[Samba] Question about domain name with BIND9_DLZ
Daniel Carrasco Marín
danielmadrid19 at gmail.com
Sat Apr 18 08:37:09 MDT 2015
2015-04-18 15:54 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 18/04/15 14:42, Daniel Carrasco Marín wrote:
>
>> Thanks!!
>>
>> I've restored the server, I've installed everything from backports to start with a
>> clean configuration, and I've tried the suggestions, but I've got the same
>> result. The Windows machine is using the router's DHCP server, but DNS is
>> configured manually to use the server as DNS.
>>
>
> If the Windows machines are set up to use the router for DHCP, but you are
> overriding the DNS server on each Windows box, I have to ask, why bother
> with DHCP at all? Just set an IP address etc. on each Windows box and forget
> DHCP.
>
>
>> Anyway, I can live with that because I can log in using HOME\User and it works
>> fine. It was only curiosity.
>>
>
> AD depends on DNS; if this gets out of sync, you are in trouble. It would
> be better to choose one system: either set all machines etc. as static DNS,
> or use DHCP and set it up correctly. You could always do what I do, turn
> off DHCP on the router and run DHCP on the AD server.
>
Thanks for the suggestion. I only use the router as DHCP on my test machine
because it is a personal computer with virtual machines and I don't need a
real DHCP server. On the production network we have 3 servers to do all the
work:
- DHCP server
- DNS server
- Domain server
I want to migrate the DNS server (Bind 9.8) and Domain server (Samba 3.6)
to a new machine, upgrading both to the latest versions (Samba4 and Bind 9.9),
of course pointing the DNS entry in the DHCP server to the new domain/DNS
server.
Greetings!!
> Rowland
>
>>
>> Greetings!!
>>
>> 2015-04-18 14:31 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>
>> On 18/04/15 13:03, Daniel Carrasco Marín wrote:
>>
>> Thanks for your answer.
>>
>> My OS is Debian 7u8 on the server, and Windows 7 on the client.
>>
>>
>> If you enable wheezy backports, you can install bind9.9.5 and will
>> not have to compile it yourself.
>>
>>
>> I'm doing the test on virtual machines and the DHCP server is
>> a simple router. Anyway I'm using a static IP:
>> iface eth0 inet static
>> address 192.168.1.100
>> netmask 255.255.255.0
>> network 192.168.1.0
>> broadcast 192.168.1.255
>> gateway 192.168.1.1
>> dns-nameservers 192.168.1.100 8.8.8.8
>> dns-search home.red
>>
>>
>> Yes, but what are the Windows clients being given by DHCP?
>>
>>
>> and /etc/resolv.conf
>> domain HOME
>> search HOME
>> nameserver 192.168.1.100
>> nameserver 8.8.8.8
>>
>>
>>
>> And there is one of your problems (well, several actually):
>> remove the domain line, 'domain' & 'search' are mutually exclusive
>> in resolv.conf, the last one wins.
>> Your DNS domain name is not 'HOME', that is your Windows
>> workgroup/domain name, replace it with 'home.red'.
>> Remove the 'nameserver 8.8.8.8' line, it belongs in
>> /etc/bind/named.conf.options as a forwarder.
>>
>>
>> The bind9 config is not set up, because I did some tests at my
>> work with a configured bind9 server and the result was the
>> same, so I've not tried to set a better configuration:
>> include "/usr/local/samba/private/named.conf";
>> include "/etc/bind/rndc.key";
>>
>> controls {
>> inet 127.0.0.1 port 953
>> allow { 127.0.0.1; 192.168.1.100; } keys { "rndc-key"; };
>> };
>>
>> options {
>> directory "/var/local/cache/bind";
>> allow-new-zones yes;
>> transfers-in 500;
>> empty-zones-enable yes;
>> //forwarders { 8.8.8.8; 8.8.4.4; };
>> recursion yes;
>> //allow-transfer {"none";};
>> allow-query { any; };
>> allow-recursion { any; };
>>
>> dnssec-validation auto;
>>
>> auth-nxdomain no; # conform to RFC1035
>> listen-on-v6 { any; };
>>
>> rate-limit {
>> responses-per-second 5;
>> #window 5;
>> #log-only yes;
>> };
>> };
>>
>> zone "." {
>> type hint;
>> file "/etc/bind/db.root";
>> };
>>
>>
>> OK, put the bind9 config files back to what they were.
>> change /etc/bind/named.conf to match this:
>>
>> include "/etc/bind/named.conf.options";
>> include "/etc/bind/named.conf.local";
>> include "/etc/bind/named.conf.default-zones";
>> include "/var/lib/samba/private/named.conf";
>>
>> NOTE: you will probably have to change the last line because you
>> have compiled samba4 yourself
>>
>> change /etc/bind/named.conf.options to match this:
>>
>> options {
>> directory "/var/cache/bind";
>>
>> // If there is a firewall between you and nameservers you want
>> // to talk to, you may need to fix the firewall to allow multiple
>> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>>
>> // If your ISP provided one or more IP addresses for stable
>> // nameservers, you probably want to use them as forwarders.
>> // Uncomment the following block, and insert the addresses replacing
>> // the all-0's placeholder.
>>
>> forwarders { 8.8.8.8; 8.8.4.4; };
>> // 0.0.0.0;
>> // };
>>
>>
>> //========================================================================
>> // If BIND logs error messages about the root key being expired,
>> // you will need to update your keys. See https://www.isc.org/bind-keys
>>
>> //========================================================================
>> dnssec-validation no;
>>
>> auth-nxdomain no; # conform to RFC1035
>> listen-on-v6 { any; };
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> Again, you will have to change the 'tkey-gssapi-keytab' line.
>>
>> The above is taken from my working machine.
>>
>> In the client machine I've configured the Samba server as DNS.
>>
>>
>> Good
>>
>>
>> Greetings!!
>>
>>
>> 2015-04-18 13:25 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>
>> On 18/04/15 12:11, Daniel Carrasco Marín wrote:
>>
>> Hi, first of all I'm sorry for my English.
>>
>> I'm doing some tests to migrate a Samba3 domain to Samba4 with
>> BIND9_DLZ, but the Domain name in the Windows information is not
>> correct. It is not a problem because all works as expected, but I
>> want to know if I'm doing something wrong that can cause problems
>> in the future.
>>
>> I've done the tests with this command:
>>
>> samba-tool domain provision --use-rfc2307 --realm=home.red --domain=HOME
>> --adminpass="Pass" --server-role=dc --dns-backend=BIND9_DLZ
>>
>> If I use the samba internal backend then the Domain Name in
>> Windows is right (HOME) and the machine name doesn't change (machine),
>> but if I use the BIND9_DLZ backend then the domain name is changed
>> (home.red) and the machine name too (machine.home.red).
>>
>> Samba version is 4.2.1 stable compiled from git, and bind is
>> the 9.9.7 compiled from source.
>> I've used these options to compile:
>> Samba:
>> ./configure --sysconfdir=/etc/samba --bindir=/usr/bin --sbindir=/usr/sbin
>> --with-winbind
>>
>> Bind:
>> ./configure --with-gssapi=/usr/include/gssapi --with-openssl=/usr
>> --enable-largefile --with-dlopen=yes --sysconfdir=/etc/bind
>> --bindir=/usr/bin --sbindir=/usr/sbin --enable-threads --enable-rrl
>>
>> and of course I've included the line
>> include "/usr/local/samba/private/named.conf"; in the BIND9 named.conf,
>> and I've uncommented the right version in that file.
>> The command "smbclient -L localhost -U%" shows the right info.
>>
>> Am I doing something wrong?
>> Can it be problematic in the future?
>> Is there any way to fix it?
>>
>> Thanks!!
>>
>>
>> What OS?
>>
>> Do your Windows clients get their IP addresses via DHCP?
>> And if so, is the DHCP server supplying the domain name?
>>
>> How have you set up bind9?
>>
>> Rowland
>>
>> -- To unsubscribe from this list go to the following
>> URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
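The resolv.conf rules Rowland gives above (no 'domain' alongside 'search', the AD DNS domain rather than the NetBIOS name, and no external resolver listed on the DC) turned into a check. This is an added example, not code from the thread; the sample file is reconstructed from Daniel's post, and the realm and DC address are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: lint a resolv.conf on a Samba AD DC for
# the problems Rowland pointed out. Args: file, AD DNS realm, DC IP address.
# Prints one finding per line; the return code is the number of findings.
lint_resolv_conf() {
    file=$1 realm=$2 dc_ip=$3
    findings=0
    # 'domain' and 'search' are mutually exclusive; the last one wins.
    n_domain=$(awk '$1 == "domain" { n++ } END { print n + 0 }' "$file")
    n_search=$(awk '$1 == "search" { n++ } END { print n + 0 }' "$file")
    if [ "$n_domain" -gt 0 ] && [ "$n_search" -gt 0 ]; then
        echo "both 'domain' and 'search' present; keep only one of them"
        findings=$((findings + 1))
    fi
    # The value must be the AD DNS domain (e.g. home.red), not the NetBIOS
    # workgroup name (e.g. HOME); compare case-insensitively.
    for word in $(awk '$1 == "domain" || $1 == "search" { for (i = 2; i <= NF; i++) print $i }' "$file"); do
        if [ "$(printf '%s' "$word" | tr 'A-Z' 'a-z')" != "$realm" ]; then
            echo "'$word' is not the AD DNS domain '$realm'"
            findings=$((findings + 1))
        fi
    done
    # On the DC only the DC itself should be a nameserver; an external
    # resolver belongs in named.conf.options as a forwarder, otherwise
    # lookups for the AD zone can go to a server that knows nothing about it.
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$file"); do
        if [ "$ns" != "$dc_ip" ]; then
            echo "nameserver $ns is not the DC ($dc_ip); make it a bind forwarder instead"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample reproducing the resolv.conf posted in the thread.
sample=$(mktemp)
printf 'domain HOME\nsearch HOME\nnameserver 192.168.1.100\nnameserver 8.8.8.8\n' > "$sample"
lint_resolv_conf "$sample" home.red 192.168.1.100
echo "$? problem(s) found (0 means consistent with the AD setup)"
rm -f "$sample"
```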