[Samba] samba dlz. bind9 nslookup is wrong

L.P.H. van Belle belle at bazuin.nl
Mon Aug 5 09:31:19 UTC 2019


If I may.

Rowland is right, below is not going to work as you want it to work. 

BIND9_FLATFILE with Samba will be removed soon, because it's not supported.
Read: https://wiki.samba.org/index.php/The_Samba_AD_DNS_Back_Ends 
Which states: 

Do not use the BIND9_FLATFILE DNS back end. It is not supported and will be removed in the future.

And then this part. 

[router-logs]
        path = /var/log-router
        read only = yes
        guest ok = yes
        writable = no
        browseable = yes
        force user = root
        follow symlinks = yes
        wide links = yes

That is asking for problems, and again, wide links and follow symlinks are very dangerous to use. 
And especially when you force user root. 

You're on Debian Buster. 
Enforce your logging to root:staff or root:adm, 
which is the Debian default on most logs; set up your logrotate for that also. 
And use the group(s) to allow access for the Samba share. 

But that's what I would do. 

PS, run my debug script, anonymize it where needed, and we will know if there is more off in your setup. 


Greetz, 

Louis


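An added example (not Louis's debug script and not part of Samba) that audits an smb.conf for the share combination flagged above: it parses the file, applies Samba's rule that 'wide links' only takes effect when 'unix extensions = no' or 'allow insecure wide links = yes', and reports shares that can reach outside their path, run as root, or expose such a share to guests. The sample input is constructed from the [global] and [router-logs] lines quoted in this thread.

```python
_TRUE = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}; '#'/';' lines are
    comments and keys are lowercased with whitespace collapsed, as Samba does."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, val = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = val.strip()
    return conf

def _flag(params, key, default):
    return params.get(key, default).lower() in _TRUE

def audit_shares(text):
    """Return [(share, finding), ...] for shares set up like [router-logs]."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    # Samba only honours 'wide links' when unix extensions are off or
    # 'allow insecure wide links' is set; the thread's [global] has both.
    wide_ok = (not _flag(g, "unix extensions", "yes")
               or _flag(g, "allow insecure wide links", "no"))
    findings = []
    for share, p in conf.items():
        if share == "global":
            continue
        escapes = (wide_ok and _flag(p, "wide links", "no")
                   and _flag(p, "follow symlinks", "yes"))
        if escapes:
            findings.append((share, "symlinks may point outside the share path"))
        if p.get("force user", "").lower() == "root":
            findings.append((share, "all file access runs as root"))
        if escapes and _flag(p, "guest ok", "no"):
            findings.append((share, "unauthenticated guests reach an escapable share"))
    return findings

# Constructed sample: the [global] lines and [router-logs] share from the thread.
SAMPLE = ("[global]\nallow insecure wide links = Yes\nunix extensions = no\n"
          "[router-logs]\nguest ok = yes\nforce user = root\n"
          "follow symlinks = yes\nwide links = yes\n")

if __name__ == "__main__":
    for share, finding in audit_shares(SAMPLE):
        print(f"[{share}] {finding}")
```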

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Patrik via samba
> Sent: Monday, 5 August 2019 11:14
> To: Rowland penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] samba dlz. bind9 nslookup is wrong
> 
> I am not using flatfiles and I am using BIND_DLZ; it shows in my log and I do
> not use flatfiles. BIND_DLZ only.
> As you can see it is pure bind and it just generates a weird IP address
> (192.168.81.120, 2001:470:1f1b:5b5:eeaa:a0ff:fe1b:4d84); these IP addresses
> cannot be pinged, missing this client.
> You can see in smb.conf I do not use dnsupdate either.
> And it is rotating and sometimes giving the wrong IP address for Windows
> and Linux. I am on Debian Buster.
> 
> My bind settings are correct as well (I want to use enp1s0f3):
> root at server:/# cat /etc/bind/named.conf.local
> view "internal-enp1s0f3" {
>     match-clients { "internal-enp1s0f3"; };
>     match-recursive-only yes;
>     recursion yes;
>     allow-recursion { "internal-enp1s0f3"; };
> 
>     notify yes;
>     allow-update { none; };
>     allow-query { any; };
>     allow-transfer { xfer; };
>     include "/etc/bind/named.conf.default-zones";
> 
>     zone "patrikx3.com" {
>         type master;
>         file "/etc/bind/zones/enp1s0f3/patrikx3.com";
> 
>         include "/var/lib/samba/private/named.conf.update";
>     };
> 
>     zone "corifeus.com" {
>         type master;
>         file "/etc/bind/zones/enp1s0f3/corifeus.com";
>     };
> 
>     zone "gitlist.tk" {
>         type master;
>         file "/etc/bind/zones/enp1s0f3/gitlist.tk";
>     };
> 
>     zone "albafructus.eu" {
>         type master;
>         file "/etc/bind/zones/enp1s0f3/albafructus.eu";
>     };
> 
> 
>     zone "fruitinfo.hu" {
>         type master;
>         file "/etc/bind/zones/enp1s0f3/fruitinfo.hu";
>     };
> 
> 
>     zone "venyimgyumolcse.hu" {
>         type master;
>         file "/etc/bind/zones/enp1s0f3/venyimgyumolcse.hu";
>     };
> 
> 
>     include "/var/lib/samba/private/named.conf";
> };
> 
> view "internal-enp1s0f2" {
>     match-clients { "internal-enp1s0f2"; };
>     match-recursive-only yes;
>     recursion yes;
>     allow-recursion { "internal-enp1s0f2"; };
>      notify yes;
>     allow-update { none; };
>     allow-query { any; };
>     allow-transfer { xfer; };
> 
>     include "/etc/bind/named.conf.default-zones";
> 
>     zone "patrikx3.com" {
>         type master;
>         file "/etc/bind/zones/enp1s0f2/patrikx3.com";
>     };
> 
>     zone "corifeus.com" {
>         type master;
>         file "/etc/bind/zones/enp1s0f2/corifeus.com";
>     };
> 
>     zone "gitlist.tk" {
>         type master;
>         file "/etc/bind/zones/enp1s0f2/gitlist.tk";
>     };
> 
>     zone "albafructus.eu" {
>         type master;
>         file "/etc/bind/zones/enp1s0f2/albafructus.eu";
>     };
> 
>     zone "fruitinfo.hu" {
>         type master;
>         file "/etc/bind/zones/enp1s0f2/fruitinfo.hu";
>     };
> 
> 
>     zone "venyimgyumolcse.hu" {
>         type master;
>         file "/etc/bind/zones/enp1s0f2/venyimgyumolcse.hu";
>     };
> 
> };
> 
> 
> view "external" {
>     match-clients { any; };
> 
>     recursion no;
>     additional-from-auth no;
>     additional-from-cache no;
> 
> //    allow-transfer { any; }; // temporarily allowed for debugging purposes
>     allow-transfer { none; };
> 
> //    zone "namesystem.tk" IN {
> //        type master;
> //        file "/etc/bind/zones/external.namesystem.tk";
> //    };
> };
> 
> My samba looks like this:
> # Global parameters
> [global]
> 
> bind interfaces only = yes
> # if this is turned on, always perfect
> # interfaces = lo 192.168.78.20 2001:470:1f1b:5b3:21b:21ff:fea6:ce93
> # interfaces = lo 192.168.78.20 2001:470:1f1b:5b3:21b:21ff:fea6:ce93 192.168.81.20 2001:470:1f1b:5b5:21b:21ff:fea6:ce92
> #        interfaces = lo 192.168.81.20 2001:470:1f1b:5b5:21b:21ff:fea6:ce92
> # if all interfaces known, order is important, the last is the required
> # interfaces = lo 192.168.78.20 192.168.81.20
> 
> # you can see it is should only allow on enp1s0f3 which is above
> 
> interfaces = lo enp1s0f3
> netbios name = SERVER
> realm = P3X-DC.PATRIKX3.COM
> # server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
> workgroup = P3X-DC
> allow insecure wide links = Yes
> # before was working
> unix extensions = no
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> comment =
> # log level = 3
> template shell = /bin/bash
> template homedir = /home/%U
> 
> [netlogon]
> path = /var/lib/samba/sysvol/p3x-dc.patrikx3.com/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> [media]
>         path = /media
>         read only = no
>         guest ok = no
>         force group = media
>         writable = yes
> 
> [mounts]
>         path = /mnt
>         read only = no
>         guest ok = no
>         force group = mount
>         writable = yes
> 
> [router-logs]
>         path = /var/log-router
>         read only = yes
>         guest ok = yes
>         writable = no
>         browseable = yes
> #       valid users = router
>         force user = root
>         follow symlinks = yes
>         wide links = yes
> 
> Patrik
> WWW <https://patrikx3.com> | GitHub <https://github.com/patrikx3/> | NPM <https://www.npmjs.com/~patrikx3> | Corifeus <https://corifeus.com> | +36 20 342 8046
> 
> 
> 
> 
> 
> On Mon, Aug 5, 2019 at 11:10 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On 05/08/2019 09:55, Patrik via samba wrote:
> > > the dig is wrong as well, it adds an additional IP address, which I have
> > > not requested to use other interfaces:
> > > root at server:/# dig p3x-dc.patrikx3.com
> > >
> > Patrik, I have told you what your problem is; refusing to accept that
> > you have set up Bind9 incorrectly is no reason for opening a new thread.
> >
> > Just in case you missed it, or misunderstood it:
> >
> > You need to decide which network card you want to use with Samba and set
> > up smb.conf accordingly.
> >
> > You need to stop using 'flatfiles' with Samba and use BIND_DLZ instead.
> >
> > As I said, once you accept your setup is incorrect, I am prepared to
> > help you set it up correctly.
> >
> > Rowland
> >