Jeff Sadowski
2016-May-27 13:37 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
I had left my config alone for now and dhcp still writes to
DOMAIN1.SUBDOMAIN.TLD. But samba has been complaining about not being able
to write to bind in its zone.

[2016/05/27 07:30:06.738434, 0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL

If you are right about it using kerberos I think I am missing a bit more
configuration to allow bind to use kerberos. I have a place for it to use
the key but nothing in it about kerberos and how to verify that.

On Mon, May 23, 2016 at 10:35 AM, mathias dufresne <infractory at gmail.com> wrote:
> Hi,
>
> Why modify a working conf when you can build your DC on other systems
> (VM)? That could be really nice to learn but you add a lot of complexity to
> your process, I think.
> Why not use DLZ to access your AD zones? I expect Bind to be able to mix
> its behaviour: flat file for some zones, DLZ for others...
>
> Now regarding:
> update-policy {
>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
> };
> For me this means:
> grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
> Grant any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) to
> modify A and AAAA it owns (ms-self) from any host (*).
>
> grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
> Grant administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD to do anything on
> any A AAAA SRV CNAME from any host
>
> same for the last one.
>
> I'm really a newcomer to the DNS world, these thoughts come from
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>
> These lines should make your Bind use Kerberos. At least I do hope the
> authentication is Kerberos (that's AD!). If it is kerberos authentication,
> I expect you can rely on it as almost the whole world relies on Kerberos
> these days : )
>
> A last thing regarding ISC's key method:
> https://bugzilla.samba.org/show_bug.cgi?id=11520
> I don't mean this bug has something to do with what you want to achieve,
> simply it could be a good thing to read if you understand anything of ISC's
> key method (that I don't), perhaps you could find some leads to follow or
> some information to avoid that configuration.
>
> Sorry not to help more. Have a nice day,
>
> mathias
>
> 2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>> So I had dhcp, radvd and bind working together nicely and now I threw in a
>> wrench of setting up an AD DC
>>
>> I want to change my dhcp server setting to put clients into the new AD
>> Domain but am a little hesitant as it is all working so nicely with DDNS
>>
>> I'm starting to think all I need to do is edit just my dhcpd.conf and
>> change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD,
>> a little touch up of db.self, and comment out and eventually remove DOMAIN1
>> entries as everything is working as I like.
>>
>> My concern is moving from
>> allow-update { key rndc-key; };
>> notify yes;
>> to
>> update-policy {
>>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>> };
>>
>> The latter being produced when I created the domain in the example configs
>> that I copied into mine.
>> I think what that is saying is let the domain controller by name have
>> access to the domain's entries.
>> I'm a little concerned about verification as I know the key method is safe
>> and I'm not so sure about the grant method.
>>
>> Is there a way to have samba use ISC's key method?
>> Anyone have any suggestions?
>>
>> My current setup is as below.
>>
>> My server name is the same as DOMAIN2; it has an ipv4 address of 192.168.1.1
>> and an ipv6 address of fc00:1::1111:1111:1111:1111
>> Its outside addresses are dhcp from my ISP; I do ip masquerade on both ipv4
>> and ipv6
>>
>> My dhcpd.conf looks as follows
>> #================START======================
>> ddns-updates on;
>> ddns-update-style interim;
>> ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
>> ddns-rev-domainname "in-addr.arpa.";
>> ignore client-updates;
>> option domain-search-order code 119 = string;
>> include "/etc/rndc.key";
>> zone DOMAIN1.SUBDOMAIN.TLD {
>>     primary 192.168.1.1;
>>     key rndc-key;
>> }
>> zone 1.168.192.in-addr.arpa. {
>>     primary 192.168.1.1;
>>     key rndc-key;
>> }
>> default-lease-time 100000;
>> max-lease-time 1000000;
>> subnet 192.168.1.0 netmask 255.255.255.0 {
>>     range 192.168.1.10 192.168.1.200;
>>     option routers 192.168.1.1;
>>     option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
>>     option domain-name-servers 192.168.1.1;
>>     option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
>>     next-server 192.168.1.1;
>>     filename "/pxelinux.0";
>>     allow unknown-clients;
>> }
>> #================END========================
>>
>> My radvd.conf looks like so
>> #================START======================
>> interface eth0
>> {
>>     AdvSendAdvert on;
>>     prefix fc00:1::/64
>>     {
>>         AdvOnLink on;
>>         AdvAutonomous on;
>>     };
>>     RDNSS fc00:1::1111:1111:1111:1111 {};
>> };
>> #================END========================
>>
>> My named.conf after adding my samba looks like so
>> #================START======================
>> options {
>>     listen-on port 53 { 127.0.0.1; 192.168.1.1; };
>>     listen-on-v6 port 53 { ::1; };
>>     directory "/var/named";
>>     dump-file "/var/named/data/cache_dump.db";
>>     statistics-file "/var/named/data/named_stats.txt";
>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>>     allow-query { localhost; 192.168.1.0/16; };
>>     recursion yes;
>>     dnssec-enable yes;
>>     dnssec-validation yes;
>>     dnssec-lookaside auto;
>>     bindkeys-file "/etc/named.iscdlv.key";
>>     managed-keys-directory "/var/named/dynamic";
>>     pid-file "/run/named/named.pid";
>>     session-keyfile "/run/named/session.key";
>> };
>> logging {
>>     channel default_debug {
>>         file "data/named.run";
>>         severity dynamic;
>>     };
>> };
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>> zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
>>     type master;
>>     file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
>>     allow-update { key rndc-key; };
>>     notify yes;
>> };
>> zone "DOMAIN1.SUBDOMAIN.TLD" IN {
>>     type master;
>>     file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
>>     allow-update { key rndc-key; };
>>     notify yes;
>> };
>> zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
>>     type master;
>>     file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
>>     update-policy {
>>         grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>         grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>         grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>     };
>>     check-names ignore;
>> };
>> zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
>> #================END========================
>>
>> content of db.self
>> #================START======================
>> $TTL 604800     ; 1 week
>> @   IN  SOA ns.DOMAIN1.SUBDOMAIN.TLD. MY.EMAIL. (
>>             2014092401  ; serial
>>             604800      ; refresh (1 week)
>>             86400       ; retry (1 day)
>>             2419200     ; expire (4 weeks)
>>             604800      ; minimum (1 week)
>>             )
>>     NS  ns.DOMAIN1.SUBDOMAIN.TLD.
>> @   IN  A   192.168.1.252
>> @   IN  MX  10 DOMAIN2.SUBDOMAIN.TLD.
>> @   IN  TXT "v=spf1 mx a -all"
>> #================END========================
>>
>> my smb.conf looks like
>> #================START======================
>> [global]
>>     netbios name = DOMAIN2
>>     realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>     workgroup = AD
>>     server role = active directory domain controller
>>     idmap_ldb:use rfc2307 = yes
>> [netlogon]
>>     path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
>>     read only = No
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>> #================END========================
>>
>> my krb5.conf looks like
>> #================START======================
>> [libdefaults]
>>     default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>> #================END========================
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
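Editor's worked example for the three grant rules quoted above (added here; it is not code from the thread, from Samba or from BIND). mathias reads the `*` in each rule as "from any host"; in BIND it is the rule's name field, so `wildcard *` lets the named principal (Administrator, or the DC machine account DOMAIN2$) rewrite any name in the zone for the listed record types, while `ms-self` lets a machine principal `host$@REALM` touch only `host.REALM`, and only A/AAAA. The script below models that evaluation: it parses the posted policy, then decides sample GSS-TSIG signed updates. Only the two rule types on the page are implemented, and the principals, host names and requests are constructed for the example. The names are compared case-insensitively, as BIND compares signer names. BIND can only apply these rules once it has verified the GSS-TSIG signature against the DC's keytab, which is what the `tkey-gssapi-keytab` option mentioned later in the thread provides.

```python
"""Model BIND9 ``update-policy`` rules for a Samba-generated zone.

Added example for this thread; it is not code from BIND, Samba or any poster.
It parses the three ``grant`` rules shown in the thread and answers, for a
GSS-TSIG signer (a Kerberos principal), whether a given name/RR type may be
updated. Only the rule types that appear on the page (``ms-self`` and
``wildcard``) are modelled; the principals and names below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ZONE = "ad.domain2.subdomain.tld"

# The update-policy block as posted (the archive's " at " is "@" in named.conf).
NAMED_CONF_POLICY = """
update-policy {
    grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
    grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
    grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
"""

RULE_RE = re.compile(r"^\s*(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s*([^;]*);", re.M)


@dataclass(frozen=True)
class Rule:
    action: str          # "grant" or "deny"
    identity: str        # a realm (ms-self) or a full principal (wildcard)
    ruletype: str        # "ms-self" or "wildcard"
    name: str            # rule name field; "*" means any name in the zone
    types: frozenset     # RR types the rule covers; empty means any type


def parse_policy(text: str) -> list[Rule]:
    """Extract grant/deny rules in order; BIND applies the first rule that matches."""
    rules = []
    for action, ident, rtype, name, types in RULE_RE.findall(text):
        rules.append(Rule(action, ident.lower(), rtype.lower(), name.lower().rstrip("."),
                          frozenset(t.upper() for t in types.split())))
    return rules


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".")


def _wildcard_match(pattern: str, name: str) -> bool:
    # DNS wildcard semantics: "*" matches every name, "*.suffix" matches any
    # name with at least one label in front of suffix, anything else is exact.
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])   # pattern[1:] is ".suffix"
    return name == pattern


def rule_matches(rule: Rule, principal: str, name: str, rrtype: str) -> bool:
    """Does this rule apply to the update? Signer names compare case-insensitively."""
    principal, name = principal.lower(), _fqdn(name)
    if rule.types and rrtype.upper() not in rule.types:
        return False
    user, _, realm = principal.rpartition("@")
    if rule.ruletype == "ms-self":
        # identity is a realm; machine$@REALM may only touch machine.REALM
        if realm != rule.identity or not user.endswith("$"):
            return False
        return name == f"{user[:-1]}.{realm}"
    if rule.ruletype == "wildcard":
        return principal == rule.identity and _wildcard_match(rule.name, name)
    raise ValueError(f"rule type {rule.ruletype!r} is not modelled here")


def is_allowed(rules: list[Rule], principal: str, name: str, rrtype: str,
               zone: str = ZONE) -> bool:
    """First matching rule decides; no match (or a name outside the zone) refuses."""
    name = _fqdn(name)
    if name != zone and not name.endswith("." + zone):
        return False
    for rule in rules:
        if rule_matches(rule, principal, name, rrtype):
            return rule.action == "grant"
    return False


RULES = parse_policy(NAMED_CONF_POLICY)

# Constructed requests: (signer principal, name being updated, RR type)
SAMPLE_REQUESTS = [
    ("WKSTN01$@AD.DOMAIN2.SUBDOMAIN.TLD", "wkstn01.ad.domain2.subdomain.tld", "A"),
    ("WKSTN01$@AD.DOMAIN2.SUBDOMAIN.TLD", "fileserver.ad.domain2.subdomain.tld", "A"),
    ("WKSTN01$@AD.DOMAIN2.SUBDOMAIN.TLD", "wkstn01.ad.domain2.subdomain.tld", "SRV"),
    ("jeff@AD.DOMAIN2.SUBDOMAIN.TLD", "jeff.ad.domain2.subdomain.tld", "A"),
    ("DOMAIN2$@AD.DOMAIN2.SUBDOMAIN.TLD", "_ldap._tcp.ad.domain2.subdomain.tld", "SRV"),
    ("Administrator@AD.DOMAIN2.SUBDOMAIN.TLD", "alias.ad.domain2.subdomain.tld", "CNAME"),
    ("Administrator@AD.DOMAIN2.SUBDOMAIN.TLD", "host.ad.domain2.subdomain.tld", "TXT"),
    ("Administrator@AD.DOMAIN2.SUBDOMAIN.TLD", "host.domain1.subdomain.tld", "A"),
]


def evaluate_samples() -> list[bool]:
    return [is_allowed(RULES, p, n, t) for p, n, t in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (p, n, t), ok in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{'GRANT' if ok else 'REFUSE':6} {p:40} {t:5} {n}")
```

Run as a script it prints one GRANT/REFUSE line per constructed request: the workstation account may set its own A record but not another host's, not an SRV record and not anything under DOMAIN1; a plain user principal without the trailing `$` matches no rule at all; the DC account and Administrator may write any A/AAAA/SRV/CNAME name in the zone but nothing else, which is the practical difference from a shared TSIG key such as `rndc-key` that authorises every holder equally.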
Rowland penny
2016-May-27 15:26 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
On 27/05/16 14:37, Jeff Sadowski wrote:
> I had left my config alone for now and dhcp still writes to
> DOMAIN1.SUBDOMAIN.TLD. But samba has been complaining about not being able
> to write to bind in its zone.
>
> [2016/05/27 07:30:06.738434, 0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>   ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_UNSUCCESSFUL
>
> If you are right about it using kerberos I think I am missing a bit more
> configuration to allow bind to use kerberos. I have a place for it to use
> the key but nothing in it about kerberos and how to verify that.
>
> [...]

You are going about this the wrong way, you do not setup dhcp and bind then add a Samba4 AD DC, you setup the AD DC with bind9 and then add the dhcp server.

Rowland
Jeff Sadowski
2016-May-27 16:11 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
helped me find that I needed to add

options {
[...]
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
[...]
};

That seems to have fixed my errors with DNS.

On Fri, May 27, 2016 at 9:26 AM, Rowland penny <rpenny at samba.org> wrote:
> On 27/05/16 14:37, Jeff Sadowski wrote:
>> [...]
>
> You are going about this the wrong way, you do not setup dhcp and bind
> then add a Samba4 AD DC, you setup the AD DC with bind9 and then add the
> dhcp server.

You're right, now I will try adding dhcp to that same rule set.

> Rowland