Nico Kadel-Garcia
2019-Jan-01 14:50 UTC
[Samba] Dynamic DNS tips? (Samba 4.8.x + Bind9_DLZ)
On Tue, Jan 1, 2019 at 4:19 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Tue, 1 Jan 2019 01:02:48 -0800
> Kris Lou via samba <samba at lists.samba.org> wrote:
>
> > What's the recommended method for handling dynamic DNS updates? via
> > Kerberos, DHCP scripts, or both?
> >
> > I'm currently doing both (I think), but Windows 2012R2 clients
> > sometimes complain about not being able to update since it's been
> > done by the DHCP script (and the DNS record is owned by the DHCP
> > user). However, a bigger issue is that I've seen the scripts REMOVE
> > an entry upon update, but not add it back.
> >
> > I'd like to have Clients update their own records, especially since I
> > have some static Windows machines. But I'd also like to have other
> > network devices in DNS (UPS/Printers, etc.). Any tips to make this
> > happen?
> >

DHCP reservations are my friend. Get the MAC address of the devices, load them for particular IP addresses in your local DHCP servers, and publish DNS records to go with them. Devices that are not registered get into a much smaller DHCP pool, which can be audited for unregistered devices and notify our faithful narrator to hunt them down and identify them.

> If you want your clients to update their own records, then let them,
> but be aware that any Unix clients will not even try.

Well, they can try. It takes some configuration and thought to do so reliably and securely.

> Static dns records are just that, static and they usually do not get
> updated, they are also usually outside the dhcp pool.
>
> I do not know what dhcp script you are using, but, if you are using a
> script, you must stop windows clients trying to update their own
> records.
>
> Rowland
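
An added example, not part of any poster's message or of the Samba project: one way to run the audit of the small pool for unregistered devices that Nico describes above. It assumes a lease file in ISC dhcpd syntax (the thread does not name the DHCP server); the pool range, MAC addresses and lease records are constructed samples.

```python
import ipaddress
import re

# Assumptions (not from the thread): ISC dhcpd lease-file syntax, this pool
# range, and these MAC addresses. All values below are constructed samples.
POOL_START = ipaddress.ip_address("192.168.10.240")
POOL_END = ipaddress.ip_address("192.168.10.254")
RESERVED_MACS = {"00:11:22:33:44:55": "printer-2f"}
SAMPLE_LEASES = """\
lease 192.168.10.250 {
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
}
lease 192.168.10.251 {
  binding state active;
  hardware ethernet de:ad:be:ef:00:02;
}
lease 192.168.10.252 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.10.251 {
  binding state free;
  hardware ethernet de:ad:be:ef:00:02;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)

def audit_pool(lease_text):
    """Return (unregistered, misplaced) lists of (ip, mac) for active pool leases."""
    latest = {}
    # The lease file is append-only: the last record for an address is current.
    for ip, body in LEASE_RE.findall(lease_text):
        mac = MAC_RE.search(body)
        state = STATE_RE.search(body)
        latest[ip] = (mac.group(1).lower() if mac else None,
                      state.group(1) if state else "unknown")
    unregistered, misplaced = [], []
    for ip, (mac, state) in sorted(latest.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        if state != "active" or mac is None or not (POOL_START <= addr <= POOL_END):
            continue
        # A reserved MAC holding a pool lease means its reservation did not match.
        (misplaced if mac in RESERVED_MACS else unregistered).append((ip, mac))
    return unregistered, misplaced
```

The first list is the set of devices to hunt down and identify; the second flags registered devices that still landed in the unregistered pool, which usually points at a reservation that needs fixing.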
On Tue, 1 Jan 2019 09:50:45 -0500 Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> > If you want your clients to update their own records, then let them,
> > but be aware that any Unix clients will not even try.
>
> Well, they can try. It takes some configuration and thought to do so
> reliably and securely.

Just how do you configure the dhcp client software to upgrade the dns records in AD?

Rowland
Nico Kadel-Garcia
2019-Jan-01 23:29 UTC
[Samba] Dynamic DNS tips? (Samba 4.8.x + Bind9_DLZ)
On Tue, Jan 1, 2019 at 10:08 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Tue, 1 Jan 2019 09:50:45 -0500
> Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> > > If you want your clients to update their own records, then let them,
> > > but be aware that any Unix clients will not even try.
> >
> > Well, they can try. It takes some configuration and thought to do so
> > reliably and securely.
>
> Just how do you configure the dhcp client software to upgrade the dns
> records in AD ?
>
> Rowland

I can't discuss the most recent time I dealt with this. The time before *that*, I walked my way through Red Hat's notes at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-dyndns .

Doing it through sssd is... well it's overkill. The time before *that*, I got the AD administrator to allow "non-secure DNS updates" that were compatible with the RHEL 5 systems I was dealing with. That wasn't ideal, but I was having enough difficulty negotiating configurations with the AD administrators that I could only achieve so much.