[Samba] Reverse DNS

Praveen Ghimire PGhimire at sundata.com.au
Wed Jun 26 03:38:44 UTC 2019


Hi Louis,

Thank you for that

I have made the changes as per below; some items might have been duplicated. I then reloaded apparmor, restarted the samba-ad-dc and bind9 services, and get the same issue. Every time, the forward DNS update works but the reverse doesn't.

I found a really interesting samba post going back to 2017 re the DHCP and DNS:
http://samba.2283325.n4.nabble.com/DHCP-DNS-and-non-domain-members-td4726681.html

In the article there are suggestions of not letting Windows clients update their own DNS records. On my test machine I manually removed the option. The error message disappears when the machine renews its DHCP, but the DNS (forward or reverse) doesn't update.

The one thing I can't understand is that despite the error messages in syslog about denying the lin.group zone, the forward updates but the reverse doesn't. The DHCP server has the following:

ddns-rev-domainname "in-addr.arpa.";




/etc/apparmor.d/local/usr.sbin.named

/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/etc/smb.conf r,
/var/tmp/** rwmk,
/dev/urandown rw,
# Samba4 DLZ and Active Directory Zones (default source installation)

# bind support before samba 4.9
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
# bind support after samba 4.9
/var/lib/samba/bind-dns/** rwmk,
/var/lib/samba/bind-dns/dns.keytab r,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
# Regular samba.
/var/lib/samba/lib/** rm,
/usr/lib/**/samba/bind9/** rmk,
/usr/lib/**/samba/gensec/* rmk,
/usr/lib/**/samba/ldb/** rmk,
/usr/lib/**/ldb/modules/ldb/** rmk,
/var/tmp/** rwmk,
/var/lib/samba/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,



#Changes 26062019
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,


Regards,
Praveen Ghimire
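
As an added example (not code from this thread, and not Samba or BIND code), a small Python triage script for the kinds of syslog lines posted above: it flags AppArmor denials against the named profile, separates the unsigned "update denied" noise from real failures, and checks which configured zone is authoritative for a client's reverse name. The zone list and sample lines are taken from this thread; the function names and the finding layout are my own.

```python
"""Triage helper for the symptoms in this thread: AppArmor denials against the
named profile, BIND 'update denied' / NOTAUTH messages, and a check of which
configured Samba zone (if any) is authoritative for a name.  Hypothetical helper
written for this thread; it is not Samba or BIND code."""
import ipaddress
import re

# Zones as printed by 'samba-tool dns zonelist' earlier in the thread.
CONFIGURED_ZONES = ["14.168.192.in-addr.arpa", "LIN.group", "_msdcs.LIN.group"]

# Log shapes quoted in the thread (audit lines, named and samba_dlz messages).
APPARMOR_RE = re.compile(
    r'apparmor="(?P<action>\w+)" operation="(?P<op>[^"]+)" '
    r'profile="(?P<profile>[^"]+)" name="(?P<name>[^"]+)".*?'
    r'requested_mask="(?P<req>[^"]+)" denied_mask="(?P<denied>[^"]+)"')
NOTAUTH_RE = re.compile(
    r"client @\S+ (?P<src>[\d.]+)#\d+: updating zone '(?P<zone>[^'/]+)/IN': "
    r"update failed: not authoritative")
DENIED_RE = re.compile(
    r"client @\S+ (?P<src>[\d.]+)#\d+: update '(?P<zone>[^'/]+)/IN' denied")
SIGNED_RE = re.compile(
    r"samba_dlz: allowing update of signer=\S+ name=(?P<name>\S+) "
    r"tcpaddr=(?P<src>[\d.]+) type=(?P<rtype>\w+)")


def reverse_name(ip):
    """PTR owner name for an address, e.g. 192.168.14.196 -> 196.14.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def authoritative_zone(name, zones=CONFIGURED_ZONES):
    """Return the longest configured zone that contains `name`, or None.

    DNS names compare case-insensitively, so '168.192.IN-ADDR.ARPA' and
    '168.192.in-addr.arpa' are the same zone; neither is hosted here because
    only the /24 zone 14.168.192.in-addr.arpa exists in the zone list."""
    labels = name.rstrip(".").lower().split(".")
    best, best_len = None, 0
    for zone in zones:
        zl = zone.rstrip(".").lower().split(".")
        if len(zl) <= len(labels) and labels[-len(zl):] == zl and len(zl) > best_len:
            best, best_len = zone, len(zl)
    return best


def triage(lines, zones=CONFIGURED_ZONES):
    """Turn raw log lines into findings an AD DC admin can act on."""
    # Sources that completed a GSS-TSIG signed update somewhere in the capture.
    signed_sources = {m["src"] for m in map(SIGNED_RE.search, lines) if m}
    findings = []
    for line in lines:
        m = APPARMOR_RE.search(line)
        if m and m["action"] == "DENIED":
            findings.append({"kind": "apparmor", "profile": m["profile"],
                             "path": m["name"], "missing_mask": m["denied"]})
            continue
        m = NOTAUTH_RE.search(line)
        if m:
            # The update names a zone this server does not host; also report the
            # configured zone that actually contains the client's PTR name.
            findings.append({"kind": "notauth", "src": m["src"],
                             "requested_zone": m["zone"],
                             "hosted": authoritative_zone(m["zone"], zones),
                             "zone_for_client_ptr":
                                 authoritative_zone(reverse_name(m["src"]), zones)})
            continue
        m = DENIED_RE.search(line)
        if m:
            # Windows clients first try an unsigned update and, when the zone is
            # secure-only, retry with GSS-TSIG.  A bare 'denied' from a source that
            # later signs successfully is therefore expected noise, not a failure.
            findings.append({"kind": "unsigned_denied", "src": m["src"],
                             "zone": m["zone"],
                             "severity": "info" if m["src"] in signed_sources else "error"})
    return findings


# Constructed sample: lines copied from the thread, trimmed to one line each.
SAMPLE_LINES = [
    'audit: type=1400 audit(1561462441.550:193): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/named" name="/dev/urandom" pid=29418 comm="isc-worker0001" '
    'requested_mask="wc" denied_mask="wc" fsuid=111 ouid=0',
    "named[1007]: client @0x7fd3bc0d5910 192.168.14.196#56965: updating zone "
    "'168.192.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)",
    "named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied",
    r"named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP "
    "name=bw10.LIN.group tcpaddr=192.168.14.150 type=A",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Feed it the relevant lines from syslog (for example `grep -E 'apparmor=|named\[' /var/log/syslog`) to get one finding per denial or failed update.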







-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle via samba
Sent: Tuesday, 25 June 2019 11:25 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS

Hai, 

You posted the correct things here. For a quick fix (I'm busy with something else atm), I saw that /dev/urandom part. 

Add in the bind9 (named) apparmor profile 

# Samba DLZ
  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
  /var/lib/samba/bind-dns/dns.keytab rk,
  /var/lib/samba/bind-dns/named.conf r,
  /var/lib/samba/bind-dns/dns/** rwk,
  /var/lib/samba/private/dns.keytab rk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /etc/samba/smb.conf r,
  /dev/urandom rwmk,

Then try again. 

Source : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928398 


Greetz, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Praveen Ghimire via samba
> Sent: Tuesday, 25 June 2019 13:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] Reverse DNS
> 
> Hi All,
> 
> Some more digging through the syslogs. The following error sticks out:
> 
> client @0x7fd3bc0d5910 192.168.14.196#56965: updating zone '168.192.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)
> 
> This was with dns update = nonsecure and secure and a static IP. With 
> the dns update section removed, the reverse DNS update works and the 
> reverse entry is created.
> 
> When using nonsecure and secure and DHCP, we see the following
> 
> [26654.606730] audit: type=1400 audit(1561462441.550:193): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/dev/urandom" pid=29418 comm="isc-worker0001" requested_mask="wc" denied_mask="wc" fsuid=111 ouid=0
> 
> dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> 
> Following Louis' instructions in the git page, I've set up the 
> following in apparmor:
> 
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> /var/lib/samba/etc/smb.conf r,
> /var/tmp/** rwmk,
> /dev/urandown rw,
> # Samba4 DLZ and Active Directory Zones (default source installation) 
> # bind support before samba 4.9
> /var/lib/samba/private/dns/** rwmk,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> # bind support after samba 4.9
> /var/lib/samba/bind-dns/** rwmk,
> /var/lib/samba/bind-dns/dns.keytab r,
> /var/lib/samba/bind-dns/named.conf r,
> /var/lib/samba/bind-dns/dns/** rwk,
> # Regular samba.
> /var/lib/samba/lib/** rm,
> /usr/lib/**/samba/bind9/** rmk,
> /usr/lib/**/samba/gensec/* rmk,
> /usr/lib/**/samba/ldb/** rmk,
> /usr/lib/**/ldb/modules/ldb/** rmk,
> /var/tmp/** rwmk,
> /var/lib/samba/** rwmk,
> /usr/lib/x86_64-linux-gnu/samba/** rwmk,
> /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
> 
> 
> Just a reminder, the zones are as follows:
> 
>   pszZoneName                 : 14.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.LIN.group
> 
>   pszZoneName                 : LIN.group
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.LIN.group
> 
>   pszZoneName                 : _msdcs.LIN.group
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.LIN.group
> 
> 
> As mentioned, the DHCP server is not on the same server, and it is on a 
> machine which is not in the same domain. It is a standalone Ubuntu 
> server.
> 
> Any suggestions?
> 
> 
> Regards,
> Praveen Ghimire
> 
> 
> 
> 
> -----Original Message-----
> From: Praveen Ghimire
> Sent: Monday, 24 June 2019 12:03 PM
> To: 'L.P.H. van Belle'
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
> 
> Hi Louis,
> 
> Just an update on this. I ran up a new test LXC container and 
> completely removed apparmor, then installed the packages. I got the same 
> errors.
> 
> I thought I would change the DNS from Bind to internal and back to 
> bind.
> 
> 
> The following is going from Bind9 to Internal
> 
> root at server5-ad:/var/log# service bind9 stop
> root at server5-ad:/var/log# systemctl mask bind9
> Created symlink /etc/systemd/system/bind9.service -> /dev/null.
> root at server5-ad:/var/log# service samba-ad-dc stop
> root at server5-ad:/var/log# samba_upgradedns --dns-backend=SAMBA_INTERNAL
> 
> I removed the "server services = -dns" line from smb.conf.
> 
> I got the following error,
> 
> /source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error 
> code 110
> 
> Then I ran the samba_dnsupdate, which failed
> 
> Jun 24 01:26:39 server5-ad samba[800]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> Jun 24 01:26:49 server5-ad ntpd[120]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> IPs: ['192.168.14.10']
> Looking for DNS entry A server5.LIN.group 192.168.14.10 as server5.LIN.group.
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 827, in <module>
>     elif not check_dns_name(d):
>   File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
>     raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
> Exception: Timeout while waiting to contact a working DNS server while looking for A server5.LIN.group 192.168.14.10 as server5.LIN.group.
> 
> 
> I then reverted back to Bind9 and saw the errors I was seeing before. 
> It creates the forward DNS entry but not the reverse.
> I am underlining the errors
> 
> 
> 
> Jun 24 01:36:20 server5-ad samba[1037]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ:
> --------------------------------------------------------------
> 
> [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Mon, 24 Jun 2019 01:36:20.628460 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
> Jun 24 01:36:21 server5-ad named[1007]: resolver priming query complete
> Jun 24 01:36:23 server5-ad named[1007]: message repeated 2 times: [ resolver priming query complete]
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
> 
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
> --------------------------------------------------------------
> 
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' AAAA
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 43 900 600 86400 3600'
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group.  900 600 86400 3600'
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: resolver priming query complete
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
> 
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#64221: update 'LIN.group/IN' denied
> --------------------------------------------------------------
> 
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset 'bw10.LIN.group' AAAA
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: subtracted rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
> 
> 
> The permissions of the bind files
> 
> 
> root at server5-ad:# ls -ld /var/lib/samba/private/
> drwxr-xr-x 8 root root 27 Jun 24 01:48 /var/lib/samba/private/
> root at server5-ad:# ls -l /var/lib/samba/private/named.conf
> -rw-r--r-- 1 root root 780 Jun 24 01:35 /var/lib/samba/private/named.conf
> root at server5-ad:# ls -ld /var/lib/samba/private/dns
> drwxrwx--- 3 root bind 4 Jun 24 01:35 /var/lib/samba/private/dns
> root at server5-ad:# ls -ld /var/lib/samba/private/dns.keytab
> -rw-r----- 1 root bind 807 Jun 24 01:35 /var/lib/samba/private/dns.keytab
> root at server5-ad:# ls -l /var/lib/samba/private/dns/
> total 45
> -rw-rw---- 1 root bind 3014656 Jun 24 01:35 sam.ldb
> drwxrwx--- 2 root bind       8 Jun 24 01:35 sam.ldb.d
> root at server5-ad:# ls -l /var/lib/samba/private/dns/sam.ldb.d/
> total 3223
> -rw-rw---- 1 root bind 8597504 Jun 24 01:35 'CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 1 root bind 8187904 Jun 24 01:35 'CN=SCHEMA,CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind 4247552 Jun 24 01:48 'DC=DOMAINDNSZONES,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind 4247552 Jun 24 00:38 'DC=FORESTDNSZONES,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 1 root bind 1286144 Jun 24 01:35 'DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind  831488 Jun 24 01:48  metadata.tdb
> 
> 
> Zone list
> 
> Using binding ncacn_ip_tcp:192.168.14.10[,sign]
> Mapped to DCERPC endpoint 135
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> Mapped to DCERPC endpoint 49152
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> Cannot do GSSAPI to an IP address
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
>   pszZoneName                 : 14.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.LIN.group
> 
>   pszZoneName                 : LIN.group
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.LIN.group
> 
>   pszZoneName                 : _msdcs.LIN.group
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.LIN.group
> 
> 
> smb.conf
> [global]
>         workgroup = LIN
>         realm = LIN.GROUP
>         netbios name = SERVER5
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         server services = -dns
>         allow dns updates = nonsecure
> 
> 
> /etc/hosts (the server definition)
> 
> # The server5-ad and server5 are one and the same. This is 
> because at one stage the shares were on server5, which got 
> moved to server5-ad
> 192.168.14.10 SERVER5-ad.lin.group SERVER5-ad
> 192.168.14.10 SERVER5.lin.group SERVER5
> 
> 
> Regards,
> Praveen Ghimire
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Praveen Ghimire
> Sent: Friday, 21 June 2019 11:19 PM
> To: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
> 
> Hi Louis,
> 
> Thank you for that. I've got a lab environment similar to the 
> prod and was able to replicate the issues.
> 
> I added the following to /etc/bind/named.conf.options
> 
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
> 
> This caused named-checkconf to fail:
> root at server5-ad:/etc/bind# named-checkconf
> /etc/bind/rndc.key:1: unknown option 'key'
> /etc/bind/named.conf.options:27: unknown option 'controls'
> 
> So I removed that line. The following is the existing 
> named.conf.options
> 
> options {
>         directory "/var/cache/bind";
> 
>          forwarders {
>                 8.8.8.8;
>          };
>         dnssec-validation auto;
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>         auth-nxdomain yes;    # conform to RFC1035
>         empty-zones-enable no;
>         listen-on-v6 { any; };
> 
> };
> 
> We are using an LXC container. It turns out there is a reported 
> issue with apparmor with LXC, as per below:
> apparmor_parser: Unable to replace "/usr/sbin/named".  Permission denied; attempted to load a profile while confined?
> 
> The option was to purge and reinstall apparmor. The following 
> is the /etc/apparmor.d/local/usr.sbin.named
> 
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> /var/lib/samba/etc/smb.conf r,
> /var/tmp/** rwmk,
> /dev/urandown rw,
> 
> The following from syslog
> 
> Jun 21 12:52:11 server5-ad ntpd[174]: adj_systime: Operation not permitted
> Jun 21 12:52:38 server5-ad ntpd[174]: message repeated 27 times: [ adj_systime: Operation not permitted]
> Jun 21 12:52:38 server5-ad samba[201]:   dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> Jun 21 12:52:39 server5-ad ntpd[174]: adj_systime: Operation not permitted \ samba_dlz: starting transaction on zone LIN.group
> Jun 21 12:55:27 server5-ad named[564]: client @0x7fa7fc013e70 192.168.14.181#54936: update 'LIN.group/IN' denied
> Jun 21 12:58:34 server5-ad ntpd[174]: 91.189.89.199 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:35 server5-ad ntpd[174]: 91.189.89.198 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:36 server5-ad ntpd[174]: 91.189.91.157 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:42 server5-ad named[564]: resolver priming query complete
> Jun 21 12:58:46 server5-ad samba[201]: [2019/06/21 12:58:46.917811,  0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
> Jun 21 12:58:53 server5-ad samba[201]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb
> Jun 21 12:59:01 server5-ad named[564]: resolver priming query complete
> Jun 21 12:59:04 server5-ad samba[201]: [2019/06/21 12:59:04.972119,  0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
> 
> 
> I've made changes as per your recommendations. 
> 
> In terms of DHCP, I did go through that wiki a while ago. To 
> me it looks like it works if the DHCP server is in the same 
> domain as the AD server; this is not the case here. I made 
> the changes as per the wiki and added the script. I manually 
> specified the domain and realm info. The script does run but 
> doesn't seem to make a difference. I copied the dhcpd user 
> info stuff from the AD box to the DHCP server.
> 
> ACL has now been installed 
> 
> Thank you once again
> 
> Regards,
> 
> Praveen
> 
> -----Original Message-----
> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> Sent: Friday, 21 June 2019 7:52 PM
> To: Praveen Ghimire
> Subject: RE: [Samba] Reverse DNS
> 
> Hai, well I had a good look, I've commented where it was needed ;-) 
> 
> This is the part to start with; once this is all correct, 
> you can look at the DDNS and reverse DNS parts. 
>  
> 
> > -----Original Message-----
> > From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > Sent: Wednesday, 19 June 2019 12:38
> > To: 'L.P.H. van Belle'
> > Subject: RE: [Samba] Reverse DNS
> > 
> > Hi Louis,
> > 
> > Thank you, awesome script.
> > 
> > Output as follows
> > 
> > Collected config  --- 2019-06-19-10:12 -----------
> > 
> > Hostname: server5-ad
> > DNS Domain: 
> 
> Missing default DNS domain.
> Is "search your.primary.search.domain.tld" set in /etc/resolv.conf?
> 
> > FQDN: server5-ad
> And the domain is missing in the FQDN, as a result of the missing DNS domain. 
> 
> > ipaddress: 192.168.14.10
> > 
> > -----------
> > 
> > Samba is running as an AD DC
> > 
> > -----------
> >        Checking file: /etc/os-release
> > 
> > NAME="Ubuntu"
> > VERSION="18.04.1 LTS (Bionic Beaver)"
> > ID=ubuntu
> > ID_LIKE=debian
> > PRETTY_NAME="Ubuntu 18.04.1 LTS"
> > VERSION_ID="18.04"
> > HOME_URL="https://www.ubuntu.com/"
> > SUPPORT_URL="https://help.ubuntu.com/"
> > BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> > PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol
> > icies/privacy-policy"
> > VERSION_CODENAME=bionic
> > UBUNTU_CODENAME=bionic
> > 
> > -----------
> > 
> > 
> > This computer is running Ubuntu 18.04.1 LTS x86_64
> > 
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
> > group default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >     inet6 ::1/128 scope host
> > 161: v14 at if162: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> >     link/ether 7a:bf:29:61:5b:14 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> >     inet 192.168.14.10/24 brd 192.168.14.255 scope global v14
> >     inet6 fe80::78bf:29ff:fe61:5b14/64 scope link
> > 
> > -----------
> >        Checking file: /etc/hosts
> 
> Fix the hosts file 
> 
> > 
> > 127.0.0.1	localhost 827be14a-ffda-60f5-f7f9-b260c6cab739
> > ::1		localhost ip6-localhost ip6-loopback
> > ff02::1		ip6-allnodes
> > ff02::2		ip6-allrouters
> > 
> > 192.168.14.10	server5-ad
> > # --- BEGIN PVE ---
> > 192.168.14.10 server5-ad.LIN.group server5-ad
> > # --- END PVE ---
> > 192.168.14.10 server5
> > 192.168.14.10 server5.LIN.group
> 
> Now this is also incorrect, you only need 1 line per IP. 
> If it's correctly set, you can run this:
> echo "$(hostname -i) $(hostname -f) $(hostname -s)"
> More aliases: add them at the end of that line, or add them to 
> the DNS as CNAME. 
> 
> So your hosts file should result in: 
> 127.0.0.1	localhost
> ::1		localhost ip6-localhost ip6-loopback
> ff02::1		ip6-allnodes
> ff02::2		ip6-allrouters
> 
> 192.168.14.10 server5-ad.LIN.group server5-ad
> 
> 
> > -----------
> > 
> >        Checking file: /etc/resolv.conf
> > 
> > # --- BEGIN PVE ---
> > search LIN.group
> > nameserver 192.168.14.10
> > # --- END PVE ---
> > 
> > -----------
> > 
> >        Checking file: /etc/krb5.conf
> > 
> > [libdefaults]
> > 	default_realm = LIN.GROUP
> > 	dns_lookup_realm = false
> > 	dns_lookup_kdc = true
> > 
> > [realms]
> >         LIN.GROUP = {
> >                 kdc = server5
> >                 admin_server = server5
> > 
> > }
> 
> Remove the [realms] part, it's not needed. 
> And wasn't your server named server5-ad? 
> 
> > 
> > -----------
> > 
> >        Checking file: /etc/nsswitch.conf
> > 
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> > 
> > passwd:         files winbind
> > group:          files winbind
> > shadow:         compat
> > gshadow:        files
> > 
> > hosts:          files dns
> > networks:       files
> > 
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> > 
> > netgroup:       nis
> > 
> > -----------
> > 
> >        Checking file: /etc/samba/smb.conf
> > 
> > [global]
> >         workgroup = LIN
> >         realm = LIN.GROUP
> >         netbios name = server5
> Ok, here netbios name. It's a mismatch with what's set in /etc/hosts. 
> HOSTNAME="$(hostname -s)"
> echo "${HOSTNAME^^}"
> Results in "SERVER5-AD" and that should be in netbios name = .... 
> 
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         log file = /var/log/samba/log.%m
> >         log level = 4
> >         winbind nss info = rfc2307
> > 	winbind enum users = yes
> >     winbind enum groups = yes
> 
> 	Preferred: set enum users/groups to no; it only slows down your server.
> 
> > 	acl allow execute always = True
> > 	server services = -dns
> > 	allow dns updates = nonsecure
> >         unix extensions = No
> > 
> >         full_audit:priority = notice
> >         full_audit:facility = local5
> >         full_audit:success = mkdir rmdir read pread write pwrite 
> > rename unlink
> >         full_audit:failure = none
> >         full_audit:prefix = %u|%I|%S
> > 
> > [netlogon]
> >        path = /var/lib/samba/sysvol/LIN.group/scripts
> >         read only = No
> > 
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> > 
> > 
> > 
> > [homes] 
> >         comment = Home Directories
> >         root preexec = bash -c '[[ -d /home/%U ]] || mkdir -m 0700 /home/%U && mkdir -m 0700 /home/%U/samba && chown -R %U:"Domain Users" /home/%U'
> > 
> > #        create mask = 0700
> > #        directory mask = 0700
> > #        browseable = No
> >         read only = No
> >         path = /home/%U/samba
> >         vfs objects = full_audit
> > #        follow symlinks = yes
> > #        wide links = yes
> > 
> Ah [homes], well Rowland and I just did a small test. You can 
> try this. 
> [homes]
>     comment = Home Directories
>     read only = no
>     valid users = %S
>     root preexec = /usr/local/sbin/mkhomedir.sh %U %H
> 
> Content of mkhomedir.sh : 
> #!/bin/bash
> 
> # $1 = user name (%U), $2 = home directory (%H), as passed from smb.conf
> if [ ! -e "$2" ]; then
>     # keep the whole matching line: the group name contains a space,
>     # so awk '{ print $1 }' would truncate it
>     DOMUSERS="$(wbinfo -g | grep -i "domain users")"
>     install -d -o "$1" -g "${DOMUSERS}" -m 700 "$2"
> fi
> 
> exit 0
> 
> > 
> > 
> > 
> > [data]
> > 	comment = Data share
> > 	path = /data
> > 	hide unreadable = Yes
> > 	vfs objects = full_audit
> >         follow symlinks = yes
> >         wide links = yes
> > 
> > -----------
> > 
> > Detected bind DLZ enabled..
> >        Checking file: /etc/bind/named.conf
> > 
> > // This is the primary configuration file for the BIND DNS server named.
> > //
> > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> > // structure of BIND configuration files in Debian, *BEFORE* you customize
> > // this configuration file.
> > //
> > // If you are just adding zones, please do that in /etc/bind/named.conf.local
> > 
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/private/named.conf";
> > 
> > -----------
> > 
> >        Checking file: /etc/bind/named.conf.options
> > 
> > options {
> > 	directory "/var/cache/bind";
> > 
> > 	// If there is a firewall between you and nameservers you want
> > 	// to talk to, you may need to fix the firewall to allow multiple
> > 	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> > 
> > 	// If your ISP provided one or more IP addresses for stable 
> > 	// nameservers, you probably want to use them as forwarders.  
> > 	// Uncomment the following block, and insert the addresses replacing
> > 	// the all-0's placeholder.
> > 
> > 	// forwarders {
> > 	// 	0.0.0.0;
> > 	// };
> 
> Do set your forwarder to internet DNS servers. 
> 
> > 
> > 	
> > 	//========================================================================
> > 	// If BIND logs error messages about the root key being expired,
> > 	// you will need to update your keys.  See https://www.isc.org/bind-keys
> > 	//========================================================================
> > 	dnssec-validation auto;
> > 	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > 	auth-nxdomain no;    # conform to RFC1035
	your AD DC is the AUTHORITATIVE server of the primary zone, so.. 
	auth-nxdomain yes; 
> > 	listen-on-v6 { any; };
> 
> Add:  empty-zones-enable no;
> That avoids possible conflicts with configured zones. 
> 
> > };
> > 
> > -----------
> > 
> >        Checking file: /etc/bind/named.conf.local
> > 
> > //
> > // Do any local configuration here
> > //
> > 
> > // Consider adding the 1918 zones here, if they are not used in your
> > // organization
> > //include "/etc/bind/zones.rfc1918";
> I'm missing here: 
> 
> // adding the dlopen ( Bind DLZ ) module for samba, beware,
> // if you're using bind 9.9 then you need to change this manually
> include "/var/lib/samba/private/named.conf";
> 
> > 
> > -----------
> > 
> >        Checking file: /etc/bind/named.conf.default-zones
> > 
> > // prime the server with knowledge of the root servers
> > zone "." {
> > 	type hint;
> > 	file "/etc/bind/db.root";
> > };
> > 
> > // be authoritative for the localhost forward and reverse zones, and for
> > // broadcast zones as per RFC 1912
> > 
> > zone "localhost" {
> > 	type master;
> > 	file "/etc/bind/db.local";
> > };
> > 
> > zone "127.in-addr.arpa" {
> > 	type master;
> > 	file "/etc/bind/db.127";
> > };
> > 
> > zone "0.in-addr.arpa" {
> > 	type master;
> > 	file "/etc/bind/db.0";
> > };
> > 
> > zone "255.in-addr.arpa" {
> > 	type master;
> > 	file "/etc/bind/db.255";
> > };
> > 
> > -----------
> > 
> > Samba DNS zone list: 
> > Samba DNS zone list Automated check : 
> > 
> > Installed packages: 
> 
> I'm missing acl.
> 
> apt-get install acl
> 
> > ii  attr                      1:2.4.47-2build1                  amd64  Utilities for manipulating filesystem extended attributes
> > ii  bind9                     1:9.11.3+dfsg-1ubuntu1.7          amd64  Internet Domain Name Server
> > ii  bind9-host                1:9.11.3+dfsg-1ubuntu1.7          amd64  DNS lookup utility (deprecated)
> > ii  bind9utils                1:9.11.3+dfsg-1ubuntu1.7          amd64  Utilities for BIND
> > ii  krb5-config               2.6                               all    Configuration files for Kerberos Version 5
> > ii  krb5-locales              1.16-2ubuntu0.1                   all    internationalization support for MIT Kerberos
> > ii  krb5-user                 1.16-2ubuntu0.1                   amd64  basic programs to authenticate using MIT Kerberos
> > ii  libacl1:amd64             2.2.52-3build1                    amd64  Access control list shared library
> > ii  libattr1:amd64            1:2.4.47-2build1                  amd64  Extended attribute shared library
> > ii  libbind9-160:amd64        1:9.11.3+dfsg-1ubuntu1.7          amd64  BIND9 Shared Library used by BIND
> > ii  libgssapi-krb5-2:amd64    1.16-2ubuntu0.1                   amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> > ii  libkrb5-26-heimdal:amd64  7.5.0+dfsg-1                      amd64  Heimdal Kerberos - libraries
> > ii  libkrb5-3:amd64           1.16-2ubuntu0.1                   amd64  MIT Kerberos runtime libraries
> > ii  libkrb5support0:amd64     1.16-2ubuntu0.1                   amd64  MIT Kerberos runtime libraries - Support library
> > ii  libnss-winbind:amd64      2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  Samba nameservice integration plugins
> > ii  libpam-winbind:amd64      2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  Windows domain authentication integration plugin
> > ii  libwbclient0:amd64        2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  Samba winbind client library
> > ii  python-samba              2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  Python bindings for Samba
> > ii  samba                     2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  SMB/CIFS file, print, and login server for Unix
> > ii  samba-common              2:4.7.6+dfsg~ubuntu-0ubuntu2.11   all    common files used by both the Samba server and client
> > ii  samba-common-bin          2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  Samba common files used by both the server and the client
> > ii  samba-dsdb-modules        2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  Samba Directory Services Database
> > ii  samba-libs:amd64          2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  Samba core libraries
> > ii  samba-vfs-modules         2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  Samba Virtual FileSystem plugins
> > ii  winbind                   2:4.7.6+dfsg~ubuntu-0ubuntu2.11   amd64  service to resolve user and group information from Windows NT servers
> > 
> > -----------
> > 
> > 
> > DHCP
> > 
> > subnet 192.168.14.0 netmask 255.255.255.0 {
> >         authoritative;      
> >         option netbios-name-servers 192.168.14.10;
> >         option netbios-dd-server 192.168.14.10;
> >         option netbios-node-type 8;
> >         option domain-name-servers 192.168.14.1, 192.168.14.10;
> > 
> >         ddns-rev-domainname "in-addr.arpa.";
> > 
> >         pool {
> >                 range dynamic-bootp 192.168.14.150 192.168.14.150;
> >                 range dynamic-bootp 192.168.14.153 192.168.14.154;
> >                 range dynamic-bootp 192.168.14.180 192.168.14.188;
> >                 range dynamic-bootp 192.168.14.191 192.168.14.191;
> >                 range dynamic-bootp 192.168.14.193 192.168.14.196;
> >                 range dynamic-bootp 192.168.14.198 192.168.14.210;
> >                 range dynamic-bootp 192.168.14.212 192.168.14.214;
> >               
> >         }
> >         option broadcast-address 192.168.14.255;
> >         option routers 192.168.14.254;
> >         option domain-name "site01";
> >         ddns-domainname "site01";
> 
> Here, domainname and ddns-domainname should be your primary DNS. 
> 
> >         ddns-updates on;
> >         update-optimization off;
> >         update-static-leases on;
> >         allow client-updates;
> >    }
> 
> I suggest, have a good look at : 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9 
> 
> And in addition. 
> In named.conf.options add at the end of the file: 
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
> 
> 
> 
> ______________________________________________________________________
> This email has been scanned by the Symantec Email 
> Security.cloud service.
> For more information please visit 
> http://www.symanteccloud.com 
> ______________________________________________________________________
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
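Since the thread's symptom is a forward update that succeeds while the reverse update fails, here is an added example (mine, not from the thread, Samba or ISC) that makes the split visible: it derives the A and PTR names dhcpd builds for a lease from the quoted subnet block (ddns-domainname "site01", ddns-rev-domainname "in-addr.arpa."), checks whether the covering reverse zone appears in `samba-tool dns zonelist` output, and emits the nsupdate batch that an update helper would hand to `nsupdate -g`. The /24 subnet, the `pszZoneName : <zone>` line layout of the zonelist output and the sample zonelist text are assumptions.

```python
import ipaddress
from typing import Optional

# Constructed values mirroring the dhcpd subnet block quoted in the thread.
DDNS_DOMAINNAME = "site01"             # dhcpd: ddns-domainname
DDNS_REV_DOMAINNAME = "in-addr.arpa."  # dhcpd: ddns-rev-domainname
SUBNET = ipaddress.ip_network("192.168.14.0/24")   # assumed /24, as in the quoted config

def forward_name(hostname: str) -> str:
    """FQDN dhcpd registers for a lease: <hostname>.<ddns-domainname>."""
    return f"{hostname}.{DDNS_DOMAINNAME.rstrip('.')}."

def ptr_name(ip: str) -> str:
    """PTR owner name: reversed octets followed by ddns-rev-domainname."""
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + DDNS_REV_DOMAINNAME

def reverse_zone(network: ipaddress.IPv4Network) -> str:
    """in-addr.arpa zone the PTR update must land in (octet-aligned prefixes only)."""
    octets = network.network_address.exploded.split(".")[: network.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def missing_reverse_zone(zonelist_output: str, network: ipaddress.IPv4Network) -> Optional[str]:
    """Return the reverse zone name if 'samba-tool dns zonelist' output does not list it.
    Assumes the 'pszZoneName : <zone>' line layout of that command."""
    wanted = reverse_zone(network)
    listed = {line.split(":", 1)[1].strip().rstrip(".").lower()
              for line in zonelist_output.splitlines() if "pszZoneName" in line}
    return None if wanted in listed else wanted

def nsupdate_batch(hostname: str, ip: str, ttl: int = 3600) -> str:
    """nsupdate input for one lease. The A record goes to the forward zone and the
    PTR record to a separate zone, so one update can succeed while the other fails."""
    fqdn, ptr = forward_name(hostname), ptr_name(ip)
    return "\n".join([
        f"zone {DDNS_DOMAINNAME}.",
        f"update delete {fqdn} A",
        f"update add {fqdn} {ttl} A {ip}",
        "send",
        f"zone {reverse_zone(SUBNET)}.",
        f"update delete {ptr} PTR",
        f"update add {ptr} {ttl} PTR {fqdn}",
        "send",
    ])

# Constructed zonelist output: forward zone present, reverse zone absent.
SAMPLE_ZONELIST = "  pszZoneName : site01\n  pszZoneName : _msdcs.site01\n"

if __name__ == "__main__":
    print(missing_reverse_zone(SAMPLE_ZONELIST, SUBNET), nsupdate_batch("pc01", "192.168.14.150"), sep="\n")
```

If the check reports the reverse zone as missing, no PTR update can succeed until that zone exists on the DC (samba-tool dns zonecreate), whatever the AppArmor or BIND settings say.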

