Ubuntu 12.04 Ultimate Server Guide

Part 10: Secondary Server – DHCP & DNS

It’s now time to consider adding a secondary server into the mix to provide DHCP, DNS, LDAP and Kerberos services in the event of failure/maintenance of the primary server. In this case a stock install of 12.04 server is being used with the hostname morpehus.danbishop.org

First ensure that you have set a static IP address for the secondary server. This is done by editing /etc/network/interfaces like so:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.3
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Now would be a good time to tell the primary server (neo) about the secondary server (morpehus). As morpheus won’t be requesting its IP address using DHCP, it won’t automatically be mapped to DNS. We can change this by adding the following line to the bottom of /etc/dnsmasq.conf on neo.

# DNS for secondary server           
ptr-record=3.0.168.192.in-addr.arpa.,"morpheus.danbishop.org"
address=/morpheus.danbishop.org/192.168.0.3

We should also add morpheus as a secondary DNS server by modifying the DNS section of that file like so:

#DNS Settings
server=/#/192.168.0.2
server=/#/192.168.0.3
server=/#/8.8.8.8
server=/#/8.8.4.4

Notice that we’ve changed from server=/localnet/ to server=/#/ for our two local DNS servers. Using the localnet parameter meant that dnsmasq would only check /etc/hosts and DHCP clients, now however, some DHCP clients are being handled by one server and some by the other, therefore, it’s essential that both servers check each other for local clients.

By default, dnsmasq only provides one DNS server to DHCP clients, that being itself. We want it to provide both itself and the new secondary server so we’ll also add the line:

#provide dhcp clients with both primary and secondary dns 
dhcp-option=6,0.0.0.0,192.168.0.3

This means that neo’s /etc/dnsmasq.conf file now looks like this:

#Use dnsmasq specific hosts file
no-hosts
addn-hosts=/etc/hosts.dnsmasq
#DNS Settings
server=/#/192.168.0.2
server=/#/192.168.0.3
server=/#/8.8.8.8
server=/#/8.8.4.4
#provide dhcp clients with both primary and secondary dns 
dhcp-option=6,0.0.0.0,192.168.0.3
#
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
dhcp-option=19,0           # option ip-forwarding off
dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS ser$
dhcp-option=45,0.0.0.0     # netbios datagram distribution server
dhcp-option=46,8           # netbios node type
#
domain=danbishop.org                            #sets the domain name you're going to use
dhcp-range=192.168.0.50,192.168.0.150,12h       #sets the range from which to allocate IP addresses to clients and the lease time
dhcp-option=option:router,192.168.0.1           #sets the IP address of the router (gateway address) to be given to clients
dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2
dhcp-authoritative                              #makes this the authoritative (in this case ONLY) DHCP server on the network
#
# Server DNS settings... this is required as the server itself will
# not be obtaining it's IP address via DHCP and therefore would
# not be automatically added to the DNS records for forward/reverse
# DNS queries as required by Kerberos
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org"
address=/neo.danbishop.org/192.168.0.2
#
# Kerberos and LDAP automatic stuff...
# This maps kerberos.danbishop.org and
# ldap.danbishop.org to the server and also makes all
# dhcp clients aware of the kerberos realm... magic 😀
address=/kerberos.danbishop.org/192.168.0.2
address=/ldap.danbishop.org/192.168.0.2
#
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464
#
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389
#
# DNS for secondary server
ptr-record=3.0.168.192.in-addr.arpa.,"morpheus.danbishop.org"
address=/morpheus.danbishop.org/192.168.0.3

Secondary DHCP

There are several possible approaches to this, the enterprise-style approach would involve ditching dnsmasq and setting up ISC BIND and DHCP… however, this is very complicated and total overkill for a home/small business setup. Instead, we’re going for the simple approach. Two, equally authoritative DHCP servers serving different IP ranges. If you’ve been following this guide from the beginning, your primary server (neo) will be serving up IPs in the range 192.168.0.50-192.168.0.150, therefore we’ll set the secondary server (morpheus) to serve from 192.168.0.151-192.168.0.250

When both servers are up, it doesn’t matter which provides a new machine with its IP address first. If only one server is running, all new machines will be served IPs from only that server’s range.

sudo apt-get install dnsmasq

Now we’ll configure dnsmasq in the exact same way as neo, with the ip range changed as discussed and also dhcp option 6 set to provide neo as the primary dns server and morpheus as a backup.

