[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom at DOM) unknown

Sven Schwedas sven.schwedas at tao.at
Mon Sep 11 07:11:52 UTC 2017


We mainly use it for stuff that's not AD related (aliases for external
domains to avoid NAT loopback e.g., something that's a royal pain in the
ass with AD DNS); caching is just a secondary benefit, and if it doesn't
work for SRV records, meh. ¯\_(ツ)_/¯

On 2017-09-10 15:25, Rowland Penny via samba wrote:
> On Fri, 8 Sep 2017 14:31:21 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> 
>> On 2017-09-08 14:21, Rowland Penny via samba wrote:
>>> OK, you have convinced me ;-)
>>
>> If you know any other part of AD DNS that is tricky, I'd be interested
>> to know before AD blows up again. ;-)
>>
>>> Seeing how you seem to know the required 'magic', do you feel up to
>>> sharing it, if you do I will add a page to the Samba wiki.
>>
>> What magic? How to set up dnsmasq as caching proxy? Sure, I can make a
>> commented example config file.
>>
> 
> Hi Sven, I have been playing around with dnsmasq on a Unix domain
> member running in a VM and I just don't understand the value of it in
> a Samba AD.
> 
> I run two DCs in my small test domain, both using Bind9 instead of the
> internal DNS server.
> 
> As far as I can see, dnsmasq on the test Unix domain member does not
> cache the AD SRV records, it requests them from a DC every time. I
> have found that you can add the SRV records to the dnsmasq conf file,
> but that, in my opinion, defeats the whole point of using dnsmasq as
> a caching nameserver.
> 
> Bind9 on the DCs also acts as a caching nameserver, if I 'dig'
> www.google.com on the Unix domain member (not using dnsmasq) I get:
> ';; Query time: 105 msec' the first time I run it and:
> ';; Query time: 8 msec' the second time onwards 
> 
> If I 'dig' for the AD domain, I get a similar time as the 'cached'
> google record.
> 
> So, I cannot actually see any point in running dnsmasq on a Unix domain
> member if you are using Bind9 on the DC and, if you are using multiple
> DCs, you are probably better off running Bind9 on the DCs.
> 
> Rowland 
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167


