Messages - opensesame

1
What behaviour do you see when you try to log in through the GUI?
What are you seeing in /var/log/auth.log?

I usually use realmd and sssd to handle the configuration of clients, so my overall process is slightly different to what you are doing. But the additional steps I take are as follows.

Create /etc/lightdm/lightdm.conf.d/50-manual-login.conf:
Code:
[Seat:*]
greeter-hide-users=true
greeter-show-manual-login=true

Edit /etc/security/group.conf to specify what local groups domain users should be added to during a session. Example:
Code:
*;*;*;Al0000-2400;cdrom,dip,plugdev,lpadmin

Create /usr/share/pam-configs/groups-ldap with the following content:
(File must NOT have a trailing blank line)
Code:
Name: Activate /etc/security/group.conf
Default: no
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass

Enable the group settings and creation of the user's home directory on login:
Code:
$ sudo pam-auth-update
Make sure the following are enabled (do not disable others):
  Activate /etc/security/group.conf
  Create home directory on login
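A small model of how pam_group evaluates group.conf entries such as the one above, added here as an example (it is not code from the post or from pam_group itself, and it omits the '&' operator). The second conf line, the user names, ttys and timestamps are assumed for illustration.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample group.conf: line 1 is the entry from the post, line 2 is an
# assumed extra entry (not from the post) exercising negation and a time window.
GROUP_CONF = """\
# services;ttys;users;times;groups
*;*;*;Al0000-2400;cdrom,dip,plugdev,lpadmin
lightdm;*;!root;Wk0800-1800;scanner
"""

DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}
TIME_ITEM = re.compile(r"^((?:[A-Z][a-z])+)(\d{4})-(\d{4})$")

def _names_match(field, value):
    """Simplified pam_group logic list: items separated by '|', a leading '!'
    negates an item, '*' and shell-style patterns are allowed ('&' not modelled)."""
    for item in field.split("|"):
        neg = item.startswith("!")
        if fnmatchcase(value, item.lstrip("!")) != neg:
            return True
    return False

def _time_matches(field, when):
    """Day codes (Mo..Su, Wk, Wd, Al) followed by HHMM-HHMM; ranges may wrap midnight."""
    hhmm, wday = when.hour * 100 + when.minute, when.weekday()
    for item in field.split("|"):
        neg = item.startswith("!")
        m = TIME_ITEM.match(item.lstrip("!"))
        if not m:
            raise ValueError("bad time spec: " + item)
        codes, start, end = m.group(1), int(m.group(2)), int(m.group(3))
        days = set().union(*(DAYS[codes[i:i + 2]] for i in range(0, len(codes), 2)))
        in_range = start <= hhmm < end if start <= end else (hhmm >= start or hhmm < end)
        if (wday in days and in_range) != neg:
            return True
    return False

def groups_for(conf, service, tty, user, when):
    """Groups pam_group would add for this login; 'when' is a datetime or ISO string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    granted = set()
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times, groups = (f.strip() for f in line.split(";"))
        if (_names_match(services, service) and _names_match(ttys, tty)
                and _names_match(users, user) and _time_matches(times, when)):
            granted.update(g.strip() for g in groups.split(","))
    return sorted(granted)
```

Running it against a real /etc/security/group.conf before enabling the PAM profile shows which groups a given domain user would pick up, which is the easiest way to spot an entry that is broader than intended.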

2
Using the link referenced above I have been able to get this working. I think it should operate without clashing with Zentyal for the most part.

Prepare the user and keytab:
Code:
$ sudo samba-tool user create dhcpduser --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
$ sudo samba-tool user setexpiry dhcpduser --noexpiry
$ sudo samba-tool group addmembers DnsAdmins dhcpduser

$ sudo samba-tool domain exportkeytab --principal=dhcpduser@INTERNAL.EXAMPLE.COM /etc/dhcp/dhcpduser.keytab
$ sudo chown dhcpd:dhcpd /etc/dhcp/dhcpduser.keytab
$ sudo chmod 400 /etc/dhcp/dhcpduser.keytab

Create the update script:
Code:
$ sudo mkdir -p /etc/dhcp/bin
$ sudo vi /etc/dhcp/bin/dhcp-dyndns.sh
[REFER TO ATTACHED FILE]
$ sudo chmod 755 /etc/dhcp/bin/dhcp-dyndns.sh

Zentyal recreates configuration files when modules are restarted. To make modifications to these files we need to create a hook script.
This script adds event statements to the dhcpd.conf that will call our update script, as well as AppArmor rules to give the dhcpd process access to everything the update script requires (note: I do not have much experience with AppArmor so these rules are very much just created with a view to just getting things working, and I welcome any suggestions for improvement).
Code:
$ sudo cp /etc/zentyal/hooks/template.postsetconf /etc/zentyal/hooks/dhcp.postsetconf
$ sudo vi /etc/zentyal/hooks/dhcp.postsetconf
[REFER TO ATTACHED FILE]

Restart the DHCP module from the dashboard.

Forward mapping was working successfully at this point but the adding of reverse map entries was still failing. Example:
Code:
Aug 10 18:16:51 dc1 named[15482]: client 127.0.0.1#60469/key dhcpduser\@INTERNAL.EXAMPLE.COM: updating zone '1.168.192.in-addr.arpa/IN': update failed: rejected by secure update (REFUSED)
Aug 10 18:16:51 dc1 sh[1307]: update failed: REFUSED
Aug 10 18:16:51 dc1 dhcpd: DHCP-DNS Update failed: 02
Aug 10 18:16:51 dc1 dhcpd[1307]: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 512

Add the reverse zone to Samba (it is currently defined in named.conf.local but the named.conf.local.mas file checks if it is in Samba already before adding the definition):
Code:
$ sudo samba-tool dns zonecreate dc1 1.168.192.in-addr.arpa -k yes

Restart the DNS module from the dashboard.

The dashboard reports that the module restart failed and suggests checking /var/log/zentyal/zentyal.log. However, PTR records are now successfully being created.

From /var/log/zentyal/zentyal.log:
Code:
2017/08/10 18:20:17 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command nsupdate -l -t 10 /var/lib/zentyal/tmp/yPKISOiEcj failed.
Error output: update failed: REFUSED

It is failing when trying to create PTR records for the static host entries defined in the DNS section of the web interface (e.g. for dc1 itself).

This change is a bit of a hack and is likely to be overwritten by Zentyal at some point.
Code:
$ sudo cp -a /usr/share/perl5/EBox/DNS.pm /usr/share/perl5/EBox/DNS.pm.orig
$ sudo vi /usr/share/perl5/EBox/DNS.pm
$ diff -u /usr/share/perl5/EBox/DNS.pm.orig /usr/share/perl5/EBox/DNS.pm
--- /usr/share/perl5/EBox/DNS.pm.orig   2017-07-21 21:06:40.000000000 +1000
+++ /usr/share/perl5/EBox/DNS.pm        2017-08-11 14:15:33.022140698 +1000
@@ -1520,7 +1520,7 @@
     my ($self, $fh, $reverse) = @_;

     my $auth = $reverse ? '-l' : '-g';
-    my $cmd = NS_UPDATE_CMD . " $auth -t 10 " . $fh->filename();
+    my $cmd = NS_UPDATE_CMD . " -g -t 10 " . $fh->filename();
     $self->{nsupdateCmds} = [] unless exists $self->{nsupdateCmds};
     push (@{$self->{nsupdateCmds}}, $cmd);
     $fh->unlink_on_destroy(0);
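Review bot: after the change, `$auth` on the line `my $auth = $reverse ? '-l' : '-g';` is assigned but never read, because the new line hardcodes `-g` for both forward and reverse zones. Either remove the `$auth` line or keep the conditional and make `-g` the reverse-zone value, so the reason for the change (the reverse zone now lives in Samba and must be updated with GSSAPI rather than `nsupdate -l`) is visible in the code instead of as a dead variable. Since this is a local edit to a packaged file that an update will overwrite, a one-line comment marking it as a local modification would help whoever diffs DNS.pm later.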

Restarting the DNS module from the dashboard continues to fail, but it works after restarting the server. Reverse lookups for static DNS entries will now work.

TODO: the /var/log/zentyal/zentyal.log file is full of parser warnings from where it encounters the dhcpd event statements while looking for dhcp lease definitions.

3
Context: Zentyal 5.0, with the following roles selected during installation:
 - Domain Controller and File Sharing
 - DNS Server
 - DHCP Server

I have Zentyal running as a domain controller and I am happy with the configuration with the exception that I would like all hosts obtaining an IP address from the DHCP server to trigger a DNS update.

I should note that I have enabled Dynamic DNS and the 'Dynamic domain' and 'Static domain' settings have been configured.

However, it seems that only hosts that have joined the domain are able to trigger a DNS update. Furthermore, it is the host itself that is updating the DNS entries, rather than the DHCP server.

Example of a failed update (representative of Windows, Linux, Android and other hosts):
Code:
Aug  8 16:51:29 dc1 dhcpd[1335]: DHCPACK on 192.168.1.10 to aa:bb:cc:dd:ee:ff via eth0
Aug  8 16:51:29 dc1 named[1474]: samba_dlz: starting transaction on zone internal.example.com
Aug  8 16:51:29 dc1 named[1474]: samba_dlz: spnego update failed
Aug  8 16:51:29 dc1 named[1474]: client 127.0.0.1#31281/key internal.example.com: updating zone 'internal.example.com/NONE': update failed: rejected by secure update (REFUSED)
Aug  8 16:51:29 dc1 named[1474]: samba_dlz: cancelling transaction on zone internal.example.com
Aug  8 16:51:29 dc1 dhcpd[1335]: Unable to add forward map from tst-linux.internal.example.com. to 192.168.1.10: REFUSED

Example of a successful update after the Windows host has joined the domain (note that the DHCP server is still trying to perform updates and these are still failing):
Code:
Aug  8 18:54:26 dc1 named[1474]: client 127.0.0.1#31281/key internal.example.com: updating zone '1.168.192.in-addr.arpa/IN': deleting rrset at '110.1.168.192.in-addr.arpa' PTR
Aug  8 18:54:26 dc1 named[1474]: client 127.0.0.1#31281/key internal.example.com: updating zone '1.168.192.in-addr.arpa/IN': adding an RR at '110.1.168.192.in-addr.arpa' PTR wintst.internal.example.com.
Aug  8 18:54:26 dc1 dhcpd[1335]: DHCPREQUEST for 192.168.1.110 from 11:22:33:44:55:66 (wintst) via eth0
Aug  8 18:54:26 dc1 dhcpd[1335]: DHCPACK on 192.168.1.110 to 11:22:33:44:55:66 (wintst) via eth0
Aug  8 18:54:26 dc1 dhcpd[1335]: Added reverse map from 110.1.168.192.in-addr.arpa. to wintst.internal.example.com
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: starting transaction on zone internal.example.com
Aug  8 18:54:35 dc1 named[1474]: client 192.168.1.110#59072: update 'internal.example.com/IN' denied
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: cancelling transaction on zone internal.example.com
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: starting transaction on zone internal.example.com
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: allowing update of signer=WINTST\$\@INTERNAL.EXAMPLE.COM name=wintst.internal.example.com tcpaddr= type=AAAA key=892-ms-7.1-608e.11111111-2222-3333-4444-555555555555/160/0
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: allowing update of signer=WINTST\$\@INTERNAL.EXAMPLE.COM name=wintst.internal.example.com tcpaddr= type=A key=892-ms-7.1-608e.11111111-2222-3333-4444-555555555555/160/0
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: allowing update of signer=WINTST\$\@INTERNAL.EXAMPLE.COM name=wintst.internal.example.com tcpaddr= type=A key=892-ms-7.1-608e.11111111-2222-3333-4444-555555555555/160/0
Aug  8 18:54:35 dc1 named[1474]: client 192.168.1.110#57633/key WINTST\$\@INTERNAL.EXAMPLE.COM: updating zone 'internal.example.com/NONE': deleting rrset at 'wintst.internal.example.com' AAAA
Aug  8 18:54:35 dc1 named[1474]: client 192.168.1.110#57633/key WINTST\$\@INTERNAL.EXAMPLE.COM: updating zone 'internal.example.com/NONE': deleting rrset at 'wintst.internal.example.com' A
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: subtracted rdataset wintst.internal.example.com 'wintst.internal.example.com.#0111200#011IN#011A#011192.168.1.110'
Aug  8 18:54:35 dc1 named[1474]: client 192.168.1.110#57633/key WINTST\$\@INTERNAL.EXAMPLE.COM: updating zone 'internal.example.com/NONE': adding an RR at 'wintst.internal.example.com' A 192.168.1.110
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: added rdataset wintst.internal.example.com 'wintst.internal.example.com.#0111200#011IN#011A#011192.168.1.110'
Aug  8 18:54:35 dc1 named[1474]: samba_dlz: committed transaction on zone internal.example.com

Is there a recommended way to have this work with Zentyal?

I have come across the approach described in the following link, which is probably worth investigating further. But I would like to avoid fighting against Zentyal too much if I can avoid it.
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
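An added example (not from either post, and not Zentyal or Samba code) that parses the named dynamic-update log lines quoted in both posts and reports which signer and zone pairs were refused, which is the first thing to check when the DHCP server's updates fail. The sample lines are constructed from the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample: lines adapted from the log excerpts quoted in the posts.
SAMPLE_LOG = r"""
Aug 10 18:16:51 dc1 named[15482]: client 127.0.0.1#60469/key dhcpduser\@INTERNAL.EXAMPLE.COM: updating zone '1.168.192.in-addr.arpa/IN': update failed: rejected by secure update (REFUSED)
Aug  8 16:51:29 dc1 named[1474]: client 127.0.0.1#31281/key internal.example.com: updating zone 'internal.example.com/NONE': update failed: rejected by secure update (REFUSED)
Aug  8 18:54:35 dc1 named[1474]: client 192.168.1.110#59072: update 'internal.example.com/IN' denied
Aug  8 18:54:35 dc1 named[1474]: client 192.168.1.110#57633/key WINTST\$\@INTERNAL.EXAMPLE.COM: updating zone 'internal.example.com/NONE': adding an RR at 'wintst.internal.example.com' A 192.168.1.110
Aug  8 18:54:26 dc1 dhcpd[1335]: DHCPACK on 192.168.1.110 to 11:22:33:44:55:66 (wintst) via eth0
"""

# Two shapes of named update message: a signed/keyed "updating zone ..." line and
# an unsigned "update '...' denied" line.
UPDATE_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[\d.]+)#\d+(?:/key (?P<key>\S+))?: "
    r"(?:updating zone '(?P<zone>[^']+)': (?P<action>.*)|update '(?P<zone2>[^']+)' denied)")

def parse_update(line):
    """Return (signer, zone, outcome) for a named update line, or None for other lines."""
    m = UPDATE_RE.search(line)
    if not m:
        return None
    # Syslog escapes '@' and '$' in principal names; strip the backslashes.
    signer = (m.group("key") or "unsigned:" + m.group("client")).replace("\\", "")
    zone = (m.group("zone") or m.group("zone2")).split("/")[0]   # drop the /IN or /NONE class
    action = m.group("action") or "denied"
    outcome = "refused" if ("failed" in action or action == "denied") else "ok"
    return signer, zone, outcome

def summarize(log):
    """Count outcomes per (signer, zone) so a refused key/zone pair stands out."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_update(line)
        if rec:
            counts[rec] += 1
    return counts

def refused_pairs(log):
    """Sorted list of (signer, zone) pairs that had at least one refused update."""
    return sorted({(s, z) for (s, z, o) in summarize(log) if o == "refused"})
```

Feed it `journalctl -u named` or the syslog file; a signer that is refused on exactly one zone usually means that zone is not yet Samba-hosted or the key lacks rights there, whereas an "unsigned:" entry is a client trying an unauthenticated update.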
