Comments inline

> -----Original Message-----
> From: lingpanda101 [mailto:lingpanda101 at gmail.com]
> Sent: Tuesday, 22 November 2016 15:32
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Reverse zones fail with secure updates
>
> Hi Louis,
>
> Comments inline
>
> On 11/22/2016 3:38 AM, L.P.H. van Belle via samba wrote:
> > Hai James,
> >
> > What is the connection's DNS suffix of the pc?
> domain.local

Uhm.., if you are in production don't change it, but .local (and .lan)
are reserved by Apple's mDNS (zeroconf/avahi).

> > And did you set up TLS in your samba?
> No. How?

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

> > Look here, in the advanced tcp settings of the pc. ( or ipconfig /all )
> >
> > And is it ticked "Use this connection's dns suffix in dns registration"
> > (In dhcp option 81.)
> Our routers handle DHCP.

Ok, then do your routers send option 81, with the dns suffix?
If not possible, then the Group policy is your last option.

> > Or use Group policy editors.
> > - Computer Configuration\Administrative Templates\Network\DNS Client
> > -Connection Specific DNS Suffix: enabled, and set to your.domain.tld
> > -Register DNS records with connection-specific DNS suffix: enabled
> > -Register PTR Records: enabled
> > -Dynamic Update: enabled
> I tried this method as well.

This works, I use a setup like this.
! Must be a computer policy, and you must reboot 2x to see if it works.

> > Or use static ips, then A and PTR are registered by the computer.
> Static IP's only register if I disable secure updates.

Due to no tls/ssl.

> > Key is to remember, Windows uses the connection-specific DNS suffix to
> > register DNS records.
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of lingpanda101 via samba
> >> Sent: Monday, 21 November 2016 21:14
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Reverse zones fail with secure updates
> >>
> >> Hello,
> >>
> >> I'm using Samba 4.5.1 as an AD DC and the internal DNS. If I use
> >> 'allow dns updates = secure' in my smb.conf, only A records update. The
> >> applicable reverse zone fails to update. If I switch to using non-secure
> >> updates both the A and the PTR records are updated. Is someone else able
> >> to confirm this behavior? Thanks.
> >>
> >> --
> >> - James
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
>
> --
> - James
On 11/22/2016 11:14 AM, L.P.H. van Belle via samba wrote:
> ...

I'm aware of the .local use. Unfortunately when I initially set up the domain it was suggested as appropriate. I'm unable to pass option 81 from our routers. I'm OK with using GPOs for this. My understanding is TLS is enabled by default, but I went ahead and created a self-signed certificate anyhow. I'll point out that this behavior is exhibited through my test environment as well as production environment.

I'm still unable to get secure PTR records in the zone. Only A records will update when using secure. I'm also skeptical the Win 7 workstations are even requesting that PTR records be added or updated. The Wireshark trace doesn't appear to show any request for PTR updates (I could be wrong). Are you able to confirm secure PTR updates work when using the internal DNS server? This is for clients requesting the update and not via the DHCP server? Thanks.

--
- James
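An added example (not from the thread, and not Samba's or Microsoft's code): a stdlib-only Python builder and decoder for an unsigned RFC 2136 UPDATE message that adds a PTR record, so you can see what a client's PTR registration looks like on the wire when checking a capture like the one James describes: opcode 5, a zone section naming the in-addr.arpa zone, and a PTR RR in the update section. The GSS-TSIG signature that "secure" updates carry is left out; the host name, zone and address used are constructed values.

```python
import struct

OPCODE_UPDATE, TYPE_SOA, TYPE_PTR, CLASS_IN = 5, 6, 12, 1   # RFC 2136 opcode, RR types, class

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def reverse_name(ipv4):  # PTR owner name: 10.0.0.25 -> 25.0.0.10.in-addr.arpa
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def build_ptr_update(ipv4, fqdn, zone, msg_id=0x1234, ttl=1200):
    """Unsigned UPDATE: zone section names the reverse zone, update section adds one PTR RR."""
    # Header: ID, flags (QR=0, opcode=5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = encode_name(fqdn)
    rr = encode_name(reverse_name(ipv4)) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata))
    return header + zone_sec + rr + rdata

def decode_name(buf, off):
    """Decode a wire name at buf[off]; follows compression pointers, which real clients emit."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                       # pointer to the rest of the name
            labels.append(decode_name(buf, ((n & 0x3F) << 8) | buf[off])[0]); off += 1
            break
        labels.append(buf[off:off + n].decode("ascii")); off += n
    return ".".join(labels), off

def parse_rr(buf, off):
    """Parse one RR (prerequisite and update sections share this format); PTR rdata becomes a name."""
    owner, off = decode_name(buf, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10]); off += 10
    rdata = decode_name(buf, off)[0] if rtype == TYPE_PTR else buf[off:off + rdlen]
    return (owner, rtype, rdata), off + rdlen

def summarize_update(buf):
    """(zone, [update RRs]) for an UPDATE message, or None when the opcode is not UPDATE."""
    _, flags, _, pr, up, _ = struct.unpack("!HHHHHH", buf[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return None
    zone, off = decode_name(buf, 12); off += 4     # skip ZTYPE / ZCLASS after the zone name
    rrs = []
    for _ in range(pr + up):
        rr, off = parse_rr(buf, off); rrs.append(rr)
    return zone, rrs[pr:]                          # drop prerequisites, keep the update section
```

In a capture, filter on `dns.flags.opcode == 5` and look for a zone section ending in `in-addr.arpa` with a PTR RR in the update section; an A-only client shows only updates against the forward zone.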
Hai James,

> I'm aware of the .local use. Unfortunately when I initially set up the
> domain it was suggested as appropriate. I'm unable to pass option 81
> from our routers. I'm OK with using GPOs for this. My understanding is
> TLS is enabled by default but I went ahead and created a self-signed
> certificate anyhow. I'll point out that this behavior is exhibited
> through my test environment as well as production environment.

Perfect, now read:
https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx
and publish the root CA of your DC to the clients.
Now key here is where you put the GPO for the CA.

If you have more certificates to publish I suggest you create a new policy.
Now link it to the top of your AD (domain.local), or use the Default Domain Policy.
( you need authenticated user as security setting ) ( and reboot 2x )
After the second reboot check if the ptr record is updated.

> I'm still unable to get secure PTR records in the zone. Only A records
> will update when using secure. I'm also skeptical the Win 7 workstations
> are even requesting that PTR records be added or updated. The Wireshark
> trace doesn't appear to show any request for PTR updates (I could be
> wrong).

I forgot to ask, did you create the reverse zone in the DNS?

> Are you able to confirm secure PTR updates work when using the
> internal DNS server?

Ah.. there's the difference, I'm using bind_dlz.
I can't tell anything about the internal DNS, I never used it.

> This is for clients requesting the update and not
> via the DHCP server? Thanks.

Both should work, static or dhcp ip.

> --
> - James

Greetz,

Louis
On 11/23/2016 7:36 AM, L.P.H. van Belle via samba wrote:
> ...

Louis,

I have been unsuccessful with getting this to work. However I do have a caveat to this. I have a legacy Windows XP device on my domain that did register its PTR record. My Windows 7 and 10 devices do not. I'll investigate a bit further but I believe Samba is working correctly. Thanks for the help.

--
- James
Hai James,

So a windows xp works but Win7/10 not, at least that is a good hint.

So, I did have a look in my setup again. And I'm thinking, I have disabled ipv6 for my windows 7 and win 10 pc's. That may be an option..

A thing you can try, have a look here: http://www.bvanleeuwen.nl/faq/?p=1142
ipv6 Admx to simply disable ipv6. I've set: Disable all IPv6 components.

I also checked my dhcp options. I'm sending these options:
003 router
004 time
006 dns servers
015 DNS Domain Name ( your_primary.domain.tld )
042 NTP
046 WINS Node type : (0x8)

And last thing that can be different. I have made my own CA root and client certs, I'm not using the generated certs from samba. And the CA root is also published to all my win7/10 computers.

I suggest give it a try, and report back.

Greetz,

Louis

> -----Original Message-----
> From: lingpanda101 [mailto:lingpanda101 at gmail.com]
> Sent: Monday, 28 November 2016 15:40
> To: L.P.H. van Belle; samba at lists.samba.org
...
> Louis,
>
> I have been unsuccessful with getting this to work. However I do
> have a caveat to this. I have a legacy Windows XP device on my domain
> that did register its PTR record. My Windows 7 and 10 devices do not.
> I'll investigate a bit further but I believe Samba is working correctly.
> Thanks for the help.
>
> --
> - James