Hi Louis,
Thank you for that.
I have made the changes as per below; some items might have been duplicated. I then
reloaded apparmor, restarted the samba-ad-dc and bind9 services and get the same
issue. Every time the forward DNS update works but the reverse doesn't.
I found a really interesting samba post going back to 2017 re DHCP and DNS:
http://samba.2283325.n4.nabble.com/DHCP-DNS-and-non-domain-members-td4726681.html
In the article there are suggestions of not letting Windows clients update
their own DNS records. In my test machine I manually removed the option. The
error message disappears when the machine renews its DHCP but the DNS
(forward or reverse) doesn't update.
The one thing I can't understand is that despite the error messages in syslog
about denying the lin.group zone, the forward updates but the reverse
doesn't. The DHCP server has the following:
ddns-rev-domainname "in-addr.arpa.";
/etc/apparmor.d/local/usr.sbin.named
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/etc/smb.conf r,
/var/tmp/** rwmk,
/dev/urandown rw,
# Samba4 DLZ and Active Directory Zones (default source installation)
# bind support before samba 4.9
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
# bind support after samba 4.9
/var/lib/samba/bind-dns/** rwmk,
/var/lib/samba/bind-dns/dns.keytab r,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
# Regular samba.
/var/lib/samba/lib/** rm,
/usr/lib/**/samba/bind9/** rmk,
/usr/lib/**/samba/gensec/* rmk,
/usr/lib/**/samba/ldb/** rmk,
/usr/lib/**/ldb/modules/ldb/** rmk,
/var/tmp/** rwmk,
/var/lib/samba/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
#Changes 26062019
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,
Regards,
Praveen Ghimire
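Added example (the editor's, not code from the thread, Samba or BIND): a Python triage helper for the two refusals discussed in this thread. It parses AppArmor DENIED records for the named profile and proposes the minimal file rule, checks whether the posted local profile already matches the denied path (which exposes typos such as urandown), and for NOTAUTH reverse-update refusals works out which in-addr.arpa zone the DC actually hosts for the client's address. The sample syslog lines, profile fragment and zone list are constructed from the excerpts quoted further down in the thread.

```python
"""Triage helper for the two failure signatures quoted in this thread. Editor's example."""
import re

# Constructed sample syslog lines, modelled on the excerpts quoted further down.
SAMPLE_SYSLOG = """\
kernel: audit: type=1400 audit(1561462441.550:193): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/dev/urandom" pid=29418 comm="isc-worker0001" requested_mask="wc" denied_mask="wc" fsuid=111 ouid=0
named[1007]: client @0x7fd3bc0d5910 192.168.14.196#56965: updating zone '168.192.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)
named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
"""
# Zones the DC lists in the thread (samba-tool dns zonelist output).
AUTHORITATIVE_ZONES = ["14.168.192.in-addr.arpa", "LIN.group", "_msdcs.LIN.group"]
# The local named profile as first posted in the thread (note the 'urandown' typo).
SAMPLE_PROFILE = """\
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/dns/** rwk,
/var/tmp/** rwmk,
/dev/urandown rw,
"""

APPARMOR_RE = re.compile(r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
                         r'.*?name="(?P<path>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')
# Unsigned updates only: signed ones carry '/key ...' after the port and 'zone/NONE'.
UPDATE_RE = re.compile(r"client \S+ (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: "
                       r"(?:updating zone |update )'(?P<zone>[^/']+)/IN'")


def parse_events(text):
    """One dict per recognised refusal (kind: apparmor / notauth / denied)."""
    events = []
    for line in text.splitlines():
        if m := APPARMOR_RE.search(line):
            events.append({"kind": "apparmor", **m.groupdict()})
        elif m := UPDATE_RE.search(line):
            kind = "notauth" if "NOTAUTH" in line else "denied"
            events.append({"kind": kind, **m.groupdict()})
    return events


def suggested_rule(path, denied_mask):
    """Minimal AppArmor file rule for a denied mask: create (c), append (a) and
    delete (d) are all granted by 'w'; r, m and k map one to one."""
    perms = "".join(p for p, letters in (("r", "r"), ("w", "wacd"), ("m", "m"), ("k", "k"))
                    if set(denied_mask) & set(letters))
    return f"{path} {perms},"


def rule_regex(pattern):
    """AppArmor path globbing (*, **, {a,b}, @{var}) as a regex; @{var} is
    approximated as one path component. Commas only occur inside {...}."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern.startswith("@{", i):
            out, i = out + "[^/]*", pattern.index("}", i) + 1
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] in "{},":
            out, i = out + {"{": "(?:", "}": ")", ",": "|"}[pattern[i]], i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")


def path_covered(path, profile_text):
    """True if any file rule in the profile text matches the denied path."""
    rules = (ln.strip().rstrip(",") for ln in profile_text.splitlines())
    return any(rule_regex(r.split()[0]).match(path) for r in rules if r and r[0] != "#")


def reverse_zone_candidates(ip):
    """in-addr.arpa zones that could hold the PTR for ip, most specific first."""
    octets = ip.split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa" for n in (3, 2, 1)]


def authoritative_zone_for(ip, zones):
    """Most specific reverse zone in `zones` covering ip (case-insensitive), or None."""
    hosted = {z.lower() for z in zones}
    return next((c for c in reverse_zone_candidates(ip) if c in hosted), None)


def triage(syslog_text, zones, profile_text):
    """Turn parsed refusals into one actionable finding each."""
    findings = []
    for ev in parse_events(syslog_text):
        if ev["kind"] == "apparmor":
            fix = ("a matching rule exists; was the profile reloaded?"
                   if path_covered(ev["path"], profile_text) else
                   "no matching rule, add: " + suggested_rule(ev["path"], ev["mask"]))
            findings.append(f"apparmor: {ev['profile']} denied {ev['mask']} on {ev['path']}; {fix}")
        elif ev["kind"] == "notauth":
            hosted = authoritative_zone_for(ev["client"], zones) or "no reverse zone for that address"
            findings.append(f"notauth: {ev['client']} sent its PTR update to "
                            f"{ev['zone'].lower()}, but the DC hosts {hosted}")
        else:
            findings.append(f"denied: update to {ev['zone']} from {ev['client']} "
                            f"carried no key and was refused")
    return findings
```

Running `triage(SAMPLE_SYSLOG, AUTHORITATIVE_ZONES, SAMPLE_PROFILE)` yields one finding per sample line; the NOTAUTH finding shows the client aiming at 168.192.in-addr.arpa while the DC only hosts 14.168.192.in-addr.arpa.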
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van
Belle via samba
Sent: Tuesday, 25 June 2019 11:25 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS
Hai,
You posted the correct things here. For a quick fix: I'm busy with
something else atm, but I saw that /dev/urandom part.
Add this to the bind9 (named) apparmor profile:
# Samba DLZ
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,
Then try again.
Source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928398
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Praveen
> Ghimire via samba
> Verzonden: dinsdag 25 juni 2019 13:43
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Reverse DNS
>
> Hi All,
>
> Some more digging through the syslogs. The following error sticks out:
>
> client @0x7fd3bc0d5910 192.168.14.196#56965: updating zone
> '168.192.IN-ADDR.ARPA/IN': update failed: not authoritative for update
> zone (NOTAUTH)
>
> This was with dns update = nonsecure and secure and a static IP. With
> the dns update section removed, the reverse DNS update works and the
> reverse entry is created.
>
> When using nonsecure and secure and DHCP, we see the following:
>
> [26654.606730] audit: type=1400 audit(1561462441.550:193):
> apparmor="DENIED" operation="open" profile="/usr/sbin/named"
> name="/dev/urandom" pid=29418 comm="isc-worker0001"
> requested_mask="wc" denied_mask="wc" fsuid=111 ouid=0
>
> dnsserver: Invalid zone operation IsSignedTerminating connection -
> 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>
> Following Louis' instructions in the git page, I've set up the
> following in apparmor:
>
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> /var/lib/samba/etc/smb.conf r,
> /var/tmp/** rwmk,
> /dev/urandown rw,
> # Samba4 DLZ and Active Directory Zones (default source installation)
> # bind support before samba 4.9
> /var/lib/samba/private/dns/** rwmk,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> # bind support after samba 4.9
> /var/lib/samba/bind-dns/** rwmk,
> /var/lib/samba/bind-dns/dns.keytab r,
> /var/lib/samba/bind-dns/named.conf r,
> /var/lib/samba/bind-dns/dns/** rwk,
> # Regular samba.
> /var/lib/samba/lib/** rm,
> /usr/lib/**/samba/bind9/** rmk,
> /usr/lib/**/samba/gensec/* rmk,
> /usr/lib/**/samba/ldb/** rmk,
> /usr/lib/**/ldb/modules/ldb/** rmk,
> /var/tmp/** rwmk,
> /var/lib/samba/** rwmk,
> /usr/lib/x86_64-linux-gnu/samba/** rwmk,
> /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
>
>
> Just a reminder, the zones are the following:
>
> pszZoneName : 14.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.LIN.group
>
> pszZoneName : LIN.group
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.LIN.group
>
> pszZoneName : _msdcs.LIN.group
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.LIN.group
>
>
> As mentioned, the DHCP server is not on the same server; it is on a
> machine which is not in the same domain. It is a standalone Ubuntu
> server.
>
> Any suggestions?
>
>
> Regards,
> Praveen Ghimire
>
>
>
>
> -----Original Message-----
> From: Praveen Ghimire
> Sent: Monday, 24 June 2019 12:03 PM
> To: 'L.P.H. van Belle'
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> Just an update on this. I ran up a new test LXC container and
> completely removed apparmor. Then installed the packages. I got the same
> errors.
>
> I thought I would change the DNS from Bind to internal and back to
> bind.
>
>
> The following is going from Bind9 to Internal:
>
> root@server5-ad:/var/log# service bind9 stop
> root@server5-ad:/var/log# systemctl mask bind9
> Created symlink /etc/systemd/system/bind9.service -> /dev/null.
> root@server5-ad:/var/log# service samba-ad-dc stop
> root@server5-ad:/var/log# samba_upgradedns --dns-backend=SAMBA_INTERNAL
>
> I removed the
> server services = -dns
> line from smb.conf.
>
> I got the following error:
>
> /source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error
> code 110
>
> Then I ran samba_dnsupdate, which failed:
>
> Jun 24 01:26:39 server5-ad samba[800]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> Jun 24 01:26:49 server5-ad ntpd[120]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> IPs: ['192.168.14.10']
> Looking for DNS entry A server5.LIN.group 192.168.14.10 as server5.LIN.group.
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 827, in <module>
>     elif not check_dns_name(d):
>   File "/usr/sbin/samba_dnsupdate", line 317, in check_dns_name
>     raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
> Exception: Timeout while waiting to contact a working DNS server while looking for A server5.LIN.group 192.168.14.10 as server5.LIN.group.
>
>
> I then reverted back to Bind9 and saw the errors I was seeing before.
> It creates the forward DNS entry but not the reverse.
> I have underlined the errors:
>
>
>
> Jun 24 01:36:20 server5-ad samba[1037]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ:
> --------------------------------------------------------------
> [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Mon, 24 Jun 2019 01:36:20.628460 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
> Jun 24 01:36:21 server5-ad named[1007]: resolver priming query complete
> Jun 24 01:36:23 server5-ad named[1007]: message repeated 2 times: [ resolver priming query complete]
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
>
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#57503: update 'LIN.group/IN' denied
> --------------------------------------------------------------
>
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' AAAA
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
> Jun 24 01:36:24 server5-ad named[1007]: client @0x7f41d810fbe0 192.168.14.150#60690/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: subtracted rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 43 900 600 86400 3600'
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: added rdataset LIN.group 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. hostmaster.LIN.group. 900 600 86400 3600'
> Jun 24 01:36:24 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
> Jun 24 01:36:24 server5-ad named[1007]: resolver priming query complete
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
>
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#64221: update 'LIN.group/IN' denied
> --------------------------------------------------------------
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: cancelling transaction on zone LIN.group
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: starting transaction on zone LIN.group
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=AAAA key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: allowing update of signer=BW10\$\@LIN.GROUP name=bw10.LIN.group tcpaddr=192.168.14.150 type=A key=1068-ms-7.1-80306.78bac884-9620-11e9-62a7-9a9237443f23/160/0
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' AAAA
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': deleting rrset at 'bw10.LIN.group' A
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: subtracted rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:27 server5-ad named[1007]: client @0x7f41b801dc20 192.168.14.150#63953/key BW10\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'bw10.LIN.group' A 192.168.14.150
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: added rdataset bw10.LIN.group 'bw10.LIN.group.#0111200#011IN#011A#011192.168.14.150'
> Jun 24 01:36:27 server5-ad named[1007]: samba_dlz: committed transaction on zone LIN.group
>
>
> The permissions of the bind files:
>
>
> root@server5-ad:# ls -ld /var/lib/samba/private/
> drwxr-xr-x 8 root root 27 Jun 24 01:48 /var/lib/samba/private/
> root@server5-ad:# ls -l /var/lib/samba/private/named.conf
> -rw-r--r-- 1 root root 780 Jun 24 01:35 /var/lib/samba/private/named.conf
> root@server5-ad:# ls -ld /var/lib/samba/private/dns
> drwxrwx--- 3 root bind 4 Jun 24 01:35 /var/lib/samba/private/dns
> root@server5-ad:# ls -ld /var/lib/samba/private/dns.keytab
> -rw-r----- 1 root bind 807 Jun 24 01:35 /var/lib/samba/private/dns.keytab
> root@server5-ad:# ls -l /var/lib/samba/private/dns/
> total 45
> -rw-rw---- 1 root bind 3014656 Jun 24 01:35 sam.ldb
> drwxrwx--- 2 root bind 8 Jun 24 01:35 sam.ldb.d
> root@server5-ad:# ls -l /var/lib/samba/private/dns/sam.ldb.d/
> total 3223
> -rw-rw---- 1 root bind 8597504 Jun 24 01:35 'CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 1 root bind 8187904 Jun 24 01:35 'CN=SCHEMA,CN=CONFIGURATION,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind 4247552 Jun 24 01:48 'DC=DOMAINDNSZONES,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind 4247552 Jun 24 00:38 'DC=FORESTDNSZONES,DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 1 root bind 1286144 Jun 24 01:35 'DC=LIN,DC=GROUP.ldb'
> -rw-rw---- 2 root bind 831488 Jun 24 01:48 metadata.tdb
>
>
> Zone list
>
> Using binding ncacn_ip_tcp:192.168.14.10[,sign]
> Mapped to DCERPC endpoint 135
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> Mapped to DCERPC endpoint 49152
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> added interface v14 ip=192.168.14.10 bcast=192.168.14.255 netmask=255.255.255.0
> Cannot do GSSAPI to an IP address
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
> pszZoneName : 14.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.LIN.group
>
> pszZoneName : LIN.group
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.LIN.group
>
> pszZoneName : _msdcs.LIN.group
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.LIN.group
>
>
> smb.conf
> [global]
> workgroup = LIN
> realm = LIN.GROUP
> netbios name = SERVER5
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> server services = -dns
> allow dns updates = nonsecure
>
>
> /etc/hosts (the server definition):
>
> # server5-ad and server5 are one and the same. This is because at one
> # stage the shares were on server5, which got moved to server5-ad
> 192.168.14.10 SERVER5-ad.lin.group SERVER5-ad
> 192.168.14.10 SERVER5.lin.group SERVER5
>
>
> Regards,
> Praveen Ghimire
>
>
>
>
>
> -----Original Message-----
> From: Praveen Ghimire
> Sent: Friday, 21 June 2019 11:19 PM
> To: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> Thank you for that. I've got a lab environment similar to the
> prod and was able to replicate the issues.
>
> I added the following to /etc/bind/named.conf.options:
>
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
>
> This caused named-checkconf to fail:
> root@server5-ad:/etc/bind# named-checkconf
> /etc/bind/rndc.key:1: unknown option 'key'
> /etc/bind/named.conf.options:27: unknown option 'controls'
>
> So I removed that line. The following is the existing
> named.conf.options:
>
> options {
> directory "/var/cache/bind";
>
> forwarders {
> 8.8.8.8;
> };
> dnssec-validation auto;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> auth-nxdomain yes; # conform to RFC1035
> empty-zones-enable no;
> listen-on-v6 { any; };
>
> };
>
> We are using an LXC container. It turns out there is a reported
> issue with apparmor in LXC, as per below:
> apparmor_parser: Unable to replace "/usr/sbin/named".
> Permission denied; attempted to load a profile while confined?
>
> The option was to purge and reinstall apparmor. The following
> is the /etc/apparmor.d/local/usr.sbin.named:
>
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> /var/lib/samba/etc/smb.conf r,
> /var/tmp/** rwmk,
> /dev/urandown rw,
>
> The following is from syslog:
>
> Jun 21 12:52:11 server5-ad ntpd[174]: adj_systime: Operation not permitted
> Jun 21 12:52:38 server5-ad ntpd[174]: message repeated 27 times: [ adj_systime: Operation not permitted]
> Jun 21 12:52:38 server5-ad samba[201]: dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> Jun 21 12:52:39 server5-ad ntpd[174]: adj_systime: Operation not permitted
> \ samba_dlz: starting transaction on zone LIN.group
> Jun 21 12:55:27 server5-ad named[564]: client @0x7fa7fc013e70 192.168.14.181#54936: update 'LIN.group/IN' denied
> Jun 21 12:58:34 server5-ad ntpd[174]: 91.189.89.199 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:35 server5-ad ntpd[174]: 91.189.89.198 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:36 server5-ad ntpd[174]: 91.189.91.157 local addr 192.168.14.10 -> <null>
> Jun 21 12:58:42 server5-ad named[564]: resolver priming query complete
> Jun 21 12:58:46 server5-ad samba[201]: [2019/06/21 12:58:46.917811, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
> Jun 21 12:58:53 server5-ad samba[201]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedldb_wrap open of secrets.ldb
> Jun 21 12:59:01 server5-ad named[564]: resolver priming query complete
> Jun 21 12:59:04 server5-ad samba[201]: [2019/06/21 12:59:04.972119, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
>
>
> I've made changes as per your recommendations.
>
> In terms of DHCP, I did go through that wiki a while ago. To
> me it looks like it works if the DHCP server is in the same
> domain as the AD server, which is not the case here. I made
> the changes as per the wiki and added the script. I manually
> specified the domain and realm info. The script does run but
> doesn't seem to make a difference. I copied the dhcpd user
> info stuff from the AD box to the DHCP server.
>
> ACL has now been installed.
>
> Thank you once again
>
> Regards,
>
> Praveen
>
> -----Original Message-----
> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> Sent: Friday, 21 June 2019 7:52 PM
> To: Praveen Ghimire
> Subject: RE: [Samba] Reverse DNS
>
> Hai, well I had a good look, I've commented where it was needed ;-)
>
> This is the part to start with; once this is all correct,
> you can look at the DDNS and reverse DNS parts.
>
>
> > -----Oorspronkelijk bericht-----
> > Van: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> > Verzonden: woensdag 19 juni 2019 12:38
> > Aan: 'L.P.H. van Belle'
> > Onderwerp: RE: [Samba] Reverse DNS
> >
> > Hi Louis,
> >
> > Thank you, awesome script.
> >
> > Output as follows
> >
> > Collected config --- 2019-06-19-10:12 -----------
> >
> > Hostname: server5-ad
> > DNS Domain:
>
> Missing default DNS domain.
> Is "search your.primary.search.domain.tld" set in /etc/resolv.conf?
>
> > FQDN: server5-ad
> And missing domain in FQDN, as result of missing DNS domain.
>
> > ipaddress: 192.168.14.10
> >
> > -----------
> >
> > Samba is running as an AD DC
> >
> > -----------
> > Checking file: /etc/os-release
> >
> > NAME="Ubuntu"
> > VERSION="18.04.1 LTS (Bionic Beaver)"
> > ID=ubuntu
> > ID_LIKE=debian
> > PRETTY_NAME="Ubuntu 18.04.1 LTS"
> > VERSION_ID="18.04"
> > HOME_URL="https://www.ubuntu.com/"
> > SUPPORT_URL="https://help.ubuntu.com/"
> > BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> > PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-pol
> > icies/privacy-policy"
> > VERSION_CODENAME=bionic
> > UBUNTU_CODENAME=bionic
> >
> > -----------
> >
> >
> > This computer is running Ubuntu 18.04.1 LTS x86_64
> >
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > inet 127.0.0.1/8 scope host lo
> > inet6 ::1/128 scope host
> > 161: v14@if162: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
> > link/ether 7a:bf:29:61:5b:14 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> > inet 192.168.14.10/24 brd 192.168.14.255 scope global v14
> > inet6 fe80::78bf:29ff:fe61:5b14/64 scope link
> >
> > -----------
> > Checking file: /etc/hosts
>
> Fix the hosts file
>
> >
> > 127.0.0.1 localhost 827be14a-ffda-60f5-f7f9-b260c6cab739
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
> > 192.168.14.10 server5-ad
> > # --- BEGIN PVE ---
> > 192.168.14.10 server5-ad.LIN.group server5-ad
> > # --- END PVE ---
> > 192.168.14.10 server5
> > 192.168.14.10 server5.LIN.group
>
> Now this is also incorrect, you only need 1 line per IP.
> If it's correctly set, you can run this: echo "$(hostname -i)
> $(hostname -f) $(hostname -s)"
> For more aliases, add them at the end of that line, or add them to
> the DNS as CNAMEs.
>
> So your hosts file should result in:
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 192.168.14.10 server5-ad.LIN.group server5-ad
>
>
> > -----------
> >
> > Checking file: /etc/resolv.conf
> >
> > # --- BEGIN PVE ---
> > search LIN.group
> > nameserver 192.168.14.10
> > # --- END PVE ---
> >
> > -----------
> >
> > Checking file: /etc/krb5.conf
> >
> > [libdefaults]
> > default_realm = LIN.GROUP
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [realms]
> > LIN.GROUP = {
> > kdc = server5
> > admin_server = server5
> >
> > }
>
> Remove the [realms] part, not needed.
> And wasn't your server named server5-ad?
>
> >
> > -----------
> >
> > Checking file: /etc/nsswitch.conf
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: files winbind
> > group: files winbind
> > shadow: compat
> > gshadow: files
> >
> > hosts: files dns
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> >
> > -----------
> >
> > Checking file: /etc/samba/smb.conf
> >
> > [global]
> > workgroup = LIN
> > realm = LIN.GROUP
> > netbios name = server5
> Ok, here netbios name. It's a mismatch with what's set in /etc/hosts.
> HOSTNAME="$(hostname -s)"
> echo "${HOSTNAME^^}"
> Results in "SERVER5-AD" and that should be in netbios name = ....
>
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > log file = /var/log/samba/log.%m
> > log level = 4
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
>
> Preferred enum user/group to no, it only slows down your server.
>
> > acl allow execute always = True
> > server services = -dns
> > allow dns updates = nonsecure
> > unix extensions = No
> >
> > full_audit:priority = notice
> > full_audit:facility = local5
> > full_audit:success = mkdir rmdir read pread write pwrite
> > rename unlink
> > full_audit:failure = none
> > full_audit:prefix = %u|%I|%S
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/LIN.group/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> >
> >
> > [homes]
> > comment = Home Directories
> > root preexec = bash -c '[[ -d /home/%U ]] || mkdir -m 0700 /home/%U && mkdir -m 0700 /home/%U/samba && chown -R %U:"Domain Users" /home/%U'
> >
> > # create mask = 0700
> > # directory mask = 0700
> > # browseable = No
> > read only = No
> > path = /home/%U/samba
> > vfs objects = full_audit
> > # follow symlinks = yes
> > # wide links = yes
> >
> Ah [homes], well Rowland and I just did a small test. You can
> try this.
> [homes]
> comment = Home Directories
> read only = no
> valid users = %S
> root preexec = /usr/local/sbin/mkhomedir.sh %U %H
>
> Content of mkhomedir.sh :
> #!/bin/bash
> # $1 = user name (%U), $2 = home directory (%H), as passed from smb.conf
>
> if [ ! -e "$2" ]; then
>     # keep the full group name: it contains a space and may carry a domain prefix
>     DOMUSERS="$(wbinfo -g | grep -i "domain users")"
>     install -d -o "$1" -g "${DOMUSERS}" -m 700 "$2"
> fi
>
> exit 0
>
> >
> >
> >
> > [data]
> > comment = Data share
> > path = /data
> > hide unreadable = Yes
> > vfs objects = full_audit
> > follow symlinks = yes
> > wide links = yes
> >
> > -----------
> >
> > Detected bind DLZ enabled..
> > Checking file: /etc/bind/named.conf
> >
> > // This is the primary configuration file for the BIND DNS server named.
> > //
> > // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> > // structure of BIND configuration files in Debian, *BEFORE* you customize
> > // this configuration file.
> > //
> > // If you are just adding zones, please do that in /etc/bind/named.conf.local
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/private/named.conf";
> >
> > -----------
> >
> > Checking file: /etc/bind/named.conf.options
> >
> > options {
> > directory "/var/cache/bind";
> >
> > // If there is a firewall between you and nameservers you want
> > // to talk to, you may need to fix the firewall to allow multiple
> > // ports to talk. See http://www.kb.cert.org/vuls/id/800113
> >
> > // If your ISP provided one or more IP addresses for stable
> > // nameservers, you probably want to use them as forwarders.
> > // Uncomment the following block, and insert the addresses replacing
> > // the all-0's placeholder.
> >
> > // forwarders {
> > // 0.0.0.0;
> > // };
>
> Do set your forwarder to internet DNS servers.
>
> >
> >
> > //========================================================================
> > // If BIND logs error messages about the root key being expired,
> > // you will need to update your keys. See https://www.isc.org/bind-keys
> > //========================================================================
> > dnssec-validation auto;
> > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> > auth-nxdomain no; # conform to RFC1035
> your AD DC is the AUTHORITATIVE server of the primary zone so..
> auth-nxdomain yes;
> > listen-on-v6 { any; };
>
> Add: empty-zones-enable no;
> That avoids possible conflicts with configured zones.
>
> > };
> >
> > -----------
> >
> > Checking file: /etc/bind/named.conf.local
> >
> > //
> > // Do any local configuration here
> > //
> >
> > // Consider adding the 1918 zones here, if they are not used in your
> > // organization
> > //include "/etc/bind/zones.rfc1918";
> I'm missing here:
>
> // adding the dlopen ( Bind DLZ ) module for samba, beware,
> // if you are using bind9.9 then you need to change this manually
> include "/var/lib/samba/private/named.conf";
>
> >
> > -----------
> >
> > Checking file: /etc/bind/named.conf.default-zones
> >
> > // prime the server with knowledge of the root servers
> > zone "." {
> > type hint;
> > file "/etc/bind/db.root";
> > };
> >
> > // be authoritative for the localhost forward and reverse zones, and for
> > // broadcast zones as per RFC 1912
> >
> > zone "localhost" {
> > type master;
> > file "/etc/bind/db.local";
> > };
> >
> > zone "127.in-addr.arpa" {
> > type master;
> > file "/etc/bind/db.127";
> > };
> >
> > zone "0.in-addr.arpa" {
> > type master;
> > file "/etc/bind/db.0";
> > };
> >
> > zone "255.in-addr.arpa" {
> > type master;
> > file "/etc/bind/db.255";
> > };
> >
> > -----------
> >
> > Samba DNS zone list:
> > Samba DNS zone list Automated check :
> >
> > Installed packages:
>
> I'm missing acl.
>
> apt-get install acl
>
> > ii attr 1:2.4.47-2build1
> > amd64 Utilities for manipulating filesystem
> > extended attributes
> > ii bind9 1:9.11.3+dfsg-1ubuntu1.7
> > amd64 Internet Domain Name Server
> > ii bind9-host 1:9.11.3+dfsg-1ubuntu1.7
> > amd64 DNS lookup utility (deprecated)
> > ii bind9utils 1:9.11.3+dfsg-1ubuntu1.7
> > amd64 Utilities for BIND
> > ii krb5-config 2.6
> > all Configuration files for Kerberos Version 5
> > ii krb5-locales 1.16-2ubuntu0.1
> > all internationalization support for MIT Kerberos
> > ii krb5-user 1.16-2ubuntu0.1
> > amd64 basic programs to authenticate using MIT Kerberos
> > ii libacl1:amd64 2.2.52-3build1
> > amd64 Access control list shared library
> > ii libattr1:amd64 1:2.4.47-2build1
> > amd64 Extended attribute shared library
> > ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.7
> > amd64 BIND9 Shared Library used by BIND
> > ii libgssapi-krb5-2:amd64 1.16-2ubuntu0.1
> > amd64 MIT Kerberos runtime libraries - krb5
> > GSS-API Mechanism
> > ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-1
> > amd64 Heimdal Kerberos - libraries
> > ii libkrb5-3:amd64 1.16-2ubuntu0.1
> > amd64 MIT Kerberos runtime libraries
> > ii libkrb5support0:amd64 1.16-2ubuntu0.1
> > amd64 MIT Kerberos runtime libraries - Support library
> > ii libnss-winbind:amd64
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba
> > nameservice integration plugins
> > ii libpam-winbind:amd64
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Windows domain
> > authentication integration plugin
> > ii libwbclient0:amd64
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba winbind
> > client library
> > ii python-samba
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Python
> > bindings for Samba
> > ii samba
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 SMB/CIFS file,
> > print, and login server for Unix
> > ii samba-common
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 all common files
> > used by both the Samba server and client
> > ii samba-common-bin
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba common
> > files used by both the server and the client
> > ii samba-dsdb-modules
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba
> > Directory Services Database
> > ii samba-libs:amd64
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba core libraries
> > ii samba-vfs-modules
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 Samba Virtual
> > FileSystem plugins
> > ii winbind
> > 2:4.7.6+dfsg~ubuntu-0ubuntu2.11 amd64 service to
> > resolve user and group information from Windows NT servers
> >
> > -----------
> >
> >
> > DHCP
> >
> > subnet 192.168.14.0 netmask 255.255.255.0 {
> > authoritative;
> > option netbios-name-servers 192.168.14.10;
> > option netbios-dd-server 192.168.14.10;
> > option netbios-node-type 8;
> > option domain-name-servers 192.168.14.1, 192.168.14.10;
> >
> > ddns-rev-domainname "in-addr.arpa.";
> >
> > pool {
> > range dynamic-bootp 192.168.14.150 192.168.14.150;
> > range dynamic-bootp 192.168.14.153 192.168.14.154;
> > range dynamic-bootp 192.168.14.180 192.168.14.188;
> > range dynamic-bootp 192.168.14.191 192.168.14.191;
> > range dynamic-bootp 192.168.14.193 192.168.14.196;
> > range dynamic-bootp 192.168.14.198 192.168.14.210;
> > range dynamic-bootp 192.168.14.212 192.168.14.214;
> >
> > }
> > option broadcast-address 192.168.14.255;
> > option routers 192.168.14.254;
> > option domain-name "site01";
> > ddns-domainname "site01";
>
> Here, domainname and ddns-domainname should be your primary DNS.
>
> > ddns-updates on;
> > update-optimization off;
> > update-static-leases on;
> > allow client-updates;
> > }
>
> I suggest, have a good look at:
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> And in addition.
> In named.conf.options add at the end of the file:
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba