[Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Markus Roth
According to my ddns denied problem with bind dlz zone i tried the internal dns server from samba4. The forward lookup zone is still working correctly and do ddns updates for my win7 Client. But when i create the reverse zone with the windows remote admin tools and restart samba4 the ddns isn't working for the reverse zone. No ip adresses will be added. How can i configure reverse ddns?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
> Hi everybody,
>
> According to my ddns denied problem with bind dlz zone i tried the internal dns server from samba4. The forward lookup zone is still working correctly and do ddns updates for my win7 Client. But when i create the reverse zone with the windows remote admin tools and restart samba4 the ddns isn't working for the reverse zone. No ip adresses will be added. How can i configure reverse ddns?
saying 'ddns denied problem with bind dlz zone'
is incorrect, you were not using bind_dlz, if you were, you would have
had lines similar to these:
Aug 10 18:29:24 dc1 named[19739]: samba_dlz: starting transaction on
zone example.com
Aug 10 18:29:24 dc1 named[19739]: samba_dlz: allowing update of
signer=dhcpduser\@EXAMPLE.COM name=ThinkPad.example.com
tcpaddr=127.0.0.1 type=A key=2541565829.sig-dc1.example.com/160/0
Aug 10 18:29:24 dc1 named[19739]: samba_dlz: allowing update of
signer=dhcpduser\@EXAMPLE.COM name=ThinkPad.example.com
tcpaddr=127.0.0.1 type=A key=2541565829.sig-dc1.example.com/160/0
Aug 10 18:29:24 dc1 named[19739]: client 127.0.0.1#50000/key
dhcpduser\@EXAMPLE.COM: updating zone 'example.com/NONE': deleting rrset
at 'ThinkPad.example.com' A
Aug 10 18:29:24 dc1 named[19739]: samba_dlz: subtracted rdataset
ThinkPad.example.com
'ThinkPad.example.com.#0113600#011IN#011A#011192.168.0.215'
Aug 10 18:29:24 dc1 named[19739]: client 127.0.0.1#50000/key
dhcpduser\@EXAMPLE.COM: updating zone 'example.com/NONE': adding an RR
at 'ThinkPad.example.com' A
Aug 10 18:29:24 dc1 named[19739]: samba_dlz: added rdataset
ThinkPad.example.com
'ThinkPad.example.com.#0113600#011IN#011A#011192.168.0.215'
Aug 10 18:29:24 dc1 named[19739]: samba_dlz: committed transaction on
zone example.com
Rowland
Markus Roth
Thanks a lot for your help. Do bind need a special configuration for dlz? I've installed bind over the centos yum packet Manager. Than i included the samba named.conf and the samba dns_update List in the bind named.conf. At last i gave named via chgrp -r /usr/local/samba/private the permission to this folder. Is that wrong? If it's so do you have a dlz how to?
Kind. Regarts
Markus
Am 10.08.14 um 20:01 schrieb Rowland Penny
Dale Schroeder
See if this has what you are looking for:
http://wiki.samba.org/index.php/DNS_Backend_BIND
Dale
Markus Roth
first thanks a lot for your help :-)
@Dale
I tried to compile bind directly but if i do it like the samba wiki it don't
create any folders or the named.conf. So i loaded the
bind-9.8.2-0.23.rc1.el6_5.1.src.rpm form y new centos6.5 server and
installed it with rpm -i. At next i edit the bind.spec file and removed the
line "--disable-isc-spengo". A few lines under these line i saw the option
"--with-gssapi". At last i add the option "--with-dlopen=yes" and did
rpmbuild -bb bind.spec. Then i installed the bind-libs and bind-9.8.2 rpms
which are now new generated.
Is this correct?
@Rowland
I think i have now bind with dlz support. Because after the denied message
it does a correct ddns for my forward and reverse lookup zone.
But i don't know why it shows me first the denied message?
My whole log entry for a client update looks like this:
----------------------------------------------------------------------------
----------------------------------------------
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: starting transaction on
zone winnet.local
Aug 13 21:39:26 Server1 named[11383]: client 192.168.178.127#59988: update
'winnet.local/IN' denied
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: cancelling transaction on
zone winnet.local
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: starting transaction on
zone winnet.local
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: allowing update of
signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA
key=1084-ms-7.1-688d.8856a952-2321-11e4-96a6-000c29a4b410/160/0
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: allowing update of
signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A
key=1084-ms-7.1-688d.8856a952-2321-11e4-96a6-000c29a4b410/160/0
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: allowing update of
signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A
key=1084-ms-7.1-688d.8856a952-2321-11e4-96a6-000c29a4b410/160/0
Aug 13 21:39:26 Server1 named[11383]: client 192.168.178.127#53970: updating
zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 13 21:39:26 Server1 named[11383]: client 192.168.178.127#53970: updating
zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: subtracted rdataset
client1.winnet.local
'client1.winnet.local.#0111200#011IN#011A#011192.168.178.127'
Aug 13 21:39:26 Server1 named[11383]: client 192.168.178.127#53970: updating
zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: added rdataset
client1.winnet.local
'client1.winnet.local.#0111200#011IN#011A#011192.168.178.127'
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: committed transaction on
zone winnet.local
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: starting transaction on
zone 178.168.192.in-addr.arpa
Aug 13 21:39:26 Server1 named[11383]: client 192.168.178.127#55717: update
'178.168.192.in-addr.arpa/IN' denied
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: cancelling transaction on
zone 178.168.192.in-addr.arpa
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: starting transaction on
zone 178.168.192.in-addr.arpa
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: allowing update of
signer=client1\$\@WINNET.LOCAL name=127.178.168.192.in-addr.arpa tcpaddr=
type=PTR key=1084-ms-7.1-688d.8856a952-2321-11e4-96a6-000c29a4b410/160/0
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: allowing update of
signer=client1\$\@WINNET.LOCAL name=127.178.168.192.in-addr.arpa tcpaddr=
type=PTR key=1084-ms-7.1-688d.8856a952-2321-11e4-96a6-000c29a4b410/160/0
Aug 13 21:39:26 Server1 named[11383]: client 192.168.178.127#57170: updating
zone '178.168.192.in-addr.arpa/NONE': deleting rrset at
'127.178.168.192.in-addr.arpa' PTR
Aug 13 21:39:26 Server1 named[11383]: client 192.168.178.127#57170: updating
zone '178.168.192.in-addr.arpa/NONE': adding an RR at
'127.178.168.192.in-addr.arpa' PTR
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: added
127.178.168.192.in-addr.arpa
127.178.168.192.in-addr.arpa.#0111200#011IN#011PTR#011client1.winnet.local.
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: subtracted rdataset
178.168.192.in-addr.arpa
'178.168.192.in-addr.arpa.#0113600#011IN#011SOA#011server1.winnet.local.
hostmaster.winnet.local. 2 900 600 86400 3600'
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: added rdataset
178.168.192.in-addr.arpa
'178.168.192.in-addr.arpa.#0113600#011IN#011SOA#011server1.winnet.local.
hostmaster.winnet.local. 3 900 600 86400 3600'
Aug 13 21:39:26 Server1 named[11383]: samba_dlz: committed transaction on
zone 178.168.192.in-addr.arpa
----------------------------------------------------------------------------
----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: Dale Schroeder [mailto:da...@BriannasSaladDressing.com]
Gesendet: Dienstag, 12. August 2014 23:13
An: Markus Roth; Samba
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup
Zone
Rowland Penny
> Hi everybody,
>
>
> @Dale
> I tried to compile bind directly but if i do it like the samba wiki it don't
> create any folders or the named.conf. So i loaded the
> bind-9.8.2-0.23.rc1.el6_5.1.src.rpm form y new centos6.5 server and
> installed it with rpm -i. At next i edit the bind.spec file and removed the
> line "--disable-isc-spengo". A few lines under these line i saw the option
> "--with-gssapi". At last i add the option "--with-dlopen=yes" and did
> rpmbuild -bb bind.spec. Then i installed the bind-libs and bind-9.8.2 rpms
> which are now new generated.
>
> Is this correct?
>
> @Rowland
>
> I think i have now bind with dlz support. Because after the denied message
> it does a correct ddns for my forward and reverse lookup zone.
>
> But i don't know why it shows me first the denied message?
to update dns in an unsecure way, fails and then tries again in a secure
way and succeeds.
Not really sure about this because I turned off client updates and DHCP
carries out the dns updates via a bash script.
Rowland
Markus Roth
ok, thanks to that. So do you think my config is correct? Should i post my
configuration files? How do other persons do the ddns updates? That would be
interest...
Do anybody know if ddns for a reverse lookup zone is also possible with the
internal samba dns server? I've also setup this kind of configuration and
the reverse lookup zone won't be updated...
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von Rowland Penny
Gesendet: Mittwoch, 13. August 2014 22:03
An: sa...@lists.samba.org
Zone
Rowland Penny
> Hi Rowland,
>
> configuration files? How do other persons do the ddns updates? That would be
> interest...
anybody else does it.
> Do anybody know if ddns for a reverse lookup zone is also possible with the
> internal samba dns server? I've also setup this kind of configuration and
> the reverse lookup zone won't be updated...
reverse zone.
Rowland
steve
> On 13/08/14 21:54, Markus Roth wrote:
> > Hi Rowland,
> >
> > ok, thanks to that. So do you think my config is correct? Should i post my
> > configuration files? How do other persons do the ddns updates? That would be
> > interest...
>
> Steve uses sssd and this also updates the reverse zone, not sure how
> anybody else does it.
> >
> > Do anybody know if ddns for a reverse lookup zone is also possible with the
> > internal samba dns server? I've also setup this kind of configuration and
> > the reverse lookup zone won't be updated...
>
> Again, don't quote me, but I 'think' that windows doesn't use/update the
> reverse zone.
We haven't tested the internal dns recently but our production on 4.1.7
with bind9_dlz we can confirm that:
sssd with the ad backend and windows clients alike update both forward
and reverse zones.
HTH,
Steve
Markus Roth
thanks for your replay. I've found these artikel on
https://wiki.samba.org/index.php/Local_user_management_and_authentication/ss
sd. Two questions:
1. Sould i only type for the PATH-Variable on the shell "
PKG_CONFIG_PATH=/usr/local/samba/lib/pkgconfig/" ? Or should i edit a
special file to type that into that special file?
2. At next shoould i try Mehtod1 or Method 2?
If i need method1 do i have to install bind anymore?
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Gesendet: Mittwoch, 13. August 2014 23:15
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup
Zone
Markus Roth
thanks for your replay. I've found these artikel on
https://wiki.samba.org/index.php/Local_user_management_and_authentication/ss
sd. Two questions:
1. Sould i only type for the PATH-Variable on the shell "
PKG_CONFIG_PATH=/usr/local/samba/lib/pkgconfig/" ? Or should i edit a
special file to type that into that special file?
2. At next shoould i try Mehtod1 or Method 2?
If i need method1 do i have to install bind anymore?
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Gesendet: Mittwoch, 13. August 2014 23:15
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup
Zone
steve
> Hi Steve,
>
> thanks for your replay. I've found these artikel on
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/ss
> sd. Two questions:
>
> 1. Sould i only type for the PATH-Variable on the shell "
> PKG_CONFIG_PATH=/usr/local/samba/lib/pkgconfig/" ? Or should i edit a
> special file to type that into that special file?
>
> 2. At next shoould i try Mehtod1 or Method 2?
> If i need method1 do i have to install bind anymore?
That article is out of date I'm afraid. To make life easier, please grab
a recent version of sssd and go from here:
http://linuxcostablanca.blogspot.com.es/2014/04/sssd-ad-backend-with-samba4.html
That should solve both your user mapping and ddns queries in one go.
Markus Roth
Thanks a lot :-) do i understand that correct that i have to install bind9 and compile samba4 and follow your howto and than configure samba4 with the RFC 2307 and bind9 dlz?
Am 14.08.14 um 10:36 schrieb steve
steve
> Hi Steve,
>
>
No, it's not as complicated as that. You can use the existing DNS
databases.
1. Install bind9
2. edit /etc/named.conf (or the files under /etc/bind on debian) to look
like:
options {
directory "/var/lib/named";
managed-keys-directory "/var/lib/named/dyn/";
forwarders { 192.168.1.1; };
notify no;
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
3. samba_upgradedns --dns-backend=BIND9_DLZ
4. Not sure whether samba updates the permissions these days so check
that the named user has rw on the dns dbs and r on the keytab under
$SAMBAHOME/private
5. Delete the reverse zone (if you added it for the internal dns) and
restart named.
6. re-add the reverse zone
7. _Now_ follow the link for sssd.
HTH,
Steve
Markus Roth
i had setup a new centos7 test environment with sssd 1.11 so i can use your
link instead of an ldap configuration and followed your steps below. But
sssd won't start. I only geht the message under /var/log/messages:
Aug 15 22:08:11 server1 sssd: Starting up
Aug 15 22:08:11 server1 sssd[be[winnet.local]]: Starting up
Aug 15 22:08:11 server1 sssd[be[winnet.local]]: Starting up
Aug 15 22:08:13 server1 sssd[be[winnet.local]]: Starting up
Aug 15 22:08:16 server1 sssd[pam]: Starting up
Aug 15 22:08:16 server1 sssd[nss]: Starting up
Aug 15 22:08:16 server1 sssd[pam]: Starting up
Aug 15 22:08:16 server1 sssd[nss]: Starting up
Aug 15 22:08:17 server1 sssd[be[winnet.local]]: Starting up
Aug 15 22:08:17 server1 systemd: sssd.service: control process exited,
code=exited status=1
Aug 15 22:08:17 server1 systemd: Failed to start System Security Services
Daemon.
Aug 15 22:08:17 server1 systemd: Unit sssd.service entered failed state.
I had manually generate a sssd.conf under /etc/sssd. I installed sssd with
yum packet manager. I configured sssd.conf like your link:
[sssd]
services = nss, pam
config_file_version = 2
domains = winnet.local
[nss]
[pam]
[domain/winnet.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
what do i still wrong?
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von steve
An: Markus Roth
Cc: sa...@lists.samba.org
Zone
Markus Roth
Update:
I've now a sssd.conf which can start the sssd.conf daemon. But i also get
the denied messages in the forward and reverse lookup before samba4 do the
successfull ddns updates. Here are my configuration files:
----------------------------------------------------------------------------
---------------------------------------------------------------------------
Sssd.conf:
[sssd]
domains = winnet.local
debug_level = 0
[nss]
[pam]
[domain/winnet.local]
ldap_referrals = false
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_schema = rfc2307bis
#ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
#ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
#ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
#ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
krb5_realm = WINNET.LOCAL
krb5_canonicalize = false
----------------------------------------------------------------------------
---------------------------------------------------------------------------
/etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 192.168.178.130; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.178.0/24; };
allow-recursion { localhost; 192.168.178.0/24; };
forwarders { 8.8.8.8; 8.8.4.4; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";
----------------------------------------------------------------------------
---------------------------------------------------------------------------
Smb.conf
# Global parameters
[global]
workgroup = WINNET
realm = WINNET.LOCAL
netbios name = SERVER1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
----------------------------------------------------------------------------
---------------------------------------------------------------------------
-----Ursprüngliche Nachricht-----
Von: Markus Roth [mailto:markusr...@gmx.net]
Gesendet: Freitag, 15. August 2014 22:11
An: 'steve'
Cc: 'sa...@lists.samba.org'
Betreff: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup
Zone
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von steve
An: Markus Roth
Cc: sa...@lists.samba.org
Zone
steve
> Hi Steve,
>
It doesn't even get passed the startup and into AD. Do you have the
MACHINE$ key in the keytab? Do you have a keytab? Please post your
smb.conf and we'll see.
