[Samba] Any advice for installing Samba as an AD server on Raspbian Buster with BIND9 and ISC DHCP?

Rick Hollinbeck rickh-samba at westernwares.com
Fri Apr 17 20:13:04 UTC 2020


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
          "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html  xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<title></title>
<meta http-equiv="content-type" content="text/html;charset=utf-8"/>
<meta http-equiv="Content-Style-Type" content="text/css"/>
</head>
<body>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">I've taken the good suggestions and made some progress getting a bind-dhcp-samba server 
running on the Pi.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Rowland wrote:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">> The best way would be to find whatever is rewriting /etc/resolv.conf </span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">> (dnsmasq ?) and stop it.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">I disabled dnsmasq and dhcpcd and set up a manual IP configuration</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">in /etc/network/interfaces.d/eth0 instead:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">-----------</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">auto eth0</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">allow-hotplug eth0</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">iface eth0 inet static</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">address 192.168.0.24</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">netmask 255.255.255.0</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">gateway 192.168.0.22</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">#dns-nameservers 192.168.0.6   # Old Windows 2008 DC</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">dns-nameservers 192.168.0.24 # New Samba 4.11 DC on Pi</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">dns-search office.example.com</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">iface eth0 inet6 static</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">address fd55:5555:5555:5555::24</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">netmask 64</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">gateway fd55:5555:5555:5555::22</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">------------</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">It turns out that even with dnsmasq and dhcpcd disabled, /etc/resolv.conf was still</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">getting rewritten by the dns-nameservers and dns-search options above.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">When I ran the JOIN with samba-tool, I had dns-nameservers point to the old Windows DC 
that I wanted to join.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Once the join finished, I changed this option to the IP of the Samba Pi itself.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Now, /etc/resolv.conf has the correct entries.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">I'm in the final stretches of getting a bind9-dhcpd-samba AD DC server working.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">But (at least) 2 things still aren't working.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">1. Replication back from the new Pi DC to one of the Windows DCs ACTS like</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">it's working (samba-tool drs showrepl says it is successful).</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">But, if I look at the contents of, say, the office.example.com container in DNS Manager,</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">a computer name PTR record has not been deleted on the old DC, even though it was 
deleted (by me) on the Pi DC (and it does not show up there in DNS Manager).</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">I even tried to manually replicate as mentioned in the Samba wiki with:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">sudo samba-tool drs replicate olddc2 pidc2 dc=office,dc=example,dc=com</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">No error is shown, but olddc2 still does not reflect the deleted computer name on pidc2.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">(It's still shown.)</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">2. This might be related to #1... I cannot get the dynamic dns updates to work with ISC 
dhcpd. It's not even updating on the Pi DC itself, where dhcpd is also running.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">I followed the directions from the Samba wiki, making the dhcpd-dyndns.sh script.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">The daemon.log file shows this attempt to add a new DNS entry when a client DHCP request 
is made:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:11 PiDC2 dhcpd[818]: Commit: IP: 192.168.0.151 DHCID: 08:62:66:e0:80:0e 
Name: ASUS-W10-LAPTOP</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[0] = 
/usr/local/bin/dhcp-dyndns.sh</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[1] = add</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[2] = 192.168.0.151</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[3] = 08:62:66:e0:80:0e</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[4] = ASUS-W10-LAPTOP</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:12 PiDC2 dhcpd[818]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:12 PiDC2 dhcpd[818]: DHCPREQUEST for 192.168.0.151 from 
08:62:66:e0:80:0e (ASUS-W10-LAPTOP) via eth0</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Apr 17 12:12:12 PiDC2 dhcpd[818]: DHCPACK on 192.168.0.151 to 08:62:66:e0:80:0e 
(ASUS-W10-LAPTOP) via eth0</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">I couldn't figure out what the '2816' exit status meant, so I tried running the script's command 
manually:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">sudo /usr/local/bin/dhcp-dyndns.sh add 192.168.0.151 08:62:66:e0:80:0e 
ASUS-W10-LAPTOP &>dhcp-dyndns.txt</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Here is the output file dhcp-dyndns.txt:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">-------------------</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Reply from SOA query:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  61443</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; QUESTION SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;ASUS-W10-LAPTOP.OFFICE.EXAMPLE.COM. IN SOA</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; AUTHORITY SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">office.EXAMPLE.com. 0      IN      SOA     pidc2.office.EXAMPLE.com. 
hostmaster.office.EXAMPLE.com. 16192552 900 600 86400 3600</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Found zone name: office.EXAMPLE.com</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">The master is: pidc2.office.EXAMPLE.com</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">start_gssrequest</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">send_gssrequest</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Outgoing update query:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  48000</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; QUESTION SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;4271396648.sig-pidc2.office.EXAMPLE.com. ANY TKEY</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ADDITIONAL SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">4271396648.sig-pidc2.office.EXAMPLE.com. 0 ANY TKEY gss-tsig. 1587145838 
1587145838 3 NOERROR 1498 YIIF1gYGKwYBBQUCoIIFyjCCBcagDTALBgkqhki$</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">recvmsg reply from GSS-TSIG query</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:  48000</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; QUESTION SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;4271396648.sig-pidc2.office.EXAMPLE.com. ANY TKEY</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">response to GSS-TSIG query was unsuccessful</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Reply from SOA query:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  26565</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; QUESTION SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;0.168.192.in-addr.arpa.                IN      SOA</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ANSWER SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">0.168.192.in-addr.arpa. 3600    IN      SOA     pidc2.office.EXAMPLE.com. 
hostmaster.office.EXAMPLE.com. 954 900 600 86400 3600</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; AUTHORITY SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">0.168.192.in-addr.arpa. 3600    IN      NS      pidc2.office.EXAMPLE.com.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">0.168.192.in-addr.arpa. 3600    IN      NS      dc2.office.EXAMPLE.com.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">0.168.192.in-addr.arpa. 3600    IN      NS      pe2600.office.EXAMPLE.com.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">0.168.192.in-addr.arpa. 3600    IN      NS      servi.office.EXAMPLE.com.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ADDITIONAL SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">pe2600.office.EXAMPLE.com. 3600 IN A       192.168.0.7</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">servi.office.EXAMPLE.com. 3600 IN  A       192.168.0.6</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">dc2.office.EXAMPLE.com. 3600 IN    A       192.168.0.10</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">pidc2.office.EXAMPLE.com. 900 IN   A       192.168.0.24</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">pe2600.office.EXAMPLE.com. 3600 IN AAAA    fd55:5555:5555:5555::7</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">pe2600.office.EXAMPLE.com. 3600 IN AAAA    fd55:5555:5555:5555:8683:a47e:9c6f:5f8c</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">servi.office.EXAMPLE.com. 3600 IN  AAAA    fd55:5555:5555:5555:1e49:bc2a:e195:69bc</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">servi.office.EXAMPLE.com. 3600 IN  AAAA    fd55:5555:5555:5555::6</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">pidc2.office.EXAMPLE.com. 900 IN   AAAA    fd55:5555:5555:5555::24</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Found zone name: 0.168.192.in-addr.arpa</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">The master is: pidc2.office.EXAMPLE.com</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">start_gssrequest</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">send_gssrequest</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Outgoing update query:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  12460</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; QUESTION SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;3053225212.sig-pidc2.office.EXAMPLE.com. ANY TKEY</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ADDITIONAL SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">3053225212.sig-pidc2.office.EXAMPLE.com. 0 ANY TKEY gss-tsig. 1587145838 
1587145838 3 NOERROR 1498 YIIF1gYGKwYBBQUCoIIFyjCCBcagDTALBgkqhki$</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">recvmsg reply from GSS-TSIG query</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:  12460</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;; QUESTION SECTION:</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">;3053225212.sig-pidc2.office.EXAMPLE.com. ANY TKEY</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">response to GSS-TSIG query was unsuccessful</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">------------------</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">I followed the instructions in the Samba wiki to set up the dhcpduser account and key, etc.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">I also added the additional suggestions into the script for reverse dns updating on Raspbian 
Jessie mentioned in the wiki (even though I am on Buster).</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">But this does still look like some issue with GSS-TSIG (whatever that is) when nsupdate is 
run from the script.</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Any idea what my problem might be?</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Or some new logging options I could try?</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">Thanks for the advice and help!</span></font></div>
<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt"><br />
</span></font></div>
<div align="left">  </div>
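<div align="left"><font face="Arial" size="2"><span style=" font-size:10pt">An added triage helper (my example, not code from the post or from the Samba wiki) that reads the two outputs quoted above. It assumes that the number dhcpd prints after "exit status" is the raw wait(2) status, so 2816 decodes to exit code 11, and that a SERVFAIL on the TKEY query means the server rejected the GSS-TSIG negotiation before any record update was sent; the log excerpts embedded in it are constructed from the lines in the post.</span></font></div>

```python
import re

# Constructed from the daemon.log lines quoted in the post (not a live capture).
DAEMON_LOG = """\
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[1] = add
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[2] = 192.168.0.151
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[3] = 08:62:66:e0:80:0e
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[4] = ASUS-W10-LAPTOP
Apr 17 12:12:12 PiDC2 dhcpd[818]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
"""

# Constructed from the nsupdate -d output quoted in the post (forward zone, then reverse).
NSUPDATE_OUT = """\
Found zone name: office.EXAMPLE.com
The master is: pidc2.office.EXAMPLE.com
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:  48000
response to GSS-TSIG query was unsuccessful
Found zone name: 0.168.192.in-addr.arpa
The master is: pidc2.office.EXAMPLE.com
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:  12460
response to GSS-TSIG query was unsuccessful
"""

def decode_wait_status(status):
    """dhcpd prints the raw wait(2) status, not the exit code: the exit code sits
    in bits 8-15, a terminating signal (if any) in bits 0-6. 2816 == 11 << 8."""
    if status & 0x7F:
        return {"exit_code": None, "signal": status & 0x7F}
    return {"exit_code": (status >> 8) & 0xFF, "signal": None}

def parse_dhcpd_execute(log):
    """Return the argv dhcpd handed to the hook script and its decoded status."""
    argv, status = [], None
    for line in log.splitlines():
        m = re.search(r"execute_statement argv\[\d+\] = (\S+)", line)
        if m:
            argv.append(m.group(1))
        m = re.search(r"execute: \S+ exit status (\d+)", line)
        if m:
            status = decode_wait_status(int(m.group(1)))
    return {"argv": argv, "status": status}

def parse_nsupdate_debug(out):
    """One record per zone nsupdate tried: the master it chose and the rcode of
    the GSS-TSIG (TKEY) reply, which must succeed before any record is updated."""
    zones, cur, awaiting = [], None, False
    for line in out.splitlines():
        if line.startswith("Found zone name: "):
            cur = {"zone": line.split(": ", 1)[1], "master": None, "tkey_rcode": None}
            zones.append(cur)
        elif cur and line.startswith("The master is: "):
            cur["master"] = line.split(": ", 1)[1]
        elif cur and line.startswith("recvmsg reply from GSS-TSIG query"):
            awaiting = True  # the next header line is the TKEY reply
        elif cur and awaiting and "->>HEADER<<-" in line:
            cur["tkey_rcode"] = re.search(r"status: (\w+)", line).group(1)
            awaiting = False
    return zones

def triage(daemon_log, nsupdate_out):
    """Join both views: the hook's real exit code and the zones whose TKEY failed."""
    run = parse_dhcpd_execute(daemon_log)
    code = run["status"]["exit_code"] if run["status"] else None
    bad = [z["zone"] for z in parse_nsupdate_debug(nsupdate_out)
           if z["tkey_rcode"] != "NOERROR"]
    return {"hook_args": run["argv"][1:], "exit_code": code, "tkey_failed_zones": bad}
```

Because both zones fail at the TKEY step with the same master, the helper points at the GSS-TSIG credential exchange between the updating host and pidc2 rather than at the records being added.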
</body>
</html>