Hai Praveen,

> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Thursday 27 June 2019 13:46
> To: samba at lists.samba.org
> CC: 'L.P.H. van Belle'
> Subject: RE: [Samba] Reverse DNS
>
> Hi Guys,
>
> Thank you for your emails. Here is the info
>
> /etc/apparmor.d/local/usr.sbin.dhcp
>
> /etc/dhcp/ r,
> /etc/dhcp/** r,
> /etc/dhcpd{,6}.conf r,
> /etc/dhcpd{,6}_ldap.conf r,
> /usr/local/bin/dhcp-dyndns.sh ix,

Try /usr/local/bin/dhcp-dyndns.sh rix,

> /bin/grep rix,
> /usr/sbin/samba rix,
> /usr/bin/gawk rix,
> /bin/hostname rix,
> /usr/bin/wbinfo rix,
> /usr/bin/heimtools rix,
> /usr/bin/logger rix,
> /usr/bin/kinit.heimdal rix,
> /bin/date rix,
> /dev/tty wr,

> /dev/urandom w,
^^ change that to wr

> /proc/** r,
> /usr/bin/kinit w,
> /run/samba/winbindd/pipe wr,
>
> The /usr/local/bin/dhcp-dyndns.sh is -rwxr-xr-x 1 root root
> 4117 Jun 27 10:54 dhcp-dyndns.sh
>
> I don't have the
> /var/lib/samba/private/named.conf.update.static but have
> /var/lib/samba/private/named.conf.update, which looks like
> the following
>
> /* this file is auto-generated - do not edit */
> update-policy {
> grant LIN.GROUP ms-self * A AAAA;
> grant Administrator at LIN.GROUP wildcard * A AAAA SRV CNAME;
> grant SERVER5$@LIN.group wildcard * A AAAA SRV CNAME;
> };

This part,
grant SERVER5$@LIN.group
So that would mean your hostname is SERVER5

> Please note: the hostname is SERVER5-AD but it is also called
> SERVER5 as some of the old shares are pointing to
> SERVER5 (have entries for both in DNS and hosts file)

No No..

A computer (ip) has only ONE hostname (as in host.dom.tld) as in A and PTR record.
For example there can only be ONE PTR record for an IP, the matching A is the REAL hostname.

All others are aliases and should be CNAMEs in the DNS.
Now, your resolving is failing / not correctly set up.
That's a point to fix and this is the primary thing you should look at first.

> Louis, the machine has full control over its forward DNS
> record. However the machine is not domain\machine but just
> "WIN7VM01$"

That's fine also, as long as the computer has full access it's ok.

> The reverse DNS doesn't exist so I manually added one using
> samba-tool dns add 192.168.14.10 14.168.192.in-addr.arpa 198
> PTR WIN7VM01.lin.group. It creates the record but the machine
> has no access.

That's because you created it, not the computer.

> The thing to note here is if I add an A record using the
> DNS manager and select the option to create the associated
> pointer record, it only creates the forward one. I am logged
> into the machine with RSAT using the domain administrator account

Yes, that's known with RSAT, create the PTR manually in that case.

> Back to the reverse one. I setup the ADDOM\WIN7VM01$ with
> full permission in the rev record I just created.
>
> After the reboot the forward DNS record now shows permissions
> for ADDOM\WIN7VM01$ instead of just WIN7VM01$
> Is "Register this connection's address in DNS" checked? It is ticked

Good.

> In ipconfig /all, the details look correct. The DNS suffix
> is pointing to the domain. It has the correct DHCP and DNS details
>
> I still see the permission denied error about the
> dhcp-dyndns.sh and also client @0x7efc5809bfd0
> 192.168.14.198#51947: update 'lin.group/IN' denied

This is correct, that's attempt one, the second should be with bind_dlz and succeed.

> As you can gather I am in a completely different timezone (AUS)
> to you, so it might be a while before I can respond to
> emails. Hence I am providing as much info as I can while I can.

No problems, we all need to sleep sometime. ;-)

> Regards,
>
> Praveen

Greetz,

Louis
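Louis's rule above (one A record and one PTR per address, and every other name for that host a CNAME) can be checked mechanically against a zone export. The following is an added example, not code from the thread and not part of Samba: a small Python checker that takes (owner, type, rdata) triples, derives each address's in-addr.arpa owner name with the standard `ipaddress` module, and reports every violation. The record list is constructed to mirror the thread (server5 and server5-ad both holding an A record for 192.168.14.10, win7vm01 with a forward record but no PTR); the host names and addresses are illustrative, not the poster's real zone.

```python
"""Check a set of DNS records for the one-hostname-per-address rule.

Added example (not Samba code and not from the thread). Records are
(owner, type, rdata) triples as exported from the zone; the sample below
is constructed to mirror the situation described in the thread.
"""
import ipaddress
from collections import defaultdict


def reverse_name(ip):
    """Owner name of the PTR record for an address, e.g. 198.14.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_zone(records):
    """Return a list of human-readable findings; an empty list means the data is consistent."""
    a_by_ip = defaultdict(set)      # address -> names that have an A/AAAA record for it
    a_by_name = defaultdict(set)    # name -> addresses
    ptr_by_rev = defaultdict(set)   # reverse owner name -> PTR targets
    cnames = {}                     # alias -> canonical name
    for owner, rtype, rdata in records:
        owner, rdata = owner.lower().rstrip("."), rdata.lower().rstrip(".")
        if rtype in ("A", "AAAA"):
            a_by_ip[rdata].add(owner)
            a_by_name[owner].add(rdata)
        elif rtype == "PTR":
            ptr_by_rev[owner].add(rdata)
        elif rtype == "CNAME":
            cnames[owner] = rdata

    findings = []
    checked_rev = set()
    # Rule 1: each address has exactly one forward name and one PTR, and they match.
    for ip, names in sorted(a_by_ip.items()):
        rev = reverse_name(ip)
        checked_rev.add(rev)
        targets = ptr_by_rev.get(rev, set())
        if len(names) > 1:
            findings.append(f"{ip}: {len(names)} names have an A/AAAA record for this address "
                            f"({', '.join(sorted(names))}); keep one and make the others CNAMEs")
        if not targets:
            findings.append(f"{ip}: no PTR record at {rev}")
        elif len(targets) > 1:
            findings.append(f"{ip}: {len(targets)} PTR records at {rev}; an address gets exactly one")
        elif not targets & names:
            findings.append(f"{ip}: PTR {rev} -> {next(iter(targets))} does not match any "
                            f"A/AAAA owner for this address")
    # Rule 2: PTR targets must be real hostnames (not aliases) whose addresses point back.
    for rev, targets in sorted(ptr_by_rev.items()):
        for target in sorted(targets):
            if target in cnames:
                findings.append(f"{rev}: PTR points at alias {target}; use the canonical name {cnames[target]}")
            elif target not in a_by_name:
                findings.append(f"{rev}: PTR points at {target}, which has no A/AAAA record (dangling)")
            elif rev not in checked_rev:
                findings.append(f"{rev}: PTR points at {target}, but none of its addresses map back here")
    # Rule 3: a CNAME must be the only record at its name.
    for alias in sorted(cnames):
        if alias in a_by_name:
            findings.append(f"{alias}: has both a CNAME and an A/AAAA record")
    return findings


# Constructed sample modelled on the thread: two forward names for the DC's address,
# a client with a forward record but no PTR, and one correctly paired host plus an alias.
SAMPLE_RECORDS = [
    ("server5-ad.lin.group", "A", "192.168.14.10"),
    ("server5.lin.group", "A", "192.168.14.10"),
    ("10.14.168.192.in-addr.arpa", "PTR", "server5-ad.lin.group"),
    ("win7vm01.lin.group", "A", "192.168.14.198"),
    ("bw10.lin.group", "A", "192.168.14.150"),
    ("150.14.168.192.in-addr.arpa", "PTR", "bw10.lin.group"),
    ("files.lin.group", "CNAME", "bw10.lin.group"),
]


def fixed_records():
    """The same data with the second name turned into a CNAME, as the thread recommends."""
    return [r for r in SAMPLE_RECORDS if r[0] != "server5.lin.group"] + [
        ("server5.lin.group", "CNAME", "server5-ad.lin.group")]


if __name__ == "__main__":
    for label, recs in (("as posted", SAMPLE_RECORDS), ("after fix", fixed_records())):
        print(f"== {label}")
        for finding in check_zone(recs) or ["no findings"]:
            print(" ", finding)
```

Run against the sample it reports the duplicate forward name for 192.168.14.10 and the missing PTR for 192.168.14.198; after the alias is converted to a CNAME only the missing PTR remains, which is the record the computer account itself has to create.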
Hi Louis,

I've tested some more and have come up with the following

Test1;
DHCP server:
- Not Joined to the AD domain
- Installed Samba and also setup dhcpd.conf to run the dhcp-dydns script. The script failed as it couldn't use kinit so I don't think it will work
Results:
- The forward updates but the reverse doesn't
Dhcp logs

Jul 4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 82: klist: command not found
Jul 4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : Getting new ticket, old one has expired
Jul 4 05:17:43 server-fw sh[10300]: /usr/local/bin/dhcp-dyndns.sh: line 85: kinit: command not found
Jul 4 05:17:43 server-fw dhcpd: 04-07-19 05:17:43 [dyndns] : dhcpd kinit for dynamic DNS failed
Jul 4 05:17:43 server-fw dhcpd[10300]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 256

Test2;
DHCP server:
- Not Joined to the AD domain
- Installed Samba and also setup dhcpd.conf to NOT run the script
Results:
- The forward updates but the reverse doesn't

Test2:
Same setup in DHCP server i.e. not running the scripts
In the Windows machine, ticked the Use this connection's DNS suffix in DNS registration under the Advanced DNS settings (IPv4)
Results
Both forward and reverse work

Jul 4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
Jul 4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
Jul 4 06:16:03 server5 named[90]: client @0x7fb51811e370 192.168.14.150#64300/key BW10\$\@lin.GROUP: updating zone '14.168.192.in-addr.arpa/NONE': deleting rrset at '150.14.168.192.in-addr.arpa' PTR
Jul 4 06:16:03 server5 named[90]: samba_dlz: failed to modify DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
Jul 4 06:16:03 server5 named[90]: samba_dlz: cancelling transaction on zone 14.168.192.in-addr.arpa
Jul 4 06:16:03 server5 named[90]: resolver priming query complete

In all of the subsequent tests, the only time I got a consistent reverse entry in DNS is when ticking the above.
Even when I installed DHCP in the actual samba box, the above setting ensured the reverse entry

Regards,
Praveen Ghimire

-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl]
Sent: Thursday, 27 June 2019 10:03 PM
To: samba at lists.samba.org
Cc: Praveen Ghimire
Subject: RE: [Samba] Reverse DNS

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
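The named/samba_dlz lines in the two messages above follow a fixed sequence: an unsigned update attempt that is denied, a signed (GSS-TSIG) attempt that samba_dlz allows, the actual record change, and, when the backend write fails, a "failed to modify ... WERR_GEN_FAILURE" followed by "cancelling transaction". As an added example that is not part of the thread and not Samba code, the Python script below parses those message shapes out of a syslog stream, groups the events per client address, and attaches a one-line verdict so that a denial that is just "attempt one" is not mistaken for a permission problem. The log sample is constructed from the lines quoted in this thread; the timestamp on the first line, the unsigned attempt from 192.168.14.150 and the host field of that line are made up for illustration.

```python
"""Triage BIND9 + samba_dlz dynamic-update log lines per client address.

Added example, not Samba code and not from the thread. The regexes follow
the message shapes quoted in the thread; any other line is ignored.
"""
import re
from collections import defaultdict

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: (?P<msg>.*)$")
EVENTS = {
    "allowed":   re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
                            r"tcpaddr=(?P<addr>\S+) type=(?P<type>\S+)"),
    "denied":    re.compile(r"client @\S+ (?P<addr>\S+)#\d+(?:/key (?P<key>\S+))?: update '(?P<zone>[^']+)' denied"),
    "updating":  re.compile(r"client @\S+ (?P<addr>\S+)#\d+/key (?P<key>\S+): updating zone '(?P<zone>[^']+)': (?P<op>.+)$"),
    "failed":    re.compile(r"samba_dlz: failed to modify (?P<dn>\S+) - (?P<err>\S+)"),
    "cancelled": re.compile(r"samba_dlz: cancelling transaction on zone (?P<zone>\S+)"),
}


def parse_line(line):
    """Return an event dict (kind, ts and the regex's named groups) or None for non-update lines."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    for kind, rx in EVENTS.items():
        e = rx.search(m.group("msg"))
        if e:
            return dict(e.groupdict(), kind=kind, ts=m.group("ts"))
    return None


def _new_client():
    return {"unsigned_denied": 0, "signed_denied": 0, "allowed": 0, "ops": [], "errors": []}


def _verdict(c):
    if c["errors"]:
        return "signed update was authorised but the samba_dlz backend write failed: " + ", ".join(c["errors"])
    if c["signed_denied"]:
        return "signed update denied: the signer has no write permission on the record or zone"
    if c["allowed"]:
        note = " (after the usual unsigned first attempt)" if c["unsigned_denied"] else ""
        return "signed update allowed" + note
    if c["unsigned_denied"]:
        return "only unsigned attempts seen, all denied; the client never retried with a signed update"
    return "no dynamic-update activity"


def triage(lines):
    """Group update events per client address and attach a one-line verdict for each."""
    per_client = defaultdict(_new_client)
    current = None  # samba_dlz backend lines carry no client address: attribute them to the last client seen
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.get("addr"):
            current = ev["addr"]
        if current is None:
            continue
        c = per_client[current]
        if ev["kind"] == "denied":
            c["signed_denied" if ev.get("key") else "unsigned_denied"] += 1
        elif ev["kind"] == "allowed":
            c["allowed"] += 1
        elif ev["kind"] == "updating":
            c["ops"].append(ev["op"])
        elif ev["kind"] == "failed":
            c["errors"].append(ev["err"])
    return {addr: dict(c, verdict=_verdict(c)) for addr, c in per_client.items()}


# Constructed sample built from the lines quoted in the thread; the first timestamp and the
# unsigned attempt from 192.168.14.150 are invented to show the full sequence.
SAMPLE_LOG = r"""
Jun 27 13:40:01 server5 named[90]: client @0x7efc5809bfd0 192.168.14.198#51947: update 'lin.group/IN' denied
Jul  4 06:16:03 server5 named[90]: client @0x7fb51811e370 192.168.14.150#64300: update '14.168.192.in-addr.arpa/IN' denied
Jul  4 06:16:03 server5 named[90]: samba_dlz: allowing update of signer=BW10\$\@lin.GROUP name=150.14.168.192.in-addr.arpa tcpaddr=192.168.14.150 type=PTR key=1264-ms-7.4-aaefc.307cfafe-9e22-11e9-65a7-9a9237443f23/160/0
Jul  4 06:16:03 server5 named[90]: client @0x7fb51811e370 192.168.14.150#64300/key BW10\$\@lin.GROUP: updating zone '14.168.192.in-addr.arpa/NONE': deleting rrset at '150.14.168.192.in-addr.arpa' PTR
Jul  4 06:16:03 server5 named[90]: samba_dlz: failed to modify DC=150,DC=14.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lin,DC=group - WERR_GEN_FAILURE
Jul  4 06:16:03 server5 named[90]: samba_dlz: cancelling transaction on zone 14.168.192.in-addr.arpa
Jul  4 06:16:03 server5 named[90]: resolver priming query complete
""".strip().splitlines()


if __name__ == "__main__":
    for addr, summary in triage(SAMPLE_LOG).items():
        print(addr, "->", summary["verdict"])
```

On the sample, 192.168.14.198 ends up as "only unsigned attempts seen" (no signed retry in the excerpt), while 192.168.14.150 is reported as an authorised update that failed inside the backend with WERR_GEN_FAILURE, which separates a client-side authentication problem from a server-side write problem before anyone touches ACLs.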
On the server with the dhcp script.

apt install krb5-user
Should be sufficient, then try again.

Greetz,

Louis

> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Thursday 4 July 2019 8:39
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
Hi Louis,

I can do that but does it mean we'll have to setup a GPO to enable the machines to update their DNS?

Regards,
Praveen Ghimire

-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl]
Sent: Thursday, 4 July 2019 4:47 PM
To: samba at lists.samba.org
Cc: Praveen Ghimire
Subject: RE: [Samba] Reverse DNS

On the server with the dhcp script.

apt install krb5-user
Should be sufficient, then try again.

Greetz,

Louis
The default Windows settings should be sufficient.

> -----Original Message-----
> From: Praveen Ghimire [mailto:PGhimire at sundata.com.au]
> Sent: Tuesday 9 July 2019 8:27
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: RE: [Samba] Reverse DNS
>
> Hi Louis,
>
> I can do that but does it mean we'll have to setup a GPO to
> enable the machines to update their DNS?
>
> Regards,
> Praveen Ghimire