Hi,

We have some issues with the reverse DNS in Samba AD. We're running Bind9_DLZ on Ubuntu 18.04. The DHCP server (Ubuntu 16.04) is different to the AD server and not in the same AD domain. The DHCP scope points to the Samba AD server as the DNS server.

When a machine with a DHCP-assigned address tries to update the DNS record, it is able to update the forward zone but not the reverse zone. The only time it updates both the forward and the reverse is if the machine is set up with a static IP.

The global bit of the smb.conf:

[global]
        workgroup = LIN
        realm = LIN.GROUP
        netbios name = server5
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/log.%m
        log level = 4
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        acl allow execute always = True
        server services = -dns
        allow dns updates = nonsecure
        unix extensions = No

The following syslog is with allow dns updates = nonsecure:

root@server5-ad:/var/log# tail -f syslog
Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: spnego update failed
Jun 19 02:47:19 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#59581/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: starting transaction on zone LIN.group
Jun 19 02:47:22 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#50012: update 'LIN.group/IN' denied
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: starting transaction on zone LIN.group
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: spnego update failed
Jun 19 02:47:22 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#52845/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group
Jun 19 02:47:44 server5-ad samba[3132]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

The following syslog is with allow dns updates = secure:

Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing update of signer=site01-WIN7-01\$\@LIN.GROUP name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing update of signer=site01-WIN7-01\$\@LIN.GROUP name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0
Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'site01-WIN7-01.LIN.group' AAAA
Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'site01-WIN7-01.LIN.group' A
Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'site01-WIN7-01.LIN.group' A 192.168.14.187
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: added rdataset site01-WIN7-01.LIN.group 'site01-WIN7-01.LIN.group.#0111200#011IN#011A#011192.168.14.187'
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 12474 900 600 86400 3600'
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 12475 900 600 86400 3600'
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: committed transaction on zone LIN.group
Jun 19 02:52:56 server5-ad samba[3240]: dnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb
Jun 19 02:53:27 server5-ad samba[3240]: [2019/06/19 02:53:27.656391, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)

The following syslog is with allow dns updates = nonsecure but with a static IP:

samba_dlz: added rdataset 14.168.192.in-addr.arpa '14.168.192.in-addr.arpa.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group.

The bind files:

root@server5-ad:/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

root@server5-ad:/etc/bind# cat named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

The named.conf in /var/lib/samba/private:

dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

root@server5-ad:/var/lib/samba/private# klist -kte /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/14/19 04:37:19 DNS/server5.LIN.group@LIN.GROUP (des-cbc-crc)
   1 06/14/19 04:37:19 dns-server5@LIN.GROUP (des-cbc-crc)
   1 06/14/19 04:37:19 DNS/server5.LIN.group@LIN.GROUP (des-cbc-md5)
   1 06/14/19 04:37:19 dns-server5@LIN.GROUP (des-cbc-md5)
   1 06/14/19 04:37:19 DNS/server5.LIN.group@LIN.GROUP (arcfour-hmac)
   1 06/14/19 04:37:19 dns-server5@LIN.GROUP (arcfour-hmac)
   1 06/14/19 04:37:19 DNS/server5.LIN.group@LIN.GROUP (aes128-cts-hmac-sha1-96)
   1 06/14/19 04:37:19 dns-server5@LIN.GROUP (aes128-cts-hmac-sha1-96)
   1 06/14/19 04:37:19 DNS/server5.LIN.group@LIN.GROUP (aes256-cts-hmac-sha1-96)
   1 06/14/19 04:37:19 dns-server5@LIN.GROUP (aes256-cts-hmac-sha1-96)

root@server5-ad:/var/log# service --status-all
 [ - ]  apparmor
 [ + ]  bind9
 [ - ]  console-setup.sh
 [ + ]  cron
 [ + ]  dbus
 [ - ]  hwclock.sh
 [ - ]  irqbalance
 [ - ]  keyboard-setup.sh
 [ - ]  kmod
 [ - ]  nmbd
 [ + ]  ntp
 [ - ]  plymouth
 [ - ]  plymouth-log
 [ + ]  postfix
 [ + ]  procps
 [ - ]  rsync
 [ + ]  rsyslog
 [ + ]  samba-ad-dc
 [ - ]  smbd
 [ + ]  ssh
 [ - ]  udev
 [ + ]  ufw
 [ - ]  urandom
 [ - ]  uuidd
 [ - ]  winbind
 [ - ]  x11-common

Regards,
Praveen Ghimire
Hai,

Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: spnego update failed
Jun 19 02:47:19 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#59581/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)

This part tells me your DNS setup is not correct. These 2:

samba_dlz: spnego update failed                       < DLZ failed.
client @0x7f1c64008380 ....                           < normal attempt.
update failed: rejected by secure update (REFUSED)

This looks like a wrong setup in bind. From bind.conf.options:

// https://wiki.samba.org/index.php/Dns-backend_bind
// DNS dynamic updates via Kerberos (optional, but recommended)
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";   < samba 4.9, before upgrading the dns location.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";    < samba 4.9+, after upgrading the dns location.
// Note, I manually moved the dns.keytab file and checked the path.
};

// you might be missing this one also, yes, it's really needed.
include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};

> The DHCP server(Ubuntu 16.04) is different to the AD server and not in the same AD domain

That's fine as long as the user and SPNs exist that are needed for updating.

Good to see you're on Ubuntu. Can you run this for me on the DCs:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
and post the output.

And for the DHCP server, post the DHCP config, and review the DHCP setup with this link:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

It's better to set these to No.
Your setup will still work but now a bit faster ;-)

> winbind enum users = yes
> winbind enum groups = yes

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Praveen Ghimire via samba
> Sent: Wednesday 19 June 2019 5:22
> To: samba at lists.samba.org
> Subject: [Samba] Reverse DNS
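As an added example (it is not code from this thread, from Samba or from BIND), here is a small Python triage script that reads the named/samba_dlz lines quoted above the way Louis reads them. The classification rules are my own: an unsigned "update ... denied" line is the client's first, unsigned attempt; "spnego update failed" followed by "rejected by secure update (REFUSED)" means the DLZ module could not verify the client's Kerberos (GSS-TSIG) signature, which is what a wrong or unreadable tkey-gssapi-keytab produces; "allowing update of signer=..." is a signed update that was verified. It also records which zones saw a DLZ transaction at all, because in this thread the reverse zone never appears in the named log, so the question "was the PTR update refused or never attempted?" can be answered from the DC side. The sample lines are copied from the thread; the single 14.168.192.in-addr.arpa transaction line is constructed to show the reverse-zone case.

```python
import re
from collections import defaultdict

# Lines copied from the thread (allow dns updates = nonsecure run, client refused).
SAMPLE_REFUSED = [
    r"Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: spnego update failed",
    r"Jun 19 02:47:19 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#59581/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)",
    r"Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group",
    r"Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: starting transaction on zone LIN.group",
    r"Jun 19 02:47:22 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#50012: update 'LIN.group/IN' denied",
    r"Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group",
    r"Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: starting transaction on zone LIN.group",
    r"Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: spnego update failed",
    r"Jun 19 02:47:22 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#52845/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)",
    r"Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: cancelling transaction on zone LIN.group",
]

# Lines copied from the thread (allow dns updates = secure run, update applied).
SAMPLE_OK = [
    r"Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing update of signer=site01-WIN7-01\$\@LIN.GROUP name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0",
    r"Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing update of signer=site01-WIN7-01\$\@LIN.GROUP name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0",
    r"Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'site01-WIN7-01.LIN.group' AAAA",
    r"Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'site01-WIN7-01.LIN.group' A",
    r"Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'site01-WIN7-01.LIN.group' A 192.168.14.187",
    r"Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: committed transaction on zone LIN.group",
]

# Constructed line (not from the thread): what a reverse-zone transaction would look like.
SAMPLE_REVERSE = SAMPLE_OK + [
    r"Jun 19 02:52:55 server5-ad named[3221]: samba_dlz: starting transaction on zone 14.168.192.in-addr.arpa",
]

RE_SPNEGO = re.compile(r"samba_dlz: spnego update failed")
RE_ALLOW = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
                      r"tcpaddr=(?P<ip>\S+) type=(?P<type>\S+)")
RE_TXN = re.compile(r"samba_dlz: (?P<what>starting|committed|cancelling) transaction on zone (?P<zone>\S+)")
RE_CLIENT = re.compile(r"client @0x[0-9a-f]+ (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+"
                       r"(?:/key (?P<signer>\S+?))?: (?P<rest>.*)$")
RE_ZONE = re.compile(r"updat(?:ing zone|e) '(?P<zone>[^/']+)/")

EXPLAIN = {
    "SECURE_OK": "GSS-TSIG signed updates are verified and applied",
    "GSS_TSIG_REFUSED": "client signed its update but the DLZ module could not verify the Kerberos "
                        "signature (spnego update failed); check tkey-gssapi-keytab and that named can read dns.keytab",
    "UNSIGNED_ONLY": "only unsigned updates seen and all were denied by policy",
    "NO_VERDICT": "no update attempts classified for this client",
}


def classify(line):
    """Return (kind, fields) for a DNS-update related line, or None for noise."""
    if RE_SPNEGO.search(line):
        return ("spnego_failed", {})
    m = RE_ALLOW.search(line)
    if m:
        return ("signed_allowed", m.groupdict())
    m = RE_TXN.search(line)
    if m:
        return ("txn_" + m.group("what"), {"zone": m.group("zone")})
    m = RE_CLIENT.search(line)
    if m:
        rest = m.group("rest")
        z = RE_ZONE.search(rest)
        fields = {"ip": m.group("ip"), "signer": m.group("signer"),
                  "zone": z.group("zone") if z else None}
        if "rejected by secure update" in rest:
            return ("gss_tsig_refused", fields)
        if rest.endswith("denied"):          # unsigned first attempt, denied by policy
            return ("unsigned_denied", fields)
        if "adding an RR" in rest or "deleting rrset" in rest:
            return ("rr_change", fields)
    return None


def triage(lines):
    """Count event kinds per client IP ('*' for lines without an address) and collect zones with DLZ transactions."""
    per_client = defaultdict(lambda: defaultdict(int))
    zones = set()
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        kind, fields = ev
        if kind.startswith("txn_"):
            zones.add(fields["zone"].lower())
        else:
            per_client[fields.get("ip", "*")][kind] += 1
    return per_client, zones


def verdict(per_client):
    """One code per client; a verified signed update outranks earlier refusals."""
    out = {}
    for ip, c in per_client.items():
        if ip == "*":
            continue
        if c["signed_allowed"]:
            out[ip] = "SECURE_OK"
        elif c["gss_tsig_refused"]:
            out[ip] = "GSS_TSIG_REFUSED"
        elif c["unsigned_denied"]:
            out[ip] = "UNSIGNED_ONLY"
        else:
            out[ip] = "NO_VERDICT"
    return out


def reverse_zone_touched(zones):
    """True if any DLZ transaction ran on an in-addr.arpa zone (i.e. a PTR update reached named)."""
    return any(z.endswith(".in-addr.arpa") for z in zones)


def report(lines):
    per_client, zones = triage(lines)
    out = [f"{ip}: {code} - {EXPLAIN[code]}" for ip, code in sorted(verdict(per_client).items())]
    out.append(f"reverse zone transaction seen: {reverse_zone_touched(zones)}")
    return "\n".join(out)


if __name__ == "__main__":
    for name, sample in (("refused", SAMPLE_REFUSED), ("ok", SAMPLE_OK), ("reverse", SAMPLE_REVERSE)):
        print(f"--- {name} ---")
        print(report(sample))
```

Run it against `journalctl -u bind9` or the syslog excerpt instead of the embedded samples and the per-client codes separate an authentication problem on the DC (keytab) from a policy denial and from a client that simply never sent a PTR update; the last case points at the client or DHCP side rather than at BIND.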
Hi Louis,

Just an update on this. I ran up a new test LXC container and completely removed apparmor. Then installed the packages. I got the same errors.

I thought I would change the DNS from Bind to internal and back to bind. The following is going from Bind9 to Internal:

root@server5-ad:/var/log# service bind9 stop
root@server5-ad:/var/log# systemctl mask bind9
Created symlink /etc/systemd/system/bind9.service -> /dev/null.
root@server5-ad:/var/log# service samba-ad-dc stop
root@server5-ad:/var/log# samba_upgradedns --dns-backend=SAMBA_INTERNAL

I removed the "server services = -dns" from smb.conf. I got the following error:

/source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110

Then I ran the samba_dnsupdate, which failed:

Jun 24 01:26:39 server5-ad samba[800]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 24 01:26:49 server5-ad ntpd[120]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted

added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
IPs: ['192.168.14.10']
Looking for DNS entry A server5.LIN.group 192.168.14.10 as server5.LIN.group.
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 827, in <module>
    elif not check_dns_name(d):
  File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
    raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
Exception: Timeout while waiting to contact a working DNS server while looking for A server5.LIN.group 192.168.14.10 as server5.LIN.group.

I then reverted back to Bind9 and saw the errors I was seeing before. It creates the forward DNS entry but not the reverse. I am underlining the errors.

Jun 24 01:36:20 server5-ad samba[1037]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Mon, 24 Jun 2019 01:36:20.628460 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Jun 24 01:36:21 server5-ad named[1007]: resolver priming query complete
Jun 24 01:36:23 server5-ad named[1007]: message repeated 2 times: [ resolver priming query complete]
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
------------------------------------------------------------------------------------------------------------------------------------------------
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' AAAA
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 43 900 600 86400 3600'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 900 600 86400 3600'
Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
Jun 24 01:36:24 server5-ad named[1007]: resolver priming query complete
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#64221: update 'LIN.group/IN' denied
-----------------------------------------------------------------------------------------------------------------------------------------------
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset 'bw10.LIN.group' AAAA
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: subtracted rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group

The permissions of the bind files:

root@server5-ad:# ls -ld /var/lib/samba/private/
drwxr-xr-x 8 root root 27 Jun 24 01:48 /var/lib/samba/private/
root@server5-ad:# ls -l /var/lib/samba/private/named.conf
-rw-r--r-- 1 root root 780 Jun 24 01:35 /var/lib/samba/private/named.conf
root@server5-ad:# ls -ld /var/lib/samba/private/dns
drwxrwx--- 3 root bind 4 Jun 24 01:35 /var/lib/samba/private/dns
root@server5-ad:# ls -ld /var/lib/samba/private/dns.keytab
-rw-r----- 1 root bind 807 Jun 24 01:35 /var/lib/samba/private/dns.keytab
root@server5-ad:# ls -l /var/lib/samba/private/dns/
total 45
-rw-rw---- 1 root bind 3014656 Jun 24 01:35 sam.ldb
drwxrwx--- 2 root bind       8 Jun 24 01:35 sam.ldb.d
root@server5-ad:# ls -l /var/lib/samba/private/dns/sam.ldb.d/
total 3223
-rw-rw---- 1 root bind 8597504 Jun 24 01:35 'CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 1 root bind 8187904 Jun 24 01:35 'CN=SCHEMA,CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind 4247552 Jun 24 01:48 'DC=DOMAINDNSZONES,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind 4247552 Jun 24 00:38 'DC=FORESTDNSZONES,DC=LIN,DC=GROUP.ldb'
-rw-rw---- 1 root bind 1286144 Jun 24 01:35 'DC=LIN,DC=GROUP.ldb'
-rw-rw---- 2 root bind  831488 Jun 24 01:48 metadata.tdb

Zone list:

Using binding ncacn_ip_tcp:192.168.14.10[,sign]
Mapped to DCERPC endpoint 135
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 49152
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
Cannot do GSSAPI to an IP address
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
  pszZoneName                 : 14.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.LIN.group

  pszZoneName                 : LIN.group
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.LIN.group

  pszZoneName                 : _msdcs.LIN.group
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.LIN.group

smb.conf:

[global]
        workgroup = LIN
        realm = LIN.GROUP
        netbios name = SERVER5
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        server services = -dns
        allow dns updates = nonsecure

/etc/hosts (the server definition):

# The server5-ad and server5 are one and the same.
# This is because at one stage the shares were in server5, which got moved to server5-ad.
192.168.14.10 SERVER5-ad.lin.group SERVER5-ad
192.168.14.10 SERVER5.lin.group SERVER5

Regards,
Praveen Ghimire

-----Original Message-----
From: Praveen Ghimire
Sent: Friday, 21 June 2019 11:19 PM
To: 'L.P.H. van Belle'
Subject: RE: [Samba] Reverse DNS

Hi Louis,

Thank you for that. I've got a lab environment similar to the prod and was able to replicate the issues.

I added the following to /etc/bind/named.conf.options:

include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};

This caused the named-checkconf to fail:

root@server5-ad:/etc/bind# named-checkconf
/etc/bind/rndc.key:1: unknown option 'key'
/etc/bind/named.conf.options:27: unknown option 'controls'

So I removed that line. The following is the existing named.conf.options:

options {
        directory "/var/cache/bind";

        forwarders {
                8.8.8.8;
        };

        dnssec-validation auto;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        auth-nxdomain yes;    # conform to RFC1035
        empty-zones-enable no;
        listen-on-v6 { any; };
};

We are using an LXC container. It turns out there is a reported issue with apparmor with LXC, as per below:

apparmor_parser: Unable to replace "/usr/sbin/named".  Permission denied; attempted to load a profile while confined?

The option was to purge and reinstall apparmor.

The following is the /etc/apparmor.d/local/usr.sbin.named:

/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/etc/smb.conf r,
/var/tmp/** rwmk,
/dev/urandown rw,

The following from syslog:

Jun 21 12:52:11 server5-ad ntpd[174]: adj_systime: Operation not permitted
Jun 21 12:52:38 server5-ad ntpd[174]: message repeated 27 times: [ adj_systime: Operation not permitted]
Jun 21 12:52:38 server5-ad samba[201]: dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 21 12:52:39 server5-ad ntpd[174]: adj_systime: Operation not permitted
\ samba_dlz: starting transaction on zone LIN.group
Jun 21 12:55:27 server5-ad named[564]: client @0x7fa7fc013e70 192.168.14.181#54936: update 'LIN.group/IN' denied
Jun 21 12:58:34 server5-ad ntpd[174]: 91.189.89.199 local addr 192.168.14.10 -> <null>
Jun 21 12:58:35 server5-ad ntpd[174]: 91.189.89.198 local addr 192.168.14.10 -> <null>
Jun 21 12:58:36 server5-ad ntpd[174]: 91.189.91.157 local addr 192.168.14.10 -> <null>
Jun 21 12:58:42 server5-ad named[564]: resolver priming query complete
Jun 21 12:58:46 server5-ad samba[201]: [2019/06/21 12:58:46.917811, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 21 12:58:53 server5-ad samba[201]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb
Jun 21 12:59:01 server5-ad named[564]: resolver priming query complete
Jun 21 12:59:04 server5-ad samba[201]: [2019/06/21 12:59:04.972119, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)

I've made changes as per your recommendations.

In terms of DHCP, I did go through that wiki a while ago.
To me it looks like it works if the DHCP server is in the same domain as the AD server, this is not the case here. I made the changes as per the wiki and added the script. I manually specified the domain and realm info. The script does run but doesn't seem to make a difference. I copied the dhcpd user info stuff from the AD box to the DHCP server ACL has now been installed Thank you once again Regards, Praveen -----Original Message----- From: L.P.H. van Belle [mailto:belle at bazuin.nl] Sent: Friday, 21 June 2019 7:52 PM To: Praveen Ghimire Subject: RE: [Samba] Reverse DNS Hai, well i had a good look, im commented where it was needed ;-) This is part to start with, then then this is all correct, you can look at the DDNS and Reverse dns parts.> -----Oorspronkelijk bericht----- > Van: Praveen Ghimire [mailto:PGhimire at sundata.com.au] > Verzonden: woensdag 19 juni 2019 12:38 > Aan: 'L.P.H. van Belle' > Onderwerp: RE: [Samba] Reverse DNS > > Hi Louis, > > Thank you, awesome script. > > Output as follows > > Collected config --- 2019-06-19-10:12 ----------- > > Hostname: server5-ad > DNS Domain:Missing default DNS domain. 
Is "search your.primary.search.domain.tld" set in /etc/resolv.conf?

> FQDN: server5-ad

And the domain is missing in the FQDN, as a result of the missing DNS domain.

> ipaddress: 192.168.14.10
>
> -----------
>
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> NAME="Ubuntu"
> VERSION="18.04.1 LTS (Bionic Beaver)"
> ID=ubuntu
> ID_LIKE=debian
> PRETTY_NAME="Ubuntu 18.04.1 LTS"
> VERSION_ID="18.04"
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> VERSION_CODENAME=bionic
> UBUNTU_CODENAME=bionic
>
> -----------
>
> This computer is running Ubuntu 18.04.1 LTS x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 161: v14@if162: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> link/ether 7a:bf:29:61:5b:14 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> inet 192.168.14.10/24 brd 192.168.14.255 scope global v14
> inet6 fe80::78bf:29ff:fe61:5b14/64 scope link
>
> -----------
> Checking file: /etc/hosts

Fix the hosts file.

> 127.0.0.1 localhost 827be14a-ffda-60f5-f7f9-b260c6cab739
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.14.10 server5-ad
> # --- BEGIN PVE ---
> 192.168.14.10 server5-ad.LIN.group server5-ad
> # --- END PVE ---
> 192.168.14.10 server5
> 192.168.14.10 server5.LIN.group

Now this is also incorrect, you only need 1 line per IP. If it's correctly set, you can run this:

  echo "$(hostname -i) $(hostname -f) $(hostname -s)"

More aliases: add them at the end of that line, or add them to the DNS as CNAMEs.
So your hosts file should result in:

  127.0.0.1 localhost
  ::1 localhost ip6-localhost ip6-loopback
  ff02::1 ip6-allnodes
  ff02::2 ip6-allrouters
  192.168.14.10 server5-ad.LIN.group server5-ad

> -----------
>
> Checking file: /etc/resolv.conf
>
> # --- BEGIN PVE ---
> search LIN.group
> nameserver 192.168.14.10
> # --- END PVE ---
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = LIN.GROUP
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> LIN.GROUP = {
> kdc = server5
> admin_server = server5
> }

Remove the [realms] part, it's not needed. And wasn't your server named server5-ad?

> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files winbind
> group: files winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> [global]
> workgroup = LIN
> realm = LIN.GROUP
> netbios name = server5

OK, here: netbios name. It's a mismatch with what's set in /etc/hosts.
  HOSTNAME="$(hostname -s)"
  echo "${HOSTNAME^^}"

results in "SERVER5-AD", and that should be in netbios name = ....

> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 4
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes

Preferably set enum users/groups to no, it only slows down your server.

> acl allow execute always = True
> server services = -dns
> allow dns updates = nonsecure
> unix extensions = No
>
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:failure = none
> full_audit:prefix = %u|%I|%S
>
> [netlogon]
> path = /var/lib/samba/sysvol/LIN.group/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [homes]
> comment = Home Directories
> root preexec = bash -c '[[ -d /home/%U ]] || mkdir -m 0700 /home/%U && mkdir -m 0700 /home/%U/samba && chown -R %U:"Domain Users" /home/%U'
> # create mask = 0700
> # directory mask = 0700
> # browseable = No
> read only = No
> path = /home/%U/samba
> vfs objects = full_audit
> # follow symlinks = yes
> # wide links = yes

Ah, [homes]. Well, Rowland and I just did a small test. You can try this:

  [homes]
  comment = Home Directories
  read only = no
  valid users = %S
  root preexec = /usr/local/sbin/mkhomedir.sh %U %H

Content of mkhomedir.sh:

  #!/bin/bash
  # $1 = user name, $2 = home directory (from "root preexec ... %U %H")
  if [ ! -e "$2" ]; then
      # group name exactly as winbind reports it, e.g. "LIN\domain users"
      DOMUSERS="$(wbinfo -g | grep -i "domain users" | head -n 1)"
      install -d -o "$1" -g "${DOMUSERS}" -m 700 "$2"
  fi
  exit 0

> [data]
> comment = Data share
> path = /data
> hide unreadable = Yes
> vfs objects = full_audit
> follow symlinks = yes
> wide links = yes
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> // forwarders {
> // 0.0.0.0;
> // };

Do set your forwarders to internet DNS servers.

> //======================================================================
> // If BIND logs error messages about the root key being expired,
> // you will need to update your keys. See https://www.isc.org/bind-keys
> //======================================================================
> dnssec-validation auto;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> auth-nxdomain no; # conform to RFC1035

Your AD DC is the AUTHORITATIVE server of the primary zone, so:

  auth-nxdomain yes;

> listen-on-v6 { any; };

Add:

  empty-zones-enable no;

That avoids possible conflicts with configured zones.

> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";

I'm missing here:

  // adding the dlopen ( Bind DLZ ) module for samba; beware, if you're using bind 9.9 then you need to change this manually
  include "/var/lib/samba/private/named.conf";

> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list:
> Samba DNS zone list Automated check :
>
> Installed packages:

I'm missing acl.
  apt-get install acl

> ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
> ii bind9 1:9.11.3+dfsg-1ubuntu1.7 amd64 Internet Domain Name Server
> ii bind9-host 1:9.11.3+dfsg-1ubuntu1.7 amd64 DNS lookup utility (deprecated)
> ii bind9utils 1:9.11.3+dfsg-1ubuntu1.7 amd64 Utilities for BIND
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
> ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
> ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
> ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.7 amd64 BIND9 Shared Library used by BIND
> ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
> ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba nameservice integration plugins
> ii libpam-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Windows domain authentication integration plugin
> ii libwbclient0:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba winbind client library
> ii python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python bindings for Samba
> ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries
> ii samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual FileSystem plugins
> ii winbind 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
>
> DHCP
>
> subnet 192.168.14.0 netmask 255.255.255.0 {
> authoritative;
> option netbios-name-servers 192.168.14.10;
> option netbios-dd-server 192.168.14.10;
> option netbios-node-type 8;
> option domain-name-servers 192.168.14.1, 192.168.14.10;
>
> ddns-rev-domainname "in-addr.arpa.";
>
> pool {
> range dynamic-bootp 192.168.14.150 192.168.14.150;
> range dynamic-bootp 192.168.14.153 192.168.14.154;
> range dynamic-bootp 192.168.14.180 192.168.14.188;
> range dynamic-bootp 192.168.14.191 192.168.14.191;
> range dynamic-bootp 192.168.14.193 192.168.14.196;
> range dynamic-bootp 192.168.14.198 192.168.14.210;
> range dynamic-bootp 192.168.14.212 192.168.14.214;
> }
> option broadcast-address 192.168.14.255;
> option routers 192.168.14.254;
> option domain-name "site01";
> ddns-domainname "site01";

Here, domain-name and ddns-domainname should be your primary DNS domain.

> ddns-updates on;
> update-optimization off;
> update-static-leases on;
> allow client-updates;
> }

I suggest you have a good look at:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

And in addition, in named.conf.options add at the end of the file:

  include "/etc/bind/rndc.key";
  controls {
      inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
  };
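The wiki page Louis points to takes the reverse-zone problem away from the clients: the DHCP server itself sends the A record and the PTR, signed with GSS-TSIG under a dedicated AD account whose keytab is exported on the DC and copied across. That does not need the DHCP server to be a domain member (Praveen's concern in the reply above); it needs a krb5.conf that names the realm, the keytab, and a clock in step with the DC. The script below is an added example written for this thread, not the wiki's script and not anything posted here. The DC address, realm and zone names are the thread's; the account name dhcpduser, the keytab path, the credential cache path, the /24 assumption for the reverse zone and the "add|delete IP HOSTNAME" argument convention are assumptions of the example. It names the target zone explicitly in each nsupdate message, so the update is never aimed at whatever zone an SOA lookup happens to return, and it refuses client-supplied host names that could smuggle extra nsupdate commands into the batch.

```shell
#!/bin/sh
# dhcp-dyndns.sh: lease hook for ISC dhcpd on a server that is NOT a domain
# member. Pushes the A record into the AD forward zone and the PTR into the
# AD reverse zone with GSS-TSIG (nsupdate -g), authenticating with a keytab
# for a dedicated AD account instead of the client's machine account.
set -f   # no pathname expansion; the functions split strings with "set --"

# Taken from the thread: the DC, the realm and the forward zone.
DNS_SERVER="192.168.14.10"
REALM="LIN.GROUP"
FORWARD_ZONE="LIN.group."
TTL=3600
# Assumptions of this example: the account, its keytab and the ticket cache.
# On the DC:  samba-tool user create dhcpduser --random-password
#             samba-tool domain exportkeytab --principal=dhcpduser@LIN.GROUP /etc/dhcpduser.keytab
# then copy the keytab to the DHCP server (mode 0600, owned by the user dhcpd runs as)
# and give that server a /etc/krb5.conf naming the realm.
PRINCIPAL="dhcpduser@${REALM}"
KEYTAB="/etc/dhcpduser.keytab"
export KRB5CCNAME="/tmp/dhcp-dyndns.krb5cc"

# Client-supplied host names end up inside an nsupdate batch, so accept only
# plain DNS labels: no whitespace, no quotes, nothing that could start a new
# nsupdate command on the next line.
valid_hostname() {
    case "$1" in
        ''|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

valid_ip() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 192.168.14.150 -> 150.14.168.192.in-addr.arpa.
ptr_name() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Reverse zone for the address, assuming /24 subnets like the thread's
# 192.168.14.0/24 scope: 192.168.14.150 -> 14.168.192.in-addr.arpa.
rev_zone() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1"
}

# Print the nsupdate batch for "add" or "delete". The zone is stated in each
# message so nsupdate does not choose it by SOA lookup.
build_nsupdate() {
    action=$1; ip=$2; fqdn=$3
    case "$fqdn" in *.) ;; *) fqdn="$fqdn." ;; esac
    ptr=$(ptr_name "$ip")
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s\n' "$FORWARD_ZONE"
    printf 'update delete %s A\n' "$fqdn"
    if [ "$action" = add ]; then
        printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
    fi
    printf 'send\n'
    printf 'zone %s\n' "$(rev_zone "$ip")"
    printf 'update delete %s PTR\n' "$ptr"
    if [ "$action" = add ]; then
        printf 'update add %s %s PTR %s\n' "$ptr" "$TTL" "$fqdn"
    fi
    printf 'send\n'
}

# Get a ticket from the keytab, send the batch signed with GSS-TSIG, drop the ticket.
run_update() {
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    build_nsupdate "$@" | nsupdate -g
    rc=$?
    kdestroy
    return $rc
}

main() {
    [ $# -ge 3 ] || { echo "usage: $0 add|delete IP HOSTNAME" >&2; return 2; }
    valid_ip "$2"       || { echo "refusing bad address: $2" >&2; return 2; }
    valid_hostname "$3" || { echo "refusing bad host name: $3" >&2; return 2; }
    # Ignore whatever domain the client claims: the record always lands in the AD zone.
    fqdn="${3%%.*}.${FORWARD_ZONE%.}"
    run_update "$1" "$2" "$fqdn"
}

# Only act when dhcpd calls us with add/delete; sourcing the file just defines the functions.
case "${1:-}" in
    add|delete) main "$@" ;;
esac
```

Wire it to dhcpd with an "on commit" event that calls execute() with the leased address and the client's host-name option, and "on release"/"on expiry" events that pass delete, which is how the wiki's hook is attached. Run it once by hand before trusting it, and check that the reverse zone it derives is the one samba-tool's zone list reports (14.168.192.in-addr.arpa here): an update aimed at a zone the DC does not serve gets the same NOTAUTH answer the clients are getting.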
Hi All,

Some more digging through the syslogs. The following error sticks out:

  client @0x7fd3bc0d5910 192.168.14.196#56965: updating zone '168.192.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)

This was with dns update = nonsecure and secure and a static IP. With the dns update section removed, the reverse DNS update works and the reverse entry is created.

When using nonsecure and secure and DHCP, we see the following:

  [26654.606730] audit: type=1400 audit(1561462441.550:193): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/dev/urandom" pid=29418 comm="isc-worker0001" requested_mask="wc" denied_mask="wc" fsuid=111 ouid=0
  dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

Following Louis' instructions in the git page, I've set up the following in apparmor:

  /var/lib/samba/lib/** rm,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /var/lib/samba/etc/smb.conf r,
  /var/tmp/** rwmk,
  /dev/urandown rw,

  # Samba4 DLZ and Active Directory Zones (default source installation)
  # bind support before samba 4.9
  /var/lib/samba/private/dns/** rwmk,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,

  # bind support after samba 4.9
  /var/lib/samba/bind-dns/** rwmk,
  /var/lib/samba/bind-dns/dns.keytab r,
  /var/lib/samba/bind-dns/named.conf r,
  /var/lib/samba/bind-dns/dns/** rwk,

  # Regular samba.
  /var/lib/samba/lib/** rm,
  /usr/lib/**/samba/bind9/** rmk,
  /usr/lib/**/samba/gensec/* rmk,
  /usr/lib/**/samba/ldb/** rmk,
  /usr/lib/**/ldb/modules/ldb/** rmk,
  /var/tmp/** rwmk,
  /var/lib/samba/** rwmk,
  /usr/lib/x86_64-linux-gnu/samba/** rwmk,
  /usr/lib/x86_64-linux-gnu/ldb/** rwmk,

Just a reminder, the zones are the following:

  pszZoneName : 14.168.192.in-addr.arpa
  Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType : DNS_ZONE_TYPE_PRIMARY
  Version : 50
  dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn : DomainDnsZones.LIN.group

  pszZoneName : LIN.group
  Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType : DNS_ZONE_TYPE_PRIMARY
  Version : 50
  dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn : DomainDnsZones.LIN.group

  pszZoneName : _msdcs.LIN.group
  Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType : DNS_ZONE_TYPE_PRIMARY
  Version : 50
  dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn : ForestDnsZones.LIN.group

As mentioned, the DHCP server is not on the same server, and it is on a machine which is not in the same domain. It is a standalone Ubuntu server.

Any suggestions?

Regards,
Praveen Ghimire

-----Original Message-----
From: Praveen Ghimire
Sent: Monday, 24 June 2019 12:03 PM
To: 'L.P.H. van Belle'
Cc: samba at lists.samba.org
Subject: RE: [Samba] Reverse DNS

Hi Louis,

Just an update on this. I ran up a new test LXC container and completely removed apparmor, then installed the packages. I got the same errors.

I thought I would change the DNS from Bind to internal and back to Bind. The following is going from Bind9 to internal:

  root@server5-ad:/var/log# service bind9 stop
  root@server5-ad:/var/log# systemctl mask bind9
  Created symlink /etc/systemd/system/bind9.service -> /dev/null.
  root@server5-ad:/var/log# service samba-ad-dc stop
  root@server5-ad:/var/log# samba_upgradedns --dns-backend=SAMBA_INTERNAL

I removed the server services = -dns from smb.conf. I got the following error:

  /source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110

Then I ran samba_dnsupdate, which failed:

  Jun 24 01:26:39 server5-ad samba[800]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
  Jun 24 01:26:49 server5-ad ntpd[120]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted
  added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
  IPs: ['192.168.14.10']
  Looking for DNS entry A server5.LIN.group 192.168.14.10 as server5.LIN.group.
  Traceback (most recent call last):
    File "/usr/sbin/samba_dnsupdate", line 827, in <module>
      elif not check_dns_name(d):
    File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
      raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
  Exception: Timeout while waiting to contact a working DNS server while looking for A server5.LIN.group 192.168.14.10 as server5.LIN.group.

I then reverted back to Bind9 and saw the errors I was seeing before. It creates the forward DNS entry but not the reverse.
I am underlining the errors.

  Jun 24 01:36:20 server5-ad samba[1037]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigned
  --------------------------------------------------------------------------
  Successful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Mon, 24 Jun 2019 01:36:20.628460 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
  Jun 24 01:36:21 server5-ad named[1007]: resolver priming query complete
  Jun 24 01:36:23 server5-ad named[1007]: message repeated 2 times: [ resolver priming query complete]
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
  Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
  --------------------------------------------------------------------------
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
  Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' AAAA
  Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
  Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 43 900 600 86400 3600'
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 900 600 86400 3600'
  Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
  Jun 24 01:36:24 server5-ad named[1007]: resolver priming query complete
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
  Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#64221: update 'LIN.group/IN' denied
  --------------------------------------------------------------------------
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
  Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset 'bw10.LIN.group' AAAA
  Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: subtracted rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
  Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
  Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group

The permissions of the bind files:

  root@server5-ad:# ls -ld /var/lib/samba/private/
  drwxr-xr-x 8 root root 27 Jun 24 01:48 /var/lib/samba/private/
  root@server5-ad:# ls -l /var/lib/samba/private/named.conf
  -rw-r--r-- 1 root root 780 Jun 24 01:35 /var/lib/samba/private/named.conf
  root@server5-ad:# ls -ld /var/lib/samba/private/dns
  drwxrwx--- 3 root bind 4 Jun 24 01:35 /var/lib/samba/private/dns
  root@server5-ad:# ls -ld /var/lib/samba/private/dns.keytab
  -rw-r----- 1 root bind 807 Jun 24 01:35 /var/lib/samba/private/dns.keytab
  root@server5-ad:# ls -l /var/lib/samba/private/dns/
  total 45
  -rw-rw---- 1 root bind 3014656 Jun 24 01:35 sam.ldb
  drwxrwx--- 2 root bind 8 Jun 24 01:35 sam.ldb.d
  root@server5-ad:# ls -l /var/lib/samba/private/dns/sam.ldb.d/
  total 3223
  -rw-rw---- 1 root bind 8597504 Jun 24 01:35 'CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
  -rw-rw---- 1 root bind 8187904 Jun 24 01:35 'CN=SCHEMA,CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
  -rw-rw---- 2 root bind 4247552 Jun 24 01:48 'DC=DOMAINDNSZONES,DC=LIN,DC=GROUP.ldb'
  -rw-rw---- 2 root bind 4247552 Jun 24 00:38 'DC=FORESTDNSZONES,DC=LIN,DC=GROUP.ldb'
  -rw-rw---- 1 root bind 1286144 Jun 24 01:35 'DC=LIN,DC=GROUP.ldb'
  -rw-rw---- 2 root bind 831488 Jun 24 01:48 metadata.tdb

Zone list:

  Using binding ncacn_ip_tcp:192.168.14.10[,sign]
  Mapped to DCERPC endpoint 135
  added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
  added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
  Mapped to DCERPC endpoint 49152
  added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
  added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
  Cannot do GSSAPI to an IP address
  Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER

  pszZoneName : 14.168.192.in-addr.arpa
  Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType : DNS_ZONE_TYPE_PRIMARY
  Version : 50
  dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn : DomainDnsZones.LIN.group

  pszZoneName : LIN.group
  Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType : DNS_ZONE_TYPE_PRIMARY
  Version : 50
  dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn : DomainDnsZones.LIN.group

  pszZoneName : _msdcs.LIN.group
  Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType : DNS_ZONE_TYPE_PRIMARY
  Version : 50
  dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn : ForestDnsZones.LIN.group

smb.conf:

  [global]
  workgroup = LIN
  realm = LIN.GROUP
  netbios name = SERVER5
  server role = active directory domain controller
  idmap_ldb:use rfc2307 = yes
  server services = -dns
  allow dns updates = nonsecure

/etc/hosts (the server definition):

  # The server5-ad and server5 are one and the same. This is because at one stage the shares were on server5, which got moved to server5-ad.
  192.168.14.10 SERVER5-ad.lin.group SERVER5-ad
  192.168.14.10 SERVER5.lin.group SERVER5

Regards,
Praveen Ghimire

-----Original Message-----
From: Praveen Ghimire
Sent: Friday, 21 June 2019 11:19 PM
To: 'L.P.H. van Belle'
Subject: RE: [Samba] Reverse DNS

Hi Louis,

Thank you for that. I've got a lab environment similar to the prod and was able to replicate the issues.

I added the following to /etc/bind/named.conf.options:

  include "/etc/bind/rndc.key";
  controls {
      inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
  };

This caused the named-checkconf to fail:

  root@server5-ad:/etc/bind# named-checkconf
  /etc/bind/rndc.key:1: unknown option 'key'
  /etc/bind/named.conf.options:27: unknown option 'controls'

So I removed that. The following is the existing named.conf.options:

  options {
      directory "/var/cache/bind";
      forwarders { 8.8.8.8; };
      dnssec-validation auto;
      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
      auth-nxdomain yes; # conform to RFC1035
      empty-zones-enable no;
      listen-on-v6 { any; };
  };

We are using an LXC container. It turns out there is a reported issue with apparmor with LXC, as per below:

  apparmor_parser: Unable to replace "/usr/sbin/named". Permission denied; attempted to load a profile while confined?

The option was to purge and reinstall apparmor.
The following is the /etc/apparmor.d/local/usr.sbin.named /var/lib/samba/lib/** rm, /var/lib/samba/private/dns.keytab r, /var/lib/samba/private/named.conf r, /var/lib/samba/private/dns/** rwk, /var/lib/samba/etc/smb.conf r, /var/tmp/** rwmk, /dev/urandown rw, The following from syslog Jun 21 12:52:11 server5-ad ntpd[174]: adj_systime: Operation not permitted Jun 21 12:52:38 server5-ad ntpd[174]: message repeated 27 times: [ adj_systime: Operation not permitted] Jun 21 12:52:38 server5-ad samba[201]: dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED' Jun 21 12:52:39 server5-ad ntpd[174]: adj_systime: Operation not permitted \ samba_dlz: starting transaction on zone LIN.group Jun 21 12:55:27 server5-ad named[564]: client @0x7fa7fc013e70 192.168.14.181#54936: update 'LIN.group/IN' denied Jun 21 12:58:34 server5-ad ntpd[174]: 91.189.89.199 local addr 192.168.14.10 -> <null> Jun 21 12:58:35 server5-ad ntpd[174]: 91.189.89.198 local addr 192.168.14.10 -> <null> Jun 21 12:58:36 server5-ad ntpd[174]: 91.189.91.157 local addr 192.168.14.10 -> <null> Jun 21 12:58:42 server5-ad named[564]: resolver priming query complete Jun 21 12:58:46 server5-ad samba[201]: [2019/06/21 12:58:46.917811, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone) Jun 21 12:58:53 server5-ad samba[201]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb Jun 21 12:59:01 server5-ad named[564]: resolver priming query complete Jun 21 12:59:04 server5-ad samba[201]: [2019/06/21 12:59:04.972119, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone) I've made changes as per your recommendations. In terms of DHCP. I did go through that wiki a while ago. 
To me it looks like it works if the DHCP server is in the same domain as the AD server, this is not the case here. I made the changes as per the wiki and added the script. I manually specified the domain and realm info. The script does run but doesn't seem to make a difference. I copied the dhcpd user info stuff from the AD box to the DHCP server ACL has now been installed Thank you once again Regards, Praveen -----Original Message----- From: L.P.H. van Belle [mailto:belle at bazuin.nl] Sent: Friday, 21 June 2019 7:52 PM To: Praveen Ghimire Subject: RE: [Samba] Reverse DNS Hai, well i had a good look, im commented where it was needed ;-) This is part to start with, then then this is all correct, you can look at the DDNS and Reverse dns parts.> -----Oorspronkelijk bericht----- > Van: Praveen Ghimire [mailto:PGhimire at sundata.com.au] > Verzonden: woensdag 19 juni 2019 12:38 > Aan: 'L.P.H. van Belle' > Onderwerp: RE: [Samba] Reverse DNS > > Hi Louis, > > Thank you, awesome script. > > Output as follows > > Collected config --- 2019-06-19-10:12 ----------- > > Hostname: server5-ad > DNS Domain:Missing default DNS domain. 
Is "search your.primary.search.domain.tld" set in /etc/resolv.conf> FQDN: server5-adAnd missing domain in FQDN, as result of missing DNS domain.> ipaddress: 192.168.14.10 > > ----------- > > Samba is running as an AD DC > > ----------- > Checking file: /etc/os-release > > NAME="Ubuntu" > VERSION="18.04.1 LTS (Bionic Beaver)" > ID=ubuntu > ID_LIKE=debian > PRETTY_NAME="Ubuntu 18.04.1 LTS" > VERSION_ID="18.04" > HOME_URL="https://www.ubuntu.com/" > SUPPORT_URL="https://help.ubuntu.com/" > BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" > PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol > icies/privacy-policy" > VERSION_CODENAME=bionic > UBUNTU_CODENAME=bionic > > ----------- > > > This computer is running Ubuntu 18.04.1 LTS x86_64 > > ----------- > running command : ip a > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > group default qlen 1000 > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > inet6 ::1/128 scope host > 161: v14 at if162: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > noqueue state UP group default qlen 1000 > link/ether 7a:bf:29:61:5b:14 brd ff:ff:ff:ff:ff:ff link-netnsid 0 > inet 192.168.14.10/24 brd 192.168.14.255 scope global v14 > inet6 fe80::78bf:29ff:fe61:5b14/64 scope link > > ----------- > Checking file: /etc/hostsFix the hosts file> > 127.0.0.1 localhost 827be14a-ffda-60f5-f7f9-b260c6cab739 > ::1 localhost ip6-localhost ip6-loopback > ff02::1 ip6-allnodes > ff02::2 ip6-allrouters > > 192.168.14.10 server5-ad > # --- BEGIN PVE --- > 192.168.14.10 server5-ad.LIN.group server5-ad # --- END PVE --- > 192.168.14.10 server5 > 192.168.14.10 server5.LIN.groupNow this is also incorrect, you only need 1 line per ip. If its correctly set, you can run this : echo "$(hostname -i) $(hostname -f) $(hostname -s)" More aliasses, add it at the end of that line, or add them to the DNS as CNAME. 
So you hosts file should result in : 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.14.10 server5-ad.LIN.group server5-ad> ----------- > > Checking file: /etc/resolv.conf > > # --- BEGIN PVE --- > search LIN.group > nameserver 192.168.14.10 > # --- END PVE --- > > ----------- > > Checking file: /etc/krb5.conf > > [libdefaults] > default_realm = LIN.GROUP > dns_lookup_realm = false > dns_lookup_kdc = true > > [realms] > LIN.GROUP = { > kdc = server5 > admin_server = server5 > > }Remove the [realm] part, not needed. And wasnt you server named server5-ad ?> > ----------- > > Checking file: /etc/nsswitch.conf > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, > try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: files winbind > group: files winbind > shadow: compat > gshadow: files > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > > ----------- > > Checking file: /etc/samba/smb.conf > > [global] > workgroup = LIN > realm = LIN.GROUP > netbios name = server5Ok, here netbios name. If a mismatch with thats set in /ets/hosts. 
HOSTNAME="$(hostname -s)"
echo "${HOSTNAME^^}"
Results in "SERVER5-AD" and that should be in netbios name = ....
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/log.%m
> log level = 4
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
Preferred enum user/group to no, it only slows down your server.
> acl allow execute always = True
> server services = -dns
> allow dns updates = nonsecure
> unix extensions = No
>
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:failure = none
> full_audit:prefix = %u|%I|%S
>
> [netlogon]
> path = /var/lib/samba/sysvol/LIN.group/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
> [homes]
> comment = Home Directories
> root preexec = bash -c '[[ -d /home/%U ]] || mkdir -m 0700 /home/%U && mkdir -m 0700 /home/%U/samba && chown -R %U:"Domain Users" /home/%U'
>
> # create mask = 0700
> # directory mask = 0700
> # browseable = No
> read only = No
> path = /home/%U/samba
> vfs objects = full_audit
> # follow symlinks = yes
> # wide links = yes
>
Ah [homes], well Rowland and I just did a small test. You can try this.
[homes]
comment = Home Directories
read only = no
valid users = %S
root preexec = /usr/local/sbin/mkhomedir.sh %U %H

Content of mkhomedir.sh :
#!/bin/bash
# $1 = user name (%U), $2 = home directory (%H)

if [ ! -e "$2" ]; then
    # wbinfo -g prints the group as "LIN\domain users"; the name contains a
    # space, so the whole matching line is the group name
    DOMUSERS="$(wbinfo -g | grep -i "domain users")"
    install -d -o "$1" -g "${DOMUSERS}" -m 700 "$2"
fi

exit 0
>
>
>
> [data]
> comment = Data share
> path = /data
> hide unreadable = Yes
> vfs objects = full_audit
> follow symlinks = yes
> wide links = yes
>
> -----------
>
> Detected bind DLZ enabled..
> Checking file: /etc/bind/named.conf
>
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.options
>
> options {
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     // forwarders {
>     //     0.0.0.0;
>     // };
Do set your forwarder to internet DNS servers.
>
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys. See https://www.isc.org/bind-keys
>     //========================================================================
>     dnssec-validation auto;
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     auth-nxdomain no; # conform to RFC1035
Your AD DC is the AUTHORITATIVE server of the primary zone so..
auth-nxdomain yes;
>     listen-on-v6 { any; };
Add : empty-zones-enable no;
That avoids possible conflicts with configured zones.
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
I'm missing here :

// adding the dlopen ( Bind DLZ ) module for samba, beware, if you are using bind9.9 then you need to change this manually
include "/var/lib/samba/private/named.conf";
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> -----------
>
> Samba DNS zone list:
> Samba DNS zone list Automated check :
>
> Installed packages:
I'm missing acl.
apt-get install acl
> ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
> ii bind9 1:9.11.3+dfsg-1ubuntu1.7 amd64 Internet Domain Name Server
> ii bind9-host 1:9.11.3+dfsg-1ubuntu1.7 amd64 DNS lookup utility (deprecated)
> ii bind9utils 1:9.11.3+dfsg-1ubuntu1.7 amd64 Utilities for BIND
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
> ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
> ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
> ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.7 amd64 BIND9 Shared Library used by BIND
> ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
> ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba nameservice integration plugins
> ii libpam-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Windows domain authentication integration plugin
> ii libwbclient0:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba winbind client library
> ii python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python bindings for Samba
> ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64
> Samba Directory Services Database
> ii samba-libs:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries
> ii samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual FileSystem plugins
> ii winbind 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
>
>
> DHCP
>
> subnet 192.168.14.0 netmask 255.255.255.0 {
>     authoritative;
>     option netbios-name-servers 192.168.14.10;
>     option netbios-dd-server 192.168.14.10;
>     option netbios-node-type 8;
>     option domain-name-servers 192.168.14.1, 192.168.14.10;
>
>     ddns-rev-domainname "in-addr.arpa.";
>
>     pool {
>         range dynamic-bootp 192.168.14.150 192.168.14.150;
>         range dynamic-bootp 192.168.14.153 192.168.14.154;
>         range dynamic-bootp 192.168.14.180 192.168.14.188;
>         range dynamic-bootp 192.168.14.191 192.168.14.191;
>         range dynamic-bootp 192.168.14.193 192.168.14.196;
>         range dynamic-bootp 192.168.14.198 192.168.14.210;
>         range dynamic-bootp 192.168.14.212 192.168.14.214;
>
>     }
>     option broadcast-address 192.168.14.255;
>     option routers 192.168.14.254;
>     option domain-name "site01";
>     ddns-domainname "site01";
Here, domain-name and ddns-domainname should be your primary DNS domain.
>     ddns-updates on;
>     update-optimization off;
>     update-static-leases on;
>     allow client-updates;
> }
I suggest, have a good look at :
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

And in addition.
In named.conf.options add at the end of the file

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};
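The hostname, /etc/hosts and "netbios name" checks Louis walks through by hand in the message above, scripted so they can be re-run after every change. This is an added example, not code from the thread or from Samba. It assumes the file paths are passed as arguments (so it can run against copies), and the sample hosts file and smb.conf fragment in `demo` are constructed from the values quoted in this thread.

```shell
#!/bin/bash
# Added example (not from the thread): automates three of Louis' checks:
#  1. /etc/hosts carries exactly one line for the DC's IP, "ip fqdn short";
#  2. the FQDN actually contains the DNS domain (the script output above
#     showed FQDN "server5-ad" with no domain);
#  3. smb.conf "netbios name" equals the upper-cased short hostname.
# All inputs are parameters; nothing here touches the live system.

# Number of non-comment lines in a hosts file that map the given IP (want 1).
hosts_lines_for_ip() {
    grep -v '^[[:space:]]*#' "$1" | awk -v ip="$2" '$1 == ip { n++ } END { print n+0 }'
}

# The single line Louis says the IP should have: "ip fqdn short".
expected_hosts_line() {
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# The NetBIOS name Samba expects: the short hostname in upper case
# (the thread derives it with ${HOSTNAME^^}; tr keeps this POSIX sh).
netbios_from_short() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Value of "netbios name" in a smb.conf; empty when the key is absent.
smb_netbios_name() {
    awk -F= 'tolower($1) ~ /^[ \t]*netbios name[ \t]*$/ {
                 sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }' "$1"
}

# 0 when smb.conf's netbios name matches the short hostname (compared
# case-insensitively, as Samba upper-cases it), 1 otherwise.
# Praveen's "server5" against hostname "server5-ad" fails here.
check_netbios() {
    want="$(netbios_from_short "$2")"
    have="$(smb_netbios_name "$1" | tr '[:lower:]' '[:upper:]')"
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# 0 when fqdn is "<short>.<non-empty domain>", 1 otherwise.
check_fqdn() {
    case "$1" in
        "$2".?*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed copies of the files quoted in the thread, then the checks.
demo() {
    dir="$(mktemp -d)"
    cat > "$dir/hosts" <<'EOF'
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
192.168.14.10 server5-ad
192.168.14.10 server5-ad.LIN.group server5-ad
192.168.14.10 server5
192.168.14.10 server5.LIN.group
EOF
    printf '[global]\n   workgroup = LIN\n   netbios name = server5\n' > "$dir/smb.conf"

    echo "hosts lines for 192.168.14.10: $(hosts_lines_for_ip "$dir/hosts" 192.168.14.10) (want 1)"
    echo "expected line: $(expected_hosts_line 192.168.14.10 server5-ad.LIN.group server5-ad)"
    if check_fqdn server5-ad.LIN.group server5-ad; then echo "fqdn ok"; else echo "fqdn lacks domain"; fi
    if check_netbios "$dir/smb.conf" server5-ad; then
        echo "netbios name ok"
    else
        echo "netbios name mismatch: smb.conf has '$(smb_netbios_name "$dir/smb.conf")', want $(netbios_from_short server5-ad)"
    fi
    rm -rf "$dir"
}
demo
```

On the real DC the same functions can be called with `/etc/hosts`, `/etc/samba/smb.conf`, `$(hostname -f)` and `$(hostname -s)`; `hostname -f` only returns a domain once the hosts line (or DNS plus the resolv.conf search domain) is in order, which is why the hosts fix comes first in Louis' list.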
Hai,

You posted the correct things here, for a quick fix.
I'm busy with something else atm but I saw that /dev/urandom part.

Add in the bind9 (named) apparmor profile

# Samba DLZ
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,

Then try again.

Source : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928398

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Praveen Ghimire via samba
> Sent: Tuesday, 25 June 2019 13:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] Reverse DNS
>
> Hi All,
>
> Some more digging through the syslogs. The following error sticks out
>
> client @0x7fd3bc0d5910 192.168.14.196#56965: updating zone '168.192.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)
>
> This was with dns update = nonsecure and secure and static IP.
> With the dns update section removed, the reverse DNS update works and reverse entry is created
>
> When using nonsecure and secure and DHCP, we see the following
>
> [26654.606730] audit: type=1400 audit(1561462441.550:193): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/dev/urandom" pid=29418 comm="isc-worker0001" requested_mask="wc" denied_mask="wc" fsuid=111 ouid=0
>
> dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>
> Following Louis' instructions in the git page, I've set up the following in apparmor
>
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> /var/lib/samba/etc/smb.conf r,
> /var/tmp/** rwmk,
> /dev/urandown rw,
> # Samba4 DLZ and Active Directory Zones (default source installation)
> # bind support before samba 4.9
> /var/lib/samba/private/dns/** rwmk,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> # bind support after samba 4.9
> /var/lib/samba/bind-dns/** rwmk,
> /var/lib/samba/bind-dns/dns.keytab r,
> /var/lib/samba/bind-dns/named.conf r,
> /var/lib/samba/bind-dns/dns/** rwk,
> # Regular samba.
> /var/lib/samba/lib/** rm,
> /usr/lib/**/samba/bind9/** rmk,
> /usr/lib/**/samba/gensec/* rmk,
> /usr/lib/**/samba/ldb/** rmk,
> /usr/lib/**/ldb/modules/ldb/** rmk,
> /var/tmp/** rwmk,
> /var/lib/samba/** rwmk,
> /usr/lib/x86_64-linux-gnu/samba/** rwmk,
> /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
>
>
> Just a reminder the zones are following
>
> pszZoneName : 14.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.LIN.group
>
> pszZoneName : LIN.group
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.LIN.group
>
> pszZoneName : _msdcs.LIN.group
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.LIN.group
>
>
> As mentioned the DHCP server is not in the same server and not in a machine which is not in the same domain. It is a standalone Ubuntu server
>
> Any suggestions?
>
>
> Regards,
> Praveen Ghimire
>
>
>
>
> -----Original Message-----
> From: Praveen Ghimire
> Sent: Monday, 24 June 2019 12:03 PM
> To: 'L.P.H. van Belle'
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> Just an update on this. I ran up a new test LXC container and completely removed apparmor. Then installed the packages. I got the same errors
>
> I thought I would change the DNS from Bind to internal and back to bind.
>
>
> The following is going from Bind9 to Internal
>
> root@server5-ad:/var/log# service bind9 stop
> root@server5-ad:/var/log# systemctl mask bind9
> Created symlink /etc/systemd/system/bind9.service -> /dev/null.
> root@server5-ad:/var/log# service samba-ad-dc stop
> root@server5-ad:/var/log# samba_upgradedns --dns-backend=SAMBA_INTERNAL
>
> I removed the
> Server service = -dns from smb.conf
>
> I got the following error,
>
> /source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
>
> Then I ran the samba_dnsupdate, which failed
>
> Jun 24 01:26:39 server5-ad samba[800]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> Jun 24 01:26:49 server5-ad ntpd[120]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> IPs: ['192.168.14.10']
> Looking for DNS entry A server5.LIN.group 192.168.14.10 as server5.LIN.group.
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 827, in <module>
>     elif not check_dns_name(d):
>   File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
>     raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
> Exception: Timeout while waiting to contact a working DNS server while looking for A server5.LIN.group 192.168.14.10 as server5.LIN.group.
>
>
> I then reverted back to Bind9 and saw the errors I was seeing before. It creates the forward DNS entry but not the reverse.
> I am underlining the errors
>
>
>
> Jun 24 01:36:20 server5-ad samba[1037]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ:
>
> --------------------------------------------------------------
> --------------------------------------------------------------
> --------------------------------------------------
>
> [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Mon, 24 Jun 2019 01:36:20.628460 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
> Jun 24 01:36:21 server5-ad named[1007]: resolver priming query complete
> Jun 24 01:36:23 server5-ad named[1007]: message repeated 2 times: [ resolver priming query complete]
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
>
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
> --------------------------------------------------------------
> --------------------------------------------------------------
> --------------------
>
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: client
> @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' AAAA
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 43 900 600 86400 3600'
> Jun 24 0136:24 server5-ad named[1007]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group.
> 900 600 86400 3600'
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: resolver priming query complete
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
>
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#64221: update 'LIN.group/IN' denied
> --------------------------------------------------------------
> --------------------------------------------------------------
> -------------------
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10$@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset 'bw10.LIN.group' AAAA
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: subtracted rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20
> 192.168.14.150#63953/key BW10$@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
>
>
> The permissions of the bind files
>
>
> root@server5-ad:# ls -ld /var/lib/samba/private/
> drwxr-xr-x 8 root root 27 Jun 24 01:48 /var/lib/samba/private/
> root@server5-ad:# ls -l /var/lib/samba/private/named.conf
> -rw-r--r-- 1 root root 780 Jun 24 01:35 /var/lib/samba/private/named.conf
> root@server5-ad:# ls -ld /var/lib/samba/private/dns
> drwxrwx--- 3 root bind 4 Jun 24 01:35 /var/lib/samba/private/dns
> root@server5-ad:# ls -ld /var/lib/samba/private/dns.keytab
> -rw-r----- 1 root bind 807 Jun 24 01:35 /var/lib/samba/private/dns.keytab
> root@server5-ad:# ls -l /var/lib/samba/private/dns/
> total 45
> -rw-rw---- 1 root bind 3014656 Jun 24 01:35 sam.ldb
> drwxrwx--- 2 root bind 8 Jun 24 01:35 sam.ldb.d
> root@server5-ad:# ls -l /var/lib/samba/private/dns/sam.ldb.d/
> total 3223
> -rw-rw---- 1 root bind 8597504 Jun 24 01:35 'CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 1 root bind 8187904 Jun 24 01:35 'CN=SCHEMA,CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind 4247552 Jun 24 01:48 'DC=DOMAINDNSZONES,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind 4247552 Jun 24 00:38 'DC=FORESTDNSZONES,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 1 root bind 1286144 Jun 24 01:35 'DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind 831488 Jun 24 01:48 metadata.tdb
>
>
> Zone list
>
> Using binding ncacn_ip_tcp:192.168.14.10[,sign]
> Mapped to DCERPC endpoint 135
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> Mapped to DCERPC endpoint 49152
> added interface v14
> ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> Cannot do GSSAPI to an IP address
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
> pszZoneName : 14.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.LIN.group
>
> pszZoneName : LIN.group
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.LIN.group
>
> pszZoneName : _msdcs.LIN.group
> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.LIN.group
>
>
> smb.conf
> [global]
> workgroup = LIN
> realm = LIN.GROUP
> netbios name = SERVER5
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> server services = -dns
> allow dns updates = nonsecure
>
>
> /etc/hosts (the server definition)
>
> # The server5-ad and server5 are one and the same. This is because at one stage the shares were in server5 which got moved to server5-ad
> 192.168.14.10 SERVER5-ad.lin.group SERVER5-ad
> 192.168.14.10 SERVER5.lin.group SERVER5
>
>
> Regards,
> Praveen Ghimire
>
>
>
>
>
> -----Original Message-----
> From: Praveen Ghimire
> Sent: Friday, 21 June 2019 11:19 PM
> To: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> Thank you for that. I've got a lab environment similar to the prod and was able to replicate the issues.
>
> I added the following to /etc/bind/named.conf.options
>
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> };
>
> This caused the named-checkconf to fail
> root@server5-ad:/etc/bind# named-checkconf
> /etc/bind/rndc.key:1: unknown option 'key'
> /etc/bind/named.conf.options:27: unknown option 'controls'
>
> So I removed that line. The following is the existing named.conf.options
>
> options {
>     directory "/var/cache/bind";
>
>     forwarders {
>         8.8.8.8;
>     };
>     dnssec-validation auto;
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     auth-nxdomain yes; # conform to RFC1035
>     empty-zones-enable no;
>     listen-on-v6 { any; };
>
> };
>
> We are using an LXC container. It turns out there is a reported issue with apparmor with LXC, as per below
> apparmor_parser: Unable to replace "/usr/sbin/named". Permission denied; attempted to load a profile while confined?
>
> The option was to purge and reinstall apparmor. The following is the /etc/apparmor.d/local/usr.sbin.named
>
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> /var/lib/samba/etc/smb.conf r,
> /var/tmp/** rwmk,
> /dev/urandown rw,
>
> The following from syslog
>
> Jun 21 12:52:11 server5-ad ntpd[174]: adj_systime: Operation not permitted
> Jun 21 12:52:38 server5-ad ntpd[174]: message repeated 27 times: [ adj_systime: Operation not permitted]
> Jun 21 12:52:38 server5-ad samba[201]: dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> Jun 21 12:52:39 server5-ad ntpd[174]: adj_systime: Operation not permitted \ samba_dlz: starting transaction on zone LIN.group
> Jun 21 12:55:27 server5-ad named[564]: client @0x7fa7fc013e70 192.168.14.181#54936: update 'LIN.group/IN' denied
> Jun 21 12:58:34 server5-ad ntpd[174]: 91.189.89.199 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:35
> server5-ad ntpd[174]: 91.189.89.198 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:36 server5-ad ntpd[174]: 91.189.91.157 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:42 server5-ad named[564]: resolver priming query complete
> Jun 21 12:58:46 server5-ad samba[201]: [2019/06/21 12:58:46.917811, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
> Jun 21 12:58:53 server5-ad samba[201]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb
> Jun 21 12:59:01 server5-ad named[564]: resolver priming query complete
> Jun 21 12:59:04 server5-ad samba[201]: [2019/06/21 12:59:04.972119, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
>
>
> I've made changes as per your recommendations.
>
> In terms of DHCP. I did go through that wiki a while ago. To me it looks like it works if the DHCP server is in the same domain as the AD server, this is not the case here. I made the changes as per the wiki and added the script. I manually specified the domain and realm info. The script does run but doesn't seem to make a difference. I copied the dhcpd user info stuff from the AD box to the DHCP server
>
> ACL has now been installed
>
> Thank you once again
>
> Regards,
>
> Praveen
>
> -----Original Message-----
> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> Sent: Friday, 21 June 2019 7:52 PM
> To: Praveen Ghimire
> Subject: RE: [Samba] Reverse DNS
>
> Hai, well I had a good look, I commented where it was needed ;-)
>
> This is the part to start with, then, when this is all correct, you can look at the DDNS and Reverse DNS parts.
>
>
> > -----Original Message-----
> > From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > Sent: Wednesday, 19 June 2019 12:38
> > To: 'L.P.H. van Belle'
> > Subject: RE: [Samba] Reverse DNS
> >
> > Hi Louis,
> >
> > Thank you, awesome script.
> >
> > Output as follows
> >
> > Collected config --- 2019-06-19-10:12 -----------
> >
> > Hostname: server5-ad
> > DNS Domain:
> > Missing default DNS domain.
> Is "search your.primary.search.domain.tld" set in /etc/resolv.conf
>
> > FQDN: server5-ad
> And missing domain in FQDN, as result of missing DNS domain.
>
> > ipaddress: 192.168.14.10
> >
> > -----------
> >
> > Samba is running as an AD DC
> >
> > -----------
> > Checking file: /etc/os-release
> >
> > NAME="Ubuntu"
> > VERSION="18.04.1 LTS (Bionic Beaver)"
> > ID=ubuntu
> > ID_LIKE=debian
> > PRETTY_NAME="Ubuntu 18.04.1 LTS"
> > VERSION_ID="18.04"
> > HOME_URL="https://www.ubuntu.com/"
> > SUPPORT_URL="https://help.ubuntu.com/"
> > BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> > PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> > VERSION_CODENAME=bionic
> > UBUNTU_CODENAME=bionic
> >
> > -----------
> >
> >
> > This computer is running Ubuntu 18.04.1 LTS x86_64
> >
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >     inet6 ::1/128 scope host
> > 161: v14@if162: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> >     link/ether 7a:bf:29:61:5b:14 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> >     inet 192.168.14.10/24 brd 192.168.14.255 scope global v14
> >     inet6 fe80::78bf:29ff:fe61:5b14/64 scope link
> >
> > -----------
> > Checking file: /etc/hosts
> Fix the hosts file
>
> > 127.0.0.1 localhost 827be14a-ffda-60f5-f7f9-b260c6cab739
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
> > 192.168.14.10 server5-ad
> > # --- BEGIN PVE ---
> > 192.168.14.10 server5-ad.LIN.group server5-ad
> > # --- END PVE ---
> > 192.168.14.10 server5
> > 192.168.14.10 server5.LIN.group
> Now this is also incorrect, you only need 1 line per ip.
> If it's correctly set, you can run this : echo "$(hostname -i) $(hostname -f) $(hostname -s)"
> More aliases, add them at the end of that line, or add them to the DNS as CNAME.
>
> So your hosts file should result in :
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.14.10 server5-ad.LIN.group server5-ad
>
> > -----------
> >
> > Checking file: /etc/resolv.conf
> >
> > # --- BEGIN PVE ---
> > search LIN.group
> > nameserver 192.168.14.10
> > # --- END PVE ---
> >
> > -----------
> >
> > Checking file: /etc/krb5.conf
> >
> > [libdefaults]
> > default_realm = LIN.GROUP
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > LIN.GROUP = {
> > kdc = server5
> > admin_server = server5
> >
> > }
> Remove the [realm] part, not needed.
> And wasn't your server named server5-ad ?
>
> > -----------
> >
> > Checking file: /etc/nsswitch.conf
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: files winbind
> > group: files winbind
> > shadow: compat
> > gshadow: files
> >
> > hosts: files dns
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> >
> > -----------
> >
> > Checking file: /etc/samba/smb.conf
> >
> > [global]
> > workgroup = LIN
> > realm = LIN.GROUP
> > netbios name = server5
> Ok, here netbios name. It is a mismatch with what's set in /etc/hosts.
> HOSTNAME="$(hostname -s)"
> echo "${HOSTNAME^^}"
> Results in "SERVER5-AD" and that should be in netbios name = ....
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > log file = /var/log/samba/log.%m
> > log level = 4
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> Preferred enum user/group to no, it only slows down your server.
>
> > acl allow execute always = True
> > server services = -dns
> > allow dns updates = nonsecure
> > unix extensions = No
> >
> > full_audit:priority = notice
> > full_audit:facility = local5
> > full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> > full_audit:failure = none
> > full_audit:prefix = %u|%I|%S
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/LIN.group/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> >
> >
> > [homes]
> > comment = Home Directories
> > root preexec = bash -c '[[ -d /home/%U ]] || mkdir -m 0700 /home/%U && mkdir -m 0700 /home/%U/samba && chown -R %U:"Domain Users" /home/%U'
> >
> > # create mask = 0700
> > # directory mask = 0700
> > # browseable = No
> > read only = No
> > path = /home/%U/samba
> > vfs objects = full_audit
> > # follow symlinks = yes
> > # wide links = yes
> >
> Ah [homes], well Rowland and I just did a small test. You can try this.
> [homes]
> comment = Home Directories
> read only = no
> valid users = %S
> root preexec = /usr/local/sbin/mkhomedir.sh %U %H
>
> Content of mkhomedir.sh :
> #!/bin/bash
> # $1 = user name (%U), $2 = home directory (%H)
>
> if [ ! -e "$2" ]; then
>     # wbinfo -g prints the group as "LIN\domain users"; the name contains a
>     # space, so the whole matching line is the group name
>     DOMUSERS="$(wbinfo -g | grep -i "domain users")"
>     install -d -o "$1" -g "${DOMUSERS}" -m 700 "$2"
> fi
>
> exit 0
>
>
>
> > [data]
> > comment = Data share
> > path = /data
> > hide unreadable = Yes
> > vfs objects = full_audit
> > follow symlinks = yes
> > wide links = yes
> >
> > -----------
> >
> > Detected bind DLZ enabled..
> > Checking file: /etc/bind/named.conf
> >
> > // This is the primary configuration file for the BIND DNS server named.
> > //
> > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> > // structure of BIND configuration files in Debian, *BEFORE* you customize
> > // this configuration file.
> > //
> > // If you are just adding zones, please do that in /etc/bind/named.conf.local
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/private/named.conf";
> >
> > -----------
> >
> > Checking file: /etc/bind/named.conf.options
> >
> > options {
> > directory "/var/cache/bind";
> >
> > // If there is a firewall between you and nameservers you want
> > // to talk to, you may need to fix the firewall to allow multiple
> > // ports to talk. See http://www.kb.cert.org/vuls/id/800113
> >
> > // If your ISP provided one or more IP addresses for stable
> > // nameservers, you probably want to use them as forwarders.
> > // Uncomment the following block, and insert the addresses replacing
> > // the all-0's placeholder.
> >
> > // forwarders {
> > // 0.0.0.0;
> > // };
>
> Do set your forwarder to internet DNS servers.
>
> > //======================================================================
> > // If BIND logs error messages about the root key being expired,
> > // you will need to update your keys. See https://www.isc.org/bind-keys
> > //======================================================================
> > dnssec-validation auto;
> > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > auth-nxdomain no; # conform to RFC1035
>
> Your AD DC is the AUTHORITATIVE server of the primary zone so..
> auth-nxdomain yes;
>
> > listen-on-v6 { any; };
>
> Add: empty-zones-enable no;
> That avoids possible conflicts with configured zones.
> > };
> >
> > -----------
> >
> > Checking file: /etc/bind/named.conf.local
> >
> > //
> > // Do any local configuration here
> > //
> >
> > // Consider adding the 1918 zones here, if they are not used in your
> > // organization
> > //include "/etc/bind/zones.rfc1918";
>
> I'm missing here:
>
> // adding the dlopen ( Bind DLZ ) module for samba, beware,
> // if you are using bind9.9 then you need to change this manually
> include "/var/lib/samba/private/named.conf";
>
> > -----------
> >
> > Checking file: /etc/bind/named.conf.default-zones
> >
> > // prime the server with knowledge of the root servers
> > zone "." {
> > type hint;
> > file "/etc/bind/db.root";
> > };
> >
> > // be authoritative for the localhost forward and reverse zones, and for
> > // broadcast zones as per RFC 1912
> >
> > zone "localhost" {
> > type master;
> > file "/etc/bind/db.local";
> > };
> >
> > zone "127.in-addr.arpa" {
> > type master;
> > file "/etc/bind/db.127";
> > };
> >
> > zone "0.in-addr.arpa" {
> > type master;
> > file "/etc/bind/db.0";
> > };
> >
> > zone "255.in-addr.arpa" {
> > type master;
> > file "/etc/bind/db.255";
> > };
> >
> > -----------
> >
> > Samba DNS zone list:
> > Samba DNS zone list Automated check:
> >
> > Installed packages:
>
> I'm missing acl.
> apt-get install acl
>
> > ii attr 1:2.4.47-2build1 amd64 Utilities for manipulating filesystem extended attributes
> > ii bind9 1:9.11.3+dfsg-1ubuntu1.7 amd64 Internet Domain Name Server
> > ii bind9-host 1:9.11.3+dfsg-1ubuntu1.7 amd64 DNS lookup utility (deprecated)
> > ii bind9utils 1:9.11.3+dfsg-1ubuntu1.7 amd64 Utilities for BIND
> > ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> > ii krb5-locales 1.16-2ubuntu0.1 all internationalization support for MIT Kerberos
> > ii krb5-user 1.16-2ubuntu0.1 amd64 basic programs to authenticate using MIT Kerberos
> > ii libacl1:amd64 2.2.52-3build1 amd64 Access control list shared library
> > ii libattr1:amd64 1:2.4.47-2build1 amd64 Extended attribute shared library
> > ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.7 amd64 BIND9 Shared Library used by BIND
> > ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> > ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1 amd64 Heimdal Kerberos - libraries
> > ii libkrb5-3:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries
> > ii libkrb5support0:amd64 1.16-2ubuntu0.1 amd64 MIT Kerberos runtime libraries - Support library
> > ii libnss-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba nameservice integration plugins
> > ii libpam-winbind:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Windows domain authentication integration plugin
> > ii libwbclient0:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba winbind client library
> > ii python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python bindings for Samba
> > ii samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file, print, and login server for Unix
> > ii samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files used by both the Samba server and client
> > ii samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common files used by both the server and the client
> > ii samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Directory Services Database
> > ii samba-libs:amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries
> > ii samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual FileSystem plugins
> > ii winbind 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 service to resolve user and group information from Windows NT servers
> >
> > -----------
> >
> > DHCP
> >
> > subnet 192.168.14.0 netmask 255.255.255.0 {
> > authoritative;
> > option netbios-name-servers 192.168.14.10;
> > option netbios-dd-server 192.168.14.10;
> > option netbios-node-type 8;
> > option domain-name-servers 192.168.14.1, 192.168.14.10;
> >
> > ddns-rev-domainname "in-addr.arpa.";
> >
> > pool {
> > range dynamic-bootp 192.168.14.150 192.168.14.150;
> > range dynamic-bootp 192.168.14.153 192.168.14.154;
> > range dynamic-bootp 192.168.14.180 192.168.14.188;
> > range dynamic-bootp 192.168.14.191 192.168.14.191;
> > range dynamic-bootp 192.168.14.193 192.168.14.196;
> > range dynamic-bootp 192.168.14.198 192.168.14.210;
> > range dynamic-bootp 192.168.14.212 192.168.14.214;
> > }
> > option broadcast-address 192.168.14.255;
> > option routers 192.168.14.254;
> > option domain-name "site01";
> > ddns-domainname "site01";
>
> Here, domain-name and ddns-domainname should be your primary DNS.
>
> > ddns-updates on;
> > update-optimization off;
> > update-static-leases on;
> > allow client-updates;
> > }
>
> I suggest, have a good look at:
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> And in addition.
> In named.conf.options add at the end of the file:
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
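A small shell check for the two consistency points the reply raises (one hosts line per IP, shaped as "ip fqdn short", and a netbios name equal to the upper-cased short hostname), added here as an example; it is not code from the thread or from Samba, each function reads the file contents on stdin so the samples below are constructed rather than read from a real host, and the /etc/hosts and smb.conf paths mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the hosts-file and
# netbios-name consistency the reply asks for. Each function reads the
# file contents on stdin, so it can be fed /etc/hosts or smb.conf
# (assumed paths) or the constructed samples below.

# Print every IP that appears on more than one non-comment line of a
# hosts file; the reply says there should be exactly one line per IP.
hosts_duplicate_ips() {
    sed 's/#.*//' | awk 'NF > 1 { seen[$1]++ }
        END { for (ip in seen) if (seen[ip] > 1) print ip }' | sort
}

# Succeed only if the hosts file has a line "<ip> <fqdn> <short>", the
# shape of: echo "$(hostname -i) $(hostname -f) $(hostname -s)".
hosts_line_ok() {
    sed 's/#.*//' | awk -v ip="$1" -v fqdn="$2" -v short="$3" '
        $1 == ip && $2 == fqdn && $3 == short { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Succeed only if the smb.conf "netbios name" equals the short hostname
# upper-cased (what ${HOSTNAME^^} produces in the reply).
netbios_name_matches() {
    nb=$(sed -n 's/^[[:space:]]*netbios name[[:space:]]*=[[:space:]]*//p' |
        head -n 1 | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    short=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    [ -n "$nb" ] && [ "$nb" = "$short" ]
}

# Constructed samples: the poster's hosts file (two lines for the DC's
# IP) and the single corrected line from the reply.
SAMPLE_HOSTS='127.0.0.1 localhost
192.168.14.10 server5
192.168.14.10 server5.LIN.group'
FIXED_HOSTS='192.168.14.10 server5-ad.LIN.group server5-ad'

printf '%s\n' "$SAMPLE_HOSTS" | hosts_duplicate_ips   # prints 192.168.14.10
printf '%s\n' "$FIXED_HOSTS" | hosts_line_ok 192.168.14.10 server5-ad.LIN.group server5-ad \
    && echo "hosts line ok"
printf '[global]\n   netbios name = server5\n' | netbios_name_matches server5-ad \
    || echo "netbios name does not match SERVER5-AD"
```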