If you have the correct keytab, tail the log in real time:
systemctl stop sssd
rm /path/to/var/lib/sss/db/*
sssd -i -d3
This will tell us what's wrong in a little more detail
steve
> Hi Steve,
>
This is not using the sssd ad backend at all. It will not do ddns
updates, neither will it pull the correct id info from AD.
You were nearly there. Did you see my other post?
Just issue:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
and try with your original ad sssd config.
Markus Roth
I've tried the below domain exportkeytab, but when i do samba-tool domain
exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
ERROR(runtime): uncaught exception - Key table entry not found
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 103, in run
net.export_keytab(keytab=keytab, principal=principal)
When i do the same with --principal=server1$ it does an export, but i get
also the beginning denied messages. I also tried winnet$ or winnet.local$
but it gets the same erros above.
>Hi
>This is not using the sssd ad backend at all. It will not do ddns updates,
neither will it pull the correct id info from AD.
>You were nearly there. Did you see my other post?
>Just issue:
>samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$ and try
with your original ad sssd config.
>--
>To unsubscribe from this list go to the following URL and read the
Markus Roth
I've tried the below domain exportkeytab, but when i do samba-tool domain
exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
ERROR(runtime): uncaught exception - Key table entry not found
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 103, in run
net.export_keytab(keytab=keytab, principal=principal)
When i do the same with --principal=server1$ it does an export, but i get
also the beginning denied messages. I also tried winnet$ or winnet.local$
but it gets the same erros above.
>This is not using the sssd ad backend at all. It will not do ddns updates,
neither will it pull the correct id info from AD.
>You were nearly there. Did you see my other post?
>Just issue:
>samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$ and try
with your original ad sssd config.
>--
>To unsubscribe from this list go to the following URL and read the
Markus Roth
update. I think nobody can say that i'm not creative :-) I've tried now
./samba-tool domain exportkeytab /etc/krb5.keytab without the --principal
and change my sssd.conf back to:
[sssd]
services = nss, pam
domains = winnet.local
[pam]
[domain/winnet.local]
id_provider = ad
Now i get also the denied messages, but the logs now seems to be different:
Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
zone winnet.local
Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
tcpaddr=192.168.178.130 type=A key=2171273687.sig-server1.winnet.local/160/0
Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#49475/key
SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
at 'server1.winnet.local' A
Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
server1.winnet.local 'server1.winnet.local. 3600 IN A
192.168.178.130'
Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
winnet.local 'winnet.local. 3600 IN SOA
server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local
'winnet.local. 3600 IN SOA server1.winnet.local.
hostmaster.winnet.local. 5 900 600 86400 0'
Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
zone winnet.local
Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
zone winnet.local
Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
tcpaddr=192.168.178.130 type=AAAA
key=1458088344.sig-server1.winnet.local/160/0
Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60843/key
SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
at 'server1.winnet.local' AAAA
Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
zone winnet.local
Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
zone winnet.local
Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
tcpaddr=192.168.178.130 type=A key=2571247347.sig-server1.winnet.local/160/0
Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60497/key
SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at
'server1.winnet.local' A
Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset
server1.winnet.local 'server1.winnet.local. 3600 IN A
192.168.178.130'
Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
winnet.local 'winnet.local. 3600 IN SOA
server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local
'winnet.local. 3600 IN SOA server1.winnet.local.
hostmaster.winnet.local. 6 900 600 86400 0'
Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
zone winnet.local
Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
zone 178.168.192.in-addr.arpa
Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa
tcpaddr=192.168.178.130 type=PTR
key=1615781577.sig-server1.winnet.local/160/0
Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa
tcpaddr=192.168.178.130 type=PTR
key=1615781577.sig-server1.winnet.local/160/0
Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key
SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
deleting rrset at '130.178.168.192.in-addr.arpa' PTR
Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN
PTR server1.winnet.local.'
Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key
SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
adding an RR at '130.178.168.192.in-addr.arpa' PTR
Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset
130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN
PTR server1.winnet.local.'
Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
zone 178.168.192.in-addr.arpa
Aug 16 15:40:19 server1 chronyd[831]: NTP packet received from unauthorised
host 192.168.178.200 port 123
Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
zone winnet.local
Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#53494: update
'winnet.local/IN' denied
Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on
zone winnet.local
Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
zone winnet.local
Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
at 'client1.winnet.local' AAAA
Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
at 'client1.winnet.local' A
Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset
client1.winnet.local 'client1.winnet.local. 1200 IN A
192.168.178.200'
Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at
'client1.winnet.local' A
Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset
client1.winnet.local 'client1.winnet.local. 1200 IN A
192.168.178.200'
Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on
zone winnet.local
Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
zone 178.168.192.in-addr.arpa
Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#61402: update
'178.168.192.in-addr.arpa/IN' denied
Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on
zone 178.168.192.in-addr.arpa
Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
zone 178.168.192.in-addr.arpa
Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr=
type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr=
type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key
client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
deleting rrset at '200.178.168.192.in-addr.arpa' PTR
Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset
200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN
PTR client1.winnet.local.'
Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key
client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
adding an RR at '200.178.168.192.in-addr.arpa' PTR
Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset
200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN
PTR client1.winnet.local.'
Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on
zone 178.168.192.in-addr.arpa
Gesendet: Samstag, 16. August 2014 15:13
Cc: 'sa...@lists.samba.org'
Betreff: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup
Zone
Hi Steve,
exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
ERROR(runtime): uncaught exception - Key table entry not found
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line 103, in run
net.export_keytab(keytab=keytab, principal=principal)
When i do the same with --principal=server1$ it does an export, but i get
also the beginning denied messages. I also tried winnet$ or winnet.local$
but it gets the same erros above.
>This is not using the sssd ad backend at all. It will not do ddns updates,
neither will it pull the correct id info from AD.
>You were nearly there. Did you see my other post?
>Just issue:
>samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$ and try
with your original ad sssd config.
>--
>To unsubscribe from this list go to the following URL and read the
steve
> Hi Steve,
>
> I've tried the below domain exportkeytab, but when i do samba-tool domain
> exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
>
> ./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> ERROR(runtime): uncaught exception - Key table entry not found
That is the key you need to export.
steve
> Hi Steve,
>
> update. I think nobody can say that i'm not creative :-) I've tried now
> ./samba-tool domain exportkeytab /etc/krb5.keytab without the --principal
> and change my sssd.conf back to:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = winnet.local
> [nss]
> [pam]
> [domain/winnet.local]
> id_provider = ad
> access_provider = ad
>
> Now i get also the denied messages, but the logs now seems to be different:
Very close now. This should do it:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
steve
> On Sat, 2014-08-16 at 15:05 +0200, Markus Roth wrote:
> > Hi Steve,
> >
> > I've tried the below domain exportkeytab, but when i do samba-tool domain
> > exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
> >
> > ./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> > ERROR(runtime): uncaught exception - Key table entry not found
>
> What is the hostname of your DC? I guessed WINNET
> That is the key you need to export.
>
>
in the sssd wiki is the need to have the machine key available;)
Markus Roth
i don't know what i'm still doing wrong :-( I've create new vmware environments with centos 7 and windows 7. The hostname oft he centos 7 is server1 and the hostname from the windows 7 is client1. I've configured server1 as followed:
1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
3. edit /root/rpmbuild/SPECS/bind.spec and remove the line --disable-isc-spnego
4. rebuild bind with rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
5. remove all previous bind* and samba* installation files with yum remove
6. install bind-license, bind-libs* and bind9* with rpm -ivh
7. download samba 4.1.11
8. install dependencies for samba 4.1.11 with
yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
8. install samba 4.1.11 with ./configure --enable-debug --enable-selftest than make than make install
9. configure samba 4.1.11 with samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
10. configure /etc/named.conf for samba4
11. chgrp named + rw access for named on dns.keytab, dns_update_list, named.conf under /usr/local/samba/private and the same on *.so files under
/usr/local/samba/lib/bind9. Next i activate the so file for bind9 in the samba named.conf
12. install sssd with yum install sssd
13. generatet he krb5.keytab with my servername in big letters fort he principal name
# samba-tool domain exportkeytab /etc/krb5.keytab --principal=SERVER1$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab
14. generatet he sssd.conf with the same file permissions as the krb5.keytab + copy the samba4 krb5.conf to /etc and overwrite the existing one
15. Start named, sssd and samba daemon
16. generate reverse lookup zone with samba-tool dns zonecreate server1.winnet.local 178.168.192.in-addr.arpa
17. Start the client1 machine, give the server1 ip as the dns-server and joined the client1 to the domain
Here are my configuration files and the last log-file
Do you see any mistakes?
Named.conf
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = winnet.local
[nss]
[pam]
[domain/winnet.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Smb.conf
# Global parameters
[global]
workgroup = WINNET
realm = WINNET.LOCAL
netbios name = SERVER1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Samba4 named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/private/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.0
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
# For BIND 9.9.0
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Var/log/messages
Aug 17 00:13:58 server1 chronyd[809]: NTP packet received from unauthorised host 192.168.178.200 port 123
Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#57474: update 'winnet.local/IN' denied
Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone winnet.local
Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone winnet.local
Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#59638: update '178.168.192.in-addr.arpa/IN' denied
Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Gesendet: Samstag, 16. August 2014 um 16:00 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> >Instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
steve
> Hi Steve,
>
>
> 1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> 2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> 3. edit /root/rpmbuild/SPECS/bind.spec and remove the line --disable-isc-spnego
> 4. rebuild bind with rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
> 5. remove all previous bind* and samba* installation files with yum remove
> 6. install bind-license, bind-libs* and bind9* with rpm -ivh
> 7. download samba 4.1.11
> 8. install dependencies for samba 4.1.11 with
> yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
> 8. install samba 4.1.11 with ./configure --enable-debug --enable-selftest than make than make install
> 9. configure samba 4.1.11 with samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
> 10. configure /etc/named.conf for samba4
> 11. chgrp named + rw access for named on dns.keytab, dns_update_list, named.conf under /usr/local/samba/private and the same on *.so files under
> /usr/local/samba/lib/bind9. Next i activate the so file for bind9 in the samba named.conf
named needs rw on the DNS databases too.
> 12. install sssd with yum install sssd
> 13. generatet he krb5.keytab with my servername in big letters fort he principal name
> # samba-tool domain exportkeytab /etc/krb5.keytab --principal=SERVER1$
The next 2 lines make no sense:
You must delete the reverse zone and recreate it as I outlined in my
last message. Also, no feedback on the latter, so I have to guess that
you have done it but it.
HTH
Markus Roth
do you mean named needs rw on the DNS databases on /usr/local/samba/private/dns? in this file the grp named has rw access to the files and folders. That was automatically done by the samba4. Should i change here something?
Oh sorry i meant krb5.keytab not krb5.sssd.keytab.
You mean for the reverse lookup zone to delete the entry for client1 with the command ldbdel? I didn't do that for this test because these VMs where complete new generated.
And before i add my client1 to samba4 i've done a backup from my server1 VM so i can restore that every time for new tests. Client1 is the only client.
On my test today i restored the server1 VM and generate a new krb5.keytab without the --principal command again. Now i saw for the first time a ddns update from my server1 machine in the log.
The server1 itself had updated without any denied messages. But when i joined my client1 to the domain and restart the client1, i first get the denied messages again before he did the updates.
Should i give the grp named rw rights to the ldb and tdb files directly in the private folder from samba4?
What i forgot to say. I use static IPs on the server1 and client1.
Here are my new logs:
server1:
Aug 17 08:30:01 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
Aug 17 08:30:01 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=1043380558.sig-server1.winnet.local/160/0
Aug 17 08:30:01 server1 named[12525]: client 192.168.178.130#35803/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
Aug 17 08:30:01 server1 named[12525]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local. 900 IN A 192.168.178.130'
Aug 17 08:30:01 server1 named[12525]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 1 900 600 86400 0'
Aug 17 08:30:01 server1 named[12525]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 0'
Aug 17 08:30:01 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
server:
Aug 17 08:30:01 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
Aug 17 08:30:01 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1245284349.sig-server1.winnet.local/160/0
Aug 17 08:30:01 server1 named[12525]: client 192.168.178.130#50958/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
Aug 17 08:30:01 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
Aug 17 08:30:01 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
Aug 17 08:30:01 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=200605021.sig-server1.winnet.local/160/0
Aug 17 08:30:01 server1 named[12525]: client 192.168.178.130#53088/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
Aug 17 08:30:01 server1 named[12525]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
Aug 17 08:30:01 server1 named[12525]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 0'
Aug 17 08:30:01 server1 named[12525]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 0'
Aug 17 08:30:01 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
Aug 17 08:30:01 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:30:02 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=35035507.sig-server1.winnet.local/160/0
Aug 17 08:30:02 server1 named[12525]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=35035507.sig-server1.winnet.local/160/0
Aug 17 08:30:02 server1 named[12525]: client 192.168.178.130#33172/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
Aug 17 08:30:02 server1 named[12525]: client 192.168.178.130#33172/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
Aug 17 08:30:02 server1 named[12525]: samba_dlz: added 130.178.168.192.in-addr.arpa 130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.
Aug 17 08:30:02 server1 named[12525]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 1 900 600 86400 3600'
Aug 17 08:30:02 server1 named[12525]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 3600'
Aug 17 08:30:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
---------------------------------------------------------------------------------------------------------------
client:
Aug 17 08:30:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:34:02 server1 chronyd[852]: NTP packet received from unauthorised host 192.168.178.200 port 123
Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49669: update 'winnet.local/IN' denied
Aug 17 08:34:02 server1 named[12525]: samba_dlz: cancelling transaction on zone winnet.local
Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone winnet.local
Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49750/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49750/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#49750/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 17 08:34:02 server1 named[12525]: samba_dlz: added client1.winnet.local client1.winnet.local. 1200 IN A 192.168.178.200
Aug 17 08:34:02 server1 named[12525]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 0'
Aug 17 08:34:02 server1 named[12525]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone winnet.local
Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#62506: update '178.168.192.in-addr.arpa/IN' denied
Aug 17 08:34:02 server1 named[12525]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#54101/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#54101/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
Aug 17 08:34:02 server1 named[12525]: samba_dlz: added 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
Aug 17 08:34:02 server1 named[12525]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 3600'
Aug 17 08:34:02 server1 named[12525]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Gesendet: Sonntag, 17. August 2014 um 01:53 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: Aw: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
steve
> Hi Steve,
>
> Oh sorry i meant krb5.keytab not krb5.sssd.keytab.
> You mean for the reverse lookup zone to delete the entry for client1 with the command ldbdel?
samba-tool dns zonedelete
restart named
samba-tool dns zonecreate
restart sssd
> I didn't do that for this test because these VMs where complete new generated.
> And before i add my client1 to samba4 i've done a backup from my server1 VM so i can restore that every time for new tests. Client1 is the only client.
> On my test today i restored the server1 VM and generate a new krb5.keytab without the --principal command again. Now i saw for the first time a ddns update from my server1 machine in the log.
