[Samba] Find/delete bad DNS Entry
Denis Cardon
dcardon at tranquil.it
Tue Apr 24 11:07:58 UTC 2018
Hi Rowland,
>> A more expeditive way is to delete and recreate the zone using the
>> samba-tool dns zonedelete / zonecreate. The SRV entries are recreated
>> when the server restart. You should just be careful about having your
>> kerberos configuration properly so it does not needs DNS to find its
>> KDC (you can take a look at krb5.conf file in [1] for inspiration).
>> Then you'll have to recreate your DNS entries in that clean'ed up
>> zone.
>>
>
> Hi Dennis, DNS is an integral part of Active Directory, so if the
> machine you are trying to join as a DC cannot find the KDC via dns,
> then it is likely to have problems later. You must have working dns
> before the join.
Thanks for you input. It is indeed important to stress out how important
is DNS in an AD environment. My point just above underline that if we
have wiped out the DNS zone, then using dns_lookup_kdc=true won't work
anymore, so it will be necessary to give a hint to the local machine to
authenticate to "find itself".
Once the DNS zone has been recreated with all the proper SRV entries,
then one can switch back to dns_lookup_kdc=true. But actually, even on a
properly setup domain, I advocate to make an explicit configuration of
KDC in /etc/krb5.conf. And actually it is a must have in a large
multi-site setup with slow VPN and strict firewall rules.
> I have read your join howto and have the following comments, based on
> my experience.
>
> I would also install libpam_winbind and libpam_krb5
we are limiting at much as possible shell connection to the AD (a
compromission on your AD is a compromission of your whole network). So
we don't enable this kind of authentication on DC. SSH key exchange for
the lucky few that manage the AD is much better suited IMHO.
> /etc/krb5.conf needs to be only this:
>
> [libdefaults]
> default_realm = MONDOMAINE.LAN
> dns_lookup_realm = false
> dns_lookup_kdc = true
see above
> I would stop smbd, nmbd, winbind before the join
Indeed that might be cleaner, even if it does change much in the present
case. Debian behavior of starting daemon just after installation is
sometime awkward.
> I would run the join command like this:
> samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307 = yes' --option='dns forwarder = 8.8.8.8'
we are trying to get people out of RFC2307. It is almost never really
needed and it may create issues when people forget to setup a UID/GID
for a user or if there are duplicate (there is no pool for UID like
there is for RID, and there is no unique index on that value).
By the way, 8.8.8.8 is a easy to remember ip address, but it is a PITA
in the long run with internal DNS. Google does throttling and since
internal DNS does no caching, one very fast non answered queries and
angry users on any moderate size site.
That is why we advocate for using Bind-DLZ, even if it is awkward to
setup. You can take a look at the page
https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9
> if you copy netlogon and sysvol from the first DC, you really also need to copy idmap.ldb
it is really helpful if you have GPO delegation. Otherwise a simple
samba-tool ntacl sysvolreset will do it like it is mentioned in the
documentation. Maintaining replication of idmap.ldb is not easy either
in the long run. It would be great to have a RID xid mapping for domain
controllers too!
> Please do not do this: ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
> If you must do it, then do this instead: cp /var/lib/samba/private/krb5.conf to /etc/krb5.conf
It is important to have both file in sync, since some processes are
using one or the other. So symlink is a must IMHO. And since
/var/lib/samba/private is not readable for everyone, the best thing is
to have a symlink like stated in our wiki page [1] you are referring to.
By the way, those small details are the result of more than 250
migrations or domain fixing in the last 5 years... So even though it
might not be perfect, it is field tested.
> But it will just replace what is there, with the same content, if it has been set as suggested above.
>
> Finally, I would have set up NTP before the join and ensured the time was the same as on the DC.
An ntpdate might be of use before the join indeed. But since the NTP is
connecting to a UNIX socket instanciated by Samba, I prefer to start it
afterward.
Thanks for you input,
Cheers,
Denis
[1]
https://dev.tranquil.it/wiki/SAMBA_-_Installation_samba4_comme_DC_secondaire
>
> Rowland
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
More information about the samba
mailing list