Hi there, thanks for your reply. Probably I should add that:
a) I'm running Centos7 on the RPi3.
b) Compiled and installed samba 4.7.2 from source (packaged AD samba not
available for CentOS)
c) I haven't managed an AD before this thing landed in my lap, much less a
Samba AD :)

On 30 November 2017 at 15:45, Rowland Penny via samba <samba at lists.samba.org> wrote:

> > Basically, I followed this set of instructions:
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > I have run into several problems.
> >
> > 1. The new DCs were not automatically added to the master zone A
> > record, i.e. "host -t A samdom.example.com localhost" would only
> > return the original host. All of the other records (including GUIDs)
> > were inserted fine. I ended up adding these manually.
>
> It is probably down to the version of Samba running on the rpi's, later
> versions should do this.

Original DC samba version is 4.5.0, also compiled from source.
Possibly the issue was that the original DC01 had its record manually
inserted in the DNS; at least, the DNS viewer flagged it as 'static'.

> > 2. The SOA record for my DNS zones seems to have migrated to point
> > to the last DC that I set up. New zones get the original one (the one
> > with the master token). I am unsure what this means, but from what I
> > can tell, dnsupdate contacts the host in the SOA record to make
> > updates. What is the recommended practice here? Does it matter
> > which of my now three redundant DNS hosts is the SOA? How can I
> > change it?
>
> Again, later versions of Samba will make all Samba DCs authoritative.

Running 4.7.2.
What does that mean, can a zone have more than one SOA record? Using the
DNS Manager tool on Windows, the "properties" of a zone has only one
"Primary server" in the SOA.
The pre-existing zones seem to have all migrated to DC03 (the last one
where I installed the AD). Is it OK to have different DCs as primary server
for a zone? How does this affect redundancy if one DC goes offline?

> > 3. I was unable to get the dynamic DNS updates from DHCPD to
> > work without adding an "allow-update {any;};" clause (or similar) to
> > named.conf. This was not documented anywhere and caused me a lot of
> > headaches, particularly since this setting was in the original DC and
> > so dynamic updates would work or not, based on the SOA record for the
> > zones. What is the recommended practice here?
>
> You shouldn't need that line, at least, I never have.
> It might help if you post your bind conf files.

Sure, this is what I'm using. It's the default one for Centos7 rpm bind,
modified for AD:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.0/16; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        # changes for BIND for AD
        #allow-query { localhost; any; };
        allow-query     { localhost; 192.168.0.0/16; };
        allow-recursion { localhost; 192.168.0.0/16; };
        auth-nxdomain yes;
        notify no;
        empty-zones-enable no;
        allow-transfer { none; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* option from /usr/local/samba/private/named.txt */
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        allow-update { localhost; any; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/* the include file for samba support */
include "/usr/local/samba/private/named.conf";

> > I was unable to find on the samba wiki an overview over a recommended
> > setup of the combination of SambaAD/BIND/DHCP which is sort of a
> > minimum to maintain a site. Particularly how they interact.
> > From what I can tell, Samba AD and BIND always go hand in hand, but
> > there are at most two DHCPD servers on the net, running on two of the
> > DCs. Is this correct?
>
> Can I suggest you read again the Samba wikipage that you couldn't
> find:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> it changed yesterday because of a bug.

Thanks, that's exactly the page I followed when it came to this. I had
already fixed the problems with the read access to /etc/dhcp (chgrp dhcpd
/etc/dhcp) and setting the right path in the script.

> > Finally, dynamic DNS updates from the DHCP server seem to take some 8
> > or nine seconds, during which time a client does not get a DHCPD ack.
> > Sometimes the client gives up waiting.
> > I'm currently looking into this, but here is a log:
>
> I feel this must be down to the rpi's, less than a second on my DCs

I'm sure you are right. I'm having problems with IO performance on this
particular machine. I probably should replace the SD card.
However, a considerable time in the script (after analysis) is spent on
doing checking, particularly the wbinfo -u call, which can take anything
from .17 seconds to 5 seconds in my case.
"wbinfo -i dhcpduser" is consistently faster.
I will continue to investigate. I'll remove the redundant wbinfo call in
my install, since it is only there for problem diagnostics.

Cheers!
- K
See inline comments:

On Thu, 30 Nov 2017 16:25:25 +0000
Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:

> Hi there, thanks for your reply. Probably I should add that:
> a) I'm running Centos7 on the RPi3.

Where did you get that from ?

> b) Compiled and installed samba 4.7.2 from source (packaged AD samba
> not available for CentOS)

Not yet, but it is coming to Fedora and then ultimately Centos, but
probably Centos 8 (this is just a guess)

> c) I haven't managed an AD before this thing landed in my lap, much
> less a Samba AD :)

It gets easier after the first year or two ;-)

> On 30 November 2017 at 15:45, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > > Basically, I followed this set of instructions:
> > > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> > > I have run into several problems.
> > >
> > > 1. The new DCs were not automatically added to the master zone
> > > A record, i.e. "host -t A samdom.example.com localhost" would only
> > > return the original host. All of the other records (including
> > > GUIDs) were inserted fine. I ended up adding these manually.
> >
> > It is probably down to the version of Samba running on the rpi's,
> > later versions should do this.
>
> Original DC samba version is 4.5.0, also compiled from source.
> Possibly the issue was that the original DC01 had its record manually
> inserted in the DNS; at least, the DNS viewer flagged it as 'static'.

I have the feeling that your rpi's are getting their IP's via DHCP, if
that is the case, give them a static IP, using DHCP on an AD DC is only
going to end in tears.

> > > 2. The SOA record for my DNS zones seems to have migrated to
> > > point to the last DC that I set up. New zones get the original
> > > one (the one with the master token). I am unsure what this
> > > means, but from what I can tell, dnsupdate contacts the host in
> > > the SOA record to make updates. What is the recommended practice
> > > here? Does it matter which of my now three redundant DNS hosts
> > > is the SOA? How can I change it?
> >
> > Again, later versions of Samba will make all Samba DCs
> > authoritative.
>
> Running 4.7.2.
> What does that mean, can a zone have more than one SOA record? Using
> the DNS Manager tool on Windows, the "properties" of a zone has only
> one "Primary server" in the SOA.
> The pre-existing zones seem to have all migrated to DC03 (the last one
> where I installed the AD). Is it OK to have different DCs as primary
> server for a zone? How does this affect redundancy if one DC goes
> offline?

All AD DCs that run a dns server are authoritative for the dns domain,
this means that if you ask a DC for its SOA, it will claim it is
itself. All DCs carry the AD records, this includes the dns records. A
program called 'samba_dnsupdate' is run at Samba startup and then at
frequent intervals, this uses a file 'dns_update_list' and checks and
updates the records found in that file.

> > > 3. I was unable to get the dynamic DNS updates from DHCPD to
> > > work without adding an "allow-update {any;};" clause (or similar)
> > > to named.conf. This was not documented anywhere and caused me a
> > > lot of headaches, particularly since this setting was in the
> > > original DC and so dynamic updates would work or not, based on
> > > the SOA record for the zones. What is the recommended practice
> > > here?
> >
> > You shouldn't need that line, at least, I never have.
> > It might help if you post your bind conf files.
>
> Sure, this is what I'm using. It's the default one for Centos7 rpm
> bind, modified for AD:

This is mine (actually the three debian ones in one file):

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.7; 127.0.0.1; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

// adding the Samba dlopen ( Bind DLZ ) module
include "/usr/local/samba/private/named.conf";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

It has worked for me for the last 5 years ;-)

> > > I was unable to find on the samba wiki an overview over a
> > > recommended setup of the combination of SambaAD/BIND/DHCP which
> > > is sort of a minimum to maintain a site. Particularly how they
> > > interact. From what I can tell, Samba AD and BIND always go hand
> > > in hand, but there are at most two DHCPD servers on the net,
> > > running on two of the DCs. Is this correct?
> >
> > Can I suggest you read again the Samba wikipage that you couldn't
> > find:
> >
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >
> > it changed yesterday because of a bug.
>
> Thanks, that's exactly the page I followed when it came to this. I had
> already fixed the problems with the read access to /etc/dhcp (chgrp
> dhcpd /etc/dhcp) and setting the right path in the script.
>
> > > Finally, dynamic DNS updates from the DHCP server seem to take
> > > some 8 or nine seconds, during which time a client does not get a
> > > DHCPD ack. Sometimes the client gives up waiting.
> > > I'm currently looking into this, but here is a log:
> >
> > I feel this must be down to the rpi's, less than a second on my DCs
>
> I'm sure you are right. I'm having problems with IO performance on
> this particular machine. I probably should replace the SD card.
> However, a considerable time in the script (after analysis) is spent
> on doing checking, particularly the wbinfo -u call, which can take
> anything from .17 seconds to 5 seconds in my case.
> "wbinfo -i dhcpduser" is consistently faster.

Good point, never thought of that (don't use wbinfo much), I will test
it and update the wiki page again, if it makes it faster.

Rowland
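As an added check for the "allow-update { any; }" question raised in the first message and the reply above that the line is not needed (example code written for this thread, not from either poster, Samba or BIND): the function below pulls the options block out of a named.conf and flags a permissive allow-update, a missing tkey-gssapi-keytab (which Samba's DLZ module needs for Kerberos-authenticated GSS-TSIG updates), and recursion left on without an allow-recursion restriction. The two samples are constructed, abbreviated copies of the two posted configurations.

```python
import re

# Added example, not code from the thread: lint the named.conf ACL statements
# discussed above. Handles the #, // and /* */ comment styles BIND accepts.

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(conf):
    """Body of the top-level options { ... } block, found by brace matching."""
    conf = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return conf[m.end():]

def acl(body, name):
    """Address-match list of `name { a; b; };`, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None

def lint_named_conf(conf):
    """Return a list of findings; an empty list means nothing to report."""
    body, out = options_block(conf), []
    if "any" in (acl(body, "allow-update") or []):
        out.append("allow-update: 'any' lets unauthenticated clients modify every "
                   "master zone BIND serves; Samba's DLZ zones use GSS-TSIG instead")
    if "tkey-gssapi-keytab" not in body:
        out.append("tkey-gssapi-keytab missing: Samba secure DNS updates will fail")
    rec = acl(body, "allow-recursion")
    # BIND recurses by default, so only an explicit `recursion no;` turns it off.
    if not re.search(r"\brecursion\s+no\b", body) and (rec is None or "any" in rec):
        out.append("recursion is on without an allow-recursion restriction")
    return out

# Constructed, abbreviated versions of the two options blocks posted in the thread.
CENTOS_CONF = """options {
    allow-recursion { localhost; 192.168.0.0/16; };  # changes for BIND for AD
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    allow-update { localhost; any; };   /* the line in question */
};"""
DEBIAN_CONF = """options {
    allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};"""
```

Run it as `lint_named_conf(open("/etc/named.conf").read())`; an empty list means none of the three conditions was found.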
On 30 November 2017 at 17:00, Rowland Penny via samba <samba at lists.samba.org> wrote:

> > Hi there, thanks for your reply. Probably I should add that:
> > a) I'm running Centos7 on the RPi3.
>
> Where did you get that from ?

It's been around for a few months.
https://wiki.centos.org/SpecialInterestGroup/AltArch/Arm32/RaspberryPi3
It is completely stable, and it has the entire base rpm and selected stuff
from EPEL. But there isn't an ARM epel repo yet and some packages are
missing. Since most of the linux infrastructure I manage is using CentOS it
seemed like a good idea.
I'm trying to set up a cheap and reliable infrastructure with redundancy.
The RPi3 should theoretically work well in this scenario. Its main
bottleneck seems to be the SD card. External discs could be used but again
the RPi is USB2 only and shares the USB bus with the network interface...
I haven't run the experiment to compare the two. Anyway, there are ways to
speed these up.

> I have the feeling that your rpi's are getting their IP's via DHCP, if
> that is the case, give them a static IP, using DHCP on an AD DC is only
> going to end in tears.

No, actually I did assign them static IPs, and gave them initial static
DNS entries in the AD before starting the install.

> All AD DCs that run a dns server are authoritative for the dns domain,
> this means that if you ask a DC for its SOA, it will claim it is
> itself. All DCs carry the AD records, this includes the dns records. A
> program called 'samba_dnsupdate' is run at Samba startup and then at
> frequent intervals, this uses a file 'dns_update_list' and checks and
> updates the records found in that file.

Thanks, this is useful info. Like I said, the wiki is a bit hard to
navigate. Would be cool to have an overview page with AD specific topics,
and something explaining the architecture and how these three things work
together. Also, how to run dhcp on a machine separate from the DC...
Would it have to be set up as an AD member?

> > Sure, this is what I'm using. It's the default one for Centos7 rpm
> > bind, modified for AD:
>
> This is mine (actually the three debian ones in one file):

Thanks. Will run some experiments and report back.

Kristján