Jeff Sadowski
2016-May-18 16:13 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
So I had dhcp, radvd and bind working together nicely and now I threw in a wrench of setting up an AD DC I want to change my dhcp server setting to put client's into the new AD Domain but am a little hesitant as it is all working so nicely with DDNS I'm starting to think all I need to do is edit just my dhcpd.conf and change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD A little touch up of db.self and comment out and eventually remove DOMAIN1 entries as everything is working as I like. My concern is moving from allow-update { key rndc-key; }; notify yes; to update-policy { grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME; grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME; }; The latter being produced when I created the domain in the example configs that I copied into mine. I think what that is saying is let the domain controller by name have access to the domain's entries I'm a little concerned about verification as I know the key method is safe and I'm not so sure about the grant method. Is there a way to have samba use ISC's key method? Anyone have any suggestions? My current setup is as below. My server name is the same as DOMAIN2 it has a ipv4 address of 192.168.1.1 and a ipv6 address of fc00:1::1111:1111:1111:1111 It's outside addresses are dhcp from my ISP I do ip masquerade on both ipv4 and ipv6 My dhcpd.conf looks as follows #================START======================ddns-updates on; ddns-update-style interim; ddns-domainname "DOMAIN1.SUBDOMAIN.TLD."; ddns-rev-domainname "in-addr.arpa."; ignore client-updates; option domain-search-order code 119 = string; include "/etc/rndc.key"; zone DOMAIN1.SUBDOMAIN.TLD { primary 192.168.1.1; key rndc-key; } zone 1.168.192.in-addr.arpa. { primary 192.168.1.1; key rndc-key; } default-lease-time 100000; max-lease-time 1000000; subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.10 192.168.1.200; option routers 192.168.1.1; option domain-name "DOMAIN1.SUBDOMAIN.TLD."; option domain-name-servers 192.168.1.1; option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD."; next-server 192.168.1.1; filename "/pxelinux.0"; allow unknown-clients; } #================END======================== My radvd.conf looks like so #================START======================interface eth0 { AdvSendAdvert on; prefix fc00:1::/64 { AdvOnLink on; AdvAutonomous on; }; RDNSS fc00:1::1111:1111:1111:1111 {}; }; #================END======================== My named.conf after adding my samba looks like so #================START======================options { listen-on port 53 { 127.0.0.1; 192.168.1.1; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; 192.168.1.0/16; }; recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" { type master; file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD"; allow-update { key rndc-key; }; notify yes; }; zone "DOMAIN1.SUBDOMAIN.TLD" IN { type master; file "zones/db.DOMAIN1.SUBDOMAIN.TLD"; allow-update { key rndc-key; }; notify yes; }; zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN { type master; file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD"; update-policy { grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME; grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME; }; check-names ignore; }; zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; }; #================END======================== content of db.self #================START======================$TTL 604800 ; 1 week @ IN SOA ns.DOMAIN1.SUBDOMAIN.TLD MY.EMAIL. ( 2014092401 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) NS ns.DOMAIN1.SUBDOMAIN.TLD. @ IN A 192.168.1.252 @ IN MX 10 DOMAIN2.SUBDOMAIN.TLD. @ IN TXT "v=spf1 mx a -all" #================END======================== my smb.conf looks like #================START======================[global] netbios name = DOMAIN2 realm = AD.DOMAIN2.SUBDOMAIN.TLD server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = AD server role = active directory domain controller idmap_ldb:use rfc2307 = yes [netlogon] path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No #================END======================== my krb5.conf looks like #================START======================[libdefaults] default_realm = AD.DOMAIN2.SUBDOMAIN.TLD dns_lookup_realm = false dns_lookup_kdc = true #================END=========================
mathias dufresne
2016-May-23 16:35 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
