Rowland Penny
2019-Mar-18 13:28 UTC
[Samba] How to automatically store the macAddress in AD
On Mon, 18 Mar 2019 09:16:01 +0100
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi Pierre,
>
> > Does someone know a way to automatically store the hwaddress in the
> > AD? I'm using Veyon in my school to manage the students' PCs and if
> > the hwaddress is populated in the AD, the Room configuration can be
> > set with AD, otherwise I have to manage rooms manually.
> > I'm using samba4 with bind, and isc-dhcp-server is on the same
> > server. Can we use scripts or some other way?
>
> There is nothing to do that directly integrated in Samba-AD. If you
> have WAPT installed on your network, you should check the following
> thread on the WAPT mailing list; the exact same topic on configuring
> Veyon and macAddress was covered with a simple solution (as long as
> you have WAPT installed):
> https://lists.tranquil.it/pipermail/wapt/2019-January/003034.html
>
> Cheers,
>
> Denis

Hi Denis,

The only problem with your method is that it will only work for Windows clients; having said that, if you only have Windows clients, then it isn't a problem ;-)

If you are using Bind9 and updating DNS via the script found here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

you can extend it to do the same thing, and this will update all domain members, Linux and Windows.

All you need to do is replace the last line 'exit ${result}' with this:

Hostname=$(hostname -s)

# For this to work, you must add 'dhcpduser' to the 'Domain Admins' group
# First look for a computer object that already carries the 'ieee802Device'
# objectclass (the class that carries the 'macAddress' attribute).
Computer_Object=$(ldbsearch -k yes -H ldap://"$Hostname" "(&(objectclass=computer)(objectclass=ieee802Device)(cn=$name))" | grep -v '#' | grep -v 'ref:')
if [ -z "$Computer_Object" ]; then
    # Computer object not found with the 'ieee802Device' objectclass,
    # does the computer actually exist, it should if it is joined to the domain.
    Computer_Object=$(ldbsearch -k yes -H ldap://"$Hostname" "(&(objectclass=computer)(cn=$name))" | grep -v '#' | grep -v 'ref:')
    if [ -z "$Computer_Object" ]; then
        logger "Computer '$name' not found. Exiting."
        result="${result}68"
        exit "${result}"
    else
        DN=$(echo "$Computer_Object" | grep 'dn:')
        # LDIF continuation lines must start in column 0, so these are not indented.
        objldif="$DN
changetype: modify
add: objectclass
objectclass: ieee802Device"

        attrldif="$DN
changetype: modify
add: macAddress
macAddress: $DHCID"

        # add the ldif
        echo "$objldif" | ldbmodify -k yes -H ldap://"$Hostname"
        ret="$?"
        if [ "$ret" -ne 0 ]; then
            logger "Error modifying Computer objectclass $name in AD."
            result="${result}${ret}"
            exit "${result}"
        fi
        sleep 2
        echo "$attrldif" | ldbmodify -k yes -H ldap://"$Hostname"
        ret="$?"
        if [ "$ret" -ne 0 ]; then
            logger "Error modifying Computer attribute $name in AD."
            result="${result}${ret}"
            exit "${result}"
        fi
        unset objldif
        unset attrldif
        logger "Successfully modified Computer $name in AD"
    fi
else
    # The object already has the class, so just replace the attribute value.
    DN=$(echo "$Computer_Object" | grep 'dn:')
    attrldif="$DN
changetype: modify
replace: macAddress
macAddress: $DHCID"

    echo "$attrldif" | ldbmodify -k yes -H ldap://"$Hostname"
    ret="$?"
    if [ "$ret" -ne 0 ]; then
        logger "Error modifying Computer attribute $name in AD."
        result="${result}${ret}"
        exit "${result}"
    fi
    unset attrldif
    logger "Successfully modified Computer $name in AD"
    result="${result}0"
fi

exit ${result}

Add 'dhcpduser' to the 'Domain Admins' group and it should just work.

There are a couple of 'gotchas': it will (obviously) only work for clients that get their IP via DHCP, and then only if they are joined to the domain.

Finally, somebody should tell Veyon that their documentation is wrong; there is a standard AD attribute to store a MAC address in.

Rowland
Pierre, BRIEC
2019-Mar-20 13:40 UTC
[Samba] How to automatically store the macAddress in AD
Thanks Rowland for your modification.

The process is working fine, as the information is added, but it is wrong. Example:

Mar 20 14:21:12 yoda2 named[382]: samba_dlz: committed transaction on zone stetherese.lan
Mar 20 14:21:12 yoda2 root: DHCP-DNS Update failed: 01
Mar 20 14:21:14 yoda2 root: Successfully modified Computer STHE-C-PROFS06 in AD
Mar 20 14:21:14 yoda2 dhcpd[6961]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2560
Mar 20 14:21:14 yoda2 dhcpd[6961]: reuse_lease: lease age 7 (secs) under 25% threshold, reply with unaltered, existing lease for 172.16.7.16
Mar 20 14:21:14 yoda2 dhcpd[6961]: DHCPREQUEST for 172.16.7.16 from 90:1b:0e:bb:12:8a (STHE-C-PROFS06) via eth0
Mar 20 14:21:14 yoda2 dhcpd[6961]: DHCPACK on 172.16.7.16 to 90:1b:0e:bb:12:8a (STHE-C-PROFS06) via eth0
Mar 20 14:21:14 yoda2 dhcpd[6961]: Commit: IP: 172.16.7.16 DHCID: 1:90:1b:e:bb:12:8a Name: STHE-C-PROFS06
Mar 20 14:21:14 yoda2 dhcpd[6961]: execute_statement argv[0] /usr/local/bin/dhcp-dyndns.sh
Mar 20 14:21:14 yoda2 dhcpd[6961]: execute_statement argv[1] = add
Mar 20 14:21:14 yoda2 dhcpd[6961]: execute_statement argv[2] = 172.16.7.16
Mar 20 14:21:14 yoda2 dhcpd[6961]: execute_statement argv[3] 1:90:1b:e:bb:12:8a
Mar 20 14:21:14 yoda2 dhcpd[6961]: execute_statement argv[4] STHE-C-PROFS06
Mar 20 14:21:14 yoda2 named[382]: samba_dlz: starting transaction on zone stetherese.lan

The MAC address from the DHCPREQUEST is 90:1b:0e:bb:12:8a and the MAC address in AD is 1:90:1b:e:bb:12:8a (have you noticed the missing 0, and that "1:" is added at the beginning?).

Another example:

Mar 20 14:33:09 yoda2 dhcpd[6961]: Commit: IP: 172.16.7.194 DHCID: 1:c8:1f:66:b0:cb:c9 Name: STHE-C-MULTI29
Mar 20 14:33:09 yoda2 dhcpd[6961]: execute_statement argv[0] /usr/local/bin/dhcp-dyndns.sh
Mar 20 14:33:09 yoda2 dhcpd[6961]: execute_statement argv[1] = add
Mar 20 14:33:09 yoda2 dhcpd[6961]: execute_statement argv[2] = 172.16.7.194
Mar 20 14:33:09 yoda2 dhcpd[6961]: execute_statement argv[3] 1:c8:1f:66:b0:cb:c9
Mar 20 14:33:09 yoda2 dhcpd[6961]: execute_statement argv[4] STHE-C-MULTI29
Mar 20 14:33:10 yoda2 named[382]: samba_dlz: starting transaction on zone stetherese.lan
Mar 20 14:33:10 yoda2 named[382]: samba_dlz: allowing update of signer=dhcpduser\@STETHERESE.LAN name=STHE-C-MULTI29.stetherese.lan tcpaddr=127.0.0.1 type=A key=1688105298.sig-yoda2.stetherese.lan/160/0
Mar 20 14:33:10 yoda2 named[382]: samba_dlz: allowing update of signer=dhcpduser\@STETHERESE.LAN name=STHE-C-MULTI29.stetherese.lan tcpaddr=127.0.0.1 type=A key=1688105298.sig-yoda2.stetherese.lan/160/0
Mar 20 14:33:10 yoda2 named[382]: client 127.0.0.1#45293/key dhcpduser\@STETHERESE.LAN: updating zone 'stetherese.lan/NONE': deleting rrset at 'STHE-C-MULTI29.stetherese.lan' A
Mar 20 14:33:10 yoda2 named[382]: samba_dlz: subtracted rdataset STHE-C-MULTI29.stetherese.lan 'STHE-C-MULTI29.stetherese.lan.#0113600#011IN#011A#011172.16.7.194'
Mar 20 14:33:10 yoda2 named[382]: client 127.0.0.1#45293/key dhcpduser\@STETHERESE.LAN: updating zone 'stetherese.lan/NONE': adding an RR at 'STHE-C-MULTI29.stetherese.lan' A 172.16.7.194
Mar 20 14:33:10 yoda2 named[382]: samba_dlz: added rdataset STHE-C-MULTI29.stetherese.lan 'STHE-C-MULTI29.stetherese.lan.#0113600#011IN#011A#011172.16.7.194'
Mar 20 14:33:10 yoda2 named[382]: samba_dlz: committed transaction on zone stetherese.lan
Mar 20 14:33:10 yoda2 root: DHCP-DNS Update failed: 01
Mar 20 14:33:11 yoda2 root: Successfully modified Computer STHE-C-MULTI29 in AD
Mar 20 14:33:11 yoda2 dhcpd[6961]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2560
Mar 20 14:33:11 yoda2 dhcpd[6961]: reuse_lease: lease age 840 (secs) under 25% threshold, reply with unaltered, existing lease for 172.16.7.194
Mar 20 14:33:11 yoda2 dhcpd[6961]: DHCPREQUEST for 172.16.7.194 from c8:1f:66:b0:cb:c9 (STHE-C-MULTI29) via eth0
Mar 20 14:33:11 yoda2 dhcpd[6961]: DHCPACK on 172.16.7.194 to c8:1f:66:b0:cb:c9 (STHE-C-MULTI29) via eth0
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: starting transaction on zone stetherese.lan
Mar 20 14:33:11 yoda2 named[382]: client 172.16.7.194#54309: update 'stetherese.lan/IN' denied
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: cancelling transaction on zone stetherese.lan
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: starting transaction on zone stetherese.lan
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: allowing update of signer=STHE-C-MULTI29\$\@STETHERESE.LAN name=STHE-C-MULTI29.stetherese.lan tcpaddr= type=AAAA key=1660-ms-7.2-d541c.c764b981-4b12-11e9-c8a4-28b2bd47a60c/160/0
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: allowing update of signer=STHE-C-MULTI29\$\@STETHERESE.LAN name=STHE-C-MULTI29.stetherese.lan tcpaddr= type=A key=1660-ms-7.2-d541c.c764b981-4b12-11e9-c8a4-28b2bd47a60c/160/0
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: allowing update of signer=STHE-C-MULTI29\$\@STETHERESE.LAN name=STHE-C-MULTI29.stetherese.lan tcpaddr= type=A key=1660-ms-7.2-d541c.c764b981-4b12-11e9-c8a4-28b2bd47a60c/160/0
Mar 20 14:33:11 yoda2 named[382]: client 172.16.7.194#57206/key STHE-C-MULTI29\$\@STETHERESE.LAN: updating zone 'stetherese.lan/NONE': deleting rrset at 'STHE-C-MULTI29.stetherese.lan' AAAA
Mar 20 14:33:11 yoda2 named[382]: client 172.16.7.194#57206/key STHE-C-MULTI29\$\@STETHERESE.LAN: updating zone 'stetherese.lan/NONE': deleting rrset at 'STHE-C-MULTI29.stetherese.lan' A
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: subtracted rdataset STHE-C-MULTI29.stetherese.lan 'STHE-C-MULTI29.stetherese.lan.#0113600#011IN#011A#011172.16.7.194'
Mar 20 14:33:11 yoda2 named[382]: client 172.16.7.194#57206/key STHE-C-MULTI29\$\@STETHERESE.LAN: updating zone 'stetherese.lan/NONE': adding an RR at 'STHE-C-MULTI29.stetherese.lan' A 172.16.7.194
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: added rdataset STHE-C-MULTI29.stetherese.lan 'STHE-C-MULTI29.stetherese.lan.#0111200#011IN#011A#011172.16.7.194'
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: subtracted rdataset stetherese.lan 'stetherese.lan.#0113600#011IN#011SOA#011yoda2.stetherese.lan. hostmaster.stetherese.lan. 28821 900 600 86400 3600 '
Mar 20 14:33:11 yoda2 named[382]: samba_dlz: added rdataset stetherese.lan 'stetherese.lan.#0113600#011IN#011SOA#011yoda2.stetherese.lan. hostmaster.stetherese.lan. 28822 900 600 86400 3600'
Mar 20 14:33:12 yoda2 named[382]: samba_dlz: committed transaction on zone stetherese.lan

Is it the same for you?

Thanks,
Pierre

On Mon, 18 Mar 2019 at 14:29, Rowland Penny via samba <samba at lists.samba.org> wrote:

> [...]
Rowland Penny
2019-Mar-20 14:27 UTC
[Samba] How to automatically store the macAddress in AD
On Wed, 20 Mar 2019 14:40:22 +0100
"Pierre, BRIEC via samba" <samba at lists.samba.org> wrote:

> Thanks Rowland for your modification.
>
> The process is working fine as the information is added but is wrong
>
> the macaddress from DHCPREQUEST is 90:1b:0e:bb:12:8a
> and the macaddress in AD is: 1:90:1b:e:bb:12:8a (have you noticed the
> missing 0 and 1: is added at the beginning)

No I hadn't, but I don't think it has anything to do with the script, I think DHCP is sending the wrong data:

Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2 Name: devstation

But the request shows this:

DHCPREQUEST for 192.168.0.88 from ec:08:6b:0c:cb:c2 (devstation) via eth0

1:ec:8:6b:c:cb:c2 != ec:08:6b:0c:cb:c2

Let me look into this, I could be some time ;-)

It doesn't really matter for the script's original purpose, but it does for your purpose.

Rowland
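The value dhcpd hands the script as $DHCID and the MAC in the DHCPREQUEST line differ in a consistent way in all three pairs shown in this thread (Pierre's two hosts and Rowland's devstation): an extra leading "1:" and hex octets printed without zero padding. The script in Rowland's first message writes $DHCID to macAddress unchanged, so that is what ends up in AD. The following is an added example, written for this edit and not code from the thread, from the Samba wiki script or from isc-dhcpd. It assumes (the thread does not say so) that the leading "1" is the ARP hardware-type field for Ethernet and that the remaining fields are the six hardware octets without padding. The function names are mine, and the sample log excerpt is constructed from the values posted in the thread (the devstation lines are given a made-up timestamp and host). normalize_dhcid converts the DHCID form into the canonical MAC form, which is what you would want to run on $DHCID before the "macAddress: $DHCID" line; check_lease_log walks a dhcpd log and reports, per host, whether the stored value already matches the leased MAC, would match once normalised, or is a genuine mismatch.

```sh
#!/bin/sh
# Added example (not from the thread): normalise the DHCID value that
# isc-dhcpd passes to dhcp-dyndns.sh, e.g. "1:ec:8:6b:c:cb:c2", into the
# MAC form seen in DHCPREQUEST lines, "ec:08:6b:0c:cb:c2", and audit a
# dhcpd log for hosts whose stored value would differ from the leased MAC.
# Assumption: the leading "1" is the ARP hardware type for Ethernet and
# the remaining fields are unpadded hex octets.

# normalize_dhcid VALUE
# Prints the lower-case, zero-padded, colon-separated MAC, or prints
# nothing and returns 1 if VALUE is not six hex octets (optionally
# preceded by the hardware-type field "1").
normalize_dhcid() {
    lower=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Reject anything that is not hex digits and colons before splitting.
    case "$lower" in
        ''|*[!0-9a-f:]*) return 1 ;;
    esac
    set -- $(printf '%s' "$lower" | tr ':' ' ')
    if [ "$#" -eq 7 ] && [ "$1" = "1" ]; then
        shift   # drop the Ethernet hardware-type field
    fi
    [ "$#" -eq 6 ] || return 1
    out=""
    for octet in "$@"; do
        case "$octet" in
            [0-9a-f])         octet="0$octet" ;;   # pad "e" to "0e"
            [0-9a-f][0-9a-f]) ;;
            *)                return 1 ;;
        esac
        out="${out}${out:+:}${octet}"
    done
    printf '%s\n' "$out"
}

# classify_dhcid DHCID REQUEST_MAC
# Prints: canonical (stored value already equals the MAC), fixable
# (equal once normalised) or mismatch (different or unparsable hardware).
classify_dhcid() {
    if [ "$1" = "$2" ]; then
        echo canonical
        return 0
    fi
    a=$(normalize_dhcid "$1") || a=""
    b=$(normalize_dhcid "$2") || b=""
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo fixable
    else
        echo mismatch
    fi
}

# check_lease_log < LOGFILE
# For every host named in a "Commit: ... DHCID: X Name: H" line, finds the
# latest "DHCPREQUEST ... from M (H)" line and prints "H <class> X M".
# Returns 1 if any host is a real mismatch, 0 otherwise.
check_lease_log() {
    log=$(cat)
    rc=0
    for host in $(printf '%s\n' "$log" \
            | sed -n 's/.*Commit: IP: [^ ]* DHCID: [^ ]* Name: \([^ ]*\).*/\1/p' | sort -u); do
        dhcid=$(printf '%s\n' "$log" \
            | sed -n "s/.*Commit: IP: [^ ]* DHCID: \([^ ]*\) Name: $host\$/\1/p" | tail -n 1)
        mac=$(printf '%s\n' "$log" \
            | sed -n "s/.*DHCPREQUEST for [^ ]* from \([^ ]*\) ($host) via.*/\1/p" | tail -n 1)
        class=$(classify_dhcid "$dhcid" "${mac:-none}")
        printf '%s %s %s %s\n' "$host" "$class" "$dhcid" "${mac:-none}"
        if [ "$class" = mismatch ]; then
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the Commit/DHCPREQUEST pairs posted in the thread.
# The devstation timestamp and syslog host are made up.
SAMPLE_LOG='Mar 20 14:21:14 yoda2 dhcpd[6961]: Commit: IP: 172.16.7.16 DHCID: 1:90:1b:e:bb:12:8a Name: STHE-C-PROFS06
Mar 20 14:21:14 yoda2 dhcpd[6961]: DHCPREQUEST for 172.16.7.16 from 90:1b:0e:bb:12:8a (STHE-C-PROFS06) via eth0
Mar 20 14:33:09 yoda2 dhcpd[6961]: Commit: IP: 172.16.7.194 DHCID: 1:c8:1f:66:b0:cb:c9 Name: STHE-C-MULTI29
Mar 20 14:33:11 yoda2 dhcpd[6961]: DHCPREQUEST for 172.16.7.194 from c8:1f:66:b0:cb:c9 (STHE-C-MULTI29) via eth0
Mar 20 15:00:00 dc1 dhcpd[6961]: Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2 Name: devstation
Mar 20 15:00:00 dc1 dhcpd[6961]: DHCPREQUEST for 192.168.0.88 from ec:08:6b:0c:cb:c2 (devstation) via eth0'

# Demo: all three hosts in the sample are "fixable", i.e. the stored value
# is wrong only in its formatting.
printf '%s\n' "$SAMPLE_LOG" | check_lease_log
```

Run it as `sh check_dhcid.sh` (or feed a real dhcpd log with `check_lease_log < /var/log/syslog` after sourcing the file). The normalisation is deliberately strict: a value that is not six hex octets after the optional type field is rejected rather than partially written, since a half-parsed string in macAddress is worse than no value for anything that keys rooms or inventory off that attribute.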