Jeff Sadowski
2016-May-27 16:11 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
helped me find that I needed to add
options {
[...]
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
[...]
};
That seems to have fixed my errors with DNS
On Fri, May 27, 2016 at 9:26 AM, Rowland penny <rpenny at samba.org> wrote:
> On 27/05/16 14:37, Jeff Sadowski wrote:
>
>> I had left my config alone for now and dhcp still writes to
>> DOMAIN1.SUBDOMAIN.TLD. But samba has been complaining about not being
>> able to write to bind in its zone.
>>
>> [2016/05/27 07:30:06.738434, 0]
>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update -
>> NT_STATUS_UNSUCCESSFUL
>>
>> If you are right about it using kerberos I think I am missing a bit
>> more configuration to allow bind to use kerberos. I have a place for it
>> to use the key but nothing in it about kerberos and how to verify that.
>>
>> On Mon, May 23, 2016 at 10:35 AM, mathias dufresne <infractory at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Why modify a working conf when you can build your DC on other
>>> systems (VM)? That could be really nice to learn but you add a lot of
>>> complexity to your process, I think.
>>> Why not use DLZ to access your AD zones? I expect Bind to be able to
>>> mix its behaviour: flat file for some zones, DLZ for others...
>>>
>>> Now regarding:
>>> update-policy {
>>>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>> };
>>> For me this means:
>>> grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>> Grant any authenticated user (from domain AD.DOMAIN2.SUBDOMAIN.TLD) to
>>> modify A and AAAA it owns (ms-self) from any host (*).
>>>
>>> grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>> Grant administrator from domain AD.DOMAIN2.SUBDOMAIN.TLD to do anything
>>> on any A AAAA SRV CNAME from any host
>>>
>>> same for the last one.
>>>
>>> I'm really a newcomer to the DNS world, these thoughts come from
>>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>>>
>>> These lines should make your Bind use Kerberos. At least I do hope the
>>> authentication is Kerberos (that's AD!). If it is kerberos
>>> authentication, I expect you can rely on it as almost the whole world
>>> relies on Kerberos these days : )
>>>
>>> A last thing regarding ISC's key method:
>>> https://bugzilla.samba.org/show_bug.cgi?id=11520
>>> I don't mean this bug has something to do with what you want to
>>> achieve, simply it could be a good thing to read if you understand
>>> anything about ISC's key method (that I don't), perhaps you could find
>>> some leads to follow or some information to avoid that configuration.
>>>
>>> Sorry not to help more. Have a nice day,
>>>
>>> mathias
>>>
>>> 2016-05-18 18:13 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>>>
>>>> So I had dhcp, radvd and bind working together nicely and now I threw
>>>> in a wrench of setting up an AD DC
>>>>
>>>> I want to change my dhcp server setting to put clients into the new AD
>>>> Domain but am a little hesitant as it is all working so nicely with DDNS
>>>>
>>>> I'm starting to think all I need to do is edit just my dhcpd.conf and
>>>> change occurrences of DOMAIN1.SUBDOMAIN.TLD to AD.DOMAIN2.SUBDOMAIN.TLD
>>>> A little touch up of db.self and comment out and eventually remove
>>>> DOMAIN1 entries as everything is working as I like.
>>>>
>>>> My concern is moving from
>>>> allow-update { key rndc-key; };
>>>> notify yes;
>>>> to
>>>> update-policy {
>>>>     grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>>>     grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>>     grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>> };
>>>>
>>>> The latter being produced when I created the domain in the example
>>>> configs that I copied into mine.
>>>> I think what that is saying is let the domain controller by name have
>>>> access to the domain's entries
>>>> I'm a little concerned about verification as I know the key method is
>>>> safe and I'm not so sure about the grant method.
>>>>
>>>> Is there a way to have samba use ISC's key method?
>>>> Anyone have any suggestions?
>>>>
>>>> My current setup is as below.
>>>>
>>>> My server name is the same as DOMAIN2, it has an ipv4 address of
>>>> 192.168.1.1 and an ipv6 address of fc00:1::1111:1111:1111:1111
>>>> Its outside addresses are dhcp from my ISP. I do ip masquerade on both
>>>> ipv4 and ipv6
>>>>
>>>> My dhcpd.conf looks as follows
>>>> #================START======================
>>>> ddns-updates on;
>>>> ddns-update-style interim;
>>>> ddns-domainname "DOMAIN1.SUBDOMAIN.TLD.";
>>>> ddns-rev-domainname "in-addr.arpa.";
>>>> ignore client-updates;
>>>> option domain-search-order code 119 = string;
>>>> include "/etc/rndc.key";
>>>> zone DOMAIN1.SUBDOMAIN.TLD {
>>>>     primary 192.168.1.1;
>>>>     key rndc-key;
>>>> }
>>>> zone 1.168.192.in-addr.arpa. {
>>>>     primary 192.168.1.1;
>>>>     key rndc-key;
>>>> }
>>>> default-lease-time 100000;
>>>> max-lease-time 1000000;
>>>> subnet 192.168.1.0 netmask 255.255.255.0 {
>>>>     range 192.168.1.10 192.168.1.200;
>>>>     option routers 192.168.1.1;
>>>>     option domain-name "DOMAIN1.SUBDOMAIN.TLD.";
>>>>     option domain-name-servers 192.168.1.1;
>>>>     option domain-search-order "DOMAIN1.SUBDOMAIN.TLD.,ipv6.DOMAIN1.SUBDOMAIN.TLD.";
>>>>     next-server 192.168.1.1;
>>>>     filename "/pxelinux.0";
>>>>     allow unknown-clients;
>>>> }
>>>> #================END========================
>>>>
>>>> My radvd.conf looks like so
>>>> #================START======================
>>>> interface eth0
>>>> {
>>>>     AdvSendAdvert on;
>>>>     prefix fc00:1::/64
>>>>     {
>>>>         AdvOnLink on;
>>>>         AdvAutonomous on;
>>>>     };
>>>>     RDNSS fc00:1::1111:1111:1111:1111 {};
>>>> };
>>>> #================END========================
>>>>
>>>> My named.conf after adding my samba looks like so
>>>> #================START======================
>>>> options {
>>>>     listen-on port 53 { 127.0.0.1; 192.168.1.1; };
>>>>     listen-on-v6 port 53 { ::1; };
>>>>     directory "/var/named";
>>>>     dump-file "/var/named/data/cache_dump.db";
>>>>     statistics-file "/var/named/data/named_stats.txt";
>>>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>     allow-query { localhost; 192.168.1.0/16; };
>>>>     recursion yes;
>>>>     dnssec-enable yes;
>>>>     dnssec-validation yes;
>>>>     dnssec-lookaside auto;
>>>>     bindkeys-file "/etc/named.iscdlv.key";
>>>>     managed-keys-directory "/var/named/dynamic";
>>>>     pid-file "/run/named/named.pid";
>>>>     session-keyfile "/run/named/session.key";
>>>> };
>>>> logging {
>>>>     channel default_debug {
>>>>         file "data/named.run";
>>>>         severity dynamic;
>>>>     };
>>>> };
>>>> zone "." IN {
>>>>     type hint;
>>>>     file "named.ca";
>>>> };
>>>> zone "ipv6.DOMAIN1.SUBDOMAIN.TLD" {
>>>>     type master;
>>>>     file "zones/db.ipv6.DOMAIN1.SUBDOMAIN.TLD";
>>>>     allow-update { key rndc-key; };
>>>>     notify yes;
>>>> };
>>>> zone "DOMAIN1.SUBDOMAIN.TLD" IN {
>>>>     type master;
>>>>     file "zones/db.DOMAIN1.SUBDOMAIN.TLD";
>>>>     allow-update { key rndc-key; };
>>>>     notify yes;
>>>> };
>>>> zone "ad.DOMAIN2.SUBDOMAIN.TLD." IN {
>>>>     type master;
>>>>     file "zones/db.ad.DOMAIN2.SUBDOMAIN.TLD";
>>>>     update-policy {
>>>>         grant AD.DOMAIN2.SUBDOMAIN.TLD ms-self * A AAAA;
>>>>         grant Administrator@AD.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>>         grant DOMAIN2$@ad.DOMAIN2.SUBDOMAIN.TLD wildcard * A AAAA SRV CNAME;
>>>>     };
>>>>     check-names ignore;
>>>> };
>>>> zone "DOMAIN2.SUBDOMAIN.TLD" IN { type master; file "db.self"; };
>>>> #================END========================
>>>>
>>>> content of db.self
>>>> #================START======================
>>>> $TTL 604800 ; 1 week
>>>> @ IN SOA ns.DOMAIN1.SUBDOMAIN.TLD. MY.EMAIL. (
>>>>     2014092401 ; serial
>>>>     604800     ; refresh (1 week)
>>>>     86400      ; retry (1 day)
>>>>     2419200    ; expire (4 weeks)
>>>>     604800     ; minimum (1 week)
>>>>     )
>>>>      NS ns.DOMAIN1.SUBDOMAIN.TLD.
>>>> @ IN A 192.168.1.252
>>>> @ IN MX 10 DOMAIN2.SUBDOMAIN.TLD.
>>>> @ IN TXT "v=spf1 mx a -all"
>>>> #================END========================
>>>>
>>>> my smb.conf looks like
>>>> #================START======================
>>>> [global]
>>>>     netbios name = DOMAIN2
>>>>     realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>     workgroup = AD
>>>>     server role = active directory domain controller
>>>>     idmap_ldb:use rfc2307 = yes
>>>> [netlogon]
>>>>     path = /var/lib/samba/sysvol/ad.DOMAIN2.SUBDOMAIN.TLD/scripts
>>>>     read only = No
>>>> [sysvol]
>>>>     path = /var/lib/samba/sysvol
>>>>     read only = No
>>>> #================END========================
>>>>
>>>> my krb5.conf looks like
>>>> #================START======================
>>>> [libdefaults]
>>>>     default_realm = AD.DOMAIN2.SUBDOMAIN.TLD
>>>>     dns_lookup_realm = false
>>>>     dns_lookup_kdc = true
>>>> #================END========================
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>
> You are going about this the wrong way, you do not setup dhcp and bind
> then add a Samba4 AD DC, you setup the AD DC with bind9 and then add the
> dhcp server.
>
You're right, now I will try adding dhcp to that same rule set
> Rowland
>
Rowland penny
2016-May-27 16:23 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
On 27/05/16 17:11, Jeff Sadowski wrote:
> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
> helped me find that I needed to add
>
> options {
> [...]
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> [...]
> };
> That seems to have fixed my errors with DNS
>
> On Fri, May 27, 2016 at 9:26 AM, Rowland penny <rpenny at samba.org> wrote:
>
>> [...]
>>
>> You are going about this the wrong way, you do not setup dhcp and
>> bind then add a Samba4 AD DC, you setup the AD DC with bind9 and
>> then add the dhcp server.
>>
> You're right, now I will try adding dhcp to that same rule set
>
I will give you a few hints: 'on commit' 'on release' and 'on expiry' :-)

Rowland

PS: if you get stuck, I could always tell you how I have been doing it for
nearly 4 years.
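The 'on commit', 'on release' and 'on expiry' hints refer to dhcpd's lease-event hooks, which can run a script through execute() with the lease's address, hardware address and client-supplied host name. The following Python script is an added example (not code from Rowland, Samba or ISC) of what such a hook script has to get right before it talks to the DNS server: the dhcpd.conf fragment it expects is shown inside the block as an assumption, the zone and server address are the ones from the thread, and everything else (the TXT "mac=" owner tag, the sample lease values) is constructed. It only generates nsupdate input; feeding that text to `nsupdate -g` after a kinit for the updating principal is the caller's job.

```python
"""Generate nsupdate input for dhcpd 'on commit' / 'on release' / 'on expiry' events.

Added example for this thread; not from Samba, ISC or the posters. Assumes
dhcpd runs this script through execute() with (event, ip, mac, hostname) as
in DHCPD_HOOK below. Output is meant to be piped into `nsupdate -g` by the
caller after a Kerberos ticket has been obtained.
"""
import ipaddress
import re
import sys

ZONE = "ad.DOMAIN2.SUBDOMAIN.TLD"   # zone and server address from the thread
SERVER = "192.168.1.1"

# Assumed dhcpd.conf hook (not from the thread); 'on release' and 'on expiry'
# are identical apart from the first execute() argument.
DHCPD_HOOK = r'''
on commit {
    set clip = binary-to-ascii(10, 8, ".", leased-address);
    set clhw = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
    set clhost = pick-first-value(option host-name, "");
    execute("/usr/local/sbin/dhcp-ddns.py", "commit", clip, clhw, clhost);
}
'''

_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
# binary-to-ascii(16, 8, ":", ...) does not zero-pad, so "0:1a:..." is valid input
_MAC_RE = re.compile(r"^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$")


def validate_hostname(hostname: str) -> str:
    """The host-name option is chosen by the client, so accept one RFC 1123
    label only: a name with dots could otherwise steer the update to a name
    outside the DHCP client part of the zone."""
    label = hostname.strip().lower()
    if not _LABEL_RE.match(label):
        raise ValueError(f"rejecting client host-name {hostname!r}")
    return label


def hostname_is_acceptable(hostname: str) -> bool:
    try:
        validate_hostname(hostname)
        return True
    except ValueError:
        return False


def validate_mac(mac: str) -> str:
    """Normalise the hardware address to zero-padded lower-case hex."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad hardware address {mac!r}")
    return ":".join(part.zfill(2) for part in mac.split(":"))


def ptr_name(ip: str) -> str:
    """Reverse name for an IPv4 or IPv6 address (ipaddress handles both)."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_nsupdate(event: str, ip: str, mac: str, hostname: str,
                   zone: str, server: str, ttl: int = 3600) -> str:
    """Return nsupdate commands for one lease event, or "" if there is nothing to do.

    A TXT owner tag carrying the MAC (constructed scheme) is written next to the
    address record on commit; release/expiry delete the address record only if
    that tag still matches, so one client's release cannot remove a record that
    another client has since taken over under the same name.
    """
    if event not in ("commit", "release", "expiry"):
        raise ValueError(f"unknown event {event!r}")
    ip = str(ipaddress.ip_address(ip))          # raises on garbage
    mac = validate_mac(mac)
    rrtype = "AAAA" if ":" in ip else "A"
    rev = ptr_name(ip) + "."
    tag = f'"mac={mac}"'
    fqdn = f"{validate_hostname(hostname)}.{zone.rstrip('.').lower()}." if hostname else None
    lines = [f"server {server}"]
    if event == "commit":
        if fqdn is None:
            return ""                            # no client name, nothing to register
        lines += [f"update delete {fqdn} {rrtype}", f"update delete {fqdn} TXT",
                  f"update add {fqdn} {ttl} {rrtype} {ip}",
                  f"update add {fqdn} {ttl} TXT {tag}", "send",
                  f"update delete {rev} PTR", f"update add {rev} {ttl} PTR {fqdn}", "send"]
    else:
        if fqdn is not None:
            lines += [f"prereq yxrrset {fqdn} TXT {tag}",
                      f"update delete {fqdn} {rrtype}", f"update delete {fqdn} TXT", "send"]
        lines += [f"update delete {rev} PTR", "send"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # dhcpd passes: event ip mac [hostname]; constructed defaults for a dry run
    args = sys.argv[1:] or ["commit", "192.168.1.50", "0:11:22:33:44:55", "PC1"]
    event, ip, mac, host = (args + [""])[:4]
    sys.stdout.write(build_nsupdate(event, ip, mac, host, ZONE, SERVER))
```

The two `send` lines keep the forward and reverse zones in separate transactions, so a refused update in one zone does not block the other; the `prereq yxrrset` on release and expiry is what turns a plain delete into an ownership check.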
Jeff Sadowski
2016-May-27 17:07 UTC
[Samba] ISC's dhcp server, radvd and bind9 now adding samba as an AD DC
On Fri, May 27, 2016 at 10:23 AM, Rowland penny <rpenny at samba.org> wrote:
> On 27/05/16 17:11, Jeff Sadowski wrote:
>
>> [...]
>>
>> You're right, now I will try adding dhcp to that same rule set
>>
> I will give you a few hints: 'on commit' 'on release' and 'on expiry' :-)

This page http://www.zytrax.com/books/dns/ch9/dhcp.html makes it seem that I
can replace the
allow-update {key "ddns-a-rrs";}; # allowed key
with
update-policy {grant "ddns-a-ptr" self * A TXT DHCID;};
so I just added "grant rndc-key self * A TXT DHCID;" to my update policy

> Rowland
>
> PS: if you get stuck, I could always tell you how I have been doing it for
> nearly 4 years.