[Samba] How to automatically store the macAddress in AD

Nico Kadel-Garcia nkadel at gmail.com
Sat Mar 16 21:36:19 UTC 2019


On Sat, Mar 16, 2019 at 2:39 AM Harry Jede via samba
<samba at lists.samba.org> wrote:
>
> On 14.03.19 at 20:20, Pierre, BRIEC via samba wrote:
> > Hi list,
> >
> > Does someone know a way to automatically store the hwaddress in the AD?
> > I'm using Veyon in my school to manage the students' PCs and if the hwaddress
> > is populated in the AD, the Room configuration can be set with AD otherwise
> > I have to manage rooms manually.
> You may read the Veyon Administrator Manual
> <http://docs.veyon.io/en/4.1/admin/>.
> > I'm using samba4 with bind and isc-dhcp-server are on the same server.
> > Can we use scripts or some ways?
>
> ISC dhcpd has native support to read and store ALL dhcp attributes you
> normally have in flat files to store and retrieve in ldap.
>
> What does this mean?
>
> We, the "Arktur 4 developer" have built a solution where the teacher pc
> have a gui to control all dhcp stuff in ldap. One click to terminate a
> student pc's internet access. One click to isolate a class room from all
> other networks in case you will write an exam.
>
> I have no clue how to do this with AD, but it should work, if you use
> samba AD with bind dlz.

DNS, and DHCP, are two distinct toolkits. I think that it will help if
you go back to basics.

DHCP detects when a network device of some kind with a MAC address says
"hey, look at me, I'd like a network configuration, please!!!" And it
assigns one, with an IP address, a netmask, a gateway, and maybe some
other information like a domain name and DNS and NTP.  Check out
https://tools.ietf.org/html/rfc2131 and others for more details.

DNS is a service that lets a network service, such as those on your
local computer's network setup, accept a hostname and look up an IP
address that it goes with. It also supports looking up an IP address
and looking up a hostname, but they do not have to match and they
involve distinct types of DNS. And a computer hostname can have
something to do with DNS, it's very common to match, but it doesn't
have to. It's associated by convention, not by necessity.

Dynamic DNS, which Samba and AD support, allows a computer connected
to the server to register its IP address, tied to its hostname, in
DNS. It's useful: Samba can tie the act of logging into the domain
when you plug in your computer to DNS, and this is very desirable so
you can take your laptop to a different place, on a different network,
log in, and have other computers able to find it or to log connections
from it.

What this person seeks is control of DHCP, to permit or block MAC
addresses. There can be a table set up in DHCP, configured to set
certain MAC addresses to be assigned certain network configurations,
and non-listed MAC addresses get *nothing* from DHCP. Alternatively,
they can be assigned to a somewhat less accessible guest subnet or
VLAN, one that is configured at the switches and routers with less
access to shared resources. That setup is actually fairly common. It
can also have a forced proxy setup that requires separate
registration, and that is *very* common in free wifi areas or pay wifi
areas like restaurants and hotels.

The key is that this has nothing to do, directly, with Samba. DNS and
dynamic DNS would be *after* DHCP registration of the network device.
Samba wouldn't see anything until *after* DHCP has already
successfully registered the MAC address with a specific IP address and
helped the device connect to the local network.

Someone may have written a useful tool to help administrators register
and manage devices in both Samba or AD and in the local DHCP, but
they're distinct services. AD elected to build DHCP directly into
their software suite. The last time I looked personally, Samba had
stayed out of that, I think correctly because there were already good
DHCP servers built into every major UNIX and Linux operating system,
and why replace something else that works quite well?
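
Added example, not part of the original message or of any project's shipped configuration: an ISC dhcpd.conf fragment for the MAC table described above, where listed MAC addresses lease from the managed subnet and unlisted ones land on a guest subnet. The host names, MAC addresses and subnets are constructed placeholders from documentation ranges.

```conf
# ISC dhcpd.conf fragment. Host names, MACs and addresses are constructed
# (documentation ranges); adapt them to the real network.

# Registered devices: a host block makes a MAC a "known client".
host room101-pc01 { hardware ethernet 00:00:5e:00:53:01; }
host room101-pc02 { hardware ethernet 00:00:5e:00:53:02; }

# dhcpd matches the MAC address the client sends, so this is an
# assignment policy, not authentication. Keeping guests away from shared
# resources still has to be enforced at the switches and routers.
shared-network school {

  # Managed subnet: leases only for MACs that have a host block above.
  subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.2;
    pool {
      range 192.0.2.100 192.0.2.200;
      deny unknown-clients;
    }
  }

  # Guest subnet: only MACs without a host block lease here.
  # Remove this subnet and unlisted MACs get no lease at all.
  subnet 198.51.100.0 netmask 255.255.255.0 {
    option routers 198.51.100.1;
    option domain-name-servers 198.51.100.2;
    pool {
      range 198.51.100.100 198.51.100.200;
      allow unknown-clients;
    }
  }
}
```

`dhcpd -t -cf <file>` checks the syntax of a fragment like this without starting the server.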


