samba - Aug 2015 - More on bind_dlz - documentation I have not found

On 08/28/2015 08:55 AM, Rowland Penny wrote:
> On 28/08/15 13:15, Robert Moskowitz wrote:
>> In the shower this morning, I realized that samba's dlz is through 
>> its ldap interface, probably through dhcp.  :)
>>
>> All of that work researching how to set up a dlz database for 
>> naught.  This is NOT documented in either:
>>
>> https://wiki.samba.org/index.php/DNS
>> or
>> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>
> I will discuss this with Marc and if he agrees, I will update the wiki 
> somewhere, I don't want to start altering the wiki because Marc is 
> already massively altering it.
I caught that Marc is updating the wiki.  Good time to catch this item.
>
>>
>> I have not yet checked any ldap documentation on the wiki to see what 
>> it says, but I suspect a dhcp lease results in an ldap update. Would 
>> a lease expire remove that ldap info?
>>
>> So no sql service needed on the DC.
>>
>> Question though, on statically addressed file servers:  How to get 
>> them into the dlz zone.
>>
>> My tld is:                        htt
>> My samba dns zone is:  home.htt
>>
>> I will have a master zone for htt, easy enough to setup as a flat 
>> zone file.  Did it before.
>>
>> The home.htt zone only seems to exist in ldap and bind_dlz provides 
>> lookup answers by querying ldap.  How is the AD DC handled, 
>> homebase.home.htt?  I do not see it in the 
>> /usr/share/samba/setup/named* files.  Is it already in the ldap 
>> repository?
>
> When you provision the domain zones are created for you in AD, have a 
> look in /var/lib/private/sam.ldb.d
Do you mean /var/lib/samba/private/sam.ldb.d?  That is where I am 
finding files of interest.  I do not have the directory you provided.

And what is the difference between:

/usr/share/samba/setup
and
/var/lib/private

I see named.conf in both.  And the setup has other named.* files.

But the zone htt. is NOT in there, nor would I expect it to be. normally 
MOST people use samba.mydomain.com and mydomain.com is found via the 
forwarding.  Of course there is no proper delegation of 
samba.mydomain.com so other systems cannot resolve that subdomain.  Here 
I am building my own TLD, and want proper access elsewhere in my 
internal network, thus the htt.zone file needed.

BTW, I do not see you using views in your named include files.  From 
what I got beaten up long ago on the DNS list (Mark Andrews and I go 
back a long way in the IETF, so it is 'all in fun') that you MUST use
views.
>>
>> How do I add my file server, nevia.home.htt?  I could always add it 
>> to the htt.zone file as:
>
> Samba has a swiss army type tool (i.e. it does a lot) 'samba-tool'
> If you run 'samba-tool --help' you will see the base of what it can
do.
> if you run 'samba-tool dns --help' this will show what you can do
with
> dns records, I hope you get the idea.
Will do.
>
>>
>> nevia.home    IN    A    ......
>>
>> Can I put cname entries into ldap:
>>
>> repo.home.htt    IN    CNAME    nevia.home.htt.
>>
>> Again, I COULD just put this into the htt.zone file.
>>
>> Then there are MX records for home.htt  :)
>>
>>
>
> You do not use bind flatfiles with dlz, have a look at the scripts I 
> pointed you at for a sample bind file.
Not for the samba zone, but yes for other zones.

thanks

On 28/08/15 14:13, Robert Moskowitz wrote:
>
>
>>
>>> I have not yet checked any ldap documentation on the wiki to see 
>>> what it says, but I suspect a dhcp lease results in an ldap update.
>>> Would a lease expire remove that ldap info?
It should do, if dhcp is set up correctly.
>>>
>
> Do you mean /var/lib/samba/private/sam.ldb.d?  That is where I am 
> finding files of interest.  I do not have the directory you provided.
Yes
>
> And what is the difference between:
>
> /usr/share/samba/setup
This stores samba docs used to install samba (or something like this)
> and
> /var/lib/private
This is where your databases etc are placed
>
> I see named.conf in both.  And the setup has other named.* files.
>
> But the zone htt. is NOT in there, nor would I expect it to be. 
> normally MOST people use samba.mydomain.com and mydomain.com is found 
> via the forwarding.  Of course there is no proper delegation of 
> samba.mydomain.com so other systems cannot resolve that subdomain.  
> Here I am building my own TLD, and want proper access elsewhere in my 
> internal network, thus the htt.zone file needed.
>
> BTW, I do not see you using views in your named include files. From 
> what I got beaten up long ago on the DNS list (Mark Andrews and I go 
> back a long way in the IETF, so it is 'all in fun') that you MUST
use
> views.
>
I personally don't use views and I don't think you really need them in a
samba domain

OK, to see the AD object for your forward zone, install ldb-tools, you 
do this with 'apt-get install ldb-tools' on debian
Then run this command: ldbsearch -H /var/lib/samba/private/sam.ldb 
--cross-ncs "(DC=home.htt)"
>
> Not for the samba zone, but yes for other zones.
You should really just use the samba DNS server (either the builtin one 
or bind) for the the samba zones, but I suppose you could add other 
zones, just create them with samba-tool.

Rowland

On 08/28/2015 09:37 AM, Rowland Penny wrote:
> On 28/08/15 14:13, Robert Moskowitz wrote:
>>
>>
>>>
>>>> I have not yet checked any ldap documentation on the wiki to
see
>>>> what it says, but I suspect a dhcp lease results in an ldap
update.
>>>> Would a lease expire remove that ldap info?
>
> It should do, if dhcp is set up correctly.
We will be getting to this shortly!
>
>>>>
>>
>> Do you mean /var/lib/samba/private/sam.ldb.d?  That is where I am 
>> finding files of interest.  I do not have the directory you provided.
>
> Yes
>
>>
>> And what is the difference between:
>>
>> /usr/share/samba/setup
>
> This stores samba docs used to install samba (or something like this)
So I need to do the includes into /etc/named.conf from there.
>
>> and
>> /var/lib/private
>
> This is where your databases etc are placed
>
>>
>> I see named.conf in both.  And the setup has other named.* files.
>>
>> But the zone htt. is NOT in there, nor would I expect it to be. 
>> normally MOST people use samba.mydomain.com and mydomain.com is found 
>> via the forwarding.  Of course there is no proper delegation of 
>> samba.mydomain.com so other systems cannot resolve that subdomain.  
>> Here I am building my own TLD, and want proper access elsewhere in my 
>> internal network, thus the htt.zone file needed.
>>
>> BTW, I do not see you using views in your named include files. From 
>> what I got beaten up long ago on the DNS list (Mark Andrews and I go 
>> back a long way in the IETF, so it is 'all in fun') that you
MUST use
>> views.
>>
>
> I personally don't use views and I don't think you really need them
in
> a samba domain
Mark is a bit of a purist; it IS much his code.  And he pretty much 
thinks in C.
>
> OK, to see the AD object for your forward zone, install ldb-tools, you 
> do this with 'apt-get install ldb-tools' on debian
> Then run this command: ldbsearch -H /var/lib/samba/private/sam.ldb 
> --cross-ncs "(DC=home.htt)"
yum install ldb-tools
Loaded plugins: fastestmirror
Shivaserv-sernet                                         | 2.9 kB     00:00
c7buildroot                                              | 2.9 kB     00:00
c7pass1                                                  | 2.9 kB     00:00
comps                                                    | 3.6 kB     00:00
epel                                                     | 4.3 kB     00:00
(1/2): epel/updateinfo                                     | 344 kB   00:01
(2/2): epel/primary_db                                     | 3.5 MB   00:04
Loading mirror speeds from cached hostfile
Package ldb-tools-1.1.17-2.el7.armv7hl is obsoleted by 
99:sernet-samba-ad-4.2.3-18.el.armv7hl which is already installed

So it is already there thanks to sernet.

# ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs
"(DC=home.htt)"
# record 1
dn: DC=home.htt,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=htt
objectClass: top
objectClass: dnsZone
instanceType: 4
whenCreated: 20150827220723.0Z
whenChanged: 20150827220723.0Z
uSNCreated: 3656
uSNChanged: 3656
showInAdvancedViewOnly: TRUE
name: home.htt
objectGUID: 34b4ec5b-bfd2-42e0-96df-c5b12a512725
objectCategory: CN=Dns-Zone,CN=Schema,CN=Configuration,DC=home,DC=htt
dNSProperty:: BAAAAAAAAAAAAAAAAQAAAAEAAAABAAAAAAAAAA=dNSProperty::
AQAAAAAAAAAAAAAAAQAAAAIAAAACAAAAAA=dNSProperty::
CAAAAAAAAAAAAAAAAQAAAAgAAAAAAAAAAAAAAAAAAAAdNSProperty::
BAAAAAAAAAAAAAAAAQAAABAAAACoAAAAAAAAAA=dNSProperty::
BAAAAAAAAAAAAAAAAQAAACAAAACoAAAAAAAAAA=dNSProperty::
BAAAAAAAAAAAAAAAAQAAAEAAAAAAAAAAAAAAAA=dNSProperty::
BAAAAAAAAAAAAAAAAQAAABIAAAAAAAAAAAAAAA=dc: home.htt
distinguishedName: 
DC=home.htt,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=htt

# returned 1 records
# 1 entries
# 0 referrals

>
>>
>> Not for the samba zone, but yes for other zones.
>
> You should really just use the samba DNS server (either the builtin 
> one or bind) for the the samba zones, but I suppose you could add 
> other zones, just create them with samba-tool.
So I tried:

# samba-tool dns zonelist localhost
Failed to connect host 127.0.0.1 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.0.1 (127.0.0.1) on port 135 - 
NT_STATUS_CONNECTION_REFUSED.
ERROR(runtime): uncaught exception - (-1073741258, 'The connection was 
refused')
   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line 
809, in run
     dns_conn = dns_connect(server, self.lp, self.creds)
   File "/usr/lib/python2.7/site-packages/samba/netcmd/dns.py", line
40,
in dns_connect
     dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

I THINK I have the services running...