Can't change AD IP address

NethServer Version: 7.3 RC3 with all updates
**Module:** sssd and AD?

Folks, we changed red to our ISP and green from 192.168.2.x to 192.168.1.1 to match our machines. We can’t change the Accounts provider bridge IP address. Please help. We are so close on this. Thanks all!

Jonah

Changing the IP address of an Active Directory controller is dangerous. We have a procedure for nethserver-dc but I don’t know if it works. Please read the links to Samba documentation carefully before applying it to a production server!

http://docs.nethserver.org/projects/nethserver-devel/en/v7rc/nethserver-dc.html#changing-the-ip-address-of-dc

BTW, why did you change the green network? Was it really needed?

Yes, it WAS really needed because we couldn’t take the whole network’s Internet down and we had to validate the functionality safely. This I would think is a basic operation. I understand not changing the name of the server, but to not be able to change the IP of the server will make many enterprise prospects think twice before using it. To gain acceptance in the mainstream that will need to be addressed. I’ve found a few things on templates. It shouldn’t be a big deal for people to change the following settings in the dnsmasq.conf configuration (which I can’t change in the file directly due to the templating system):

server=192.168.2.2 (should be able to change these to the ones in question) (we have 3 entries, 2 out of 3 are correct). Need to change one to the new WAN IP and the other to the new internal IP of 192.168.1.1.

#
# 50sssd -- the Samba Domain controller is
# the authoritative DNS for our realm/domain
#
server=/(domain name)/192.168.x.x

Would need to change this to a new reserved internal IP.

If this can be set up in a wizard (like on installation), why can’t you use a similar process to reconfigure the IPs rather than reinstall the ENTIRE operating system? I realize it may be a work in progress, but this will be important to gain serious acceptance over, say, ClearOS or similar established SMB servers.

Anyway, thanks for the info. I’ve looked up some of the templates as well. I understand the design, but many have said in many ways it’s not straight forward for some. Again, thanks for the speedy response.


Going through your instructions. A point of clarification.

The instructions here:

Example, change the network address (“122” becomes “101”):
domain dpnet.nethesis.it, realm DPNET.NETHESIS.IT
bridge is br0
current host IP: 192.168.122.7
current gateway IP: 192.168.122.1
current nsdc container IP: 192.168.122.77
new host IP: 192.168.101.7
new gateway IP: 192.168.101.1
new nsdc container IP: 192.168.101.77

These are referring to the GREEN interface, right?

Yep! [Confirmed]

Okay, we have partial success. We’ve changed the settings as suggested (skipped the Kerberos file step as we didn’t use Kerberos on the DC). The message in red “Account provider error: invalid DN. Check Base DN, Groups DN and Users DN in Accounts provider configuration” is still there, and there are long delays in getting back data from some of the web admin pages as well as ssh to the machine. I believe it has to do with the settings in the dnsmasq.conf generated by the wizard. I see this entry still in /etc/dnsmasq.conf:

./dnsmasq.conf:server=/intimateinteractive.int/192.168.2.10

Why isn’t this changed? I believe the problem now is that nothing has changed in the dnsmasq.conf. Any ideas how to get this part to work properly?

Here is the entire /etc/dnsmasq.conf file (with minor private data removed):

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l. 
# http://www.nethesis.it - support@nethesis.it
# 
#
# 10base
#



# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#     as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts" 
domain=(domainname).int


#
# 20dns
#

# Never forward plain names (without a dot or domain part)
domain-needed


domain-needed

# Never forward addresses in the non-routed address spaces.
bogus-priv


# Domain is automatically added to simple names in a hosts-file.
expand-hosts

cache-size=4000
#
# 25NameServers
#

# Don't read /etc/resolv.conf. Get upstream servers only from the
# command line or the dnsmasq configuration file.
no-resolv

# Specify IP address of upstream servers directly. Setting this flag
# does not suppress reading of /etc/resolv.conf, use "no-resolv" to do
# that.

server=192.168.1.1
# (this should be our red interface static IP I believe)
server=8.8.8.8
server=192.168.2.2
# (this is no longer in the network, this should be the new internal (green) IP, 192.168.1.1)


# By  default,  dnsmasq  will  send queries to any of the upstream
# servers it knows about and tries to favour servers to are  known
# to  be  up.  Uncommenting this forces dnsmasq to try each query
# with  each  server  strictly  in  the  order  they   appear   in
# /etc/resolv.conf
strict-order


#
# 30dhcp
#

# Enable the DHCP server. Addresses will be given out from the range
# <start-addr> to <end-addr> and from statically defined addresses
# given in dhcp-host options. 
# See db configuration getprop dnsmasq DhcpStatus

dhcp-range=set:br0,192.168.1.100,192.168.1.180,255.255.255.0,86400

dhcp-option=tag:br0,option:router,192.168.1.1
dhcp-lease-max=82


# Should be set when dnsmasq is definitely the only DHCP server on a
# network.
dhcp-authoritative

# Read dhcp reservations from dhcp-hostsfile. 
# See dhcp-hosts option for more informations.
dhcp-hostsfile=/etc/dnsmasq-dhcp-hosts

#
# 35NetbiosNameServers
#
# disabled

#
# 40bind
#

except-interface=enp2s0
except-interface=virbr0

#
# 50sssd -- the Samba Domain controller is
# the authoritative DNS for our realm/domain
# 
server=/(domainname).int/192.168.2.10
# (this should be 192.168.1.5)

#
# 80tftp
#
enable-tftp
tftp-root=/var/lib/tftpboot
dhcp-option=66,"192.168.1.1"
#
# 80xmpp_srv_records
#
srv-host=_xmpp-client._tcp.(domainname).int,dc2.(domainname).int,5222,0,5
srv-host=_xmpp-server._tcp.(domainname).int,dc2..(domainname).int,5269,0,5

So how do I get the proper changes to stick here? Yes, I know about the custom template, but given this should be the BASE configuration, is there another more straightforward/intuitive way to get these settings properly generated in this file?

Please paste the output of

config show sssd
config show nsdc

The following command reconfigures dnsmasq with values from esmith DB:

signal-event nethserver-dnsmasq-save

Okay, tried that last step with the krb5.conf file. I added this entry:

[realms]
(domainname) = {
kdc = 192.168.1.5
}

and I ran the samba_dnsupdate. Here is what I got:

Looking for DNS entry A nsdc-dc2.(domainname) 192.168.1.5 as nsdc-dc2.(domainname).
Failed to find matching DNS entry A nsdc-dc2.(domainname) 192.168.1.5
need update: A nsdc-dc2.(domainname) 192.168.1.5
Looking for DNS entry A (domainname) 192.168.1.5 as (domainname).
Failed to find matching DNS entry A (domainname) 192.168.1.5
need update: A (domainname) 192.168.1.5
Looking for DNS entry SRV _ldap._tcp.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.dc._msdcs.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.dc._msdcs.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.1937ac0b-e18f-47d3-a7a5-e1d2407e9c25.domains._msdcs.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.1937ac0b-e18f-47d3-a7a5-e1d2407e9c25.domains._msdcs.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.1937ac0b-e18f-47d3-a7a5-e1d2407e9c25.domains._msdcs.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _kerberos._tcp.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._tcp.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._tcp.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _kerberos._udp.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._udp.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._udp.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._tcp.dc._msdcs.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._tcp.dc._msdcs.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _kpasswd._tcp.(domainname) nsdc-dc2.(domainname) 464 as _kpasswd._tcp.(domainname).
Checking 0 100 464 nsdc-dc2.(domainname). against SRV _kpasswd._tcp.(domainname) nsdc-dc2.(domainname) 464
Looking for DNS entry SRV _kpasswd._udp.(domainname) nsdc-dc2.(domainname) 464 as _kpasswd._udp.(domainname).
Checking 0 100 464 nsdc-dc2.(domainname). against SRV _kpasswd._udp.(domainname) nsdc-dc2.(domainname) 464
Looking for DNS entry CNAME abeb7b7a-7973-4f5f-a30b-b51d492965a5._msdcs.(domainname) nsdc-dc2.(domainname) as abeb7b7a-7973-4f5f-a30b-b51d492965a5._msdcs.(domainname).
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.Default-First-Site-Name._sites.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._tcp.Default-First-Site-Name._sites.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname) nsdc-dc2.(domainname) 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname).
Checking 0 100 88 nsdc-dc2.(domainname). against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.(domainname) nsdc-dc2.(domainname) 88
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.pdc._msdcs.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.pdc._msdcs.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry A gc._msdcs.(domainname) 192.168.1.5 as gc._msdcs.(domainname).
Failed to find matching DNS entry A gc._msdcs.(domainname) 192.168.1.5
need update: A gc._msdcs.(domainname) 192.168.1.5
Looking for DNS entry SRV _gc._tcp.(domainname) nsdc-dc2.(domainname) 3268 as _gc._tcp.(domainname).
Checking 0 100 3268 nsdc-dc2.(domainname). against SRV _gc._tcp.(domainname) nsdc-dc2.(domainname) 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.(domainname) nsdc-dc2.(domainname) 3268 as _ldap._tcp.gc._msdcs.(domainname).
Checking 0 100 3268 nsdc-dc2.(domainname). against SRV _ldap._tcp.gc._msdcs.(domainname) nsdc-dc2.(domainname) 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 3268 as _gc._tcp.Default-First-Site-Name._sites.(domainname).
Checking 0 100 3268 nsdc-dc2.(domainname). against SRV _gc._tcp.Default-First-Site-Name._sites.(domainname) nsdc-dc2.(domainname) 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.(domainname) nsdc-dc2.(domainname) 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.(domainname).
Checking 0 100 3268 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.(domainname) nsdc-dc2.(domainname) 3268
Looking for DNS entry A DomainDnsZones.(domainname) 192.168.1.5 as DomainDnsZones.(domainname).
Failed to find matching DNS entry A DomainDnsZones.(domainname) 192.168.1.5
need update: A DomainDnsZones.(domainname) 192.168.1.5
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.DomainDnsZones.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.DomainDnsZones.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry A ForestDnsZones.(domainname) 192.168.1.5 as ForestDnsZones.(domainname).
Failed to find matching DNS entry A ForestDnsZones.(domainname) 192.168.1.5
need update: A ForestDnsZones.(domainname) 192.168.1.5
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.ForestDnsZones.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.ForestDnsZones.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.(domainname) nsdc-dc2.(domainname) 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.(domainname).
Checking 0 100 389 nsdc-dc2.(domainname). against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.(domainname) nsdc-dc2.(domainname) 389
Looking for DNS entry A nsdc-dc2.(domainname) 192.168.2.10 as nsdc-dc2.(domainname).
need delete: A nsdc-dc2.(domainname) 192.168.2.10
Looking for DNS entry A (domainname) 192.168.2.10 as (domainname).
need delete: A (domainname) 192.168.2.10
Looking for DNS entry A gc._msdcs.(domainname) 192.168.2.10 as gc._msdcs.(domainname).
need delete: A gc._msdcs.(domainname) 192.168.2.10
Looking for DNS entry A DomainDnsZones.(domainname) 192.168.2.10 as DomainDnsZones.(domainname).
need delete: A DomainDnsZones.(domainname) 192.168.2.10
Looking for DNS entry A ForestDnsZones.(domainname) 192.168.2.10 as ForestDnsZones.(domainname).
need delete: A ForestDnsZones.(domainname) 192.168.2.10
5 DNS updates and 5 DNS deletes needed
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 631, in <module>
    get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 123, in get_credentials
    raise e
RuntimeError: kinit for NSDC-DC2$@(domainname) failed (Cannot contact any KDC for requested realm)

as requested:

config show sssd
sssd=service
AdDns=192.168.1.5
LdapURI=
Provider=ad
status=enabled

config show nsdc
nsdc=service
IpAddress=192.168.1.5
bridge=br0
status=enabled
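The developer’s request above boils down to a consistency check: the esmith DB (`config show sssd` / `config show nsdc`) is the source of truth, and `signal-event nethserver-dnsmasq-save` should regenerate dnsmasq.conf from it. The script below is an added example, not NethServer code: it parses the two `config show` blocks and the `server=` lines of dnsmasq.conf, and reports every entry that still points at the old subnet or disagrees with the DB. The domain `example.int`, the subnets, and the sample file contents are constructed from the values quoted in this thread.

```python
"""Audit dnsmasq.conf against the esmith DB after a green/DC address change.

Added example (not NethServer code). Reads the text that `config show sssd`
and `config show nsdc` print, plus the `server=` lines of dnsmasq.conf, and
lists anything that still references the old subnet or contradicts the DB.
"""
import ipaddress
import re

# Constructed sample data modelled on the thread; example.int is a placeholder domain.
CONFIG_SHOW = """\
sssd=service
AdDns=192.168.1.5
LdapURI=
Provider=ad
status=enabled

nsdc=service
IpAddress=192.168.1.5
bridge=br0
status=enabled
"""

DNSMASQ_CONF = """\
no-resolv
server=192.168.1.1
server=8.8.8.8
server=192.168.2.2
strict-order
server=/example.int/192.168.2.10
"""


def parse_config_show(text):
    """Return {record: {prop: value}} from concatenated `config show` output.

    The first line of each record is `name=type`; the following `prop=value`
    lines belong to it until a blank line.
    """
    records, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None
            continue
        key, _, value = line.partition("=")
        if current is None:
            current = key
            records[current] = {"type": value}
        else:
            records[current][key] = value
    return records


def parse_servers(conf):
    """Split dnsmasq `server=` lines into plain upstreams and per-domain forwarders."""
    upstreams, forwarders = [], {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"server=(?:/([^/]+)/)?(\S+)$", line)
        if not m:
            continue
        domain, ip = m.groups()
        if domain:
            forwarders[domain.lower()] = ip
        else:
            upstreams.append(ip)
    return upstreams, forwarders


def audit(config_text, conf_text, domain, green_net, old_net):
    """Return a list of findings; an empty list means dnsmasq agrees with the DB."""
    db = parse_config_show(config_text)
    upstreams, forwarders = parse_servers(conf_text)
    green = ipaddress.ip_network(green_net)
    old = ipaddress.ip_network(old_net)
    findings = []

    ad_dns = db.get("sssd", {}).get("AdDns")
    dc_ip = db.get("nsdc", {}).get("IpAddress")
    if ad_dns != dc_ip:
        findings.append(f"sssd AdDns {ad_dns} != nsdc IpAddress {dc_ip}")
    if dc_ip and ipaddress.ip_address(dc_ip) not in green:
        findings.append(f"nsdc IpAddress {dc_ip} is outside green {green}")

    # The realm forwarder must point at the DC the account provider uses.
    fwd = forwarders.get(domain.lower())
    if fwd is None:
        findings.append(f"no server=/{domain}/ forwarder in dnsmasq.conf")
    elif fwd != ad_dns:
        findings.append(f"forwarder for {domain} is {fwd}, esmith AdDns is {ad_dns}")

    # Any plain upstream still in the old subnet is a leftover from before the move.
    for ip in upstreams:
        if ipaddress.ip_address(ip) in old:
            findings.append(f"upstream server={ip} still in old subnet {old}")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG_SHOW, DNSMASQ_CONF, "example.int",
                         "192.168.1.0/24", "192.168.2.0/24"):
        print("MISMATCH:", finding)
```

On a live box the same check would be fed with `config show sssd nsdc` and `/etc/dnsmasq.conf`; a leftover plain upstream comes from the esmith `dns` database (the “Network > DNS servers” page) rather than from the sssd or nsdc records, so it survives a `nethserver-dnsmasq-save` even when the realm forwarder is regenerated correctly.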

Something does not match… Did you execute both signal-event at step 5?

I think the problem is that this DC has no Kerberos configured, so this step doesn’t apply. But we do still need to change the DNS entries for the domain where they exist… Sorry if the messages here are frequent, just trying to give all possible relevant information.

Did a grep for the IP address that needs to be changed, recursively in /var/lib/machines/nsdc, and here is what I found:

/var/lib/machines/nsdc/var/lib/samba/private/dns_update_cache:A nsdc-dc2.(domainname).int 192.168.2.10
/var/lib/machines/nsdc/var/lib/samba/private/dns_update_cache:A (domainname).int 192.168.2.10
/var/lib/machines/nsdc/var/lib/samba/private/dns_update_cache:A gc._msdcs.(domainname).int 192.168.2.10
/var/lib/machines/nsdc/var/lib/samba/private/dns_update_cache:A DomainDnsZones.(domainname).int 192.168.2.10
/var/lib/machines/nsdc/var/lib/samba/private/dns_update_cache:A ForestDnsZones.(domainname).int 192.168.2.10
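The `samba_dnsupdate` run pasted earlier computed a plan (5 updates, 5 deletes) and then aborted in `get_credentials` before applying it, and the grep shows the same five A records still cached with the old address. The script below is an added example, not Samba or NethServer code: it parses the `need update:` / `need delete:` lines and the `dns_update_cache` A records, pairs every stale old-address record with the new-address record meant to replace it, and flags deletes with no replacement or records carrying an address that is neither the old nor the new one. The domain `example.int` and the sample output are constructed from the lines quoted in this thread.

```python
"""Triage what samba_dnsupdate wants to change after a DC address move.

Added example (not Samba or NethServer code). Parses the plan lines that
samba_dnsupdate prints and the A records in dns_update_cache, and checks that
every old-address record is paired with a new-address replacement.
"""
import re

# Constructed sample shaped like the thread's output; example.int is a placeholder.
SAMBA_DNSUPDATE_OUTPUT = """\
Looking for DNS entry A nsdc-dc2.example.int 192.168.1.5 as nsdc-dc2.example.int.
Failed to find matching DNS entry A nsdc-dc2.example.int 192.168.1.5
need update: A nsdc-dc2.example.int 192.168.1.5
need update: A example.int 192.168.1.5
need update: A gc._msdcs.example.int 192.168.1.5
need update: A DomainDnsZones.example.int 192.168.1.5
need update: A ForestDnsZones.example.int 192.168.1.5
need delete: A nsdc-dc2.example.int 192.168.2.10
need delete: A example.int 192.168.2.10
need delete: A gc._msdcs.example.int 192.168.2.10
need delete: A DomainDnsZones.example.int 192.168.2.10
need delete: A ForestDnsZones.example.int 192.168.2.10
5 DNS updates and 5 DNS deletes needed
RuntimeError: kinit for NSDC-DC2$@EXAMPLE.INT failed (Cannot contact any KDC for requested realm)
"""

DNS_UPDATE_CACHE = """\
A nsdc-dc2.example.int 192.168.2.10
A example.int 192.168.2.10
A gc._msdcs.example.int 192.168.2.10
A DomainDnsZones.example.int 192.168.2.10
A ForestDnsZones.example.int 192.168.2.10
"""

PLAN_RE = re.compile(r"^need (update|delete): (\S+) (\S+) (.+)$")


def parse_plan(output):
    """Return ({'update': {(type, name): data}, 'delete': {...}}, kinit_failed)."""
    plan = {"update": {}, "delete": {}}
    kinit_failed = False
    for line in output.splitlines():
        m = PLAN_RE.match(line.strip())
        if m:
            action, rtype, name, data = m.groups()
            plan[action][(rtype, name.rstrip(".").lower())] = data.strip()
        elif "kinit for" in line and "failed" in line:
            # get_credentials() raised: the plan above was computed but not applied.
            kinit_failed = True
    return plan, kinit_failed


def parse_cache(cache):
    """Return [(name, address)] for the A records in a dns_update_cache dump."""
    records = []
    for line in cache.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "A":
            records.append((parts[1].rstrip(".").lower(), parts[2]))
    return records


def triage(output, cache, old_ip, new_ip):
    """Pair stale A records with their replacements and report anything odd."""
    plan, kinit_failed = parse_plan(output)
    deletes = {n: ip for (t, n), ip in plan["delete"].items() if t == "A"}
    updates = {n: ip for (t, n), ip in plan["update"].items() if t == "A"}
    replaced, orphaned, unexpected = [], [], []
    for name, ip in deletes.items():
        if ip != old_ip:
            unexpected.append(f"delete A {name} {ip}")
        elif updates.get(name) == new_ip:
            replaced.append(name)
        else:
            orphaned.append(name)  # old record goes away with nothing replacing it
    for name, ip in updates.items():
        if ip != new_ip:
            unexpected.append(f"update A {name} {ip}")
    cache_stale = sorted(n for n, ip in parse_cache(cache) if ip == old_ip)
    return {
        "replaced": sorted(replaced),
        "orphaned_deletes": sorted(orphaned),
        "unexpected": sorted(unexpected),
        "cache_stale": cache_stale,
        "kinit_failed": kinit_failed,
    }


if __name__ == "__main__":
    report = triage(SAMBA_DNSUPDATE_OUTPUT, DNS_UPDATE_CACHE, "192.168.2.10", "192.168.1.5")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A clean result is one where every stale name appears under `replaced`, `orphaned_deletes` and `unexpected` are empty, and `kinit_failed` is false; as long as the machine account cannot obtain a ticket, the cache entries stay at the old address no matter how many times the plan is recomputed.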

Yes I did. Weird. I’ll try it again.

Here are the screen output results:

# signal-event interface-update

Broadcast message from nut@dc2.(domainname).int (Mon Feb  6 11:19:41 2017):

Communications with UPS UPS@127.0.0.1 lost

Broadcast message from nut@dc2.(domainname).int (Mon Feb  6 11:19:46 2017):

Communications with UPS UPS@127.0.0.1 established

# signal-event nethserver-dnsmasq-save
(no output)

Rechecked the file in an attempt to manually reconfigure, because I figured that if it wasn’t changing my settings this should cause no issues, and found this entry updated:

#
# 50sssd -- the Samba Domain controller is
# the authoritative DNS for our realm/domain
#
server=/(domainname).int/192.168.1.5

But the old server entry, server=192.168.2.2, is still there, which is invalid. How do we get that out?

(Kind of weird how it didn’t seem to alter it the first time I ran this and rebooted to be sure the changes fully took effect… could be me, I suppose, but I’m sure I saw the UPS entries the first 2 times I ran it.)

Oh, there was a typo in my entry. should have read “192.168.1.5” not “192.168.1.5”. I edited the posting. Sorry about that…


Is it your upstream DNS? Please check page “Network > DNS servers”

Samba DC is compiled with builtin heimdal kerberos. Should work…

No, we added no entries in the DNS interface. It isn’t in there. Hosts and Server aliases are empty. Also, we have some headway: a different error message in the upper red banner:

AccountProvider_Error_113