[Samba] DNS problems

Steve Campbell campbell at cnpapers.com
Fri May 30 08:13:01 MDT 2014


On 5/30/2014 9:39 AM, Rowland Penny wrote:
> On 30/05/14 14:13, Steve Campbell wrote:
>>
>> On 5/30/2014 8:53 AM, Rowland Penny wrote:
>>> On 30/05/14 13:46, Steve Campbell wrote:
>>>>
>>>> On 5/30/2014 8:38 AM, Steve Campbell wrote:
>>>>>
>>>>> On 5/30/2014 8:36 AM, Steve Campbell wrote:
>>>>>>
>>>>>> On 5/30/2014 8:34 AM, Steve Campbell wrote:
>>>>>>>
>>>>>>> On 5/30/2014 7:54 AM, steve wrote:
>>>>>>>> On Fri, 2014-05-30 at 07:40 -0400, Steve Campbell wrote:
>>>>>>>>
>>>>>>>>> This in-between DNS server is set up as the server we forward to
>>>>>>>>> on the Samba server. Our resolv.conf file has the following:
>>>>>>>>>
>>>>>>>>> search cnpapers.net
>>>>>>>>> nameserver 192.9.200.71
>>>>>>>>> nameserver 192.9.200.53
>>>>>>>>>
>>>>>>>>> 192.9.200.71 is the Samba server
>>>>>>>>> 192.9.200.53 is the in-between DNS server
>>>>>>>>>
>>>>>>>>> The in-between server forwards to our public DNS server where
>>>>>>>>> cnpapers.net lives.
>>>>>>>> Hi
>>>>>>>> Thinking out loud (bad on Fridays), the internal dns can't resolve
>>>>>>>> anything apart from its own domain so I think the config should be:
>>>>>>>> remove the ns:
>>>>>>>> nameserver 192.9.200.53
>>>>>>>> and let the internal server forward when it gets a request from outside:
>>>>>>>> dns forwarder = 192.9.200.53
>>>>>>>> It then doesn't matter what the 'in-between server' does with it.
>>>>>>>>
>>>>>>>>
>>>>>>> Steve,
>>>>>>>
>>>>>>> Just to be clear, are you saying resolv.conf should be:
>>>>>>>
>>>>>>> search cnpapers.net
>>>>>>> nameserver 192.9.200.71
>>>>>>> dns forwarder = 192.9.200.53
>>>>>>>
>>>>>>>
>>>>>>> steve
>>>>>> Too quick on the send:
>>>>>>
>>>>>> Just to be clear, are you saying resolv.conf should be:
>>>>>>
>>>>>> search cnpapers.net
>>>>>> nameserver 192.9.200.71
>>>>>> dns forwarder = 192.9.200.53
>>>>>>
>>>>>> or just rely on the smb.conf to have
>>>>>>
>>>>>> dns forwarder = 192.9.200.53
>>>>>>
>>>>>> steve
>>>>>>
>>>>> And addressed to Rowland not Steve
>>>> And addressed to Rowland AND Steve
>>>>
>>>> Let me clarify.
>>>>
>>>> cnpapers.net is our zone for our servers. We have many servers in 
>>>> this zone, including this samba DC. The entire zone lives on our 
>>>> public DNS server(s) which serves the world asking about
>>>> cnpapers.net.
>>>>
>>>> We created this samba server within the zone cnpapers.net, so the 
>>>> internal samba server must think it has some rights to resolve at 
>>>> least part of the cnpapers.net zone. I'm hoping I haven't 
>>>> underthought this and hope if a request is made about one of the 
>>>> other servers in cnpapers.net, it will forward on to 192.9.200.53. 
>>>> It appears that it doesn't forward on the request.
>>>>
>>>> I'll make the change and see what happens.
>>>>
>>>> Thanks all (easier than trying to keep track of who is responding)
>>>>
>>>> steve
>>> Oh Dear, I take it you missed this:
>>>
>>> If your website is example.com, the domain of your AD should be a 
>>> subdomain of it, like samdom.example.com (or ad.example.com, 
>>> corp.example.com). Avoid using example.com internally.
>>>
>>> From:
>>>
>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>>>
>>> Now I am not a DNS expert, but I think that your domain should be a 
>>> totally separate entity from your main domain otherwise you could 
>>> have problems.
>>>
>>> Rowland
>>>
>> So when we provision, we should have used cnfsp.cnpapers.net instead 
>> of cnpapers.net.
>>
>> We then would use in resolv.conf
>> search cnfsp.cnpapers.net
>> nameserver 192.9.200.71
>
> This would work, but you would have to set the dns domain on the DC to 
> 'cnfsp.cnpapers.net' before the provision,
> i.e. the DC and all the machines joined to it should be in their own 
> subdomain.
>
>>
>> Or maybe made up a domain separate from cnpapers.net (for example 
>> cnpapersdc.net)?
> This would also work, but same 'but' as above, with another but, it 
> would be better to use the subdomain idea above ;-)
>
>>
>>
>> It's certainly not working the way it is now. If I remove the 
>> "nameserver 192.9.200.53" from resolv.conf, which is the intermediate 
>> DNS server, I can't find other cnpapers.net servers with nslookup 
>> (and probably dig). If I add that back, other servers resolve.
> This is because the members of 'cnpapers.net' are not in the DC's DNS 
> and the external DNS server.
>
>>
>> Sounds like we should re-provision?
>
> Probably wise.
>
> Rowland
>
>>
>> steve
>
Using another machine we've been testing on also:

The server has a hostname of testserver.somedomain.com (made up)
Provisioned with a Realm of ts.mydomain.com
All works now.

DNS shows a server of testserver.ts.mydomain.com

Starting to get the picture now. All forwarding seems to work.

Thanks

steve
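
The layout problems raised in this thread (AD realm identical to the public zone, a second nameserver in the DC's resolv.conf, and an smb.conf option pasted into resolv.conf) can be checked mechanically. The following is an added example, not part of any post in the thread; the function names are hypothetical and the smb.conf `realm` values are constructed, since the thread never shows that file.

```python
import re

def parse_resolv(text):
    """Split resolv.conf text into (search domains, nameservers, unknown lines)."""
    search, servers, unknown = [], [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] in ("search", "domain"):
            search += [d.lower() for d in fields[1:]]
        elif fields[0] == "nameserver" and len(fields) > 1:
            servers.append(fields[1])
        elif fields[0] not in ("options", "sortlist"):
            unknown.append(" ".join(fields))
    return search, servers, unknown

def smb_option(text, name):
    """Value of one smb.conf parameter, or None (section headers are ignored here)."""
    m = re.search(rf"^[ \t]*{re.escape(name)}[ \t]*=[ \t]*(\S.*?)[ \t]*$",
                  text, re.M | re.I)
    return m.group(1) if m else None

def check_dc_dns(resolv_text, smb_text, dc_ip, public_zone):
    """Return findings for the DNS layout problems discussed in the thread."""
    search, servers, unknown = parse_resolv(resolv_text)
    realm = (smb_option(smb_text, "realm") or "").lower()
    findings = []
    if realm == public_zone.lower():        # AD realm collides with the public zone
        findings.append("realm-equals-public-zone")
    if dc_ip not in servers:                # the DC must resolve through itself
        findings.append("dc-not-a-nameserver")
    findings += [f"extra-nameserver:{s}" for s in servers if s != dc_ip]
    if any("=" in line for line in unknown):  # e.g. 'dns forwarder = ...'
        findings.append("smb-option-in-resolv.conf")
    if realm and realm not in search:
        findings.append("search-domain-is-not-realm")
    if smb_option(smb_text, "dns forwarder") is None:
        findings.append("no-dns-forwarder")
    return findings

# Constructed inputs: addresses and zone names are from the thread, realm lines are assumed.
BEFORE_RESOLV = "search cnpapers.net\nnameserver 192.9.200.71\nnameserver 192.9.200.53\n"
BEFORE_SMB = "[global]\n    realm = CNPAPERS.NET\n    dns forwarder = 192.9.200.53\n"
AFTER_RESOLV = "search cnfsp.cnpapers.net\nnameserver 192.9.200.71\n"
AFTER_SMB = "[global]\n    realm = CNFSP.CNPAPERS.NET\n    dns forwarder = 192.9.200.53\n"

if __name__ == "__main__":
    print(check_dc_dns(BEFORE_RESOLV, BEFORE_SMB, "192.9.200.71", "cnpapers.net"))
    print(check_dc_dns(AFTER_RESOLV, AFTER_SMB, "192.9.200.71", "cnpapers.net"))
```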