sudo nano /etc/dnsmasq.conf
#Use dnsmasq specific hosts file
no-hosts
addn-hosts=/etc/hosts.dnsmasq
#DNS Settings
server=/#/192.168.0.2
server=/#/192.168.0.3
server=/#/8.8.8.8
server=/#/8.8.4.4
#provide dhcp clients with both primary and secondary dns 
dhcp-option=6,192.168.0.2,0.0.0.0
#
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
dhcp-option=19,0           # option ip-forwarding off
dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS ser$
dhcp-option=45,0.0.0.0     # netbios datagram distribution server
dhcp-option=46,8           # netbios node type
#
domain=danbishop.org                            #sets the domain name you're going to use
dhcp-range=192.168.0.151,192.168.0.250,12h       #sets the range from which to allocate IP addresses to clients and the lease time
dhcp-option=option:router,192.168.0.1           #sets the IP address of the router (gateway address) to be given to clients
dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2
dhcp-authoritative                              #makes this the authoritative (in this case ONLY) DHCP server on the network
#
# Server DNS settings... this is required as the server itself will
# not be obtaining it's IP address via DHCP and therefore would
# not be automatically added to the DNS records for forward/reverse
# DNS queries as required by Kerberos
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org"
address=/neo.danbishop.org/192.168.0.2
#
# Kerberos and LDAP automatic stuff...
# This maps kerberos.danbishop.org and
# ldap.danbishop.org to the server and also makes all
# dhcp clients aware of the kerberos realm... magic 😀
address=/kerberos.danbishop.org/192.168.0.2
address=/ldap.danbishop.org/192.168.0.2
#
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464
#
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389
#
# DNS for secondary server
ptr-record=3.0.168.192.in-addr.arpa.,"morpheus.danbishop.org"
address=/morpheus.danbishop.org/192.168.0.3

Don’t forget to create /etc/dnsmasq.hosts on the secondary server to stop /etc/hosts interfering with DNS:

sudo touch /etc/hosts.dnsmasq
  • Christian Oswald

    Hello,
    it’s a very useful tutorial and I learned a lot from it.
    I had also the problem with “Error adding group domainusers to LDAP” and in my case I solved it with switches TLS off in the LDAP-Server. I made it with webmin because I can’t find the correct place for it in the configuration files. I think it depends from the defaults of the ubuntu installation (in my case 14.04).
    But I have also a problem with the kerberos authentification. It works nice on the server (kadmin.local runs, kinit brings a ticket …) but from a client I get all times the error “kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface”.
    I have reinstalled all, checked the configuration file of dnsmasq, krb5 … nothing helps, no firewall runs …
    I have tested a lot – ping, nslookup works and give the correct server. But nmap said that only port 749 is open on the server but in the kdc.conf is written that port 750 and 88 is used. I don’t if it’s important.
    Has anyone any idea for the reason of this error?

    Thanks,
    Christian

  • Jezzirolk

    hey Dan, i have used your guides a few times and they are great. Still work with 14.04 i dont think there was any tweaking i really had to do. i have a question though, is there a reason you disabled cache_credntials. Not saying there arent possible security reasons but i was more curious if there were other technical reasons becasue when connecting a laptop it is providing to make this a bit harder.

    –jezzirolk

    • danbishop88

      Hi Jezzirolk,

      I believe my reason for this was to do with: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1039151

      Basically, without it SSSD tends to come up before your network connection. This forces it into “offline” mode and it won’t even try to reconnect to your ldap/kerberos server until two minutes have elapsed. This prevents anyone from logging in for the full two minutes.

      A better workaround is listed in that thread, which is forcing the login screen to wait for the network to come up before appearing. I intend to move to that if I ever get round to finishing my 14.04 guide.

      Hope that helps…

      Dan

      • Jezzirolk

        Hey Dan,
        this still doesn’t really solve the issues i think, waiting for the network doesn’t do much for my case of a laptop. if i am off site it still wont connect properly unless you try to use cached credentials. Are we saying use cached credentials and then wait for network as to prevent the false negative of can not connect to ldap server? if that’s the case that might work.

        i guess the better question is if i log in off line. how does reconnecting once we end up back on a network with access to the server?

        Any thoughts on this and how to deal with the NFS mounts with laptop or systems that end up off site.

        –jezzirolk