Hi everybody,
i've successfully installed an samba4 AD with Version 4.1.9 and bind 9.9.4. On the client side i've a windows7 sp1 machine. The only trouble i have is an ddns update denied message in /var/log/messages. But after the denied message the forward and reverse lookup zone will be aktualized successfully.
Could it be that windows 7 first try to do an unsecure ddns update and if this is not possible it would try a secure update? A Win 8.1 client seems to update only on the system start...
above my current configuration from my test-configuration:
/etc/named.conf
Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
listen-on port 53 { 127.0.0.1;192.168.178.130; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.178.0/24; };
forwarders { 192.168.178.254; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";
/usr/local/samba/private/named.conf
Code:
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/private/named.conf";
zone "winnet.local." IN {
type master;
file "/usr/local/samba/private/dns/winnet.local.zone";
/*
* the list of principals and what they can change is created
* dynamically by Samba, based on the membership of the domain controllers
* group. The provision just creates this file as an empty file.
*/
include "/usr/local/samba/private/named.conf.update";
/* we need to use check-names ignore so _msdcs A records can be created */
check-names ignore;
};
# The reverse zone configuration is optional. The following example assumes a
# subnet of 192.168.123.0/24:
zone "178.168.192.in-addr.arpa" in {
type master;
file "/usr/local/samba/private/dns/192.168.178.rev";
update-policy {
grant *.LOCAL wildcard *.178.168.192.in-addr.arpa. PTR;
};
};
# Note that the reverse zone file is not created during the provision process.
# The most recent BIND versions (9.8 or later) support secure GSS-TSIG
# updates. If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.
/usr/local/samba/private/named.conf.update
Code:
/* this file is auto-generated - do not edit */
update-policy {
grant WINNET.LOCAL ms-self * A AAAA;
grant Administrator@WINNET.LOCAL wildcard * A AAAA SRV CNAME;
grant SERVER1$@winnet.local wildcard * A AAAA SRV CNAME;
};
winnet.local.zone
Code:
$ORIGIN .
$TTL 604800 ; 1 week
winnet.local IN SOA Server1.winnet.local. hostmaster.winnet.local. (
2014080222 ; serial
172800 ; refresh (2 days)
14400 ; retry (4 hours)
3628800 ; expire (6 weeks)
604800 ; minimum (1 week)
)
NS Server1.winnet.local.
A 192.168.178.130
$ORIGIN winnet.local.
_kerberos TXT "WINNET.LOCAL"
$ORIGIN _msdcs.winnet.local.
d0ceae4f-5e5a-4970-a16e-0fec149712ea CNAME Server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_ldap SRV 0 100 389 Server1.winnet.local.
$ORIGIN _tcp.dc._msdcs.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_ldap SRV 0 100 389 Server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.e8d61e3f-b9d2-4516-9cde-c96ca1059b11.domains SRV 0 100 389 Server1.winnet.local.
gc A 192.168.178.130
$ORIGIN gc._msdcs.winnet.local.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 Server1.winnet.local.
_ldap._tcp SRV 0 100 3268 Server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.pdc SRV 0 100 389 Server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.winnet.local.
_gc SRV 0 100 3268 Server1.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_ldap SRV 0 100 389 Server1.winnet.local.
$ORIGIN _tcp.winnet.local.
_gc SRV 0 100 3268 Server1.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_kerberos-master SRV 0 100 88 Server1.winnet.local.
_kpasswd SRV 0 100 464 Server1.winnet.local.
_ldap SRV 0 100 389 Server1.winnet.local.
$ORIGIN _udp.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_kerberos-master SRV 0 100 88 Server1.winnet.local.
_kpasswd SRV 0 100 464 Server1.winnet.local.
$ORIGIN winnet.local.
$TTL 1200 ; 20 minutes
client1 A 192.168.178.200
client2 A 192.168.178.203
$TTL 604800 ; 1 week
Server1 A 192.168.178.130
192.168.178.rev
Code:
$ORIGIN .
$TTL 38400 ; 10 hours 40 minutes
178.168.192.in-addr.arpa IN SOA Server1.winnet.local. hostmaster.178.168.192.in-addr.arpa. (
1406996332 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
38400 ; minimum (10 hours 40 minutes)
)
NS Server1.winnet.local.
$ORIGIN 178.168.192.in-addr.arpa.
130 PTR Server1.winnet.local.
$TTL 1200 ; 20 minutes
200 PTR client1.winnet.local.
201 PTR client2.winnet.local.
202 PTR client2.winnet.local.
203 PTR client2.winnet.local.
