Well, on my quest to have a really overly complicated home network configuration, I've completed the DHCP portion, though only after hours of trial and error and research. I actually thought I wasn't going to be able to do it; I was going in the wrong direction in the beginning.

You can skip the next two paragraphs if you just care about the DHCP configuration...

My home network consists of 5 computers, all dual boot except for my SuSE 10.1 server and another server running Windows Server 2003 R2. I want to run separate networks for each OS on the same physical network. When users are booted into Linux I want them to authenticate against the Linux side, and vice versa. I also want to share resources between the two sides, and I want it to be an SSO solution. So my plan is to use DHCP to hand out an IP address on a different network depending on which OS you are booted into. My network is small, but I didn't want to configure static addresses for each OS. Depending on which OS you are in, authentication then takes place on the respective server. I should be able to access the other side because of a cross-realm trust between MIT Kerberos running on Linux and Active Directory. This way I will have to maintain the passwords separately for each realm; since I don't have that many users I don't see that as a problem. DNS will be configured as follows: BIND will be running on SuSE and Microsoft DNS on Windows Server 2003. The reason for separate networks is DNS requirements. AD uses dynamic updates and secures them with GSS-TSIG (RFC 3645), which the version of BIND I'm running does not support. BIND can accept DDNS updates, just not AD's secure ones, and an unsigned update is a single UDP packet that would be trivial to spoof. DNSSEC is not fully supported on Windows Server 2003 either, and I'd also like to keep zone data integrated with AD. Other than that, the version of BIND that I'm using supports the rest of my requirements, including incremental zone transfers (IXFR). Note that a secondary only gets IXFR if the primary can serve it: the zone has to be dynamically updated or have ixfr-from-differences enabled, otherwise every transfer is a full one (AXFR).
It also supports fast transfers (many answers per message, and I think compression, but I haven't seen it use any), so that multiple records travel in a single packet instead of each record being sent separately. On the Windows DNS server you must untick the "BIND secondaries" option for this to work, since that option forces one record per message for the sake of old BIND versions. SRV records are also necessary so that Microsoft clients are able to locate the domain controller and other services (Kerberos, Global Catalog). I would use BIND primarily if it weren't for the issue with secure dynamic updates. Also, zone transfers are not encrypted (TSIG only authenticates them), which would require a VPN if they were running across the Internet. I will probably set that up in the future, even though everything is internal, so that I can learn more about it. Continuing on: I was originally going to have BIND as primary and MS DNS as secondary, but I wanted DDNS to work for AD, so I created separate subdomains for _msdcs, _sites, _tcp, _udp, DomainDnsZones and ForestDnsZones. That way AD can take care of the specific DDNS entries it needs to modify. This requires you to stop netlogon from registering DNS A records, or you will get errors in your logs. Since the realm names were the same at the time, and because I didn't want to disable the registration of A records, I decided instead to make Active Directory its own subdomain. But I am still getting errors where AD tries to perform DDNS updates on my BIND server; I don't quite understand why it even tries to update the parent domain. My attempts so far at a cross-realm trust have failed. I have followed the directions for setting up a trust between them, but it doesn't seem to be working correctly: Ethereal shows the server or workstation going directly to the trusted domain without ever contacting the AD KDC. But that's another topic. Now for the part that is actually related to the title.

My DHCP requirements are that I want to separate known and unknown clients by MAC address and give bogus information to all unknown clients. Then, depending on the dhcp-client-identifier, a known client gets one of two static IP addresses. More specifically, unless the client is requesting with the client identifier "windows", it gets the alternate (Linux-side) static IP. At first I wasn't sure how to match more than one condition, and the man page was lacking examples. Using if statements seemed to be my best bet. I was also incorrectly trying to use classes that contained host or group declarations. I also tried nested if statements, which didn't work either; each time I was trying to include a host or group declaration. I finally found an example with more than one match condition, which started pointing me in the right direction. I knew that fixed-address can only appear in host declarations. I kept reading, and eventually noticed that you can have multiple host declarations with the same hardware ethernet address (a single host declaration, on the other hand, takes only one hardware ethernet line). A host declaration can also match on the client identifier. I ended up making a group that contained both a Linux and a Windows host declaration. This didn't work, and I can understand why now, but at the time it didn't make much sense. Then I read that fixed-address can also list multiple IP addresses. It's supposed to be smart and choose the address that belongs to the network the request came in on, and if none of the addresses is on a network the client is connected to, that host declaration doesn't match. But I have a multi-homed machine, so both interfaces have to be able to accept DHCP requests from both networks. So that wouldn't work for my configuration. At last I stumbled onto shared-network, which lets my subnets share the same physical network.
So I added both subnets to it and created two groups with static addresses, one for each subnet. I figured that since the class match statement supplied the options for the network the client was supposed to be on, dhcpd would be smart enough to pick the matching fixed-address. It didn't: classes only supply options, and the fixed address comes from whichever host declaration matches first. So I tried one last thing. I added the dhcp-client-identifier inside the host declaration for the Windows clients, so that those are matched on the client identifier rather than on the hardware address. Now it works really well!

Two things are worth keeping in mind. The three Windows host declarations all share the identifier "windows", so dhcpd can only tell them apart by their hardware ethernet lines; check the DHCPOFFER lines in dhcpd's log to confirm that each machine really gets its own address. And none of this is a security boundary: a client chooses its own MAC address and its own client identifier, and both "networks" sit on one Ethernet segment, so any host can simply configure itself an address on the other subnet. It separates well-behaved clients, nothing more.

Feel free to correct me on anything that is messed up, and if you have any better ideas about the network design let me know. Yes, I do realize that this topic could be called "Idiot reads man page with success!". Now for my dhcpd.conf...

authoritative;
ddns-update-style none;

# Known machines: one class per OS.  Both classes key on the same three MACs
# (substring (hardware, 1, 6) skips the hardware-type byte that "hardware"
# starts with); the only difference is whether the client sent the client
# identifier "windows".  The grouping is parenthesised explicitly so that it
# does not depend on how the parser ranks "and" against "or".
class "linux" {
  match if (
    (not (option dhcp-client-identifier = "windows")) and
    ( (substring (hardware, 1, 6) = XX:XX:XX:XX:XX:01) or
      (substring (hardware, 1, 6) = XX:XX:XX:XX:XX:02) or
      (substring (hardware, 1, 6) = XX:XX:XX:XX:XX:03) ) );
  option domain-name "example.com";
  option domain-name-servers 192.168.0.1;
  option ip-forwarding off;
  option netbios-name-servers 192.168.0.1;
  option netbios-node-type 8;
  option routers 192.168.0.1;
  default-lease-time 604800;
  max-lease-time 604800;
}

class "windows" {
  match if (
    (option dhcp-client-identifier = "windows") and
    ( (substring (hardware, 1, 6) = XX:XX:XX:XX:XX:01) or
      (substring (hardware, 1, 6) = XX:XX:XX:XX:XX:02) or
      (substring (hardware, 1, 6) = XX:XX:XX:XX:XX:03) ) );
  option domain-name "example.com";
  option domain-name-servers 10.0.0.1;
  option ip-forwarding off;
  option netbios-name-servers 10.0.0.1;
  option netbios-node-type 8;
  option routers 10.0.0.1;
  default-lease-time 604800;
  max-lease-time 604800;
}

# Linux side: these hosts carry no client identifier, so dhcpd matches them
# on the hardware address.
group {
  host host-1 {
    fixed-address 192.168.0.2;
    hardware ethernet XX:XX:XX:XX:XX:01;
  }
  host host-2 {
    fixed-address 192.168.0.3;
    hardware ethernet XX:XX:XX:XX:XX:02;
  }
  host host-3 {
    fixed-address 192.168.0.4;
    hardware ethernet XX:XX:XX:XX:XX:03;
  }
}

# Windows side: the dhcp-client-identifier statement makes dhcpd match these
# on the identifier instead of the hardware address.  All three share the
# same identifier, so the hardware ethernet line is what tells them apart.
group {
  host win-host-1 {
    option dhcp-client-identifier "windows";
    fixed-address 10.0.0.2;
    hardware ethernet XX:XX:XX:XX:XX:01;
  }
  host win-host-2 {
    option dhcp-client-identifier "windows";
    fixed-address 10.0.0.3;
    hardware ethernet XX:XX:XX:XX:XX:02;
  }
  host win-host-3 {
    option dhcp-client-identifier "windows";
    fixed-address 10.0.0.4;
    hardware ethernet XX:XX:XX:XX:XX:03;
  }
}

# Both subnets live on one physical segment.  The pools only ever serve
# clients with no matching host declaration (unknown MACs): a five-minute
# lease with a loopback router and resolver, a TTL of 1 and a throwaway
# domain name, so the client gets nothing usable.  (.invalid is the name
# RFC 2606 reserves for exactly this kind of placeholder.)
shared-network example.com {
  subnet 10.0.0.0 netmask 255.0.0.0 {
    pool {
      option default-ip-ttl 1;
      option default-tcp-ttl 1;
      option domain-name "bogus.net";
      option domain-name-servers 127.0.0.1;
      option ip-forwarding off;
      option routers 127.0.0.1;
      default-lease-time 300;
      max-lease-time 300;
      range 10.123.123.1 10.123.123.254;
    }
  }
  subnet 192.168.0.0 netmask 255.255.255.0 {
    pool {
      option default-ip-ttl 1;
      option default-tcp-ttl 1;
      option domain-name "bogus.net";
      option domain-name-servers 127.0.0.1;
      option ip-forwarding off;
      option routers 127.0.0.1;
      default-lease-time 300;
      max-lease-time 300;
      range 192.168.0.100 192.168.0.109;
    }
  }
}
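To make the matching rules concrete, here is an added example (my own code, not from the original post and not ISC dhcpd's code). It builds the DHCPDISCOVER a client sends, parses it the way a server does (hardware address from chaddr, client identifier from option 61), and applies the class and host rules from the config above to decide what the client gets. The MACs, host tables and shared-network ranges are constructed stand-ins for the XX:XX:XX:XX:XX:0N placeholders; the host-matching order is taken from dhcpd.conf(5), with the assumptions it needs noted in the code. It also reproduces the earlier layout (Windows hosts without a client identifier) to show why that one handed a Windows client the Linux-side address.

```python
"""Added example, not code from the original post or from ISC dhcpd.
Builds a DHCPDISCOVER, parses it server-side and applies the post's
class / host rules.  MACs, hosts and subnets are constructed stand-ins."""
import struct
from ipaddress import ip_address, ip_network

MAGIC = b"\x63\x82\x53\x63"                 # RFC 2131 magic cookie
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"    # the 236-byte fixed BOOTP header

# Constructed MACs standing in for the post's XX:XX:XX:XX:XX:0N placeholders.
MAC1, MAC2, MAC3 = (bytes.fromhex(f"0200aabbcc0{i}") for i in (1, 2, 3))
KNOWN_MACS = {MAC1, MAC2, MAC3}

# Same two groups as the post's dhcpd.conf: hardware-only Linux hosts and
# Windows hosts that additionally carry the client identifier "windows".
HOSTS_AFTER_FIX = [
    {"name": "host-1", "hw": MAC1, "uid": None, "fixed": "192.168.0.2"},
    {"name": "host-2", "hw": MAC2, "uid": None, "fixed": "192.168.0.3"},
    {"name": "host-3", "hw": MAC3, "uid": None, "fixed": "192.168.0.4"},
    {"name": "win-host-1", "hw": MAC1, "uid": b"windows", "fixed": "10.0.0.2"},
    {"name": "win-host-2", "hw": MAC2, "uid": b"windows", "fixed": "10.0.0.3"},
    {"name": "win-host-3", "hw": MAC3, "uid": b"windows", "fixed": "10.0.0.4"},
]
# The post's earlier attempt: the Windows hosts had no client identifier.
HOSTS_BEFORE_FIX = [dict(h, uid=None) for h in HOSTS_AFTER_FIX]
SHARED_NETWORK = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/24")]


def build_discover(mac, client_id=None, xid=0x1234):
    """Minimal BOOTREQUEST carrying DHCPDISCOVER (option 53) and, if given,
    a client identifier (option 61).  A client can put anything in 61."""
    hdr = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 1])
    if client_id is not None:
        opts += bytes([61, len(client_id)]) + client_id
    return hdr + MAGIC + opts + b"\xff"


def parse_packet(pkt):
    """Return what dhcpd's 'hardware' expression sees (type byte followed by
    the address) plus the option map, skipping pad (0) and stopping at end (255)."""
    f = struct.unpack(BOOTP_HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    htype, hlen, chaddr = f[1], f[2], f[11]
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return bytes([htype]) + chaddr[:hlen], options


def classify(hardware, options):
    """The post's two 'match if' expressions: known MAC, split on option 61."""
    if hardware[1:7] not in KNOWN_MACS:        # substring (hardware, 1, 6)
        return None                            # unknown client -> bogus pool
    return "windows" if options.get(61) == b"windows" else "linux"


def fixed_address(hardware, options, hosts):
    """dhcpd.conf(5): a host declaration with a dhcp-client-identifier is
    matched on that identifier; otherwise the hardware address is used.
    Assumed here (consistent with what the post observed): identifier
    matches take precedence over hardware matches, a host's hardware line
    must also agree when several hosts share one identifier, and the first
    candidate whose fixed-address lies inside the shared-network wins."""
    mac, uid = hardware[1:7], options.get(61)
    by_uid = [h for h in hosts
              if h["uid"] is not None and h["uid"] == uid and h["hw"] == mac]
    by_hw = [h for h in hosts
             if h["hw"] == mac and (h["uid"] is None or uid is None)]
    for h in by_uid or by_hw:
        if any(ip_address(h["fixed"]) in net for net in SHARED_NETWORK):
            return h["fixed"]
    return None                                # no host: dynamic pool lease


def serve(pkt, hosts=HOSTS_AFTER_FIX):
    """(class, fixed address) the server would settle on for this packet."""
    hardware, options = parse_packet(pkt)
    return classify(hardware, options), fixed_address(hardware, options, hosts)


if __name__ == "__main__":
    print(serve(build_discover(MAC1, b"windows")))          # Windows side
    print(serve(build_discover(MAC1, b"\x01" + MAC1)))      # default client id
    print(serve(build_discover(MAC2, b"windows"), HOSTS_BEFORE_FIX))
```

Running it shows the point made in the text: with the old layout a client announcing "windows" still got the Linux-side address because both host declarations matched on hardware and the first one won; with the identifier in the host declaration it gets its 10.0.0.x address; an unknown MAC gets nothing from either group. It also shows that option 61 is whatever the client chooses to send, so the identifier (and the MAC, which is just as easy to set) is a convenience, not an access control.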