AD DC
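# Promote an additional domain controller into an existing domain.
apt install acl attr samba winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils python3-setproctitle -y
# The join provisions its own smb.conf; a pre-existing one must be removed first.
rm /etc/samba/smb.conf
# Obtain a Kerberos ticket as a domain admin (placeholder account name) so the join
# below needs no -U user%pass on the command line.
kinit domainadminuser
samba-tool domain join domain.local DC
# List all domain users:
wbinfo -u
# To avoid entering user/password when working with domain resources (e.g. with samba-tool):
# export the account's key into a keytab and authenticate from it. A keytab is
# password-equivalent, so keep it root-only (same treatment as /etc/dhcpduser.keytab below).
samba-tool domain exportkeytab --principal=user /etc/user.keytab
chmod 400 /etc/user.keytab
kinit -k -t /etc/user.keytab user
# Show and transfer FSMO roles:
samba-tool fsmo show
samba-tool fsmo transfer --role=all
# Sysvol synchronisation with robocopy: (not yet written up)
# Time server: (not yet written up)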
DHCP
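# Install the ISC DHCP server (non-interactive, matching the apt call in the AD DC section).
apt install -y isc-dhcp-server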
/etc/default/isc-dhcp-server:
# Interface(s) dhcpd serves on; keep this to the LAN-facing interface only.
INTERFACESv4="eth0"
/etc/dhcp/dhcpd.conf:
# Minimal authoritative server for 192.168.1.0/24.
# Built-in DDNS is switched off: DNS is updated by the hook script called from the
# on commit / on release / on expiry handlers instead.
authoritative;
ddns-update-style none;

# Lease timing in seconds: 10 minutes by default, 2 hours at most.
default-lease-time 600;
max-lease-time 7200;

# Options handed out to clients.
option domain-name "domain.local";
option domain-name-servers 192.168.1.3;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.181 192.168.1.200;
  option routers 192.168.1.1;
}
Настройка dyndns:
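# Service account on whose behalf the DHCP server updates DNS records.
# DnsAdmins is an administrative DNS group (write access across zones), which is broader
# than updating one zone needs: keep the account otherwise unprivileged and guard its keytab.
samba-tool user create dhcpduser --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
samba-tool user setexpiry dhcpduser --noexpiry
samba-tool group addmembers DnsAdmins dhcpduser
# Export the account's key so commands can authenticate without a password prompt.
# The keytab is password-equivalent: root-only, and readable by whatever account dhcpd
# runs the hook script as (confirm for your distribution).
samba-tool domain exportkeytab --principal=dhcpduser /etc/dhcpduser.keytab
chmod 400 /etc/dhcpduser.keytab
# Hook script that updates DNS when leases change. The URL is pinned to one gist revision,
# which prevents silent drift but does not verify the content: read the script before
# making it executable, since dhcpd runs it with its own privileges on every lease event.
wget https://gist.githubusercontent.com/rsyuzyov/a7509016cb7bc0a6e3bfea99d88c9c72/raw/c07a161cc98d46737ba9a86dac4d7cb123064293/dhcp-dyndns.sh -O /usr/local/bin/dhcp-dyndns.sh
chmod 755 /usr/local/bin/dhcp-dyndns.sh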
#Добавление обработчиков создания, обновления, удаления записей DHCP:
# Runs when a lease is committed. Builds the arguments for the DNS update script:
#  - noname: fallback name "dhcp-<a>-<b>-<c>-<d>" used when the client sends no host name
#  - ClientIP: the lease address as a dotted quad
#  - ClientDHCID: despite the name, bytes 1-6 of `hardware` (the MAC for Ethernet clients)
#    formatted as aa:bb:cc:dd:ee:ff; the "0" prefix plus suffix(...,2) zero-pads each byte
#  - ClientName: first available of the client's host-name option, the configured
#    host-name, the client-name, or noname
on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientDHCID = concat (
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
);
# NOTE(review): option host-name is supplied by the client and is untrusted. execute()
# hands it to the script as a plain argument, but the script must still validate it as a
# DNS label and treat it as data (not nsupdate/shell syntax) — confirm in dhcp-dyndns.sh.
set ClientName = pick-first-value(option host-name, config-option host-name, client-name, noname);
log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
# Script arguments: add <ip> <mac> <name>
execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}
# Runs when a client releases its lease. Recomputes the same IP and hardware-address
# strings as the commit handler and asks the script to delete the record.
on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# Bytes 1-6 of `hardware` as aa:bb:cc:dd:ee:ff (see the commit handler).
set ClientDHCID = concat (
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
);
log(concat("Release: IP: ", ClientIP));
# Script arguments: delete <ip> <mac> (no name; the expiry handler passes "" and "0" instead —
# the script is presumably expected to cope with both shapes, confirm in dhcp-dyndns.sh).
execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}
# Runs when a lease expires without a release. Only the IP is available here, so the
# script is called with an empty hardware-address field and a "0" marker.
on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails
# however the dhcp update script will obtain the short hostname.
# Script arguments: delete <ip> "" "0" — differs from the release handler's argument shape.
execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
DNS
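# Examples (placeholders: srv-dc = the DC/DNS server, hostname, ipaddr).
# Authenticate with a Kerberos ticket (kinit, or a keytab as in the AD DC section) rather
# than -U user%pass: a password given on the command line lands in shell history and is
# visible in the process list while the command runs. -U user alone prompts for it.
samba-tool dns add srv-dc domain.local hostname A ipaddr -U user
samba-tool dns delete srv-dc domain.local hostname A ipaddr
samba-tool dns query srv-dc domain.local @ A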
Чтобы не вводить user%pass, можно получить keytab пользователя и выполнить kinit.