> The server1 itself had updated without any denied messages. But when i joined my client1 to the domain and restart the client1, i first get the denied messages again before he did the updates.
LOL, yeah. open source error messages at their best.
> Should i give the grp named rw rights to the ldb and tdb files directly in the private folder from samba4?
>
> What i forgot to say. I use static IPs on the server1 and client1.
So you don't need ddns;) The A record is produced by net ads join. You
could add the PTR and just disable the ddns updates and forget about
them.
This bit: It denies it. . .
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-661c.7a03bc0a-25d8-11e4-a29a-000c29a4b410/160/0
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#54101/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> Aug 17 08:34:02 server1 named[12525]: client 192.168.178.200#54101/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
. . .then it does it!
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 2 900 600 86400 3600'
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
>
That's the best you're gonna get. But why bother with static IPs?
HTH,
Steve
Markus Roth
first thanks a lot for your help at this time :-)
>Much easier:
>samba-tool dns zonedelete
>restart named
>samba-tool dns zonecreate
>restart sssd
ah okay good to know for future actions. So do i understand that right that my configuration is correct now and the denied messages with this configuration is ok? if its so than the denied messages are ok for me :-) But before i took my new configuration in productive use i better ask.
I took static IPs only for testing. When this configuration is ok now i would create a test envirnoment with a dhcp-server.
For the rw access you said named needs rw access on the dns databases. So i've set rw access for the group named on the *.so-files and for the ldb and tdb-files in the /usr/samba/private structure. But i don't know if this is neccesary.
Only for interest: When static IPs were used you would deaktivate the automatic ddns updates and add them manually with the samba-tool or with the windows remote administration kit? But i think it's much easier with ddns if some IPs will change, isn't it?
>LOL, yeah. open source error messages at their best.
......
> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
. . .then it does it!
....
steve
> Hi Steve,
>
>
> >Much easier:
> >samba-tool dns zonedelete
> >restart named
> >samba-tool dns zonecreate
> >restart sssd
>
> ah okay good to know for future actions. So do i understand that right that my configuration is correct now and the denied messages with this configuration is ok? if its so than the denied messages are ok for me :-) But before i took my new configuration in productive use i better ask.
named -version
BIND 9.9.4-rpz2.13269.14-P2 (Extended Support Version)
We do not get the denied messages, but we may have a lower debug level
set. Sorry, can't confirm this as we've no test domain with that
version.
_Are_ the records being updated? Change the IP of a sssd client box (NOT
the IP of the DC) and use host to check A and PTR.
>
> I took static IPs only for testing. When this configuration is ok now i would create a test envirnoment with a dhcp-server.
>
changed via dhcp.
> For the rw access you said named needs rw access on the dns databases.
Markus Roth
i have bind in Version 9.9.4-RedHat-9.9.4-14.el7.centos (Extended Support Version) under dentos7. I see the update messages without configuring a log-leve in var/log/messages.
ok so yu mean i should use always dhcp instead of static ips for a clean ddns update and logs?
when i changed the ip-adress of my client1 from 192.168.178.99 to 192.168.178.98 machine with windows 7 and analyse the dns entries with the windows remote tools he has updated the client1 successfully.
With the host command i get:
[root@server1 ~]# host -t A client1.winnet.local
client1.winnet.local has address 192.168.178.98
[root@server1 ~]# host -t PTR 192.168.178.98
98.178.168.192.in-addr.arpa domain name pointer client1.winnet.local.
so can i say that i have a correct configuration although i have the denied message? This says /var/log/messages for the ddns during the ip change:
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.98'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 12 900 600 86400 0'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 13 900 600 86400 0'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '98.178.168.192.in-addr.arpa' PTR
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added 98.178.168.192.in-addr.arpa 98.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 3600'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Gesendet: Montag, 18. August 2014 um 00:31 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
steve
> Hi Steve,
>
want to try samba-technical or isc, I think this is the best you can
expect, especially as it's working. Remember, the errors are written by
coders and can at times have little bearing upon what is really
happening.
I'm no expert on network topography. We chose dhcp because we wanted
less work. For file servers we always use fixed IP. I'm sure that
someone will chip in with some more concrete explanations other than
sheer laziness;)
HTH,
Steve
Markus Roth
thanks a lot :-) so in this case that i have a successfull configuration i would now implement an isc dhcp server under my centos 7 test environment. But how should i configure the dhcp server? I didn't find any howto. Only a skript from http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
But is that the only way? And when it is the only way how must i integrate this script in dhcp?
Kind regarts
Markus
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im Auftrag von steve
Gesendet: Montag, 18. August 2014 17:08
An: Markus Roth
> > > > > 0 Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing
> > > > > update of signer=client1\$\@WINNET.LOCAL
> > > > > name=client1.winnet.local tcpaddr= type=A
> > > > > key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/
> > > > > 0 Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing
> > > > > update of signer=client1\$\@WINNET.LOCAL
> > > > > name=client1.winnet.local tcpaddr= type=A
> > > > > key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/
> > > > > 0 Aug 16 15:40:20 server1 named[14419]: client
> > > > > 0 Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing
> > > > > update of signer=client1\$\@WINNET.LOCAL
> > > > > name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR
> > > > > key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/
> > > > > 0 Aug 16 15:40:20 server1 named[14419]: client
> > > > > >samba]]][https://lists.samba.org/mailman/options/samba[https:
> > > > > >//lists.samba.org/mailman/options/samba][https://lists.samba.
> > > > > >org/mailman/options/samba[https://lists.samba.org/mailman/opt
> > > > > >ions/samba]][https://lists.samba.org/mailman/options/samba[ht
> > > > > >tps://lists.samba.org/mailman/options/samba][https://lists.sa
> > > > > >mba.org/mailman/options/samba[https://lists.samba.org/mailman
Markus Roth
i think that's no problem to setup your howto with centos 7 :-) can i have the howto? But is it correct that i can't use a dhcp setup without the script?
markus
Gesendet: Dienstag, 19. August 2014 um 22:50 Uhr
Von: "Rowland Penny" <rowlan...@googlemail.com>
An: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On 19/08/14 21:27, Markus Roth wrote:
> Hi Steve,
>
> thanks a lot :-) so in this case that i have a successfull configuration i would now implement an isc dhcp server under my centos 7 test environment. But how should i configure the dhcp server? I didn't find any howto. Only a skript from http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
> But is that the only way? And when it is the only way how must i integrate this script in dhcp?
Hi, I have been doing the updates with dhcp this way for over 18 months
now, You need to add a user to do the updates, create a keytab for that
user, turn off ddns updates from windows clients and then dhcp runs a
script that via nsupdate, updates DNS. I could probably come up with a
howto, but it would be for Debian, so you would have to Centos-ify it
yourself.
Rowland
>>>>>>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.s
>>>>>>> amba.org/mailman/options/samba][https://lists.samba.org/mailm[https://lists.samba.org/mailm]
>>>>>>> an/options/samba[https://lists.samba.org/mailman/options/samb[https://lists.samba.org/mailman/options/samb]
>>>>>>> a]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lis
>>>>>>> ts.samba.org/mailman/options/samba][https://lists.samba.org/m[https://lists.samba.org/m]
>>>>>>> ailman/options/samba[https://lists.samba.org/mailman/options/[https://lists.samba.org/mailman/options/]
>>>>>>> samba]]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https:
>>>>>>> //lists.samba.org/mailman/options/samba][https://lists.samba[https://lists.samba].
>>>>>>> org/mailman/options/samba[https://lists.samba.org/mailman/opt[https://lists.samba.org/mailman/opt]
>>>>>>> ions/samba]][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][ht
>>>>>>> tps://lists.samba.org/mailman/options/samba][https://lists.sa[https://lists.sa]
>>>>>>> mba.org/mailman/options/samba[https://lists.samba.org/mailman[https://lists.samba.org/mailman]
>>>>>>> /options/samba]]]]
>>>>>
>>>>
>>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
Rowland Penny
> Hi Steve,
>
> But is that the only way? And when it is the only way how must i integrate this script in dhcp?
now, You need to add a user to do the updates, create a keytab for that
user, turn off ddns updates from windows clients and then dhcp runs a
script that via nsupdate, updates DNS. I could probably come up with a
howto, but it would be for Debian, so you would have to Centos-ify it
yourself.
Rowland
>
Rowland Penny
(kerberos) and that's how the script works. I'll come up with a howto and
send it to you tomorrow. Provided gmail is working properly again
Rowland
Markus Roth
that would be great :-) thank you :-)
Markus
Gesendet: Dienstag, 19. August 2014 um 23:19 Uhr
Von: "Rowland Penny" <rowlan...@googlemail.com>
An: "sa...@lists.samba.org" <sa...@lists.samba.org>
Rowland
> https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lists.s
> >>>>>>>
> amba.org/mailman/options/samba][https://lists.samba.org/mailm[https://lists.samba.org/mailm][https://lists.samba.org/mailm[https://lists.samba.org/mailm]]
> >>>>>>> an/options/samba[
> https://lists.samba.org/mailman/options/samb[https://lists.samba.org/mailman/options/samb][https://lists.samba.org/mailman/options/samb[https://lists.samba.org/mailman/options/samb]]
> >>>>>>> a]][
> https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https://lis
> >>>>>>>
> ts.samba.org/mailman/options/samba][https://lists.samba.org/m[https://lists.samba.org/m][https://lists.samba.org/m[https://lists.samba.org/m]]
> >>>>>>> ailman/options/samba[
> https://lists.samba.org/mailman/options/[https://lists.samba.org/mailman/options/][https://lists.samba.org/mailman/options/[https://lists.samba.org/mailman/options/]]
> >>>>>>> samba]]][
> https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][https
> :
> >>>>>>> //
> lists.samba.org/mailman/options/samba][https://lists.samba[https://lists.samba][https://lists.samba[https://lists.samba]]
> .
> >>>>>>> org/mailman/options/samba[
> https://lists.samba.org/mailman/opt[https://lists.samba.org/mailman/opt][https://lists.samba.org/mailman/opt[https://lists.samba.org/mailman/opt]]
> >>>>>>> ions/samba]][
> https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba][https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]][ht
> >>>>>>> tps://
> lists.samba.org/mailman/options/samba][https://lists.sa[https://lists.sa][https://lists.sa[https://lists.sa]]
> >>>>>>>
> mba.org/mailman/options/samba[https://lists.samba.org/mailman[https://lists.samba.org/mailman][https://lists.samba.org/mailman[https://lists.samba.org/mailman]]
> >>>>>>> /options/samba]]]]
> >>>>>
> >>>>
> >>>
> >>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:
steve
> On 19/08/14 21:27, Markus Roth wrote:
> > Hi Steve,
> >
> > thanks a lot :-) so in this case that i have a successfull configuration i would now implement an isc dhcp server under my centos 7 test environment. But how should i configure the dhcp server? I didn't find any howto. Only a skript from http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
> > But is that the only way? And when it is the only way how must i integrate this script in dhcp?
> Hi, I have been doing the updates with dhcp this way for over 18 months
> now, You need to add a user to do the updates, create a keytab for that
> user, turn off ddns updates from windows clients and then dhcp runs a
> script that via nsupdate, updates DNS. I could probably come up with a
> howto, but it would be for Debian, so you would have to Centos-ify it
> yourself.
>
> Rowland
That's as good a way as any, but since you've taken the trouble to get
sssd and ddns updates working anyway, you may want to leave all the
machines as they are and use a dhcp server on a box other than the DC.
You may indeed already have one as most Internet routers have one as
standard. If not it is easy to setup a dhcp server on a spare box and
remember that it doesn't need to be joined to the domain. We're on
openSUSE and you can point and click a dhcp server in a few minutes.
Maybe Centos has something similar? Otherwise it's learning file syntax
I'm afraid.
Take your pick.
Steve
Markus Roth
@Rowland
Thanks a llot for your howto. I've integrate your script in my centos 7 environment and modified it a little bit for the different pathes. When my client should get an ip-adress the dhcpd daemon brings the message "exit status 256":
Aug 21 00:34:18 server1 dhcpd: Listening on LPF/eno16777736/00:0c:29:63:09:28/192.168.178.0/24
Aug 21 00:34:18 server1 dhcpd: Sending on LPF/eno16777736/00:0c:29:63:09:28/192.168.178.0/24
Aug 21 00:34:18 server1 dhcpd: Sending on Socket/fallback/fallback-net
Aug 21 00:34:18 server1 systemd: Started DHCPv4 Server Daemon.
Aug 21 00:34:50 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
Aug 21 00:34:50 server1 dhcpd: DHCPREQUEST for 192.168.178.11 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 00:34:50 server1 dhcpd: DHCPACK on 192.168.178.11 to 00:0c:29:a4:b4:10 (client1) via eno16777736
The dyndns.log says that my dhcpduser does not exist, but it does. I created it as follows:
samba-tool user create dhcpduser --description="Unprivileged user for DNS updates via DHCP server"
samba-tool group addmembers DnsAdmins dhcpduser
samba-tool group addmembers "Domain Admins" dhcpduser
Than i generated the keytab:
samba-tool domain exportkeytab --principal=dhcp...@WINNET.LOCAL /etc/dhcp/dhcpduser.keytab
Extract from the dyndns.log:
No dhcp user exists, need to create it first.. exiting.
you can do this by typing the following commands
/usr/bin/kinit Admini...@WINNET.LOCAL
Usage: samba-tool <subcommand>
Main samba administration tool.
Options:
-h, --help show this help message and exit
Version Options:
-V, --version Display version number
.
.
.
.
My modified dhcp-dyndns.sh: All my files are under /etc/dhcp. In the script below i've modified my realm, domainname, temp-path, the path to my samba-tool and the keytab path.
