[Samba] Samba, AD, 'short' name resolving...

Mon Jun 11 12:38:34 UTC 2018

Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...

> If the primary domain is set in windows, which is after domain join, it used that. 
> Ipconfig /all and see primary DNS suffix. 
> The dns suffix and first dns search list should be the same.
> Yes, other settings are possible, but stick to this for now. 

Ok, i canconfirm that: the AD domain dns name are the dns suffix and
the first search, see my previous post.

> The Primay DNS suffix is used for the register of the IP in the DNS. 

Ok. i make a note. I'm not using DNS/DHCP integration, eg: i'm NOT
using:
	https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

simply i've keeped the old setup in place.

> The DHCP Service User MUST be a member of the DNSAdmins. 
> The DHCP service User SHOULD NOT have the kerberos auth requirement (disable pre-kerberos auth), and disable password changes. 

?! I've not 'DHCP Service' user in my AD. I've no windows servers.

> In my lan i use pc's with DHCP and static ips, all register within the DNS zone they should. 
> I reviewed my logs and compaired them to yours. That looks the same execpt i dont have message like : 
> >> request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)

As stated in previous email, i'm suffering some connectivity trouble
now, so some errors are expected; after some seconds, client register
itself correctly.

> A cause might be, 
> - 2 x pc with the same name.
> - The rights op this object in the DNS are not correct and the "dhcp service" user is unable to update it. 
> - The pc joint with a static ip and now its dhcp, then the above line applies. 

No, none of the above.

> Check you have have within the options section in name.conf.options. 
> auth-nxdomain yes;    # conform to RFC1035 = no 

Ok, correct.

> Make sure you have somewhere below options { .... }  in name.conf.options.
> include "/etc/bind/rndc.key";
>     controls {
>      inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };

I've not such stanza, and i've verified in samba wiki there's no
mention about that.

Clearly, i've instead:
	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

The point here is:

a) even if dhcp auto registration is not enabled, windows client try to
 ''register'' itself on the dns; good.

b) on opposite of what say Rowland, client correctly use a AD DNS to
 register itself.

c) seems to use some ''random'' AD DNS, not the one in the site, for
 example.

> See also : https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and 
> And this link is imo a must read before you install any AD. It really helps in preventing strang problems. 

Thanks for the link!

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)