On 03/31/2012 06:59 PM, Anton Aylward wrote:
lynn said the following on 03/31/2012 11:36 AM:
Do I need a PTR for each computer on the lan? I can imagine circumstance where the answer to that is 'no' but I suspect those circumstances don't apply to you.
If you had ddns working then it would be done 'auto-magically'. OK. Well, we have ddns with a (re) writeable forward zone handled by Samba4. You can see the IP it has been assigned by DHCP on the server as it issues Kerberos tickets for the fileserver and such. I suppose the test would be to remove the 127.0.1.1 hostname.fqdn hostname entry in /etc/hosts on the client and see if we can still authenticate.
There are two ways to can get their reverse addresses to work. The first is to use 'dynamic dns' where the DHCP server tells the DNS server that it has assigned an address and supplies the details which the DNS server can now had out in response to queries. Yes. That's what we have. that's what the samba4 guys added to bind9 to Was it the Samba guys? I thought DDNS (RFC2136 et al [3007, 4033, 4034, 4035]) dates back to 1997 and was out of ISC edited by the proverbial Mr Vixie :-)
Yes, Microsoft and Ad integrated DDNS and brought in the modified version of kerberos, but that still doesn't make it a SAMBA initiative.
You can experiment manually adding records from the CLI with 'nsupdate'. They were the ones who put he dlz code into bind to make it work against AD.
get it to do the dynamic updates. We have our win7 and linux clients using the dhcp server. That's the server running under Linux? 12.1 server running the Samba4 AD implementation to serve both win7 and Linux clients.
It works ok but coming back to the original point, we have to put 127.0.1.1 in /etc/hosts on the client to get a name over to the server. What is the server in need of? The FQDN? The FQDN should come from the unique IP address of the client. That's why I keep talking about the reverse DNS.
I assume we're still talking about something that DHCP-driven?
Either the name is hard-coded or its supplied by the DHCP server and the DHCP server tells the DNS server (via the DDNS protocol) to create the forward and reverse records.
I _suspect_ that because there is no reverse record it falls back to 127.0.0.1 and that's what your faced with. I've not used kerberos in this context; my last venture using it was with AIX/SPSS .... The server needs the fqdn of the Linux client (to do e.g. Kerberized nfs mounts). Under windows this happens automagically whether the win7 box has a dhcp address or not. Under Linux I have to either have a fixed IP or, if I want DHCP have to use the 127.0.1.1 workaround. I'm hoping your reverse lookups will solve this.
The IPv6 stuff come straight out of a default openSUSE bind install. I don't want it. It just gets put here. NASTY!
In the screens you show at the bloc ... opensuse-using-yast-to-setup-dns.html there is the option to delete the IPV6 entry and the option to enable DDNS Yes. I'll do the delete. That sould get rid of it. As I say, we already have ddns handled outside the Yast configuration with an externally generated tsig key so I would only use that option if I had created the forward zone myself. As it is, the forward zone is created for me by the Samba4 server.
listen-on-v6 { any; };
WHOA! listen-on-v6 turns on BIND to listen for IPv6 queries. If you're not running IPv6 then you want "none" rather than "any". This may account for one error :-) Yes it does. Again, it is default openSUSE. I think its up to you to delete what isn't wanted and to enable what is wanted. Point taken. I should not blame the tools, rather he bad workman. My fault.
No that's fine. The only error now is here: Mar 31 17:25:44 hh3 named[2483]: starting BIND 9.8.1-P1 -u named Info not err
Mar 31 17:25:44 hh3 named[2483]: built with '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=/usr/lib' '--includedir=/usr/include/bind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl' '--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2' '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-fomit-frame-pointer -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -DNO_VERSION_DATE -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib' Info not err
Mar 31 17:25:44 hh3 named[2483]: adjusted limit on open files from 4096 to 1048576 Mar 31 17:25:44 hh3 named[2483]: found 1 CPU, using 1 worker thread Mar 31 17:25:44 hh3 named[2483]: using up to 4096 sockets Mar 31 17:25:44 hh3 named[2483]: loading configuration from '/etc/named.conf' Info not err
Mar 31 17:25:44 hh3 named[2483]: reading built-in trusted keys from file '/etc/bind.keys' Yes but I recall there isn't actual a key, there , is there?
Building the key and including it in DNS/DHCP was an option on those screens at the blog which you didn't take. Perhaps you should have ..
The only reason I created an empty file at /var/lib/named/dyn/managed-keys.bind was to get rid of the managed-keys file not found error when starting bind.
