[Samba] DNS Updates after upgrade [SOLVED]
Christian Naumer
cn at brain-biotech.de
Thu Jul 2 07:45:47 UTC 2020
Hello all,
to answer this question myself: the problem was in front of the computer...
While copying the commands from my notes I missed one line of the
firewall configuration, so port 53/tcp was still blocked.
So I learned that DNS still works, as this is UDP, which was not blocked.
Also, local updates by samba_dnsupdate work, as the firewall does not play
a role there.
But my other questions are still open:
On 29.06.20 at 12:31, Christian Naumer via samba wrote:
> So here are my questions:
>
> -- On two of the new joins I did, the KCC objects appeared only after
> running samba_kcc. Is this normal or should I have waited a bit longer?
>
> -- Do any of you manually add NS records for all DCs into all your zones
> (specifically the reverse zones) or should this be done by samba?
>
> -- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still
> needed? I needed this to get DNS updates from the clients working with
> Samba 4.4 (when this Domain was provisioned the current version). I
> moved it from the private dir to bind-dns dir. But named.conf.update
> does not get created (on all DCs).
> Here are the relevant configs:
>
> ---smb.conf---
> [global]
> netbios name = DC1
> realm = AD.DOMAIN.DE
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN-02
> log level = 1 auth_audit:4 dsdb_password_audit:5
> dsdb_transaction_audit:5 dsdb_group_audit:5
> #log level = 10
> logging =syslog
> server role = active directory domain controller
> dns zone scavenging = yes
> prefork children = 8
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir = /home/%U
> #ntlm auth = yes
> ntlm auth = mschapv2-and-ntlmv2-only
> disable netbios = yes
> smb ports = 445
> server min protocol = SMB2
> client min protocol = SMB2
> tls enabled = yes
> tls keyfile = tls/server_de.key
> tls certfile = tls/server.pem
> tls cafile = tls/ca.pem
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>
> [netlogon]
> path = /var/lib/samba/sysvol/AD.DOMAIN.de/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> ----/etc/named.conf------
> # Global BIND configuration options
> include "/var/lib/samba/bind-dns/named.conf";
> options {
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> minimal-responses yes;
> auth-nxdomain yes;
> directory "/var/named";
> notify no;
> empty-zones-enable no;
>
> allow-query {
> 127.0.0.1;
> 10.0.8.0/24;
> # add other networks you want to allow to query your DNS
> };
>
> allow-recursion {
> 10.0.8.0/24;
> # add other networks you want to allow to do recursive queries
> };
>
> forwarders {
> # Google public DNS server here - replace with your own if necessary
> 8.8.8.8;
> };
>
> allow-transfer {
> # this config is for a single master DNS server
> none;
> };
>
> };
> # Root servers (required zone for recursive queries)
> zone "." {
> type hint;
> file "named.root";
> };
>
> # Required localhost forward-/reverse zones
> zone "localhost" {
> type master;
> file "master/localhost.zone";
> };
>
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "master/0.0.127.zone";
> };
>
> ---/var/lib/samba/bind-dns/named.conf---
> dlz "AD DNS Zone" {
> # For BIND 9.8.x
> # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
>
> # For BIND 9.9.x
> # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
>
> # For BIND 9.10.x
> # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
>
> # For BIND 9.11.x
> database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
> # For BIND 9.12.x
> # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
> };
>
>
> ---/etc/krb5.conf---
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = AD.DOMAIN.DE
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
>
> Thanks for any help!
>
> Regards
>
> Christian
--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management board: Adriaan Moelker (Chairman of the Management Board),
Manfred Bender, Ludger Roedder
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
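The failure mode in this thread (queries keep working because they go over UDP, while everything that needs 53/tcp silently breaks) is easy to check for directly. The following probe sends the same SOA query to a DNS server once over UDP and once over TCP and reports which transport answered. It is an added example and not code from the post or from Samba; the server address 127.0.0.1 and the zone ad.domain.de are assumed defaults taken from the configs quoted above, and the packet builder is deliberately minimal (no EDNS, no TSIG), so it only tests reachability of the two transports, not dynamic updates themselves.

```python
"""Probe a DNS server over UDP and TCP to spot a firewall that passes
53/udp but blocks 53/tcp. Added example; server and zone are assumptions."""
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id so the reply can be matched


def build_query(name: str, qtype: int = 6, txid: int = TXID) -> bytes:
    """Build a minimal DNS query (default QTYPE 6 = SOA, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP each message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Extract txid, QR, TC, RCODE and answer count from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def _read_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("short read from DNS server")
        data += chunk
    return data


def query_udp(server: str, query: bytes, timeout: float = 2.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def query_tcp(server: str, query: bytes, timeout: float = 2.0) -> bytes:
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", _read_exact(s, 2))
        return _read_exact(s, length)


def probe(server: str, zone: str) -> tuple:
    """Return (udp_ok, tcp_ok). UDP answering while TCP fails points at a
    53/tcp filter rather than at the name server itself."""
    q = build_query(zone)
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            hdr = parse_header(fn(server, q))
            results[label] = hdr["qr"] and hdr["txid"] == TXID
        except (OSError, ValueError):
            results[label] = False
    return results["udp"], results["tcp"]


if __name__ == "__main__":
    srv = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed DC address
    zone = sys.argv[2] if len(sys.argv) > 2 else "ad.domain.de"  # assumed zone
    udp_ok, tcp_ok = probe(srv, zone)
    print(f"UDP/53: {'ok' if udp_ok else 'FAIL'}   TCP/53: {'ok' if tcp_ok else 'FAIL'}")
    if udp_ok and not tcp_ok:
        print("UDP answers but TCP does not: check the host firewall for 53/tcp")
```

Run it as `python3 dnsprobe.py <dc-address> <zone>` from a client on the LAN; a DC that answers on UDP but times out or refuses the connection on TCP matches exactly the symptom described above, and that is the case to check before digging into named.conf or the DLZ module.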