[Samba] Find/delete bad DNS Entry
Rowland Penny
rpenny at samba.org
Tue Apr 24 09:36:48 UTC 2018
On Tue, 24 Apr 2018 09:50:10 +0200
Denis Cardon via samba <samba at lists.samba.org> wrote:
> A more expeditious way is to delete and recreate the zone using
> samba-tool dns zonedelete / zonecreate. The SRV entries are recreated
> when the server restarts. You should just be careful to have your
> Kerberos configuration set properly so it does not need DNS to find its
> KDC (you can take a look at the krb5.conf file in [1] for inspiration).
> Then you'll have to recreate your DNS entries in that cleaned-up
> zone.
>
Hi Denis, DNS is an integral part of Active Directory, so if the
machine you are trying to join as a DC cannot find the KDC via DNS,
then it is likely to have problems later. You must have working DNS
before the join.
I have read your join howto and have the following comments, based on
my experience.
I would also install libpam_winbind and libpam_krb5
/etc/krb5.conf needs to be only this:
[libdefaults]
default_realm = MONDOMAINE.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
I would stop smbd, nmbd, winbind before the join
I would run the join command like this:
samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307 = yes' --option='dns forwarder = 8.8.8.8'
if you copy netlogon and sysvol from the first DC, you really also need to copy idmap.ldb
Please do not do this: ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
If you must do it, then do this instead: cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
But it will just replace what is there, with the same content, if it has been set as suggested above.
Finally, I would have set up NTP before the join and ensured the time was the same as on the DC.
Rowland
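The pre-join checks Rowland lists above (working DNS for the KDC, the minimal krb5.conf, time in sync with the first DC, services stopped), collected into one script. This is an added example, not Rowland's script or anything shipped by Samba; REALM, FIRST_DC and the 300-second skew limit are assumed values.

```shell
#!/bin/sh
# Pre-join checks for a new Samba AD DC, following the points in the reply above.
# Added example, not Rowland's or the Samba project's script. Assumed values:
# REALM and FIRST_DC (the existing DC whose clock the new one is compared against).
REALM="${REALM:-MONDOMAINE.LAN}"
FIRST_DC="${FIRST_DC:-dc1.mondomaine.lan}"   # assumed hostname of the existing DC
MAX_SKEW=300                                  # Kerberos' default clock-skew tolerance, seconds

# Print the value of "KEY = value" from an ini-style file, whitespace trimmed.
conf_value() {
    awk -v k="$2" -F= '$1 ~ ("^[ \t]*" k "[ \t]*$") {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# krb5.conf must carry exactly the three settings recommended in the reply.
check_krb5_conf() {
    [ "$(conf_value "$1" default_realm)" = "$REALM" ] &&
    [ "$(conf_value "$1" dns_lookup_realm)" = "false" ] &&
    [ "$(conf_value "$1" dns_lookup_kdc)" = "true" ]
}

# Read `host -t SRV` output on stdin; print one KDC hostname per line.
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Read `ntpdate -q` output on stdin; succeed when |offset| <= $1 seconds.
offset_within() {
    awk -v max="$1" '/offset/ {
            for (i = 1; i <= NF; i++) if ($i == "offset") {
                o = $(i + 1); sub(/,$/, "", o); o = o + 0
                if (o < 0) o = -o
                found = 1; ok = (o <= max + 0) } }
        END { exit !(found && ok) }'
}

# Run the live checks; every one must pass before `samba-tool domain join`.
prejoin_checks() {
    realm_lc=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    check_krb5_conf /etc/krb5.conf || { echo "krb5.conf: unexpected settings"; return 1; }
    kdcs=$(host -t SRV "_kerberos._tcp.$realm_lc" | srv_targets)
    [ -n "$kdcs" ] || { echo "DNS: no KDC SRV record for $realm_lc"; return 1; }
    echo "KDC(s) via DNS: $kdcs"
    ntpdate -q "$FIRST_DC" | offset_within "$MAX_SKEW" \
        || { echo "NTP: clock differs from $FIRST_DC by more than ${MAX_SKEW}s"; return 1; }
    for s in smbd nmbd winbind; do systemctl stop "$s" 2>/dev/null; done
    echo "checks passed; services stopped, ready for samba-tool domain join"
}
```

Source the file and call prejoin_checks on the machine about to be joined; it stops at the first failed check and says which one.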