[Samba] Find/delete bad DNS Entry
rpenny at samba.org
Tue Apr 24 12:03:01 UTC 2018
On Tue, 24 Apr 2018 13:07:58 +0200
Denis Cardon <dcardon at tranquil.it> wrote:
> Hi Rowland,
> Thanks for your input. It is indeed important to stress how
> important DNS is in an AD environment. My point just above underlines
> that if we have wiped out the DNS zone, then using
> dns_lookup_kdc=true won't work anymore, so it will be necessary to
> give the local machine a hint to authenticate in order to "find itself".
Not sure I understand what you are trying to say; we are discussing
joining a potential DC to a domain, so surely the DNS zone won't have
been 'wiped out'.
> Once the DNS zone has been recreated with all the proper SRV entries,
> then one can switch back to dns_lookup_kdc=true.
No, sorry, the DNS zone will not have been recreated; added to, probably.
> But actually, even
> on a properly set up domain, I advocate making an explicit
> configuration of the KDC in /etc/krb5.conf. And actually it is a must-have
> in a large multi-site setup with slow VPNs and strict firewalls.
What you are saying is very probably true, but the basis of your howto
is how to join a computer to a domain as another DC; what you do after
the join has nothing to do with the join.
> > I have read your join howto and have the following comments, based
> > on my experience.
> > I would also install libpam_winbind and libpam_krb5
> We are limiting shell connections to the AD as much as possible (a
> compromise of your AD is a compromise of your whole network).
> So we don't enable this kind of authentication on DCs. SSH key
> exchange for the lucky few that manage the AD is much better suited.
Note that I said 'I would'; that doesn't mean you have to. I should also
probably point out that you can use ssh with Kerberos and not require
passwords or SSH keys.
> > /etc/krb5.conf needs to be only this:
> > [libdefaults]
> > default_realm = MONDOMAINE.LAN
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> see above
I have ;-)
> > I would stop smbd, nmbd, winbind before the join
> Indeed that might be cleaner, even if it doesn't change much in the
> present case. Debian's behavior of starting daemons just after
> installation is sometimes awkward.
> > I would run the join command like this:
> > samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307 = yes' --option='dns forwarder = 126.96.36.199'
> We are trying to get people off RFC2307. It is almost never really
> needed and it may create issues when people forget to set up a UID/GID
> for a user or if there are duplicates (there is no pool for UIDs like
> there is for RIDs, and there is no unique index on that value).
There are pools for UID & GID, Samba just decided not to use them.
> By the way, 188.8.131.52 is an easy-to-remember IP address, but it is a
> PITA in the long run with internal DNS. Google does throttling and
> since internal DNS does no caching, you very quickly get unanswered
> queries and angry users on any moderate-size site.
Then why did you use it in your howto?
> That is why we advocate using Bind-DLZ, even if it is awkward to
> set up. You can take a look at the page
It is not awkward to set up unless you do it wrong. I have never used
the internal DNS server myself; I always use Bind9.
> > if you copy netlogon and sysvol from the first DC, you really also
> > need to copy idmap.ldb
> It is really helpful if you have GPO delegation. Otherwise a simple
> samba-tool ntacl sysvolreset will do it, as mentioned in the
> documentation. Maintaining replication of idmap.ldb is not easy
> either in the long run. It would be great to have a RID-to-xid mapping
> for domain controllers too!
The problem is that sysvolreset is broken if you add any GPOs; it does
not set the correct ACEs.
> > Please do not do this: ln -s /etc/krb5.conf /var/lib/samba/private/krb5.conf
> > If you must do it, then do this instead: cp /var/lib/samba/private/krb5.conf
> > to /etc/krb5.conf
> It is important to have both files in sync, since some processes are
> using one or the other. So a symlink is a must IMHO. And since
> /var/lib/samba/private is not readable by everyone, the best thing
> is to have a symlink as stated in our wiki page you are
> referring to.
I take it that you are unaware that the private dir is only accessible
by 'root' from 4.7.0.
> By the way, those small details are the result of more than 250
> migrations or domain fixes in the last 5 years... So even though it
> might not be perfect, it is field-tested.
> > But it will just replace what is there, with the same content, if
> > it has been set as suggested above.
> > Finally, I would have set up NTP before the join and ensured the
> > time was the same as on the DC.
> An ntpdate might be of use before the join indeed. But since NTP
> is connecting to a UNIX socket instantiated by Samba, I prefer to
> start it afterwards.
Again, I did say that it was what I would do, and I also said to ensure
the time was the same as on the domain DC.
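The steps argued over in this thread (stop the daemons Debian started at install time, write a minimal /etc/krb5.conf as a copy rather than a symlink, confirm the KDC SRV record and the clock offset against the existing DC, run the join, then start ntpd afterwards) line up into one pre-join script. The following is an added example and is not code from the thread, from Rowland's howto or from the Samba project; it assumes Debian-style unit names (smbd, nmbd, winbind, samba-ad-dc, ntp), the `host` and `ntpdate` utilities, the `ntpdate -q` output format shown in the comment, and root when actually run. The realm, workgroup and DC name are placeholders; the contested RFC2307 and forwarder options are deliberately left out of the join line.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): pre-join checklist
# for a second Samba AD DC, in the order the steps above discuss them.
# Assumed: Debian-style unit names (smbd, nmbd, winbind, samba-ad-dc, ntp),
# the 'host' and 'ntpdate' utilities, and root privileges when actually run.
set -eu

# Minimal /etc/krb5.conf as quoted in the thread: realm discovery via DNS off,
# KDC discovery via the _kerberos._tcp SRV record on.
krb5_conf_minimal() {
    printf '[libdefaults]\n    default_realm = %s\n    dns_lookup_realm = false\n    dns_lookup_kdc = true\n' "$1"
}

# Pull the clock offset (seconds, signed, fractional) out of 'ntpdate -q'
# output read from stdin. Assumes the first server line looks like
#   server 192.0.2.10, stratum 2, offset -0.004213, delay 0.02588
parse_ntpdate_offset() {
    sed -n 's/.*offset \(-\{0,1\}[0-9][0-9.]*\),.*/\1/p' | head -n 1
}

# Kerberos rejects requests whose clocks differ by more than 300 s by default
# (the MIT/Heimdal clockskew). Exit 0 when |offset| <= tolerance, 1 otherwise.
offset_within() {
    awk -v o="$1" -v m="${2:-300}" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# dns_lookup_kdc = true only works if the SRV record resolves; check it first.
kdc_srv_present() {
    host -t SRV "_kerberos._tcp.$1" >/dev/null 2>&1
}

join_as_dc() {
    realm=$1; workgroup=$2; existing_dc=$3; admin=${4:-administrator}
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')

    # 1. Stop the daemons Debian started at package install time.
    systemctl stop smbd nmbd winbind

    # 2. Minimal krb5.conf as a real file, not a symlink into the private dir.
    krb5_conf_minimal "$realm" > /etc/krb5.conf

    # 3. Without the SRV record the join cannot find a KDC through DNS.
    kdc_srv_present "$domain" || { echo "no _kerberos._tcp SRV record for $domain" >&2; return 1; }

    # 4. One-shot clock check and sync against the existing DC before the join.
    #    ntpd itself is started after the join, since Samba provides the
    #    signing socket it connects to.
    off=$(ntpdate -q "$existing_dc" | parse_ntpdate_offset)
    [ -n "$off" ] || { echo "could not read clock offset from ntpdate -q $existing_dc" >&2; return 1; }
    offset_within "$off" || { echo "clock offset ${off}s vs $existing_dc exceeds 300 s" >&2; return 1; }
    ntpdate "$existing_dc"

    # 5. The join itself, with the options quoted in the thread (RFC2307 and
    #    forwarder options left out; both were contested above).
    samba-tool domain join "$domain" DC -U "$admin" --realm="$realm" -W "$workgroup"

    systemctl start samba-ad-dc
    systemctl start ntp
}

# Usage: sh prejoin.sh MONDOMAINE.LAN MONDOMAINE dc1.mondomaine.lan [administrator]
if [ $# -ge 3 ]; then
    join_as_dc "$@"
fi
```

The clock check is the part worth keeping even if the rest is done by hand: a join that fails on a Kerberos skew error is far less obvious than a pre-flight message naming the offset, and `ntpdate -q` only queries, so nothing is changed until the offset has been looked at.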