On Tue, 25/04/2017 at 14.36 +0100, Rowland Penny via samba wrote:
> > However I would like to enable also the DHCP service, and think
> > it's right to activate it on this server.
> >
> > What is the best way to do so?
>
> Well you could always do it the way I have been doing it for the last
> 5 years, see here:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

I have set up dhcp as the howto says, and this is the result:

Problem 1:
On Fedora the script put into /etc/dhcp/bin cannot work:

# ls -ld /etc/ /etc/dhcp /etc/dhcp/bin/
drwxr-xr-x. 93 root root 8192 25 apr 19.46 /etc/
drwxr-x---.  4 root root  119 25 apr 16.13 /etc/dhcp
drwxr-xr-x   2 root root   28 25 apr 16.06 /etc/dhcp/bin/

because the dhcpd daemon does not have the right to access the /etc/dhcp folder.

Solution 1:
I have moved the bin directory to /etc/samba and modified dhcpd.conf.

Problem 2:
At line 46 the script tests -f /etc/dhcp/dhcpduser.keytab but cannot access it because of the previous problem (inaccessible /etc/dhcp/ dir), then at line 47 it shows a mistaken error message: "Required keytab /etc/dhcpduser.keytab not found,"

Solution 2:
I have moved the dhcpduser.keytab file to /etc/samba and modified the script (see attachment).

Problem 3:
For some strange reason the krbcc ticket cache /tmp/dhcp-dyndns.cc is not readable by the dhcpd user; it is owned by root:root with 600 access.

Solution 3:
I have added a specific error message to the shell script and removed the file manually.

Problem 4:
The new ticket cache is not generated because user dhcpd cannot execute kinit:

> # su - dhcpd -s /bin/bash
> -bash-4.3$ kinit -F -k -t /etc/samba/dhcpduser.keytab -c '/tmp/dhcp-dyndns.cc' 'dhcpduser@SOLINOS.LOC'
> kinit: Permission denied while initializing Kerberos 5 library
> -bash-4.3$

This problem is caused by access denied to /etc/krb5.conf
https://wiki.ncsa.illinois.edu/display/ITS/Kerberos+Troubleshooting+for+Unix#KerberosTroubleshootingforUnix-general

# ll /etc/krb5.conf
lrwxrwxrwx. 1 root root 32 25 apr 08.27 /etc/krb5.conf -> /var/lib/samba/private/krb5.conf
# ll /var/lib/samba/private/krb5.conf
-rw-r--r--. 1 root root 92 25 apr 08.26 /var/lib/samba/private/krb5.conf
# ll /var/lib/samba/private/ -d
drwxr-x---. 8 root named 4096 26 apr 00.48 /var/lib/samba/private/

Solution 4:
I have removed the symbolic link and copied the samba krb5.conf directly to /etc.

Now, after this change, the dhcp script works and can add the new DNS A record and bind the new name to the assigned IP.

apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: Commit: IP: 10.11.12.100 DHCID: 1:52:54:0:93:83:52 Name: centos7
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[0] = /etc/samba/bin/dhcp-dyndns.sh
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[1] = add
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[2] = 10.11.12.100
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[3] = 1:52:54:0:93:83:52
apr 26 00:58:21 fedora-addc.solinos.loc dhcpd[1499]: execute_statement argv[4] = centos7
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: starting transaction on zone solinos.loc
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: allowing update of signer=dhcpduser\@SOLINOS.LOC name=centos7.solinos.loc tcpaddr=127.0.0.1 type=A key=3307522444.sig-fedora-addc.solinos.loc/160/0
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: allowing update of signer=dhcpduser\@SOLINOS.LOC name=centos7.solinos.loc tcpaddr=127.0.0.1 type=A key=3307522444.sig-fedora-addc.solinos.loc/160/0
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: client 127.0.0.1#33191/key dhcpduser\@SOLINOS.LOC: updating zone 'solinos.loc/NONE': deleting rrset at 'centos7.solinos.loc' A
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: client 127.0.0.1#33191/key dhcpduser\@SOLINOS.LOC: updating zone 'solinos.loc/NONE': adding an RR at 'centos7.solinos.loc' A 10.11.12.100
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: added rdataset centos7.solinos.loc 'centos7.solinos.loc. 3600 IN A 10.11.12.100'
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: subtracted rdataset solinos.loc 'solinos.loc. 3600 IN SOA fedora-addc.solinos.loc. hostmaster.solinos.loc. 9 900 600 86400 3600'
apr 26 00:58:21 fedora-addc.solinos.loc named[901]: samba_dlz: added rdataset solinos.loc 'solinos.loc. 3600 IN SOA fedora-addc.solinos.loc. hostmaster.solinos.loc. 10 900 600 86400 3600'
apr 26 00:58:22 fedora-addc.solinos.loc named[901]: samba_dlz: committed transaction on zone solinos.loc
apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1946]: DHCP-DNS Update failed: 02
apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: execute: /etc/samba/bin/dhcp-dyndns.sh exit status 512
apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: DHCPREQUEST for 10.11.12.100 from 52:54:00:93:83:52 (centos7) via ens3
apr 26 00:58:22 fedora-addc.solinos.loc dhcpd[1499]: DHCPACK on 10.11.12.100 to 52:54:00:93:83:52 (centos7) via ens3

[root@fedora-addc ~]# host centos7.solinos.loc
centos7.solinos.loc has address 10.11.12.100
[root@fedora-addc ~]# host 10.11.12.100
Host 100.12.11.10.in-addr.arpa. not found: 3(NXDOMAIN)

But the procedure fails to add the PTR record for the new IP.
It seems I have a DNS problem with the reverse zone.

# host 10.11.12.200 #(AD-DC IP)
Host 200.12.11.10.in-addr.arpa. not found: 3(NXDOMAIN)

# samba-tool dns zonelist $(hostname)
  2 zone(s) found

  pszZoneName                 : solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.solinos.loc

  pszZoneName                 : _msdcs.solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.solinos.loc

I have tried to create the missing reverse zone:

# samba-tool dns zonecreate $(hostname) 12.11.10.in-addr.arpa
Zone 12.11.10.in-addr.arpa created successfully

But now the error when dhcp updates dns is:

apr 26 01:31:35 fedora-addc.solinos.loc named[901]: client 127.0.0.1#36099/key dhcpduser\@SOLINOS.LOC: updating zone '10.IN-ADDR.ARPA/IN': update failed: not authoritative for update zone (NOTAUTH)

Can someone help me to find what the problem is and how to resolve it?

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
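The four problems in the post above are all the same failure seen from different files: the account dhcpd runs as cannot traverse a directory (/etc/dhcp, /var/lib/samba/private) or read a file (the keytab, krb5.conf, a root-owned ticket cache). The script below is an added example written for this page; it is not from the thread or from the Samba wiki script. It evaluates the classic owner/group/other mode bits of every path component for a given uid and group list, so it can be run as root to predict what the dhcpd user will be denied and which component denies it, and it follows symlinks the way the /etc/krb5.conf -> /var/lib/samba/private/krb5.conf case needs. It assumes GNU stat and readlink; the paths in the usage line are the ones from the post; POSIX ACLs, SELinux labels and capabilities are not modelled, so an OK here is necessary, not sufficient.

```shell
#!/bin/sh
# Added example, not from the thread or the wiki script: predict whether a
# service account (e.g. dhcpd) can reach a file, from the mode bits alone.
# Every ancestor directory needs search (x); the leaf needs read (r).
# Assumes GNU stat/readlink. ACLs, SELinux and capabilities are ignored.

# octal_to_int "2750" -> 1512 (portable replacement for bash's 8#)
octal_to_int() {
  n=0; s=$1
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}                  # first character
    s=${s#?}
    n=$(( n * 8 + c ))
  done
  echo "$n"
}

# bits_allow MODE OWNER_UID OWNER_GID NEED UID [GID...]
# NEED is r, w or x. Returns 0 if the mode bits grant it to UID with GIDs.
bits_allow() {
  mode=$1; ouid=$2; ogid=$3; need=$4; uid=$5
  shift 5
  case $need in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
  [ "$uid" -eq 0 ] && return 0                      # root: DAC override (approximation)
  perm=$(( $(octal_to_int "$mode") & 511 ))          # drop setuid/setgid/sticky bits
  if [ "$uid" -eq "$ouid" ]; then
    cls=$(( (perm >> 6) & 7 ))                       # owner triplet
  else
    cls=$(( perm & 7 ))                              # other triplet ...
    for g in "$@"; do                                # ... unless a group matches
      if [ "$g" -eq "$ogid" ]; then cls=$(( (perm >> 3) & 7 )); break; fi
    done
  fi
  [ $(( cls & bit )) -ne 0 ]
}

# stat_mog PATH -> "mode owner_uid owner_gid" (GNU stat assumed)
stat_mog() { stat -c '%a %u %g' "$1"; }

# check_access UID "GID GID..." PATH
# Prints every component that blocks UID; returns 0 only if PATH is readable.
check_access() {
  uid=$1; gids=$2; target=$3; rc=0
  real=$(readlink -f -- "$target" 2>/dev/null) || real=$target   # follow symlinks
  d=$real
  while :; do                                        # walk ancestors up to /
    d=${d%/*}; [ -n "$d" ] || d=/
    mog=$(stat_mog "$d") || return 2
    set -- $mog
    bits_allow "$1" "$2" "$3" x "$uid" $gids ||
      { echo "$d: no search (x) permission for uid $uid (mode $1, owner $2:$3)"; rc=1; }
    [ "$d" = / ] && break
  done
  mog=$(stat_mog "$real") || return 2
  set -- $mog
  bits_allow "$1" "$2" "$3" r "$uid" $gids ||
    { echo "$real: not readable by uid $uid (mode $1, owner $2:$3)"; rc=1; }
  return $rc
}

# Usage: sh preflight.sh dhcpd /etc/dhcp/bin/dhcp-dyndns.sh \
#            /etc/dhcp/dhcpduser.keytab /etc/krb5.conf /tmp/dhcp-dyndns.cc
if [ $# -ge 2 ]; then
  svc=$1; shift
  u=$(id -u "$svc") && g=$(id -G "$svc") || exit 2
  status=0
  for p in "$@"; do
    if check_access "$u" "$g" "$p"; then echo "$p: OK for $svc"; else status=1; fi
  done
  exit $status
fi
```

Run on the DC as root with the service user as first argument, it prints each blocking component with its mode and owner, which turns "Permission denied while initializing Kerberos 5 library" into the name of the directory that actually denied the access.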
On Wed, 26 Apr 2017 01:55:16 +0200
Dario Lesca via samba <samba@lists.samba.org> wrote:

Your problem is that you need to find out just who dhcpd runs as on
fedora. On Devuan it is root and everything just works.

> But the procedure fails to add the PTR record for the new IP.
> It seems I have a DNS problem with the reverse zone.
>
> # host 10.11.12.200 #(AD-DC IP)
> Host 200.12.11.10.in-addr.arpa. not found: 3(NXDOMAIN)
> # samba-tool dns zonelist $(hostname)
>   2 zone(s) found
>
>   pszZoneName                 : solinos.loc
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.solinos.loc
>
>   pszZoneName                 : _msdcs.solinos.loc
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.solinos.loc
>

You didn't have a reverse zone.

> I have tried to create the missing reverse zone:
>
> # samba-tool dns zonecreate $(hostname) 12.11.10.in-addr.arpa
> Zone 12.11.10.in-addr.arpa created successfully
>
> But now the error when dhcp updates dns is:
> apr 26 01:31:35 fedora-addc.solinos.loc named[901]: client
> 127.0.0.1#36099/key dhcpduser\@SOLINOS.LOC: updating zone
> '10.IN-ADDR.ARPA/IN': update failed: not authoritative for update
> zone (NOTAUTH)
>

Whilst you seem to have created the '12.11.10.in-addr.arpa' reverse
zone, it seems to be trying to update the '10.IN-ADDR.ARPA' reverse
zone. Can you check what zones you have now.

Rowland
On Wed, 26/04/2017 at 07.27 +0100, Rowland Penny via samba wrote:
> On Wed, 26 Apr 2017 01:55:16 +0200
> Dario Lesca via samba <samba@lists.samba.org> wrote:
>
> Your problem is that you need to find out just who dhcpd runs as on
> fedora. On Devuan it is root and everything just works.

Yes, on Debian it works. And with this patch:

[root@fedora-addc ~]# diff -Nau /etc/samba/bin/dhcp-dyndns.sh.old /etc/samba/bin/dhcp-dyndns.sh
--- /etc/samba/bin/dhcp-dyndns.sh.old 2017-04-26 11:06:30.930347314 +0200 +++ /etc/samba/bin/dhcp-dyndns.sh 2017-04-26 11:45:16.072373036 +0200 @@ -1,6 +1,6 @@ #!/bin/bash -# /etc/bin/dhcp-dyndns.sh +# /etc/samba/bin/dhcp-dyndns.sh # This script is for secure DDNS updates on Samba 4 # Version: 0.8.8 @@ -24,6 +24,12 @@ # krbcc ticket cache export KRB5CCNAME="/tmp/dhcp-dyndns.cc" +if [ -f "$KRB5CCNAME" -a ! -r "$KRB5CCNAME" ] +then + echo "File krbcc ticket cache $KRB5CCNAME is not readable. Remove it with 'rm -f $KRB5CCNAME'" + exit 1 +fi + # Kerberos principal SETPRINCIPAL="dhcpduser@${REALM}" # Kerberos keytab @@ -43,13 +49,15 @@ fi # Check for Kerberos keytab -if [ ! -f /etc/dhcp/dhcpduser.keytab ]; then - echo "Required keytab /etc/dhcpduser.keytab not found, it needs to be created." +dhcpduser_keytab='/etc/samba/dhcpduser.keytab' +#dhcpduser_keytab=/etc/dhcp/dhcpduser.keytab +if [ ! -f $dhcpduser_keytab ]; then + echo "Required keytab $dhcpduser_keytab not found, it needs to be created." echo "Use the following commands as root" - echo "samba-tool domain exportkeytab --principal=${SETPRINCIPAL} /etc/dhcpduser.keytab" - echo "chown XXXX:XXXX /etc/dhcpduser.keytab" + echo "samba-tool domain exportkeytab --principal=${SETPRINCIPAL} $dhcpduser_keytab" + echo "chown XXXX:XXXX $dhcpduser_keytab" echo "Replace 'XXXX:XXXX' with the user & group that dhcpd runs as on your distro" - echo "chmod 400 /etc/dhcpduser.keytab" + echo "chmod 400 $dhcpduser_keytab" exit 1 fi 
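Review bot: the new ticket-cache check in the `@@ -24,6 +24,12 @@` hunk prints its diagnosis with `echo` and exits, while every other failure in this script is reported with `logger`; when dhcpd invokes the script nobody reads its stdout (the journal in the first post shows only `exit status 512`), so report it with `logger "${test} [dyndns] : ..."` like the surrounding checks. The test should also avoid the obsolescent `-a`: `if [ -f "$KRB5CCNAME" ] && [ ! -r "$KRB5CCNAME" ]`. Telling the operator to `rm -f` the cache only clears the symptom until the file is created again with the same root:root 600 ownership described in the first post; the message should instead say which user (the one dhcpd runs as) must run the script so the cache is created with the right owner.

Review bot: `if [ ! -f $dhcpduser_keytab ]` in the `@@ -43,13 +49,15 @@` hunk still tests existence only, which is exactly the case from the first post where the keytab existed but the dhcpd user could not reach it and the script reported it as "not found"; test readability from the invoking user's point of view, `if [ ! -r "$dhcpduser_keytab" ]`, quote the variable, and say "not found or not readable" in the message. The path is also assigned here, between two checks, together with a commented-out alternative (`#dhcpduser_keytab=/etc/dhcp/dhcpduser.keytab`); define it once at the top next to `KRB5CCNAME` so both site-specific paths live in one place, and drop the commented line.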
@@ -75,12 +83,13 @@ # Check for valid kerberos ticket #logger "${test} [dyndns] : Running check for valid kerberos ticket" -klist -c /tmp/dhcp-dyndns.cc -s +klist -c "$KRB5CCNAME" -s if [ "$?" != "0" ]; then - logger "${test} [dyndns] : Getting new ticket, old one has expired" - kinit -F -k -t /etc/dhcp/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "${SETPRINCIPAL}" + logger "${test} [dyndns] : Getting new ticket, old one has expired." + cmd="kinit -F -k -t $dhcpduser_keytab -c '$KRB5CCNAME' '${SETPRINCIPAL}'" + eval $cmd if [ "$?" != "0" ]; then - logger "${test} [dyndns] : dhcpd kinit for dynamic DNS failed" + logger "${test} [dyndns] : dhcpd kinit for dynamic DNS failed [$cmd]" exit 1; fi fi

it can work also on CentOS and Fedora. The more systems the script works on, the more people can use it.

> Whilst you seem to have created the '12.11.10.in-addr.arpa'
> reversezone, it seems to be trying to update the '10.IN-ADDR.ARPA'
> reversezone. Can you check what zones you have now.

Now these are my zones:

# samba-tool dns zonelist $(hostname)
  3 zone(s) found

  pszZoneName                 : 12.11.10.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.solinos.loc

  pszZoneName                 : solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.solinos.loc

  pszZoneName                 : _msdcs.solinos.loc
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.solinos.loc

Yesterday I also tried to force the use of this zone in the shell script,

> nsupdate -g ${NSUPDFLAGS} << UPDATE
> server 127.0.0.1
> realm ${REALM}
> zone 12.11.10.in-addr.arpa        <---<<<
> update delete ${ptr} 3600 PTR
> update add ${ptr} 3600 PTR ${name}.${domain}
> send
> UPDATE

but nothing changed, the error log is the same.

Furthermore, this morning after I started my AD-DC test server, kinit does not work anymore:

# kinit -F -k -t /etc/samba/dhcpduser.keytab -c '/tmp/dhcp-dyndns.cc' 'dhcpduser@SOLINOS.LOC'
kinit: Cannot contact any KDC for realm 'SOLINOS.LOC' while getting initial credentials

so the dhcpd script does not work anymore either.

The rest works as expected:

[root@fedora-addc ~]# wbinfo --ping-dc
checking the NETLOGON for domain[SOLINOS] dc connection to "fedora-addc.solinos.loc" succeeded
[root@fedora-addc ~]# id ospite
uid=3000017(SOLINOS\ospite) gid=100(users) gruppi=100(users),3000017(SOLINOS\ospite),3000009(BUILTIN\users)
[root@fedora-addc ~]# !smbcl:p
smbclient //$(hostname)/netlogon -Uospite%P@ssw0rd -c 'cd test;mkdir ospite'
[root@fedora-addc ~]# smbclient //$(hostname)/netlogon -Uospite%P@ssw0rd -c 'ls'
Domain=[SOLINOS] OS=[Windows 6.1] Server=[Samba 4.5.8]
  .                                   D        0  Tue Apr 25 09:31:16 2017
  ..                                  D        0  Tue Apr 25 08:25:55 2017
  test                                D        0  Tue Apr 25 09:31:16 2017

		2291712 blocks of size 1024. 603824 blocks available

These are the final AD config files:

[root@fedora-addc ~]# cat /etc/krb5.conf
[libdefaults]
	default_realm = SOLINOS.LOC
	dns_lookup_realm = false
	dns_lookup_kdc = true

[root@fedora-addc ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
	netbios name = FEDORA-ADDC
	realm = SOLINOS.LOC
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = SOLINOS
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	template shell = /bin/bash
	template homedir = /home/%U

[netlogon]
	path = /var/lib/samba/sysvol/solinos.loc/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

Obviously on the member server something does not work:

[root@fed-build-addc ~]# kinit administrator@SOLINOS.LOC
kinit: Cannot contact any KDC for realm 'SOLINOS.LOC' while getting initial credentials
[root@fed-build-addc ~]# wbinfo --ping-dc
checking the NETLOGON for domain[SOLINOS] dc connection to "" failed
wbcPingDc2(SOLINOS): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

What kind of problem is this?

Thanks for any suggestion.

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
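Review bot: in the `@@ -75,12 +83,13 @@` hunk, `cmd="kinit -F -k -t $dhcpduser_keytab -c '$KRB5CCNAME' '${SETPRINCIPAL}'"` followed by `eval $cmd` re-parses the already expanded values as shell text, so a keytab path, cache path or principal containing a quote or a metacharacter would break the command or be executed; run kinit directly with quoted arguments, `kinit -F -k -t "$dhcpduser_keytab" -c "$KRB5CCNAME" "$SETPRINCIPAL"`, and assemble a string only for the failure message if one is wanted there. `KRB5CCNAME` is already exported earlier in the script, so `-c "$KRB5CCNAME"` is redundant and can go; and `[$cmd]` in the logger line copies the keytab path into syslog on every failure, which a log reader does not need.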
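The named log in this thread shows the update arriving for '10.IN-ADDR.ARPA' while the zone that was created is '12.11.10.in-addr.arpa', and the poster reports that adding a `zone` line to the nsupdate batch did not change the error. The POSIX shell functions below are an added example written for this page, not code from the thread or from the Samba wiki script: they derive the reverse zone and the PTR owner name from an address and a prefix length and emit an nsupdate batch that names the zone explicitly, so what is sent can be compared line by line with what the server is authoritative for. The server address, TTL and realm are arguments; only /8, /16 and /24 reverse zones are derived, and an RFC 2317 style delegation would have to be supplied by hand.

```shell
#!/bin/sh
# Added example, not from the thread or the wiki script: build the reverse
# zone, the PTR owner and an nsupdate batch with an explicit "zone" line.
# Only classful /8, /16 and /24 reverse zones are derived.

# reverse_zone IP PREFIXLEN -> e.g. 10.11.12.100 24 -> 12.11.10.in-addr.arpa
# (subshell body: the IFS change does not leak to the caller)
reverse_zone() (
  plen=$2
  IFS=.; set -- $1                                   # split the address into octets
  [ $# -eq 4 ] || { echo "reverse_zone: bad IPv4 address" >&2; exit 1; }
  case $plen in
    8)  echo "$1.in-addr.arpa" ;;
    16) echo "$2.$1.in-addr.arpa" ;;
    24) echo "$3.$2.$1.in-addr.arpa" ;;
    *)  echo "reverse_zone: unsupported prefix length $plen (use 8, 16 or 24)" >&2; exit 1 ;;
  esac
)

# ptr_owner IP -> e.g. 10.11.12.100 -> 100.12.11.10.in-addr.arpa
ptr_owner() (
  IFS=.; set -- $1
  [ $# -eq 4 ] || { echo "ptr_owner: bad IPv4 address" >&2; exit 1; }
  echo "$4.$3.$2.$1.in-addr.arpa"
)

# ptr_update SERVER IP PREFIXLEN FQDN [TTL] [REALM] -> nsupdate batch on stdout
# Deletes any existing PTR for the owner and adds the new one in one
# transaction, against the zone named explicitly rather than one nsupdate
# infers from an SOA walk.
ptr_update() {
  server=$1; ip=$2; plen=$3; fqdn=$4; ttl=${5:-3600}; realm=$6
  zone=$(reverse_zone "$ip" "$plen") || return 1
  owner=$(ptr_owner "$ip") || return 1
  case $fqdn in *.) ;; *) fqdn=$fqdn. ;; esac       # absolute target, no search-list surprises
  echo "server $server"
  [ -n "$realm" ] && echo "realm $realm"
  echo "zone $zone"
  echo "update delete $owner PTR"
  echo "update add $owner $ttl PTR $fqdn"
  echo "send"
}

# Usage (assumed values from the thread):
#   ptr_update 127.0.0.1 10.11.12.100 24 centos7.solinos.loc 3600 SOLINOS.LOC | nsupdate -g
```

Pipe the output into `nsupdate -g` with KRB5CCNAME pointing at the dhcpd ticket cache. Before that, `dig +short SOA 12.11.10.in-addr.arpa @127.0.0.1` should return the zone's SOA, because NOTAUTH on an UPDATE means the server does not consider itself authoritative for the zone named in the request, whatever zones `samba-tool dns zonelist` reports.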