> update-optimization off;
> update-static-leases on;
> allow client-updates;
> }
I suggest, have a good look at :
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
And in addition, in named.conf.options add at the end of the file:
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
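As an added example (not from the thread, not Samba's code), here is a checker for the two hosts-file and netbios-name rules given above: exactly one line for the DC's IP with the FQDN first and the short name second, and netbios name equal to the upper-cased short host name (what ${HOSTNAME^^} prints). The hosts file as posted, the one-line form asked for, and the [global] section are copied in as constructed constants.

```python
import re

# Constructed copies from the thread: the hosts file the check script printed,
# the one-line form asked for in the reply, and the smb.conf [global] section.
HOSTS_POSTED = """\
127.0.0.1 localhost 827be14a-ffda-60f5-f7f9-b260c6cab739
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.14.10 server5-ad
# --- BEGIN PVE ---
192.168.14.10 server5-ad.LIN.group server5-ad
# --- END PVE ---
192.168.14.10 server5
192.168.14.10 server5.LIN.group
"""

HOSTS_FIXED = """\
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.14.10 server5-ad.LIN.group server5-ad
"""

SMB_GLOBAL = """\
[global]
workgroup = LIN
realm = LIN.GROUP
netbios name = server5
server role = active directory domain controller
"""


def parse_hosts(text):
    """Map each IP to the list of name lists found on its lines (comments dropped)."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            entries.setdefault(fields[0], []).append(fields[1:])
    return entries


def check_hosts(text, ip, realm):
    """Rule from the reply: exactly one line for the DC's IP, FQDN first, short name second."""
    problems = []
    lines = parse_hosts(text).get(ip, [])
    if len(lines) != 1:
        problems.append("%d lines for %s, expected exactly 1" % (len(lines), ip))
    for names in lines:
        if not names or not names[0].lower().endswith("." + realm.lower()):
            problems.append("'%s': first name must be the FQDN" % " ".join(names))
        elif len(names) < 2 or names[1].lower() != names[0].split(".")[0].lower():
            problems.append("'%s': second name must be the short host name" % " ".join(names))
    return problems


def expected_netbios(hosts_text, ip, realm):
    """Short host name from the FQDN line, upper-cased like ${HOSTNAME^^}."""
    for names in parse_hosts(hosts_text).get(ip, []):
        if len(names) >= 2 and names[0].lower().endswith("." + realm.lower()):
            return names[1].upper()
    return None


def netbios_mismatch(smb_conf, hosts_text, ip):
    """Return (configured, expected) when smb.conf's netbios name disagrees with hosts."""
    opts = dict(re.findall(r"^\s*([a-z][a-z ]*?)\s*=\s*(.+?)\s*$", smb_conf, re.M))
    want = expected_netbios(hosts_text, ip, opts["realm"])
    have = opts["netbios name"].upper()
    return None if want == have else (have, want)


if __name__ == "__main__":
    print(check_hosts(HOSTS_POSTED, "192.168.14.10", "LIN.group"))
    print(netbios_mismatch(SMB_GLOBAL, HOSTS_FIXED, "192.168.14.10"))
```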