Hi, Why modifying a working conf when you can build your DC on others systems (VM)? That could be really nice to learn but you add a lot of complexity in your process, I think. Why not using DLZ to access your AD zones? I expect Bind to be able to mix its behaviour: flat file for some zone, DLZ for others... Now regarding: update-policy { grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME; grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME; }; For me this means: grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; Grant any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) to modify A and AAAA it owns (ms-self) from any host (*). grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME; Grant administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD to do anything on any A AAAA SRV CNAME from any host same for last one. I'm really a new comer to DNS world, these thoughts come from http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm These lines should make your Bind to use Kerberos. At least I do hope the authentication is Kerberos (that's AD!). If it is kerberos authentication, I expect you can rely on it as almost the whole world rely on Kerberos these days : ) A last thing regarding ISC's key method: https://bugzilla.samba.org/show_bug.cgi?id=11520 I don't meant this bug as something to do with what you want to achieve, simply it could be a good thing to read if you understand anything to ISC's key method (that I don't), perhaps you could find some leads to follow or some information to avoid that configuration. Sorry not to help more. Have a nice day, mathias 2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:> So I had dhcp, radvd and bind working together nicely and now I threw in a > wrench of setting up an AD DC > > I want to change my dhcp server setting to put client's into the new AD > Domain but am a little hesitant as it is all working so nicely with DDNS > > I'm starting to think all I need to do is edit just my dhcpd.conf and > change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD > A little touch up of db.self and comment out and eventually remove DOMAIN1 > entries as everything is working as I like. > > My concern is moving from > allow-update { key rndc-key; }; > notify yes; > to > update-policy { > grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; > grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A > AAAA SRV CNAME; > grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA > SRV CNAME; > }; > > The latter being produced when I created the domain in the example configs > that I copied into mine. > I think what that is saying is let the domain controller by name have > access to the domain's entries > I'm a little concerned about verification as I know the key method is safe > and I'm not so sure about the grant method. > > Is there a way to have samba use ISC's key method? > Anyone have any suggestions? > > My current setup is as below. > > My server name is the same as DOMAIN2 it has a ipv4 address of 192.168.1.1 > and a ipv6 address of fc00:1::1111:1111:1111:1111 > It's outside addresses are dhcp from my ISP I do ip masquerade on both ipv4 > and ipv6 > > > My dhcpd.conf looks as follows > #================START======================> ddns-updates on; > ddns-update-style interim; > ddns-domainname "DOMAIN1.SUBDOMAIN.TLD."; > ddns-rev-domainname "in-addr.arpa."; > ignore client-updates; > option domain-search-order code 119 = string; > include "/etc/rndc.key"; > zone DOMAIN1.SUBDOMAIN.TLD { > primary 192.168.1.1; > key rndc-key; > } > zone 1.168.192.in-addr.arpa. { > primary 192.168.1.1; > key rndc-key; > } > default-lease-time 100000; > max-lease-time 1000000; > subnet 192.168.1.0 netmask 255.255.255.0 { > range 192.168.1.10 192.168.1.200; > option routers 192.168.1.1; > option domain-name "DOMAIN1.SUBDOMAIN.TLD."; > option domain-name-servers 192.168.1.1; > option domain-search-order > "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD."; > next-server 192.168.1.1; > filename "/pxelinux.0"; > allow unknown-clients; > } > #================END========================> > My radvd.conf looks like so > #================START======================> interface eth0 > { > AdvSendAdvert on; > prefix fc00:1::/64 > { > AdvOnLink on; > AdvAutonomous on; > }; > RDNSS fc00:1::1111:1111:1111:1111 {}; > }; > #================END========================> > My named.conf after adding my samba looks like so > #================START======================> options { > listen-on port 53 { 127.0.0.1; 192.168.1.1; }; > listen-on-v6 port 53 { ::1; }; > directory "/var/named"; > dump-file "/var/named/data/cache_dump.db"; > statistics-file "/var/named/data/named_stats.txt"; > memstatistics-file "/var/named/data/named_mem_stats.txt"; > allow-query { localhost; 192.168.1.0/16; }; > recursion yes; > dnssec-enable yes; > dnssec-validation yes; > dnssec-lookaside auto; > bindkeys-file "/etc/named.iscdlv.key"; > managed-keys-directory "/var/named/dynamic"; > pid-file "/run/named/named.pid"; > session-keyfile "/run/named/session.key"; > }; > logging { > channel default_debug { > file "data/named.run"; > severity dynamic; > }; > }; > zone "." IN { > type hint; > file "named.ca"; > }; > zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" { > type master; > file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD"; > allow-update { key rndc-key; }; > notify yes; > }; > zone "DOMAIN1.SUBDOMAIN.TLD" IN { > type master; > file "zones/db.DOMAIN1.SUBDOMAIN.TLD"; > allow-update { key rndc-key; }; > notify yes; > }; > zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN { > type master; > file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD"; > update-policy { > grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; > grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A > AAAA SRV CNAME; > grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA > SRV CNAME; > }; > check-names ignore; > }; > zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; }; > #================END========================> > content of db.self > #================START======================> $TTL 604800 ; 1 week > @ IN SOA ns.DOMAIN1.SUBDOMAIN.TLD MY.EMAIL. ( > 2014092401 ; serial > 604800 ; refresh (1 week) > 86400 ; retry (1 day) > 2419200 ; expire (4 weeks) > 604800 ; minimum (1 week) > ) > NS ns.DOMAIN1.SUBDOMAIN.TLD. > @ IN A 192.168.1.252 > @ IN MX 10 DOMAIN2.SUBDOMAIN.TLD. > @ IN TXT "v=spf1 mx a -all" > #================END========================> > my smb.conf looks like > #================START======================> [global] > netbios name = DOMAIN2 > realm = AD.DOMAIN2.SUBDOMAIN.TLD > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbindd, ntp_signd, kcc, dnsupdate > workgroup = AD > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > [netlogon] > path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts > read only = No > [sysvol] > path = /var/lib/samba/sysvol > read only = No > #================END========================> > > my krb5.conf looks like > #================START======================> [libdefaults] > default_realm = AD.DOMAIN2.SUBDOMAIN.TLD > dns_lookup_realm = false > dns_lookup_kdc = true > #================END========================> -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Jeff Sadowski
2016-May-27 13:37 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
I had left my config alone for now and dhcp still writes to DOMAIN1.SUBDOMAIN.TLD. But samba has been complaining about not being able to write to bind in its zone. [2016/05/27 07:30:06.738434, 0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done) ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL If you are right about it using kerberos I think I am missing a bit more configuration to allow bind to use kerberos. I have a place for it to use the key but nothing in it about kerberos and how to verify that. On Mon, May 23, 2016 at 10:35 AM, mathias dufresne <infractory at gmail.com> wrote:> Hi, > > Why modifying a working conf when you can build your DC on others systems > (VM)? That could be really nice to learn but you add a lot of complexity in > your process, I think. > Why not using DLZ to access your AD zones? I expect Bind to be able to mix > its behaviour: flat file for some zone, DLZ for others... > > Now regarding: > update-policy { > grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; > grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A > AAAA SRV CNAME; > grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA > SRV CNAME; > }; > For me this means: > grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; > Grant any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) to > modify A and AAAA it owns (ms-self) from any host (*). > > grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME; > Grant administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD to do anything on > any A AAAA SRV CNAME from any host > > same for last one. > > I'm really a new comer to DNS world, these thoughts come from > http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm > > These lines should make your Bind to use Kerberos. At least I do hope the > authentication is Kerberos (that's AD!). If it is kerberos authentication, > I expect you can rely on it as almost the whole world rely on Kerberos > these days : ) > > A last thing regarding ISC's key method: > https://bugzilla.samba.org/show_bug.cgi?id=11520 > I don't meant this bug as something to do with what you want to achieve, > simply it could be a good thing to read if you understand anything to ISC's > key method (that I don't), perhaps you could find some leads to follow or > some information to avoid that configuration. > > Sorry not to help more. Have a nice day, > > mathias > > > > 2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>: > >> So I had dhcp, radvd and bind working together nicely and now I threw in a >> wrench of setting up an AD DC >> >> I want to change my dhcp server setting to put client's into the new AD >> Domain but am a little hesitant as it is all working so nicely with DDNS >> >> I'm starting to think all I need to do is edit just my dhcpd.conf and >> change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD >> A little touch up of db.self and comment out and eventually remove DOMAIN1 >> entries as everything is working as I like. >> >> My concern is moving from >> allow-update { key rndc-key; }; >> notify yes; >> to >> update-policy { >> grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; >> grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A >> AAAA SRV CNAME; >> grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA >> SRV CNAME; >> }; >> >> The latter being produced when I created the domain in the example configs >> that I copied into mine. >> I think what that is saying is let the domain