[Samba] DNS Updates after upgrade [SOLVED]

Christian Naumer cn at brain-biotech.de
Thu Jul 2 07:45:47 UTC 2020


Hello all,
to answer this question myself. The problem was in front of the computer...

While copying the commands from my notes I missed one line of the
firewall configuration. So port 53/tcp was still blocked.

So I learned that DNS still works as this is UDP, which was not blocked.
Also local updates by samba_dnsupdate work as the firewall does not play
a role there.
But my other questions are still open:


On 29.06.20 at 12:31, Christian Naumer via samba wrote:
> So here are my questions:
> 
> -- On two of the new joins I did, the KCC Objects appeared only after
> running samba_kcc. Is this normal or should I have waited a bit longer?
> 
> -- Do any of you manually add NS records for all DCs into all your zones
> (specifically the reverse zones) or should this be done by samba?
> 
> -- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still
> needed? I needed this to get DNS updates from the clients working with
> Samba 4.4 (when this Domain was provisioned the current version). I
> moved it from the private dir to bind-dns dir. But named.conf.update
> does not get created (on all DCs).

> Here are the relevant configs:
> 
> ---smb.conf---
> [global]
>         netbios name = DC1
>         realm = AD.DOMAIN.DE
>         server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = DOMAIN-02
>         log level =  1 auth_audit:4 dsdb_password_audit:5
> dsdb_transaction_audit:5 dsdb_group_audit:5
>         #log level = 10
>         logging =syslog
>         server role = active directory domain controller
>         dns zone scavenging = yes
>         prefork children = 8
>         idmap_ldb:use rfc2307 = yes
>         template shell = /bin/bash
>         template homedir = /home/%U
>         #ntlm auth = yes
>         ntlm auth = mschapv2-and-ntlmv2-only
>         disable netbios = yes
>         smb ports = 445
>         server min protocol = SMB2
>         client min protocol = SMB2
>         tls enabled  = yes
>         tls keyfile  = tls/server_de.key
>         tls certfile = tls/server.pem
>         tls cafile   = tls/ca.pem
>         kerberos method = secrets and keytab
>         dedicated keytab file = /etc/krb5.keytab
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/AD.DOMAIN.de/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> 
> ----/etc/named.conf------
> # Global BIND configuration options
> include "/var/lib/samba/bind-dns/named.conf";
> options {
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>     minimal-responses yes;
>     auth-nxdomain yes;
>     directory "/var/named";
>     notify no;
>     empty-zones-enable no;
> 
>     allow-query {
>         127.0.0.1;
>         10.0.8.0/24;
>         # add other networks you want to allow to query your DNS
>     };
> 
>     allow-recursion {
>         10.0.8.0/24;
>         # add other networks you want to allow to do recursive queries
>     };
> 
>     forwarders {
>         # Google public DNS server here - replace with your own if necessary
>         8.8.8.8;
>     };
> 
>     allow-transfer {
>         # this config is for a single master DNS server
>         none;
>     };
> 
> };
> # Root servers (required zone for recursive queries)
> zone "." {
>    type hint;
>    file "named.root";
> };
> 
> # Required localhost forward-/reverse zones
> zone "localhost" {
>     type master;
>     file "master/localhost.zone";
> };
> 
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "master/0.0.127.zone";
> };
> 
> ---/var/lib/samba/bind-dns/named.conf---
> dlz "AD DNS Zone" {
>     # For BIND 9.8.x
>     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
> 
>     # For BIND 9.9.x
>     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
> 
>     # For BIND 9.10.x
>     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
> 
>     # For BIND 9.11.x
>      database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
>     # For BIND 9.12.x
>     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
> };
> 
> 
> ---/etc/krb5.conf---
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = AD.DOMAIN.DE
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> 
> 
> Thanks for any help!
> 
> Regards
> 
> Christian
> 
> 

-- 
Dr. Christian Naumer
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management board: Adriaan Moelker (Chief Executive Officer),
Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
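The root cause above (53/udp open, 53/tcp blocked) is easy to miss because ordinary lookups keep working. As an added example that is not part of Christian's post or of Samba's own tooling, the probe below sends the same query to a DC over UDP and over TCP and classifies the outcome, so a firewall change on a DC can be verified on both transports in one step. Client dynamic updates (GSS-TSIG via nsupdate -g and Windows clients) and any answer that comes back truncated over UDP need TCP, which is why "DNS works" is not enough evidence that port 53 is fully open. The server address, the queried name and the fixed transaction id are assumptions for illustration.

```python
"""Check that a DNS server answers on both 53/udp and 53/tcp.

Added example, not Samba code. Builds a raw DNS query without third-party
libraries so the check can run from any host with only the standard library.
"""
import socket
import struct

DNS_PORT = 53
TXID = 0x1234  # fixed transaction id (assumption: fine for a one-off probe)


def build_query(name, qtype=1, txid=TXID):
    """Encode a minimal DNS query (type A by default) with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(data, txid=TXID):
    """Extract rcode, AA/TC bits and answer count from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {
        "rcode": flags & 0x000F,
        "authoritative": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),  # TC set: client must retry over TCP
        "answers": an,
    }


def query_udp(server, name, timeout=2.0):
    """Single UDP round trip; OSError (timeout/ICMP unreachable) means blocked."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-response")
        buf += chunk
    return buf


def query_tcp(server, name, timeout=2.0):
    """TCP variant: RFC 1035 two-byte length prefix on request and response."""
    q = build_query(name)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        data = _recv_exact(s, length)
    return parse_response(data)


def probe(server, name):
    """Run both transports and record either the parsed reply or the error."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = fn(server, name)
        except (OSError, ValueError) as exc:
            results[transport] = {"error": type(exc).__name__}
    return results


def diagnose(results):
    """Map the two outcomes to one verdict; 'tcp-blocked' is the case in the post."""
    udp_ok = "error" not in results["udp"]
    tcp_ok = "error" not in results["tcp"]
    if udp_ok and tcp_ok:
        return "ok"
    if udp_ok:
        return "tcp-blocked"   # lookups work, dynamic updates / TC retries will not
    if tcp_ok:
        return "udp-blocked"   # unusual: most resolvers try UDP first and fail
    return "unreachable"


if __name__ == "__main__":
    import sys
    # Assumed defaults: query the local DC for its own name.
    srv = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    qname = sys.argv[2] if len(sys.argv) > 2 else "dc1.ad.domain.de"
    res = probe(srv, qname)
    print(res)
    print("verdict:", diagnose(res))
```

Run it once from a client subnet against each DC after touching firewall rules; a "tcp-blocked" verdict reproduces exactly the symptom in this thread, while samba_dnsupdate on the DC itself still succeeds because it never crosses the firewall.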