Mar 31 17:25:44 hh3 named[2483]: using default UDP/IPv4 port range: [1024, 65535] Mar 31 17:25:44 hh3 named[2483]: using default UDP/IPv6 port range: [1024, 65535] Mar 31 17:25:44 hh3 named[2483]: listening on IPv6 interfaces, port 53 Mar 31 17:25:44 hh3 named[2483]: listening on IPv4 interface lo, 127.0.0.1#53 Mar 31 17:25:44 hh3 named[2483]: listening on IPv4 interface eth1, 192.168.1.3#53 Info not err
Mar 31 17:25:44 hh3 named[2483]: generating session key for dynamic DNS Mar 31 17:25:44 hh3 named[2483]: sizing zone task pool based on 5 zones Mar 31 17:25:44 hh3 named[2483]: Loading 'AD DNS Zone' using driver dlopen Mar 31 17:25:47 hh3 named[2483]: samba_dlz: started for DN DC=hh3,DC=site Mar 31 17:25:47 hh3 named[2483]: samba_dlz: starting configure Mar 31 17:25:47 hh3 named[2483]: samba_dlz: configured writeable zone 'hh3.site' Mar 31 17:25:47 hh3 named[2483]: samba_dlz: configured writeable zone '_msdcs.hh3.site' Mar 31 17:25:47 hh3 named[2483]: set up managed keys zone for view _default, file '/var/lib/named/dyn//managed-keys.bind' Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 10.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 16.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 17.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 18.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 19.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 20.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 21.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 22.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 23.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 24.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 25.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 26.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 27.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 28.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 29.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 30.172.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 31.172.IN-ADDR.ARPA That doesn't matter, its all info not err
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 168.192.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 0.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 127.IN-ADDR.ARPA
Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 254.169.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 2.0.192.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 100.51.198.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 113.0.203.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: D.F.IP6.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 8.E.F.IP6.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 9.E.F.IP6.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: A.E.F.IP6.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: B.E.F.IP6.ARPA Mar 31 17:25:47 hh3 named[2483]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA You really should disable IPv6 if you're not using it.
Will do.
Mar 31 17:25:47 hh3 named[2483]: command channel listening on 127.0.0.1#953 Info, but its the local IP address that counts :-
Mar 31 17:25:47 hh3 named[2483]: couldn't add command channel ::1#953: address not available More IPv6 stuff you can do without.
Mar 31 17:25:47 hh3 named[2483]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42 Mar 31 17:25:47 hh3 named[2483]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2012033101 Mar 31 17:25:47 hh3 named[2483]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42 Mar 31 17:25:47 hh3 named[2483]: zone localhost/IN: loaded serial 42 Mar 31 17:25:47 hh3 named[2483]: managed-keys-zone ./IN: loaded serial 0 Mar 31 17:25:47 hh3 named[2450]: Starting name server BIND ..done Mar 31 17:25:47 hh3 named[2483]: running
This is after changing ownership of /var/lib/named and after creating he managed-keys.bind file. Without those changes, bind will not start. The managed keys file isn't something you create by using 'touch'; it should contain the crypto keys you are using.
Again, an 'include' may alter things dramatically! Default again. named.conf.include is empty. OK .....
Notes: Changes made to the 12.1 bind to get rid of the startup errors: chown named:named /var/lib/named (working directory not writable) :-)
touch /var/lib/dyn/managed-keys.bind (file does not exist) No, that needs to contain the crypto key used by ddns.
Unless that file exists, it throws an error. Yes, but unless it contains the crypto key shared by DHCP and DNS then DDNS won't work. This should have been generated by YAST. Its one of the options, like deleting IPv6, that you should have set.
In my case, the ddns is handled elsewhere so no problem.
/etc/sysconfig/named NAMED_RUN_CHROOTED="no" (It's too much hassle transferring the samba dlz stuff to the jail) I can see that; I'm not going to harp on abut "basic security". I chroot so I know I can, but if you can justify not needing to then its "no harm, no foul". Yes. The samba include file must be readable. In the chroot it can't be read. I can't find a way of making it work in the chroot without including most of the samba stuff in there too. Yes, that's the point of chroot...
Meanwhile, one important one. I need to add a PTR for each machine on the lan? Yes.
As I said in a previous post; you can either use DDNS to let DHCP add and remove or you can 'cheat' and have them in there to match the same range as DHCP is going to hand out. The latter lets you micromanage the names.
Big thanks again from all here at lcb. L x -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org