Remove DNS entry DEFINITELY

Hi all,

On my UCS Master DC I got 2 net interfaces (The first for everything except DHCP, the second for everything AND DHCP)

The problem is that I don’t want the second net interface to be listed in the DNS (it causes errors when joining machines from outside the second network).

When I remove the second net interface address from DNS it respawns again and again; I’ve tried via Web Management and the univention-directory-manager command line.

How can I remove this entry DEFINITELY ?

Rgds,

Valentin


Hi Valentin,

there are some interconnections between the dns and the dhcp daemons, so first let’s check out your relevant configuration:

[code]root@ucs: ~# ucr search --brief ^interfaces/[/code]

and the dhcp config:

[code]root@ucs: ~# udm dhcp/service list

root@ucs: ~# udm dhcp/host list --superordinate $(udm dhcp/service list | sed -ne 's/DN: //p')
[/code]

Maybe there is also a hint in ‘/var/log/daemon.log’ → something like: ‘…[named] … dns update’

Hi Valentin,

I’m guessing your master is a Samba 4 AD DC.
If so, Samba is interfering with your desired DNS settings by automatically re-adding the DNS entries.

You can try to exclude the second interface by adding it to the ucr variable “samba/register/exclude/interfaces”
(don’t forget to restart samba afterwards by executing “service samba restart”)

If you remove the dns entries they shouldn’t reappear.

Regards,
Gronkdalonka

Hi stoeckigt and Gronkdalonka,

First, thanks to you two for answering my question.

I’ve set samba/register/exclude/interfaces to eth1 which is my secondary interface.

But now my DNS sets the entry with a random IP:

[code]dig mlk-srv-ucs01

; <<>> DiG 9.8.3-P1 <<>> mlk-srv-ucs01
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32817
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;mlk-srv-ucs01. IN A

;; ANSWER SECTION:
mlk-srv-ucs01. 900 IN A 172.17.42.1 // Unwanted IP address
mlk-srv-ucs01. 900 IN A 192.168.0.115
[/code]

Rgds,

Valentin

samba/register/exclude/interfaces: <your unwanted interface> This variable defines network interfaces which are ignored by samba (e.g. eth0). Multiple values need to be separated by blanks.

Setting a “whitelist”

[code]samba/interfaces/bindonly:
If this variable is set to ‘yes’, Samba only listens to requests on the network interfaces specified in the variable ‘samba/interfaces’. If the variable is unset, Samba listens on all interfaces.
Categories: service-samba

samba/interfaces:
If the variable ‘samba/interfaces/bindonly’ is set to ‘yes’, Samba only binds to the interfaces listed in this variable. Multiple entries need to be separated by blanks.
Categories: service-samba[/code]

Usage:

[code]# ucr set samba/interfaces='lo <some_interface> <some_other_interface>'

# ucr set samba/interfaces/bindonly='yes'[/code]

I would advise testing this in a testing environment, especially the configuration with samba/interfaces/bindonly. Restart Samba afterwards:

[code]# service samba restart[/code]

Hi all,

I was on the right track but forgot some unwanted interfaces.

The ip 172.17.42.1 is the docker0 interface.

After excluding it:

[code]ucr set samba/register/exclude/interfaces='eth1 docker0'
service samba restart[/code]

It works like a charm.

Thanks all,

Rgds

Valentin

Is there any chance to make this UCR value write/change protected?
Every now and then my change gets rejected and I need to exclude my unwanted interface again.

There’s no mechanism to mark UCR variables read-only.

At my company and a couple of our clients we use system management tools such as SaltStack and Ansible to manage fleets of Linux servers, including Univention servers. I use these tools in order to have certain UCR variables set to certain values; the whole set of rules is applied automatically & regularly. That might be an alternative for your use-case, too.
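One way to implement the automatic, regular re-application described above, as an added example that is not from this thread or from Univention: a POSIX shell script suitable for a cron job or a config-management run that merges the unwanted interfaces into samba/register/exclude/interfaces and restarts Samba only when drift is detected. `ucr get`, `ucr set` and `service samba restart` are the UCS commands already used in the thread; the WANTED_EXCLUDES values (eth1 and docker0, taken from the thread) and the `--apply` flag are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: enforce samba/register/exclude/interfaces so that the
# listed interfaces are never registered in DNS by Samba, re-applying the UCR
# value only when something has removed one of them (drift detection).

# Interfaces that must never be registered; values taken from the thread.
WANTED_EXCLUDES="eth1 docker0"

# merge_excludes CURRENT WANTED
# Prints the space-separated union of both lists, keeping order, no duplicates.
merge_excludes() {
    _merged=""
    for _iface in $1 $2; do
        case " $_merged " in
            *" $_iface "*) ;;                              # already present
            *) _merged="${_merged:+$_merged }$_iface" ;;   # append
        esac
    done
    printf '%s\n' "$_merged"
}

# needs_update CURRENT WANTED
# Returns 0 (true) if any wanted interface is missing from CURRENT, else 1.
needs_update() {
    for _iface in $2; do
        case " $1 " in
            *" $_iface "*) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# Read the live UCR value, and only touch the system when it has drifted.
enforce_excludes() {
    _current=$(ucr get samba/register/exclude/interfaces 2>/dev/null)
    if needs_update "$_current" "$WANTED_EXCLUDES"; then
        _new=$(merge_excludes "$_current" "$WANTED_EXCLUDES")
        ucr set "samba/register/exclude/interfaces=$_new"
        service samba restart
        echo "updated: '$_current' -> '$_new'"
    else
        echo "ok: $_current"
    fi
}

# Usage: sh enforce-samba-excludes.sh --apply   (file name is an assumption)
if [ "${1:-}" = "--apply" ]; then
    enforce_excludes
fi
```

Because the script only calls `ucr set` and restarts Samba when a wanted interface is actually missing, running it every few minutes from cron is cheap and leaves DNS untouched while the value is correct.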
