[Samba] Any advice for installing Samba as an AD server on Raspbian Buster with BIND9 and ISC DHCP?

Rick Hollinbeck rickh-samba at westernwares.com
Sat Apr 18 21:53:39 UTC 2020


Sorry about the HTML in the last email - I'm attempting to resend
(with fingers crossed that my mailer doesn't throw in a bunch of HTML this time...)
---->

I've taken the good suggestions and made some progress getting a bind-dhcp-samba server 
running on the Pi with Raspbian Buster.

Rowland wrote:
> The best way would be to find whatever is rewriting /etc/resolv.conf 
> (dnsmasq ?) and stop it.

I disabled dnsmasq and dhcpcd and set up a manual ip configuration
in /etc/network/interfaces.d/eth0 instead:
-----------
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.0.24
netmask 255.255.255.0
gateway 192.168.0.22
#dns-nameservers 192.168.0.6   # Old Windows 2008 DC
dns-nameservers 192.168.0.24 # New Samba 4.11 DC on Pi
dns-search office.example.com
iface eth0 inet6 static
address fd55:5555:5555:5555::24
netmask 64
gateway fd55:5555:5555:5555::22
------------
It turns out that even with dnsmasq and dhcpcd disabled, /etc/resolv.conf was still
getting rewritten by the dns-nameservers and dns-search options above.

When I ran the JOIN with samba-tool, I had dns-nameservers point to the old Windows DC 
that I wanted to join.
Once the join finished, I changed this option to the ip of the Samba Pi itself.
Now, /etc/resolv.conf has the correct entries.

I'm in the final stretches of getting a bind9-dhcpd-samba AD DC server working.

But (at least) 2 things still aren't working.

1. Replication back from the new Pi DC to one of the Windows DCs ACTS like
it's working (samba-tool drs showrepl says it is successful).
But, if I look at the contents of, say, the office.example.com container in DNS Manager,
a computer name PTR record has not been deleted on the old DC, even though it was 
deleted (by me) on the Pi DC (and it does not show up there in DNS Manager).
I even tried to manually replicate as mentioned in the samba wiki with:

sudo samba-tool drs replicate olddc2 pidc2 dc=office,dc=example,dc=com

No error is shown, but olddc2 still does not reflect the deleted computer name on pidc2.
(It's still shown)

2. This might be related to #1... I cannot get the dynamic dns updates to work with ISC 
dhcpd. It's not even updating on the Pi DC itself, where dhcpd is also running.

I followed the directions from the samba wiki making the dhcp-dyndns.sh script.

The daemon.log file shows this attempt to add a new DNS entry when a client DHCP request 
is made:

Apr 17 12:12:11 PiDC2 dhcpd[818]: Commit: IP: 192.168.0.151 DHCID: 08:62:66:e0:80:0e 
Name: ASUS-W10-LAPTOP
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[0] = 
/usr/local/bin/dhcp-dyndns.sh
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[1] = add
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[2] = 192.168.0.151
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[3] = 08:62:66:e0:80:0e
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[4] = ASUS-W10-LAPTOP
Apr 17 12:12:12 PiDC2 dhcpd[818]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Apr 17 12:12:12 PiDC2 dhcpd[818]: DHCPREQUEST for 192.168.0.151 from 
08:62:66:e0:80:0e (ASUS-W10-LAPTOP) via eth0
Apr 17 12:12:12 PiDC2 dhcpd[818]: DHCPACK on 192.168.0.151 to 08:62:66:e0:80:0e 
(ASUS-W10-LAPTOP) via eth0

I couldn't figure out what the '2816' exit status meant, so I tried running the script's command 
manually:

sudo /usr/local/bin/dhcp-dyndns.sh add 192.168.0.151 08:62:66:e0:80:0e 
ASUS-W10-LAPTOP &>dhcp-dyndns.txt

Here is the output file dhcp-dyndns.txt:
-------------------
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  61443
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ASUS-W10-LAPTOP.OFFICE.EXAMPLE.COM. IN SOA

;; AUTHORITY SECTION:
office.EXAMPLE.com. 0      IN      SOA     pidc2.office.EXAMPLE.com. 
hostmaster.office.EXAMPLE.com. 16192552 900 600 86400 3600

Found zone name: office.EXAMPLE.com
The master is: pidc2.office.EXAMPLE.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  48000
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4271396648.sig-pidc2.office.EXAMPLE.com. ANY TKEY

;; ADDITIONAL SECTION:
4271396648.sig-pidc2.office.EXAMPLE.com. 0 ANY TKEY gss-tsig. 1587145838 
1587145838 3 NOERROR 1498 YIIF1gYGKwYBBQUCoIIFyjCCBcagDTALBgkqhki$

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:  48000
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;4271396648.sig-pidc2.office.EXAMPLE.com. ANY TKEY

response to GSS-TSIG query was unsuccessful
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  26565
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; QUESTION SECTION:
;0.168.192.in-addr.arpa.                IN      SOA

;; ANSWER SECTION:
0.168.192.in-addr.arpa. 3600    IN      SOA     pidc2.office.EXAMPLE.com. 
hostmaster.office.EXAMPLE.com. 954 900 600 86400 3600

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600    IN      NS      pidc2.office.EXAMPLE.com.
0.168.192.in-addr.arpa. 3600    IN      NS      dc2.office.EXAMPLE.com.
0.168.192.in-addr.arpa. 3600    IN      NS      pe2600.office.EXAMPLE.com.
0.168.192.in-addr.arpa. 3600    IN      NS      servi.office.EXAMPLE.com.

;; ADDITIONAL SECTION:
pe2600.office.EXAMPLE.com. 3600 IN A       192.168.0.7
servi.office.EXAMPLE.com. 3600 IN  A       192.168.0.6
dc2.office.EXAMPLE.com. 3600 IN    A       192.168.0.10
pidc2.office.EXAMPLE.com. 900 IN   A       192.168.0.24
pe2600.office.EXAMPLE.com. 3600 IN AAAA    fd55:5555:5555:5555::7
pe2600.office.EXAMPLE.com. 3600 IN AAAA    fd55:5555:5555:5555:8683:a47e:9c6f:5f8c
servi.office.EXAMPLE.com. 3600 IN  AAAA    fd55:5555:5555:5555:1e49:bc2a:e195:69bc
servi.office.EXAMPLE.com. 3600 IN  AAAA    fd55:5555:5555:5555::6
pidc2.office.EXAMPLE.com. 900 IN   AAAA    fd55:5555:5555:5555::24

Found zone name: 0.168.192.in-addr.arpa
The master is: pidc2.office.EXAMPLE.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  12460
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3053225212.sig-pidc2.office.EXAMPLE.com. ANY TKEY

;; ADDITIONAL SECTION:
3053225212.sig-pidc2.office.EXAMPLE.com. 0 ANY TKEY gss-tsig. 1587145838 
1587145838 3 NOERROR 1498 YIIF1gYGKwYBBQUCoIIFyjCCBcagDTALBgkqhki$

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:  12460
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3053225212.sig-pidc2.office.EXAMPLE.com. ANY TKEY

response to GSS-TSIG query was unsuccessful
------------------

I followed the instructions in the Samba wiki to set up the dhcpduser account and key, etc.
I also added the additional suggestions into the script for reverse dns updating on Raspbian 
Jessie mentioned in the wiki (even though I am on Buster).

But this still looks like some issue with GSS-TSIG (whatever that is) when nsupdate is
run from the script.

Any idea what my problem might be?
Or some new logging options I could try?

Thanks for the advice and help!
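Two things in the log above are worth pulling apart with a small harness. First, GSS-TSIG (RFC 3645) is the mechanism nsupdate -g uses to authenticate a dynamic update with Kerberos: it first sends a TKEY query carrying a GSSAPI token (the "ANY TKEY gss-tsig." record in the trace), and only after the server accepts that token does it sign the actual update with TSIG. A SERVFAIL on the TKEY step therefore means the negotiation itself was refused before any record was sent, so the record contents and the reverse-zone additions to the script are not what is failing; the keytab, principal and credential cache used for kinit are the first things to check. Second, dhcpd's execute statement logs the raw wait(2) status of the script rather than its exit code, so "exit status 2816" is 11 << 8, i.e. the script exited with status 11 (what 11 means depends on the script's own exit codes). The POSIX sh below, added here as an illustration and not taken from the Samba wiki's dhcp-dyndns.sh or the poster's setup, decodes that status, derives the in-addr.arpa owner name, builds the nsupdate batch for a lease event, and keeps the only network-touching step (kinit plus nsupdate -g -d) in a separate function. The function names, the DYNDNS_* variables, the keytab path /etc/dhcpduser.keytab and the credential cache path are assumptions; only the principal name dhcpduser comes from the post.

```sh
#!/bin/sh
# Added example: harness for the dhcpd -> nsupdate -g hand-off described in the post.
# Not the Samba wiki's dhcp-dyndns.sh and not the poster's script. Function names,
# DYNDNS_* variables, the keytab path and the KRB5CCNAME path are assumptions.

# dhcpd's execute() logs the raw wait(2) status, not the script's exit code.
# The post's 2816 is 11 << 8: the script exited with status 11.
decode_exit_status() {
    raw=$1
    if [ $(( raw & 127 )) -ne 0 ]; then
        echo "script killed by signal $(( raw & 127 ))" >&2
        return 1
    fi
    echo $(( (raw >> 8) & 255 ))
}

# Reverse-zone owner name for an IPv4 address:
# 192.168.0.151 -> 151.0.168.192.in-addr.arpa
ptr_name() {
    ( IFS=.; set -f; set -- $1
      [ $# -eq 4 ] || exit 1
      printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1" )
}

# Build the nsupdate command batch for one lease event.
# $1 = add|delete, $2 = IP, $3 = client hostname, $4 = forward zone, $5 = TTL (default 3600)
# Forward and reverse records go in separate "send" blocks: nsupdate resolves the
# SOA/master of each block's zone on its own (the two SOA lookups in the post's trace).
nsupdate_batch() {
    action=$1
    ip=$2
    zone=$4
    ttl=${5:-3600}
    host=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')   # names are case-insensitive; normalise
    fqdn="$host.$zone"
    rev=$(ptr_name "$ip") || return 1
    case $action in
        add)
            printf 'update delete %s A\nupdate add %s %s A %s\nsend\n' "$fqdn" "$fqdn" "$ttl" "$ip"
            printf 'update delete %s PTR\nupdate add %s %s PTR %s.\nsend\n' "$rev" "$rev" "$ttl" "$fqdn"
            ;;
        delete)
            printf 'update delete %s A\nsend\nupdate delete %s PTR\nsend\n' "$fqdn" "$rev"
            ;;
        *)
            echo "unknown action: $action" >&2
            return 2
            ;;
    esac
}

# Submit a batch with GSS-TSIG. Only this function touches the network and it is
# never called at top level here. The keytab must hold the update account's key
# (the post's dhcpduser); keytab and cache paths are assumptions.
submit_batch() {
    keytab=${DYNDNS_KEYTAB:-/etc/dhcpduser.keytab}
    principal=${DYNDNS_PRINCIPAL:-dhcpduser}
    export KRB5CCNAME=/tmp/dhcp-dyndns.cc    # private cache, not root's default one
    kinit -k -t "$keytab" "$principal" || { echo "kinit failed: check keytab/principal" >&2; return 1; }
    # -g selects GSS-TSIG; -d prints the TKEY exchange (the trace shown in the post)
    printf '%s\n' "$1" | nsupdate -g -d
}

# Usage: sh dyndns-harness.sh demo   (prints the batch for the lease from the post)
if [ "${1:-}" = demo ]; then
    nsupdate_batch add 192.168.0.151 ASUS-W10-LAPTOP office.example.com 900
fi
```

Running the demo prints the batch without sending it; piping it through submit_batch on the DC shows whether kinit with the keytab succeeds at all, which separates a Kerberos problem from a DNS one before nsupdate is involved.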