-----------------------------------------------------------------------------------------------
# ----------------------- start -------------------------
#!/bin/bash
# /etc/dhcp/dhcp-dyndns.sh
# This script is for secure DDNS updates using GSS/TSIG on Samba 4
# Version: 0.8.3 (includes TXTRR records)
# Rowland Penny rpenny...@gmail.com
# Updated with suggestions from L. v. Belle lo...@van-belle.nl
# method to check for valid kerberos ticket changed
LOG="/etc/dhcp/dyndns.log"
if [ -f /etc/dhcp/dyndns.log ]; then
:
else
touch /etc/dhcp/dyndns.log
fi
exec >> $LOG 2>&1
## CONFIGURATION ##
# Samba 4 realm, change this to YOUR realm.
SETREALM=WINNET.LOCAL
#
# DNS domain, change this to YOUR dns domain
domain=winnet.local
#
## DO NOT CHANGE ANYTHING BELOW HERE
#
## define the dhcp user that will be used for the Dynamic updates to samba4
## this will create a Principal like : user@realm
SETDHCPUSER=dhcpduser
#
# TXT RRs (rfc4701)
# Set to YES to use TXT RRs
TXTRRS="NO"
#
# DNS nameserver
ns=127.0.0.1
#
# Kerberos principal
SETPRINCIPAL=$SETDHCPUSER@$SETREALM
# Kerberos keytab
SETDHCPKEYTAB=/etc/dhcp/$SETDHCPUSER.keytab
# Default DNS resource records TTL
RRTTL="3600"
# krbcc ticket cache
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
## Command locations, with full paths it speeds up processing.
## ( tested on Ubuntu 14.04, Debian 7.5 )
CMDSORT="$(which sort)"
CMDAWK="$(which awk)"
CMDHEAD="$(which head)"
CMDECHO="$(which echo)"
CMDDATE="$(which date)"
CMDKINIT="$(which kinit)"
CMDKLIST="$(which klist)"
CMDGREP="$(which grep)"
CMDGETENT="$(which getent)"
CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
CMDCHOWN="$(which chown)"
CMDCHMOD="$(which chmod)"
CMDHOST="$(which host)"
CMDNSUPDATE="$(which nsupdate)"
TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
if [ -z "${TESTUSER}" ]; then
echo "No dhcp user exists, need to create it first.. exiting."
echo "you can do this by typing the following commands"
echo "${CMDKINIT} Administrator@${SETREALM}"
echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
exit 1
fi
# Check for Kerberos keytab
if [ -f "${SETDHCPKEYTAB}" ]; then
:
else
echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
echo "Use the following commands as root"
echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
testos=$(uname -a | grep 'Debian')
if [ -z "$testos" ]; then
echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
fi
exit 1
fi
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
NSUPDFLAGS="-d"
## VARIABLES ##
# Variables supplied by dhcpd.conf
action=$1
ip=$2
DHCID=$3
name=${4%%.*}
usage()
{
echo "USAGE:"
echo " `basename $0` add ip-address dhcid|mac-address hostname"
echo " `basename $0` delete ip-address dhcid|mac-address"
}
_KERBEROS () {
# get current time as a number
test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
# Check for valid kerberos ticket
echo "$test [dyndns] : Running check for valid kerberos ticket"
klist -c "$KRB5CCNAME" -s
if [ "$?" != "0" ]; then
echo "$test [dyndns] : Getting new ticket, old one has expired"
kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
if [ "$?" != "0" ]; then
echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
exit 1;
fi
else
echo "$test [dyndns] : New ticket not required, old one still valid"
fi
}
# Exit if no ip address or mac-address
if [ -z "$ip" ] || [ -z "$DHCID" ]; then
usage
exit 1
fi
# Exit if no computer name supplied, unless the action is 'delete'
if [ "$name" = "" ]; then
if [ "$action" = "delete" ]; then
name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
else
usage
exit 1;
fi
fi
# Set PTR address
ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
# Create RRTXT record
RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
RRTXT="000101${RRTXT%% *}"
# extract txt record, if there is one
RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
## ${CMDNSUPDATE} ##
case "$action" in
add)
if [ "$TXTRRS" = "YES" ]; then
TXTRRS=""
# if string is not null
if [ -n "$RRTXTOLD" ]; then
# if old RRTXT is not the same as $RRTXT then exit
if [ "$RRTXT" != "$RRTXTOLD" ]; then
echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
exit 1
fi
fi
else
TXTRRS=";"
fi
_KERBEROS
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
update add $name.$domain $RRTTL A $ip
send
UPDATE
result1=$?
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
zone 0.168.192.in-addr.arpa
update delete $ptr $RRTTL PTR
update add $ptr $RRTTL PTR $name.$domain
send
UPDATE
result2=$?
;;
delete)
if [ "$TXTRRS" = "YES" ]; then
TXTRRS=""
if [ -n "$RRTXTOLD" ]; then
if [ "$RRTXT" != "$RRTXTOLD" ]; then
echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
exit 1
fi
else
TXTRRS=";"
fi
else
TXTRRS=";"
fi
_KERBEROS
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $name.$domain $RRTTL A
${TXTRRS}update delete $name.$domain $RRTTL TXT
send
UPDATE
result1=$?
${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
server $ns
realm ${SETREALM}
update delete $ptr $RRTTL PTR
send
UPDATE
result2=$?
;;
*)
echo "Invalid action specified"
exit 103
;;
esac
result="$result1$result2"
if [ "$result" != "00" ]; then
echo "DHCP-DNS Update failed: $result"
logger "DHCP-DNS Update failed: $result"
else
echo "DHCP-DNS Update succeeded"
logger "DHCP-DNS Update succeeded"
fi
exit $result
# ------------------ end -------------------------
-----------------------------------------------------------------------------------------------
-----Ursprüngliche Nachricht-----
Von: Rowland Penny [mailto:rowlan...@googlemail.com]
Gesendet: Mittwoch, 20. August 2014 10:52
An: Markus Roth
Betreff: Re: Aw: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On 19/08/14 22:27, Markus Roth wrote:
> Hi Rowland,
>
> that would be great :-) thank you :-)
>
> Markus
>
>
> Gesendet: Dienstag, 19. August 2014 um 23:19 Uhr
> Von: "Rowland Penny" <rowlan...@googlemail.com>
> An: "sa...@lists.samba.org" <sa...@lists.samba.org>
> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse
> lookup Zone I never found any other way to do it, you have to do it by
> a secure method
> (kerberos) and that's how the script works. I'll come up with a howto
> and send it to you tomorrow. Provided gmail is working properly again
>
> Rowland
>
>
> On 19 August 2014 21:56, Markus Roth <markusr...@gmx.net> wrote:
>
>> Hi Rowland,
>>
>> i think that's no problem to setup your howto with centos 7 :-) can i
>> have the howto? But is it correct that i can't use a dhcp setup
>> without the script?
>>
>> markus
>>
>> Gesendet: Dienstag, 19. August 2014 um 22:50 Uhr
>> Von: "Rowland Penny" <rowlan...@googlemail.com>
>> An: sa...@lists.samba.org
>> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse
>> lookup Zone On 19/08/14 21:27, Markus Roth wrote:
>>> Hi Steve,
>>>
>>> thanks a lot :-) so in this case that i have a successfull
>>> configuration
>> i would now implement an isc dhcp server under my centos 7 test
>> environment. But how should i configure the dhcp server? I didn't
>> find any howto. Only a skript from
>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-up
>> dates-against-secure-microsoft-dns/
>>> But is that the only way? And when it is the only way how must i
>> integrate this script in dhcp?
>> Hi, I have been doing the updates with dhcp this way for over 18
>> months now, You need to add a user to do the updates, create a keytab
>> for that user, turn off ddns updates from windows clients and then
>> dhcp runs a script that via nsupdate, updates DNS. I could probably
>> come up with a howto, but it would be for Debian, so you would have
>> to Centos-ify it yourself.
>>
>> Rowland
>>
>>> Kind regarts
>>> Markus
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: samba-...@lists.samba.org
>>> [mailto:samba-...@lists.samba.org]
>> Im Auftrag von steve
>>> Gesendet: Montag, 18. August 2014 17:08
>>> An: Markus Roth
>>> Cc: sa...@lists.samba.org
>>> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse
>> lookup Zone
>>> On Mon, 2014-08-18 at 16:28 +0200, Markus Roth wrote:
>>>> Hi Steve,
>>>>
>>>> reverse lookup Zone On Sun, 2014-08-17 at 16:55 +0200, Markus Roth wrote:
>>>>> Hi Steve,
>>>>>
>>>>>> Markus
>> Roth wrote:
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>> reverse lookup Zone On Sat, 2014-08-16 at 15:46 +0200, Markus
>>>>>>> Roth
>> wrote:
>>>>>>>> Hi Steve,
>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL and read
>>>>>>>>> the
>>>>>>>>> Instructions:
>>>>>>>>>
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]][https://lists.s
>> amba.org/mailman/options/samba][https://lists.samba.org/mailm[https:/
>> /lists.samba.org/mailm][https://lists.samba.org/mailm[https://lists.s
>> amba.org/mailm]]
>>>>>>>>> an/options/samba[
>> https://lists.samba.org/mailman/options/samb[https://lists.samba.org/
>> mailman/options/samb][https://lists.samba.org/mailman/options/samb[ht
>> tps://lists.samba.org/mailman/options/samb]]
>>>>>>>>> a]][
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]][https://lis
>> ts.samba.org/mailman/options/samba][https://lists.samba.org/m[https:/
>> /lists.samba.org/m][https://lists.samba.org/m[https://lists.samba.org
>> /m]]
>>>>>>>>> ailman/options/samba[
>> https://lists.samba.org/mailman/options/[https://lists.samba.org/mail
>> man/options/][https://lists.samba.org/mailman/options/[https://lists.
>> samba.org/mailman/options/]]
>>>>>>>>> samba]]][
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]][https
>> :
>>>>>>>>> //
>> lists.samba.org/mailman/options/samba][https://lists.samba[https://li
>> sts.samba][https://lists.samba[https://lists.samba]]
>> .
>>>>>>>>> org/mailman/options/samba[
>> https://lists.samba.org/mailman/opt[https://lists.samba.org/mailman/o
>> pt][https://lists.samba.org/mailman/opt[https://lists.samba.org/mailm
>> an/opt]]
>>>>>>>>> ions/samba]][
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]][ht
>>>>>>>>> tps://
>> lists.samba.org/mailman/options/samba][https://lists.sa[https://lists
>> .sa][https://lists.sa[https://lists.sa]]
>> mba.org/mailman/options/samba[https://lists.samba.org/mailman[https:/
>> /lists.samba.org/mailman][https://lists.samba.org/mailman[https://lis
>> ts.samba.org/mailman]]
>>>>>>>>> /options/samba]]]]
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]]
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:
>> https://lists.samba.org/mailman/options/samba[https://lists.samba.org
>> /mailman/options/samba][https://lists.samba.org/mailman/options/samba
>> [https://lists.samba.org/mailman/options/samba]]
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:
> https://lists.samba.org/mailman/options/samba[https://lists.samba.org/
> mailman/options/samba]
OK, I have thrown the attached file together, as Steve says, you can run the dhcp server on another machine but I have not yet found a way for dhcp running on another machine to directly update DNS. You either have to use something like the script I use directly on the server or use sssd.
Rowland
Markus Roth
thanks for your help and don't worry about the Dom-Admin group :-) ok, i aktualized the script but it seems that there is a problem again. Dhcp is only updating the forward lookup zone, not the reverse lookup zone and the denied message is still there like on my static-ip-adress tests before. The sh script brings still the exit status 256. The dhcp-server is on centos 7 also running with the user dhcpd. So i set the chown -R dhcpd /etc/dhcp. For the dhcp-tests i generated new VMs so my windows 7 client with the name client1 was new added. The client gets the ip-adress 192.168.178.10 from the dhcp server. My centos 7 which is called server1 has a static ip adress 192.168.178.130. Below are my dhcp config files and the new log /var/log/messages.
Dhcpd.conf
-------------------------------------------------------------------------------------------------------------------
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
# Winnet.local
# ------------------ start -----------------------
default-lease-time 14400;
max-lease-time 14400;
authoritative;
subnet 192.168.178.0 netmask 255.255.255.0 {
range 192.168.178.10 192.168.178.13;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.178.255;
option time-offset 0;
option domain-name "winnet.local";
option domain-name-servers 192.168.178.130;
option domain-search "winnet.local";
}
on commit {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
execute("/etc/dhcp/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}
on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
log(concat("Release: IP: ", ClientIP));
execute("/etc/dhcp/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}
# ----------------------- end -------------------------------------------
-------------------------------------------------------------------------------------------------------------------
Dhcp-dyndns.sh
-------------------------------------------------------------------------------------------------------------------
LOG="/etc/dhcp/dyndns.log"
exec >> $LOG 2>&1
## CONFIGURATION ##
CMDSAMBATOOL="/usr/local/samba/bin/samba-tool"
#NSUPDFLAGS="-d"
## VARIABLES ##
}
## ${CMDNSUPDATE} ##
_KERBEROS
_KERBEROS
-------------------------------------------------------------------------------------------------------------------
/var/log/messages
-------------------------------------------------------------------------------------------------------------------
Aug 21 21:46:01 server1 systemd: Started DHCPv4 Server Daemon.
Aug 21 21:46:41 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
Aug 21 21:46:41 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 21:46:41 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 21:46:45 server1 dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
Aug 21 21:46:45 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 21:46:45 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2009441398.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#35710/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A192.168.178.130'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 6 900 600 86400 0'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 7 900 600 86400 0'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1488805345.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#53855/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2416078767.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#45459/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 7 900 600 86400 0'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 8 900 600 86400 0'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
Aug 21 21:46:48 server1 named[12603]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=3724135530.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=3724135530.sig-server1.winnet.local/160/0
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#41382/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
Aug 21 21:46:48 server1 named[12603]: samba_dlz: subtracted rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
Aug 21 21:46:48 server1 named[12603]: client 192.168.178.130#41382/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
Aug 21 21:46:48 server1 named[12603]: samba_dlz: added rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
Aug 21 21:46:48 server1 named[12603]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Aug 21 21:46:51 server1 chronyd[835]: NTP packet received from unauthorised host 192.168.178.10 port 123
Aug 21 21:46:53 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#50494: update 'winnet.local/IN' denied
Aug 21 21:46:53 server1 named[12603]: samba_dlz: cancelling transaction on zone winnet.local
Aug 21 21:46:53 server1 named[12603]: samba_dlz: starting transaction on zone winnet.local
Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
Aug 21 21:46:53 server1 named[12603]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6dae.e623207e-296b-11e4-2fa1-000c29a4b410/160/0
Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 21 21:46:53 server1 named[12603]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A192.168.178.10'
Aug 21 21:46:53 server1 named[12603]: client 192.168.178.10#53181/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 21 21:46:53 server1 named[12603]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.10'
Aug 21 21:46:53 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
-------------------------------------------------------------------------------------------------------------------
-----Ursprüngliche Nachricht-----
Von: Rowland Penny [mailto:rowlan...@googlemail.com]
Gesendet: Donnerstag, 21. August 2014 11:28
An: Markus Roth
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Hi, spotted a few problems, one yours, two mine
First yours:
You changed:
CMDSAMBATOOL="$(which samba-tool)"
To:
CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
What the first does is set 'CMDSAMBATOOL' to where samba-tool is i.e. on Debian '/usr/bin/samba-tool'. Your version does something else entirely, it sets it to what running '/usr/local/samba/bin/samba-tool' in a terminal returns i.e. the usage message. I would suggest that you change:
CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
To:
CMDSAMBATOOL="/usr/local/samba/bin/samba-tool"
Now mine:
Not really a problem, but debugging is turned on, I just copied the script from my server and had forgotten to turn off debugging after the install, I have now turned it off.
To turn off debugging is simple, change:
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug NSUPDFLAGS="-d"
To:
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug #NSUPDFLAGS="-d"
I have also moved the two lines to above the '## DO NOT CHANGE ANYTHING BELOW HERE' line, as it is obviously something that you might want to change.
The last problem, you spotted, when I said 'Domain Admins' I really meant 'DnsAdmins', OOPS sorry
Do the alterations and try again, but just one last question, what user does dhcp runas, on Ubuntu it is 'dhcpd' and on Debian it is root, both of which work, but if your dhcp user is different, then you may have to change the script to suit.
Ryan Ashley
mention has been noted, forgive me. Do you happen to be using
Avahi/mDNS/Bonjour on your network? They use the ".local" domain. All of
my domains use ".lan" for this reason. It has given me issues in the
past, though I honestly do not know if it would interfere with your
issue. I am sure Rowland or Steve would know though.
steve
What do you have in /etc/nsswitch.conf?
