[Samba] DNS forwarding not working.

Rowland Penny rpenny at samba.org
Fri Apr 26 20:05:36 UTC 2019


On Fri, 26 Apr 2019 13:35:45 -0600
durwin at mgtsciences.com wrote:

> > > I followed this url to set up Samba AD DC.
> > > https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
> > > 
> > > I do have it working.  I am testing with a Windows 10 VM as a
> > > member of the domain.
> > > The machine joins the domain.  Also, as administrator, I can
> > > create and enforce Group Policies from this Windows machine.
> > > 
> > > I have a Fedora 29 server which serves DHCP and DNS (and DDNS).
> > > This all works.
> > > When I installed Samba DC, I specified this DNS server as a
> > > forwarder.  
> > 
> > Is this dns server also authoritative for the same dns domain as
> > the AD domain?
> 
> Yes, the Fedora 29 server is authoritative.
> 
> >   
> > > 
> > > On the DC server (named dc0) I can enter command,  
> > > > dig other_machine_in_lan   
> > > and get correct response.
> > > If I enter this command,  
> > > > dig @localhost other_machine_in_lan   
> > > It fails.  Dig from domain member of course also fails.
> > > 
> > > I know you may need more information to diagnose, but there are so
> > > many files that could
> > > be part of the problem I do not know which to send.
> > >   
> > 
> > Let's start with the smb.conf from the DC, your DC's FQDN and
> > IP address (sanitised if you have to) and the same for your Fedora
> > dns server.
> === DC server smb.conf ===
> Ubuntu18.04> less /etc/samba/smb.conf  
> # Global parameters
> [global]
>     netbios name = DC0
>     realm = company.COM
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = company
>     idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>     path = /var/lib/samba/sysvol/company.com/scripts
>     read only = No
> 
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> === END DC server smb.conf ===
> 
> DC FQDN - dc0.company.com (172.23.93.25)
> 
> Fedora server - zaphod.company.com (172.23.93.3)


So your DC is authoritative for the 'company.com' dns domain and holds
all the AD dns domain records.
zaphod is authoritative for the 'company.com' dns domain and presumably
holds none of the AD dns domain records.

Can you not see what is wrong here and why forwarding doesn't work?

You should have used a subdomain of 'company.com' for your AD dns
domain (perhaps ad.company.com).

When you ask your DC for 'dnsclient.company.com' (where 'dnsclient' is
not an AD domain member), your DC will not forward it anywhere because
it is authoritative for the 'company.com' dns domain; it will just
return 'not known' or words to that effect.

I, personally, would transfer all the dns & dhcp roles from zaphod to
your DC, or start again with a new subdomain on your DC.
 
Your forwarders need to be outside your AD dns domain.

Rowland


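To make the zone-cut logic in Rowland's explanation concrete, here is an added Python model (not Samba code and not from the thread): the DC answers authoritatively for its own zone and forwards only names outside it, so the same query succeeds or fails depending on whether the AD dns domain overlaps zaphod's zone. The host 'dnsclient', its address and the record tables are constructed for the example.

```python
"""Model of the resolution decision an AD DC's internal DNS makes.
Added example, not Samba code; records and hosts below are constructed."""


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def resolve(name, dc_zone, dc_records, forwarder_records):
    """Return (answer, source) for a query sent to the DC.

    Names inside dc_zone never leave the DC: if the DC has no record,
    the client gets NXDOMAIN, exactly the failure seen in the thread.
    Only names outside dc_zone are passed to the configured forwarder.
    """
    key = name.lower().rstrip(".")
    if in_zone(key, dc_zone):
        return (dc_records.get(key, "NXDOMAIN"), "dc")
    return (forwarder_records.get(key, "NXDOMAIN"), "forwarder")


# Constructed zone data. zaphod (the forwarder) is authoritative for
# company.com and holds the non-AD hosts; the DC holds only AD hosts.
ZAPHOD = {"company.com": "SOA zaphod", "dnsclient.company.com": "172.23.93.50"}


def broken_layout():
    """AD dns domain equals the forwarder's zone (the thread's setup)."""
    dc = {"company.com": "SOA dc0", "dc0.company.com": "172.23.93.25"}
    return resolve("dnsclient.company.com", "company.com", dc, ZAPHOD)


def subdomain_layout():
    """AD dns domain is ad.company.com, as Rowland suggests."""
    dc = {"ad.company.com": "SOA dc0", "dc0.ad.company.com": "172.23.93.25"}
    return resolve("dnsclient.company.com", "ad.company.com", dc, ZAPHOD)


def ad_host_in_subdomain_layout():
    """An AD member is still answered locally under the subdomain layout."""
    dc = {"ad.company.com": "SOA dc0", "dc0.ad.company.com": "172.23.93.25"}
    return resolve("dc0.ad.company.com", "ad.company.com", dc, ZAPHOD)


if __name__ == "__main__":
    print("same zone:", broken_layout())        # ('NXDOMAIN', 'dc')
    print("subdomain:", subdomain_layout())     # ('172.23.93.50', 'forwarder')
```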
