Hi Rowland,

I don't want to run an AD DC on a firewall device, barely DHCP and maybe DNS.

What you have pointed me to is similar to what I have in place:

https://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

and which is working fine.

NOW I want to switch DHCP from isc-dhcp-server 4.2.2 on Debian to DHCP on the pfSense firewall (based on FreeBSD 11.2), which reports as below:

    pkg info | grep dhcp
    dhcp6-20080615.2               KAME DHCP6 client, server, and relay
    dhcpleases-0.3_1               read dhpcd.lease file and add it to hosts file
    dhcpleases6-0.1_2              read dhpcd6.leases file and trigger command on modification
    isc-dhcp43-client-4.3.6P1      The ISC Dynamic Host Configuration Protocol client
    isc-dhcp43-relay-4.3.6P1_1     The ISC Dynamic Host Configuration Protocol relay
    isc-dhcp43-server-4.3.6P1_1    ISC Dynamic Host Configuration Protocol server

I've set it up and everything is working fine apart from DDNS integration.

The pfSense web GUI is limiting my config choices to the following:

    Dynamic DNS
    Enable:                 Check the box to enable registration of DHCP client names in DNS
                            using an external (non-pfSense) DNS server.
    DDNS Domain:            The domain name used for registering clients in DNS
    Primary DDNS Address:   The DNS server used for registering clients in DNS
    DNS Domain Key:         The encryption key used for DNS registration
    DNS Domain Key Secret:  The secret for the key used for DNS registration

Does it mean it's not going to work, as it doesn't involve Kerberos authentication?

Personally I would be happy with dynamic DNS updates being controlled by DHCP, secured with a shared secret only.

Regards,
Adam

On 20/06/19 12:33, Rowland penny via samba wrote:
> You might want to read this:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> Though why you want to run an AD DC on firewall device, beats me.
>
> Rowland
On 20/06/2019 12:55, Adam Weremczuk wrote:
> Hi Rowland,
>
> I don't want to run an AD DC on a firewall device, barely DHCP and
> maybe DNS.
>
> What you have pointed me to is similar to what I have in place:
>
> https://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

It would be, I based my script on the same webpage info.

> and which is working fine.
>
> NOW I want to switch DHCP from isc-dhcp-server 4.2.2 on Debian to DHCP
> on the pfSense firewall (based on FreeBSD 11.2), which reports as below:
>
>     pkg info | grep dhcp
>     dhcp6-20080615.2               KAME DHCP6 client, server, and relay
>     dhcpleases-0.3_1               read dhpcd.lease file and add it to hosts file
>     dhcpleases6-0.1_2              read dhpcd6.leases file and trigger command on modification
>     isc-dhcp43-client-4.3.6P1      The ISC Dynamic Host Configuration Protocol client
>     isc-dhcp43-relay-4.3.6P1_1     The ISC Dynamic Host Configuration Protocol relay
>     isc-dhcp43-server-4.3.6P1_1    ISC Dynamic Host Configuration Protocol server
>
> I've set it up and everything is working fine apart from DDNS
> integration.

That is what made me think 'AD DC'.

> The pfSense web GUI is limiting my config choices to the following:
>
>     Dynamic DNS
>     Enable:                 Check the box to enable registration of DHCP client names in DNS
>                             using an external (non-pfSense) DNS server.
>     DDNS Domain:            The domain name used for registering clients in DNS
>     Primary DDNS Address:   The DNS server used for registering clients in DNS
>     DNS Domain Key:         The encryption key used for DNS registration
>     DNS Domain Key Secret:  The secret for the key used for DNS registration
>
> Does it mean it's not going to work, as it doesn't involve Kerberos
> authentication?

The problem is that Windows machines can update their own records in AD, but you need a separate user to update other users. This leads to the obvious question: do you have any Unix clients, or are they all Windows clients?
You only need an update script if you have any Unix DHCP clients. The only way that I could get it to work is shown in the script I pointed you to, by using Kerberos.

Rowland
That's helpful. About half of our DHCP clients are Unixes.

Maybe I'll find a way to make pfSense perform a Kerberos handshake with Samba for the sake of updating DNS. If not, I'll just install isc-dhcp-server on the Debian container running Samba AD.

On 20/06/19 13:25, Rowland penny via samba wrote:
> The problem is that Windows machines can update their own records in
> AD, but you need a separate user to update other users. This leads to
> the obvious question: do you have any Unix clients, or are they all
> Windows clients? You only need an update script if you have any Unix
> DHCP clients.
>
> The only way that I could get it to work is shown in the script I
> pointed you to, by using Kerberos.
>
> Rowland
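The point Rowland makes above is that the pfSense GUI only lets you hand dhcpd a TSIG key name and secret, while the updates Samba AD DNS accepts for records the client itself does not own have to be signed with GSS-TSIG, i.e. with a Kerberos ticket. The script below is an added example (written for this page, not the wiki script Rowland links nor anything from the thread or the Samba project) of the shape such a hook takes: isc-dhcpd's `on commit`/`on release`/`on expiry` events call it with an action, the leased address and the client name; it obtains a ticket from a keytab and pipes an A/PTR update into `nsupdate -g`. The realm `SAMDOM.EXAMPLE.COM`, the DC `dc1.samdom.example.com`, the account `dhcpduser`, the keytab path and the script path are all hypothetical; it needs the Kerberos client tools and `nsupdate` on the host that runs dhcpd.

```shell
#!/bin/sh
# Added example: GSS-TSIG (Kerberos-signed) DDNS hook for isc-dhcpd.
# All names below are assumptions for illustration, not real infrastructure.
#
# dhcpd.conf side (hypothetical; isc-dhcpd "execute" statement):
#   on commit {
#     set ClientIP   = binary-to-ascii(10, 8, ".", leased-address);
#     set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, "");
#     execute("/usr/local/sbin/dhcp-gss-ddns.sh", "add", ClientIP, ClientName);
#   }
#   on release { ...same two "set" lines...; execute("/usr/local/sbin/dhcp-gss-ddns.sh", "delete", ClientIP, ClientName); }
#   on expiry  { ...same two "set" lines...; execute("/usr/local/sbin/dhcp-gss-ddns.sh", "delete", ClientIP, ClientName); }

REALM="SAMDOM.EXAMPLE.COM"            # assumed AD realm
DOMAIN="samdom.example.com"           # assumed forward zone
DNS_SERVER="dc1.samdom.example.com"   # assumed DC hosting the zone
KEYTAB="/etc/dhcpduser.keytab"        # assumed keytab for the update account
PRINCIPAL="dhcpduser@$REALM"          # assumed dedicated AD account with rights on the zone
TTL=3600

# Reverse (in-addr.arpa) owner name for a dotted-quad IPv4 address.
ptr_name() {
    set -- $(printf '%s' "$1" | tr . ' ')
    printf '%s.%s.%s.%s.in-addr.arpa' "$4" "$3" "$2" "$1"
}

# The DHCP host-name option is attacker-controlled input that ends up in a
# privileged zone update: accept only a plain DNS label (RFC 1123 hostname
# characters, no leading/trailing hyphen, at most 63 octets).
valid_label() {
    case "$1" in
        '' | *[!A-Za-z0-9-]* | -* | *- ) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# Print the nsupdate script for "add" or "delete" of NAME at IP.
build_update() {
    action=$1; ip=$2; name=$3
    fqdn="$name.$DOMAIN"
    rev=$(ptr_name "$ip")
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$action" = add ]; then
        # A re-used lease must replace stale A/PTR data, not accumulate it.
        printf 'update delete %s A\n' "$fqdn"
        printf 'update delete %s PTR\n' "$rev"
        printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
        printf 'update add %s %s PTR %s.\n' "$rev" "$TTL" "$fqdn"
    else
        # Remove only the pair this lease created, so an expired lease cannot
        # delete a record that now points at a different address.
        printf 'update delete %s A %s\n' "$fqdn" "$ip"
        printf 'update delete %s PTR %s.\n' "$rev" "$fqdn"
    fi
    printf 'send\n'
}

# Get a ticket from the keytab and send the update signed with GSS-TSIG
# (nsupdate -g). The exit status is returned so dhcpd logs failures.
ddns_update() {
    action=$1; ip=$2; name=$3
    case "$action" in add|delete) ;; *) echo "ddns: bad action '$action'" >&2; return 2 ;; esac
    valid_label "$name" || { echo "ddns: refusing hostname '$name' for $ip" >&2; return 2; }
    KRB5CCNAME="/tmp/dhcp-ddns.cc"; export KRB5CCNAME   # private cache, not the root user's
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    build_update "$action" "$ip" "$name" | nsupdate -g
}

# Act only when invoked as a hook with three arguments.
if [ $# -eq 3 ]; then
    ddns_update "$1" "$2" "$3"
fi
```

The shared-secret TSIG fields in the pfSense GUI would still be the right tool against a BIND zone that accepts a TSIG key; against Samba AD DNS it is the `-g` on `nsupdate`, backed by a keytab for an account that has been granted write access to the zone, that makes the update authenticate. Note that the hook runs as the dhcpd user, so the keytab needs to be readable only by that user.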