controller by name have >> access to the domain's entries >> I'm a little concerned about verification as I know the key method is safe >> and I'm not so sure about the grant method. >> >> Is there a way to have samba use ISC's key method? >> Anyone have any suggestions? >> >> My current setup is as below. >> >> My server name is the same as DOMAIN2 it has a ipv4 address of 192.168.1.1 >> and a ipv6 address of fc00:1::1111:1111:1111:1111 >> It's outside addresses are dhcp from my ISP I do ip masquerade on both >> ipv4 >> and ipv6 >> >> >> My dhcpd.conf looks as follows >> #================START======================>> ddns-updates on; >> ddns-update-style interim; >> ddns-domainname "DOMAIN1.SUBDOMAIN.TLD."; >> ddns-rev-domainname "in-addr.arpa."; >> ignore client-updates; >> option domain-search-order code 119 = string; >> include "/etc/rndc.key"; >> zone DOMAIN1.SUBDOMAIN.TLD { >> primary 192.168.1.1; >> key rndc-key; >> } >> zone 1.168.192.in-addr.arpa. { >> primary 192.168.1.1; >> key rndc-key; >> } >> default-lease-time 100000; >> max-lease-time 1000000; >> subnet 192.168.1.0 netmask 255.255.255.0 { >> range 192.168.1.10 192.168.1.200; >> option routers 192.168.1.1; >> option domain-name "DOMAIN1.SUBDOMAIN.TLD."; >> option domain-name-servers 192.168.1.1; >> option domain-search-order >> "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD."; >> next-server 192.168.1.1; >> filename "/pxelinux.0"; >> allow unknown-clients; >> } >> #================END========================>> >> My radvd.conf looks like so >> #================START======================>> interface eth0 >> { >> AdvSendAdvert on; >> prefix fc00:1::/64 >> { >> AdvOnLink on; >> AdvAutonomous on; >> }; >> RDNSS fc00:1::1111:1111:1111:1111 {}; >> }; >> #================END========================>> >> My named.conf after adding my samba looks like so >> #================START======================>> options { >> listen-on port 53 { 127.0.0.1; 192.168.1.1; }; >> listen-on-v6 port 53 { ::1; }; >> directory "/var/named"; >> dump-file "/var/named/data/cache_dump.db"; >> statistics-file "/var/named/data/named_stats.txt"; >> memstatistics-file "/var/named/data/named_mem_stats.txt"; >> allow-query { localhost; 192.168.1.0/16; }; >> recursion yes; >> dnssec-enable yes; >> dnssec-validation yes; >> dnssec-lookaside auto; >> bindkeys-file "/etc/named.iscdlv.key"; >> managed-keys-directory "/var/named/dynamic"; >> pid-file "/run/named/named.pid"; >> session-keyfile "/run/named/session.key"; >> }; >> logging { >> channel default_debug { >> file "data/named.run"; >> severity dynamic; >> }; >> }; >> zone "." IN { >> type hint; >> file "named.ca"; >> }; >> zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" { >> type master; >> file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD"; >> allow-update { key rndc-key; }; >> notify yes; >> }; >> zone "DOMAIN1.SUBDOMAIN.TLD" IN { >> type master; >> file "zones/db.DOMAIN1.SUBDOMAIN.TLD"; >> allow-update { key rndc-key; }; >> notify yes; >> }; >> zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN { >> type master; >> file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD"; >> update-policy { >> grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA; >> grant Administrator at AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A >> AAAA SRV CNAME; >> grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA >> SRV CNAME; >> }; >> check-names ignore; >> }; >> zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; }; >> #================END========================>> >> content of db.self >> #================START======================>> $TTL 604800 ; 1 week >> @ IN SOA ns.DOMAIN1.SUBDOMAIN.TLD MY.EMAIL. ( >> 2014092401 ; serial >> 604800 ; refresh (1 week) >> 86400 ; retry (1 day) >> 2419200 ; expire (4 weeks) >> 604800 ; minimum (1 week) >> ) >> NS ns.DOMAIN1.SUBDOMAIN.TLD. >> @ IN A 192.168.1.252 >> @ IN MX 10 DOMAIN2.SUBDOMAIN.TLD. >> @ IN TXT "v=spf1 mx a -all" >> #================END========================>> >> my smb.conf looks like >> #================START======================>> [global] >> netbios name = DOMAIN2 >> realm = AD.DOMAIN2.SUBDOMAIN.TLD >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, >> winbindd, ntp_signd, kcc, dnsupdate >> workgroup = AD >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> [netlogon] >> path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts >> read only = No >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> #================END========================>> >> >> my krb5.conf looks like >> #================START======================>> [libdefaults] >> default_realm = AD.DOMAIN2.SUBDOMAIN.TLD >> dns_lookup_realm = false >> dns_lookup_kdc = true >> #================END========================>> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > >
Reasonably Related Threads
- ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
- ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
- ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
- ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
- ISC's dhcp server, radvd and bind9 now adding samba as an AD DC