Set auth-nxdomain yes;
And stop/start bind9

Other source: https://blogs.technet.microsoft.com/teamdhcp/2015/09/10/a-description-of-the-dns-dynamic-update-message-format/

/snap
The DNS Client and Server services support the use of dynamic updates, as described in Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each authoritative server configured to load either a standard primary or AD-integrated zone.

Greetz,

Louis

> -----Original message-----
> From: basti [mailto:mailinglist at unix-solution.de]
> Sent: Tuesday 22 January 2019 14:32
> To: L.P.H. van Belle
> Subject: Re: [Samba] Samba BIND9_DLZ autoupdate PTR
>
> root at dc1:/etc/bind# named-checkconf -p
> options {
>     directory "/var/cache/bind";
>     listen-on-v6 {
>         "any";
>     };
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     auth-nxdomain no;
>     dnssec-enable yes;
>     dnssec-validation yes;
>     recursion yes;
>     allow-query {
>         192.168.30.0/24;
>         "localhost";
>         "localnets";
>     };
> };
> acl "slaves" {
>     192.168.30.6/32;
> };
> acl "lan" {
>     192.168.30.0/24;
> };
>
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
> dlz "AD DNS Zone" {
>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
> };
> root at dc1:/etc/bind#
>
> On 22.01.19 at 14:28, L.P.H. van Belle wrote:
> > Hello Basti,
> >
> > Can you post your full bind config so we can look.
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> >> Sent: Tuesday 22 January 2019 14:23
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Samba BIND9_DLZ autoupdate PTR
> >>
> >> Hello,
> >> I have installed Samba 4 AD with bind9_dlz and automatic update.
> >> (https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Setting_up_Dynamic_DNS_Updates_Using_Kerberos)
> >>
> >> Is this only working for A records?
> >> The PTR is not updated, or my setup is not complete.
> >>
> >> Where should I include /var/lib/samba/private/named.conf.update ??
> >> Including this in /etc/bind/named.conf is not allowed (unknown option 'update-policy').
> >>
> >> As I understand it, named.conf.update in the right way only updates A, AAAA, SRV and CNAME records?
> >>
> >> My setup is:
> >>
> >> grep include /etc/bind/named.conf
> >> ...
> >> include "/var/lib/samba/private/named.conf";
> >>
> >>
> >> root at dc1:/etc/bind# cat /var/lib/samba/private/named.conf
> >> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
> >> #
> >> # This file should be included in your main BIND configuration file
> >> #
> >> # For example with
> >> # include "/var/lib/samba/private/named.conf";
> >>
> >> #
> >> # This configures dynamically loadable zones (DLZ) from AD schema
> >> # Uncomment only single database line, depending on your BIND version
> >> #
> >> dlz "AD DNS Zone" {
> >>     # For BIND 9.8.x
> >>     # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
> >>
> >>     # For BIND 9.9.x
> >>     # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> >>
> >>     # For BIND 9.10.x
> >>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
> >> };
> >>
> >> Best Regards,
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
I have set this option to yes.

I think the problem is in another place. The DHCP server is not the DNS server. And I don't know how the DHCP server informs the DNS server.

In a classic setup without DLZ, something like the following is working well.

zone "example.com" in {
    ...
    include "/etc/bind/update-policy";
}

zone "30.168.192.in-addr.arpa." {
    ...
    include "/etc/bind/update-policy";
};

cat /etc/bind/update-policy
// to be included by every zone configuration
update-policy {
    grant local-ddns zonesub any;
    grant dhcpkey zonesub any;
};

How can I do this with DLZ in samba?
I have tried this: https://kb.isc.org/docs/aa-00995
My named.conf looks as follows:

root at dc1:/etc/bind# cat /var/lib/samba/private/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "ad_dns" {
    # For BIND 9.10.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};

key dhcpkey {
    algorithm hmac-md5;
    secret "......";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { dhcpkey; };
};

zone "sam.domain.com." {
    type master;
    dlz ad_dns;
    include "/etc/bind/update-policy";
};

Jan 22 16:46:14 dc1 named[12777]: generating session key for dynamic DNS
Jan 22 16:46:14 dc1 named[12777]: sizing zone task pool based on 8 zones
Jan 22 16:46:14 dc1 named[12777]: Loading 'ad_dns' using driver dlopen
Jan 22 16:46:14 dc1 named[12777]: samba_dlz: started for DN DC=sam,DC=domain,DC=com
Jan 22 16:46:14 dc1 named[12777]: samba_dlz: starting configure
Jan 22 16:46:14 dc1 named[12777]: samba_dlz: configured writeable zone '30.168.192.in-addr.arpa'
Jan 22 16:46:14 dc1 named[12777]: samba_dlz: Failed to configure zone 'sam.domain.com'
Jan 22 16:46:14 dc1 named[12777]: loading configuration: already exists
Jan 22 16:46:14 dc1 named[12777]: exiting (due to fatal error)

root at dc1:/etc/bind# named -V
BIND 9.10.3-P4-Debian <id:ebd72b3> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 6.3.0 20170516
compiled with OpenSSL version: OpenSSL 1.0.2l 25 May 2017
linked to OpenSSL version: OpenSSL 1.0.2q 20 Nov 2018
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
root at dc1:/etc/bind#

On 22.01.19 at 14:35, L.P.H. van Belle via samba wrote:
> Set auth-nxdomain yes;
On Tue, 22 Jan 2019 16:51:58 +0100 basti via samba <samba at lists.samba.org> wrote:
> I have set this option to yes.
>
> I think the problem is in another place. The DHCP server is not the
> DNS server. And I don't know how the DHCP server informs the DNS server.
>
> In a classic setup without DLZ, something like the following is working
> well.
>
> zone "example.com" in {
>     ...
>     include "/etc/bind/update-policy";
> }
>
> zone "30.168.192.in-addr.arpa." {
>     ...
>     include "/etc/bind/update-policy";
> };
>
> cat /etc/bind/update-policy
> // to be included by every zone configuration
> update-policy {
>     grant local-ddns zonesub any;
>     grant dhcpkey zonesub any;
> };
>
> How can I do this with DLZ in samba?
> I have tried this: https://kb.isc.org/docs/aa-00995
> My named.conf looks as follows:
>
> root at dc1:/etc/bind# cat /var/lib/samba/private/named.conf
> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
> #
> # This file should be included in your main BIND configuration file
> #
> # For example with
> # include "/var/lib/samba/private/named.conf";
>
> #
> # This configures dynamically loadable zones (DLZ) from AD schema
> # Uncomment only single database line, depending on your BIND version
> #
> dlz "ad_dns" {
>
>     # For BIND 9.10.x
>     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
> };
>
> key dhcpkey {
>     algorithm hmac-md5;
>     secret "......";
> };
>
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { dhcpkey; };
> };
>
> zone "sam.domain.com." {
>     type master;
>     dlz ad_dns;
>     include "/etc/bind/update-policy";
> };
>
> Jan 22 16:46:14 dc1 named[12777]: generating session key for dynamic DNS
> Jan 22 16:46:14 dc1 named[12777]: sizing zone task pool based on 8 zones
> Jan 22 16:46:14 dc1 named[12777]: Loading 'ad_dns' using driver dlopen
> Jan 22 16:46:14 dc1 named[12777]: samba_dlz: started for DN DC=sam,DC=domain,DC=com
> Jan 22 16:46:14 dc1 named[12777]: samba_dlz: starting configure
> Jan 22 16:46:14 dc1 named[12777]: samba_dlz: configured writeable zone '30.168.192.in-addr.arpa'
> Jan 22 16:46:14 dc1 named[12777]: samba_dlz: Failed to configure zone 'sam.domain.com'
> Jan 22 16:46:14 dc1 named[12777]: loading configuration: already exists
> Jan 22 16:46:14 dc1 named[12777]: exiting (due to fatal error)

Why didn't you say that you were trying to set the dns records from dhcp ?

Try reading this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

This is written with Bind9 and dhcp running on the DC, but you should be able to make it work with the dhcp on another computer, but the BIND9 server must run on the DC.

Rowland
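The thread's point is that with the BIND9_DLZ back end there is no per-zone update-policy block to include: an authenticated (GSS-TSIG) update is what creates the A and the PTR record, and for a DHCP-assigned address the DHCP server has to send that update, which is what the Samba wiki page Rowland links to sets up. The script below is an added example, not code from the thread or from the Samba wiki. It builds the nsupdate batch a DHCP commit hook would pipe into nsupdate -g, covering the PTR record that basti's setup was missing. The zone name sam.domain.com and the network 192.168.30.0/24 are taken from the thread; the principal name, keytab path, host name and TTL are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the nsupdate batch that a
# DHCP commit hook feeds to `nsupdate -g` so that BOTH the A record and the
# PTR record are refreshed for a lease. Principal, keytab, TTL and host name
# are placeholders; the zone and network come from the thread.
set -eu

FORWARD_ZONE="sam.domain.com"                 # AD DNS zone from the thread
DNS_SERVER="127.0.0.1"                        # BIND9_DLZ runs on the DC
TTL=3600                                      # placeholder
UPDATE_PRINCIPAL="dhcpduser@SAM.DOMAIN.COM"   # placeholder update account
UPDATE_KEYTAB="/etc/dhcpduser.keytab"         # placeholder keytab path

# Turn an IPv4 dotted quad into its in-addr.arpa owner name.
# 192.168.30.42 -> 42.30.168.192.in-addr.arpa ; returns 1 on malformed input.
reverse_name() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Emit the nsupdate commands for one lease. Deleting before adding keeps a
# host from accumulating stale records when its address changes. The forward
# and reverse updates are sent as two separate transactions because an
# RFC 2136 update is scoped to one zone: a refused PTR write (for example a
# reverse zone the update account may not edit) must not take the A record
# down with it.
build_nsupdate_batch() {
    host=$1
    ip=$2
    fqdn="$host.$FORWARD_ZONE"
    ptr=$(reverse_name "$ip") || return 1
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update delete %s. A\n' "$fqdn"
    printf 'update add %s. %s A %s\n' "$fqdn" "$TTL" "$ip"
    printf 'send\n'
    printf 'update delete %s. PTR\n' "$ptr"
    printf 'update add %s. %s PTR %s.\n' "$ptr" "$TTL" "$fqdn"
    printf 'send\n'
}

# Obtain a ticket for the update account from its keytab and push the batch
# with GSS-TSIG (nsupdate -g). The DLZ module, not an update-policy block,
# decides whether that principal may write the records.
push_lease() {
    kinit -k -t "$UPDATE_KEYTAB" "$UPDATE_PRINCIPAL"
    build_nsupdate_batch "$1" "$2" | nsupdate -g
}

# Stand-alone demo on a constructed lease; prints the batch, contacts nothing.
if [ "${1:-}" = "--demo" ]; then
    build_nsupdate_batch pc01 192.168.30.42
fi
```

Run it with --demo to see the batch for the constructed lease pc01/192.168.30.42; a real hook would call push_lease with the host name and address dhcpd hands it. If named logs a REFUSED for the reverse zone only, the update account lacks write access to 30.168.192.in-addr.arpa in AD, which is the same symptom as "A works, PTR does not".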
This is my running config..
(run : named-checkconf -p)

What works...
PC static ip, the PC updates A and PTR records.
PC dhcp ip, the SERVER updates A and PTR records. (DHCP server on the DC)
PC dhcp ip, the dhcp server outside the samba domain. The PC updates A and PTR records.

My complete config. ( almost, changed a little here )

/etc/bind/named.conf.options
acl thisserverip {
    192.168.0.1;
};
acl all-networks {
    192.168.249.0/24;
};

options {
    directory "/var/cache/bind";
    version "0.0.7";
    forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };

    dnssec-validation no;
    auth-nxdomain yes; # conform to RFC1035 =no

    listen-on-v6 { "none"; };
    listen-on port 53 { "thisserverip"; 127.0.0.1; };

    notify no;
    empty-zones-enable no;

    allow-query { "all-networks"; 127.0.0.1/32; };
    allow-recursion { "all-networks"; 127.0.0.1/32; };

    // https://wiki.samba.org/index.php/Dns-backend_bind
    // DNS dynamic updates via Kerberos (optional, but recommended)
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};

/etc/bind/named.conf.local
// Consider adding the 1918 zones here, if they are not used in your organization
//include "/etc/bind/zones.rfc1918";
//
// COMMENT LVB, Take note of... Consider adding ... if they are not used.
//

// adding the dlopen ( Bind DLZ ) module for samba.
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
@L.P.H. this config looks simpler than https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9. Do you update via DHCP?

@Rowland thanks for the link. I have tried dns/dhcp updates after the change to auth-nxdomain yes; it does not show the result I want to see. Sorry for this inconvenience. I will try it tomorrow.

In the link you posted I can read "don't forget to stop your windows clients trying to update their own records, ..." How is this done?

On 22.01.19 17:14, L.P.H. van Belle via samba wrote:
> This is my running config..
> (run : named-checkconf -p)
>
> What works...
> PC static ip, the PC updates A and PTR records.
> PC dhcp ip, the SERVER updates A and PTR records. (DHCP server on the DC)
> PC dhcp ip, the dhcp server outside the samba domain.
> the PC updates A and PTR records.
>
> My complete config. ( almost, changed a little here )
>
> /etc/bind/named.conf.options
> acl thisserverip {
>     192.168.0.1;
> };
> acl all-networks {
>     192.168.249.0/24;
> };
>
> options {
>     directory "/var/cache/bind";
>     version "0.0.7";
>     forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8; };
>
>     dnssec-validation no;
>     auth-nxdomain yes; # conform to RFC1035 =no
>
>     listen-on-v6 { "none"; };
>     listen-on port 53 { "thisserverip"; 127.0.0.1; };
>
>     notify no;
>     empty-zones-enable no;
>
>     allow-query { "all-networks"; 127.0.0.1/32; };
>     allow-recursion { "all-networks"; 127.0.0.1/32; };
>
>     // https://wiki.samba.org/index.php/Dns-backend_bind
>     // DNS dynamic updates via Kerberos (optional, but recommended)
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> };
>
> /etc/bind/named.conf.local
> // Consider adding the 1918 zones here, if they are not used in your organization
> //include "/etc/bind/zones.rfc1918";
> //
> // COMMENT LVB, Take note of... Consider adding ... if they are not used.
> //
>
> // adding the dlopen ( Bind DLZ ) module for samba.
> include "/var/lib/samba/private/named.conf";
>
>
> /etc/bind/named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };