Hi all,

I would like to be able to rely on the tools Samba provides to manage my DNS entries but until now, I failed.

From what I have understood there is one and only one tool responsible to update DNS: samba_dnsupdate.

Is that previous affirmation true?

I had issues with DNS backend set to internal DNS server: samba_dnsupdate was almost never working.

So I switched to Bind-DLZ as advised here and on the wiki.

With Bind-DLZ sometimes it works, sometimes it doesn't.
Two test platforms: Debian Jessie and Centos 7. Both platforms are using Sernet packages to be sure to have working packages.

On Debian Jessie it was working easily, just following the wiki.
Replication was working and is still working.
Sites were created and DNS entries changed accordingly.
Today I got back on that Debian platform, moved again some DC to a new site and:
- entries on the new site are created
- entries on old sites are NOT removed
- samba_dnsupdate --verbose ends with "No DNS updates needed"

On Centos 7 it was never working correctly: samba_dnsupdate failed because of TSIG authentication failure (I'm not at work so I can't be more precise right now) and/or replication is failing.
On Centos 7 the only way to get something a little bit working was to get the Bind configuration from Debian to Centos, removing /var/named and /etc/named*.

Perhaps samba_dnsupdate is not responsible to remove DNS entries, in that case, what tool is responsible to clean up DNS?

I'm looking for more information about DNS authentication and updates.

Finally, is someone able to explain:
- how to manually create a DNS user and give him the right to modify DNS entries. This is important to be understood I think because some other users can be created to do the same, so being able to find them could be nice from a security point of view.
- how to recreate the keytab of such user without samba_upgradedns: this user can be deleted accidentally, being able to recreate it without samba_dnsupgrade seems less violent so less risky than switching dns-backend...
- how frequent are DNS updates? Is it every X minutes? After each Site modification + at every samba start?

As you see I'm completely lost into Samba DNS and help would be welcomed.

Cheers,

mathias
On 18/01/16 19:44, mathias dufresne wrote:
> From what I have understood there is one and only one tool responsible to
> update DNS: samba_dnsupdate.
>
> Is that previous affirmation true?
> [...]

It is actually 'nsupdate' (a bind tool) that updates your DNS records. I have been using a combination of Samba4 AD, bind9 and dhcp since 2012 and find it quite amusing seeing all the problems people have and that I have never had.

Start by having a look here:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

If, after reading that, you think this is what you need, I will refresh my notes and send you a copy, but note, I use Debian.

Rowland
In addition to what Rowland says.

> > Finally is someone able to explain:
> > - how to manually create DNS user and give him right to modify DNS entries.
> > This is important to be understood I think because some other users can
> > be created to do the same, so being able to find them could be nice from a
> > security point of view.

[L.P.H. van Belle]
For a Windows user: create a normal user and put him in the DNS Admin group, that simple.
For a Linux user: use samba-tool, can't tell more about this, I use the Windows tools for this.

> > - how to recreate the keytab of such user without samba_upgradedns: this
> > user can be deleted accidentally, being able to recreate it without
> > samba_dnsupgrade seems less violent so less risky than switching
> > dns-backend...

[L.P.H. van Belle]
First, no, that user can not delete the keytab file if you set it up correctly.
The dns.keytab should have 640 (root:bind) rights.
Why should a user be able to access this file anyway.

You can export them like this, a few examples:

( dns.keytab )
samba-tool domain exportkeytab --principal=dns-DC-NAME@REALM
samba-tool domain exportkeytab --principal=DNS/DC-NAME.internal.domain.tld@REALM

( secrets.keytab )
samba-tool domain exportkeytab --principal=HOST/DC-NAME.internal.domain.tld@REALM
samba-tool domain exportkeytab --principal=DC-NAME$@REALM

Use ktutil to get/read the file and see which principals there are. How: type
ktutil
rkt /path_to/keytab.file
list

> > - how frequent are DNS updates? Is it every X minutes ? After each Site
> > modification + at every samba start?

[L.P.H. van Belle] See your zone SOA, a simple dig shows it already:
dig SOA domain.tld
Check the numbers at the end. For me:
238     900      600    86400     3600
Serial  refresh  retry  expires   min_TTL

> > As you see I completely lost into Samba DNS and help would be welcomed.

> > On Centos 7 it was never working correctly: samba_dnsupdate failed
> > because of TSIG authentication failure

That was because of incorrect bind settings, and most probably because of incorrect rights on the dns.keytab file.

Greetz,

Louis
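As an added example (my own script, not from Louis's message or the Samba project), a small audit of the dns.keytab rights Louis describes plus a non-interactive form of his ktutil listing; it assumes GNU stat and MIT ktutil, and the default keytab path is a placeholder for your private directory:

```shell
#!/bin/sh
# Added example, not from the thread: audit a Samba dns.keytab against the
# setup Louis describes (mode 640, owner root, group bind, so only named can
# read the key), then list the principals it holds non-interactively.
# Assumptions: GNU stat (-c) and MIT ktutil (reads commands from stdin); the
# default keytab path below is a placeholder for your private directory.

# Returns 0 when FILE has exactly MODE, OWNER and GROUP; otherwise prints what
# differs and returns 1. Wrong rights on dns.keytab are the cause Louis points
# to for the TSIG authentication failures seen in the thread.
check_keytab_perms() {
    kt=$1; want_mode=$2; want_owner=$3; want_group=$4
    [ -f "$kt" ] || { echo "$kt: missing"; return 1; }
    set -- $(stat -c '%a %U %G' "$kt")
    rc=0
    [ "$1" = "$want_mode" ]  || { echo "$kt: mode $1, want $want_mode"; rc=1; }
    [ "$2" = "$want_owner" ] || { echo "$kt: owner $2, want $want_owner"; rc=1; }
    [ "$3" = "$want_group" ] || { echo "$kt: group $3, want $want_group"; rc=1; }
    return $rc
}

# Non-interactive form of the thread's "ktutil; rkt FILE; list".
list_keytab_principals() {
    printf 'rkt %s\nlist\n' "$1" | ktutil
}

# Combined check for a DC: fail fast on bad rights, then show the principals.
audit_dns_keytab() {
    kt=${1:-/var/lib/samba/private/dns.keytab}
    check_keytab_perms "$kt" 640 root bind || return 1
    list_keytab_principals "$kt"
}
```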
Hi all,

Thank you both for these leads and explanations. Mainly they helped me to verify my (samba's) configuration was not so bad and finally to spot that I did not disable SELinux correctly. All that is still using Centos 7 and Sernet packages (4.2.7).

The point was /etc/sysconfig/selinux is a link to /etc/selinux/config, which I did not notice before, and the deployment script I wrote replaced that link by some file, which was stupid. I'm used to it, that's not really a relief but...

Anyway, once SELinux was removed, once the installation process was restarted correctly, my DC + Bind-DLZ are working.

I still need to initialize replication which does not (always? answer would need more tests) work as is.

To initialize replication (with DC1 already up and DC2 newly added):

1° workaround about missing DNS entries:
- samba-tool dns add DC2 <zone> DC2 A 1.2.3.4
  to add local server IP into local AD (DNS) database
- samba_dnsupdate
  samba_dnsupdate won't (always?) work without previous command
- samba-tool dns add DC1 <zone> DC2 A 1.2.3.4
  to add local server IP into another (I aim FSMO owner) AD (DNS) database, this to workaround replication issue

2° Force replication with samba-tool
For each part of DIT we push it from DC1 to DC2:

for DIT in `ls /var/lib/samba/private/sam.ldb.d/ | grep -v metadata.tdb | sed -e s/.ldb$//`; do
    echo $DIT
    samba-tool drs replicate dc2 dc1 $DIT
done

This bunch of commands is launched first on FSMO owner (DC1) and then on newly added DC (here DC2) if showrepl still shows errors.

Errors met were:
WERR_BADFILE
WERR_DS_DRA_ACCESS_DENIED

What's good in that? That's a script which installs everything, no real work now for me (which is good news as I make mistakes every time) and I have to deploy a bunch of servers.

Hoping I could come back with precision or even to tell you what was my mistake.

Cheers,

mathias

2016-01-19 10:32 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> In addition what Rowland says.
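As an added example (my own script, not from mathias's message or the Samba project) wrapping the two-step procedure above into reusable shell functions; DC names, zone and IP are placeholders, CREDS is an assumed variable for samba-tool authentication options, and SAMBA_TOOL/DNSUPDATE can be pointed at "echo" for a dry run:

```shell
#!/bin/sh
# Added example, not from the thread: scripts the two-step bootstrap mathias
# describes for a freshly joined DC (DC2) against the FSMO owner (DC1):
# 1) register DC2's A record on DC2, run samba_dnsupdate, then add it on DC1;
# 2) force replication of every naming context from DC1 to DC2.
# Assumptions (placeholders, not from the thread): DC names, zone and IP are
# arguments; CREDS carries samba-tool authentication options such as
# "-U administrator"; SAMBA_TOOL/DNSUPDATE can be set to "echo" for a dry run.
SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}
DNSUPDATE=${DNSUPDATE:-samba_dnsupdate}
SAM_DIR=${SAM_DIR:-/var/lib/samba/private/sam.ldb.d}
CREDS=${CREDS:-}

# Naming contexts (partition DNs) from sam.ldb.d, one per line: the same list
# the thread's "ls | grep -v metadata.tdb | sed" produces, but from a glob, so
# metadata.tdb and any other non-.ldb file are skipped without parsing ls.
partitions_from_dir() {
    for f in "$1"/*.ldb; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.ldb}"
    done
}

# Step 1: add the A record locally first (samba_dnsupdate needs it), then on
# the FSMO owner so the record exists even while replication is still broken.
register_dc_record() {
    new_dc=$1; fsmo_dc=$2; zone=$3; ip=$4
    $SAMBA_TOOL dns add "$new_dc" "$zone" "$new_dc" A "$ip" $CREDS || return 1
    $DNSUPDATE --verbose || return 1
    $SAMBA_TOOL dns add "$fsmo_dc" "$zone" "$new_dc" A "$ip" $CREDS
}

# Step 2: "samba-tool drs replicate DEST SOURCE NC" for every partition. A
# failure (the thread hit WERR_BADFILE and WERR_DS_DRA_ACCESS_DENIED) is
# logged instead of aborting; the return value is the number of partitions
# that failed, so the caller can re-run from the other DC if showrepl still
# shows errors.
force_replication() {
    dest=$1; src=$2; dir=${3:-$SAM_DIR}; failed=0
    old_ifs=$IFS; IFS='
'
    set -- $(partitions_from_dir "$dir")   # split on newlines only
    IFS=$old_ifs
    for nc in "$@"; do
        echo "replicating $nc: $src -> $dest"
        $SAMBA_TOOL drs replicate "$dest" "$src" "$nc" $CREDS ||
            { echo "FAILED: $nc"; failed=$((failed + 1)); }
    done
    return "$failed"
}

# Usage: CREDS='-U administrator' sh bootstrap_dc.sh DC2 DC1 samdom.example.com 192.0.2.10
if [ $# -eq 4 ]; then
    register_dc_record "$1" "$2" "$3" "$4" && force_replication "$1" "$2"
fi
```

Run it on the FSMO owner first and, as in the thread, again on the new DC if showrepl still reports errors.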
Hi mathias,

You're welcome, always happy to help out and nice to hear you got it working.

I must ask.. Did you reboot the servers after you added the second server to the DNS? And especially in order: DC_with_FSMO, wait until it's up again, then DC2. This often fixes the replication problem and as far as I know, this only happened just after the install of an extra DC.

Greetz,

Louis