[Samba] Reverse DNS

Thu Jun 27 12:03:13 UTC 2019

Hai Praveen, 

> -----Oorspronkelijk bericht-----
> Van: Praveen Ghimire [mailto:PGhimire at sundata.com.au] 
> Verzonden: donderdag 27 juni 2019 13:46
> Aan: samba at lists.samba.org
> CC: 'L.P.H. van Belle'
> Onderwerp: RE: [Samba] Reverse DNS
> 
> Hi Guys,
> 
> Thank you for your emails. Here is the info
> 
> /etc/apparmor.d/local/usr.sbin.dhcp
> 
> /etc/dhcp/ r,
> /etc/dhcp/** r,
> /etc/dhcpd{,6}.conf r,
> /etc/dhcpd{,6}_ldap.conf r,
> /usr/local/bin/dhcp-dyndns.sh ix,

Try /usr/local/bin/dhcp-dyndns.sh rix, 

> /bin/grep rix,
> /usr/sbin/samba rix,
> /usr/bin/gawk rix,
> /bin/hostname rix,
> /usr/bin/wbinfo rix,
> /usr/bin/heimtools rix,
> /usr/bin/logger rix,
> /usr/bin/kinit.heimdal rix,
> /bin/date rix,
> /dev/tty wr,

> /dev/urandom w,
^^ change that to wr

> /proc/** r,
> /usr/bin/kinit w,
> /run/samba/winbindd/pipe wr,
> 
> The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x  1 root root 
> 4117 Jun 27 10:54 dhcp-dyndns.sh 
> 
> I don't have the 
> /var/lib/samba/private/named.conf.update.static but have 
> /var/lib/samba/private/named.conf.update, which looks like 
> the following
> 
> /* this file is auto-generated - do not edit */
> update-policy {
>         grant LIN.GROUP ms-self * A AAAA;
>         grant Administrator at LIN.GROUP wildcard * A AAAA SRV CNAME;
>         grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
> };

This part, 
grant SERVER5$@LIN.group  
So that would mean your hostname is SERVER5 

> 
> Please note: the hostname is SERVER5-AD but it is also called 
> SERVER5 as some of the old shares are pointing to 
> SERVER5(have entries for both in DNS and hosts file)
No No.. 

A computer (ip) has only ONE hostname ( as in host.dom.tld ) as in A and PTR record. 
For example there can only be ONE ptr record for an IP, the matching A is the REAL hostname. 

All others are aliasses and should be CNAMES in the DNS. 
Now, your resolving is failing / not correctly setup. 
That a point to fix and this is the primary thing you should look at first. 

> 
> Louis, the machine has full control over it's forward DNS 
> record . However the machine is not domain\machine but just 
> "WIN7VM01$" 

Thats fine also, as long as the computer as full access its ok. 

> 
> The reverse DNS doesn't exist so I manually added one using 
> samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198 
> PTR WIN7VM01.lin.group. It creates the record but the machine 
> has no access.
Thats because you created it, not the computer. 

> The thing to note is here is if I add an A record using the 
> DNS manager and select the option to create the associated 
> pointer record, it only creates the forward one. I am logged 
> into the machine with RSAT using the domain administrator account
Yes, thats know with RSAT, create the PTR manualy in that case. 

> 
> Back to the reverse one. I setup the ADDOM\WIN7VM01$ with 
> full permission in the rev record I just created.
> 
> After the reboot the forward DNS record now shows permissions 
> for ADDOM\WIN7VM01$ instead of just WIN7VM01$
> Is "Register this connection's address in DNS " checked? It is ticked
Good. 
> 
> In ipconfig /all , the details looks correct. The DNS suffix 
> is pointing to the domain. It has the correct DHCP and DNS details
> 
> I still see the permission denied error about the 
> dhcp-dyndns.sh and also client @0x7efc5809bfd0 
> 192.168.14.198#51947: update 'lin.group/IN' denied
This is correct, thats attempt one, the second should be with bind_dlz and succeede. 

> 
> As you can gather I am in completely different timezone (AUS) 
> as you,  so it might be a while before I can respond to 
> emails. Hence I am providing as much info as I can while I can. 

No problems, we all need to sleep sometime. ;-) 
> 
> Regards,
> 
> Praveen

Greetz, 

Louis