[Samba] Invalid PTR record in reverse lookup zone

Rowland penny rpenny at samba.org
Mon Nov 11 17:27:03 UTC 2019

On 11/11/2019 16:47, andi wrote:
> On Sun, Nov 10, 2019 at 07:19:40PM +0000, Rowland penny via samba wrote:
>> On 10/11/2019 17:49, andi via samba wrote:
>>> Maybe one thing in advance: I'm using a typical DSL wallbox which is doing
>>> telephone, dhcp and dns (.183.1 address) I have setup its internal DNS so that
>>> ad.home.arpa, .ad.home.arpa and 183.168.192.in-addr.arpa are forwarded
>>> to the DC (.183.5 address)
>> Similar to my setup, except I have turned off dhcp etc.
>> The problem is that whilst dhcp on the router will work with your Windows
>> and Linux clients, it will not update dns records in AD and linux clients
>> will not attempt to update their records in AD, but Windows clients will.
> I'm using fixed assignments in DHCP, so effecively IP's are constant.
Can I recommend you give the DC a static IP on the DC.
>>> Here is the output for the server:
>>> Collected config  --- 2019-11-10-18:30 -----------
>>> Hostname: kronos
>>> DNS Domain: ad.home.arpa
>>> FQDN: kronos.ad.home.arpa
>>> ipaddress: 2003:e3:570b:9400:f6xx:xxff:fexx:xxxx 2003:e3:5705:5200:f6xx:xxff:fexx:xxxxxx fd1f:6d10:24a0:1:f6xx:xxff:fexx:xxxx
>>> -----------
>>> Kerberos SRV _kerberos._tcp.ad.home.arpa record verified ok, sample output:
>>> Server:
>>> Address:
>>> _kerberos._tcp.ad.home.arpa	service = 0 100 88 kronos.ad.home.arpa.
>>> Samba is running as an AD DC
>> Interesting, the kerberos record should point to the DC, it seems to be
>> pointing to the router.
> Why? Kronos is the DC. So it should be fine.
The IP above is, yet the IP for kronos (the DC) is, so it will not be fine.
>> The AD DC should be authoritative for the AD dns domain.
>>> -----------
>>>          Checking file: /etc/hosts
>>>	localhost
>> Please tell me that your DC isn't getting its IP from DHCP, if it is, then
>> change it to a fixed IP, it must have a fixed IP and there should be a line
>> in /etc/hosts similar to this:
>> kronos.ad.home.arpa kronos
> It is assigned its IP by DHCP, but the IP is fixed in DHCP server, so
> should be fine right?. If I add the line to /etc/hosts will it fix the
> issue with the wrong PTR record in DNS?
It will fix a lot, but only if give your DC a static IP and stop using 
DHCP on the DC, I would add the line.
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1     localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>> -----------
>>>          Checking file: /etc/resolv.conf
>>> domain ad.home.arpa
>>> search ad.home.arpa
>>> nameserver
>> Remove the 'domain' line
>> The 'nameserver' should point to the AD DCs ipaddress, not the router
> I'll try.
>> If you wish  your users to log into the DC, replace 'sss' with 'winbind' in
>> the 'passwd' & 'group' lines, remove 'sss' from the other lines and
>> 'sudoers' will work from ldap if you install sudo-ldap. You should also run
>> 'apt-get purge sssd', you cannot use sssd with Samba >= 4.8.0
> Well, since I'm just typing this email in a session of an domain account
> on a Linux-Client this seems to be curious to me. Can you point me why this
> wont work with sssd? Will the winbind module support the Road-Warrior
> usecase? (Some of the machines are linux-notebooks which dont have access to the
> AD all the time)

You must use winbind with Samba >= 4.8.0 and this means you cannot sssd 
any more. If you want to use the DC as a fileserver (not recommended) 
either use idmap.ldb (the default) or nslcd.

It might appear to work, but you are loading sssd variants of winbind 
libaries and they will conflict.

Adding 'winbind offline logon = yes' to smb.conf will allow your laptops 
to work when away from the domain.

>> Remove 'krb5-kdc' & 'krb5-kdc-ldap', your Samba AD DC uses heimdal, so you
>> shouldn't have another kdc.
> oJust a leftover from linux only tests. Service are actually disabled.
>> Create /etc/samba/user.map containing this:
>> !root = OLYMP\Administrator
>> The above uses the 'rid' backend, but if you have added rfc2307 attributes
>> and want to use the 'ad' backend, then see here:
>> https://wiki.samba.org/index.php/Idmap_config_ad
> Yes, the domain was provisioned with rfc2307
That is not what I said, provisioning with RFC2307 only adds various OUs 
etc in AD, it does not add any of the RFC2307 attributes and you need 
these for the winbind 'ad' backend to work. If you haven't added any 
RFC2307 attributes to AD, then use 'rid' on the Unix domain members

Can I point out that your set up is very like mine and everything works 
for me, I use the router as just that, everything else is done by the 
DCs. I suggest you read these:




More information about the samba mailing list