[Samba] Samba, AD, 'short' name resolving...
Marco Gaiarin
gaio at sv.lnf.it
Mon Jun 11 12:38:34 UTC 2018
Hello! L.P.H. van Belle via samba
On that day it was said...
> If the primary domain is set in windows, which is after domain join, it used that.
> Ipconfig /all and see primary DNS suffix.
> The dns suffix and first dns search list should be the same.
> Yes, other settings are possible, but stick to this for now.
Ok, I can confirm that: the AD domain DNS name is the DNS suffix and
the first search, see my previous post.
> The Primary DNS suffix is used for the register of the IP in the DNS.
Ok, I've made a note. I'm not using DNS/DHCP integration, e.g. I'm NOT
using:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
I've simply kept the old setup in place.
> The DHCP Service User MUST be a member of the DNSAdmins.
> The DHCP service User SHOULD NOT have the kerberos auth requirement (disable pre-kerberos auth), and disable password changes.
?! I have no 'DHCP Service' user in my AD. I have no Windows servers.
> In my lan i use pc's with DHCP and static ips, all register within the DNS zone they should.
> I reviewed my logs and compared them to yours. That looks the same except I don't have messages like:
> >> request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
As stated in my previous email, I'm suffering some connectivity trouble
now, so some errors are expected; after some seconds, the client registers
itself correctly.
> A cause might be,
> - 2 x pc with the same name.
> - The rights on this object in the DNS are not correct and the "dhcp service" user is unable to update it.
> - The pc joined with a static ip and now it's dhcp, then the above line applies.
No, none of the above.
> Check you have within the options section in name.conf.options.
> auth-nxdomain yes; # conform to RFC1035 = no
Ok, correct.
> Make sure you have somewhere below options { .... } in name.conf.options.
> include "/etc/bind/rndc.key";
> controls {
> inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
I have no such stanza, and I've verified that in the Samba wiki there's no
mention of it.
Clearly, I have instead:
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
The point here is:
a) even if DHCP auto registration is not enabled, Windows clients try to
''register'' themselves in the DNS; good.
b) contrary to what Rowland says, the client correctly uses an AD DNS to
register itself.
c) it seems to use some ''random'' AD DNS, not the one in the site, for
example.
> See also : https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> And this link is imo a must read before you install any AD. It really helps in preventing strange problems.
Thanks for the link!
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
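
Added example, not part of the original message and not Samba or BIND code: a Python triage script for the `tsig verify failure (BADSIG)` lines quoted in the thread. It groups failures by machine principal and separates a short retry burst from failures that continue over a longer window. Assumptions: the timestamp and `client` prefix of each line, the `LAB-PC01` host, the shortened key names and the 60-second threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. The text from "request has invalid signature" on
# follows the line quoted in the message; the timestamp/"client" prefix, the
# LAB-PC01 host and the shortened key names are assumptions for illustration.
SAMPLE_LOG = r"""
2018-06-11T12:01:02 named[812]: client 10.5.1.20#51234: request has invalid signature: TSIG 1592-ms-7.constructed-a (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
2018-06-11T12:01:05 named[812]: client 10.5.1.20#51240: request has invalid signature: TSIG 1592-ms-7.constructed-b (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
2018-06-11T12:01:09 named[812]: client 10.5.1.20#51266: request has invalid signature: TSIG 1592-ms-7.constructed-c (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
2018-06-11T12:00:00 named[812]: client 10.5.1.77#40001: request has invalid signature: TSIG 2001-ms-7.constructed-d (LAB-PC01\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
2018-06-11T12:30:00 named[812]: client 10.5.1.77#40019: request has invalid signature: TSIG 2001-ms-7.constructed-e (LAB-PC01\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
2018-06-11T12:30:01 named[812]: some unrelated line that must be ignored
"""
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) .*?client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+.*?: "
    r"request has invalid signature: TSIG (?P<key>\S+) "
    r"\((?P<principal>[^)]+)\): tsig verify failure \((?P<code>\w+)\)"
)

def summarize(log_text, burst_seconds=60):
    """Group TSIG verify failures by principal; flag those lasting past a burst."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m:
            continue  # not a TSIG verify failure
        who = m["principal"].replace("\\", "")  # undo the log's \$ \@ escaping
        seen[who].append((datetime.fromisoformat(m["ts"]), m["ip"], m["code"]))
    report = {}
    for who, events in seen.items():
        times = sorted(t for t, _, _ in events)
        span = (times[-1] - times[0]).total_seconds()
        report[who] = {
            "count": len(events),
            "sources": sorted({ip for _, ip, _ in events}),
            "codes": sorted({c for _, _, c in events}),
            "span_s": span,
            # A short burst matches a client that retries and then succeeds;
            # failures spread over a longer window deserve a closer look.
            "persistent": span > burst_seconds,
        }
    return report

if __name__ == "__main__":
    for who, info in summarize(SAMPLE_LOG).items():
        print(who, info)
```

Adjust `FAIL_RE` to the prefix your own logging configuration produces before running it over real logs.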