[Samba] DNS problems

Rowland Penny rowlandpenny at googlemail.com
Fri May 30 07:39:35 MDT 2014


On 30/05/14 14:13, Steve Campbell wrote:
>
> On 5/30/2014 8:53 AM, Rowland Penny wrote:
>> On 30/05/14 13:46, Steve Campbell wrote:
>>>
>>> On 5/30/2014 8:38 AM, Steve Campbell wrote:
>>>>
>>>> On 5/30/2014 8:36 AM, Steve Campbell wrote:
>>>>>
>>>>> On 5/30/2014 8:34 AM, Steve Campbell wrote:
>>>>>>
>>>>>> On 5/30/2014 7:54 AM, steve wrote:
>>>>>>> On Fri, 2014-05-30 at 07:40 -0400, Steve Campbell wrote:
>>>>>>>
>>>>>>>> This in-between DNS server is set up as the server we forward to on the
>>>>>>>> Samba server. Our resolv.conf file has the following:
>>>>>>>>
>>>>>>>> search cnpapers.net
>>>>>>>> nameserver 192.9.200.71
>>>>>>>> nameserver 192.9.200.53
>>>>>>>>
>>>>>>>> 192.9.200.71 is the Samba server
>>>>>>>> 192.9.200.53 is the in-between DNS server
>>>>>>>>
>>>>>>>> The in-between server forwards to our public DNS server where
>>>>>>>> cnpapers.net lives.
>>>>>>> Hi
>>>>>>> Thinking out loud (bad on Fridays), the internal dns can't resolve
>>>>>>> anything apart from its own domain so I think the config should be:
>>>>>>> remove the ns:
>>>>>>> nameserver 192.9.200.53
>>>>>>> and let the internal server forward when it gets a request from outside:
>>>>>>> dns forwarder = 192.9.200.53
>>>>>>> It then doesn't matter what the 'in-between server' does with it.
>>>>>>>
>>>>>>>
>>>>>> Steve,
>>>>>>
>>>>>> Just to be clear, are you saying resolv.conf should be:
>>>>>>
>>>>>> search cnpapers.net
>>>>>> nameserver 192.9.200.71
>>>>>> dns forwarder = 192.9.200.53
>>>>>>
>>>>>>
>>>>>> steve
>>>>> Too quick on the send:
>>>>>
>>>>> Just to be clear, are you saying resolv.conf should be:
>>>>>
>>>>> search cnpapers.net
>>>>> nameserver 192.9.200.71
>>>>> dns forwarder = 192.9.200.53
>>>>>
>>>>> or just rely on the smb.conf to have
>>>>>
>>>>> dns forwarder = 192.9.200.53
>>>>>
>>>>> steve
>>>>>
>>>> And addressed to Rowland not Steve
>>> And addressed to Rowland AND Steve
>>>
>>> Let me clarify.
>>>
>>> cnpapers.net is our zone for our servers. We have many servers in 
>>> this zone, including this samba DC. The entire zone lives on our 
>>> public DNS server(s) which serves the world asking about cnpapers.net.
>>>
>>> We created this samba server within the zone cnpapers.net, so the 
>>> internal samba server must think it has some rights to resolve at 
>>> least part of the cnpapers.net zone. I'm hoping I haven't 
>>> underthought this and hope if a request is made about one of the 
>>> other servers in cnpapers.net, it will forward on to 192.9.200.53. 
>>> It appears that it doesn't forward on the request.
>>>
>>> I'll make the change and see what happens.
>>>
>>> Thanks all (easier than trying to keep track of who is responding)
>>>
>>> steve
>> Oh Dear, I take it you missed this:
>>
>> If your website is example.com, the domain of your AD should be a 
>> subdomain of it, like samdom.example.com (or ad.example.com, 
>> corp.example.com). Avoid using example.com internally.
>>
>> From:
>>
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>>
>> Now I am not a DNS expert, but I think that your domain should be a 
>> totally separate entity from your main domain otherwise you could 
>> have problems.
>>
>> Rowland
>>
> So when we provision, we should have used cnfsp.cnpapers.net instead 
> of cnpapers.net.
>
> We then would use in resolv.conf
> search cnfsp.cnpapers.net
> nameserver 192.9.200.71

This would work, but you would have to set the dns domain on the DC to 
'cnfsp.cnpapers.net' before the provision,
i.e. the DC and all the machines joined to it should be in their own 
subdomain.

>
> Or maybe made up a domain separate from cnpapers.net (for example 
> cnpapersdc.net)?
This would also work, but same 'but' as above, with another but, it 
would be better to use the subdomain idea above ;-)

>
>
> It's certainly not working the way it is now. If I remove the 
> "nameserver 192.9.200.53" from resolv.conf, which is the intermediate 
> DNS server, I can't find other cnpapers.net servers with nslookup (and 
> probably dig). If I add that back, other servers resolve.
This is because the members of 'cnpapers.net' are not in the DC's DNS 
and the external DNS server.

>
> Sounds like we should re-provision?

Probably wise.

Rowland

>
> steve
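
Added example, not part of the original message or of Samba itself: a small Python check for the two points the thread settles on, namely that 'dns forwarder' is an smb.conf [global] parameter rather than a resolv.conf line, and that the AD realm should not be the public zone itself. The function name check_dc_dns and the sample file contents are constructed for illustration from the names and addresses quoted above.

```python
import configparser

# Keywords documented in resolv.conf(5).
RESOLV_KEYWORDS = {"nameserver", "search", "domain", "sortlist", "options"}

def check_dc_dns(resolv_text, smb_text, dc_ip, public_zone):
    """Return findings for a Samba AD DC's own resolver and smb.conf DNS setup."""
    findings, nameservers = [], []
    for raw in resolv_text.splitlines():
        parts = raw.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] not in RESOLV_KEYWORDS:
            findings.append(f"resolv.conf: '{raw.strip()}' is not a resolver directive")
        elif parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
    if nameservers != [dc_ip]:
        findings.append(f"resolv.conf: nameservers {nameservers}, expected only the DC {dc_ip}")

    # smb.conf is INI-like; strip indentation so configparser sees no continuations.
    smb = configparser.ConfigParser(strict=False, interpolation=None)
    smb.read_string("\n".join(line.strip() for line in smb_text.splitlines()))
    glob = smb["global"] if smb.has_section("global") else {}
    if not glob.get("dns forwarder"):
        findings.append("smb.conf: no 'dns forwarder' set in [global]")
    if glob.get("realm", "").lower() == public_zone.lower():
        findings.append(f"smb.conf: realm is the public zone {public_zone} itself")
    return findings

# Constructed sample files using the addresses and names from the thread.
AS_ASKED_RESOLV = """search cnpapers.net
nameserver 192.9.200.71
dns forwarder = 192.9.200.53
"""
AS_ASKED_SMB = """[global]
    realm = CNPAPERS.NET
    dns forwarder = 192.9.200.53
"""
SUBDOMAIN_RESOLV = """search cnfsp.cnpapers.net
nameserver 192.9.200.71
"""
SUBDOMAIN_SMB = """[global]
    realm = CNFSP.CNPAPERS.NET
    dns forwarder = 192.9.200.53
"""

if __name__ == "__main__":
    for name, r, s in (("as asked", AS_ASKED_RESOLV, AS_ASKED_SMB),
                       ("subdomain", SUBDOMAIN_RESOLV, SUBDOMAIN_SMB)):
        print(name, check_dc_dns(r, s, "192.9.200.71", "cnpapers.net"))
```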


