[Samba] Find/delete bad DNS Entry

Rowland Penny rpenny at samba.org
Tue Apr 24 12:03:01 UTC 2018

On Tue, 24 Apr 2018 13:07:58 +0200
Denis Cardon <dcardon at tranquil.it> wrote:

> Hi Rowland,
> Thanks for you input. It is indeed important to stress out how
> important is DNS in an AD environment. My point just above underline
> that if we have wiped out the DNS zone, then using
> dns_lookup_kdc=true won't work anymore, so it will be necessary to
> give a hint to the local machine to authenticate to "find itself".

Not sure I understand what you are trying to say, we are discussing
joining a potential DC to a domain, so surely the DNS zone wont have
been 'wiped out'

> Once the DNS zone has been recreated with all the proper SRV entries, 
> then one can switch back to dns_lookup_kdc=true. 

No, sorry the DNS zone will not have been recreated, added to probably,
recreated, no.

>But actually, even
> on a properly setup domain, I advocate to make an explicit
> configuration of KDC in /etc/krb5.conf. And actually it is a must
> have in a large multi-site setup with slow VPN and strict firewall
> rules.

What you are saying is very probably true, but the basis of your howto
is how to join a computer to a domain as another DC, what you do after
the join has nothing to do with the join.

> > I have read your join howto and have the following comments, based
> > on my experience.
> >
> > I would also install libpam_winbind and libpam_krb5
> we are limiting at much as possible shell connection to the AD (a 
> compromission on your AD is a compromission of your whole network).
> So we don't enable this kind of authentication on DC. SSH key
> exchange for the lucky few that manage the AD is much better suited

Note that I said 'I would', doesn't mean you have to, I should also
probably point out that you can use ssh with kerberos and not require
passwords or SSH keys.

> > /etc/krb5.conf  needs to be only this:
> >
> > [libdefaults]
> >     default_realm = MONDOMAINE.LAN
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> see above

I have ;-)

> > I would stop smbd, nmbd, winbind before the join
> Indeed that might be cleaner, even if it does change much in the
> present case. Debian behavior of starting daemon just after
> installation is sometime awkward.
> > I would run the join command like this:
> > samba-tool domain join mondomaine.lan DC -U administrator
> > --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use
> > rfc2307  = yes' --option='dns forwarder ='
> we are trying to get people out of RFC2307. It is almost never really 
> needed and it may create issues when people forget to setup a UID/GID 
> for a user or if there are duplicate (there is no pool for UID like 
> there is for RID, and there is no unique index on that value).

There are pools for UID & GID, Samba just decided not to use them.

> By the way, is a easy to remember ip address, but it is a
> PITA in the long run with internal DNS. Google does throttling and
> since internal DNS does no caching, one very fast non answered
> queries and angry users on any moderate size site.

Then why did you use it in your howto ?

> That is why we advocate for using Bind-DLZ, even if it is awkward to 
> setup. You can take a look at the page 
> https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9

It is not awkward to set up, unless you do it wrong, I have never used
the internal dns server myself, I always use Bind9
> > if you copy netlogon and sysvol from the first DC, you really also
> > need to copy idmap.ldb
> it is really helpful if you have GPO delegation. Otherwise a simple 
> samba-tool ntacl sysvolreset will do it like it is mentioned in the 
> documentation. Maintaining replication of idmap.ldb is not easy
> either in the long run. It would be great to have a RID xid mapping
> for domain controllers too!

The problem is that sysvolreset is broken if you add any GPOs, it does
not set the correct ACES. 

> > Please do not do this: ln
> > -s /etc/krb5.conf /var/lib/samba/private/krb5.conf If you must do
> > it, then do this instead: cp /var/lib/samba/private/krb5.conf
> > to /etc/krb5.conf
> It is important to have both file in sync, since some processes are 
> using one or the other. So symlink is a must IMHO. And since 
> /var/lib/samba/private is not readable for everyone, the best thing
> is to have a symlink like stated in our wiki page [1] you are
> referring to.

I take it that you unaware that the private dir is only accessible
by 'root' from 4.7.0
> By the way, those small details are the result of more than 250 
> migrations or domain fixing in the last 5 years... So even though it 
> might not be perfect, it is field tested.
> > But it will just replace what is there, with the same content, if
> > it has been set as suggested above.
> >
> > Finally, I would have set up NTP before the join and ensured the
> > time was the same as on the DC.
> An ntpdate might be of use before the join indeed. But since the NTP
> is connecting to a UNIX socket instanciated by Samba, I prefer to
> start it afterward.

Again, I did say that it was what I would do and I also said to ensure
the time was the same as on the Domain DC.


More information about the samba mailing list