Rick Hollinbeck
2020-Apr-18 21:53 UTC
[Samba] Any advice for installing Samba as an AD server on Raspbian Buster with BIND9 and ISC DHCP?
Sorry about the HTML in the last email - I'm attempting to resend (with fingers crossed that my mailer doesn't throw in a bunch of HTML this time...)
---->
I've taken the good suggestions and made some progress getting a bind-dhcp-samba server running on the Pi with Raspbian Buster.

Rowland wrote:
> The best way would be to find whatever is rewriting /etc/resolv.conf
> (dnsmasq ?) and stop it.

I disabled dnsmasq and dhcpcd and set up a manual ip configuration in /etc/network/interfaces.d/eth0 instead:
-----------
auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.0.24
    netmask 255.255.255.0
    gateway 192.168.0.22
    #dns-nameservers 192.168.0.6    # Old Windows 2008 DC
    dns-nameservers 192.168.0.24    # New Samba 4.11 DC on Pi
    dns-search office.example.com
iface eth0 inet6 static
    address fd55:5555:5555:5555::24
    netmask 64
    gateway fd55:5555:5555:5555::22
------------

It turns out that even with dnsmasq and dhcpcd disabled, /etc/resolv.conf was still getting rewritten by the dns-nameservers and dns-search options above. When I ran the JOIN with samba-tool, I had dns-nameservers point to the old Windows DC that I wanted to join. Once the join finished, I changed this option to the ip of the Samba Pi itself. Now, /etc/resolv.conf has the correct entries.

I'm in the final stretches of getting a bind9-dhcpd-samba AD DC server working. But (at least) 2 things still aren't working.

1. Replication back from the new Pi DC to one of the Windows DCs ACTS like it's working (samba-tool drs showrepl says it is successful). But, if I look at the contents of, say, the office.example.com container in DNS Manager, a computer name PTR record has not been deleted on the old DC, even though it was deleted (by me) on the Pi DC (and it does not show up there in DNS Manager).

I even tried to manually replicate as mentioned in the samba wiki with:

sudo samba-tool drs replicate olddc2 pidc2 dc=office,dc=example,dc=com

No error is shown, but olddc2 still does not reflect the deleted computer name on pidc2. (It's still shown)

2. This might be related to #1... I cannot get the dynamic dns updates to work with ISC dhcpd. It's not even updating on the Pi DC itself, where dhcpd is also running. I followed the directions from the samba wiki making the dhcpd-dyndns.sh script. The daemon.log file shows this attempt to add a new DNS entry when a client DHCP request is made:

Apr 17 12:12:11 PiDC2 dhcpd[818]: Commit: IP: 192.168.0.151 DHCID: 08:62:66:e0:80:0e Name: ASUS-W10-LAPTOP
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[1] = add
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[2] = 192.168.0.151
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[3] = 08:62:66:e0:80:0e
Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[4] = ASUS-W10-LAPTOP
Apr 17 12:12:12 PiDC2 dhcpd[818]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Apr 17 12:12:12 PiDC2 dhcpd[818]: DHCPREQUEST for 192.168.0.151 from 08:62:66:e0:80:0e (ASUS-W10-LAPTOP) via eth0
Apr 17 12:12:12 PiDC2 dhcpd[818]: DHCPACK on 192.168.0.151 to 08:62:66:e0:80:0e (ASUS-W10-LAPTOP) via eth0

I couldn't figure out what the '2816' exit status meant, so I tried running the script's command manually:

sudo /usr/local/bin/dhcp-dyndns.sh add 192.168.0.151 08:62:66:e0:80:0e ASUS-W10-LAPTOP &>dhcp-dyndns.txt

Here is the output file dhcp-dyndns.txt:
-------------------
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61443
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ASUS-W10-LAPTOP.OFFICE.EXAMPLE.COM. IN SOA

;; AUTHORITY SECTION:
office.EXAMPLE.com. 0 IN SOA pidc2.office.EXAMPLE.com. hostmaster.office.EXAMPLE.com. 16192552 900 600 86400 3600

Found zone name: office.EXAMPLE.com
The master is: pidc2.office.EXAMPLE.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48000
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4271396648.sig-pidc2.office.EXAMPLE.com. ANY TKEY

;; ADDITIONAL SECTION:
4271396648.sig-pidc2.office.EXAMPLE.com. 0 ANY TKEY gss-tsig. 1587145838 1587145838 3 NOERROR 1498 YIIF1gYGKwYBBQUCoIIFyjCCBcagDTALBgkqhki$

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48000
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;4271396648.sig-pidc2.office.EXAMPLE.com. ANY TKEY

response to GSS-TSIG query was unsuccessful
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26565
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; QUESTION SECTION:
;0.168.192.in-addr.arpa. IN SOA

;; ANSWER SECTION:
0.168.192.in-addr.arpa. 3600 IN SOA pidc2.office.EXAMPLE.com. hostmaster.office.EXAMPLE.com. 954 900 600 86400 3600

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600 IN NS pidc2.office.EXAMPLE.com.
0.168.192.in-addr.arpa. 3600 IN NS dc2.office.EXAMPLE.com.
0.168.192.in-addr.arpa. 3600 IN NS pe2600.office.EXAMPLE.com.
0.168.192.in-addr.arpa. 3600 IN NS servi.office.EXAMPLE.com.

;; ADDITIONAL SECTION:
pe2600.office.EXAMPLE.com. 3600 IN A 192.168.0.7
servi.office.EXAMPLE.com. 3600 IN A 192.168.0.6
dc2.office.EXAMPLE.com. 3600 IN A 192.168.0.10
pidc2.office.EXAMPLE.com. 900 IN A 192.168.0.24
pe2600.office.EXAMPLE.com. 3600 IN AAAA fd55:5555:5555:5555::7
pe2600.office.EXAMPLE.com. 3600 IN AAAA fd55:5555:5555:5555:8683:a47e:9c6f:5f8c
servi.office.EXAMPLE.com. 3600 IN AAAA fd55:5555:5555:5555:1e49:bc2a:e195:69bc
servi.office.EXAMPLE.com. 3600 IN AAAA fd55:5555:5555:5555::6
pidc2.office.EXAMPLE.com. 900 IN AAAA fd55:5555:5555:5555::24

Found zone name: 0.168.192.in-addr.arpa
The master is: pidc2.office.EXAMPLE.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12460
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3053225212.sig-pidc2.office.EXAMPLE.com. ANY TKEY

;; ADDITIONAL SECTION:
3053225212.sig-pidc2.office.EXAMPLE.com. 0 ANY TKEY gss-tsig. 1587145838 1587145838 3 NOERROR 1498 YIIF1gYGKwYBBQUCoIIFyjCCBcagDTALBgkqhki$

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12460
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3053225212.sig-pidc2.office.EXAMPLE.com. ANY TKEY

response to GSS-TSIG query was unsuccessful
------------------

I followed the instructions in the Samba wiki to set up the dhcpduser account and key, etc. I also added the additional suggestions into the script for reverse dns updating on Raspbian Jessie mentioned in the wiki (even though I am on Buster). But this does still look like some issue with GSS-TSIG (whatever that is) when nsupdate is run from the script.

Any idea what my problem might be? Or some new logging options I could try?

Thanks for the advice and help!
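The two artefacts in the post that are hardest to read by eye are the "exit status 2816" line that dhcpd logs for the hook script and the TKEY/SERVFAIL exchange buried in the nsupdate debug output. The helper below is an added example, not code from the post, from the Samba wiki or from ISC dhcpd: it decodes the dhcpd value and reports, per zone, what the server answered to the GSS-TSIG key-negotiation (TKEY) query. It assumes dhcpd logs the raw wait() status of the child (which is why a value above 255 appears; under that assumption 2816 is exit code 11), and it uses log lines copied from the post as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the post): decode the "exit status" value that dhcpd
# logs for a hook script, and find a failed GSS-TSIG (TKEY) negotiation in
# "nsupdate -d" output. Assumption: dhcpd logs the raw wait() status.

# In a wait() status the child's real exit code is the high byte; the low seven
# bits hold the signal number if the child was killed instead.
decode_wait_status() {
    code=$(( $1 >> 8 ))
    sig=$(( $1 & 127 ))
    if [ "$sig" -ne 0 ]; then
        echo "killed by signal $sig"
    else
        echo "exit code $code"
    fi
}

# Read dhcpd daemon.log lines on stdin; decode every "execute: ... exit status N".
decode_dhcpd_log() {
    sed -n 's/.*execute: \(.*\) exit status \([0-9][0-9]*\).*/\1 \2/p' |
    while read -r script status; do
        echo "$script: $(decode_wait_status "$status")"
    done
}

# Read "nsupdate -d" output on stdin and print, for each zone, the status the
# server returned to the TKEY query. A SERVFAIL here means the GSS key
# negotiation itself failed, so the signed update was never sent; the place to
# look is the Kerberos/GSS side (credentials, keytab, name resolution of the
# master), not the zone data.
check_gss_tsig() {
    awk '
        /^Found zone name:/         { zone = $4 }
        /reply from GSS-TSIG query/ { waiting = 1; next }
        waiting && /status:/ {
            sub(/.*status: /, ""); sub(/,.*/, "")
            print zone ": TKEY reply " $0
            waiting = 0
        }'
}

# Constructed sample input: lines copied from the log excerpts in the post.
SAMPLE_DHCPD_LOG='Apr 17 12:12:11 PiDC2 dhcpd[818]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Apr 17 12:12:12 PiDC2 dhcpd[818]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
Apr 17 12:12:12 PiDC2 dhcpd[818]: DHCPACK on 192.168.0.151 to 08:62:66:e0:80:0e (ASUS-W10-LAPTOP) via eth0'

SAMPLE_NSUPDATE='Found zone name: office.EXAMPLE.com
The master is: pidc2.office.EXAMPLE.com
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48000
;; QUESTION SECTION:
;4271396648.sig-pidc2.office.EXAMPLE.com. ANY TKEY
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48000
response to GSS-TSIG query was unsuccessful
Found zone name: 0.168.192.in-addr.arpa
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12460'

# Stand-alone run over the samples; in practice feed the real files instead:
#   decode_dhcpd_log < /var/log/daemon.log
#   check_gss_tsig   < dhcp-dyndns.txt
printf '%s\n' "$SAMPLE_DHCPD_LOG" | decode_dhcpd_log
printf '%s\n' "$SAMPLE_NSUPDATE" | check_gss_tsig
```

What the decoded exit code means is up to the hook script: dhcp-dyndns.sh chooses its own exit values, so once the number is known the next step is to look for that value in the script and see which nsupdate branch sets it. The TKEY check only tells you at which stage the update died; it does not say why the negotiation failed.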