Try:
hosts: files dns
Disable nscd
Markus Roth
i put the sh skript to /usr/local/sbin but it still says the exit message. I wonder that in the dyndns.log it says that the dhcpduser not exists. My keytab was generated with the --principal=dhcpduser.
Oh i think you was in the wrong line for the signer update. Your line shows the ddns update from my server. Here a cut of the log only for my client "client1":
Aug 22 00:04:01 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
Aug 22 00:04:01 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 22 00:04:01 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 22 00:04:05 server1 chronyd[826]: NTP packet received from unauthorised host 192.168.178.10 port 123
Aug 22 00:04:09 server1 named[13498]: samba_dlz: starting transaction on zone winnet.local
Aug 22 00:04:09 server1 named[13498]: client 192.168.178.10#64257: update 'winnet.local/IN' denied
Aug 22 00:04:09 server1 named[13498]: samba_dlz: cancelling transaction on zone winnet.local
Aug 22 00:04:09 server1 named[13498]: samba_dlz: starting transaction on zone winnet.local
Aug 22 00:04:09 server1 named[13498]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1056-ms-7.1-72af.131d9a10-297f-11e4-209a-000c29a4b410/160/0
Aug 22 00:04:09 server1 named[13498]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1056-ms-7.1-72af.131d9a10-297f-11e4-209a-000c29a4b410/160/0
Aug 22 00:04:09 server1 named[13498]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1056-ms-7.1-72af.131d9a10-297f-11e4-209a-000c29a4b410/160/0
Aug 22 00:04:09 server1 named[13498]: client 192.168.178.10#50718/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 22 00:04:09 server1 named[13498]: client 192.168.178.10#50718/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 22 00:04:09 server1 named[13498]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.10'
Aug 22 00:04:09 server1 named[13498]: client 192.168.178.10#50718/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 22 00:04:09 server1 named[13498]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.10'
Aug 22 00:04:09 server1 named[13498]: samba_dlz: committed transaction on zone winnet.local
Yes I'm running sssd.conf with the dns update:
[sssd]
services = nss, pam
config_file_version = 2
domains = winnet.local
[nss]
[pam]
[domain/winnet.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
my /etc/krb5.keytab was generatet with the --principal server1$
Gesendet: Donnerstag, 21. August 2014 um 22:53 Uhr
Von: "Rowland Penny" <rowlan...@googlemail.com>
An: "Markus Roth" <markusr...@gmx.net>
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On 21/08/14 21:29, Markus Roth wrote:
> Hi Rowland,
>
> CMDSAMBATOOL="/usr/local/samba/bin/samba-tool"
> #NSUPDFLAGS="-d"
> Aug 21 21:46:53 server1 named[12603]: samba_dlz: committed transaction on zone winnet.local
>
> -------------------------------------------------------------------------------------------------------------------
>
>
> -----Ursprüngliche Nachricht-----
> Von: Rowland Penny [mailto:rowlan...@googlemail.com]
> Gesendet: Donnerstag, 21. August 2014 11:28
> An: Markus Roth
> Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
>> ----------------------------------------------------------------------
>> -------------------------
>>
> Hi, spotted a few problems, one yours, two mine
>
> First yours:
> You changed:
>
> CMDSAMBATOOL="$(which samba-tool)"
>
> To:
>
> CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
>
> What the first does is set 'CMDSAMBATOOL' to where samba-tool is i.e. on Debian '/usr/bin/samba-tool'. Your version does something else entirely, it sets it to what running '/usr/local/samba/bin/samba-tool' in a terminal returns i.e. the usage message. I would suggest that you change:
>
> CMDSAMBATOOL="$(/usr/local/samba/bin/samba-tool)"
>
> To:
>
> CMDSAMBATOOL="/usr/local/samba/bin/samba-tool"
>
> Now mine:
> Not really a problem, but debugging is turned on, I just copied the script from my server and had forgotten to turn off debugging after the install, I have now turned it off.
> To turn off debugging is simple, change:
>
> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug NSUPDFLAGS="-d"
>
> To:
>
> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug #NSUPDFLAGS="-d"
>
> I have also moved the two lines to above the '## DO NOT CHANGE ANYTHING BELOW HERE' line, as it is obviously something that you might want to change.
>
> The last problem, you spotted, when I said 'Domain Admins' I really meant 'DnsAdmins', OOPS sorry
>
> Do the alterations and try again, but just one last question, what user does dhcp runas, on Ubuntu it is 'dhcpd' and on Debian it is root, both of which work, but if your dhcp user is different, then you may have to change the script to suit.
>
> Rowland
>
OK, have you still got sssd running and is the dns update line still in
sssd,conf ?
Your log excerpt shows that the machine keytab is being used to do the
update:
samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL
On Mine:
samba_dlz: allowing update of signer=dhcpduser\@EXAMPLE.COM
Please put the update script in /usr/local/sbin, you are getting this:
dhcpd: execute: /etc/dhcp/dhcp-dyndns.sh exit status 256
I get:
dhcpd: execute_statement argv[0] = /usr/local/sbin/dhcp-dyndns.sh
dhcpd: execute_statement argv[1] = add
dhcpd: execute_statement argv[2] = 192.168.0.215
dhcpd: execute_statement argv[3] = 1:84:a6:c8:3b:da:7b
dhcpd: execute_statement argv[4] = ThinkPad
I do not think that the script is being run correctly, if at all
Markus Roth
the deamon nscd was still disabled. In my nsswitch.conf i changed the entry hosts: files dns myhostname to hosts: files dns. But the problem is still the same :-(
Gesendet: Donnerstag, 21. August 2014 um 23:40 Uhr
Von: steve <st...@steve-ss.com>
An: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Markus Roth
i don't think so. It's a standard installation of centos 7. yum only knows avahi and that's not installed :-(
I have not followed every post on this thread, so if what I am about to
mention has been noted, forgive me. Do you happen to be using
Avahi/mDNS/Bonjour on your network? They use the ".local" domain. All of
my domains use ".lan" for this reason. It has given me issues in the
past, though I honestly do not know if it would interfere with your
issue. I am sure Rowland or Steve would know though.
steve
> Yes I'm running sssd.conf with the dns update:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = winnet.local
> [nss]
> [pam]
> [domain/winnet.local]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> ldap_id_mapping = False
> dyndns_update = True
>
> my /etc/krb5.keytab was generatet with the --principal server1$
>
Markus Roth
oh no :-) Sicne you gave me the tip for sssd, i use it. The interessting thing is that since i have sssd my server1 is also doing ddns updates. Before sssd it didn't. And the ddns update from my server1 is without any denied messages (server1 has the static IP 192.168.178.130). My client1 windows7 brings first the denied message with a static ip and then it's doing the updates. And at this point i thougt you said my configs are ok, or the best i can get with static IPs :-)
So i started to implement dhcp for my further tests before i go to productive use. So now i have the problem with dhcp i get the exit 256 message and than the denied message from my client1 again. It seems that my client is doing the ddns updates instead the script in the dhcp-config. :-) But i don't know why. I think the exit 256 message is the problem. My dhcpd-user has rw rights on the sh-script and recursive on /etc/dhcp and now the sh-script is under /usr/local/sbin as rowland said.
In the dyndns.log from the sh-script it says every time that no dhcp-user exists and that the script would generate one.
Gesendet: Freitag, 22. August 2014 um 01:01 Uhr
Von: steve <st...@steve-ss.com>
An: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
Rowland Penny
root@dc01:~# ls -la /usr/local/sbin/dhcp-dyndns.sh
-rwxr-xr-x 1 root root 6197 Aug 21 10:14 /usr/local/sbin/dhcp-dyndns.sh
It told you this in the howto I sent you:
Make it executable.
chmod +x /usr/local/sbin/dhcp-dyndns.sh
Rowland
steve
> Hi Steve,
>
> oh no :-) Sicne you gave me the tip for sssd, i use it. The interessting thing is that since i have sssd my server1 is also doing ddns updates. Before sssd it didn't. And the ddns update from my server1 is without any denied messages (server1 has the static IP 192.168.178.130). My client1 windows7 brings first the denied message with a static ip and then it's doing the updates. And at this point i thougt you said my configs are ok, or the best i can get with static IPs :-)
>
> So i started to implement dhcp for my further tests before i go to productive use. So now i have the problem with dhcp i get the exit 256 message and than the denied message from my client1 again. It seems that my client is doing the ddns updates instead the script in the dhcp-config. :-) But i don't know why. I think the exit 256 message is the problem. My dhcpd-user has rw rights on the sh-script and recursive on /etc/dhcp and now the sh-script is under /usr/local/sbin as rowland said.
> In the dyndns.log from the sh-script it says every time that no dhcp-user exists and that the script would generate one.
>
As we see it, you use either Rowland's dhcp direct-inject-on-dc script
and turn off ddns on your clients or you use sssd on Linux and allow the
window clients to send their own ddns requests. If the latter, you
disable ddns updates if you run sssd on the DC.
@Rowland Is this what we are taking about here?
Cheers and sorry about the confusion,
Steve
L.P.H. van Belle
Do i understand this good..
If we use the scripts for DDNS updates.
The DDNS update in windows must be turnt off ( for example by GPO )
so you dont have that 1 denied message before the script runs.
( this is known to me )
And if you use SSSD, this DDNS update from windows works ok?
and then the script isnt needed? If so that would be nice..
I dont use SSSD but im thinking of it for some servers..
Best regards,
Louis
>-----Oorspronkelijk bericht-----
>Van: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>Namens steve
>Verzonden: vrijdag 22 augustus 2014 10:30
>Aan: Markus Roth
>CC: sa...@lists.samba.org
>Onderwerp: Re: [Samba] samba4 internal dns Server ddns for the
Rowland Penny
> On Fri, 2014-08-22 at 09:54 +0200, Markus Roth wrote:
>> Hi Steve,
>>
>> oh no :-) Sicne you gave me the tip for sssd, i use it. The interessting thing is that since i have sssd my server1 is also doing ddns updates. Before sssd it didn't. And the ddns update from my server1 is without any denied messages (server1 has the static IP 192.168.178.130). My client1 windows7 brings first the denied message with a static ip and then it's doing the updates. And at this point i thougt you said my configs are ok, or the best i can get with static IPs :-)
>>
>> So i started to implement dhcp for my further tests before i go to productive use. So now i have the problem with dhcp i get the exit 256 message and than the denied message from my client1 again. It seems that my client is doing the ddns updates instead the script in the dhcp-config. :-) But i don't know why. I think the exit 256 message is the problem. My dhcpd-user has rw rights on the sh-script and recursive on /etc/dhcp and now the sh-script is under /usr/local/sbin as rowland said.
>> In the dyndns.log from the sh-script it says every time that no dhcp-user exists and that the script would generate one.
>>
> Hi Markus,
> As we see it, you use either Rowland's dhcp direct-inject-on-dc script
> and turn off ddns on your clients or you use sssd on Linux and allow the
> window clients to send their own ddns requests. If the latter, you
> disable ddns updates if you run sssd on the DC.
> @Rowland Is this what we are taking about here?
> Cheers and sorry about the confusion,
And yes, you can only use one, either get sssd to update the forward and
reverse zones OR use the setup I use. You cannot use both.
Rowland
Rowland Penny
> Hai Guys,
>
> Do i understand this good..
>
> If we use the scripts for DDNS updates.
> The DDNS update in windows must be turnt off ( for example by GPO )
> so you dont have that 1 denied message before the script runs.
> ( this is known to me )
>
> And if you use SSSD, this DDNS update from windows works ok?
> and then the script isnt needed? If so that would be nice..
> I dont use SSSD but im thinking of it for some servers..
>
clients trying to update their dns records, unless you do not use either
sssd or a variation to the script I use AND do not have a reverse zone.
The problem is the reverse zone, windows (unless someone knows better)
does not update the reverse zone, so you need something else to do this.
Rowland
steve
> On 22/08/14 09:30, steve wrote:
> > On Fri, 2014-08-22 at 09:54 +0200, Markus Roth wrote:
> >> Hi Steve,
> >>
> >> oh no :-) Sicne you gave me the tip for sssd, i use it. The interessting thing is that since i have sssd my server1 is also doing ddns updates. Before sssd it didn't. And the ddns update from my server1 is without any denied messages (server1 has the static IP 192.168.178.130). My client1 windows7 brings first the denied message with a static ip and then it's doing the updates. And at this point i thougt you said my configs are ok, or the best i can get with static IPs :-)
> >>
> >> So i started to implement dhcp for my further tests before i go to productive use. So now i have the problem with dhcp i get the exit 256 message and than the denied message from my client1 again. It seems that my client is doing the ddns updates instead the script in the dhcp-config. :-) But i don't know why. I think the exit 256 message is the problem. My dhcpd-user has rw rights on the sh-script and recursive on /etc/dhcp and now the sh-script is under /usr/local/sbin as rowland said.
> >> In the dyndns.log from the sh-script it says every time that no dhcp-user exists and that the script would generate one.
> >>
> > Hi Markus,
> > As we see it, you use either Rowland's dhcp direct-inject-on-dc script
> > and turn off ddns on your clients or you use sssd on Linux and allow the
> > window clients to send their own ddns requests. If the latter, you
> > disable ddns updates if you run sssd on the DC.
> > @Rowland Is this what we are taking about here?
> > Cheers and sorry about the confusion,
>
> Your confused, I think just about everybody is confused here ;-)
>
> And yes, you can only use one, either get sssd to update the forward and
> reverse zones OR use the setup I use. You cannot use both.
