[Samba] Reverse DNS
L.P.H. van Belle
belle at bazuin.nl
Thu Jun 27 12:03:13 UTC 2019
Hai Praveen,
> -----Original message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Thursday 27 June 2019 13:46
> To: samba at lists.samba.org
> CC: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
>
> Hi Guys,
>
> Thank you for your emails. Here is the info
>
> /etc/apparmor.d/local/usr.sbin.dhcp
>
> /etc/dhcp/ r,
> /etc/dhcp/** r,
> /etc/dhcpd{,6}.conf r,
> /etc/dhcpd{,6}_ldap.conf r,
> /usr/local/bin/dhcp-dyndns.sh ix,
Try /usr/local/bin/dhcp-dyndns.sh rix,
> /bin/grep rix,
> /usr/sbin/samba rix,
> /usr/bin/gawk rix,
> /bin/hostname rix,
> /usr/bin/wbinfo rix,
> /usr/bin/heimtools rix,
> /usr/bin/logger rix,
> /usr/bin/kinit.heimdal rix,
> /bin/date rix,
> /dev/tty wr,
> /dev/urandom w,
^^ change that to wr
> /proc/** r,
> /usr/bin/kinit w,
> /run/samba/winbindd/pipe wr,
>
> The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x 1 root root
> 4117 Jun 27 10:54 dhcp-dyndns.sh
>
> I don't have the
> /var/lib/samba/private/named.conf.update.static but have
> /var/lib/samba/private/named.conf.update, which looks like
> the following
>
> /* this file is auto-generated - do not edit */
> update-policy {
> grant LIN.GROUP ms-self * A AAAA;
> grant Administrator at LIN.GROUP wildcard * A AAAA SRV CNAME;
> grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
> };
This part,
grant SERVER5$@LIN.group
So that would mean your hostname is SERVER5
>
> Please note: the hostname is SERVER5-AD but it is also called
> SERVER5 as some of the old shares are pointing to
> SERVER5(have entries for both in DNS and hosts file)
No No..
A computer (IP) has only ONE hostname (as in host.dom.tld), as in A and PTR record.
For example, there can only be ONE PTR record for an IP; the matching A is the REAL hostname.
All others are aliases and should be CNAMEs in the DNS.
Now, your resolving is failing / not correctly set up.
That's a point to fix and this is the primary thing you should look at first.
>
> Louis, the machine has full control over its forward DNS
> record. However the machine is not domain\machine but just
> "WIN7VM01$"
That's fine also, as long as the computer has full access it's ok.
>
> The reverse DNS doesn't exist so I manually added one using
> samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198
> PTR WIN7VM01.lin.group. It creates the record but the machine
> has no access.
That's because you created it, not the computer.
> The thing to note here is if I add an A record using the
> DNS manager and select the option to create the associated
> pointer record, it only creates the forward one. I am logged
> into the machine with RSAT using the domain administrator account
Yes, that's known with RSAT; create the PTR manually in that case.
>
> Back to the reverse one. I setup the ADDOM\WIN7VM01$ with
> full permission in the rev record I just created.
>
> After the reboot the forward DNS record now shows permissions
> for ADDOM\WIN7VM01$ instead of just WIN7VM01$
> Is "Register this connection's address in DNS " checked? It is ticked
Good.
>
> In ipconfig /all , the details looks correct. The DNS suffix
> is pointing to the domain. It has the correct DHCP and DNS details
>
> I still see the permission denied error about the
> dhcp-dyndns.sh and also client @0x7efc5809bfd0
> 192.168.14.198#51947: update 'lin.group/IN' denied
This is correct, that's attempt one; the second should be with bind_dlz and succeed.
>
> As you can gather I am in completely different timezone (AUS)
> as you, so it might be a while before I can respond to
> emails. Hence I am providing as much info as I can while I can.
No problems, we all need to sleep sometime. ;-)
>
> Regards,
>
> Praveen
Greetz,
Louis
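The "one hostname per IP, aliases as CNAMEs" rule Louis states above can be checked mechanically before touching the AppArmor profile or the dyndns script. The script below is an added example, not code from the thread or from Samba: it takes a list of (owner, type, value) records, as you might export with samba-tool dns query, and reports every IP with zero or several PTRs, every PTR whose target has no matching A record, every IP carrying more than one A name (the second name should be a CNAME), and dangling CNAMEs. The zone data is constructed for the example; the names and addresses loosely mirror the thread but are not the poster's real records, and the checker is general rather than specific to this one case.

```python
"""Forward/reverse DNS consistency check over exported records (added example)."""
from collections import defaultdict
from ipaddress import ip_address


def _norm(name):
    # DNS names are case-insensitive; strip the trailing dot of FQDNs.
    return name.lower().rstrip(".")


def reverse_name(ip):
    # 192.168.14.198 -> "198.14.168.192.in-addr.arpa"
    return ip_address(ip).reverse_pointer


def check_zone(records):
    """Return a sorted list of human-readable findings for (owner, type, value) records."""
    names_by_ip = defaultdict(set)   # ip -> owner names of A records
    ips_by_name = defaultdict(set)   # owner name -> ips
    ptr_targets = defaultdict(set)   # reverse name -> PTR target names
    cnames = {}                      # alias -> canonical name

    for owner, rtype, value in records:
        owner = _norm(owner)
        if rtype == "A":
            ip = str(ip_address(value))
            names_by_ip[ip].add(owner)
            ips_by_name[owner].add(ip)
        elif rtype == "PTR":
            ptr_targets[owner].add(_norm(value))
        elif rtype == "CNAME":
            cnames[owner] = _norm(value)

    findings = []
    checked_reverse = set()

    # Every IP with an A record needs exactly one PTR, pointing at a name that
    # resolves back to that IP; any other A name on the same IP is an alias.
    for ip, owners in names_by_ip.items():
        rev = reverse_name(ip)
        checked_reverse.add(rev)
        targets = ptr_targets.get(rev, set())
        if not targets:
            findings.append(f"{ip}: no PTR record ({rev})")
        elif len(targets) > 1:
            findings.append(f"{ip}: {len(targets)} PTR records, only one allowed")
        else:
            (target,) = targets
            if target not in ips_by_name:
                findings.append(f"{ip}: PTR target {target} has no A record")
            elif ip not in ips_by_name[target]:
                findings.append(f"{ip}: PTR target {target} does not resolve to this IP")
            extras = sorted(owners - {target})
            if extras:
                findings.append(
                    f"{ip}: extra A records {extras}; hostname is {target}, "
                    "make the others CNAMEs")

    # PTRs for IPs that have no A record at all.
    for rev, targets in ptr_targets.items():
        if rev in checked_reverse:
            continue
        for target in targets:
            if target not in ips_by_name:
                findings.append(f"{rev}: PTR target {target} has no A record")

    # CNAMEs must point at something that exists.
    for alias, canon in cnames.items():
        if canon not in ips_by_name and canon not in cnames:
            findings.append(f"{alias}: CNAME target {canon} does not exist")

    return sorted(findings)


# Constructed sample data: a zone with the kind of problems discussed in the thread.
BROKEN = [
    ("server5-ad.lin.group", "A", "192.168.14.10"),
    ("server5.lin.group", "A", "192.168.14.10"),          # alias stored as a second A
    ("10.14.168.192.in-addr.arpa", "PTR", "server5-ad.lin.group."),
    ("win7vm01.lin.group", "A", "192.168.14.198"),        # client with no PTR
    ("old-printer.lin.group", "CNAME", "nowhere.lin.group."),
]

# The same zone with the alias as a CNAME and a PTR for the client.
FIXED = [
    ("server5-ad.lin.group", "A", "192.168.14.10"),
    ("server5.lin.group", "CNAME", "server5-ad.lin.group."),
    ("10.14.168.192.in-addr.arpa", "PTR", "server5-ad.lin.group."),
    ("win7vm01.lin.group", "A", "192.168.14.198"),
    ("198.14.168.192.in-addr.arpa", "PTR", "win7vm01.lin.group."),
]

if __name__ == "__main__":
    for line in check_zone(BROKEN):
        print(line)
    print("fixed zone findings:", check_zone(FIXED))
```

Run it against the broken sample and it reports the second A name on 192.168.14.10, the missing PTR for the Windows client and the dangling CNAME; the fixed sample comes back clean. Feed it your own export instead of the constructed lists to find which host is carrying two A names before chasing the dyndns denial.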