I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
for many months now in a production environment and it works just fine. There
are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...

Note, conf file locations are Slackware, but you'll know where the same thing
goes in your distro. In the examples below, my Domain IP range is
192.168.0.0/24. My AD/DC (also DNS and DHCP server and router) is 192.168.0.2.
My domain name is hprs.local.

First off, I provisioned my Samba as follows:

$ samba-tool domain provision --use-rfc2307 \
    --server-role='dc' --realm=hprs.local --domain=HPRS \
    --adminpass='password' --dns-backend=BIND9_FLATFILE \
    --option="interfaces=lo eth1" --option="bind interfaces only=yes"

In the standard /etc/named.conf, in the option section you need:

----------snip-----------
options {

    forwarders {        // These are the ISP provided name servers
        66.193.88.3;
        66.192.88.4;
    };

    allow-query {       // Permit querying by others in the domain
        192.168.0.0/24;
        127.0.0.1;
    };
};
----------un-snip-----------

I've kept my local zone files defined in this named.conf:

----------snip-----------
zone "localhost" IN {
    type master;
    file "/var/named/db.local";
};

zone "127.in-addr.arpa" IN {
    type master;
    file "/var/named/db.127";
};
----------un-snip-----------

but now I reference Samba's config files for the domain stuff:

----------snip-----------
include "/etc/samba/private/named.conf";
----------un-snip-----------

Complete /etc/named.conf file:

----------snip-----------
options {
    // directory "/var/named";

    forwarders {        // These are the ISP provided name servers
        209.18.47.61;
        209.18.47.62;
    };

    allow-query {       // Permit querying by others in the domain
        192.168.0.0/24;
        127.0.0.1;
    };
};

zone "localhost" IN {
    type master;
    file "/var/named/db.local";
};

zone "127.in-addr.arpa" IN {
    type master;
    file "/var/named/db.127";
};

include "/etc/samba/private/named.conf";
----------un-snip-----------

The samba-tool provisioning step will have created the referenced
/etc/samba/private/named.conf file. Listed below is this file with my changes.

I've commented out line 15.

More importantly, the domain Windows workstations will want to update the zone
files via Samba. If they cannot, you will continuously get the syslog message:

syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied

Hence the "allow-update" in lines 8 and 25.

Finally, I've added the "optional" reverse zone in lines 23-26.

----------snip-----------
 1 # This file should be included in your main BIND configuration file
 2 #
 3 # For example with
 4 # include "/etc/samba/private/named.conf";
 5
 6 zone "hprs.local." IN {
 7     type master;
 8     allow-update { 192.168.0.0/24; 127.0.0.1; };   // local DHCP server
 9     file "/etc/samba/private/dns/hprs.local.zone";
10     /*
11      * the list of principals and what they can change is created
12      * dynamically by Samba, based on the membership of the domain controllers
13      * group. The provision just creates this file as an empty file.
14      */
15     # include "/etc/samba/private/named.conf.update";
16
17     /* we need to use check-names ignore so _msdcs A records can be created */
18     check-names ignore;
19 };
20
21 # The reverse zone configuration is optional.
22
23 zone "0.168.192.in-addr.arpa" in {
24     type master;
25     allow-update { 192.168.0.0/24; 127.0.0.1; };   // local DHCP server
26     file "/etc/samba/private/dns/db.192.168.0";
27 };
28
29 # Note that the reverse zone file is not created during the provision process.
30
31 # The most recent BIND versions (9.8 or later) support secure GSS-TSIG
32 # updates. If you are running an earlier version of BIND, or if you do not wish
33 # to use secure GSS-TSIG updates, you may remove the update-policy sections in
34 # both examples above.
----------un-snip-----------

For DNS, that's about it. I hand-tweaked a few things in the samba-tool
provisioned zone files to change the hostmaster email address and the various
refresh, retry, etc. timers. I'll not post those unless you need them because
they can be fairly lengthy. Except, you mentioned static IP. As an example, I
just added the following to my /etc/samba/private/dns/hprs.local.zone file:

$TTL 3600 ; 1 hour
vaio A 192.168.0.102

Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.

For DHCP, I've simply added the following to my dhcpd.conf. All these are
important, but the first 4 are needed for Samba to be able to update leases on
behalf of clients.

----------snip-----------
ddns-updates on;
update-static-leases on;
allow unknown-clients;   # default, deprecated (man dhcpd.conf)
ignore client-updates;   # see https://www.centos.org/forums/viewtopic.php?t=29256, man dhcpd.conf: ignore client-updates
ddns-update-style interim;

zone hprs.local. { primary 192.168.0.2; }
zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.2;
    range 192.168.0.100 192.168.0.254;
    option domain-name-servers 192.168.0.2;
    option domain-name "hprs.local";
    ddns-domainname = "hprs.local.";
    ddns-rev-domainname = "in-addr.arpa.";
}

# Example of DHCP static IP (dhcpd.conf comments start with '#')

host ricoh {
    hardware ethernet 00:26:73:55:63:AB;
    fixed-address 192.168.0.20;
}
----------un-snip-----------

This all works just fine. I've routed my log messages for DNS and DHCPD to
their own file (not shown) and I can tail -f this file and see REQUESTs and ACKs
scrolling by in fine style.
Not to put too much in one message, but I had to do the following on each Windows
workstation (command line) to get time to synchronize with ntpd where "mail" is
the hostname of my AD/DC and domain time server:

w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
w32tm /config /update

reference: https://www.meinbergglobal.com/english/info/ntp-w32time.htm

Hope this helps

--Mark

-----Original Message-----
> Date: Wed, 26 Aug 2015 21:28:55 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: Robert Moskowitz <rgm at htt-consult.com>, samba at lists.samba.org
> Subject: Re: [Samba] sernet documentation
>
> On 26/08/15 21:07, Robert Moskowitz wrote:
> >
> >
> > On 08/26/2015 03:50 PM, Rowland Penny wrote:
> >> On 26/08/15 20:39, Robert Moskowitz wrote:
> >>>
> >>>
> >>> On 08/26/2015 03:26 PM, Rowland Penny wrote:
> >>>> On 26/08/15 20:14, Robert Moskowitz wrote:
> >>>>> One of the Centos 7 arm developers built the sernet 4.2 for me to
> >>>>> start testing.
> >>>>>
> >>>>> http://repo.shivaserv.fr/centos/7/shivaserv-sernet.repo
> >>>>>
> >>>>> and
> >>>>>
> >>>>> http://repo.shivaserv.fr/centos/7/sernet/armv7hl/
> >>>>>
> >>>>> Since these were built on qemu, not requiring specific armv7
> >>>>> hardware, Perhaps at some point they can be adopted by Sernet. But
> >>>>> for now, how to test....
> >>>>>
> >>>>> I don't see any specific Sernet documentation. Like what is here
> >>>>> and how to set it up, perhaps different, from generic Samba 4.
> >>>>>
> >>>>> I searched the sernet web site and this list and came up empty,
> >>>>> but my search foo is weak.
> >>>>>
> >>>>> thanks
> >>>>>
> >>>>
> >>>> If Sernet just built samba for ARM, I do not think that it should
> >>>> be any different to set up, so just follow the relevant
> >>>> documentation on the samba wiki:
> >>>>
> >>>> https://wiki.samba.org/index.php/Main_Page
> >>>
> >>> I was thinking that PERHAPS the sernet build could have specific
> >>> configs for BIND and DHCP at the least. Unless Samba has already
> >>> included these. For things like DYNDNS.
> >>>
> >>
> >> Could you be a bit more specific, you can use Bind with samba4 but it
> >> is up to the sysadmin to set this up, though there is a page on the
> >> samba wiki. DHCP, again the sysadmin will have to set this, but there
> >> is not much on the wiki about this, but if all else fails, I can help
> >> with this. Finally, I don't see where DYNDNS comes in here.
> >
> > Plowing through the wiki...
> >
> > I see where if I use the internal DNS provided, I will have to set up
> > a forwarder. No problem, I have done that a lot. But I plan on using
> > a private tld, htt. and the zone home.htt. I want these zones known
> > to other systems on my network, so I want to slave them to my main DNS
> > internal servers (I actually have a production and 2 distinct test DNS
> > servers). Perhaps I will find in the wiki how to do this, or find my
> > old notes.
> >
> > Are workstations assigned DNS entries when they get their DHCP lease?
> > So that 'den' becomes den.home.htt and diningroom becomes
> > diningroom.home.htt? That is what I would think DYNDNS would be
> > doing. Of course the file servers, nevia and vega would be
> > nevia.home.htt and vega.home.htt? But since these are statically
> > assigned, again, I am assuming there are ways to get them into the
> > internal DNS.
>
> Unless things have changed, DHCP doesn't work with the samba internal
> DNS server, it does however work with the Bind9 DNS server, I have been
> using it since Dec 2012 on my home network 192.168.0.0/24 with the
> domain name of home.lan. To get the domain name applied to the clients,
> you just have to set them to ask for it and the DHCP to send it. As for
> the static clients, you can use samba-tool to add these.
>
> > Finally I am testing on one RFC1918 subnet (check out the authors of
> > 1918) and then will move all the servers to another one. what will I
> > need to do for this migration?
>
> What do you need to migrate ? if you set the first DC in a domain and
> then add another DC, all the AD database will be replicated to it.
>
> Rowland
>
> PS: you wouldn't be the B. Moskowitz from RFC would you ? (if you are,
> sorry but until this post, I had never heard of you :-) )
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
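Added example (editor's, not code from any message in this thread). The named.conf posted above grants dynamic-update rights to all of 192.168.0.0/24 by source address, with no signature, so any device on the LAN can overwrite any record in the AD forward and reverse zones (the DC's own A record, the _msdcs/_ldap SRV records, another workstation's name). Since dhcpd already performs the updates for the clients ("ignore client-updates"), the ACL can be narrowed to a TSIG key shared by named and dhcpd; the script below renders that hardened configuration, audits a named.conf for address-based allow-update entries, and summarises the "update ... denied" log lines so you can see who is still trying to update directly. Assumptions of mine: key name dhcp_update, HMAC-SHA256 (tsig-keygen is BIND 9.9 or later, hmac-sha256 needs ISC dhcpd 4.2 or later), and the sample config and log lines used in comments are constructed from the posted ones. One caveat: allow-update and the Samba-generated update-policy include (line 15 in the posted file) are mutually exclusive within one zone, so this keeps the allow-update style Mark uses rather than switching to GSS-TSIG.

```shell
#!/bin/sh
# Added example, not from the thread. Hardens the dynamic-update ACL of a
# BIND9_FLATFILE zone to a TSIG key and audits/monitors update authorisation.
# Assumptions (mine, not the poster's): key name dhcp_update, HMAC-SHA256,
# BIND 9.9+ and ISC dhcpd 4.2+, dhcpd and the DC's local updates stay as is.
set -eu

# Zone clause with the hardened ACL.
# Weak (as posted):  allow-update { 192.168.0.0/24; 127.0.0.1; };
# Hardened:          allow-update { key "dhcp_update"; 127.0.0.1; };
# 127.0.0.1 is kept so the DC's own local update runs keep working as before;
# every other updater has to sign with the key.
render_named_zone() {
    zone="$1"; zonefile="$2"; keyname="$3"
    cat <<EOF
zone "$zone." IN {
    type master;
    file "$zonefile";
    allow-update { key "$keyname"; 127.0.0.1; };
    check-names ignore;
};
EOF
}

# Key clause for named.conf (tsig-keygen -a hmac-sha256 dhcp_update prints
# one with a fresh secret; put the same secret into dhcpd.conf below).
render_named_key() {
    keyname="$1"; secret="$2"
    cat <<EOF
key "$keyname" {
    algorithm hmac-sha256;
    secret "$secret";
};
EOF
}

# dhcpd.conf side: the same key and the zone statements that make dhcpd sign
# its forward and reverse updates (dhcpd takes the secret unquoted).
render_dhcpd_ddns() {
    zone="$1"; revzone="$2"; server="$3"; keyname="$4"; secret="$5"
    cat <<EOF
key $keyname {
    algorithm hmac-sha256;
    secret $secret;
};
zone $zone. { primary $server; key $keyname; }
zone $revzone. { primary $server; key $keyname; }
EOF
}

# Audit a named.conf: print every allow-update element that grants by address
# or network instead of by key (127.0.0.1 and ::1 tolerated), one per line.
audit_allow_update() {
    awk '
        /allow-update/ {
            acl = $0
            sub(/.*allow-update[ \t]*[{]/, "", acl)
            sub(/[}].*/, "", acl)
            n = split(acl, el, ";")
            for (i = 1; i <= n; i++) {
                e = el[i]
                gsub(/^[ \t]+/, "", e); gsub(/[ \t]+$/, "", e)
                if (e == "" || e == "127.0.0.1" || e == "::1" || e ~ /^key[ \t]/)
                    continue
                printf "%s:%d: allow-update grants \"%s\" by address, not by key\n", FILENAME, FNR, e
            }
        }' "$1"
}

# Count "update <zone> denied" lines from the named log per client and zone.
# With the hardened ACL, domain-joined Windows clients still appear here (they
# try to self-register and are refused); an unexpected source is the finding.
summarize_denied_updates() {
    awk '
        /named\[[0-9]+\]: client .*: update .* denied/ {
            client = $0; sub(/.*client /, "", client); sub(/#.*/, "", client)
            zone = $0; sub(/.*update '\''/, "", zone); sub(/'\''.*/, "", zone)
            count[client " " zone]++
        }
        END { for (k in count) print count[k], k }' "$1" | sort -rn
}
```

Usage: generate the secret once (tsig-keygen -a hmac-sha256 dhcp_update), paste it into render_named_key and render_dhcpd_ddns so both files carry the same key, replace the two allow-update lines with the output of render_named_zone for hprs.local and 0.168.192.in-addr.arpa, then named-checkconf, rndc reconfig and restart dhcpd. audit_allow_update /etc/samba/private/named.conf should then print nothing; summarize_denied_updates on the named log shows which clients are still sending unsigned updates.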
On 26/08/15 22:56, Mark Foley wrote:
> I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
> for many months now in a production environment and it works just fine. There
> are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
> [...]

Ah, but what if you have Unix clients and what about the reverse zone ?

Rowland
On 08/26/2015 05:56 PM, Mark Foley wrote:
> I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
> for many months now in a production environment and it works just fine. There
> are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...

Do you run bind in chroot?
One thing nobody seems to mention.

This setup samba 4 + bind9_flatfile setup works ok.. BUT

If you add a new DC, you will run into problems.. bind9_flatfile setup is NOT
multi master replication setup. OK for 1 DC, but if you use more DC's, make sure
you make your changes on the first dc. setup a bind master/slave.. and for a dhcp
server with failover setup, which works also with samba4, but with restrictions.
If you need something like this I need to dig in my archive of setups.. I did
more than a year ago, and my advice to Mark is, setup bind9_DLZ. Much more
flexible, and most important the multimaster replication. which you really want..

when you provision.. --realm=hprs.local... DON'T use .local. this is a reserved
name for Apple's mDNS (zeroconf), yes it does work, but better not. ( same for .lan )

> > Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
> > these static IPs to the zone file. Otherwise, they seem to get clobbered/removed.

then you did something wrong, or you did not use the correct programs to add it.
like samba-tool or you did not freeze the zone first. when you run in
bind9_flatfile, do not manually change the zonefiles used by samba.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Thursday 27 August 2015 00:05
> To: samba at lists.samba.org
> Subject: Re: [Samba] sernet documentation
>
> On 26/08/15 22:56, Mark Foley wrote:
> > I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
> > for many months now in a production environment and it works just fine. There
> > are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
> > [...]
>
> Ah, but what if you have Unix clients and what about the reverse zone ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
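Added example (editor's, not code from any message in this thread), for the "freeze the zone first" point Louis makes above and Mark's observation that hand-added records get clobbered. With a dynamic zone, named keeps incoming updates in a journal (zone.jnl) and rewrites the zone file itself, so an edit made to the live file is lost; rndc freeze writes the journal out and suspends updates, the edited file is checked with named-checkzone, and rndc thaw reloads it and resumes updates, with samba and named running throughout. Assumptions of mine: rndc is configured for the local named, the zone file lives at /etc/samba/private/dns/<zone>.zone as in the posted config, and the zone-file contents used in the test are constructed. The input checks and the append are kept in pure shell/awk so they can be exercised on a scratch file without rndc.

```shell
#!/bin/sh
# Added example, not from the thread: add a static A record to a live
# BIND9_FLATFILE zone safely (freeze, edit, check, thaw) instead of stopping
# samba and named. Assumptions (mine): rndc talks to the local named and the
# zone file path is /etc/samba/private/dns/<zone>.zone as posted.
set -eu

# Dotted-quad check: four fields, each 0-255. Pure awk, no DNS lookups.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# One hostname label: letters, digits, hyphens; no leading/trailing hyphen; <= 63.
valid_label() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Append "<name> IN A <ip>" to a zone file. Refuses bad input (exit 2) and a
# name that already owns an A record (exit 1), matching case-insensitively
# whatever column layout named last wrote (with or without TTL/class).
append_a_record() {
    zonefile="$1"; name="$2"; ip="$3"
    valid_label "$name" || { echo "bad hostname: $name" >&2; return 2; }
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 2; }
    if awk -v n="$name" '
            tolower($1) == tolower(n) { for (i = 2; i <= NF; i++) if ($i == "A") found = 1 }
            END { exit !found }' "$zonefile"; then
        echo "$name already has an A record in $zonefile" >&2
        return 1
    fi
    printf '%s\tIN\tA\t%s\n' "$name" "$ip" >> "$zonefile"
}

# Freeze, back up, edit, check, thaw. On any failure the backup is restored
# before thawing, so named never reloads a broken file. Bump the SOA serial
# too if secondary servers transfer this zone.
add_static_record() {
    zone="$1"; name="$2"; ip="$3"
    zonefile="/etc/samba/private/dns/$zone.zone"
    rndc freeze "$zone"
    cp -p "$zonefile" "$zonefile.bak"
    if append_a_record "$zonefile" "$name" "$ip" && named-checkzone -q "$zone" "$zonefile"; then
        rndc thaw "$zone"
    else
        cp -p "$zonefile.bak" "$zonefile"
        rndc thaw "$zone"
        return 1
    fi
}

# usage (on the DC): add_static_record hprs.local vaio 192.168.0.102
```

While the zone is frozen, dynamic updates from dhcpd and from Samba's own update task are refused with SERVFAIL and retried later, so keep the frozen window short; the function above holds it only for the append and the named-checkzone run.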
On 08/26/2015 11:10 PM, Robert Moskowitz wrote:
>
> On 08/26/2015 05:56 PM, Mark Foley wrote:
>> I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and
>> Slackware 64 14.1 for many months now in a production environment and
>> it works just fine. There are a few tweaks here and there to get
>> bind/dhcp to play nicely with Samba ...
>
> Do you run bind in chroot?

Buried in the wiki I found:

https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates

  * Do NOT run bind chrooted with a samba AD DC and make sure everything
    has the correct privileges ..

Of course 'correct privileges' is open to interpretation....

Oh, also at:

https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD

  Known issues and ways to fix/workaround

  Chroot BIND

  If you use BIND as Backend for your Samba AD, it must not run chroot,
  because it must be able to live access files and databases from your
  Samba installation.

So it is well enough documented. I just did not get to that part of the
documentation until this morning.
"Ah, but what if you have Unix clients"

I do have Unix clients. They work just fine. The Samba AD/DC is the DHCP
server. The Windows and Linux clients get their IP addresses and everyone
can see all the hosts on the domain. For example:

From the domain controller (host name MAIL):

$ host mark           # mark is a Windows 7 workstation
MARK.hprs.local has address 192.168.0.55
$ host webserver      # webserver is a Linux server
webserver.hprs.local has address 192.168.0.3

From the Linux webserver:

$ host mail           # mail is the Linux Samba4 domain controller
mail.hprs.local has address 192.168.0.2
$ host dennis         # dennis is a Windows 7 workstation
DENNIS.hprs.local has address 192.168.0.57
$ host OHPRSstorage   # this is the Linux NAS RAID
OHPRSstorage.hprs.local has address 192.168.0.5

Is there something in my posted configs that leads you to believe there is
a problem with Linux hosts in this setup?

"and what about the reverse zone ?"

I do have the reverse zones configured. See the 'snip' section where I've
said "I've kept my local zone files defined in this named.conf" and also
the corresponding lines in the full /etc/named.conf; and see lines 23-27
in my posted /etc/samba/private/named.conf file.

--Mark

(btw - I know this is probably a function of your mail client, but is
there any way you can post your replies at the top instead of the bottom
of the message? Sometimes it's a long way to scroll down!)

-----Original Message-----
> Date: Wed, 26 Aug 2015 23:04:57 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] sernet documentation
>
> On 26/08/15 22:56, Mark Foley wrote:
> > I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
> > for many months now in a production environment and it works just fine. There
> > are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
> > [...]
"Do you run bind in chroot?"

Not that I know of. Its startup script is /etc/rc.d/rc.bind which runs
/usr/sbin/named. This script is normally run at boot time by
/etc/rc.d/rc.M which is the Slackware boot init script. I can also start
and stop it as root with /etc/rc.d/rc.bind [start|stop]. named runs as
the root user.

I forgot to mention ... I've also modified the startup order by moving
things to my /etc/rc.d/rc.local script. I start things in this order:

1. Samba AD/DC
2. Bind
3. DHCPD
4. ntpd
5. dovecot IMAP mail server

There was a reason this order was important, but I don't recall at the
moment.

--Mark

-----Original Message-----
> From rgm at htt-consult.com Wed Aug 26 23:11:20 2015
> Subject: Re: [Samba] sernet documentation
> To: Mark Foley <mfoley at novatec-inc.com>, samba at lists.samba.org
> From: Robert Moskowitz <rgm at htt-consult.com>
> Date: Wed, 26 Aug 2015 23:10:34 -0400
>
> On 08/26/2015 05:56 PM, Mark Foley wrote:
> > I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
> > for many months now in a production environment and it works just fine. There
> > are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
>
> Do you run bind in chroot?
Thanks for the info,

At the moment, I don't have more than 1 DC, but I am planning on doing the
bind master/slave thing soon using the Linux webserver host. With
failover, I don't see why that wouldn't work with multiple DCs (but of
course haven't tried yet). In any case, our AD/DC also hosts mail and
redirected folders so if it goes down we've got a big problem anyway --
probably not going to attempt to create a redundant email/redirectedFolders
host.

I did try the bind9_DLZ early on when experimenting with AD/DC
installation, but I couldn't get it to work. The only one that worked
painlessly was BIND9_FLATFILE and I've experienced zero problems since.

Yes, I've heard it is not a good idea to use .local, but I don't recall the
Samba wiki docs saying that at the time. The reason I did that was because
I migrated the office domain to Samba4 from SBS 2008 and the Windows domain
was called hprs.local (not initially set up by me). So, not being an
expert with either Samba4 or Small Business Server, I decided not to mess.
Plus, I had anticipated using OpenChange as the MTA (not!) and didn't know
whether I had to keep such things the same. Anyway, too late now.

As to modifying the zone files with Samba/bind running, I don't use any
tool to modify these. I just hand-edit. In fact, I didn't know there was
such a tool. Since reading your message I've tried `samba-tool dns
zonelist` and can't really make head-or-tails of it. Not convinced
samba-tool would work on non-Samba-builtin DNS. I'm not really a DNS guru
and I don't really know what it means to "freeze the zone first". Stopping
Samba and bind first is rather simple.

--Mark

-----Original Message-----
> From: "L.P.H. van Belle" <belle at bazuin.nl>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Date: Thu, 27 Aug 2015 08:37:42 +0200
> Subject: Re: [Samba] sernet documentation
>
> One thing nobody seems to mention.
>
> This setup samba 4 + bind9_flatfile setup works ok..
> BUT
> If you add a new DC, you will run in to problems..
>
> bind9_flatfile setup is NOT multi master replication setup.
> OK for 1 DC, but if you use more DC's, make sure you make your changes on the first dc.
> setup a bind master/slave.. and for a dhcp server with failover setup,
> which works also with samba4, but with restrictions.
> If you need something like this i need to dig in my archive of setups..
>
> I did more than a year ago, and my advice to Mark is, setup bind9_DLZ.
> Much more flexible, and most important the multimaster replication.
> which you really want..
>
> when you provision.. --realm=hprs.local... DON'T use .local.
> this is a reserved name for Apple's mDNS (zeroconf),
> yes it does work, but better not. ( same for .lan )
>
> >> Important note!!! I've found that samba and DNS must be NOT RUNNING when you add
> >> these static IP to the zone file. Otherwise, they seem to get clobbered/removed.
>
> then you did something wrong, or you did not use the correct programs to add it.
> like samba-tool or you did not freeze the zone first.
> when you run in bind9_flatfile, do not manually change the zonefiles used by samba.
>
>
> Greetz,
>
> Louis
>
>
> >-----Original Message-----
> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >Sent: Thursday 27 August 2015 00:05
> >To: samba at lists.samba.org
> >Subject: Re: [Samba] sernet documentation
> >
> >On 26/08/15 22:56, Mark Foley wrote:
> >> I've been using bind9 and DHCP on Samba 4.1.0 thru 4.1.17 and Slackware 64 14.1
> >> for many months now in a production environment and it works just fine. There
> >> are a few tweaks here and there to get bind/dhcp to play nicely with Samba ...
> >> [...]
>-----Original Message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark Foley
>Sent: Thursday 27 August 2015 17:14
>To: samba at lists.samba.org
>Subject: Re: [Samba] sernet documentation
>
>Thanks for the info,

just a suggestion.. by example.

>make head-or-tails of it. Not convinced samba-tool would work on
>non-Samba-builtin DNS. I'm not really a DNS guru and I don't really know what it
>means to "freeze the zone first". Stopping Samba and bind first is rather simple.
>
ok, normally if you update your dns zone, without stopping bind, you "freeze" the zone.
this makes sure your "journal" file and zone file keep in sync. ( if you use dynamic updates )

but other example, you stop samba. ( your authorisation layer is gone, nobody can login.. )
you edited "faulty" in your dns, errors can happen, we are human.. :-/
start samba,.. wont start.. stress.. .. etc.

so again bind9_dlz, 2 dcs.. multimaster replication.. update a running bind,
and always authentication available.

and sure you can do it also with bind9_flatfile, but NOT multimaster replication!
By example.. a master/slave setup
Your master dns goes down.. samba DBs get out of sync.. etc.
really this is not what you want..

and things like
update-policy {grant EXAMPLE.COM krb5-self EXAMPLE.COM A AAAA;};
DON'T work ! i tried it, about a year ago.. even with a recompiled version of bind and samba
where i added the grant in

and why not.. look in the file named : named.conf.update in the samba/private folder
There is an update-policy there, which you can not edit..

But, sure give it a try, and learn from it... I did...

Greetz,

Louis
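The "freeze the zone first" step Louis describes, as an added example that is not part of the thread and not Samba or BIND code: a Python script that adds a static A record (Mark's "vaio A 192.168.0.102") to a BIND flat-file zone the way Mark does by hand, but brackets the edit with rndc freeze/thaw so that named's dynamic-update journal does not overwrite the change. The sample zone text is constructed, the date used for the serial is fixed for the demo, and edit_live_zone assumes rndc and named-checkzone are on PATH; only the offline functions are exercised here.

```python
"""Add a static A record to a BIND flat-file zone that also receives dynamic
(DHCP / Samba) updates, without stopping samba or named.

Added example for this thread (not Samba or BIND code). While a zone is
frozen, named writes its journal (.jnl) into the zone file and rejects
dynamic updates, so an edit made in that window survives; an edit made on
a live zone is overwritten from the journal, which is the "clobbered"
behaviour described in the thread.
"""
import ipaddress
import re
import subprocess
from datetime import date
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample modelled on a samba-tool provisioned flat-file zone.
SAMPLE_ZONE = """\
$ORIGIN hprs.local.
$TTL 900
@    IN SOA mail.hprs.local. hostmaster.hprs.local. (
        2015082601 ; serial
        900        ; refresh
        600        ; retry
        86400      ; expire
        3600 )     ; minimum
     IN NS  mail.hprs.local.
mail IN A   192.168.0.2
"""

# Fixed "today" for the offline demo (constructed).
DEMO_DATE = date(2015, 8, 27)

# First integer after the SOA MNAME and RNAME, with or without an opening "(".
_SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)", re.IGNORECASE)


def next_serial(old: int, today: date) -> int:
    """YYYYMMDDnn style: first serial of 'today', or old+1 if that is not larger."""
    candidate = int(today.strftime("%Y%m%d")) * 100 + 1
    return candidate if candidate > old else old + 1


def bump_serial(zone_text: str, today: Optional[date] = None) -> Tuple[str, int]:
    """Return the zone text with its SOA serial advanced, plus the new serial."""
    match = _SOA_SERIAL.search(zone_text)
    if match is None:
        raise ValueError("no SOA serial found in zone")
    new = next_serial(int(match.group(2)), today or date.today())
    start, end = match.span(2)
    return zone_text[:start] + str(new) + zone_text[end:], new


def add_a_record(zone_text: str, name: str, ip: str,
                 today: Optional[date] = None) -> str:
    """Append 'name IN A ip' and bump the serial; refuses bad input and duplicates."""
    ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not IPv4
    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?", name):
        raise ValueError(f"invalid host label: {name!r}")
    pattern = rf"^{re.escape(name)}\s+(?:\d+\s+)?(?:IN\s+)?A\s"
    if re.search(pattern, zone_text, re.MULTILINE | re.IGNORECASE):
        raise ValueError(f"{name} already has an A record")
    updated, _ = bump_serial(zone_text, today)
    if not updated.endswith("\n"):
        updated += "\n"
    return updated + f"{name} IN A   {ip}\n"


def edit_live_zone(zone: str, zone_file: Path, name: str, ip: str,
                   rndc: str = "rndc") -> None:
    """Freeze, edit, syntax-check, thaw (hypothetical wrapper; needs rndc and
    named-checkzone on PATH and an unchrooted named, as the Samba wiki requires)."""
    subprocess.run([rndc, "freeze", zone], check=True)      # journal flushed here
    try:
        new_text = add_a_record(zone_file.read_text(), name, ip)
        tmp = zone_file.with_suffix(zone_file.suffix + ".new")
        tmp.write_text(new_text)
        subprocess.run(["named-checkzone", zone, str(tmp)], check=True)
        tmp.replace(zone_file)                               # atomic swap
    finally:
        subprocess.run([rndc, "thaw", zone], check=True)     # zone reloaded here


if __name__ == "__main__":
    print(add_a_record(SAMPLE_ZONE, "vaio", "192.168.0.102", DEMO_DATE))
```

On a live server the call would be edit_live_zone("hprs.local", Path("/etc/samba/private/dns/hprs.local.zone"), "vaio", "192.168.0.102"); with DLZ or the internal DNS the record should instead be added through samba-tool, as the thread notes.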