
[Samba] Does automatic DNS PTR generation in Samba4 AD DC work at all?


Sven Geggus

Mar 5, 2014, 4:30:02 AM
Hello,

I'm currently running a test setup with the Samba4 internal DNS (version 4.1.5
from Debian backports) and 2 clients (one Linux and one Windows).

Everything seems to work so far.

However, I do not manage to get automatic PTR generation working. I'm using
the internal DNS at the moment, but I wouldn't mind changing to bind if
this will make it work.

While reverse DNS seems to work with manually generated entries (from Windows
DNS Manager; samba-tool does not work for this either), the automatic
generation does not seem to work.

When trying to trigger generation in mmc it tells me that the entry already
exists.

Is this a known issue?

Regards

Sven

--
Despite the increasing spread of Linux, the bear, and, thanks to Knut, the
polar bear in particular, enjoys considerably greater popularity than the
penguin. (Found at http://telepolis.de/)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Daniel Müller

Mar 5, 2014, 4:40:02 AM
Hello again,

To make reverse DNS work on the fly with Samba 4.1 you just have to create the reverse lookup zone with samba-tool, e.g.:
samba-tool dns zonecreate your-samba-dns-server 135.168.192.in-addr.arpa.
Then every client that registers will automatically get a reverse entry.
If you do it by hand, the automatic DNS update of the client will be denied, as your log files will show, and will not succeed.

IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: mue...@tropenklinik.de
Web: www.tropenklinik.de
"Man is the medicine of man"

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On behalf of Sven Geggus
Sent: Wednesday, 5 March 2014 10:21
To: sa...@lists.samba.org
Subject: [Samba] Does automatic DNS PTR generation in Samba4 AD DC work at all?

steve

Mar 5, 2014, 5:20:02 AM
On Wed, 2014-03-05 at 10:31 +0100, Daniel Müller wrote:
> Hello again,

> samba-tool dns zonecreate your-samba-dns-server 135.168.192.in-addr.arpa.
> Then every client that register will auto get a reverse entry.

Not for Linux clients. The easiest way to get secure dns updates against
AD from Linux clients is via sssd:

dyndns_update = True
dyndns_update_ptr = True

They then behave as windows clients wrt dns.
HTH,
Steve
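For readers who want the Linux client to behave as a Windows member does for DNS, here is a complete sssd.conf built around the two options Steve names. It is an added example, not from Steve's post or from the sssd project; the domain name, realm and service list are placeholder assumptions.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = samdom.example.com

[domain/samdom.example.com]
id_provider = ad
access_provider = ad
ad_domain = samdom.example.com
krb5_realm = SAMDOM.EXAMPLE.COM
cache_credentials = True

# Register this host's own A record over a Kerberos-signed (GSS-TSIG)
# dynamic update, the same mechanism a Windows member uses.
dyndns_update = True
# Also send the PTR update; it only succeeds when a reverse zone covering
# the host's address already exists on the DC (samba-tool dns zonecreate).
dyndns_update_ptr = True
# Re-send the registration periodically (seconds) so the records stay current.
dyndns_refresh_interval = 86400
```

The matching check on the DC side is to watch named's log for the `samba_dlz: added ... PTR` line in the reverse zone, or to resolve the client's address back with nslookup as Sven does.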

Sven Geggus

Mar 5, 2014, 5:30:01 AM
Daniel Müller <mue...@tropenklinik.de> wrote:

> Then every client that register will auto get a reverse entry.

hm, not really:

root@linuxclient:~# net ads dns register -P
Successfully registered hostname with DNS
root@linuxclient:~# nslookup linuxclient
Server: 192.168.56.10
Address: 192.168.56.10#53

Name: linuxclient.samdom.example.com
Address: 192.168.56.12

root@linuxclient:~# nslookup 192.168.56.12
Server: 192.168.56.10
Address: 192.168.56.10#53

** server can't find 12.56.168.192.in-addr.arpa.: NXDOMAIN

The reverse zone has just been created using the following command:
samba-tool dns zonecreate sambadc 56.168.192.in-addr.arpa

Looking at the reverse zone using mmc.exe on the Windows client, I cannot
see any entry either.

As before, manually adding reverse DNS entries to this zone still works fine.

Sven

--
The Internet is not a lawless space, but neither is the Internet a space
free of civil rights. (Wolfgang Wieland, Bündnis 90/Die Grünen)

Sven Geggus

Mar 5, 2014, 5:30:02 AM
steve <st...@steve-ss.com> wrote:

> Not for Linux clients. The easiest way to get secure dns updates against
> AD from Linux clients is via sssd

I don't use sssd currently but nslcd and a cronjob calling "net ads dns
register -P".

Is this not supposed to generate a forward as well as a reverse DNS entry?

Sven

--
The general right of personality (Art. 2(1) in conjunction with Art. 1(1) of the Basic Law)
encompasses the fundamental right to the guarantee of the confidentiality and integrity
of information technology systems. (BVerfG, 1 BvR 370/07)


/me is giggls@ircnet, http://sven.gegg.us/ on the Web

Raymond

Mar 5, 2014, 6:00:01 AM
Hi Guys, just want to put this out there and see what comes back.

My Setup

*****************************

Zentyal server 3.3
Windows 8 client with Outlook 2010

*****************************

On joining the Windows 8 client to the domain I got this message popping up on Windows: "The RPC server is unavailable". All I then did was restart the Samba server and attempt to join again.

The Windows 8 PC joined the domain and all is working fine. The firewall is switched off and Samba was running before I attempted to join the PC.

I am asking because I previously tried using Outlook 2007 with OpenChange, and Outlook kept disconnecting from OpenChange. I then tried Outlook 2010 with Windows 8, got that RPC error once, and afterwards, when the join was successful, I connected Outlook 2010 to OpenChange and it stayed connected.

It might be that Samba was the cause of Outlook 2007 not staying connected because of the RPC error and I did not pick up on it.

Have any of you experienced this RPC error before? It may just have been a glitch...?

Thank you,
Ray


steve

Mar 5, 2014, 6:20:02 AM
On Wed, 2014-03-05 at 10:26 +0000, Sven Geggus wrote:
> steve <st...@steve-ss.com> wrote:
>
> > Not for Linux clients. The easiest way to get secure dns updates against
> > AD from Linux clients is via sssd
>
> I don't use sssd currently but nslcd and a cronjob calling "net ads dns
> register -P".
>
> Is this not supposed to generate a forward as well as a reverse DNS entry?

It only needs an A to work, so I suppose not. We need the ptr too.
Steve

L.P.H. van Belle

Mar 5, 2014, 7:10:02 AM
Hi,
I guess this is not working correctly, or I'm missing something.

I used the Windows RSAT tool to create the reverse zone (with the first PC I joined to the domain).
I joined 2 PCs (Win7 32-bit and Win7 64-bit) with static IPs.

None of these PCs got the PTR record automatically. :-)
Any tips?

( debian wheezy, samba 4.1.5 backports )

Can you explain this a bit more?
>If you do it by hand the automatic dns update of the client
>will be denied in your log files and will not succeed.

I've seen a denied message in my logs.

Mar 4 13:33:26 RTD-DC1 named[32667]: client 10.249.250.64#52886: update 'INTERNAL.DOMAIN.TLD/IN' denied
Mar 4 13:33:26 RTD-DC1 named[32667]: samba_dlz: cancelling transaction on zone INTERNAL.DOMAIN.TLD
Mar 4 13:33:26 RTD-DC1 named[32667]: samba_dlz: starting transaction on zone INTERNAL.DOMAIN.TLD
Mar 4 13:33:26 RTD-DC1 named[32667]: samba_dlz: allowing update of signer=admin-pc\$\@INTERNAL.DOMAIN.TLD name=Admin-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=AAAA key=808-ms-7.1-6f64.302d95ec-a399-11e3-e2ad-d067e50ae371/160/0
Mar 4 13:33:26 RTD-DC1 named[32667]: samba_dlz: allowing update of signer=admin-pc\$\@INTERNAL.DOMAIN.TLD name=Admin-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A key=808-ms-7.1-6f64.302d95ec-a399-11e3-e2ad-d067e50ae371/160/0
Mar 4 13:33:26 RTD-DC1 named[32667]: samba_dlz: allowing update of signer=admin-pc\$\@INTERNAL.DOMAIN.TLD name=Admin-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A key=808-ms-7.1-6f64.302d95ec-a399-11e3-e2ad-d067e50ae371/160/0
Mar 4 13:33:26 RTD-DC1 named[32667]: client 10.249.250.64#65459: updating zone 'INTERNAL.DOMAIN.TLD/NONE': deleting rrset at 'Admin-PC.INTERNAL.DOMAIN.TLD' AAAA
Mar 4 13:33:26 RTD-DC1 named[32667]: client 10.249.250.64#65459: updating zone 'INTERNAL.DOMAIN.TLD/NONE': deleting rrset at 'Admin-PC.INTERNAL.DOMAIN.TLD' A
Mar 4 13:33:26 RTD-DC1 named[32667]: client 10.249.250.64#65459: updating zone 'INTERNAL.DOMAIN.TLD/NONE': adding an RR at 'Admin-PC.INTERNAL.DOMAIN.TLD' A
Mar 4 13:33:26 RTD-DC1 named[32667]: samba_dlz: added Admin-PC.INTERNAL.DOMAIN.TLD Admin-PC.INTERNAL.DOMAIN.TLD.#0111200#011IN#011A#01110.249.250.64
Mar 4 13:33:26 RTD-DC1 named[32667]: samba_dlz: subtracted rdataset INTERNAL.DOMAIN.TLD 'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 1 900 600 86400 0'
Mar 4 13:33:26 RTD-DC1 named[32667]: samba_dlz: added rdataset INTERNAL.DOMAIN.TLD 'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 2 900 600 86400 0'

and

Mar 4 13:35:25 RTD-DC1 named[32667]: client 10.249.250.64#52469: RFC 1918 response from Internet for 230.250.249.10.in-addr.arpa
Mar 4 14:55:49 RTD-DC1 smbd[4586]: [2014/03/04 14:55:49.465331, 0] ../source3/rpc_server/srv_pipe.c:1395(api_rpcTNP)
Mar 4 14:55:49 RTD-DC1 smbd[4586]: api_rpcTNP: \svcctl: SVCCTL_GETSERVICEKEYNAMEW failed.
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: starting transaction on zone INTERNAL.DOMAIN.TLD
Mar 5 12:15:03 rtd-dc1 named[32667]: client 10.249.250.32#61301: update 'INTERNAL.DOMAIN.TLD/IN' denied
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: cancelling transaction on zone INTERNAL.DOMAIN.TLD
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: starting transaction on zone INTERNAL.DOMAIN.TLD
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: allowing update of signer=admin32-pc\$\@INTERNAL.DOMAIN.TLD name=Admin32-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=AAAA key=1124-ms-7.1-6814.11a3bdab-a457-11e3-6e92-d067e50f1671/160/0
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: allowing update of signer=admin32-pc\$\@INTERNAL.DOMAIN.TLD name=Admin32-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A key=1124-ms-7.1-6814.11a3bdab-a457-11e3-6e92-d067e50f1671/160/0
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: allowing update of signer=admin32-pc\$\@INTERNAL.DOMAIN.TLD name=Admin32-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A key=1124-ms-7.1-6814.11a3bdab-a457-11e3-6e92-d067e50f1671/160/0
Mar 5 12:15:03 rtd-dc1 named[32667]: client 10.249.250.32#55191: updating zone 'INTERNAL.DOMAIN.TLD/NONE': deleting rrset at 'Admin32-PC.INTERNAL.DOMAIN.TLD' AAAA
Mar 5 12:15:03 rtd-dc1 named[32667]: client 10.249.250.32#55191: updating zone 'INTERNAL.DOMAIN.TLD/NONE': deleting rrset at 'Admin32-PC.INTERNAL.DOMAIN.TLD' A
Mar 5 12:15:03 rtd-dc1 named[32667]: client 10.249.250.32#55191: updating zone 'INTERNAL.DOMAIN.TLD/NONE': adding an RR at 'Admin32-PC.INTERNAL.DOMAIN.TLD' A
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: added Admin32-PC.INTERNAL.DOMAIN.TLD Admin32-PC.INTERNAL.DOMAIN.TLD.#0111200#011IN#011A#01110.249.250.32
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: subtracted rdataset INTERNAL.DOMAIN.TLD 'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 2 900 600 86400 0'
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: added rdataset INTERNAL.DOMAIN.TLD 'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 3 900 600 86400 0'
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: committed transaction on zone INTERNAL.DOMAIN.TLD

Setup...
basic Samba4 setup, default config (with RFC2307)
default Windows 7 SP1 installed with all updates, nothing changed in Windows 7.


Greetz,

Louis

>-----Original Message-----
>From: mue...@tropenklinik.de
>[mailto:samba-...@lists.samba.org] On behalf of Daniel Müller
>Sent: Wednesday, 5 March 2014 10:32
>To: 'Sven Geggus'; sa...@lists.samba.org
>Subject: Re: [Samba] Does automatic DNS PTR generation in

L.P.H. van Belle

Mar 5, 2014, 8:00:02 AM
OK...
I managed to get this to work (STATIC IPs on the PCs)!

I powered off the PCs,
rebooted the Samba server,
booted the PCs and...
I'm a happy man.. :-))

Mar 5 13:52:16 rtd-dc1 named[3717]: samba_dlz: added 32.250.249.10.in-addr.arpa 32.250.249.10.in-addr.arpa.#0111200#011IN#011PTR#011Admin32-PC.INTERNAL.DOMAIN.TLD.
Mar 5 13:52:16 rtd-dc1 named[3717]: samba_dlz: subtracted rdataset 250.249.10.in-addr.arpa '250.249.10.in-addr.arpa.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 3 900 600 86400 3600'
Mar 5 13:52:16 rtd-dc1 named[3717]: samba_dlz: added rdataset 250.249.10.in-addr.arpa '250.249.10.in-addr.arpa.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 4 900 600 86400 3600'
Mar 5 13:52:16 rtd-dc1 named[3717]: samba_dlz: committed transaction on zone 250.249.10.in-addr.arpa


Now the dhcp test :-)


Greetz,

Louis


>-----Original Message-----
>From: be...@bazuin.nl [mailto:samba-...@lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Wednesday, 5 March 2014 13:06
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Does automatic DNS PTR generation in
>Samba4 AD DC work at all?
>
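The two log excerpts Louis posted (the forward-zone updates in his earlier message, and the PTR commit in this one) contain everything needed to answer the thread's question per host: which clients had an unsigned update denied, which A records the DC accepted, and whether a matching PTR landed in the reverse zone. The following Python script is an added example, not code from the thread or from Samba: it parses those named/samba_dlz lines and reports every accepted A record whose reverse name has no PTR pointing back at the host, which is the check Sven did by hand with nslookup. The embedded log lines are constructed to mirror the thread's output; the signing key value is a placeholder.

```python
import re

# Constructed sample modelled on the named/samba_dlz lines in the thread
# (not Louis's actual log; the signing key value is a placeholder). Syslog
# writes the tabs between RR fields as the octal escape "#011".
SAMPLE_LOG = r"""Mar 5 12:15:03 rtd-dc1 named[32667]: client 10.249.250.32#61301: update 'INTERNAL.DOMAIN.TLD/IN' denied
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: allowing update of signer=admin32-pc\$\@INTERNAL.DOMAIN.TLD name=Admin32-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A key=PLACEHOLDER-KEY/160/0
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: added Admin32-PC.INTERNAL.DOMAIN.TLD Admin32-PC.INTERNAL.DOMAIN.TLD.#0111200#011IN#011A#01110.249.250.32
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: added rdataset INTERNAL.DOMAIN.TLD 'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 3 900 600 86400 0'
Mar 5 12:15:03 rtd-dc1 named[32667]: samba_dlz: committed transaction on zone INTERNAL.DOMAIN.TLD
Mar 5 12:15:07 rtd-dc1 named[32667]: samba_dlz: added Admin-PC.INTERNAL.DOMAIN.TLD Admin-PC.INTERNAL.DOMAIN.TLD.#0111200#011IN#011A#01110.249.250.64
Mar 5 13:52:16 rtd-dc1 named[3717]: samba_dlz: added 32.250.249.10.in-addr.arpa 32.250.249.10.in-addr.arpa.#0111200#011IN#011PTR#011Admin32-PC.INTERNAL.DOMAIN.TLD.
Mar 5 13:52:16 rtd-dc1 named[3717]: samba_dlz: committed transaction on zone 250.249.10.in-addr.arpa
"""

# "samba_dlz: added <owner> <owner>.<tab><ttl><tab>IN<tab><type><tab><rdata>"
ADDED_RE = re.compile(
    r"samba_dlz: added (?P<owner>\S+) \S+\.#011(?P<ttl>\d+)#011IN#011"
    r"(?P<rtype>AAAA|A|PTR)#011(?P<rdata>\S+)"
)
# "client <ip>#<port>: update '<zone>/IN' denied" (an unsigned attempt refused)
DENIED_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: update '(?P<zone>[^']+)' denied"
)


def reverse_name(ip):
    """IPv4 address -> owner name of its PTR (10.249.250.32 -> 32.250.249.10.in-addr.arpa)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def parse_updates(log):
    """Collect denied updates, accepted A records and accepted PTR records from named output."""
    parsed = {"denied": [], "a": {}, "ptr": {}}
    for line in log.splitlines():
        denied = DENIED_RE.search(line)
        if denied:
            parsed["denied"].append((denied.group("client"), denied.group("zone")))
            continue
        added = ADDED_RE.search(line)
        if not added:
            continue  # SOA rdataset churn, transaction messages, rrset deletions
        owner, rtype, rdata = added.group("owner"), added.group("rtype"), added.group("rdata")
        if rtype == "A":
            parsed["a"][owner] = rdata
        elif rtype == "PTR":
            parsed["ptr"][owner] = rdata.rstrip(".")
    return parsed


def missing_ptrs(parsed):
    """A records whose reverse name has no PTR pointing back at the host (case-insensitive)."""
    missing = []
    for host, ip in sorted(parsed["a"].items()):
        rev = reverse_name(ip)
        target = parsed["ptr"].get(rev)
        if target is None or target.lower() != host.lower():
            missing.append((host, ip, rev))
    return missing


def report(log):
    """Summary lines; returned rather than only printed so they can be checked."""
    parsed = parse_updates(log)
    lines = ["%d unsigned update(s) denied (in the thread's log a signed retry follows)"
             % len(parsed["denied"])]
    for client, zone in parsed["denied"]:
        lines.append("  denied: %s -> %s" % (client, zone))
    for host, ip, rev in missing_ptrs(parsed):
        lines.append("MISSING PTR: %s (%s) expected at %s" % (host, ip, rev))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the real named log on the DC, the "denied" lines that are immediately followed by an "allowing update of signer=" entry for the same client (as in Louis's excerpt) are the client's unsigned first attempt being refused before its signed retry, while a host that shows up under MISSING PTR is one that, like Sven's linuxclient, registered its A record but never got a reverse entry.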

steve

Mar 5, 2014, 8:00:03 AM
On Wed, 2014-03-05 at 13:06 +0100, L.P.H. van Belle wrote:
> Hi,
> I guess this is not working correctly, or I'm missing something.
>
> I used the Windows RSAT tool to create the reverse zone (with the first PC I joined to the domain).
> I joined 2 PCs (Win7 32-bit and Win7 64-bit) with static IPs.
>
> None of these PCs got the PTR record automatically. :-)
> Any tips?

Hi
AD does not need ptr rr's to function. We need them because we teach
using them. I believe some security systems also use reverse lookups but
on windows they will take care of this during their installation. If you
need them you can add a reverse zone on any DNS server you have access
to. It doesn't have to be your DC. Add the rr's using ddns updates. On
Linux, we use sssd for both forward and reverse rr's. On windows, use
this:
http://www.techrepublic.com/blog/the-enterprise-cloud/how-do-i-configure-dhcp-for-dynamic-updates-in-windows-server-2008/377/#.
HTH
Steve

L.P.H. van Belle

Mar 5, 2014, 8:10:05 AM
Thanks for the link Steve, but I'm abandoning Windows because of an MS licensing change.

I've read your site several times, good info, thank you for this.

The tip of putting the reverse zone on the other server is a good one.
Didn't think about this... looking into it.

Thanks!!

Louis


>-----Original Message-----
>From: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>On behalf of steve
>Sent: Wednesday, 5 March 2014 13:58
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Does automatic DNS PTR generation in
>Samba4 AD DC work at all?
>