[Samba] Problems with internal DNS

Rowland penny rpenny at samba.org
Tue Oct 22 15:27:54 UTC 2019 

On 22/10/2019 16:18, Thomas Schweikle wrote:
>
> On Tue, Oct 22, 2019 at 5:07 PM Rowland penny via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>
>     On 22/10/2019 15:52, Thomas Schweikle wrote:
>     >
>     > On Mon, Oct 21, 2019 at 5:03 PM Rowland penny via samba
>     > <samba at lists.samba.org <mailto:samba at lists.samba.org>
>     <mailto:samba at lists.samba.org <mailto:samba at lists.samba.org>>> wrote:
>     >
>     >     On 21/10/2019 15:47, Thomas Schweikle via samba wrote:
>     >     > Hi!
>     >     >
>     >     > Samba server set up for domain rufus.ada.de
>     <http://rufus.ada.de>
>     >     <http://rufus.ada.de> a proxy is reachable in
>     >     > proxy.ada.de <http://proxy.ada.de> <http://proxy.ada.de>.
>     >
>     >     How are you running Samba ?
>     >
>     > As ADDC.
>     >
>     >     Please post your smb.conf.
>     >
>     > OK. Here it is:
>     >
>     > [global]
>     >         netbios name = AD01
>     >         realm = RUFUS.ADA.DE <http://RUFUS.ADA.DE>
>     <http://RUFUS.ADA.DE>
>     >         server role = active directory domain controller
>     >         workgroup = RUFUS
>     >         idmap_ldb:use rfc2307 = yes
>     >         allow dns updates = secure only
>     >         dns forwarder = 172.18.8.1
>     >
>     > [sysvol]
>     >         path = /var/lib/samba/sysvol
>     >         read only = No
>     >
>     > [netlogon]
>     >         path = /var/lib/samba/sysvol/rodos.bfs.de/scripts
>     <http://rodos.bfs.de/scripts>
>     > <http://rodos.bfs.de/scripts>
>     >         read only = No
>
>     First problem, netlogon says your dns domain is 'rodos.bfs.de
>     <http://rodos.bfs.de>' but your
>     REALM is 'RUFUS.ADA.DE <http://RUFUS.ADA.DE>', ignoring the case,
>     they must be the same.
>
>
> Ahm yes. This was a mistake made by copy and paste ... I've corrected 
> it. It now reads:
>   path = /var/lib/samba/sysvol/rufus.ada.de/scripts 
> <http://rodos.bfs.de/scripts>
I sort of thought it was something like that, but I have seen stranger 
things than that posted on here, talking of that:
>
>     Next, your AD DC must be Authoritative for the AD dns domain and
>     your AD
>     clients must use the DC as their first nameserver and anything it
>     doesn't know, it asks its forwarder.
>
>     Your /etc/resolv.conf file on the DC should be:
>
>     search <your actual dns domain>
>     nameserver <your DCs ipaddress>
>
>
> Does "localhost" work?
NO, set it as shown, this works, though there is nothing to stop the 
forwarder being the proxy server. Your clients need to easily find a DC
> search ada.de <http://ada.de>.
> domain ada.de <http://ada.de>
'search' & 'domain' are mutually exclusive and last one wins and it 
needs to be search
> nameserver localhost
>
> Or does it have to be the extern reachable address?
>
> If I look at
> samba   1500 root   47u  IPv6  26355      0t0  TCP *:53 (LISTEN)
> samba   1500 root   49u  IPv6  26356      0t0  UDP *:53
> samba   1500 root   50u  IPv4  26357      0t0  TCP *:53 (LISTEN)
> samba   1500 root   51u  IPv4  26358      0t0  UDP *:53
>
> samba binds to "*" aka "all addresses". But does it mean it does not 
> answer to localhost incoming queries?
Using 'localhost is not going to work, use the DCs ipaddress.

Rowland

More information about the samba mailing list