Directory and Authentication / Re: Unable to Join an Ubuntu 16.04 Desktop to my Domain
« on: August 21, 2017, 06:36:08 am »
What behaviour do you see when you try to log in through the GUI?
What are you seeing in /var/log/auth.log?
I usually use realmd and sssd to handle the configuration of clients, so my overall process is slightly different to what you are doing. But the additional steps I take are as follows.
Create /etc/lightdm/lightdm.conf.d/50-manual-login.conf:
Code:
[Seat:*]
greeter-hide-users=true
greeter-show-manual-login=true
Edit /etc/security/group.conf to specify what local groups domain users should be added to during a session. Example:
Code:
*;*;*;Al0000-2400;cdrom,dip,plugdev,lpadmin
Create /usr/share/pam-configs/groups-ldap with the following content:
(File must NOT have a trailing blank line)
Code:
Name: Activate /etc/security/group.conf
Default: no
Priority: 900
Auth-Type: Primary
Auth:
	required			pam_group.so use_first_pass
Enable the group settings and creation of the user's home directory on login:
Code:
$ sudo pam-auth-update
Make sure the following are enabled (do not disable others):
- Activate /etc/security/group.conf
- Create home directory on login
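As an added check (my code, not part of the reply above), here is a small Python reader for /etc/security/group.conf rules that shows which supplementary groups pam_group would add for a given service, tty, user and time. It is worth running before enabling the module, because the `*;*;*;Al0000-2400;...` rule above grants the listed groups to every user on every PAM service around the clock, local accounts included. It supports only the subset of the syntax noted in the comments; the `&`/`|` list operators are assumed unused, and the second rule in the sample is constructed.

```python
from datetime import datetime

# Added example, not from the forum post: a reduced reader for the
# services;ttys;users;times;groups lines of /etc/security/group.conf.
# Supported: '*' wildcards, '!' negation, trailing-'*' prefix match, and
# Mo/Tu/We/Th/Fr/Sa/Su/Wk/Wd/Al day codes with one HHMM-HHMM range.
# The '&' and '|' list operators of the real pam_group syntax are not
# implemented (assumed unused, as in the post's single rule).

# Constructed sample: the post's rule plus a narrower one for console logins.
SAMPLE_GROUP_CONF = """\
# services;ttys;users;times;groups
*;*;*;Al0000-2400;cdrom,dip,plugdev,lpadmin
login;tty*;!root;Wk0800-1800;floppy
"""

DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}

def _field_matches(pattern, value):
    """'*' matches anything, a leading '!' negates, a trailing '*' is a prefix."""
    negate = pattern.startswith("!")
    pattern = pattern.lstrip("!")
    if pattern == "*":
        hit = True
    elif pattern.endswith("*"):
        hit = value.startswith(pattern[:-1])
    else:
        hit = value == pattern
    return hit != negate

def _time_matches(spec, when):
    """spec like 'Al0000-2400': two-letter day code then HHMM-HHMM (local time)."""
    start, end = (int(x) for x in spec[2:].split("-"))
    return when.weekday() in DAYS[spec[:2]] and start <= when.hour * 100 + when.minute < end

def groups_for(conf_text, service, tty, user, when_iso):
    """Sorted union of groups matching rules add; when_iso like '2017-08-21T06:36'."""
    when = datetime.fromisoformat(when_iso)
    granted = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times, groups = line.split(";")
        if (_field_matches(services, service) and _field_matches(ttys, tty)
                and _field_matches(users, user) and _time_matches(times, when)):
            granted.update(g for g in groups.split(",") if g)
    return sorted(granted)
```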
Directory and Authentication / Re: Configuring DNS updates for all DHCP leases (not just domain members)?
« on: August 11, 2017, 07:32:20 am »
Using the link referenced above I have been able to get this working. I think it should operate without clashing with Zentyal for the most part.
Prepare the user and keytab:
Code:
$ sudo samba-tool user create dhcpduser --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
$ sudo samba-tool user setexpiry dhcpduser --noexpiry
$ sudo samba-tool group addmembers DnsAdmins dhcpduser
$ sudo samba-tool domain exportkeytab --principal=dhcpduser@INTERNAL.EXAMPLE.COM /etc/dhcp/dhcpduser.keytab
$ sudo chown dhcpd:dhcpd /etc/dhcp/dhcpduser.keytab
$ sudo chmod 400 /etc/dhcp/dhcpduser.keytab
Create the update script:
Code:
$ sudo mkdir -p /etc/dhcp/bin
$ sudo vi /etc/dhcp/bin/dhcp-dyndns.sh
[REFER TO ATTACHED FILE]
$ sudo chmod 755 /etc/dhcp/bin/dhcp-dyndns.sh
Zentyal recreates configuration files when modules are restarted. To make modifications to these files we need to create a hook script.
This script adds event statements to the dhcpd.conf that will call our update script, as well as AppArmor rules to give the dhcpd process access to everything the update script requires (note: I do not have much experience with AppArmor so these rules are very much just created with a view to just getting things working, and I welcome any suggestions for improvement).
Code:
$ sudo cp /etc/zentyal/hooks/template.postsetconf /etc/zentyal/hooks/dhcp.postsetconf
$ sudo vi /etc/zentyal/hooks/dhcp.postsetconf
[REFER TO ATTACHED FILE]
Restart the DHCP module from the dashboard.
Forward mapping was working successfully at this point but the adding of reverse map entries was still failing. Example:
Code:
Aug 10 18:16:51 dc1 named[15482]: client 127.0.0.1#60469/key dhcpduser\@INTERNAL.EXAMPLE.COM: updating zone '1.168.192.in-addr.arpa/IN': update failed: rejected by secure update (REFUSED)
Aug 10 18:16:51 dc1 sh[1307]: update failed: REFUSED
Aug 10 18:16:51 dc1 dhcpd: DHCP-DNS Update failed: 02
Aug 10 18:16:51 dc1 dhcpd[1307]: execute: /etc/dhcp/bin/dhcp-dyndns.sh exit status 512
Add the reverse zone to Samba (it is currently defined in named.conf.local but the named.conf.local.mas file checks if it is in Samba already before adding the definition):
Code:
$ sudo samba-tool dns zonecreate dc1 1.168.192.in-addr.arpa -k yes
Restart the DNS module from the dashboard.
The dashboard reports that the module restart failed and suggests checking /var/log/zentyal/zentyal.log. However, PTR records are now successfully being created.
From /var/log/zentyal/zentyal.log:
Code:
2017/08/10 18:20:17 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command nsupdate -l -t 10 /var/lib/zentyal/tmp/yPKISOiEcj failed.
Error output: update failed: REFUSED
It is failing when trying to create PTR records for the static host entries defined in the DNS section of the web interface (e.g. for dc1 itself).
This change is a bit of a hack and is likely to be overwritten by Zentyal at some point.
Code:
$ sudo cp -a /usr/share/perl5/EBox/DNS.pm /usr/share/perl5/EBox/DNS.pm.orig
$ sudo vi /usr/share/perl5/EBox/DNS.pm
$ diff -u /usr/share/perl5/EBox/DNS.pm.orig /usr/share/perl5/EBox/DNS.pm
--- /usr/share/perl5/EBox/DNS.pm.orig 2017-07-21 21:06:40.000000000 +1000
+++ /usr/share/perl5/EBox/DNS.pm 2017-08-11 14:15:33.022140698 +1000
@@ -1520,7 +1520,7 @@
my ($self, $fh, $reverse) = @_;
my $auth = $reverse ? '-l' : '-g';
- my $cmd = NS_UPDATE_CMD . " $auth -t 10 " . $fh->filename();
+ my $cmd = NS_UPDATE_CMD . " -g -t 10 " . $fh->filename();
$self->{nsupdateCmds} = [] unless exists $self->{nsupdateCmds};
push (@{$self->{nsupdateCmds}}, $cmd);
$fh->unlink_on_destroy(0);
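Review bot: once the changed line hardcodes `-g`, the preceding `my $auth = $reverse ? '-l' : '-g';` is dead code and should either be removed or become the single place the choice is made (e.g. `my $auth = '-g';`), so the next reader does not assume reverse updates still take the local-key path. Worth a comment at the changed line as well: forcing `-g` for reverse zones only works once the reverse zone exists in Samba (the `samba-tool dns zonecreate` step above); any reverse zone still defined only in named.conf.local would now get the same `update failed: REFUSED` shown earlier instead of the previous `-l` behaviour.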
Restarting the DNS module from the dashboard continues to fail, but it works after restarting the server. Reverse lookups for static DNS entries will now work.
TODO: the /var/log/zentyal/zentyal.log file is full of parser warnings from where it encounters the dhcpd event statements while looking for dhcp lease definitions.
Directory and Authentication / [SOLVED] Configuring DNS updates for all DHCP leases (not just domain members)?
« on: August 09, 2017, 09:54:01 am »
Context: Zentyal 5.0, with the following roles selected during installation:
- Domain Controller and File Sharing
- DNS Server
- DHCP Server
I have Zentyal running as a domain controller and I am happy with the configuration with the exception that I would like all hosts obtaining an IP address from the DHCP server to trigger a DNS update.
I should note that I have enabled Dynamic DNS and the 'Dynamic domain' and 'Static domain' settings have been configured.
However, it seems that only hosts that have joined the domain are able to trigger a DNS update. Furthermore, it is the host itself that is updating the DNS entries, rather than the DHCP server.
Example of a failed update (representative of Windows, Linux, Android and other hosts):
Code:
Aug 8 16:51:29 dc1 dhcpd[1335]: DHCPACK on 192.168.1.10 to aa:bb:cc:dd:ee:ff via eth0
Aug 8 16:51:29 dc1 named[1474]: samba_dlz: starting transaction on zone internal.example.com
Aug 8 16:51:29 dc1 named[1474]: samba_dlz: spnego update failed
Aug 8 16:51:29 dc1 named[1474]: client 127.0.0.1#31281/key internal.example.com: updating zone 'internal.example.com/NONE': update failed: rejected by secure update (REFUSED)
Aug 8 16:51:29 dc1 named[1474]: samba_dlz: cancelling transaction on zone internal.example.com
Aug 8 16:51:29 dc1 dhcpd[1335]: Unable to add forward map from tst-linux.internal.example.com. to 192.168.1.10: REFUSED
Example of a successful update after the Windows host has joined the domain (note that the DHCP server is still trying to perform updates and these are still failing):
Code:
Aug 8 18:54:26 dc1 named[1474]: client 127.0.0.1#31281/key internal.example.com: updating zone '1.168.192.in-addr.arpa/IN': deleting rrset at '110.1.168.192.in-addr.arpa' PTR
Aug 8 18:54:26 dc1 named[1474]: client 127.0.0.1#31281/key internal.example.com: updating zone '1.168.192.in-addr.arpa/IN': adding an RR at '110.1.168.192.in-addr.arpa' PTR wintst.internal.example.com.
Aug 8 18:54:26 dc1 dhcpd[1335]: DHCPREQUEST for 192.168.1.110 from 11:22:33:44:55:66 (wintst) via eth0
Aug 8 18:54:26 dc1 dhcpd[1335]: DHCPACK on 192.168.1.110 to 11:22:33:44:55:66 (wintst) via eth0
Aug 8 18:54:26 dc1 dhcpd[1335]: Added reverse map from 110.1.168.192.in-addr.arpa. to wintst.internal.example.com
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: starting transaction on zone internal.example.com
Aug 8 18:54:35 dc1 named[1474]: client 192.168.1.110#59072: update 'internal.example.com/IN' denied
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: cancelling transaction on zone internal.example.com
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: starting transaction on zone internal.example.com
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: allowing update of signer=WINTST\$\@INTERNAL.EXAMPLE.COM name=wintst.internal.example.com tcpaddr= type=AAAA key=892-ms-7.1-608e.11111111-2222-3333-4444-555555555555/160/0
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: allowing update of signer=WINTST\$\@INTERNAL.EXAMPLE.COM name=wintst.internal.example.com tcpaddr= type=A key=892-ms-7.1-608e.11111111-2222-3333-4444-555555555555/160/0
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: allowing update of signer=WINTST\$\@INTERNAL.EXAMPLE.COM name=wintst.internal.example.com tcpaddr= type=A key=892-ms-7.1-608e.11111111-2222-3333-4444-555555555555/160/0
Aug 8 18:54:35 dc1 named[1474]: client 192.168.1.110#57633/key WINTST\$\@INTERNAL.EXAMPLE.COM: updating zone 'internal.example.com/NONE': deleting rrset at 'wintst.internal.example.com' AAAA
Aug 8 18:54:35 dc1 named[1474]: client 192.168.1.110#57633/key WINTST\$\@INTERNAL.EXAMPLE.COM: updating zone 'internal.example.com/NONE': deleting rrset at 'wintst.internal.example.com' A
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: subtracted rdataset wintst.internal.example.com 'wintst.internal.example.com.#0111200#011IN#011A#011192.168.1.110'
Aug 8 18:54:35 dc1 named[1474]: client 192.168.1.110#57633/key WINTST\$\@INTERNAL.EXAMPLE.COM: updating zone 'internal.example.com/NONE': adding an RR at 'wintst.internal.example.com' A 192.168.1.110
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: added rdataset wintst.internal.example.com 'wintst.internal.example.com.#0111200#011IN#011A#011192.168.1.110'
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: committed transaction on zone internal.example.com
Is there a recommended way to have this work with Zentyal?
I have come across the approach described in the following link, which is probably worth investigating further. But I would like to avoid fighting against Zentyal too much if I can avoid it.
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
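An added triage script (mine, not from this post or the follow-up answer) for the named and samba_dlz syslog lines quoted in this thread. It tallies dynamic updates by signing key, zone and outcome, so the zone-named key being REFUSED, the unsigned `denied` attempt and the `dhcpduser` reverse-zone REFUSED case separate cleanly, and it flags a machine account being allowed to update a record other than its own. The sample log is constructed from the lines in both posts plus one deliberately mismatched entry; the regular expressions assume the message formats seen here.

```python
import re
from collections import Counter

# Added example, not from the forum posts; assumes the named/samba_dlz
# message formats seen in the posts' syslog excerpts.
UPDATE_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[\d.]+)#\d+(?:/key (?P<key>\S+))?: "
    r"(?:updating zone '(?P<zone>[^']+)': (?P<detail>.*)"
    r"|update '(?P<zone2>[^']+)' denied)")
ALLOW_RE = re.compile(
    r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+)")
# Constructed sample modelled on the posts; last entry is a deliberate signer/name mismatch.
SAMPLE_LOG = r"""
Aug 8 16:51:29 dc1 named[1474]: client 127.0.0.1#31281/key internal.example.com: updating zone 'internal.example.com/NONE': update failed: rejected by secure update (REFUSED)
Aug 8 18:54:35 dc1 named[1474]: client 192.168.1.110#59072: update 'internal.example.com/IN' denied
Aug 8 18:54:35 dc1 named[1474]: samba_dlz: allowing update of signer=WINTST\$\@INTERNAL.EXAMPLE.COM name=wintst.internal.example.com tcpaddr= type=A key=892-ms-7.1-608e.11111111-2222-3333-4444-555555555555/160/0
Aug 8 18:54:35 dc1 named[1474]: client 192.168.1.110#57633/key WINTST\$\@INTERNAL.EXAMPLE.COM: updating zone 'internal.example.com/NONE': adding an RR at 'wintst.internal.example.com' A 192.168.1.110
Aug 10 18:16:51 dc1 named[15482]: client 127.0.0.1#60469/key dhcpduser\@INTERNAL.EXAMPLE.COM: updating zone '1.168.192.in-addr.arpa/IN': update failed: rejected by secure update (REFUSED)
Aug 10 18:20:09 dc1 named[15482]: samba_dlz: allowing update of signer=WINTST\$\@INTERNAL.EXAMPLE.COM name=fileserver.internal.example.com tcpaddr= type=A key=892-ms-7.1-608e.11111111-2222-3333-4444-555555555555/160/0
"""

def _unescape(s):  # syslog writes principals as WINTST\$\@REALM
    return s.replace("\\$", "$").replace("\\@", "@")

def parse_updates(log):
    """Return (client, key, zone, outcome) for each dynamic-update line."""
    out = []
    for m in filter(None, map(UPDATE_RE.search, log.splitlines())):
        if m.group("zone2"):  # unsigned update, rejected before any zone work
            out.append((m.group("client"), None, m.group("zone2"), "denied"))
        else:
            outcome = "refused" if "REFUSED" in m.group("detail") else "applied"
            out.append((m.group("client"), _unescape(m.group("key") or ""),
                        m.group("zone"), outcome))
    return out

def outcome_counts(log):
    """Counter keyed by (key, zone, outcome): which credential fails on which zone."""
    return Counter((k, z, o) for _, k, z, o in parse_updates(log))

def signer_mismatches(log):
    """Flag machine accounts (HOST$@REALM) allowed to update a record not their own."""
    bad = []
    for m in filter(None, map(ALLOW_RE.search, log.splitlines())):
        signer = _unescape(m.group("signer"))
        account = signer.split("@")[0]
        if account.endswith("$") and \
                m.group("name").split(".")[0].lower() != account[:-1].lower():
            bad.append((signer, m.group("name")))
    return bad
```

Run it against `journalctl -u bind9` or /var/log/syslog output after the DHCP hook is in place: every `dhcpduser` entry should land in the `applied` bucket and `signer_mismatches` should stay empty.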