Hi Rowland,
Just as a test, I installed the dhcp server in the DC (in the lab), then
configured the dhcp as per the wiki.
This is what I see. And again the forward zone updates despite the errors but the
reverse doesn't.
When releasing the lease:
Jun 27 10:55:07 server5-ad dhcpd[2525]: Release: IP: 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[1] = delete
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 audit(1561596907.856:94): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:07 server5-ad dhcpd[2525]: DHCPRELEASE of 192.168.14.198 from 00:50:56:9b:37:9b (WIN7VM01) via ens160 (found)
Jun 27 10:55:07 server5-ad dhcpd[2525]: Removed reverse map on 198.14.168.192.in-addr.arpa.
Jun 27 10:55:09 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Jun 27 10:55:09 server5-ad named[1097]: client @0x7efc58052610 192.168.14.198#50682: update 'lin.group/IN' denied
When renewing the lease:
Jun 27 10:55:09 server5-ad dhcpd[2525]: DHCPDISCOVER from 00:50:56:9b:37:9b via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPOFFER on 192.168.14.198 to 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: Client 0:50:56:9b:37:9b requests 1:f:3:6:2c:2e:2f:1f:21:79:f9:2b - MSFT 5.0 - #001
Jun 27 10:55:10 server5-ad dhcpd[2525]: vendor-class-id: MSFT 5.0
Jun 27 10:55:10 server5-ad dhcpd[2525]: dhcp-client-identifier: #001
Jun 27 10:55:10 server5-ad dhcpd[2525]: hardware: 0:50:56:9b:37:9b
Jun 27 10:55:10 server5-ad dhcpd[2525]: 1:0:50:56
Jun 27 10:55:10 server5-ad dhcpd[2525]: Commit: IP: 192.168.14.198 DHCID: 00:50:56:9b:37:9b Name: WIN7VM01
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[1] = add
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[4] = WIN7VM01
Jun 27 10:55:10 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:10 server5-ad kernel: [ 1399.297689] audit: type=1400 audit(1561596910.964:95): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2558 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPREQUEST for 192.168.14.198 (192.168.14.10) from 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPACK on 192.168.14.198 to 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: Added reverse map from 198.14.168.192.in-addr.arpa. to WIN7VM01.lin.group
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Jun 27 10:55:16 server5-ad named[1097]: client @0x7efc580a60e0 192.168.14.198#63157: update 'lin.group/IN' denied
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: cancelling transaction on zone lin.group
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Before that I had removed the reverse zone and added it using:
samba-tool dns zonecreate server5-ad.lin.group 14.168.192.in-addr.arpa -U administrator
I've added the apparmor bits in usr.sbin.dhcp
-rwxr-xr-x 1 root root 4117 Jun 27 10:54 dhcp-dyndns.sh
Regards,
Praveen Ghimire
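
Added example, not part of the original message or of the wiki's script: a Python triage of the log lines above that pairs the hook's exit status with the AppArmor denial for the same path and lists the DNS updates that named refused, by client address. It assumes dhcpd logs the raw wait status, so 32256 decodes to exit code 126; the function names are illustrative.

```python
import re

# Sample input: four log lines from the message above, with the mail wrapping undone.
SAMPLE = """\
Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 audit(1561596907.856:94): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:09 server5-ad named[1097]: client @0x7efc58052610 192.168.14.198#50682: update 'lin.group/IN' denied
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value
EXEC = re.compile(r"dhcpd\[\d+\]: execute: (\S+) exit status (\d+)")
NAMED = re.compile(r"named\[\d+\]: client \S+ ([\d.]+)#\d+: update '([^']+)' denied")

def decode_wait_status(status):
    """Split a raw wait status into (exit_code, signal).
    Assumption: dhcpd prints the value exactly as waitpid() returned it."""
    return (status >> 8) & 0xFF, status & 0x7F

def triage(text):
    """Collect AppArmor denials, hook exit codes and refused DNS updates."""
    out = {"apparmor": [], "hook_exit": [], "dns_denied": []}
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            f = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
            out["apparmor"].append((f["profile"], f["name"], f["denied_mask"]))
        elif (m := EXEC.search(line)):
            code, sig = decode_wait_status(int(m.group(2)))
            out["hook_exit"].append((m.group(1), code, sig))
        elif (m := NAMED.search(line)):
            # (address that sent the update, zone it was refused for)
            out["dns_denied"].append((m.group(1), m.group(2)))
    return out

def blocked_hooks(result):
    """Hooks that exited 126 (found but not runnable) and whose path
    also appears in an AppArmor denial."""
    denied = {name for _, name, _ in result["apparmor"]}
    return [p for p, code, _ in result["hook_exit"] if code == 126 and p in denied]

if __name__ == "__main__":
    r = triage(SAMPLE)
    for key, rows in r.items():
        print(key, rows)
    print("blocked by AppArmor:", blocked_hooks(r))
```
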
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Praveen
Ghimire via samba
Sent: Thursday, 27 June 2019 8:24 AM
To: 'Rowland penny'
Cc: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS
Hi Rowland,
I've gone through it a few times. The situation is different in our case
- The server with DHCP is not the AD DC
- The server doesn't have Samba
- The server is not in the same AD DC domain
- The server is a standalone Ubuntu box with other functionalities
The question I have is why is it failing to update the reverse zone when it
updates the forward zone, despite the errors in the syslog?
Regards,
Praveen Ghimire
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
via samba
Sent: Wednesday, 26 June 2019 10:56 PM
To: sambalist
Subject: Re: [Samba] Reverse DNS
On 26/06/2019 11:32, Praveen Ghimire wrote:
> Hi Rowland,
>
> I have tried putting the whole rev-domain name. The following is the
> dhcpd.conf zone definition
>
> subnet 192.168.14.0 netmask 255.255.255.0 {
> authoritative;
> ddns-update-style standard;
> option netbios-name-servers 192.168.14.10; #14.10 is the AD box
> option netbios-dd-server 192.168.14.10;
> option netbios-node-type 8;
> option domain-name-servers 192.168.14.10;
> ddns-rev-domainname "14.168.192.in-addr.arpa.";
> option broadcast-address 192.168.14.255;
> option routers 192.168.14.254;
> option domain-name "lin.group"; #AD DOMAIN
> ddns-domainname "lin.group";
> ddns-updates on;
> update-optimization off;
> update-static-leases on;
> allow client-updates;
> pool
> {
> .......
> }
>
> I have removed and re-created the reverse zone a few times, selecting
> secure and nosecure, also with and without storing the info in AD. The
> only time I have seen it being populated is when I assign static IPs.
>
Have you read this wiki page:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________