[Samba] Find/delete bad DNS Entry

Denis Cardon dcardon at tranquil.it
Tue Apr 24 11:07:58 UTC 2018 

Hi Rowland,

>> A more expeditive way is to delete and recreate the zone using the
>> samba-tool dns zonedelete / zonecreate. The SRV entries are recreated
>> when the server restart. You should just be careful about having your
>> kerberos configuration properly so it does not needs DNS to find its
>> KDC (you can take a look at krb5.conf file in [1] for inspiration).
>> Then you'll have to recreate your DNS entries in that clean'ed up
>> zone.
>>
>
> Hi Dennis, DNS is an integral part of Active Directory, so if the
> machine you are trying to join as a DC cannot find the KDC via dns,
> then it is likely to have problems later. You must have working dns
> before the join.

Thanks for you input. It is indeed important to stress out how important 
is DNS in an AD environment. My point just above underline that if we 
have wiped out the DNS zone, then using dns_lookup_kdc=true won't work 
anymore, so it will be necessary to give a hint to the local machine to 
authenticate to "find itself".

Once the DNS zone has been recreated with all the proper SRV entries, 
then one can switch back to dns_lookup_kdc=true. But actually, even on a 
properly setup domain, I advocate to make an explicit configuration of 
KDC in /etc/krb5.conf. And actually it is a must have in a large 
multi-site setup with slow VPN and strict firewall rules.

> I have read your join howto and have the following comments, based on
> my experience.
>
> I would also install libpam_winbind and libpam_krb5

we are limiting at much as possible shell connection to the AD (a 
compromission on your AD is a compromission of your whole network). So 
we don't enable this kind of authentication on DC. SSH key exchange for 
the lucky few that manage the AD is much better suited IMHO.

> /etc/krb5.conf  needs to be only this:
>
> [libdefaults]
>     default_realm = MONDOMAINE.LAN
>     dns_lookup_realm = false
>     dns_lookup_kdc = true

see above

> I would stop smbd, nmbd, winbind before the join

Indeed that might be cleaner, even if it does change much in the present 
case. Debian behavior of starting daemon just after installation is 
sometime awkward.

> I would run the join command like this:
> samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307  = yes' --option='dns forwarder = 8.8.8.8'

we are trying to get people out of RFC2307. It is almost never really 
needed and it may create issues when people forget to setup a UID/GID 
for a user or if there are duplicate (there is no pool for UID like 
there is for RID, and there is no unique index on that value).

By the way, 8.8.8.8 is a easy to remember ip address, but it is a PITA 
in the long run with internal DNS. Google does throttling and since 
internal DNS does no caching, one very fast non answered queries and 
angry users on any moderate size site.

That is why we advocate for using Bind-DLZ, even if it is awkward to 
setup. You can take a look at the page 
https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9

> if you copy netlogon and sysvol from the first DC, you really also need to copy idmap.ldb

it is really helpful if you have GPO delegation. Otherwise a simple 
samba-tool ntacl sysvolreset will do it like it is mentioned in the 
documentation. Maintaining replication of idmap.ldb is not easy either 
in the long run. It would be great to have a RID xid mapping for domain 
controllers too!

> Please do not do this: ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
> If you must do it, then do this instead: cp /var/lib/samba/private/krb5.conf to /etc/krb5.conf

It is important to have both file in sync, since some processes are 
using one or the other. So symlink is a must IMHO. And since 
/var/lib/samba/private is not readable for everyone, the best thing is 
to have a symlink like stated in our wiki page [1] you are referring to.

By the way, those small details are the result of more than 250 
migrations or domain fixing in the last 5 years... So even though it 
might not be perfect, it is field tested.

> But it will just replace what is there, with the same content, if it has been set as suggested above.
>
> Finally, I would have set up NTP before the join and ensured the time was the same as on the DC.

An ntpdate might be of use before the join indeed. But since the NTP is 
connecting to a UNIX socket instanciated by Samba, I prefer to start it 
afterward.

Thanks for you input,

Cheers,

Denis

[1] 
https://dev.tranquil.it/wiki/SAMBA_-_Installation_samba4_comme_DC_secondaire

>
> Rowland
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

More information about the samba mailing list