The host first has an address in the DHCP pool between 192.168.1.100-200 (it is not known to dhcpd with a fixed IP address).

I would like to add a dhcpd record that always provides the same IP to the host (i.e. fixed-address 192.168.1.1) when the host is joined to my Samba domain.

On an NT PDC, I can do that with "add machine script" in smb.conf, but on an AD DC this script is not run.

So I am looking for another way to run a script when a computer joins the AD DC domain.

On 23/05/2018 at 09:19, Rowland Penny via samba wrote:
> On Tue, 22 May 2018 14:33:45 +0200
> Arnaud FLORENT via samba <samba at lists.samba.org> wrote:
>
>> Hi everyone.
>>
>> I set up a Samba AD domain.
>>
>> On an NT PDC, I was using 'add machine script' to run a script that adds a
>> static DHCP lease for the joined computer.
>>
>> But this script is not called in "active directory domain controller"
>> mode.
>>
>> Is there another way to run a script when a computer joins the domain?
>>
>> Thank you.
>>
> I don't understand this, surely the computer must have an IP address
> before it is joined, or am I missing something here?
>
> Rowland

--
Arnaud FLORENT
IRIS Technologies
phone: (33) 03 20 65 85 80
fax: (33) 03 20 65 85 81
mailto:aflorent at iris-tech.fr
On Wed, 23 May 2018 09:36:48 +0200
Arnaud FLORENT via samba <samba at lists.samba.org> wrote:

> The host first has an address in the DHCP pool between 192.168.1.100-200
> (it is not known to dhcpd with a fixed IP address).
>
> I would like to add a dhcpd record that always provides the same IP to the
> host (i.e. fixed-address 192.168.1.1) when the host is joined to my Samba
> domain.
>
> On an NT PDC, I can do that with "add machine script" in smb.conf, but on
> an AD DC this script is not run.
>
> So I am looking for another way to run a script when a computer joins the
> AD DC domain.

Why do you feel the computers must have a fixed IP address?

But if you must give them a fixed IP address, you may be able to do this
with a variation on this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

That just updates a computer's records in AD after a lease is granted,
but I think you should be able to use this as a basis to do what you
want.

Your script would have to check that /etc/dhcp/dhcpd.conf doesn't
already contain the computer's MAC and, if not, add something like this:

    host <shorthostname of client> {
        next-server dc.your-domain.com;
        hardware ethernet 00:02:c3:d0:e5:83;   < MAC address of client
        fixed-address 192.168.1.1;             < IP you require
    }

It will probably be a bit more complex than this and I say it 'may'
work, because I have never tried it.

Rowland
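The hook script Rowland sketches above, written out as an added example (this is not Rowland's code, not the Samba wiki's, and not part of the original thread). It assumes an ISC dhcpd `on commit` event hands the script the client's host name, MAC and leased address, that reservations live in a separate include file (the path `/etc/dhcp/reservations.conf` is hypothetical), and that the address to pin is chosen by the caller; `dc.your-domain.com` is Rowland's placeholder. The one point worth stressing for anyone wiring this up: the host name arrives from the DHCP client, so it is attacker-controlled and must be validated before it is spliced into dhcpd.conf, otherwise a crafted `option host-name` can inject arbitrary configuration into the server.

```shell
#!/bin/sh
# Added example: idempotent dhcpd reservation hook (not code from the thread).
#
# Hypothetical dhcpd.conf fragment that would call this script after a lease
# is committed (ISC dhcpd "on commit" syntax, same mechanism the Samba wiki
# page uses for DNS updates):
#
#   on commit {
#       set clhost = pick-first-value(option host-name, "unknown");
#       set clmac  = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
#       set clip   = binary-to-ascii(10, 8, ".", leased-address);
#       execute("/usr/local/sbin/dhcp-join-hook", clhost, clmac, clip);
#   }
#
# Paths, unit name and next-server below are assumptions to be adapted.
RESERVATIONS=/etc/dhcp/reservations.conf      # assumed include file
NEXT_SERVER=dc.your-domain.com                # Rowland's placeholder

# Input validation. Host name and MAC come from the client, so they are
# untrusted: only a DNS-label shaped name and a well-formed MAC/IP pass.
valid_name() { printf '%s' "$1" | grep -Eq  '^[A-Za-z0-9][A-Za-z0-9-]{0,62}$'; }
valid_mac()  { printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
valid_ip()   { printf '%s' "$1" | grep -Eq  '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# add_fixed_host CONF NAME MAC IP NEXTSERVER
# Appends a host block to CONF unless that MAC is already declared there.
# Exit status: 0 = appended, 1 = already present, 2 = rejected input.
add_fixed_host() {
    local conf name mac ip ns
    conf=$1; name=$2; mac=$(printf '%s' "$3" | tr 'A-F' 'a-f'); ip=$4; ns=$5
    valid_name "$name" && valid_mac "$mac" && valid_ip "$ip" || return 2
    # The MAC is hex and colons only after validation, so it is safe in a regex.
    if [ -f "$conf" ] && \
       grep -Eiq "hardware[[:space:]]+ethernet[[:space:]]+$mac[[:space:]]*;" "$conf"; then
        return 1
    fi
    cat >> "$conf" <<EOF
host $name {
    next-server $ns;
    hardware ethernet $mac;
    fixed-address $ip;
}
EOF
}

# reload_dhcpd MAINCONF: syntax-check the whole configuration before asking
# the service manager to restart dhcpd. Unit name is an assumption (Debian
# uses isc-dhcp-server, RHEL uses dhcpd). Run this from a cron job or a
# systemd path/timer unit, not from the hook itself: the hook is a child of
# dhcpd, so a restart it issues tears down the hook along with the server.
reload_dhcpd() {
    command -v dhcpd >/dev/null 2>&1 || return 3
    dhcpd -t -cf "$1" >/dev/null 2>&1 || return 4
    systemctl restart isc-dhcp-server
}

# Hook entry point: dhcp-join-hook NAME MAC IP (the three execute() args).
# The IP to pin is taken from the lease here; a real deployment would look
# it up (e.g. from AD or a static map) instead of freezing the pool address.
if [ $# -eq 3 ]; then
    add_fixed_host "$RESERVATIONS" "$1" "$2" "$3" "$NEXT_SERVER"
    case $? in
        0) logger -t dhcp-join-hook "reserved $3 for $1 ($2)" ;;
        1) ;;   # already reserved, nothing to do
        2) logger -t dhcp-join-hook "rejected suspicious input from client" ;;
    esac
fi
```

The MAC check is case-insensitive and whitespace-tolerant so that a block added by hand in upper case is still recognised, and the script never restarts dhcpd from inside the `on commit` context; dropping a marker file that a separate timer or path unit acts on keeps the reload outside dhcpd's process tree.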
On Wed, 2018-05-23 at 09:36 +0200, Arnaud FLORENT via samba wrote:
> The host first has an address in the DHCP pool between 192.168.1.100-200 (it
> is not known to dhcpd with a fixed IP address).
>
> I would like to add a dhcpd record that always provides the same IP to the
> host (i.e. fixed-address 192.168.1.1) when the host is joined to my Samba
> domain.
>
> On an NT PDC, I can do that with "add machine script" in smb.conf, but on an
> AD DC this script is not run.
>
> So I am looking for another way to run a script when a computer joins the AD
> DC domain.

I agree, this kind of thing would be useful. There are some alternative
solutions for some of this, but I do want to say: I know how much these
scripts have added value to the NT4/Classic domain configuration, and sadly
Samba's AD DC effort has not provided those hooks so far.

For example, we only gained back the 'check password script' comparatively
recently, and other well-used hooks have been implemented, but in a different
way (for example password sync via an external tool).

The new password sync tool is actually a good example, because I strongly
feel that for Samba to continue to thrive we need to remember we can and
should step beyond 'what Microsoft did' in terms of a feature set, and
remember that what folks love most about Samba is being able to do more and
different things (like running those scripts), and better fitting in to a
unix-centric world in which it is so often deployed. (We can now sync
passwords into the crypt() format used by OpenLDAP and Google, as well as
any other format if you are willing to GPG encrypt the password.)

Of course finding the time (customers) to implement these ideas is always a
challenge, but we have some good examples already and it remains a guiding
principle for me.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Hi Rowland,

thanks for your help.

On 23/05/2018 at 09:58, Rowland Penny via samba wrote:
> On Wed, 23 May 2018 09:36:48 +0200
> Arnaud FLORENT via samba <samba at lists.samba.org> wrote:
>
>> The host first has an address in the DHCP pool between 192.168.1.100-200
>> (it is not known to dhcpd with a fixed IP address).
>>
>> I would like to add a dhcpd record that always provides the same IP to the
>> host (i.e. fixed-address 192.168.1.1) when the host is joined to my Samba
>> domain.
>>
>> On an NT PDC, I can do that with "add machine script" in smb.conf, but on
>> an AD DC this script is not run.
>>
>> So I am looking for another way to run a script when a computer joins the
>> AD DC domain.
>>
> Why do you feel the computers must have a fixed IP address?

It is easier to identify hosts with fixed addresses (i.e. allow/deny access
by IP in a firewall, for example).

> But if you must give them a fixed IP address, you may be able to do this
> with a variation on this:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> That just updates a computer's records in AD after a lease is granted,
> but I think you should be able to use this as a basis to do what you
> want.
>
> Your script would have to check that /etc/dhcp/dhcpd.conf doesn't
> already contain the computer's MAC and, if not, add something like this:
>
>     host <shorthostname of client> {
>         next-server dc.your-domain.com;
>         hardware ethernet 00:02:c3:d0:e5:83;   < MAC address of client
>         fixed-address 192.168.1.1;             < IP you require
>     }
>
> It will probably be a bit more complex than this and I say it 'may'
> work, because I have never tried it.

I am currently trying this method, but it seems I cannot restart dhcpd from
itself to reload the new record.