
[Samba] [samba4] DNS updates


mathias dufresne
Jan 18, 2016, 2:50:03 PM
Hi all,

I would like to be able to rely on the tools Samba provides to manage my DNS
entries, but until now I have failed.

From what I have understood there is one and only one tool responsible for
updating DNS: samba_dnsupdate.

Is that statement true?

I had issues with the DNS backend set to the internal DNS server:
samba_dnsupdate was almost never working.

So I switched to Bind-DLZ as advised here and on the wiki.

With Bind-DLZ sometimes it works, sometimes it doesn't.
Two test platforms: Debian Jessie and CentOS 7. Both platforms are using
Sernet packages to be sure of having working packages.

On Debian Jessie it was working easily, just following the wiki.
Replication was working and is still working.
Sites were created and DNS entries changed accordingly.
Today I went back to that Debian platform, moved some DCs to a new site
again, and:
- entries on the new site are created
- entries on the old sites are NOT removed
- samba_dnsupdate --verbose ends with "No DNS updates needed"

On CentOS 7 it was never working correctly: samba_dnsupdate failed because
of a TSIG authentication failure (I'm not at work so I can't be more precise
right now) and/or replication is failing.
On CentOS 7 the only way to get something working a little was to copy the
Bind configuration from Debian to CentOS, removing /var/named and /etc/named*.

Perhaps samba_dnsupdate is not responsible for removing DNS entries; in that
case, what tool is responsible for cleaning up DNS?

I'm looking for more information about DNS authentication and updates:
Perhaps samba_dnsupdate is not responsible for removing these entries; in that
case, what tool is responsible for cleaning up DNS?

Finally, is someone able to explain:
- how to manually create a DNS user and give him the right to modify DNS
entries. This is important to understand, I think, because other users
could be created to do the same, and being able to find them would be nice
from a security point of view.
- how to recreate the keytab of such a user without samba_upgradedns: this
user can be deleted accidentally, and being able to recreate it without
samba_upgradedns seems less violent, so less risky, than switching the DNS
backend...
- how frequent are DNS updates? Is it every X minutes? After each site
modification + at every Samba start?

As you can see I am completely lost in Samba DNS and help would be welcome.

Cheers,

mathias
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny
Jan 18, 2016, 3:20:04 PM
It is actually 'nsupdate' (a Bind tool) that updates your DNS records. I
have been using a combination of Samba4 AD, Bind9 and DHCP since 2012,
and find it quite amusing seeing all the problems people have that I
have never had.

Start by having a look here:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

If, after reading that, you think this is what you need, I will refresh
my notes and send you a copy, but note, I use debian.

Rowland

L.P.H. van Belle
Jan 19, 2016, 4:40:04 AM
In addition to what Rowland says.

> > Finally, is someone able to explain:
> > - how to manually create a DNS user and give him the right to modify DNS
> > entries. This is important to understand, I think, because other users
> > could be created to do the same, and being able to find them would be
> > nice from a security point of view.
[L.P.H. van Belle]
For a Windows user: create a normal user and put him in the DNS Admin group, that simple.
For a Linux user: use samba-tool; I can't tell more about this, I use the Windows tools for this.

> > - how to recreate the keytab of such a user without samba_upgradedns:
> > this user can be deleted accidentally, and being able to recreate it
> > without samba_upgradedns seems less violent, so less risky, than
> > switching the DNS backend...
[L.P.H. van Belle]
First, no, that user cannot delete the keytab file if you set it up correctly.
The dns.keytab should have 640 (root:bind) rights.
Why should a user be able to access this file anyway?

You can export them like this, a few examples (samba-tool takes the target
keytab file as its first argument):

( dns.keytab )
samba-tool domain exportkeytab /path_to/dns.keytab --principal=dns-DC-NAME@REALM
samba-tool domain exportkeytab /path_to/dns.keytab --principal=DNS/DC-NAME.internal.domain.tld@REALM

( secrets.keytab )
samba-tool domain exportkeytab /path_to/secrets.keytab --principal=HOST/DC-NAME.internal.domain.tld@REALM
samba-tool domain exportkeytab /path_to/secrets.keytab --principal=DC-NAME$@REALM

Use ktutil to read the file and see which principals are there.
How: type:
ktutil
rkt /path_to/keytab.file
list

> > - how frequent are DNS updates? Is it every X minutes? After each site
> > modification + at every Samba start?
[L.P.H. van Belle] See your zone's SOA.
A simple dig already shows it:
dig SOA domain.tld
Check the numbers at the end.
For me:
238 900 600 86400 3600
Serial refresh retry expires min_TTL


> > As you can see I am completely lost in Samba DNS and help would be welcome.

> On CentOS 7 it was never working correctly: samba_dnsupdate failed
> because of a TSIG authentication failure
That was because of incorrect Bind settings, and most probably because of incorrect rights on the dns.keytab file.

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland penny
> Sent: Monday 18 January 2016 21:07
> To: sa...@lists.samba.org
> Subject: Re: [Samba] [samba4] DNS updates
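The checks that Louis's answer implies (the keytab is mode 640 root:bind, it holds the expected principals, and a GSS-TSIG update signed with it is actually accepted), as an added example that is not part of this thread or of Samba itself. It assumes Linux with GNU stat, MIT Kerberos klist/kinit and Bind's nsupdate; the dns-<host> and DNS/<fqdn> principal names, the REALM and ZONE defaults and the keytab path are placeholders to adapt.

```shell
#!/bin/sh
# Checks for the Bind-DLZ dns.keytab: readable by Bind and nobody else,
# containing the expected principals, and usable for a GSS-TSIG update.
# Added example, not code from the thread or from the Samba project.
# Assumptions: Linux with GNU stat, MIT Kerberos klist/kinit, Bind nsupdate;
# principal names, realm, zone and paths below are placeholders.

KEYTAB="${KEYTAB:-/var/lib/samba/private/dns.keytab}"

# check_keytab_perms FILE MODE OWNER GROUP: return 0 if FILE has exactly the
# octal MODE and is owned by OWNER:GROUP, else print each mismatch and
# return 1. The mode is compared exactly, not "at most": a keytab readable by
# an unexpected group or by everyone lets any such local user forge signed
# dynamic updates against the zone.
check_keytab_perms() {
    f=$1 want_mode=$2 want_owner=$3 want_group=$4 bad=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    set -- $(stat -c '%a %U %G' "$f")
    [ "$1" = "$want_mode" ]  || { echo "$f: mode $1, want $want_mode"; bad=1; }
    [ "$2" = "$want_owner" ] || { echo "$f: owner $2, want $want_owner"; bad=1; }
    [ "$3" = "$want_group" ] || { echo "$f: group $3, want $want_group"; bad=1; }
    return $bad
}

# principals_from_klist: read `klist -k FILE` output on stdin (two header
# lines plus a separator, then "KVNO principal" rows) and print the distinct
# principals, one per line.
principals_from_klist() {
    awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# has_principal FILE PRINCIPAL: 0 if the keytab contains PRINCIPAL exactly.
has_principal() {
    klist -k "$1" | principals_from_klist | grep -qxF "$2"
}

# gss_update_probe NAME ZONE: send a prerequisite-only dynamic update (no
# record is changed) signed with the current Kerberos ticket via nsupdate -g.
# The server verifies the GSS-TSIG signature before looking at the
# prerequisites, so NOTAUTH or REFUSED here isolates the authentication
# problem from anything samba_dnsupdate would try to change.
gss_update_probe() {
    printf 'zone %s\nprereq yxdomain %s\nsend\n' "$2" "$1" | nsupdate -g
}

# main: the full check sequence for one DC (names are assumptions).
main() {
    host=$(hostname -s)
    realm=${REALM:-EXAMPLE.COM}
    zone=${ZONE:-example.com}
    rc=0
    check_keytab_perms "$KEYTAB" 640 root bind || rc=1
    for p in "dns-$host@$realm" "DNS/$host.$zone@$realm"; do
        has_principal "$KEYTAB" "$p" || { echo "$KEYTAB: missing principal $p"; rc=1; }
    done
    # Get the dns account's ticket from the keytab, then probe the update path.
    kinit -k -t "$KEYTAB" "dns-$host@$realm" && gss_update_probe "$host.$zone" "$zone" || rc=1
    return $rc
}

# Run the sequence only when invoked as `sh keytab-check.sh run`; sourcing
# the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root on the DC; a mode or owner mismatch is the first thing to look at when samba_dnsupdate reports a TSIG failure, and the prerequisite-only probe reproduces the NOTAUTH without touching the zone.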

mathias dufresne
Jan 20, 2016, 10:00:05 AM
Hi all,

Thank you both for these leads and explanations. Mainly they helped me to
verify that my (Samba's) configuration was not so bad, and finally to spot
that I had not disabled SELinux correctly.

All that is still using CentOS 7 and Sernet packages (4.2.7).

The point was that /etc/sysconfig/selinux is a link to /etc/selinux/config,
which I had not noticed before, and the deployment script I wrote replaced
that link with some file, which was stupid. I'm used to that; it's not really
a relief but...

Anyway, once SELinux was removed and the installation process was restarted
correctly, my DC + Bind-DLZ are working.

I still need to initialize replication, which does not (always? the answer
would need more tests) work as is.

To initialize replication (with DC1 already up and DC2 newly added):
1° Workaround for missing DNS entries:
- samba-tool dns add DC2 <zone> DC2 A 1.2.3.4
to add the local server IP into the local AD (DNS) database
- samba_dnsupdate
samba_dnsupdate won't (always?) work without the previous command
- samba-tool dns add DC1 <zone> DC2 A 1.2.3.4
to add the local server IP into another (I aim at the FSMO owner) AD (DNS)
database, to work around the replication issue

2° Force replication with samba-tool
For each partition of the DIT we push it from DC1 to DC2:
for DIT in `ls /var/lib/samba/private/sam.ldb.d/ | grep -v metadata.tdb | sed -e 's/\.ldb$//'`; do
    echo "$DIT"
    samba-tool drs replicate dc2 dc1 "$DIT"
done

This bunch of commands is launched first on the FSMO owner (DC1) and then on
the newly added DC (here DC2) if showrepl still shows errors.

Errors met were:
WERR_BADFILE
WERR_DS_DRA_ACCESS_DENIED

What's good in that? That's a script which installs everything, no real
work for me (which is good news as I make mistakes every time), and I have
to deploy a bunch of servers. Hoping I can come back with more precision or
even tell you what my mistake was.

Cheers,

mathias

L.P.H. van Belle
Jan 20, 2016, 10:50:03 AM
Hi mathias,

You're welcome, always happy to help out and nice to hear you got it working.

I must ask..
Did you reboot the servers after you added the second server to the DNS?
And especially in this order: DC_with_FSMO, wait until it's up again, then DC2.
This often fixes the replication problem and as far as I know this only happens just after the install of an extra DC.


Greetz,

Louis

mathias dufresne
Jan 27, 2016, 1:40:07 PM
Hi Louis,

I should be able to answer you tomorrow: I pushed the installation of 10 DCs
before leaving work, and this process would not be able to use the
workaround described earlier because SSH is not yet open between the two
sites. I expect all other needed ports to be open, so I expect only the
replication workaround to fail tonight.
So tomorrow I should arrive at work with 10 DCs joined to my AD and just
rebooted.
The FSMO will not have been rebooted at that moment. If no replication took
place in the night I'll try to reboot the FSMO, then reboot all DCs one by one.

Greetings,

mathias

mathias dufresne
Jan 28, 2016, 4:20:04 AM
No replication this morning but the FSMO was rebooted yesterday. Only the
joined DCs were rebooted.

After verifying all A records related to the new DCs were created, I forced
creation of the replication-related DNS entries as described here:
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller

I forced replication (drs replicate) from a replicated DC to all 10 new DCs
and also forced replication the other way. All drs replicate commands
worked well.

Back on the newly joined DCs I launched samba_dnsupdate; on 10 DCs this
command failed on 9 with the message "update failed: NOTAUTH". I rebooted
all joined DCs and samba_dnsupdate worked well on them.

This gave Samba time to replicate things around and now everything goes
well.

Joining new DCs is still a bit tricky in my opinion. Hoping this will work
better with 4.4.x.

Cheers,

mathias

mathias dufresne
Jan 28, 2016, 4:20:04 AM
Errata: No replication this morning but the FSMO was *not* rebooted
yesterday. Only the joined DCs were rebooted.

Rowland penny
Jan 28, 2016, 5:10:07 AM
On 28/01/16 09:11, mathias dufresne wrote:
> No replication this morning but the FSMO was rebooted yesterday. Only the
> joined DCs were rebooted.
>
> After verifying all A records related to the new DCs were created, I forced
> creation of the replication-related DNS entries as described here:
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller
>
> I forced replication (drs replicate) from a replicated DC to all 10 new DCs
> and also forced replication the other way. All drs replicate commands
> worked well.
>
> Back on the newly joined DCs I launched samba_dnsupdate; on 10 DCs this
> command failed on 9 with the message "update failed: NOTAUTH". I rebooted
> all joined DCs and samba_dnsupdate worked well on them.
>
> This gave Samba time to replicate things around and now everything goes
> well.
>
> Joining new DCs is still a bit tricky in my opinion. Hoping this will work
> better with 4.4.x.
>
> Cheers,
>
> mathias
>

When you provision a domain, all the DNS records are created during the
provision, but when you join a DC to a domain they aren't. You need to
restart Samba on the newly joined DC. Once Samba is restarted,
samba_dnsupdate will be run; this reads the file 'dns_update_list' and
then adds (if needed) the records it finds in the file. If you do not
restart Samba, the DNS records do not get added and your problems start.

Rowland

mathias dufresne
Jan 28, 2016, 5:50:04 AM
In fact after joining a DC I start the samba-ad service. Here samba_dnsupdate
should be run a first time. If you say the right process is to start Samba
once, then restart it, I would say this process seems a bit strange to me.

Then once the installation script is finished it reboots the newly joined
DC, starting Samba again and running samba_dnsupdate again. And DNS entries
are created locally as expected.

There are also the missing DNS entries related to replication as described
in the following link:
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller

If you forget them, even if you restart Samba, or the whole computer, the
problems remain: as replication can't work without them, the fact that
samba_dnsupdate created DNS entries locally can't be reflected on the whole
AD.

We can create these missing objectGUID CNAME entries locally (on the newly
joined DC), but if we don't perform that creation also on an already
replicated DC, the replicated servers won't receive these newly created
CNAMEs because they are created on the newly joined DC, which does not
replicate to the others.

Please note I worked around all these traps; my DCs are installed by a
script which delivers working DCs (meaning synchronized with the others, no
missing DNS entries either).

To achieve that I force creation of:
1° the A record for the newly joined DC in the local database + on the FSMO
owner (as this one replicates to the already deployed DCs), using SSH +
samba-tool dns add...
2° the missing objectGUID CNAME on the newly joined DC and on the FSMO owner,
using SSH.

Finally, with these four actions I'm able to run replication.

Now to speak about yesterday's issue where the 10 DCs installed that night
did not replicate: the reason was these DCs are not yet allowed to run SSH
commands to the 10 other DCs (those already installed, already replicating).

So no SSH means no workaround, and this morning the newly joined DCs were not
replicated even though they were all rebooted (all still means all newly
joined DCs).

The FSMO was not rebooted because I don't see the point of rebooting a working
server when it's not needed.

And launching the failed SSH commands this morning solved all the replication
issues I spotted.

Cheers,

mathias
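mathias's four post-join actions (the A record and the objectGUID CNAME on both the new DC and the FSMO owner, then samba_dnsupdate and a per-partition drs replicate), as one added script that is not part of this thread or of the Samba project. It replaces the ls|grep|sed loop from the earlier post with a glob over sam.ldb.d and replicates the Schema and Configuration partitions before the others; DC_NAME, DC_IP, SITE, ZONE, DOMAIN_DN, FSMO, the NTDS Settings DN and the ldbsearch filter are assumptions to adapt, and samba-tool needs a Kerberos ticket or -U credentials that the script does not supply.

```shell
#!/bin/sh
# Post-join fix-up for a freshly joined Samba AD DC, automating the steps from
# the thread. Added example, not code from the thread or from the Samba project.
# Assumptions: run as root on the NEW DC; samba-tool has a ticket or -U creds;
# every name set in main() is a placeholder.

SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
SAM_DIR="${SAM_DIR:-/var/lib/samba/private/sam.ldb.d}"

# list_ncs DIR: print the naming contexts found as *.ldb files under
# sam.ldb.d, one per line, Schema first, then Configuration, then the rest
# (domain and the DNS application partitions). Skips metadata.tdb; uses a
# glob instead of parsing `ls` output.
list_ncs() {
    for f in "$1"/*.ldb; do
        [ -e "$f" ] || continue
        nc=${f##*/}
        nc=${nc%.ldb}
        case $nc in
            CN=SCHEMA,*)        echo "1 $nc" ;;
            CN=CONFIGURATION,*) echo "2 $nc" ;;
            *)                  echo "3 $nc" ;;
        esac
    done | sort | cut -d' ' -f2-
}

# guid_from_ldif: read ldbsearch LDIF output on stdin, print the first
# objectGUID value (empty if none).
guid_from_ldif() {
    sed -n 's/^objectGUID: *//p' | head -n 1
}

# ntds_guid DN: objectGUID of the NTDS Settings object at DN, read from the
# local sam.ldb; the _msdcs CNAME must be named after this value.
ntds_guid() {
    ldbsearch -H "$SAM_DB" --cross-ncs -b "$1" -s base '(objectClass=nTDSDSA)' objectGUID | guid_from_ldif
}

# add_dc_records SERVER ZONE DCNAME IP GUID FQDN: add the new DC's A record
# and its objectGUID CNAME (in _msdcs.ZONE) on SERVER. Run once against the
# new DC itself and once against the FSMO owner, as the thread describes.
add_dc_records() {
    server=$1 zone=$2 dcname=$3 ip=$4 guid=$5 fqdn=$6
    samba-tool dns add "$server" "$zone" "$dcname" A "$ip"
    samba-tool dns add "$server" "_msdcs.$zone" "$guid" CNAME "$fqdn"
}

# replicate_all DEST SOURCE: pull every partition from SOURCE into DEST,
# Schema and Configuration first; report failures instead of stopping.
replicate_all() {
    dest=$1 src=$2
    list_ncs "$SAM_DIR" | while read -r nc; do
        echo "replicate $nc: $src -> $dest"
        samba-tool drs replicate "$dest" "$src" "$nc" || echo "  FAILED: $nc"
    done
}

main() {
    # Placeholders (assumptions): adapt to your domain.
    DC_NAME=DC2  DC_IP=1.2.3.4  SITE=Default-First-Site-Name
    ZONE=example.com  DOMAIN_DN='DC=example,DC=com'
    FSMO=dc1.example.com
    FQDN="$DC_NAME.$ZONE"
    NTDS_DN="CN=NTDS Settings,CN=$DC_NAME,CN=Servers,CN=$SITE,CN=Sites,CN=Configuration,$DOMAIN_DN"

    GUID=$(ntds_guid "$NTDS_DN")
    [ -n "$GUID" ] || { echo "no objectGUID found for $NTDS_DN" >&2; exit 1; }

    for server in "$FQDN" "$FSMO"; do
        add_dc_records "$server" "$ZONE" "$DC_NAME" "$DC_IP" "$GUID" "$FQDN"
    done
    samba_dnsupdate --verbose
    replicate_all "$FQDN" "$FSMO"   # new DC pulls from the FSMO owner
    replicate_all "$FSMO" "$FQDN"   # FSMO owner pulls the new DC's changes
    samba-tool drs showrepl
}

# Run the procedure only when invoked as `sh postjoin.sh run`; sourcing the
# file just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because the records are written on the FSMO owner too, the CNAME reaches the already replicating DCs through normal replication, which is the gap mathias needed SSH to close; checking `samba-tool drs showrepl` at the end is what tells you whether the WERR_BADFILE / WERR_DS_DRA_ACCESS_DENIED errors from the earlier post are gone.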