[Samba] Samba, AD, 'short' name resolving...
L.P.H. van Belle
belle at bazuin.nl
Mon Jun 11 15:31:24 UTC 2018
Hai Marco,
What I see below is correct.
You are using a DHCP outside the network and that's ok.
The Windows PC that joined the domain automatically registers A and PTR.
So that is correct also.
> c) seems to use some ''random'' AD DNS, not the one in the site, for
> example.
Yes that is correct. ( The DC Locator Process does that )
If you don't want that, you can assign a preferred server by GPO.
You can set it as preferred server per site in the GPO. (Note: a PC needs 2 reboots.)
Set the variable logon server in a GPO.
That's one of the options.
And try this setting.
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
See how far you get.
Hint:
https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication
Net Logon
;-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Monday 11 June 2018 14:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba, AD, 'short' name resolving...
>
> Hello! L.P.H. van Belle via samba
> On that day it was said...
>
> > If the primary domain is set in Windows, which is after domain join, it used that.
> > Ipconfig /all and see primary DNS suffix.
> > The DNS suffix and first DNS search list should be the same.
> > Yes, other settings are possible, but stick to this for now.
>
> Ok, I can confirm that: the AD domain DNS name is the DNS suffix and
> the first search, see my previous post.
>
>
> > The Primary DNS suffix is used for the register of the IP in the DNS.
>
> Ok. I make a note. I'm not using DNS/DHCP integration, e.g. I'm NOT
> using:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> simply I've kept the old setup in place.
>
>
> > The DHCP Service User MUST be a member of the DNSAdmins.
> > The DHCP service User SHOULD NOT have the kerberos auth requirement (disable pre-kerberos auth), and disable password changes.
>
> ?! I have no 'DHCP Service' user in my AD. I have no Windows servers.
>
>
> > In my LAN I use PCs with DHCP and static IPs, all register within the DNS zone they should.
> > I reviewed my logs and compared them to yours. That looks the same except I don't have messages like:
> > >> request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
>
> As stated in previous email, I'm suffering some connectivity trouble
> now, so some errors are expected; after some seconds, the client registers
> itself correctly.
>
>
> > A cause might be,
> > - 2 x pc with the same name.
> > - The rights on this object in the DNS are not correct and the "dhcp service" user is unable to update it.
> > - The pc joined with a static ip and now it's dhcp, then the above line applies.
>
> No, none of the above.
>
> > Check you have within the options section in name.conf.options.
> > auth-nxdomain yes; # conform to RFC1035 = no
>
> Ok, correct.
>
>
> > Make sure you have somewhere below options { .... } in name.conf.options.
> > include "/etc/bind/rndc.key";
> > controls {
> > inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> > };
>
> I have no such stanza, and I've verified in the Samba wiki there's no
> mention about that.
>
> Clearly, I have instead:
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
>
> The point here is:
>
> a) even if DHCP auto registration is not enabled, the Windows client tries to
> ''register'' itself on the DNS; good.
>
> b) contrary to what Rowland says, the client correctly uses an AD DNS to
> register itself.
>
> c) seems to use some ''random'' AD DNS, not the one in the site, for
> example.
>
>
> > See also:
> > https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> > And this link is imo a must read before you install any AD. It really helps in preventing strange problems.
>
> Thanks for the link!
>
> --
> dott. Marco Gaiarin GNUPG
> Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
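
Added example, not part of the original messages and not Samba or BIND project code: a small Python triage of BIND "tsig verify failure (BADSIG)" lines like the one quoted in the thread. It separates short bursts (as Marco describes) from failures that persist, or that come from more than one client address for the same machine account (the "2 x pc with the same name" cause Louis lists). The log prefix layout, the sample hosts and realm, and the 120-second threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

def sample_line(ts, ip, host):
    # Builds one CONSTRUCTED log line. Assumed prefix: ISO timestamp and
    # "client <ip>#<port>:"; the message text follows the line in the thread.
    return (f"{ts} named[811]: client {ip}#50112: request has invalid signature: "
            rf"TSIG 1592-ms-7.1-example.key ({host}\$\@AD.EXAMPLE.TEST): "
            "tsig verify failure (BADSIG)")

SAMPLE_LOG = "\n".join([
    sample_line("2018-06-11T14:20:01", "192.0.2.21", "PC-A"),
    sample_line("2018-06-11T14:20:06", "192.0.2.21", "PC-A"),
    sample_line("2018-06-11T14:21:00", "192.0.2.30", "PC-B"),
    sample_line("2018-06-11T14:31:00", "192.0.2.31", "PC-B"),
    "2018-06-11T14:32:00 named[811]: zone ad.example.test/IN: loaded serial 42",
])

BADSIG_RE = re.compile(
    r"^(\S+) .*?client (?:@\S+ )?([0-9a-fA-F.:]+)#\d+.*?"
    r"request has invalid signature: TSIG (\S+) \(([^)]*)\): "
    r"tsig verify failure \((\w+)\)")

def triage(log_text, persist_after=120):
    """Group TSIG verify failures by principal and flag the suspicious ones."""
    seen = defaultdict(lambda: {"times": [], "clients": set()})
    for line in log_text.splitlines():
        m = BADSIG_RE.search(line)
        if not m:
            continue  # not a TSIG verify failure
        ts, client, _key, principal, _err = m.groups()
        principal = principal.replace("\\", "")  # drop the log's escaping
        seen[principal]["times"].append(datetime.fromisoformat(ts))
        seen[principal]["clients"].add(client)
    report = {}
    for principal, d in seen.items():
        span = (max(d["times"]) - min(d["times"])).total_seconds()
        flags = []
        if len(d["clients"]) > 1:   # same machine account, several addresses
            flags.append("multiple-clients")
        if span > persist_after:    # did not clear up after "some seconds"
            flags.append("persistent")
        report[principal] = {"count": len(d["times"]), "span_s": span,
                             "flags": flags or ["transient"]}
    return report

if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, info)
```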