>
> Rowland
1. Decide which way to go. AND TELL US! Let's assume he goes with
Rowland's dhcp-ddns script on the DC. So,
2. Disable ddns. Is this it?
http://support.microsoft.com/kb/816592
3. Disable ddns updates from sssd on the DC and the Linux cleints in
sssd.conf:
dyndns_update=false
HTH
Steve
L.P.H. van Belle
# FOR USE WITH BIND9_DLZ and dynamic updates
# It should be noted that using this method will affect functionality of windows clients,
# as they will still attempt to update DNS on their own and will be denied permission
# to do so as the record will be owned by the dhcp user.
#
# you'll need a Windows PC with the RSAT tools installed.
# Simply create a dedicated GPO with the Group Policy Editor,
# apply only to OUs that contain workstations
# (so that servers can still update using 'ipconfig /registerdns')
# and configure the following settings:
###
# Computer Configuration
# Policies
# Administrative Templates
# Network
# DNS Client
# Dynamic Update = Disabled
# Register PTR Records = Disabled
Greetz,
Louis
>-----Oorspronkelijk bericht-----
>Van: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>Namens steve
>Aan: sa...@lists.samba.org
>Onderwerp: Re: [Samba] samba4 internal dns Server ddns for the
Markus Roth
first thanks a lot for all the help. Sorry that all are a little bit confused for me :-( ok, i don't know that i have to decide if i should use sssd ddns or the script from rowland. i thought i Need both. So i decide to take rowlands Skript now. So i would do the following steps for the next test:
1. Create the GPO from van Belle below
2. Set dyndns_update = false in the sssd.conf
3. check the correct permissions of dhcp sh script
4. Restart named, sssd, samba4, dhcpd
5. Restart client1 and analyse the /var/log/message protocoll
Gesendet: Freitag, 22. August 2014 um 12:39 Uhr
Von: "L.P.H. van Belle" <be...@bazuin.nl>
An: "sa...@lists.samba.org" <sa...@lists.samba.org>
Greetz,
Louis
>> >> instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
>> >
>>
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
Rowland Penny
> Hi everybody,
>
> first thanks a lot for all the help. Sorry that all are a little bit confused for me :-( ok, i don't know that i have to decide if i should use sssd ddns or the script from rowland. i thought i Need both. So i decide to take rowlands Skript now. So i would do the following steps for the next test:
>
> 1. Create the GPO from van Belle below
> 2. Set dyndns_update = false in the sssd.conf
> 3. check the correct permissions of dhcp sh script
> 4. Restart named, sssd, samba4, dhcpd
> 5. Restart client1 and analyse the /var/log/message protocoll
>
Rowland
Markus Roth
i've done the steps below but it always says the exit 256 message. the sh-skript has the x acces for owner, group and others. So i don't think it's a permission problem. What does exit 256 exactly mean? Could it be that i must change some things for centos? Sorry, i'm no expert in scripting :-(
-rwxrwx--x 1 dhcpd root 6375 24. Aug 17:59 dhcp-dyndns.sh
var/log/messages says:
Aug 24 15:55:40 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
Aug 24 15:56:02 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
Aug 24 15:56:02 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 24 15:56:02 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 24 15:56:05 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
Aug 24 15:56:05 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 24 15:56:05 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 24 15:56:11 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
/etc/dhcp/dyndns.log says:
No dhcp user exists, need to create it first.. exiting.
you can do this by typing the following commands
/bin/kinit Admini...@WINNET.LOCAL
/usr/local/samba/bin/samba-tool user create dhcpduser --description="Unprivileged user for DNS updates via ISC DHCP server"
/usr/local/samba/bin/samba-tool user setexpiry dhcpduser --noexpiry
/usr/local/samba/bin/samba-tool group addmembers DnsAdmins dhcpduser
Gesendet: Freitag, 22. August 2014 um 15:39 Uhr
Von: "Rowland Penny" <rowlan...@googlemail.com>
Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>>
>>
> --
> To unsubscribe from this list go to the following URL and read the
Rowland Penny
> Hi everybody,
>
>
> -rwxrwx--x 1 dhcpd root 6375 24. Aug 17:59 dhcp-dyndns.sh
>
> var/log/messages says:
>
> Aug 24 15:55:40 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
> Aug 24 15:56:02 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
> Aug 24 15:56:02 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 15:56:02 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 15:56:05 server1 dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
> Aug 24 15:56:05 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 15:56:05 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 15:56:11 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.10 port 123
>
> /etc/dhcp/dyndns.log says:
>
> No dhcp user exists, need to create it first.. exiting.
TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
if [ -z "${TESTUSER}" ]; then
So:
A) what does 'getent passwd' show, is dhcpduser there ?
B) does 'which getent' return anything and if so what ?
C) does 'which grep' return anything and if so what ?
Lets go from there.
Rowland
Markus Roth
now i'm confused again :-)
A)
getent passwd gives me the linux-users, but my dhcpduser is only in active directory from samba4.
from getent passwd i get the user from my dhcp-daemon:
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
B)
here i get:
/bin/getent
C)
here i get:
alias grep='grep --color=auto'
/bin/grep
Gesendet: Sonntag, 24. August 2014 um 19:29 Uhr
Von: "Rowland Penny" <rowlan...@googlemail.com>
An: Kein Empfänger
Cc: sa...@lists.samba.org
So:
Lets go from there.
Rowland
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>>
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
Rowland Penny
> Hi Rowland,
>
> now i'm confused again :-)
OK, lets see if we can de-confuse you ;-)
>
> A)
> getent passwd gives me the linux-users, but my dhcpduser is only in active directory from samba4.
> from getent passwd i get the user from my dhcp-daemon:
>
> dhcpd:x:177:177:DHCP server:/:/sbin/nologin
This is where your problems start, if I run 'getent passwd' on the S4 AD
DC, I get (amongst others):
EXAMPLE\dhcpduser:*:3000018:10000::/home/EXAMPLE/dhcpduser:/bin/bash
'3000018' is the xidNumber for 'dhcpduser' from idmap.ldb
You need to investigate why running 'getent passwd' on the S4 AD DC (you
are doing this on the DC, aren't you?) does not show you dhcpduser
>
> B)
> here i get:
>
> /bin/getent
Good.
>
> C)
> here i get:
>
> alias grep='grep --color=auto'
> /bin/grep
>
>
Not so good, I just get '/bin/grep'
In the short term, change this in the script:
CMDGREP="$(which grep)"
To:
CMDGREP="/bin/grep"
I will have to think how to get round this problem properly, this will
probably involve checking for what OS the script is running on and
setting the commands accordingly.
Rowland
Markus Roth
A)
hmm. that sounds strange. I deleted the account and create it new with the windows rsat tool instead of the samba command.
But the user is not in the /etc/passwd. (i think getent passwd reads the /etc/passwd?). Do i have to configure something special?
I compiled samba 4.1.11 by my own with:
1. ./configure --enable-debug --enable-selftest
2. make
3. make install
4. samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
4.1 Here i chose my winnet.local as the realm and domainname, than the option dc and then bind9_dlz
did i forget anything else?
B)
ok :-)
C)
ok i change that :-)
Gesendet: Sonntag, 24. August 2014 um 20:29 Uhr
Good.
CMDGREP="$(which grep)"
To:
CMDGREP="/bin/grep"
Rowland
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>>
>>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
Rowland Penny
> Hi Rowland,
>
> hmm. that sounds strange. I deleted the account and create it new with the windows rsat tool instead of the samba command.
> But the user is not in the /etc/passwd. (i think getent passwd reads the /etc/passwd?). Do i have to configure something special?
in there. If you are running a S4 AD DC, you do not need any local users
over and above the ones the install creates, or if a package creates a user.
Over on the wiki, on this page:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Installing_Samba
You will find this:
Make domain users/groups available locally through Winbind
To have your domain users and groups available locally on your Member
Server, you need to place two links in your /lib64 folder:
# ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
# ldconfig
If you are running a 32-bit system ("uname -i" will return "i686"), you
have to use /lib instead!
The final step of the configuration is to add 'winbind' to the 'passwd'
and 'group' entry of your /etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
You need to do the above to get winbind to work, if you compile samba
yourself
NOTE to Marc: could you please put this back on the Samba AD DC Howto page.
> I compiled samba 4.1.11 by my own with:
Excuse me, but as an aside, would you by any chance be German ?
>
> 1. ./configure --enable-debug --enable-selftest
You do not need '--enable-debug --enable-selftest' anymore
> 2. make
> 3. make install
> 4. samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
> 4.1 Here i chose my winnet.local as the realm and domainname, than the option dc and then bind9_dlz
>
> did i forget anything else?
No
Rowland Penny
>> On 24/08/14 20:26, Markus Roth wrote:
>>> Hi Rowland,
>>>
>>> A)
>>> hmm. that sounds strange. I deleted the account and create it new with the windows rsat tool instead of the samba command.
>>> But the user is not in the /etc/passwd. (i think getent passwd reads the /etc/passwd?). Do i have to configure something special?
>> The user shouldn't be in /etc/passwd, you should only have local users
>> in there. If you are running a S4 AD DC, you do not need any local users
>> over and above the ones the install creates, or if a package creates a user.
>>
>> Over on the wiki, on this page:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Installing_Samba
>>
>> You will find this:
>>
>> Make domain users/groups available locally through Winbind
>>
>> To have your domain users and groups available locally on your Member
>> Server, you need to place two links in your /lib64 folder:
>>
>> # ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
>> # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
>> # ldconfig
>>
>> If you are running a 32-bit system ("uname -i" will return "i686"), you
>> have to use /lib instead!
>>
>> The final step of the configuration is to add 'winbind' to the 'passwd'
>> and 'group' entry of your /etc/nsswitch.conf:
>>
>> passwd: compat winbind
>> group: compat winbind
>>
> disabled, so that should read:
> passwd: files sss
> group : files sss
>
> Has he started sssd?
>
Ah yes, I forgot that, but whichever he uses, getent needs to show
'dhcpduser' and it isn't. He needs to check if sssd is running and he
has the correct lines in nsswitch.conf OR do the winbind setup I posted.
Rowland
steve
> On 24/08/14 20:26, Markus Roth wrote:
> > Hi Rowland,
> >
> > A)
> > hmm. that sounds strange. I deleted the account and create it new with the windows rsat tool instead of the samba command.
> > But the user is not in the /etc/passwd. (i think getent passwd reads the /etc/passwd?). Do i have to configure something special?
> The user shouldn't be in /etc/passwd, you should only have local users
> in there. If you are running a S4 AD DC, you do not need any local users
> over and above the ones the install creates, or if a package creates a user.
>
> Over on the wiki, on this page:
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Installing_Samba
>
> You will find this:
>
> Make domain users/groups available locally through Winbind
>
> To have your domain users and groups available locally on your Member
> Server, you need to place two links in your /lib64 folder:
>
> # ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
> # ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
> # ldconfig
>
> If you are running a 32-bit system ("uname -i" will return "i686"), you
> have to use /lib instead!
>
> The final step of the configuration is to add 'winbind' to the 'passwd'
> and 'group' entry of your /etc/nsswitch.conf:
>
> passwd: compat winbind
> group: compat winbind
>
disabled, so that should read:
passwd: files sss
group : files sss
Has he started sssd?
Markus Roth
ah ok, i don't know that. I'v done these things and now i get the dhcpduser with getent passwd :-)
WINNET\dhcpduser:*:3000021:100::/home/WINNET/dhcpduser:/bin/false
yyyeeeaaahhh it works now :-) In My reverse-zone there is still the old entry of the static IP. Do samba4 delete that after a while?
Now the log says :-)
Aug 24 22:25:41 server1 named[12881]: samba_dlz: starting transaction on zone winnet.local
Aug 24 22:25:41 server1 named[12881]: samba_dlz: allowing update of signer=dhcpduser\@WINNET.LOCAL name=client1.winnet.local tcpaddr=127.0.0.1 type=A key=650662793.sig-server1.winnet.local/160/0
Aug 24 22:25:41 server1 named[12881]: samba_dlz: allowing update of signer=dhcpduser\@WINNET.LOCAL name=client1.winnet.local tcpaddr=127.0.0.1 type=A key=650662793.sig-server1.winnet.local/160/0
Aug 24 22:25:41 server1 named[12881]: client 127.0.0.1#60750/key dhcpduser\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 24 22:25:41 server1 named[12881]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 3600 IN A 192.168.178.10'
Aug 24 22:25:41 server1 named[12881]: client 127.0.0.1#60750/key dhcpduser\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 24 22:25:41 server1 named[12881]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 3600 IN A 192.168.178.10'
Aug 24 22:25:41 server1 named[12881]: samba_dlz: committed transaction on zone winnet.local
Aug 24 22:25:41 server1 named[12881]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 24 22:25:41 server1 named[12881]: samba_dlz: allowing update of signer=dhcpduser\@WINNET.LOCAL name=10.178.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=958371820.sig-server1.winnet.local/160/0
Aug 24 22:25:41 server1 named[12881]: samba_dlz: allowing update of signer=dhcpduser\@WINNET.LOCAL name=10.178.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=958371820.sig-server1.winnet.local/160/0
Aug 24 22:25:41 server1 named[12881]: client 127.0.0.1#59111/key dhcpduser\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '10.178.168.192.in-addr.arpa' PTR
Aug 24 22:25:41 server1 named[12881]: client 127.0.0.1#59111/key dhcpduser\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '10.178.168.192.in-addr.arpa' PTR
Aug 24 22:25:41 server1 named[12881]: samba_dlz: added 10.178.168.192.in-addr.arpa 10.178.168.192.in-addr.arpa. 3600 IN PTR client1.winnet.local.
Aug 24 22:25:41 server1 named[12881]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
Aug 24 22:25:41 server1 named[12881]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 3600'
Aug 24 22:25:41 server1 named[12881]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Aug 24 22:25:41 server1 logger: DHCP-DNS Update succeeded
Aug 24 22:25:41 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
Aug 24 22:25:41 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
yes i'm german :-) why? i hope not of my bad english :-(
Gesendet: Sonntag, 24. August 2014 um 21:47 Uhr
You will find this:
>>>>> http://support.microsoft.com/kb/816592[http://support.microsoft.com/kb/816592]
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>
>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
steve
We were going on the plan from a few posts back:
>>> 1. Create the GPO from van Belle below
>>> 2. Set dyndns_update = false in the sssd.conf
>>> 3. check the correct permissions of dhcp sh script
>>> 4. Restart named, sssd, samba4, dhcpd
>>> 5. Restart client1 and analyse the /var/log/message protocoll
rm /var/lib/sss/db/*
and restart sssd
Rowland Penny
> Hi Rowland,
>
>
> WINNET\dhcpduser:*:3000021:100::/home/WINNET/dhcpduser:/bin/false
>
> yyyeeeaaahhh it works now :-) In My reverse-zone there is still the old entry of the static IP. Do samba4 delete that after a while?
I believe that it will, but it may take some time, if not I am sure that
someone will explain how to remove it.
>
> Now the log says :-)
>
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: starting transaction on zone winnet.local
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: allowing update of signer=dhcpduser\@WINNET.LOCAL name=client1.winnet.local tcpaddr=127.0.0.1 type=A key=650662793.sig-server1.winnet.local/160/0
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: allowing update of signer=dhcpduser\@WINNET.LOCAL name=client1.winnet.local tcpaddr=127.0.0.1 type=A key=650662793.sig-server1.winnet.local/160/0
> Aug 24 22:25:41 server1 named[12881]: client 127.0.0.1#60750/key dhcpduser\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 3600 IN A 192.168.178.10'
> Aug 24 22:25:41 server1 named[12881]: client 127.0.0.1#60750/key dhcpduser\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 3600 IN A 192.168.178.10'
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: committed transaction on zone winnet.local
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: allowing update of signer=dhcpduser\@WINNET.LOCAL name=10.178.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=958371820.sig-server1.winnet.local/160/0
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: allowing update of signer=dhcpduser\@WINNET.LOCAL name=10.178.168.192.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=958371820.sig-server1.winnet.local/160/0
> Aug 24 22:25:41 server1 named[12881]: client 127.0.0.1#59111/key dhcpduser\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '10.178.168.192.in-addr.arpa' PTR
> Aug 24 22:25:41 server1 named[12881]: client 127.0.0.1#59111/key dhcpduser\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '10.178.168.192.in-addr.arpa' PTR
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: added 10.178.168.192.in-addr.arpa 10.178.168.192.in-addr.arpa. 3600 IN PTR client1.winnet.local.
