Hi Rowland,

Just as a test, I installed the dhcp server in the DC (in the lab). Then configured the dhcp as per the wiki.

This is what I see. And again the forward zone updates despite the errors but the reverse doesn't.

When releasing the lease

Jun 27 10:55:07 server5-ad dhcpd[2525]: Release: IP: 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[1] = delete
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 audit(1561596907.856:94): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:07 server5-ad dhcpd[2525]: DHCPRELEASE of 192.168.14.198 from 00:50:56:9b:37:9b (WIN7VM01) via ens160 (found)
Jun 27 10:55:07 server5-ad dhcpd[2525]: Removed reverse map on 198.14.168.192.in-addr.arpa.
Jun 27 10:55:09 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Jun 27 10:55:09 server5-ad named[1097]: client @0x7efc58052610 192.168.14.198#50682: update 'lin.group/IN' denied

When renewing the lease

Jun 27 10:55:09 server5-ad dhcpd[2525]: DHCPDISCOVER from 00:50:56:9b:37:9b via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPOFFER on 192.168.14.198 to 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: Client 0:50:56:9b:37:9b requests 1:f:3:6:2c:2e:2f:1f:21:79:f9:2b - MSFT 5.0 - #001
Jun 27 10:55:10 server5-ad dhcpd[2525]: vendor-class-id: MSFT 5.0
Jun 27 10:55:10 server5-ad dhcpd[2525]: dhcp-client-identifier: #001
Jun 27 10:55:10 server5-ad dhcpd[2525]: hardware: 0:50:56:9b:37:9b
Jun 27 10:55:10 server5-ad dhcpd[2525]: 1:0:50:56
Jun 27 10:55:10 server5-ad dhcpd[2525]: Commit: IP: 192.168.14.198 DHCID: 00:50:56:9b:37:9b Name: WIN7VM01
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[1] = add
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute_statement argv[4] = WIN7VM01
Jun 27 10:55:10 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:10 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:10 server5-ad kernel: [ 1399.297689] audit: type=1400 audit(1561596910.964:95): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2558 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPREQUEST for 192.168.14.198 (192.168.14.10) from 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: DHCPACK on 192.168.14.198 to 00:50:56:9b:37:9b (WIN7VM01) via ens160
Jun 27 10:55:10 server5-ad dhcpd[2525]: Added reverse map from 198.14.168.192.in-addr.arpa. to WIN7VM01.lin.group
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Jun 27 10:55:16 server5-ad named[1097]: client @0x7efc580a60e0 192.168.14.198#63157: update 'lin.group/IN' denied
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: cancelling transaction on zone lin.group
Jun 27 10:55:16 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group

Before that I had removed the reverse zone and added it using

samba-tool dns zonecreate server5-ad.lin.group 14.168.192.in-addr.arpa -U administrator

I've added the apparmor bits in usr.sbin.dhcp

-rwxr-xr-x 1 root root 4117 Jun 27 10:54 dhcp-dyndns.sh

Regards,

Praveen Ghimire

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Praveen Ghimire via samba
Sent: Thursday, 27 June 2019 8:24 AM
To: 'Rowland penny'
Cc: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS

Hi Rowland,

I've gone through it a few times. The situation is different in our case

- The server with DHCP is not the AD DC
- The server doesn't have Samba
- The server is not in the same AD DC domain
- The server is a standalone Ubuntu box with other functionalities

The question I have is why is it failing to update the reverse zone when it updates the forward zone, despite the errors in the syslog?

Regards,

Praveen Ghimire

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
Sent: Wednesday, 26 June 2019 10:56 PM
To: sambalist
Subject: Re: [Samba] Reverse DNS

On 26/06/2019 11:32, Praveen Ghimire wrote:
> Hi Rowland,
>
> I have tried putting the whole rev-domain name. The following is the
> dhcpd.conf zone definition
>
> subnet 192.168.14.0 netmask 255.255.255.0 {
>   authoritative;
>   ddns-update-style standard;
>   option netbios-name-servers 192.168.14.10; #14.10 is the AD box
>   option netbios-dd-server 192.168.14.10;
>   option netbios-node-type 8;
>   option domain-name-servers 192.168.14.10;
>   ddns-rev-domainname "14.168.192.in-addr.arpa.";
>   option broadcast-address 192.168.14.255;
>   option routers 192.168.14.254;
>   option domain-name "lin.group"; #AD DOMAIN
>   ddns-domainname "lin.group";
>   ddns-updates on;
>   update-optimization off;
>   update-static-leases on;
>   allow client-updates;
>   pool
>   {
>     .......
>   }
>
> I have removed and re-created the reverse zone a few times, selecting
> secure and nosecure also with and without storing the info in AD. The
> only time I have seen it being populated is when I assign static IPs
>
Have you read this wiki page:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
On 27/06/2019 02:06, Praveen Ghimire wrote:
> Hi Rowland,
>
> Just as a test, I installed the dhcp server in the DC ( in the lab). Then configured the dhcp as per the wiki
>
> This is what I see. And again the forward zone update despite the errors but the reverse doesn't
>
I think you will find that the DHCP server isn't updating anything, it is your clients updating their own records, but they are not set up to update their reverse record (I believe this is the default)

Rowland
Hai,

A few things to add/check.

For that test with that pc: this part from the previous mail.

Jun 27 10:55:07 server5-ad dhcpd[2525]: Release: IP: 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[1] = delete
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied
Jun 27 10:55:07 server5-ad dhcpd[2525]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 32256
Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 audit(1561596907.856:94): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Jun 27 10:55:07 server5-ad dhcpd[2525]: DHCPRELEASE of 192.168.14.198 from 00:50:56:9b:37:9b (WIN7VM01) via ens160 (found)
Jun 27 10:55:07 server5-ad dhcpd[2525]: Removed reverse map on 198.14.168.192.in-addr.arpa.
Jun 27 10:55:09 server5-ad named[1097]: samba_dlz: starting transaction on zone lin.group
Jun 27 10:55:09 server5-ad named[1097]: client @0x7efc58052610 192.168.14.198#50682: update 'lin.group/IN' denied

The AppArmor profile, you added? : /usr/local/bin/dhcp-dyndns.sh r ? Or rx ?
Can you show what you added? And where exactly.

Now can you check the following.
Open the Windows DNS manager, and go to the needed forward zone where WIN7VM01 exists.
Check its rights on that object. Do you see "WIN7VM01$(ADDOM\WIN7VM01$)" with full control?
And do the same for the reverse zone. Do you see on the reverse IP also "WIN7VM01$(ADDOM\WIN7VM01$)" with full control?
If that full control is missing, add it.

Then reboot the pc, wait/login and check again.
Then I also suggest you check the output of ipconfig /all of the Windows client with the dhcp settings.
To make sure this is all correctly set.

As in check if that matches with the needed settings for DDNS updates.

The client will then request that the server update the PTR record by using the FQDN.
The DHCP server is configured to register DNS records according to the client's request, the client registers the following records:
The PTR record.
The A record that uses the name that is a concatenation of the computer name and the primary DNS suffix.
The A record that uses the name that is a concatenation of the computer name and the connection-specific DNS suffix.

And on the client check if this is set correctly.
Then go to Control Panel, double-click Network Connections.
Right-click the connection that you want to configure, and then click Properties.
Click Internet Protocol (TCP/IP), click Properties, and then click Advanced.
Click DNS.
Is "Register this connection's address in DNS" checked?

Greetz,

Louis
What do your

/var/lib/samba/private/named.conf.update.static
/var/lib/samba/private/named.conf.update

look like? The path may vary depending on how you installed Samba.

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Executive Board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
On 27/06/2019 09:54, L.P.H. van Belle via samba wrote:
> Hai,
>
> A few things to add/check.
>
> For that test with that pc: this part from the previous mail.
> Jun 27 10:55:07 server5-ad dhcpd[2525]: Release: IP: 192.168.14.198
> Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[1] = delete
> Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[2] = 192.168.14.198
> Jun 27 10:55:07 server5-ad dhcpd[2525]: execute_statement argv[3] = 00:50:56:9b:37:9b
> Jun 27 10:55:07 server5-ad sh[2525]: /bin/bash: /usr/local/bin/dhcp-dyndns.sh: Permission denied

Here it seems that you are using 'dhcp-dyndns.sh' or rather not using it, did you make the script executable?

Rowland
Hi Guys,

Thank you for your emails. Here is the info

/etc/apparmor.d/local/usr.sbin.dhcp

/etc/dhcp/ r,
/etc/dhcp/** r,
/etc/dhcpd{,6}.conf r,
/etc/dhcpd{,6}_ldap.conf r,
/usr/local/bin/dhcp-dyndns.sh ix,
/bin/grep rix,
/usr/sbin/samba rix,
/usr/bin/gawk rix,
/bin/hostname rix,
/usr/bin/wbinfo rix,
/usr/bin/heimtools rix,
/usr/bin/logger rix,
/usr/bin/kinit.heimdal rix,
/bin/date rix,
/dev/tty wr,
/dev/urandom w,
/proc/** r,
/usr/bin/kinit w,
/run/samba/winbindd/pipe wr,

The /usr/local/bin/dhcp-dyndns.sh is

-rwxr-xr-x 1 root root 4117 Jun 27 10:54 dhcp-dyndns.sh

I don't have the /var/lib/samba/private/named.conf.update.static but have /var/lib/samba/private/named.conf.update, which looks like the following

/* this file is auto-generated - do not edit */
update-policy {
        grant LIN.GROUP ms-self * A AAAA;
        grant Administrator@LIN.GROUP wildcard * A AAAA SRV CNAME;
        grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
};

Please note: the hostname is SERVER5-AD but it is also called SERVER5 as some of the old shares are pointing to SERVER5 (have entries for both in DNS and hosts file)

Louis, the machine has full control over its forward DNS record. However the machine is not domain\machine but just "WIN7VM01$"

The reverse DNS doesn't exist so I manually added one using

samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198 PTR WIN7VM01.lin.group.

It creates the record but the machine has no access.

The thing to note here is that if I add an A record using the DNS manager and select the option to create the associated pointer record, it only creates the forward one. I am logged into the machine with RSAT using the domain administrator account

Back to the reverse one. I set up the ADDOM\WIN7VM01$ with full permission in the rev record I just created.

After the reboot the forward DNS record now shows permissions for ADDOM\WIN7VM01$ instead of just WIN7VM01$

Is "Register this connection's address in DNS" checked?
It is ticked

In ipconfig /all, the details look correct. The DNS suffix is pointing to the domain. It has the correct DHCP and DNS details

I still see the permission denied error about the dhcp-dyndns.sh and also

client @0x7efc5809bfd0 192.168.14.198#51947: update 'lin.group/IN' denied

As you can gather I am in a completely different timezone (AUS) from you, so it might be a while before I can respond to emails. Hence I am providing as much info as I can while I can.

Regards,

Praveen
Hai Praveen,

> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Thursday, 27 June 2019 13:46
> To: samba at lists.samba.org
> CC: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
>
> Hi Guys,
>
> Thank you for your emails. Here is the info
>
> /etc/apparmor.d/local/usr.sbin.dhcp
>
> /etc/dhcp/ r,
> /etc/dhcp/** r,
> /etc/dhcpd{,6}.conf r,
> /etc/dhcpd{,6}_ldap.conf r,
> /usr/local/bin/dhcp-dyndns.sh ix,

Try
/usr/local/bin/dhcp-dyndns.sh rix,

> /bin/grep rix,
> /usr/sbin/samba rix,
> /usr/bin/gawk rix,
> /bin/hostname rix,
> /usr/bin/wbinfo rix,
> /usr/bin/heimtools rix,
> /usr/bin/logger rix,
> /usr/bin/kinit.heimdal rix,
> /bin/date rix,
> /dev/tty wr,
> /dev/urandom w,

^^ change that to wr

> /proc/** r,
> /usr/bin/kinit w,
> /run/samba/winbindd/pipe wr,
>
> The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x 1 root root
> 4117 Jun 27 10:54 dhcp-dyndns.sh
>
> I don't have the
> /var/lib/samba/private/named.conf.update.static but have
> /var/lib/samba/private/named.conf.update, which looks like
> the following
>
> /* this file is auto-generated - do not edit */
> update-policy {
>         grant LIN.GROUP ms-self * A AAAA;
>         grant Administrator@LIN.GROUP wildcard * A AAAA SRV CNAME;
>         grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
> };

This part, grant SERVER5$@LIN.group
So that would mean your hostname is SERVER5

>
> Please note: the hostname is SERVER5-AD but it is also called
> SERVER5 as some of the old shares are pointing to
> SERVER5(have entries for both in DNS and hosts file)

No No..
A computer (ip) has only ONE hostname (as in host.dom.tld) as in A and PTR record.
For example there can only be ONE ptr record for an IP, the matching A is the REAL hostname.
All others are aliases and should be CNAMES in the DNS.

Now, your resolving is failing / not correctly set up.
That's a point to fix and this is the primary thing you should look at first.

>
> Louis, the machine has full control over it's forward DNS
> record . However the machine is not domain\machine but just
> "WIN7VM01$"

That's fine also, as long as the computer has full access it's ok.

>
> The reverse DNS doesn't exist so I manually added one using
> samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198
> PTR WIN7VM01.lin.group. It creates the record but the machine
> has no access.

That's because you created it, not the computer.

> The thing to note is here is if I add an A record using the
> DNS manager and select the option to create the associated
> pointer record, it only creates the forward one. I am logged
> into the machine with RSAT using the domain administrator account

Yes, that's known with RSAT, create the PTR manually in that case.

>
> Back to the reverse one. I setup the ADDOM\WIN7VM01$ with
> full permission in the rev record I just created.
>
> After the reboot the forward DNS record now shows permissions
> for ADDOM\WIN7VM01$ instead of just WIN7VM01$
> Is "Register this connection's address in DNS " checked? It is ticked

Good.

>
> In ipconfig /all , the details looks correct. The DNS suffix
> is pointing to the domain. It has the correct DHCP and DNS details
>
> I still see the permission denied error about the
> dhcp-dyndns.sh and also client @0x7efc5809bfd0
> 192.168.14.198#51947: update 'lin.group/IN' denied

This is correct, that's attempt one, the second should be with bind_dlz and succeed.

>
> As you can gather I am in completely different timezone (AUS)
> as you, so it might be a while before I can respond to
> emails. Hence I am providing as much info as I can while I can.

No problems, we all need to sleep sometime. ;-)

>
> Regards,
>
> Praveen

Greetz,

Louis
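
Added example (not part of the thread, and not code from the Samba wiki): a small Python check that reads the AppArmor denial quoted in this thread and compares its denied_mask with the local profile rule for the same path, showing why `ix` alone leaves the script unreadable to bash while the suggested `rix` covers it. The rule parser handles literal paths only, and reading dhcpd's "exit status 32256" as a raw wait() status is an assumption.

```python
import re

# Constructed from the kernel audit record quoted in the thread.
AUDIT_LINE = (
    'Jun 27 10:55:07 server5-ad kernel: [ 1396.188371] audit: type=1400 '
    'audit(1561596907.856:94): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/dhcpd" name="/usr/local/bin/dhcp-dyndns.sh" '
    'pid=2557 comm="dhcp-dyndns.sh" requested_mask="r" denied_mask="r" '
    'fsuid=112 ouid=0'
)

# Two rules from the posted local profile, and the same rules after the
# changes suggested in the reply (ix -> rix, w -> wr).
PROFILE_POSTED = """
/usr/local/bin/dhcp-dyndns.sh ix,
/dev/urandom w,
"""
PROFILE_SUGGESTED = """
/usr/local/bin/dhcp-dyndns.sh rix,
/dev/urandom wr,
"""


def parse_denial(line):
    """Return the key="value" fields of an AppArmor DENIED record, else None."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields if fields.get("apparmor") == "DENIED" else None


def parse_rules(profile_text):
    """Map each literal path to its permission letters.

    Assumption: one 'path perms,' rule per line; globs and {a,b}
    alternations are stored verbatim and never matched.
    """
    rules = {}
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        parts = line.rsplit(None, 1)
        if len(parts) == 2:
            rules[parts[0]] = parts[1]
    return rules


def missing_access(denial, rules):
    """Letters in denied_mask that the rule for the denied path does not grant."""
    granted = rules.get(denial["name"], "")
    return "".join(c for c in denial["denied_mask"] if c not in granted)


def exit_code(wait_status):
    """Decode a raw wait() status into the child's exit code.

    Assumption: the 'exit status' dhcpd logs is the undecoded status.
    """
    return (wait_status >> 8) & 0xFF


if __name__ == "__main__":
    denial = parse_denial(AUDIT_LINE)
    for label, text in (("posted", PROFILE_POSTED), ("suggested", PROFILE_SUGGESTED)):
        gap = missing_access(denial, parse_rules(text))
        verdict = "missing '%s'" % gap if gap else "covered"
        print("%-9s profile, %s: %s" % (label, denial["name"], verdict))
    # 126 is bash's status for a script it found but could not run.
    print("exit status 32256 decodes to exit code", exit_code(32256))
```

The `ix` rule lets dhcpd start the script under its own profile, but bash then has to open the file for reading, which is the `operation="open"` with `requested_mask="r"` in the audit record.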