[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC

Jeff Sadowski
May 18, 2016, 12:20:04 PM
So I had dhcp, radvd and bind working together nicely, and now I have thrown
in a wrench by setting up an AD DC.

I want to change my dhcp server settings to put clients into the new AD
domain, but I am a little hesitant as it is all working so nicely with DDNS.

I'm starting to think all I need to do is edit just my dhcpd.conf and
change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD,
do a little touch-up of db.self, and comment out (and eventually remove)
the DOMAIN1 entries, as everything is working as I like.

My concern is moving from

    allow-update { key rndc-key; };
    notify yes;

to

    update-policy {
        grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
        grant Admini...@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
    };

The latter was produced when I created the domain, in the example configs
that I copied into mine.
I think what that is saying is to let the domain controller, by name, have
access to the domain's entries.
I'm a little concerned about verification, as I know the key method is safe
and I'm not so sure about the grant method.

Is there a way to have samba use ISC's key method?
Anyone have any suggestions?

My current setup is as below.

My server name is the same as DOMAIN2. It has an IPv4 address of 192.168.1.1
and an IPv6 address of fc00:1::1111:1111:1111:1111.
Its outside addresses are DHCP from my ISP; I do IP masquerade on both IPv4
and IPv6.


My dhcpd.conf looks as follows:
#================START=======================
ddns-updates on;
ddns-update-style interim;
ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;
option domain-search-order code 119 = string;
include "/etc/rndc.key";
zone DOMAIN1.SUBDOMAIN.TLD {
    primary 192.168.1.1;
    key rndc-key;
}
zone 1.168.192.in-addr.arpa. {
    primary 192.168.1.1;
    key rndc-key;
}
default-lease-time 100000;
max-lease-time 1000000;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
    option domain-name-servers 192.168.1.1;
    option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
    next-server 192.168.1.1;
    filename "/pxelinux.0";
    allow unknown-clients;
}
#================END=========================

My radvd.conf looks like so:
#================START=======================
interface eth0
{
    AdvSendAdvert on;
    prefix fc00:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS fc00:1::1111:1111:1111:1111 {};
};
#================END=========================

My named.conf after adding my samba looks like so:
#================START=======================
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.1.0/16; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
    type master;
    file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
    allow-update { key rndc-key; };
    notify yes;
};
zone "DOMAIN1.SUBDOMAIN.TLD" IN {
    type master;
    file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
    allow-update { key rndc-key; };
    notify yes;
};
zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
    type master;
    file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
    update-policy {
        grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
        grant Admini...@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
    };
    check-names ignore;
};
zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
#================END=========================

Content of db.self (the SOA MNAME needs the trailing dot, like the NS record,
or it is taken as relative to the zone origin):
#================START=======================
$TTL 604800 ; 1 week
@   IN  SOA ns.DOMAIN1.SUBDOMAIN.TLD. MY.EMAIL. (
            2014092401 ; serial
            604800     ; refresh (1 week)
            86400      ; retry (1 day)
            2419200    ; expire (4 weeks)
            604800     ; minimum (1 week)
            )
        NS  ns.DOMAIN1.SUBDOMAIN.TLD.
@   IN  A   192.168.1.252
@   IN  MX  10 DOMAIN2.SUBDOMAIN.TLD.
@   IN  TXT "v=spf1 mx a -all"
#================END=========================

My smb.conf looks like:
#================START=======================
[global]
    netbios name = DOMAIN2
    realm = AD.DOMAIN2.SUBDOMAIN.TLD
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = AD
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
[netlogon]
    path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
    read only = No
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
#================END=========================


My krb5.conf looks like:
#================START=======================
[libdefaults]
    default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
    dns_lookup_realm = false
    dns_lookup_kdc = true
#================END=========================
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mathias dufresne
May 23, 2016, 12:40:05 PM
Hi,

Why modify a working conf when you can build your DC on other systems
(VMs)? That could be really nice to learn, but you add a lot of complexity to
your process, I think.
Why not use DLZ to access your AD zones? I expect Bind to be able to mix
its behaviour: flat files for some zones, DLZ for others...

Now regarding:

    update-policy {
        grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
        grant Admini...@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
    };

For me this means:

    grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;

Grant any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) the right
to modify the A and AAAA records it owns (ms-self), from any host (*).

    grant Admini...@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;

Grant the administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD the right to do
anything to any A, AAAA, SRV or CNAME record, from any host.

Same for the last one.

I'm really a newcomer to the DNS world; these thoughts come from
http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm

These lines should make your Bind use Kerberos. At least I do hope the
authentication is Kerberos (that's AD!). If it is Kerberos authentication,
I expect you can rely on it, as almost the whole world relies on Kerberos
these days : )

A last thing regarding ISC's key method:
https://bugzilla.samba.org/show_bug.cgi?id=11520
I don't mean this bug has something to do with what you want to achieve;
simply, it could be a good thing to read if you understand anything about
ISC's key method (which I don't). Perhaps you could find some leads to follow
or some information to avoid that configuration.

Sorry not to help more. Have a nice day,

mathias

Jeff Sadowski
May 27, 2016, 9:50:04 AM
I had left my config alone for now, and dhcp still writes to
DOMAIN1.SUBDOMAIN.TLD. But samba has been complaining about not being able
to write to bind in its zone:

    [2016/05/27 07:30:06.738434, 0]
    ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
    ../source4/dsdb/dns/dns_update.c:295: Failed DNS update -
    NT_STATUS_UNSUCCESSFUL

If you are right about it using Kerberos, I think I am missing a bit more
configuration to allow bind to use Kerberos. I have a place for it to use
the key, but nothing in it about Kerberos and how to verify that.


Rowland penny
May 27, 2016, 11:30:02 AM
You are going about this the wrong way: you do not set up dhcp and bind and
then add a Samba4 AD DC; you set up the AD DC with bind9 and then add the
dhcp server.

Rowland

Jeff Sadowski
May 27, 2016, 12:20:03 PM
https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
helped me find that I needed to add:

    options {
        [...]
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        [...]
    };

That seems to have fixed my errors with DNS.
You're right; now I will try adding dhcp to that same rule set.


Rowland penny
May 27, 2016, 12:30:04 PM
I will give you a few hints: 'on commit' 'on release' and 'on expiry' :-)

Rowland

PS: if you get stuck, I could always tell you how I have been doing it
for nearly 4 years.

Jeff Sadowski
May 27, 2016, 1:10:03 PM
This page http://www.zytrax.com/books/dns/ch9/dhcp.html makes it seem
that I can replace

    allow-update {key "ddns-a-rrs";}; # allowed key

with

    update-policy {grant "ddns-a-ptr" self * A TXT DHCID;};

so I just added "grant rndc-key self * A TXT DHCID;" to my update policy.


Rowland penny
May 27, 2016, 1:20:03 PM
What about the reverse zone?

Anyway, what do I know; as I said, I have only been using Samba4, Bind9
and dhcp for nearly 4 years without major incident. I have seen plenty
of others with problems, but my system has been rock solid, so obviously
I don't know what I am doing :-)

Rowland
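Rowland's hints earlier in the thread ('on commit', 'on release', 'on expiry') are dhcpd.conf event hooks, and his last question is about the reverse zone. The following is an added example, not code from the thread or from the Samba project: a helper such a hook can execute, which takes a Kerberos ticket from the DC's dns.keytab and lets samba-tool add or delete the A record and its PTR, so dhcpd itself needs neither a TSIG key nor a grant in the AD zone's update-policy. The script path, the dns-DOMAIN2 principal and the DRY_RUN switch are assumptions, and it handles IPv4 only.

```shell
#!/bin/sh
# Added example: helper invoked from dhcpd.conf event hooks, so the DHCP
# server never needs write access to the AD zone; the update is made with
# samba-tool after a Kerberos login from the DC's DNS keytab.
# The dhcpd.conf stanza assumed to call it (use "delete" on release/expiry):
#   on commit {
#     set clip = binary-to-ascii(10, 8, ".", leased-ip-address);
#     set clhost = pick-first-value(option host-name, host-decl-name, "");
#     execute("/usr/local/sbin/dhcp-ad-dns.sh", "add", clip, clhost);
#   }
ZONE="ad.DOMAIN2.SUBDOMAIN.TLD"                  # forward zone from the thread
KEYTAB="/usr/local/samba/private/dns.keytab"     # path from the tkey-gssapi-keytab line
DNSPRINC="dns-DOMAIN2@AD.DOMAIN2.SUBDOMAIN.TLD"  # assumed keytab principal
DNSSERVER="192.168.1.1"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the samba-tool commands instead of running them

# 192.168.1.50 -> 50.1.168.192.in-addr.arpa (owner name in the reverse zone)
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Accept only a plain DNS label from the client-supplied hostname, so a
# crafted DHCP host-name cannot turn into extra arguments or odd owner names.
valid_host() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# update_rr add|delete ZONE NAME TYPE DATA
update_rr() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'samba-tool dns %s %s %s %s %s %s -k yes\n' "$1" "$DNSSERVER" "$2" "$3" "$4" "$5"
    else
        samba-tool dns "$1" "$DNSSERVER" "$2" "$3" "$4" "$5" -k yes
    fi
}

# main add|delete IP HOSTNAME: forward A record plus the matching PTR
main() {
    action="$1"; ip="$2"; host="$3"
    case "$action" in add|delete) ;; *) echo "usage: $0 add|delete IP HOSTNAME" >&2; return 2 ;; esac
    valid_host "$host" || { echo "rejecting hostname '$host'" >&2; return 2; }
    ptr=$(reverse_name "$ip")
    # Ticket for the DNS service principal; no shared TSIG secret is involved.
    [ "$DRY_RUN" = "1" ] || kinit -k -t "$KEYTAB" "$DNSPRINC" || return 1
    update_rr "$action" "$ZONE" "$host" A "$ip" &&
        update_rr "$action" "${ptr#*.}" "${ptr%%.*}" PTR "$host.$ZONE."
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run with DRY_RUN=1 first to see exactly which records a lease event would touch before wiring the script into dhcpd.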