[Samba] Samba + BIND9 DLZ. DNS dosen't resolve FQDN, only short hostname

Rowland Penny rpenny at samba.org
Sat Jan 12 14:00:49 UTC 2019

On Sat, 12 Jan 2019 10:35:59 +0100
Peter Tuharsky via samba <samba at lists.samba.org> wrote:

> Thank You, Luis, Rowland,
> for the initial hints. I checked them all.
> As of system, it is Debian Strech, Bind 9.10.3, Samba 4.5.12 (I know
> it is old, but is native for distribution, and should work in such
> simple setup I suppose). I used this howto:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

The problem with 4.5.12 is that it is, as far as Samba is concerned,
EOL. it will be even more EOL when 4.10.0 is released at the beginning
of March. The only Samba supported versions (at the moment) are 4.9.x,
4.8.x and 4.7.x. When 4.10.0 is released, 4.7.x will reach EOL.

This is easily fixed on Debian, see here:


> As of hosts.conf, there are only localhost and server itself, because 
> everything else should be resolved by DNS anyway...
>    localhost.interbronz.local    localhost

The above should just be:	localhost

You also shouldn't have used '.local', bit late now, so you should stop
Avahi from running.

> --------
> There is not much in named.conf and surroundings. This is Debian, so
> the config is scattered here and there, but if I put all includes
> together, we get this:
> options {
>      directory "/var/cache/bind";
>      // External DNS forwarder
>      forwarders {
> ;
>       };
>      dnssec-validation auto;
>      auth-nxdomain no;    # conform to RFC1035
>      listen-on-v6 { any; };
> };

This is my /etc/bind/named.conf.options:
options {
    directory "/var/cache/bind";
    version "0.0.7";
    notify no;
    empty-zones-enable no;
    allow-query {;; };
    allow-recursion {;; };
    forwarders {;; };
    allow-transfer { none; };

    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on-v6 { none; };
    listen-on port 53 {;; };

    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

> --------------
> Since there is BIND DLZ in use, I assume that it is up to Samba DNS 
> module to resolve local domain issues for BIND, thus BIND config is
> of little interest here anyway, it simply gives whatever it takes
> from Samba. Correct?

Very Wrong.

> So, it would seem that if anything unusual, it should take place
> inside Samba DNS records. That is area I have no expertise in. When I
> do
> samba-tool dns query -U administrator interbronz.local @ ALL

The only problem with that is (as far as I am aware), samba-tool goes
direct to AD bypassing Bind9

> The question is, whether Samba even knows how to, or should it ever, 
> resolve FQDNs.

It does, or rather, Bind9 with AD does.

> I see there are more NS records for server itself, of whom some
> belong to interfaces no longer active. But still first 2 are valid,
> and the hostnames are resolved anyway, so that doesn't seem like the
> culprit.

If you have NS records that do not exist, you need to delete them.


More information about the samba mailing list