[Samba] DRS stopped working after upgrade from debian Jessie to Stretch

L.P.H. van Belle belle at bazuin.nl
Wed Jun 21 12:08:43 UTC 2017


Bit off topic.

*(debian Stretch) 
man systemd-networkd
man systemd.network

       Domains=
           A list of domains which should be resolved using the DNS servers on this link. Each item in the list should be a domain name, optionally prefixed with a tilde ("~"). The domains with the
           prefix are called "routing-only domains". The domains without the prefix are called "search domains" and are first used as search suffixes for extending single-label host names (host names
           containing no dots) to become fully qualified domain names (FQDNs). If a single-label host name is resolved on this interface, each of the specified search domains are appended to it in
           turn, converting it into a fully qualified domain name, until one of them may be successfully resolved.

           Both "search" and "routing-only" domains are used for routing of DNS queries: look-ups for host names ending in those domains (hence also single label names, if any "search domains" are
           listed), are routed to the DNS servers configured for this interface. The domain routing logic is particularly useful on multi-homed hosts with DNS servers serving particular private DNS
           zones on each interface.

           The "routing-only" domain "~."  (the tilde indicating definition of a routing domain, the dot referring to the DNS root domain which is the implied suffix of all valid DNS names) has special
           effect. It causes all DNS traffic which does not match another configured domain routing entry to be routed to DNS servers specified for this interface. This setting is useful to prefer a
           certain set of DNS servers if a link on which they are connected is available.

           This setting is read by systemd-resolved.service(8). "Search domains" correspond to the domain and search entries in resolv.conf(5). Domain name routing has no equivalent in the traditional
           glibc API, which has no concept of domain name servers limited to a specific link.

And 
       UseDomains=
           Takes a boolean argument, or the special value "route". When true, the domain name received from the DHCP server will be used as DNS search domain over this link, similar to the effect of
           the Domains= setting. If set to "route", the domain name received from the DHCP server will be used for routing DNS queries only, but not for searching, similar to the effect of the Domains=
           setting when the argument is prefixed with "~". Defaults to false.

           It is recommended to enable this option only on trusted networks, as setting this affects resolution of all host names, in particular of single-label names. It is generally safer to use the
           supplied domain only as routing domain, rather than as search domain, in order to not have it affect local resolution of single-label names.

           When set to true, this setting corresponds to the 'domain' option in resolv.conf(5).



Even if they are mutually exclusive, some programs look for the "domain" setting and not search. 

And understand me right.. , it's not that I want to be right here, that I don't care. 
I'm just saying, that if the system installer puts in both, keep both and Debian uses both.. 

That's the only reason to keep both in resolv.conf ( for Debian then ). 


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Wednesday 21 June 2017 13:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] DRS stopped working after upgrade from 
> debian Jessie to Stretch
> 
> On Wed, 21 Jun 2017 12:41:52 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hai,
> > 
> > Before you start,
> > 
> > Backup, /etc/  /var/lib/samba  better safe than sorry.. 
> > 
> > Stop samba and related services ( check it at least nmbd smbd winbind
> > samba samba-ad-dc)
> > 
> 
> > 
> > Well here is a choice, I prefer to keep the Debian settings, which 
> > would be : ( and yes Rowland I know.. ;-) domain/search )
> > domain net.lyc-guillaume-fichet.ac-grenoble.fr
> > search net.lyc-guillaume-fichet.ac-grenoble.fr
> > nameserver 172.16.0.20
> > 
> 
> This wouldn't be the first stupid thing that Debian has done ;-)
> 
> From 'man resolv.conf' :
> 
>        The domain and search keywords are mutually exclusive.
>        If more than one instance  of  these  keywords  is
>        present, the last instance wins.
> 
> So there is absolutely no point in adding the domain line, 
> but you go ahead and add it Louis, it is after all your computer ;-)
> 
> > > 
> > > hosts:          files mdns4_minimal [NOTFOUND=return] dns
> > This can cause problems, change to : 
> > hosts:          files dns  mdns4_minimal [NOTFOUND=return]
> > ( or remove avahi-daemon and remove the part mdns4.. [NOT.. )
> 
> Totally agree, this should be changed and if you are forced 
> to use '.local' you definitely should remove Avahi.
> 
> > > KEYTABS
> > > I now have three versions of the machine keytab. Each one was 
> > > put in /var/lib/samba/private/secrets.keytab but never solved the 
> > > problem.
> 
> OK, /etc/krb5.keytab != /var/lib/samba/private/secrets.keytab
> 
> They are used for different things, so unless you have 
> something that requires /etc/krb5.keytab, you can remove it.
> 
> Not sure if this helps, but you could try checking the 
> 'msDS-SupportedEncryptionTypes' attribute of your computers in AD.
> 
> Rowland
> 
> 
> 
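The two configuration points argued in this thread, written as a check (an added example, not part of the original messages): which search list survives when resolv.conf carries both `domain` and `search`, and whether the `hosts:` order stops lookups before `dns` is tried. `samdom.local` is a hypothetical AD domain, and the code assumes `mdns4_minimal` only answers for `.local` names.

```python
# Added example; sample files are constructed from the values quoted in the thread.
SAMPLE_RESOLV = """\
domain net.lyc-guillaume-fichet.ac-grenoble.fr
search net.lyc-guillaume-fichet.ac-grenoble.fr
nameserver 172.16.0.20
"""
SAMPLE_NSSWITCH = "hosts:          files mdns4_minimal [NOTFOUND=return] dns\n"


def effective_search(resolv_text):
    """Return (search_list, both_present) using 'the last instance wins'."""
    search, seen = [], set()
    for raw in resolv_text.splitlines():
        if raw.startswith(("#", ";")):        # resolv.conf comment lines
            continue
        fields = raw.split()
        if len(fields) >= 2 and fields[0] in ("domain", "search"):
            seen.add(fields[0])
            # 'domain' carries one name, 'search' a list; each replaces the other
            search = fields[1:2] if fields[0] == "domain" else fields[1:]
    return search, len(seen) == 2


def hosts_sources(nsswitch_text):
    """Return the tokens of the 'hosts:' line, in lookup order."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []


def mdns_blocks_dns(nsswitch_text, ad_domain):
    """True if mdns*_minimal [NOTFOUND=return] precedes dns for a .local domain."""
    tokens = hosts_sources(nsswitch_text)
    if "dns" not in tokens:
        return False
    before_dns = tokens[:tokens.index("dns")]
    is_local = ad_domain.lower().rstrip(".").endswith(".local")
    for i, tok in enumerate(before_dns[:-1]):
        if tok.startswith("mdns") and tok.endswith("_minimal"):
            if before_dns[i + 1].upper() == "[NOTFOUND=RETURN]" and is_local:
                return True
    return False


if __name__ == "__main__":
    print(effective_search(SAMPLE_RESOLV))
    print(mdns_blocks_dns(SAMPLE_NSSWITCH, "samdom.local"))  # hypothetical domain
```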