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 3600'
> Aug 24 22:25:41 server1 named[12881]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> Aug 24 22:25:41 server1 logger: DHCP-DNS Update succeeded
> Aug 24 22:25:41 server1 dhcpd: DHCPREQUEST for 192.168.178.10 from 00:0c:29:a4:b4:10 (client1) via eno16777736
> Aug 24 22:25:41 server1 dhcpd: DHCPACK on 192.168.178.10 to 00:0c:29:a4:b4:10 (client1) via eno16777736
>
Thank goodness for that, yes that looks ok now ;-)
> yes i'm german :-) why? i hope not of my bad english :-(
>
I am the last person to knock your English, I cannot speak a word of
German, but could I point out that an English person would not say 'I
compiled samba4.1.11 by my own', they would say ' I compiled samba
myself' ;-)
Your English is very good, but like all non-english speaking people, you
translate your language into English based on how you speak your
language and only the English speak like the English. We have words that
have multiple meanings depending on how you pronounce them, we use the
minimum of words possible, we use words in different order to the rest
of the world, so it is understandable that you do not write English as I
would ;-)
Rowland
>
>
>
> Gesendet: Sonntag, 24. August 2014 um 21:47 Uhr
Markus Roth
ok perfect :-) thanks a lot for your help, and thanks a lot to all other people who helped me :-)
hehe... ok that's right.. :-) aahh myself. A classic mistake i make every time :-) do you come from england or USA?
@steve @rowland
so we have a functonal installation with winbind. But i find it very interesting to get it working with sssd too.
So i changed my nsswitch.conf back to files sssd, cleared the sssd cache and restart all my services. But now i don't get the AD-users with getent passwd.
So based on that the dhcp-script is also not working.
Are there other things to analye?
Gesendet: Sonntag, 24. August 2014 um 22:56 Uhr
Von: "Rowland Penny" <rowlan...@googlemail.com>
An: Kein Empfänger
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
Rowland
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>
>>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
steve
> i changed my nsswitch.conf back to files sssd
not
files sssd
;)
Rowland Penny
> Ho Rowland,
>
> ok perfect :-) thanks a lot for your help, and thanks a lot to all other people who helped me :-)
> hehe... ok that's right.. :-) aahh myself. A classic mistake i make every time :-) do you come from england or USA?
I am from England.
>
> @steve @rowland
>
> so we have a functonal installation with winbind. But i find it very interesting to get it working with sssd too.
> So i changed my nsswitch.conf back to files sssd, cleared the sssd cache and restart all my services. But now i don't get the AD-users with getent passwd.
> So based on that the dhcp-script is also not working.
> Are there other things to analye?
Did you change /etc/nsswitch.conf ?
Rowland
>
>
> Gesendet: Sonntag, 24. August 2014 um 22:56 Uhr
steve
> In My reverse-zone there is still the old entry of the static IP. Do samba4 delete that after a while?
called). From your tests there'll be a lot of rubbish in the reverse
zone. But you know how to deal with this one from before:
Delete the reverse zone
restart named
recreate it
now let Rowland's script populate the clean zone.
HTH
Steve
Markus Roth
the output is:
(Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No SUDO module provided for [winnet.local] !!
(Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No autofs module provided for [winnet.local] !!
(Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No selinux module provided for [winnet.local] !!
(Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No host info module provided for [winnet.local] !!
(Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [ad_dyndns_nsupdate_done] (0x0040): DNS update finished
Gesendet: Sonntag, 24. August 2014 um 23:42 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
On Sun, 2014-08-24 at 23:40 +0200, Markus Roth wrote:
> oh sorry my mistake :-) i mean sss but after i restart named, samba4, sssd and dhcpd and clear the sssd cache i don't get the AD users via getent passwd.
> Should i do other links like the winbind configuration?
No, there are none.
stop sssd and post the output of:
sssd -i -d3
steve
> oh sorry my mistake :-) i mean sss but after i restart named, samba4, sssd and dhcpd and clear the sssd cache i don't get the AD users via getent passwd.
> Should i do other links like the winbind configuration?
No, there are none.
stop sssd and post the output of:
sssd -i -d3
Markus Roth
Should i do other links like the winbind configuration?
Gesendet: Sonntag, 24. August 2014 um 23:32 Uhr
Von: steve <st...@steve-ss.com>
An: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
steve
> Hi Steve,
>
> the output is:
>
> (Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No SUDO module provided for [winnet.local] !!
> (Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No autofs module provided for [winnet.local] !!
> (Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No selinux module provided for [winnet.local] !!
> (Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No host info module provided for [winnet.local] !!
> (Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
> (Sun Aug 24 23:44:44 2014) [sssd[be[winnet.local]]] [ad_dyndns_nsupdate_done] (0x0040): DNS update finished
OK. That's what we thought. One more time: which method have you chosen
for the dns updates? In the last post you said Rowland's script. Here
you are using sssd. OTOH, this could be how sssd responds even when dns
updates are disabled. Sorry, not near a domain ATM. Please check
sssd.conf
Markus Roth
yes i would take the script from Rowland with the winbind implementation. But for interest i would also learn the sssd implementation. Is this correct that i also should see the AD-Users with getent passwd like the winbind implementation?
Oh sorry in my sssd.conf the dns updates are still disabled for the last tests with rowlands script :-)
Gesendet: Montag, 25. August 2014 um 08:06 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: Aw: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
steve
> Hi Steve,
>
>
> Oh sorry in my sssd.conf the dns updates are still disabled for the last tests with rowlands script :-)
Markus Roth
ok so we have the problem :-) i can't see the AD-Users. I think some entries are missing in the sssd.conf? Here my configurations:
sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = winnet.local
[nss]
[pam]
[domain/winnet.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
dyndns_update = True
nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
the links from rowlands configuration for winbind are still active.
Gesendet: Montag, 25. August 2014 um 18:17 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
steve
> Hi Steve,
>
>
> sssd.conf
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = winnet.local
> [nss]
> [pam]
> [domain/winnet.local]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> ldap_id_mapping = False
> dyndns_update = True
>
> nsswitch.conf
>
> passwd: files sss
> shadow: files sss
> group: files sss
>
> the links from rowlands configuration for winbind are still active.
send the output
disable nscd
rm /var/lib/sss/db/*
sssd -i -d3
then on another terminal:
getent passwd <a-domain-user>
send the output from the first terminal
Rowland Penny
> Hi Steve,
>
>
> sssd.conf
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = winnet.local
> [nss]
> [pam]
> [domain/winnet.local]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> ldap_id_mapping = False
'ldap_id_mapping = False' to 'ldap_id_mapping = True', then restart sssd.
Rowland
Markus Roth
i don't know if i stored the shadow passwd in ad :-\ i think in on of our last mails i sould set this in the nsswitch.conf?
@Rowland
i changed ldap_id_mapping on true but with no result
@Steve
for the commands i get the following:
[root@server1 run]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 server1$@WINNET.LOCAL
1 server1$@WINNET.LOCAL
1 server1$@WINNET.LOCAL
1 server1$@WINNET.LOCAL
1 server1$@WINNET.LOCAL
[root@server1 run]# sssd -i -d3
(Mon Aug 25 22:15:04:201426 2014) [sssd] [server_setup] (0x0010): Error creating pidfile: /var/run/sssd! (17 [File exists])
[root@server1 run]# rm -dfr sssd.pid
[root@server1 run]# sssd -i -d3
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No SUDO module provided for [winnet.local] !!
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No autofs module provided for [winnet.local] !!
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No selinux module provided for [winnet.local] !!
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No host info module provided for [winnet.local] !!
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [sdap_async_sys_connect_done] (0x0020): connect failed [111][Verbindungsaufbau abgelehnt].
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [ad_get_client_site_connect_done] (0x0080): Unable to connect to domain controller [server1.winnet.local:389]
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [sdap_async_sys_connect_done] (0x0020): connect failed [111][Verbindungsaufbau abgelehnt].
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Eingabe-/Ausgabefehler])
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Mon Aug 25 22:15:21 2014) [sssd[be[winnet.local]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Mon Aug 25 22:15:21 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.
(Mon Aug 25 22:15:21 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/group.
(Mon Aug 25 22:18:40 2014) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sdap_async_sys_connect_done] (0x0020): connect failed [111][Verbindungsaufbau abgelehnt].
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [ad_get_client_site_connect_done] (0x0080): Unable to connect to domain controller [server1.winnet.local:389]
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sdap_async_sys_connect_done] (0x0020): connect failed [111][Verbindungsaufbau abgelehnt].
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sdap_async_sys_connect_done] (0x0020): connect failed [111][Verbindungsaufbau abgelehnt].
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Eingabe-/Ausgabefehler])
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
(Mon Aug 25 22:18:40 2014) [sssd[be[winnet.local]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
(Mon Aug 25 22:18:40 2014) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 11, Internal Error (Maximale Anzahl an Versuchen für den Dienst erreicht)
Will try to return what we have in cache
(Mon Aug 25 22:18:40 2014) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Gesendet: Montag, 25. August 2014 um 19:52 Uhr
steve
> Hi Steve, hi Rowland,
>
> i don't know if i stored the shadow passwd in ad :-\ i think in on of our last mails i sould set this in the nsswitch.conf?
>
> @Rowland
> i changed ldap_id_mapping on true but with no result
>
> @Steve
> for the commands i get the following:
>
> [root@server1 run]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 server1$@WINNET.LOCAL
> 1 server1$@WINNET.LOCAL
> 1 server1$@WINNET.LOCAL
> 1 server1$@WINNET.LOCAL
> 1 server1$@WINNET.LOCAL
> [root@server1 run]# sssd -i -d3
> (Mon Aug 25 22:15:04:201426 2014) [sssd] [server_setup] (0x0010): Error creating pidfile: /var/run/sssd! (17 [File exists])
> [root@server1 run]# rm -dfr sssd.pid
> [root@server1 run]# sssd -i -d3
> (Mon Aug 25 22:15:21 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.
> (Mon Aug 25 22:18:40 2014) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
add:
ad_hostname server1.winnet.local
ad_server server1.winnet.local
to the domain/ section of sssd.conf
and sssd -i -d3 again
If still nothing please post outputs for:
host server1.winnet.local
ping server1
hostname -d
hostname -f
hostname -s
The log of the DC when you start sssd:
easier to start samba as:
samba -i -d3
and watch live
The contents of:
/etc/hosts
/etc/hostname
HTH,
Steve
Markus Roth
ok, here we go :-)
after i added the two lines in sssd.conf i get:
[root@server1 run]# sssd -i -d3
(Mon Aug 25 23:22:48:345405 2014) [sssd] [server_setup] (0x0010): Error creating pidfile: /var/run/sssd! (17 [File exists])
[root@server1 run]# rm -dfr /var/run/sssd.pid
[root@server1 run]# sssd -i -d3
(Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No SUDO module provided for [winnet.local] !!
(Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No autofs module provided for [winnet.local] !!
(Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No selinux module provided for [winnet.local] !!
(Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No host info module provided for [winnet.local] !!
(Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Aug 25 23:23:00 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.
(Mon Aug 25 23:23:00 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/group.
(Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [ad_dyndns_nsupdate_done] (0x0040): DNS update finished
-----------------------------------------------------------------------------------------------------------------------------------
[root@server1 run]# host server1.winnet.local
server1.winnet.local has address 192.168.178.130
[root@server1 run]# ping server1
PING server1 (192.168.178.130) 56(84) bytes of data.
64 bytes from server1 (192.168.178.130): icmp_seq=1 ttl=64 time=0.040 ms
64 bytes from server1 (192.168.178.130): icmp_seq=2 ttl=64 time=0.046 ms
64 bytes from server1 (192.168.178.130): icmp_seq=3 ttl=64 time=0.039 ms
[root@server1 run]# hostname -d
[root@server1 run]# hostname -f
server1
[root@server1 run]# hostname -s
server1
-----------------------------------------------------------------------------------------------------------------------------------
Aug 25 23:35:16 server1 samba[15291]: [2014/08/25 23:35:16.725551, 0] ../source4/smbd/server.c:370(binary_smbd_main)
Aug 25 23:35:16 server1 samba[15291]: samba version 4.1.11 started.
Aug 25 23:35:16 server1 samba[15291]: Copyright Andrew Tridgell and the Samba Team 1992-2013
Aug 25 23:35:16 server1 samba4: Starting samba4: [ OK ]
Aug 25 23:35:16 server1 systemd: Started LSB: start and stop samba4.
Aug 25 23:35:17 server1 samba[15292]: [2014/08/25 23:35:17.282959, 0] ../source4/smbd/server.c:488(binary_smbd_main)
Aug 25 23:35:17 server1 samba[15292]: samba: using 'standard' process model
Aug 25 23:35:17 server1 samba[15292]: [2014/08/25 23:35:17.295902, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Aug 25 23:35:17 server1 smbd[15296]: [2014/08/25 23:35:17.558980, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Aug 25 23:35:24 server1 systemd: Starting System Security Services Daemon...
Aug 25 23:35:24 server1 sssd: Starting up
Aug 25 23:35:24 server1 sssd[be[winnet.local]]: Starting up
Aug 25 23:35:24 server1 sssd[nss]: Starting up
Aug 25 23:35:24 server1 sssd[pam]: Starting up
Aug 25 23:35:24 server1 systemd: Started System Security Services Daemon.
Aug 25 23:35:24 server1 named[12755]: samba_dlz: starting transaction on zone winnet.local
Aug 25 23:35:24 server1 named[12755]: samba_dlz: allowing update of signer=server1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=3076625766.sig-server1.winnet.local/160/0
Aug 25 23:35:24 server1 named[12755]: client 192.168.178.130#35678/key server1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
Aug 25 23:35:24 server1 named[12755]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
Aug 25 23:35:24 server1 named[12755]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 67 900 600 86400 0'
Aug 25 23:35:24 server1 named[12755]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 68 900 600 86400 0'
Aug 25 23:35:24 server1 named[12755]: samba_dlz: committed transaction on zone winnet.local
Aug 25 23:35:24 server1 named[12755]: samba_dlz: starting transaction on zone winnet.local
Aug 25 23:35:24 server1 named[12755]: samba_dlz: allowing update of signer=server1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1651992907.sig-server1.winnet.local/160/0
Aug 25 23:35:24 server1 named[12755]: client 192.168.178.130#55338/key server1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
Aug 25 23:35:24 server1 named[12755]: samba_dlz: committed transaction on zone winnet.local
Aug 25 23:35:24 server1 named[12755]: samba_dlz: starting transaction on zone winnet.local
Aug 25 23:35:24 server1 named[12755]: samba_dlz: allowing update of signer=server1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=1121994789.sig-server1.winnet.local/160/0
Aug 25 23:35:24 server1 named[12755]: client 192.168.178.130#46781/key server1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
Aug 25 23:35:24 server1 named[12755]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
Aug 25 23:35:24 server1 named[12755]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 68 900 600 86400 0'
Aug 25 23:35:24 server1 named[12755]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 69 900 600 86400 0'
Aug 25 23:35:24 server1 named[12755]: samba_dlz: committed transaction on zone winnet.local
Aug 25 23:35:24 server1 named[12755]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 25 23:35:24 server1 named[12755]: samba_dlz: allowing update of signer=server1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=651940748.sig-server1.winnet.local/160/0
Aug 25 23:35:24 server1 named[12755]: samba_dlz: allowing update of signer=server1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=651940748.sig-server1.winnet.local/160/0
Aug 25 23:35:24 server1 named[12755]: client 192.168.178.130#43966/key server1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
Aug 25 23:35:24 server1 named[12755]: samba_dlz: subtracted rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
Aug 25 23:35:24 server1 named[12755]: client 192.168.178.130#43966/key server1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
Aug 25 23:35:24 server1 named[12755]: samba_dlz: added rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
Aug 25 23:35:24 server1 named[12755]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
-----------------------------------------------------------------------------------------------------------------------------------
27.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.178.130 server1 server1.winnet.local
-----------------------------------------------------------------------------------------------------------------------------------
hostname shows:
server1.winnet.local
Gesendet: Montag, 25. August 2014 um 23:15 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
steve
> hi steve,
>
> ok, here we go :-)
>
> after i added the two lines in sssd.conf i get:
>
> [root@server1 run]# sssd -i -d3
> (Mon Aug 25 23:22:48:345405 2014) [sssd] [server_setup] (0x0010): Error creating pidfile: /var/run/sssd! (17 [File exists])
> [root@server1 run]# rm -dfr /var/run/sssd.pid
> [root@server1 run]# sssd -i -d3
> (Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No SUDO module provided for [winnet.local] !!
> (Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No autofs module provided for [winnet.local] !!
> (Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No selinux module provided for [winnet.local] !!
> (Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No host info module provided for [winnet.local] !!
> (Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
> (Mon Aug 25 23:23:00 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.
> (Mon Aug 25 23:23:00 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/group.
> (Mon Aug 25 23:23:00 2014) [sssd[be[winnet.local]]] [ad_dyndns_nsupdate_done] (0x0040): DNS update finished
>
Did you try getent passwd <domain-user> ?
>
> [root@server1 run]# host server1.winnet.local
> server1.winnet.local has address 192.168.178.130
>
> [root@server1 run]# ping server1
> PING server1 (192.168.178.130) 56(84) bytes of data.
> 64 bytes from server1 (192.168.178.130): icmp_seq=1 ttl=64 time=0.040 ms
> 64 bytes from server1 (192.168.178.130): icmp_seq=2 ttl=64 time=0.046 ms
> 64 bytes from server1 (192.168.178.130): icmp_seq=3 ttl=64 time=0.039 ms
>
> [root@server1 run]# hostname -d
ad_domain winnet.local
to the domain section of sssd.conf
> [root@server1 run]# hostname -f
> server1
server1.winnet.local here but let's ignore that for now.
ticket is being requested and which hostname is being sent.
>
> 27.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> 192.168.178.130 server1 server1.winnet.local
>
> -----------------------------------------------------------------------------------------------------------------------------------
>
127.0.0.1 localhost
192.168.178.130 server1.winnet.local server1
> hostname shows:
>
> server1.winnet.local
change it to:
server1
Restart everything and go through the previous post again.
Oh, and don't forget to test the getent command;)
We'll be offline now 'til 06:00 CEST, so,
Cheers and good luck
Markus Roth
thanks a lot :-) I will try that tomorrow and give you the status :-) This environment is still a test. When i get sssd also working like the winbind configuration i will create the productive environment.
Gesendet: Dienstag, 26. August 2014 um 00:07 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
Markus Roth
so i'm at home :-) I hope you had a good day and better weather than in germany :-) I added the ad_domain option and changed the /etc/hosts and /etc/hostname. getent passwd shows no AD-users :-(
Now i get the following:
[root@server1 var]# host server1.winnet.local
server1.winnet.local has address 192.168.178.130
[root@server1 var]# ping server1
PING server1.winnet.local (192.168.178.130) 56(84) bytes of data.
64 bytes from server1.winnet.local (192.168.178.130): icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from server1.winnet.local (192.168.178.130): icmp_seq=2 ttl=64 time=0.047 ms
64 bytes from server1.winnet.local (192.168.178.130): icmp_seq=3 ttl=64 time=0.029 ms
^C
--- server1.winnet.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.018/0.031/0.047/0.012 ms
[root@server1 var]# hostname -d
winnet.local
[root@server1 var]# hostname -f
server1.winnet.local
[root@server1 var]# hostname -s
server1
sssd-log:
[root@server1 var]# sssd -i -d3
(Tue Aug 26 19:50:25 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No SUDO module provided for [winnet.local] !!
(Tue Aug 26 19:50:25 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0080): No autofs module provided for [winnet.local] !!
(Tue Aug 26 19:50:25 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No selinux module provided for [winnet.local] !!
(Tue Aug 26 19:50:25 2014) [sssd[be[winnet.local]]] [be_process_init] (0x0020): No host info module provided for [winnet.local] !!
(Tue Aug 26 19:50:25 2014) [sssd[be[winnet.local]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Aug 26 19:50:25 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.
(Tue Aug 26 19:50:25 2014) [sssd[nss]] [sss_mc_create_file] (0x0010): Failed to lock file /var/lib/sss/mc/group.
(Tue Aug 26 19:50:25 2014) [sssd[be[winnet.local]]] [ad_dyndns_nsupdate_done] (0x0040): DNS update finished
Gesendet: Dienstag, 26. August 2014 um 00:07 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
steve
touch /var/lib/sss/mc/passwd /var/lib/sss/mc/group
restart sssd
There should be no dns updates Please post sssd.conf
Markus Roth
ok i deactivate the dns_update flag in the sssd.conf and did the rm and touch command, but no AD-users with getent passwd. Here is my sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = winnet.local
[nss]
[pam]
[domain/winnet.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
dyndns_update = False
ad_hostname = server1.winnet.local
ad_server = server1.winnet.local
ad_domain = winnet.local
Gesendet: Dienstag, 26. August 2014 um 20:16 Uhr
steve
> Hi Steve,
>
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = winnet.local
> [nss]
> [pam]
> [domain/winnet.local]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> ldap_id_mapping = False
> dyndns_update = False
> ad_hostname = server1.winnet.local
> ad_server = server1.winnet.local
> ad_domain = winnet.local
uidNumber:
gidNumber:
attributes filled in for your domain users?
Markus Roth
no not manual. I have only done the ./samba-tool domain provision command and then i added the dhcpduser with Rowloands howto. Should i filled in these numbers and if it's so where can i do that?
Gesendet: Mittwoch, 27. August 2014 um 13:35 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
steve
> Hi Steve,
>
>
ldbmodify
Cheers,
Steve
Markus Roth
ok i'm a litte bit confused again :-) how can i do that with ldbmodify? I found something on the samba-wiki https://wiki.samba.org/index.php/Samba4/LDBIntro but i don't know which syntax is correct for me.
Gesendet: Mittwoch, 27. August 2014 um 21:32 Uhr
steve
> Hi Steve,
>
>
favourite editor:
ldbedit -e your-fave-editor --url=/path/to/samba/private/sam.ldb
cn=markus
where markus is a domain user. It doesn't have to be markus, but it has
to be a user you added with samba-tool or with ADUC.
Oh, and I'm a little confused. You say you have getent working with
winbind with idmap_ad so you must aready have the required attributes.
Could your post smb.conf again, just to make sure and also the output
from the ldbedit
HTH,
Steve
>
>
> Gesendet: Mittwoch, 27. August 2014 um 21:32 Uhr
Markus Roth
yes you're right. With the winbind howto from rowland i had the ad-users via getent passwd.
ldbedit output for example with the dhcpduser:
# editing 1 records
# record 1
dn: CN=dhcpduser,CN=Users,DC=winnet,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: dhcpduser
instanceType: 4
whenCreated: 20140824200551.0Z
uSNCreated: 3963
name: dhcpduser
objectGUID: 97cb6821-18b4-47cf-a6d9-5f73ffa1793e
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-604854294-2647735964-1380626919-1107
logonCount: 0
sAMAccountName: dhcpduser
sAMAccountType: 805306368
userPrincipalName: dhcp...@winnet.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=winnet,DC=local
pwdLastSet: 130533843510000000
memberOf: CN=DnsAdmins,CN=Users,DC=winnet,DC=local
userAccountControl: 66048
accountExpires: 0
whenChanged: 20140824200700.0Z
uSNChanged: 3967
distinguishedName: CN=dhcpduser,CN=Users,DC=winnet,DC=local
smb.conf:
# Global parameters
[global]
workgroup = WINNET
realm = WINNET.LOCAL
netbios name = SERVER1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
--------------------------------------------------------------------------------------------------------------------------
Gesendet: Donnerstag, 28. August 2014 um 10:02 Uhr
HTH,
Steve
> > instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]
steve
> Hi Steve,
>
does not have any, so sssd without idmapping sssd will return nothing
with getent.
example, I'll use steve2 as an example domain user.
1. add to Domian Users:
gidNumber: 20513
2. wbinfo -i steve2
wbinfo -i steve2
HH3\steve2:*:3000021:100::/home/HH3/steve2:/bin/false
3. Add to steve2:
uidNumber: 3000021
gidNumber: 20513
For steps 1 and 3, use ldbedit.
getent will now work with the configuration which you posted for sssd.
It would be a really good exercise to work out why.
HTH,
Steve
Markus Roth
i'm sorry but i don't get the AD-Users with getent passwd :-( Do i have any mistakes?
My steps:
1.)
/usr/local/samba/bin/ldbedit -e vi --url=/usr/local/samba/private/sam.ldb cn=Users
add gidNumber: 20513
2.)
wbinfo -i dhcpduser shows:
WINNET\dhcpduser:*:3000021:100::/home/WINNET/dhcpduser:/bin/false
3.)
/usr/local/samba/bin/ldbedit -e vi --url=/usr/local/samba/private/sam.ldb cn=dhcpduser
add gidNumber: 20513
add uidNumber: 3000021
the whole content for Users:
# editing 2 records
# record 1
dn: CN=Users,CN=Builtin,DC=winnet,DC=local
objectClass: top
objectClass: group
cn: Users
description: Users are prevented from making accidental or intentional system-
wide changes and can run most applications
member: CN=Domain Users,CN=Users,DC=winnet,DC=local
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=winnet,DC=local
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=winnet,DC=local
instanceType: 4
whenCreated: 20140816212553.0Z
uSNCreated: 3563
name: Users
objectGUID: b61e428b-dfb4-490a-b784-1e4759e798ee
objectSid: S-1-5-32-545
sAMAccountName: Users
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=winnet,DC=local
isCriticalSystemObject: TRUE
gidNumber: 20513
whenChanged: 20140828200706.0Z
uSNChanged: 4167
distinguishedName: CN=Users,CN=Builtin,DC=winnet,DC=local
# record 2
dn: CN=Users,DC=winnet,DC=local
objectClass: top
objectClass: container
cn: Users
instanceType: 4
whenCreated: 20140816212553.0Z
whenChanged: 20140816212553.0Z
uSNCreated: 3372
name: Users
objectGUID: 4c691f0a-e2b2-4110-95bc-a5d4a67060c1
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=winnet,DC=local
description: Default container for upgraded user accounts
systemFlags: -1946157056
isCriticalSystemObject: TRUE
showInAdvancedViewOnly: FALSE
the whole content for the dhcpduser
gidNumber: 20513
uidNumber: 3000021
whenChanged: 20140828200805.0Z
uSNChanged: 4168
distinguishedName: CN=dhcpduser,CN=Users,DC=winnet,DC=local
my sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = winnet.local
[nss]
[pam]
[domain/winnet.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
dyndns_update = False
ad_hostname = server1.winnet.local
ad_server = server1.winnet.local
ad_domain = winnet.local
Gesendet: Donnerstag, 28. August 2014 um 21:35 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
steve
> Hi Steve,
>
>
> My steps:
>
> 1.)
> /usr/local/samba/bin/ldbedit -e vi --url=/usr/local/samba/private/sam.ldb cn=Users
Hi
Markus, please understand that we are trying to add gidNumber to your
domain group "Domain Users" (please use quotes as there is a space in
Domain Users).
>
> add gidNumber: 20513
ldbedit --url=/usr/local/samba/private/sam.ldb cn="Domain Users"
Now, go back and remoce gidNumber from Users and add it to Doamin Users
instead.
Now it will work. . .
Markus Roth
oh, sorry my mistake :-( i have deleted the gidNumber from the users group and added it to the Domain Users group. Then i restart samba4, delete the sssd-cache and restarted sssd, but
i don't get the AD-Users via getent passwd :-( I don't know why...
Below the output from Domain Users, dhcpduser and getent passwd:
Domain Users:
# editing 1 records
# record 1
dn: CN=Domain Users,CN=Users,DC=winnet,DC=local
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20140816212553.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: aeaa3a43-89a0-4e3d-ae4a-3e9639256ddc
objectSid: S-1-5-21-604854294-2647735964-1380626919-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=winnet,DC=local
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=winnet,DC=local
gidNumber: 20513
whenChanged: 20140829170733.0Z
uSNChanged: 4172
distinguishedName: CN=Domain Users,CN=Users,DC=winnet,DC=local
dhcpduser:
# editing 1 records
# record 1
dn: CN=dhcpduser,CN=Users,DC=winnet,DC=local
cn: dhcpduser
instanceType: 4
whenCreated: 20140824200551.0Z
uSNCreated: 3963
name: dhcpduser
objectGUID: 97cb6821-18b4-47cf-a6d9-5f73ffa1793e
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-604854294-2647735964-1380626919-1107
logonCount: 0
sAMAccountName: dhcpduser
sAMAccountType: 805306368
userPrincipalName: dhcp...@winnet.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=winnet,DC=local
pwdLastSet: 130533843510000000
memberOf: CN=DnsAdmins,CN=Users,DC=winnet,DC=local
userAccountControl: 66048
accountExpires: 0
gidNumber: 20513
uidNumber: 3000021
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
whenChanged: 20140828211144.0Z
"/tmp/ldbedit.kwLixh" 37L, 950C
getent passwd:
[root@server1 ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
unbound:x:998:997:Unbound DNS resolver:/etc/unbound:/sbin/nologin
colord:x:997:996:User for colord:/var/lib/colord:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
saslauth:x:996:76:"Saslauthd user":/run/saslauthd:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
libstoragemgmt:x:995:994:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
chrony:x:994:993::/var/lib/chrony:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:993:991::/run/gnome-initial-setup/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
verwaltung:x:1000:1000:verwaltung:/home/verwaltung:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
getent passwd dhcpduser
[root@server1 ~]# getent passwd dhcpduser
dhcpduser:*:3000021:20513:dhcpduser:/:
Gesendet: Freitag, 29. August 2014 um 09:28 Uhr
Von: steve <st...@steve-ss.com>
An: "Markus Roth" <markusr...@gmx.net>
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zoneable
Rowland Penny
> Hi Steve,
>
update script and as such, this user should never be used as a normal
user, secondly you do not need the 'posixAccount' objectClass.
Rowland
Markus Roth
i wouldn't use the dhcpduser as a normal user. But when i'd like to use your dhcp-script with sssd i thougt i take this one, because when i would see the dhcpduser with getent passwd your script is
working again.
i know that with the posixaccounts from the samba wiki yesterday, but i'm hopless know and thougt i try it...
I set enumerate = false in the [domain/winnet.local] section, stop sssd, delete the sssd-cache and start sssd. Unfortunately the same problem :-(
should i post my configs again? Or could it be that the problem occurs from my centos7? I installed sssd with the packet manager yum. In this case it also installed separate samba4-libs.
Is this a problem?
>Hi, two things, you created 'dhcpduser' as the user for my Bind9/DHCP
>update script and as such, this user should never be used as a normal
>user, secondly you do not need the 'posixAccount' objectClass.
>
>
>
instructions: https://lists.samba.org/mailman/options/samba[https://lists.samba.org/mailman/options/samba]