Further on this. We have a Win10 machine with RSAT installed on it. Using the DNS
tool, I created an A record with an associated PTR record. The A record got
created but not the PTR. I was logged in as the domain administrator.
The following is with no dns update directive in smb.conf:
Jun 26 11:21:07 server5-ad samba[4812]: [2019/06/26 11:21:07.978068, 0]
../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone
lin.group
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0
192.168.14.196#59770: update 'lin.group/IN' denied
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on
zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone
lin.group
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: spnego update failed
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0
192.168.14.196#63579/key WIN10VM01\$\@lin.GROUP: updating zone
'lin.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on
zone lin.group
Jun 26 11:21:23 server5-ad samba[4812]: dnsserver: Invalid zone operation
IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ:
[DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Wed, 26 Jun 2019
11:21:23.001914 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Jun 26 11:21:32 server5-ad samba[4812]: [2019/06/26 11:21:32.583231, 0]
../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:22:07 server5-ad samba[4812]: dnsserver: Invalid zone operation
IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection -
'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 26 11:22:37 server5-ad samba[4812]: [2019/06/26 11:22:37.511948, 0]
../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:23:37 server5-ad samba[4812]: dnsserver: Invalid zone operation
IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection -
'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
With dns update = nonsecure
Jun 26 11:30:53 server5-ad samba[4972]: dnsserver: Invalid zone operation
IsSignedTerminating connection - 'dcesrv:
NT_STATUS_CONNECTION_DISCONNECTED'
Jun 26 11:31:06 server5-ad samba[4972]: [2019/06/26 11:31:06.953613, 0]
../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:31:28 server5-ad samba[4972]: dnsserver: Invalid zone operation
IsSignedSuccessful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM]
[S-1-5-18] at [Wed, 26 Jun 2019 11:31:28.187322 UTC] Remote host [ipv6::::0]
local host [ipv6::::0]
Jun 26 11:31:51 server5-ad samba[4972]: [2019/06/26 11:31:51.662909, 0]
../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:31:58 server5-ad samba[4972]: dnsserver: Invalid zone operation
IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection -
'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Praveen
Ghimire via samba
Sent: Wednesday, 26 June 2019 8:32 PM
To: 'Rowland penny'
Cc: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS
Hi Rowland,
I have tried putting the whole rev-domain name. The following is the dhcpd.conf
zone definition
subnet 192.168.14.0 netmask 255.255.255.0 {
    authoritative;
    ddns-update-style standard;
    option netbios-name-servers 192.168.14.10; #14.10 is the AD box
    option netbios-dd-server 192.168.14.10;
    option netbios-node-type 8;
    option domain-name-servers 192.168.14.10;
    ddns-rev-domainname "14.168.192.in-addr.arpa.";
    option broadcast-address 192.168.14.255;
    option routers 192.168.14.254;
    option domain-name "lin.group"; #AD DOMAIN
    ddns-domainname "lin.group";
    ddns-updates on;
    update-optimization off;
    update-static-leases on;
    allow client-updates;
    pool
    {
    .......
    }
}
I have removed and re-created the reverse zone a few times, selecting secure
and nonsecure, also with and without storing the info in AD. The only time I have
seen it being populated is when I assign static IPs.
Regards,
Praveen Ghimire
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
via samba
Sent: Wednesday, 26 June 2019 5:06 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS
On 26/06/2019 04:38, Praveen Ghimire via samba wrote:
> Hi Louis,
>
> Thank you for that
>
> I have made the changes as per below, some items might have been
> duplicated. I then reloaded apparmor, restarted the samba-ad-dc and bind9
> services and get the same issue. Every time the forward DNS update
> works but the reverse doesn't
>
> I found a really interesting samba post going back to 2017 re the DHCP
> and DNS
> http://samba.2283325.n4.nabble.com/DHCP-DNS-and-non-domain-members-td4726681.html
>
> In the article there are suggestions of not letting Windows clients
> update their own DNS records. In my test machine I manually removed the
> option. The error message disappears when the machine renews its DHCP
> but the DNS (forward or reverse) doesn't update.
>
> The one thing I can't understand is despite the error messages in
> syslog about denying the lin.group zone, the forward updates but the
> reverse doesn't. The DHCP server has the following
>
> ddns-rev-domainname "in-addr.arpa.";
But isn't your reverse zone called '14.168.192.in-addr.arpa'?
Are your clients set to update their reverse zone? The DHCP server will not do
this by default.
Try deleting the reverse zone and recreating it, it could be a permissions
problem.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
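
A triage sketch for the named lines quoted in this thread, added here as an example (not code from the posters or from the Samba project): it separates updates denied without a key from keyed updates rejected by secure update, grouped by zone. The sample lines are the post's log entries unwrapped to one line each; the function names and outcome labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample: named lines from the post, unwrapped to one syslog line each.
SAMPLE = [
    r"Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone lin.group",
    r"Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#59770: update 'lin.group/IN' denied",
    r"Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on zone lin.group",
    r"Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: spnego update failed",
    r"Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#63579/key WIN10VM01\$\@lin.GROUP: updating zone 'lin.group/NONE': update failed: rejected by secure update (REFUSED)",
]

CLIENT = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r"(?:/key (?P<key>[^:]+))?: (?P<msg>.*)$"
)
ZONE = re.compile(r"'(?P<zone>[^'/]+)/")

def classify(msg):
    """Map a named client message to an outcome label (labels are this example's own)."""
    if "rejected by secure update" in msg:
        return "signed-rejected"   # request carried a key, refused by the secure-update check
    if msg.startswith("update ") and msg.endswith(" denied"):
        return "unsigned-denied"   # log line shows no /key: request was not signed
    return None

def parse_updates(lines):
    """Return one dict per refused dynamic update found in named syslog lines."""
    events = []
    for line in lines:
        m = CLIENT.search(line)
        if not m:
            continue
        outcome = classify(m["msg"])
        zone = ZONE.search(m["msg"])
        if outcome and zone:
            # Strip the backslash escaping seen in the logged principal name.
            key = m["key"].replace("\\", "") if m["key"] else None
            events.append({"client": m["ip"], "key": key,
                           "zone": zone["zone"], "outcome": outcome})
    return events

def summarize(lines):
    """Count refusals per (zone, outcome) and count samba_dlz spnego failures."""
    refused = Counter((e["zone"], e["outcome"]) for e in parse_updates(lines))
    spnego = sum("samba_dlz: spnego update failed" in line for line in lines)
    return refused, spnego

if __name__ == "__main__":
    refused, spnego = summarize(SAMPLE)
    for (zone, outcome), n in sorted(refused.items()):
        print(f"{zone:12} {outcome:16} {n}")
    print("spnego failures:", spnego)
```

On the sample, both refusals are for lin.group and none names the reverse zone, which matches what the posted log shows.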