[Samba] Reverse DNS

Praveen Ghimire PGhimire at sundata.com.au
Thu Jun 27 01:06:49 UTC 2019


Hi Rowland,

Just as a test, I installed the dhcp server in the DC (in the lab). Then configured the dhcp as per the wiki.

This is what I see. And again the forward zone updates despite the errors but the reverse doesn't.

When releasing the lease

Jun 27 10:55:07 server5-ad dhcpd[2525]: Release: IP: 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[1] = delete
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 audit(1561596907.856:94): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:07 server5-ad dhcpd[2525]: DHCPRELEASE of 192.168.14.198 from 00:50:56:9b:37:9b (WIN7VM01) via ens160 (found)
Jun 27 10:55:07 server5-ad dhcpd[2525]: Removed reverse map on 198.14.168.192.in-addr.arpa.
Jun 27 10:55:09 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Jun 27 10:55:09 server5-ad named[1097]: client @0x7efc58052610 192.168.14.198#50682: update 'lin.group/IN' denied

When renewing the lease

Jun 27 10:55:09 server5-ad dhcpd[2525]: DHCPDISCOVER from 00:50:56:9b:37:9b via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPOFFER on 192.168.14.198 to 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: Client 0:50:56:9b:37:9b requests 1:f:3:6:2c:2e:2f:1f:21:79:f9:2b - MSFT 5.0 - #001
Jun 27 10:55:10 server5-ad dhcpd[2525]: vendor-class-id: MSFT 5.0
Jun 27 10:55:10 server5-ad dhcpd[2525]: dhcp-client-identifier: #001
Jun 27 10:55:10 server5-ad dhcpd[2525]: hardware: 0:50:56:9b:37:9b
Jun 27 10:55:10 server5-ad dhcpd[2525]: 1:0:50:56
Jun 27 10:55:10 server5-ad dhcpd[2525]: Commit: IP: 192.168.14.198 DHCID: 00:50:56:9b:37:9b Name: WIN7VM01
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[1] = add
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[4] = WIN7VM01
Jun 27 10:55:10 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:10 server5-ad kernel: [ 1399.297689] audit: type=1400 audit(1561596910.964:95): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2558 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPREQUEST for 192.168.14.198 (192.168.14.10) from 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPACK on 192.168.14.198 to 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: Added reverse map from 198.14.168.192.in-addr.arpa. to WIN7VM01.lin.group
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Jun 27 10:55:16 server5-ad named[1097]: client @0x7efc580a60e0 192.168.14.198#63157: update 'lin.group/IN' denied
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: cancelling transaction on zone lin.group
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group


Before that I had removed the reverse zone and added it using
samba-tool dns zonecreate server5-ad.lin.group 14.168.192.in-addr.arpa -U administrator

I've added the apparmor bits in usr.sbin.dhcp
-rwxr-xr-x  1 root root 4117 Jun 27 10:54 dhcp-dyndns.sh


Regards,
Praveen Ghimire
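
Added example (not part of the original message and not the Samba wiki script): a small Python triage helper that pairs dhcpd's failed `execute` lines with the AppArmor `DENIED` audit records naming the same path, and decodes the logged status. It assumes the number dhcpd logs is the raw wait status, so 32256 is exit code 126, the shell's "found but could not be executed" code; the function names are illustrative.

```python
import re

# Sample input: three lines copied from the release log in the message above.
SAMPLE = '''\
Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 audit(1561596907.856:94): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
'''
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EXEC_RE = re.compile(r'dhcpd\[\d+\]: execute: (\S+) exit status (\d+)')

def decode_wait_status(status):
    """Split a POSIX wait status into (exit_code, signal); one of them is None."""
    # Assumption: dhcpd logs the raw wait status, so 32256 == 126 << 8.
    sig = status & 0x7F
    if sig:
        return None, sig
    return (status >> 8) & 0xFF, None

def parse_denials(text):
    """Return one dict of key=value fields per AppArmor DENIED audit record."""
    out = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            out.append({k: q if q else v for k, q, v in KV_RE.findall(line)})
    return out

def correlate(text):
    """Pair each failed dhcpd 'execute' with the denials naming the same path."""
    denials = parse_denials(text)
    report = []
    for path, raw in EXEC_RE.findall(text):
        code, sig = decode_wait_status(int(raw))
        if code == 0:
            continue  # the hook ran successfully, nothing to explain
        report.append({
            "script": path,
            "exit_code": code,
            "signal": sig,
            "denials": [d for d in denials if d.get("name") == path],
        })
    return report

if __name__ == "__main__":
    for r in correlate(SAMPLE):
        print(r["script"], "exit", r["exit_code"], "denials:", r["denials"])
```

Run against the full syslog, an empty `denials` list next to a non-zero exit code means the hook failed for a reason other than the AppArmor profile.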






-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Praveen Ghimire via samba
Sent: Thursday, 27 June 2019 8:24 AM
To: 'Rowland penny'
Cc: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS

Hi Rowland,

I've gone through it a few times. The situation is different in our case
- The server with DHCP is not the AD DC
- The server doesn't have Samba
- The server is not in the same AD DC domain
- The server is a standalone Ubuntu box with other functionalities

The question I have is why is it failing to update the reverse zone when it updates the forward zone, despite the errors in the syslog?

Regards,
Praveen Ghimire


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
Sent: Wednesday, 26 June 2019 10:56 PM
To: sambalist
Subject: Re: [Samba] Reverse DNS

On 26/06/2019 11:32, Praveen Ghimire wrote:
> Hi Rowland,
>
> I have tried putting the whole rev-domain name. The following is the 
> dhcpd.conf zone definition
>
>        subnet 192.168.14.0 netmask 255.255.255.0 {
>          authoritative;
>          ddns-update-style standard;
>          option netbios-name-servers 192.168.14.10; #14.10 is the AD box
>          option netbios-dd-server 192.168.14.10;
>          option netbios-node-type 8;
>          option domain-name-servers 192.168.14.10;
>          ddns-rev-domainname "14.168.192.in-addr.arpa.";
>          option broadcast-address 192.168.14.255;
>          option routers 192.168.14.254;
>          option domain-name "lin.group"; #AD DOMAIN
>          ddns-domainname "lin.group";
>          ddns-updates on;
>          update-optimization off;
>          update-static-leases on;
>          allow client-updates;
> pool
> {
> .......
> }
>
> I have removed and re-created the reverse zone a few times, selecting 
> secure and nosecure also with and without storing the info in AD. The 
> only time I have seen it being populated is when I assign static IPs
>
Have you read this wiki page:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com ______________________________________________________________________
