[Samba] Reverse DNS

Praveen Ghimire PGhimire at sundata.com.au
Thu Jun 27 11:45:47 UTC 2019


Hi Guys,

Thank you for your emails. Here is the info

/etc/apparmor.d/local/usr.sbin.dhcp

/etc/dhcp/ r,
/etc/dhcp/** r,
/etc/dhcpd{,6}.conf r,
/etc/dhcpd{,6}_ldap.conf r,
/usr/local/bin/dhcp-dyndns.sh ix,
/bin/grep rix,
/usr/sbin/samba rix,
/usr/bin/gawk rix,
/bin/hostname rix,
/usr/bin/wbinfo rix,
/usr/bin/heimtools rix,
/usr/bin/logger rix,
/usr/bin/kinit.heimdal rix,
/bin/date rix,
/dev/tty wr,
/dev/urandom w,
/proc/** r,
/usr/bin/kinit w,
/run/samba/winbindd/pipe wr,

The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x  1 root root 4117 Jun 27 10:54 dhcp-dyndns.sh 

I don't have the /var/lib/samba/private/named.conf.update.static but have /var/lib/samba/private/named.conf.update, which looks like the following

/* this file is auto-generated - do not edit */
update-policy {
        grant LIN.GROUP ms-self * A AAAA;
        grant Administrator at LIN.GROUP wildcard * A AAAA SRV CNAME;
        grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
};

Please note: the hostname is SERVER5-AD but it is also called SERVER5, as some of the old shares are pointing to SERVER5 (there are entries for both in DNS and the hosts file).

Louis, the machine has full control over its forward DNS record. However, the machine is not domain\machine but just "WIN7VM01$".

The reverse DNS doesn't exist, so I manually added one using samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198 PTR WIN7VM01.lin.group. It creates the record but the machine has no access.
The thing to note here is that if I add an A record using the DNS manager and select the option to create the associated pointer record, it only creates the forward one. I am logged into the machine with RSAT using the domain administrator account.

Back to the reverse one. I set up ADDOM\WIN7VM01$ with full permission on the rev record I just created.

After the reboot the forward DNS record now shows permissions for ADDOM\WIN7VM01$ instead of just WIN7VM01$.
Is "Register this connection's address in DNS" checked? It is ticked.

In ipconfig /all, the details look correct. The DNS suffix is pointing to the domain. It has the correct DHCP and DNS details.

I still see the permission denied error about the dhcp-dyndns.sh and also client @0x7efc5809bfd0 192.168.14.198#51947: update 'lin.group/IN' denied

As you can gather I am in a completely different timezone (AUS) from you, so it might be a while before I can respond to emails. Hence I am providing as much info as I can while I can.

Regards,

Praveen
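As an added example (not code from the Samba project or from anyone in this thread), the script below correlates the AppArmor audit line quoted in this thread with the rule the posted dhcpd profile override carries for the denied path, and reports which permission letters the rule lacks. The log lines are the ones from the thread; the profile excerpt is constructed from the rules Praveen posted. Note that the audit line reports fsuid=112 (the dhcpd user) opening a root-owned 0755 file, so discretionary permissions allow the read and the "Permission denied" comes from the profile.

```shell
#!/bin/sh
# Added example; not code from the Samba project or from anyone in this thread.
# Correlates AppArmor "DENIED" audit lines with the rule the dhcpd profile
# carries for the denied path and reports which permission letters are missing.
# The log lines below are the ones quoted in this thread; the profile excerpt is
# constructed from the rules Praveen posted.

SAMPLE_LOG=$(cat <<'EOF'
Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 audit(1561596907.856:94): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:09 server5-ad named[1097]: client @0x7efc58052610 192.168.14.198#50682: update 'lin.group/IN' denied
EOF
)

# Constructed excerpt of the local dhcpd profile override as posted: the hook
# script is allowed "ix" (execute, inheriting the dhcpd profile) but not "r".
SAMPLE_PROFILE=$(cat <<'EOF'
/etc/dhcp/ r,
/etc/dhcp/** r,
/usr/local/bin/dhcp-dyndns.sh ix,
/bin/grep rix,
/usr/bin/wbinfo rix,
EOF
)

# One "profile|path|requested_mask|denied_mask" line per AppArmor denial in $1.
apparmor_denials() {
    printf '%s\n' "$1" | grep 'apparmor="DENIED"' | sed -E \
        's/.*profile="([^"]*)".*name="([^"]*)".*requested_mask="([^"]*)".*denied_mask="([^"]*)".*/\1|\2|\3|\4/'
}

# The mode string the profile text $1 grants to path $2 ("ix", "rix", ...),
# or nothing if there is no rule for that exact path.
profile_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { sub(/,$/, "", $2); print $2 }'
}

# Permission letters in denied mask $1 that mode $2 does not contain.
# "x" is satisfied by any exec mode (ix, px, ux, ...). A script executed with
# "ix" still has to be opened for reading by its interpreter, which is why a
# denial with denied_mask="r" shows up against an "ix"-only rule.
missing_perms() {
    denied=$1; mode=$2; missing=""
    for letter in $(printf '%s' "$denied" | sed 's/./& /g'); do
        case "$mode" in
            *"$letter"*) ;;
            *) missing="$missing$letter" ;;
        esac
    done
    printf '%s' "$missing"
}

# Report every denial in log $1 against profile text $2.
audit_profile() {
    apparmor_denials "$1" | while IFS='|' read -r prof path req den; do
        mode=$(profile_mode "$2" "$path")
        miss=$(missing_perms "$den" "$mode")
        printf '%s: %s mode=%s denied=%s missing=%s\n' \
            "$prof" "$path" "${mode:-none}" "$den" "${miss:-none}"
    done
}

# Stand-alone run. For the thread's log this prints
# /usr/sbin/dhcpd: /usr/local/bin/dhcp-dyndns.sh mode=ix denied=r missing=r
audit_profile "$SAMPLE_LOG" "$SAMPLE_PROFILE"
```

A "missing=r" result means the rule for the script should read `/usr/local/bin/dhcp-dyndns.sh rix,`; after editing the local override, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.dhcpd` and release/renew the lease again. The script only classifies AppArmor denials; the named "update 'lin.group/IN' denied" line is a separate BIND update-policy matter and is left alone here.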



-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle via samba
Sent: Thursday, 27 June 2019 6:54 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS

Hai, 

A few things to add/check. 

For that test with that pc: this part from the previous mail. 
Jun 27 10:55:07 server5-ad dhcpd[2525]: Release: IP: 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[1] = delete
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 audit(1561596907.856:94): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:07 server5-ad dhcpd[2525]: DHCPRELEASE of 192.168.14.198 from 00:50:56:9b:37:9b (WIN7VM01) via ens160 (found)
Jun 27 10:55:07 server5-ad dhcpd[2525]: Removed reverse map on 198.14.168.192.in-addr.arpa.
Jun 27 10:55:09 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Jun 27 10:55:09 server5-ad named[1097]: client @0x7efc58052610 192.168.14.198#50682: update 'lin.group/IN' denied

The AppArmor profile you added: /usr/local/bin/dhcp-dyndns.sh r ? Or rx ?
Can you show what you added? And where exactly.

Now can you check the following.
Open the Windows DNS manager, and go to the forward zone where WIN7VM01 exists.
Check its rights on that object. Do you see "WIN7VM01$ (ADDOM\WIN7VM01$)" with full control?
And do the same for the reverse zone. Do you see on the reverse IP also "WIN7VM01$ (ADDOM\WIN7VM01$)" with full control?
If that full control is missing, add it.

Then reboot the pc, wait/login and check again. 
Then I also suggest you check the output of ipconfig /all on the Windows client with the DHCP settings,
to make sure this is all correctly set.

As in check if that matches with the needed settings for DDNS updates. 

The client will then request that the server update the PTR record by using the FQDN.
When the DHCP server is configured to register DNS records according to the client's request, the client registers the following records:
The PTR record.
The A record that uses the name that is a concatenation of the computer name and the primary DNS suffix.
The A record that uses the name that is a concatenation of the computer name and the connection-specific DNS suffix.

And on the client check if this is set correctly.  
Go to Control Panel, double-click Network Connections.
Right-click the connection that you want to configure, and then click Properties. 
Click Internet Protocol (TCP/IP), click Properties, and then click Advanced.
Click DNS. 
Is "Register this connection's address in DNS " checked? 


Greetz, 

Louis
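As an added example (not code from the Samba project or from anyone in this thread), here is the server-side counterpart of the checks Louis lists for the Windows DNS manager: derive the reverse zone and PTR label for the client's address, build the DN of the forward and reverse dnsNode objects so their ACLs can be read with samba-tool dsacl, and verify that the A record and the PTR record agree. Only the live_* functions call samba-tool; the parsing runs offline on constructed sample output. The output layout ("A: 1.2.3.4 (flags=..., serial=..., ttl=...)") is assumed from samba-tool dns query on Samba 4.x, the DomainDnsZones partition is assumed for the zone location (it may be ForestDnsZones), and the hostnames and addresses are taken from the thread.

```shell
#!/bin/sh
# Added example; not code from the Samba project or from anyone in this thread.
# Server-side checks for a client's A/PTR pair and the ACLs on both records.
# Assumptions: samba-tool dns query output layout as in the samples below,
# DNS zones stored in the DomainDnsZones partition, /24 reverse zones.

# 192.168.14.198 -> zone 14.168.192.in-addr.arpa, label 198 (classful /24 reverse zone).
ptr_zone()  { printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'; }
ptr_label() { printf '%s\n' "$1" | awk -F. '{ print $4 }'; }

# DN of a dnsNode: $1 = record name, $2 = zone, $3 = AD domain (e.g. lin.group).
# Assumes the zone lives in DomainDnsZones; adjust if it is in ForestDnsZones.
dns_node_dn() {
    printf 'DC=%s,DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,DC=%s\n' \
        "$1" "$2" "$(printf '%s' "$3" | sed 's/\./,DC=/g')"
}

# Record values from samba-tool dns query output: A addresses, and PTR targets
# normalised to lower case without a trailing dot (the thread mixes LIN.GROUP
# and lin.group, and DNS names compare case-insensitively).
a_records()   { printf '%s\n' "$1" | awk '$1 == "A:"   { print $2 }'; }
ptr_records() { printf '%s\n' "$1" | awk '$1 == "PTR:" { sub(/\.$/, "", $2); print tolower($2) }'; }

# "ok" when forward output $3 has an A record for IP $2 and reverse output $4
# has a PTR naming host $1; otherwise list what is missing and return 1.
check_pair() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); ip=$2; problems=""
    a_records "$3"   | grep -qxF "$ip"   || problems="${problems}no-A-for-${ip} "
    ptr_records "$4" | grep -qxF "$host" || problems="${problems}no-PTR-for-${host} "
    if [ -n "$problems" ]; then
        printf '%s\n' "${problems% }"
        return 1
    fi
    printf 'ok\n'
}

# Live versions, to run on the DC with a Kerberos ticket (or add -U for an
# admin account). $1 = DC, $2 = AD domain / forward zone (the same name in
# this thread), $3 = client FQDN, $4 = client IP.
live_check() {
    fwd=$(samba-tool dns query "$1" "$2" "${3%%.*}" A)
    rev=$(samba-tool dns query "$1" "$(ptr_zone "$4")" "$(ptr_label "$4")" PTR)
    check_pair "$3" "$4" "$fwd" "$rev"
}
# ACLs of the forward and reverse dnsNode objects; the client's machine
# account (WIN7VM01$ in the thread) should appear in both.
live_acls() {
    samba-tool dsacl get --objectdn="$(dns_node_dn "${3%%.*}" "$2" "$2")"
    samba-tool dsacl get --objectdn="$(dns_node_dn "$(ptr_label "$4")" "$(ptr_zone "$4")" "$2")"
}

# Constructed sample output in the assumed samba-tool dns query layout.
FWD_SAMPLE='  Name=, Records=1, Children=0
    A: 192.168.14.198 (flags=f0, serial=110, ttl=900)'
REV_SAMPLE='  Name=, Records=1, Children=0
    PTR: WIN7VM01.lin.group. (flags=f0, serial=111, ttl=900)'
REV_STALE='  Name=, Records=1, Children=0
    PTR: oldbox.lin.group. (flags=f0, serial=98, ttl=900)'

# Stand-alone run on the samples.
check_pair WIN7VM01.lin.group 192.168.14.198 "$FWD_SAMPLE" "$REV_SAMPLE"           # ok
check_pair WIN7VM01.lin.group 192.168.14.198 "$FWD_SAMPLE" "$REV_STALE" || true    # no-PTR-for-win7vm01.lin.group
```

Run `live_check dc1.lin.group lin.group WIN7VM01.lin.group 192.168.14.198` on the DC to compare the real records, and `live_acls` with the same arguments to see the SDDL of both dnsNode objects; the machine account SID must have write rights on the reverse node for the client's own PTR registration to succeed, which is the full-control entry Louis asks about.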


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny 
> via samba
> Sent: Thursday, 27 June 2019 8:50
> To: sambalist
> Subject: Re: [Samba] Reverse DNS
> 
> On 27/06/2019 02:06, Praveen Ghimire wrote:
> > Hi Rowland,
> >
> > Just as a test, I installed the dhcp server in the DC ( in
> the lab). Then configured the dhcp as per the wiki
> >
> > This is what I see. And again the forward zone update
> despite the errors but the reverse doesn't
> >
> I think you will find that the DHCP server isn't updating anything, it 
> is your clients updating their own records, but they are not setup to 
> update their reverse record (I believe this is the default)
> 
> Rowland
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

