Pierre, BRIEC
2019-Mar-14 19:20 UTC
[Samba] How to automatically store the macAddress in AD
Hi list,

Does someone know a way to automatically store the hwaddress in the AD? I'm using Veyon in my school to manage the students' PCs, and if the hwaddress is populated in the AD, the Room configuration can be set with AD; otherwise I have to manage rooms manually.
I'm using samba4 with bind, and isc-dhcp-server is on the same server.
Can we use scripts or some ways?

thanks in advance
Pierre
Rowland Penny
2019-Mar-14 19:31 UTC
[Samba] How to automatically store the macAddress in AD
On Thu, 14 Mar 2019 20:20:54 +0100
"Pierre, BRIEC via samba" <samba at lists.samba.org> wrote:

> Hi list,
>
> Does someone know a way to automatically store the hwaddress in the
> AD? I'm using Veyon in my school to manage the students' PCs and if
> the hwaddress is populated in the AD, the Room configuration can be
> set with AD, otherwise I have to manage rooms manually.
> I'm using samba4 with bind, and isc-dhcp-server is on the same server.
> Can we use scripts or some ways?
>
> thanks in advance
> Pierre
>
> --

Well, seeing as the dhcp server passes the mac address to the update script and there is an attribute called 'macAddress' available, it should be fairly easy (famous last words) to add something to the script to do what you want.

The main stumbling block will be in where to store it.

Rowland
Rowland Penny
2019-Mar-14 20:58 UTC
[Samba] How to automatically store the macAddress in AD
On Thu, 14 Mar 2019 21:32:43 +0100
"Pierre, BRIEC" <pierre.briec at stetherese.net> wrote:

> Hi,
> from the veyon documentation
> A standard Active Directory does not have an attribute for storing MAC
> addresses.

Do you think I imagined the attribute called 'macAddress'?
Its objectclass is 'ieee802Device' and they can be added to a computer object in AD.

Rowland

> You'll need to populate MAC addresses manually in an
> existing unused attribute such as wwwHomepage or extend the AD scheme.
> Additionally you can grant computers group write access to SELF and
> let them store the MAC address of the first physical LAN adapter by
> using a PowerShell startup script.
>
> So, is it possible?
>
>
> On Thu, 14 Mar 2019 20:31, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Thu, 14 Mar 2019 20:20:54 +0100
> > "Pierre, BRIEC via samba" <samba at lists.samba.org> wrote:
> >
> > > Hi list,
> > >
> > > Does someone know a way to automatically store the hwaddress in
> > > the AD? I'm using Veyon in my school to manage the students' PCs
> > > and if the hwaddress is populated in the AD, the Room
> > > configuration can be set with AD, otherwise I have to manage rooms
> > > manually. I'm using samba4 with bind, and isc-dhcp-server is on
> > > the same server. Can we use scripts or some ways?
> > >
> > > thanks in advance
> > > Pierre
> > >
> > > --
> >
> > Well, seeing as the dhcp server passes the mac address to the update
> > script and there is an attribute called 'macAddress' available, it
> > should be fairly easy (famous last words) to add something to the
> > script to do what you want.
> >
> > The main stumbling block will be in where to store it.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
On Thu, 14 Mar 2019 21:32:43 +0100
"Pierre, BRIEC" <pierre.briec at stetherese.net> wrote:

> Hi,
> from the veyon documentation
> A standard Active Directory does not have an attribute for storing MAC
> addresses.

https://docs.microsoft.com/en-us/windows/desktop/adschema/a-macaddress
On 14.03.19 at 20:20, Pierre, BRIEC via samba wrote:
> Hi list,
>
> Does someone know a way to automatically store the hwaddress in the AD?
> I'm using Veyon in my school to manage the students' PCs and if the hwaddress
> is populated in the AD, the Room configuration can be set with AD, otherwise
> I have to manage rooms manually.

You may read the Veyon Administrator Manual <http://docs.veyon.io/en/4.1/admin/>.

> I'm using samba4 with bind, and isc-dhcp-server is on the same server.
> Can we use scripts or some ways?

ISC dhcpd has native support to store in and retrieve from ldap ALL the dhcp attributes you normally have in flat files.

What does this mean?

We, the "Arktur 4 developers", have built a solution where the teacher PC has a GUI to control all dhcp stuff in ldap. One click to terminate a student PC's internet access. One click to isolate a classroom from all other networks in case you will write an exam.

I have no clue how to do this with AD, but it should work if you use samba AD with bind dlz.

>
> thanks in advance
> Pierre
>
> --

--
Harry Jede
Nico Kadel-Garcia
2019-Mar-16 21:36 UTC
[Samba] How to automatically store the macAddress in AD
On Sat, Mar 16, 2019 at 2:39 AM Harry Jede via samba <samba at lists.samba.org> wrote:
>
> On 14.03.19 at 20:20, Pierre, BRIEC via samba wrote:
> > Hi list,
> >
> > Does someone know a way to automatically store the hwaddress in the AD?
> > I'm using Veyon in my school to manage the students' PCs and if the hwaddress
> > is populated in the AD, the Room configuration can be set with AD, otherwise
> > I have to manage rooms manually.
> You may read the Veyon Administrator Manual
> <http://docs.veyon.io/en/4.1/admin/>.
> > I'm using samba4 with bind, and isc-dhcp-server is on the same server.
> > Can we use scripts or some ways?
> ISC dhcpd has native support to store in and retrieve from ldap ALL the dhcp
> attributes you normally have in flat files.
> What does this mean?
> We, the "Arktur 4 developers", have built a solution where the teacher PC
> has a GUI to control all dhcp stuff in ldap. One click to terminate a
> student PC's internet access. One click to isolate a classroom from all
> other networks in case you will write an exam.
> I have no clue how to do this with AD, but it should work if you use
> samba AD with bind dlz.

DNS and DHCP are two distinct toolkits. I think that it will help if you go back to basics.

DHCP detects when a network device of some kind with a MAC address says "hey, look at me, I'd like a network configuration, please!!!" And it assigns one, with an IP address, a netmask, a gateway, and maybe some other information like a domain name and DNS and NTP. Check out https://tools.ietf.org/html/rfc2131 and others for more details.

DNS is a service that lets a network service, such as those in your local computer's network setup, accept a hostname and look up the IP address that goes with it. It also supports taking an IP address and looking up a hostname, but they do not have to match and they involve distinct types of DNS.

And a computer hostname can have something to do with DNS; it's very common for them to match, but it doesn't have to. It's associated by convention, not by necessity. Dynamic DNS, which Samba and AD support, allows a computer connected to the server to register its IP address, tied to its hostname, in DNS. It's useful: Samba can tie the act of logging into the domain when you plug in your computer to DNS, and this is very desirable so you can take your laptop to a different place, on a different network, log in, and have other computers able to find it or to log connections from it.

What this person seeks is control of DHCP, to permit or block MAC addresses. There can be a table set up in DHCP, configured to set certain MAC addresses to be assigned certain network configurations, and non-listed MAC addresses get *nothing* from DHCP. Alternatively, they can be assigned to a somewhat less accessible guest subnet or VLAN, one that is configured at the switches and routers with less access to shared resources. That setup is actually fairly common. It can also have a forced proxy setup that requires separate registration, and that is *very* common in free wifi areas or pay wifi areas like restaurants and hotels.

The key is that this has nothing to do, directly, with Samba. DNS and dynamic DNS would be *after* DHCP registration of the network device. Samba wouldn't see anything until *after* DHCP has already successfully registered the MAC address with a specific IP address and helped the device connect to the local network. Someone may have written a useful tool to help administrators register and manage devices in both Samba or AD and in the local DHCP, but they're distinct services. AD elected to build DHCP directly into their software suite. The last time I looked personally, Samba had stayed out of that, I think correctly, because there were already good DHCP servers built into every major UNIX and Linux operating system, and why replace something else that works quite well?
Rowland Penny
2019-Mar-17 10:24 UTC
[Samba] How to automatically store the macAddress in AD
On Thu, 14 Mar 2019 20:58:35 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 14 Mar 2019 21:32:43 +0100
> "Pierre, BRIEC" <pierre.briec at stetherese.net> wrote:
>
> > Hi,
> > from the veyon documentation
> > A standard Active Directory does not have an attribute for storing
> > MAC addresses.
>
> Do you think I imagined the attribute called 'macAddress'?
> Its objectclass is 'ieee802Device' and they can be added to a
> computer object in AD.
>
> Rowland
>
> > You'll need to populate MAC addresses manually in an
> > existing unused attribute such as wwwHomepage or extend the AD
> > scheme. Additionally you can grant computers group write access to
> > SELF and let them store the MAC address of the first physical LAN
> > adapter by using a PowerShell startup script.
> >
> > So, is it possible?

OK, after Pierre posted the above, and knowing the required attribute does exist, I tried to get my DHCP update script to add a mac address to a computer object. I was successful in doing this, but there is a gotcha: you need to give 'dhcpduser' (this is the user used by the script) write permissions on the Computers OU.

Now whether you would want to do this, or if Veyon will use the data stored on a computer object, are further questions.

Rowland
Denis Cardon
2019-Mar-18 08:16 UTC
[Samba] How to automatically store the macAddress in AD
Hi Pierre,

> Does someone know a way to automatically store the hwaddress in the AD?
> I'm using Veyon in my school to manage the students' PCs and if the hwaddress
> is populated in the AD, the Room configuration can be set with AD, otherwise
> I have to manage rooms manually.
> I'm using samba4 with bind, and isc-dhcp-server is on the same server.
> Can we use scripts or some ways?

There is nothing that does that directly integrated in Samba-AD. If you have WAPT installed on your network, you should check the following thread on the WAPT mailing list; the exact same topic of configuring Veyon and macAddress was covered with a simple solution (as long as you have WAPT installed): https://lists.tranquil.it/pipermail/wapt/2019-January/003034.html

Cheers,

Denis

>
> thanks in advance
> Pierre
>
> --
>

--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it
Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
Rowland Penny
2019-Mar-18 13:28 UTC
[Samba] How to automatically store the macAddress in AD
On Mon, 18 Mar 2019 09:16:01 +0100
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi Pierre,
>
> > Does someone know a way to automatically store the hwaddress in the
> > AD? I'm using Veyon in my school to manage the students' PCs and if
> > the hwaddress is populated in the AD, the Room configuration can be
> > set with AD, otherwise I have to manage rooms manually.
> > I'm using samba4 with bind, and isc-dhcp-server is on the same
> > server. Can we use scripts or some ways?
>
> There is nothing that does that directly integrated in Samba-AD. If you
> have WAPT installed on your network, you should check the following
> thread on the WAPT mailing list; the exact same topic of configuring
> Veyon and macAddress was covered with a simple solution (as long as
> you have WAPT installed):
> https://lists.tranquil.it/pipermail/wapt/2019-January/003034.html
>
> Cheers,
>
> Denis

Hi Denis,

The only problem with your method is that it will only work for Windows clients; having said that, if you only have Windows clients, then it isn't a problem ;-)

If you are using Bind9 and updating dns via the script found here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

You can extend it to do the same thing, and this will update all domain members, Linux and Windows.

All you need to do is replace the last line 'exit ${result}' with this:

    Hostname=$(hostname -s)

    # For this to work, you must add 'dhcpduser' to the 'Domain Admins' group
    # First look for the computer object that already carries the 'ieee802Device' objectclass
    Computer_Object=$(ldbsearch -k yes -H ldap://"$Hostname" "(&(objectclass=computer)(objectclass=ieee802Device)(cn=$name))" | grep -v '#' | grep -v 'ref:')

    if [ -z "$Computer_Object" ]; then
        # Computer object not found with the 'ieee802Device' objectclass,
        # does the computer actually exist? It should if it is joined to the domain.
        Computer_Object=$(ldbsearch -k yes -H ldap://"$Hostname" "(&(objectclass=computer)(cn=$name))" | grep -v '#' | grep -v 'ref:')

        if [ -z "$Computer_Object" ]; then
            logger "Computer '$name' not found. Exiting."
            result="${result}68"
            exit "${result}"
        else
            # The 'dn:' line of the search result is reused as the first line of each LDIF
            DN=$(echo "$Computer_Object" | grep 'dn:')

            objldif="$DN
    changetype: modify
    add: objectclass
    objectclass: ieee802Device"

            attrldif="$DN
    changetype: modify
    add: macAddress
    macAddress: $DHCID"

            # add the ldif
            echo "$objldif" | ldbmodify -k yes -H ldap://"$Hostname"
            ret="$?"
            if [ "$ret" -ne 0 ]; then
                logger "Error modifying Computer objectclass $name in AD."
                result="${result}${ret}"
                exit "${result}"
            fi

            sleep 2

            echo "$attrldif" | ldbmodify -k yes -H ldap://"$Hostname"
            ret="$?"
            if [ "$ret" -ne 0 ]; then
                logger "Error modifying Computer attribute $name in AD."
                result="${result}${ret}"
                exit "${result}"
            fi

            unset objldif
            unset attrldif
            logger "Successfully modified Computer $name in AD"
        fi
    else
        # Object already has the objectclass, so only the attribute needs replacing
        DN=$(echo "$Computer_Object" | grep 'dn:')

        attrldif="$DN
    changetype: modify
    replace: macAddress
    macAddress: $DHCID"

        echo "$attrldif" | ldbmodify -k yes -H ldap://"$Hostname"
        ret="$?"
        if [ "$ret" -ne 0 ]; then
            logger "Error modifying Computer attribute $name in AD."
            result="${result}${ret}"
            exit "${result}"
        fi

        unset attrldif
        logger "Successfully modified Computer $name in AD"
        result="${result}0"
    fi

    exit ${result}

Add 'dhcpduser' to the 'Domain Admins' group and it should just work.

There are a couple of 'gotchas': it will (obviously) only work for clients that get their IP via DHCP, and then only if they are joined to the domain.

Finally, somebody should tell Veyon that their documentation is wrong; there is a standard AD attribute to store a MAC address in.

Rowland
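The extension above takes $name (the hostname the DHCP client announced) and $DHCID (its hardware address) exactly as dhcpd hands them over and splices them into an LDAP search filter and into LDIF that a user with write access to the Computers OU then applies. What follows is an added example, not Rowland's script and not the Samba wiki's: it checks both values before they are used, so that a hostname containing anything other than a DNS label (including LDAP filter metacharacters such as '*', '(' or ')') or a malformed MAC is logged and rejected instead of reaching ldbsearch/ldbmodify, and it builds the same two LDIF operations the thread uses (add the ieee802Device objectclass, then add or replace macAddress). The helper names are hypothetical, the DN and values at the bottom are constructed samples, the variable names follow the wiki script, and the colon-separated six-octet MAC form is assumed to be what dhcpd passes.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of the Samba wiki script):
# validate DHCP-supplied $name and $DHCID before building LDAP filters/LDIF.

# Return 0 if $1 is a single DNS host label (RFC 1123 style): 1-63 characters,
# letters, digits or hyphen, no leading or trailing hyphen. Everything else is
# rejected, so the value is safe to embed in "(cn=$name)".
valid_hostname() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Return 0 if $1 is a MAC address in the colon-separated form assumed to come
# from dhcpd (six hex pairs, any case), e.g. 00:11:22:aa:bb:cc.
valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the LDAP filter for a computer object named $1; only call this after
# valid_hostname has accepted the name.
computer_filter() {
    printf '(&(objectclass=computer)(cn=%s))' "$1"
}

# Print the LDIF that adds the ieee802Device objectclass to the object at DN $1
# (the first ldbmodify of the thread's script).
objectclass_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: objectclass\nobjectclass: ieee802Device\n' "$1"
}

# Print the LDIF that sets macAddress on DN $1 to $2. $3 is "add" for an object
# that has no macAddress yet, "replace" for one that already has one.
mac_ldif() {
    printf 'dn: %s\nchangetype: modify\n%s: macAddress\nmacAddress: %s\n' "$1" "$3" "$2"
}

# Whole check: validate both DHCP-supplied values, normalise the MAC to lower
# case and emit the LDIF a hook would pipe into ldbmodify.
# Returns 64 on a bad hostname and 65 on a bad MAC without printing any LDIF.
build_update() {
    name=$1 mac=$2 dn=$3 mode=$4
    valid_hostname "$name" || { printf 'rejecting hostname %s\n' "$name" >&2; return 64; }
    valid_mac "$mac"       || { printf 'rejecting MAC %s\n' "$mac" >&2; return 65; }
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    mac_ldif "$dn" "$mac" "$mode"
}

# Stand-alone demonstration on constructed values. In a real hook the output
# would be piped into: ldbmodify -k yes -H ldap://"$(hostname -s)"
build_update 'pc-room1-07' '00:11:22:AA:bb:cc' \
    'CN=pc-room1-07,CN=Computers,DC=example,DC=com' replace
```

Keeping the validation in functions that return a status rather than calling exit means the calling hook can decide what to do with a rejected lease (log it, skip the AD update, but still let the DNS update proceed), and the LDIF builders can be exercised without a domain controller present.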