Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On 19.03.2012 01:31, Amitay Isaacs wrote:
> Hi Andreas,
>
> On Sun, Mar 18, 2012 at 7:06 AM, Matthieu Patou m...@samba.org wrote:
>> On 03/17/2012 10:00 AM, Andreas Oster wrote:
>>> Hello all,
>>>
>>> I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should, but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration? Can this be done with the kerberos DNS dynamic update configuration?
>>
>> I had it working with the flat file backend. I think that the way dhcp and bind do their DDNS is different from the way windows does its DDNS; as far as I know dlz_plugin only supports the latter one so far.
>>
>>> I want to achieve the following:
>>>
>>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>
> You need to configure secure updates from dhcpd as the dlz_bind9 plugin only supports secure dynamic updates. The following link might help to set up secure dynamic updates from dhcpd:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
>>> 2) allow Windows machines (joined to AD) to update their own entries
>>>
>>> 2 - already works with the configuration from samba wiki
>
> This should work automatically with the current master. But remember that if you update a DNS entry for a windows machine through DHCP, then the windows machine itself may not be able to update its own entry because of the ACLs.
>
> Amitay.

Hello Amitay,

with your great work on the samba_upgradedns script I was able to move my flat-file bind9 config to the DLZ backend, but realized afterwards that I was no longer able to add DNS entries via dhcpd. Luckily I found Charles Tryon's script on the web and managed to set up secure dynamic updates from dhcpd to bind9. To circumvent the problem with windows machines being unable to update their own records, I have modified the script to exclude those machines from being added to the DNS database by dhcpd. This was easy, because in our setup Windows machines are all named the same way: DOMAIN+WS+NUMBER.

Thanks

best regards
Andreas

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On 20.03.2012 19:20, Charles Tryon wrote:
> Hi Andreas,
>
> Yes, I did a lot of work trying to get that script working (along with a bunch of other people on that discussion thread). I have it mostly functional, but have largely backed away from that approach, since it runs against what appears to be the more accepted policy of letting the machines (in particular, the Windows machines) do their own secure update of the DNS records. The unfortunate part is that the Linux clients don't seem to have a way to do this by default. I have no idea how the Mac machines handle their DNS once they get a DHCP response. Servers, which mostly use static IP assignments, are a moot point, since I can just manually create the DNS records and be done with it.
>
> The issue is the fact that DNS remembers who created (owns) the DNS record, and based on that ownership, who it will allow to change it. If it is created by some dhcpd initiated transaction, then the Windows client itself is not allowed to update the record in the future.
>
> My feeling at this point is to try to follow the Windows Way for the time being (since that's the bulk of the machines on the network), and handle the few Linux clients (oddballs like myself) as special cases. We also use DHCP reservations based on the machine's MAC address, so largely it's a non-issue. (Or, at least I've got bigger fish to fry first before I go back and make sure the DHCP/DLZ behavior is tidy.)
>
> On Sun, Mar 18, 2012 at 3:38 AM, Andreas Oster aos...@novanetwork.de wrote:
>> On 17.03.2012 21:06, Matthieu Patou wrote:
>>> On 03/17/2012 10:00 AM, Andreas Oster wrote:
>>>> Hello all,
>>>>
>>>> I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should, but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration? Can this be done with the kerberos DNS dynamic update configuration?
>>>
>>> I had it working with the flat file backend. I think that the way dhcp and bind do their DDNS is different from the way windows does its DDNS; as far as I know dlz_plugin only supports the latter one so far.
>>>
>>>> I want to achieve the following:
>>>>
>>>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>>>> 2) allow Windows machines (joined to AD) to update their own entries
>>>>
>>>> 2 - already works with the configuration from samba wiki
>>>
>>> I put our DNS experts in direct copy; maybe they can advise you better than I.
>>
>> Hello Matthieu,
>>
>> thank you for your answer. I searched the web a lot, but the only useful stuff I found was a script by Michael Kuron which has been slightly modified by Charles Tryon, but I have no clue how to integrate this with bind9 dlz, see:
>>
>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>>
>> It would be great if someone could help me with the DDNS setup.
>>
>> best regards
>> Andreas

Hello Charles,

first I would like to thank you for this great script. For our small network, 50 or so clients, I modified your script just a little. I have added an additional name comparison to check if the name contains a special string (in our case all Windows workstations are named like DOMAINNAME+WS+Number) and if it does, just exit the script. This way I do not get the ownership issue. All other machines either have static IPs or are not members of the AD.

Thanks

best regards
Andreas
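The name-based exclusion Andreas describes, as an added example that is not Charles Tryon's or Michael Kuron's script and not Samba code. It assumes a dhcpd `on commit` / `on release` hook calls it with the client hostname and address, that the dhcpd host holds a Kerberos ticket for a principal allowed to update the zone, and hypothetical values for the domain prefix, zone and server. It also treats the DHCP-supplied hostname as untrusted input, which the thread's script does not discuss.

```python
import ipaddress
import re
import subprocess
from typing import Optional

# Constructed values for illustration only; not taken from the thread.
DOMAIN_PREFIX = "EXAMPLE"            # hypothetical NetBIOS domain name
ZONE = "ad.example.com"              # hypothetical AD forward zone
DNS_SERVER = "dc1.ad.example.com"    # hypothetical DC running bind9 with dlz_bind9

# The client hostname (DHCP option 12) is chosen by the client, so accept only a
# single well-formed DNS label; anything else could smuggle extra nsupdate lines.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
# Naming convention from the thread: DOMAIN + "WS" + number, e.g. EXAMPLEWS042.
WS_RE = re.compile(rf"^{re.escape(DOMAIN_PREFIX)}WS\d+$", re.IGNORECASE)


def is_windows_workstation(hostname: str) -> bool:
    """AD-joined Windows workstations register their own records; if dhcpd creates
    the record first it is owned by dhcpd's principal and the client can no longer
    update it (the ownership problem described in the thread)."""
    return bool(WS_RE.match(hostname))


def build_nsupdate_script(action: str, hostname: str, ip: str, ttl: int = 3600) -> Optional[str]:
    """Return the stdin text for 'nsupdate -g' (GSS-TSIG using the current Kerberos
    ticket), or None when dhcpd must leave this host alone."""
    if not LABEL_RE.match(hostname):
        raise ValueError(f"refusing malformed hostname {hostname!r}")
    addr = ipaddress.ip_address(ip)          # rejects garbage before it reaches DNS
    if is_windows_workstation(hostname):
        return None
    fqdn = f"{hostname}.{ZONE}"
    lines = [f"server {DNS_SERVER}", f"zone {ZONE}", f"update delete {fqdn} A"]
    if action == "commit":                   # new or renewed lease: replace the A record
        lines.append(f"update add {fqdn} {ttl} A {addr}")
    elif action != "release":                # release/expiry: the delete above is enough
        raise ValueError(f"unknown action {action!r}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def apply_update(action: str, hostname: str, ip: str) -> bool:
    """Run the update through nsupdate -g; returns False when the host was skipped.
    Assumes a valid ticket, e.g. obtained with 'kinit -k' from dhcpd's own keytab."""
    script = build_nsupdate_script(action, hostname, ip)
    if script is None:
        return False
    subprocess.run(["nsupdate", "-g"], input=script, text=True, check=True)
    return True
```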
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

Hi Andreas,

On Sun, Mar 18, 2012 at 7:06 AM, Matthieu Patou m...@samba.org wrote:
> On 03/17/2012 10:00 AM, Andreas Oster wrote:
>> Hello all,
>>
>> I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should, but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration? Can this be done with the kerberos DNS dynamic update configuration?
>
> I had it working with the flat file backend. I think that the way dhcp and bind do their DDNS is different from the way windows does its DDNS; as far as I know dlz_plugin only supports the latter one so far.
>
>> I want to achieve the following:
>>
>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd

You need to configure secure updates from dhcpd as the dlz_bind9 plugin only supports secure dynamic updates. The following link might help to set up secure dynamic updates from dhcpd:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

>> 2) allow Windows machines (joined to AD) to update their own entries
>>
>> 2 - already works with the configuration from samba wiki

This should work automatically with the current master. But remember that if you update a DNS entry for a windows machine through DHCP, then the windows machine itself may not be able to update its own entry because of the ACLs.

Amitay.
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On 17.03.2012 18:00, Andreas Oster wrote:
> Hello all,
>
> I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should, but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration? Can this be done with the kerberos DNS dynamic update configuration?
>
> I want to achieve the following:
>
> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
> 2) allow Windows machines (joined to AD) to update their own entries
>
> 2 - already works with the configuration from samba wiki
>
> Thank you for your kind help
>
> best regards
> Andreas

Hi all,

finally I got it up and running. I am using the script by Charles Tryon:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

best regards
Andreas
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

Hi Andreas,

Yes, I did a lot of work trying to get that script working (along with a bunch of other people on that discussion thread). I have it mostly functional, but have largely backed away from that approach, since it runs against what appears to be the more accepted policy of letting the machines (in particular, the Windows machines) do their own secure update of the DNS records. The unfortunate part is that the Linux clients don't seem to have a way to do this by default. I have no idea how the Mac machines handle their DNS once they get a DHCP response. Servers, which mostly use static IP assignments, are a moot point, since I can just manually create the DNS records and be done with it.

The issue is the fact that DNS remembers who created (owns) the DNS record, and based on that ownership, who it will allow to change it. If it is created by some dhcpd initiated transaction, then the Windows client itself is not allowed to update the record in the future.

My feeling at this point is to try to follow the Windows Way for the time being (since that's the bulk of the machines on the network), and handle the few Linux clients (oddballs like myself) as special cases. We also use DHCP reservations based on the machine's MAC address, so largely it's a non-issue. (Or, at least I've got bigger fish to fry first before I go back and make sure the DHCP/DLZ behavior is tidy.)

On Sun, Mar 18, 2012 at 3:38 AM, Andreas Oster aos...@novanetwork.de wrote:
> On 17.03.2012 21:06, Matthieu Patou wrote:
>> On 03/17/2012 10:00 AM, Andreas Oster wrote:
>>> Hello all,
>>>
>>> I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should, but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration? Can this be done with the kerberos DNS dynamic update configuration?
>>
>> I had it working with the flat file backend. I think that the way dhcp and bind do their DDNS is different from the way windows does its DDNS; as far as I know dlz_plugin only supports the latter one so far.
>>
>>> I want to achieve the following:
>>>
>>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>>> 2) allow Windows machines (joined to AD) to update their own entries
>>>
>>> 2 - already works with the configuration from samba wiki
>>
>> I put our DNS experts in direct copy; maybe they can advise you better than I.
>
> Hello Matthieu,
>
> thank you for your answer. I searched the web a lot, but the only useful stuff I found was a script by Michael Kuron which has been slightly modified by Charles Tryon, but I have no clue how to integrate this with bind9 dlz, see:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
> It would be great if someone could help me with the DDNS setup.
>
> best regards
> Andreas

--
Charles Tryon
“Risks are not to be evaluated in terms of the probability of success, but in terms of the value of the goal.” - Ralph D. Winter
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On 18.03.2012 16:19, steve wrote:
> On 17/03/12 18:00, Andreas Oster wrote:
>> I want to achieve the following:
>>
>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>> 2) allow Windows machines (joined to AD) to update their own entries
>>
>> 2 - already works with the configuration from samba wiki
>>
>> Thank you for your kind help
>>
>> best regards
>> Andreas
>
> Hi
>
> I'm not sure if this is what you mean, but we have a lan of windows and linux clients under s4. Both win and Linux clients get their IP via dhcp. You can see the Kerberos dialogue reveal the IP when the box first connects. It is a different IP after each boot. So, if Linux counts as non windows, then yes, it works. We did nothing apart from adding the dlz stuff to bind.
>
> Cheers,
> Steve

Hi all,

does nobody have the same requirements regarding the dynamic DNS updates? I know this setup would somehow circumvent the security efforts behind the kerberos stuff, but I personally prefer to have security at L2, with for example 802.1X, and allow the DHCP server to update name records in the DNS database.

kind regards
Andreas
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On 17.03.2012 21:06, Matthieu Patou wrote:
> On 03/17/2012 10:00 AM, Andreas Oster wrote:
>> Hello all,
>>
>> I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should, but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration? Can this be done with the kerberos DNS dynamic update configuration?
>
> I had it working with the flat file backend. I think that the way dhcp and bind do their DDNS is different from the way windows does its DDNS; as far as I know dlz_plugin only supports the latter one so far.
>
>> I want to achieve the following:
>>
>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>> 2) allow Windows machines (joined to AD) to update their own entries
>>
>> 2 - already works with the configuration from samba wiki
>
> I put our DNS experts in direct copy; maybe they can advise you better than I.

Hello Matthieu,

thank you for your answer. I searched the web a lot, but the only useful stuff I found was a script by Michael Kuron which has been slightly modified by Charles Tryon, but I have no clue how to integrate this with bind9 dlz, see:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

It would be great if someone could help me with the DDNS setup.

best regards
Andreas
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On 17/03/12 18:00, Andreas Oster wrote:
> I want to achieve the following:
>
> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
> 2) allow Windows machines (joined to AD) to update their own entries
>
> 2 - already works with the configuration from samba wiki
>
> Thank you for your kind help
>
> best regards
> Andreas

Hi

I'm not sure if this is what you mean, but we have a lan of windows and linux clients under s4. Both win and Linux clients get their IP via dhcp. You can see the Kerberos dialogue reveal the IP when the box first connects. It is a different IP after each boot. So, if Linux counts as non windows, then yes, it works. We did nothing apart from adding the dlz stuff to bind.

Cheers,
Steve
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On Sun, Mar 18, 2012 at 11:19 AM, steve st...@steve-ss.com wrote:
> On 17/03/12 18:00, Andreas Oster wrote:
>> I want to achieve the following:
>>
>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>> 2) allow Windows machines (joined to AD) to update their own entries
>>
>> 2 - already works with the configuration from samba wiki
>>
>> Thank you for your kind help
>>
>> best regards
>> Andreas
>
> Hi
>
> I'm not sure if this is what you mean, but we have a lan of windows and linux clients under s4. Both win and Linux clients get their IP via dhcp. You can see the Kerberos dialogue reveal the IP when the box first connects. It is a different IP after each boot. So, if Linux counts as non windows, then yes, it works. We did nothing apart from adding the dlz stuff to bind.
>
> Cheers,
> Steve

Unfortunately, this is a problematic configuration for public encryption key systems, namely HTTPS and SSH servers. In particular, there's nothing like two SSH servers (namely most Linux systems) migrating to the same IP address at different times to cause conniptions for the SSH clients, who shriek "AAA!!! I HAVE MISMATCHED PUBLIC HOSTKEYS FOR THAT ADDRESS AND NO TOOL EXCEPT YOUR MANUAL TEXT EDITOR TO CLEAR THEM!!! WAILL!!! SH-R-I-E-K-K-K"

The usual solution to this is to provide DHCP reservations with stable IP addresses for all available hosts. This is trivial with ISC DHCP, and requires manual intervention or some very clever scripting with AD based DHCP. It's also why it's often handy to put the vaguely stable Linux hosts in their own VLAN or address range: it makes the DHCP reservation management easier.
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On 18.03.2012 16:19, steve wrote:
> On 17/03/12 18:00, Andreas Oster wrote:
>> I want to achieve the following:
>>
>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>> 2) allow Windows machines (joined to AD) to update their own entries
>>
>> 2 - already works with the configuration from samba wiki
>>
>> Thank you for your kind help
>>
>> best regards
>> Andreas
>
> Hi
>
> I'm not sure if this is what you mean, but we have a lan of windows and linux clients under s4. Both win and Linux clients get their IP via dhcp. You can see the Kerberos dialogue reveal the IP when the box first connects. It is a different IP after each boot. So, if Linux counts as non windows, then yes, it works. We did nothing apart from adding the dlz stuff to bind.
>
> Cheers,
> Steve

Hello Steve,

maybe I did not understand the concept behind this secure dynamic DNS stuff between samba4 and bind9 with the bind_dlz module. I thought that the following bind9 config (from the samba4 howto) only allows the principal dns-sambaserver to add/remove/modify DNS entries:

    options {
        [...]
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        [...]
    };

Also, from reading some postings, I got the impression that members of the domain (windows workstations, member servers) should be able to update their DNS entries. But what about network clients that get their IP via DHCP and which have no machine entry in the AD? How can their names be added to the bind9 database dynamically? How can I enable the dhcp daemon on another linux server to update the entries for these network clients?

Thank you for your kind help

best regards
Andreas
[Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

Hello all,

I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should, but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration? Can this be done with the kerberos DNS dynamic update configuration?

I want to achieve the following:

1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
2) allow Windows machines (joined to AD) to update their own entries

2 - already works with the configuration from samba wiki

Thank you for your kind help

best regards
Andreas
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)

On 03/17/2012 10:00 AM, Andreas Oster wrote:
> Hello all,
>
> I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should, but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration? Can this be done with the kerberos DNS dynamic update configuration?

I had it working with the flat file backend. I think that the way dhcp and bind do their DDNS is different from the way windows does its DDNS; as far as I know dlz_plugin only supports the latter one so far.

> I want to achieve the following:
>
> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
> 2) allow Windows machines (joined to AD) to update their own entries
>
> 2 - already works with the configuration from samba wiki

I put our DNS experts in direct copy; maybe they can advise you better than I.

--
Matthieu Patou
Samba Team
http://samba.org