[Samba] DNS (bind_dlz) forwarding not working

Elias Pereira empbilly at gmail.com
Tue May 16 20:04:26 UTC 2017


>
> Not so much forgetting but not understanding ;-)


- Internal DNS that responds to our services (site, moodle, etc) -
ns.myinstitution.edu (registered in registro.br)
- Samba DNS answering for samba stuff - addc.myinstitution.edu

Maybe it's better to use SAMBA_INTERNAL instead of BIND_DLZ?

On Tue, May 16, 2017 at 4:29 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 16 May 2017 15:12:38 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I provisioned a Samba AD with the bind_dlz option. So far so
> > good. I followed the Samba wiki.
> >
> > I have a DNS for our external access services (website, moodle, etc)
> > and I'm using it as a forwarder to AD but it is not working.
> >
> > On a Win7 machine I configured the AD IP as the primary DNS and put it
> > in the domain. When I try to access, for example, "wiki.samba.org" it
> > opens normally, but when I try to access our site
> > "www.myinstitution.edu" it does not open.
> >
> > I have reviewed the bind and samba settings several times and they do
> > not show any errors.
> >
> > *Note: All services (www, dns, moodle, etc) and user computers have
> > public IP.*
> >
> > *Here are my settings:*
> >
> > *named.conf*
> >
> > include "/etc/bind/named.conf.options";
> > include "/etc/bind/named.conf.local";
> > include "/etc/bind/named.conf.default-zones";
> > include "/var/lib/samba/private/named.conf";
> > include "/etc/bind/named.conf.log";
> >
> > *db.local*
> > ;
> > ; BIND data file for local loopback interface
> > ;
> > $TTL    604800
> > @       IN      SOA     localhost. root.localhost. (
> >                               2         ; Serial
> >                          604800         ; Refresh
> >                           86400         ; Retry
> >                         2419200         ; Expire
> >                          604800 )       ; Negative Cache TTL
> > ;
> > @       IN      NS      localhost.
> > @       IN      A       127.0.0.1
> > @       IN      AAAA    ::1
> > addc    IN      A       xxx.xxx.xxx.6
> >
> > _kerberos._udp.myinstitution.edu. IN SRV 0 100 88 addc
> > _ldap._tcp.myinstitution.edu. IN SRV 0 100 389 addc
> > _kpasswd._udp.myinstitution.edu. IN SRV 0 100 464 addc
> >
> > *named.conf.options*
> >
> > acl clientes {
> >         127.0.0.1;
> >         mylocalsubnets; # public IP subnets
> > };
> >
> > options {
> >         directory "/var/cache/bind";
> >
> >         recursion yes;
> >         allow-query {
> >                 clientes;
> >         };
> >
> >         forwarders {
> >                 xxx.xxx.xxx.10; # Our DNS
> >         };
> >         forward only;
> >
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >
> >         dnssec-validation auto;
> >
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on-v6 { any; };
> >         listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.6; };
> > };
> > xxx.xxx.xxx.6 -> Ip of AD
> >
> > *smb.conf*
> >
> > # Global parameters
> > [global]
> >         netbios name = ADDC
> >         realm = MYINSTITUTION.EDU
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> >         workgroup = MYINSTITUTION
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/myinstitution.edu/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > Am I forgetting something?
> >
>
> Not so much forgetting but not understanding ;-)
>
> Your dns for AD should be in AD, all of it, these are my named files:
>
> named.conf
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> named.conf.options
>
> options {
>         directory "/var/cache/bind";
>         version "0.0.7";
>         notify no;
>         empty-zones-enable no;
>         allow-query { 127.0.0.1; 192.168.0.0/24; };
>         allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
>         forwarders { 8.8.8.8; };
>         allow-transfer { none; };
>         dnssec-validation no;
>         dnssec-enable no;
>
>         listen-on-v6 { none; };
>         listen-on port 53 { 192.168.0.2; 127.0.0.1; };
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> };
>
> named.conf.local
>
> include "/usr/local/samba/private/named.conf";
>
> // prime the server with knowledge of the root servers
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
>
> /etc/resolv.conf
>
> search samdom.example.com
> nameserver 192.168.0.2
> nameserver 192.168.0.7
>
> My dns domain is samdom.example.com and the two DCs are 192.168.0.2 and
> 192.168.0.7
>
> Rowland
>
>



-- 
Elias Pereira
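Added example, not from either poster: Rowland's point is that with BIND9_DLZ the DC is authoritative for the AD zone, so when the AD domain and the public domain are the same name (myinstitution.edu), names like www or moodle must live in the AD zone itself; a resolver that is authoritative for a zone does not forward queries inside it. The script below stages those public records into the AD zone with `samba-tool dns add` (dry run by default, `APPLY=1` to execute) and offers a check against the DC. The DC name, zone, admin account, DC IP and the record inventory are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread). Loads public-facing host records into
# the AD-integrated zone so clients that use the DC as resolver get answers.
# All names/IPs below are assumptions for illustration.

DC="addc.myinstitution.edu"   # assumption: DC hostname used by samba-tool
DC_IP="192.0.2.6"             # assumption: DC listen address, for the dig check
ZONE="myinstitution.edu"      # assumption: AD zone == public domain name
ADMIN="administrator"         # assumption: account allowed to update the zone

# Constructed sample inventory: "name type data". The 'bad' entry shows rejection.
RECORDS="www A 203.0.113.20
moodle A 203.0.113.21
ns A 203.0.113.10
bad A 999.0.0.1
cdn CNAME www.myinstitution.edu"

# Four dotted-decimal octets, each 0..255. Pure shell, no external tools.
valid_ipv4() {
    ip=$1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build the samba-tool invocation for one record (samba-tool dns add <server>
# <zone> <name> <type> <data> -U <user>); returned as text so it can be reviewed.
build_cmd() {
    printf 'samba-tool dns add %s %s %s %s %s -U %s\n' \
        "$DC" "$ZONE" "$1" "$2" "$3" "$ADMIN"
}

# Walk the inventory, validate each entry, then print (dry run) or execute
# (APPLY=1) the command. Rejected entries go to stderr and are skipped.
stage_records() {
    printf '%s\n' "$RECORDS" | while read -r name type data; do
        [ -n "$name" ] || continue
        case $type in
            A)
                valid_ipv4 "$data" || { echo "skip $name: bad IPv4 '$data'" >&2; continue; } ;;
            CNAME)
                [ -n "$data" ] || { echo "skip $name: empty CNAME target" >&2; continue; } ;;
            *)
                echo "skip $name: unsupported type '$type'" >&2; continue ;;
        esac
        cmd=$(build_cmd "$name" "$type" "$data")
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd"          # prompts for the password of $ADMIN
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# After loading, the DC itself must answer for the name (no NXDOMAIN). This is the
# query the domain-joined client in the thread was implicitly failing. Needs dig.
verify_via_dc() {
    dig +short "@$DC_IP" "$1.$ZONE" A
}

stage_records   # dry run: prints the commands that APPLY=1 would execute
```

Run it once without `APPLY` to review the generated commands, then with `APPLY=1` on the DC; afterwards `verify_via_dc www` (or `dig @DC_IP www.myinstitution.edu`) should return the address from the AD zone rather than NXDOMAIN. The `forwarders` in named.conf.options still apply to names outside the zone, which is why wiki.samba.org already resolved.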

