[Samba] DNS Updates after upgrade [SOLVED]

L.P.H. van Belle belle at bazuin.nl
Fri Jul 3 07:51:53 UTC 2020


Hi Christian,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Naumer via samba
> Sent: Thursday 2 July 2020 9:46
> To: samba at lists.samba.org
> Subject: Re: [Samba] DNS Updates after upgrade [SOLVED]
> 
> Hello all,
> to answer this question myself. The problem was in front of
> the computer...

That's one big problem we all face  ;-)

> 
> While copying the commands from my notes I missed one line of the
> firewall configuration. So port 53/tcp was still blocked.
> 
> So I learned that DNS still works as this is UDP which was not blocked.
> Also local updates by samba_dnsupdate work as the firewall does not play
> a role there.
> But my other questions are still open:
> 
> 
> On 29.06.20 at 12:31, Christian Naumer via samba wrote:
> > So here are my questions:
> > 
> > -- On two of the new joins I did, the KCC objects appeared only after
> > running samba_kcc. Is this normal or should I have waited a bit longer?

Yes, it's normal. I just reboot my DCs with a 5 min wait between them
so they have a chance to replicate. Stop/start should also help, but I prefer a reboot.

> > 
> > -- Do any of you manually add NS records for all DCs into all your zones
> > (specifically the reverse zones) or should this be done by samba?
I did add them manually, but .. that was in 4.4-4.6 when I did that.
Verifying the NS and PTR entries is always good; not everything is added by Samba.
But again, I need an update on this, which I'm going to do soon now..

> > 
> > -- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still
> > needed? I needed this to get DNS updates from the clients working with
> > Samba 4.4 (the current version when this domain was provisioned). I moved
> > it from the private dir to the bind-dns dir. But named.conf.update
> > does not get created (on all DCs).

Hm, good one. If I look into that file, I also still have them; I only make sure
the server's needed users have the needed rights by policy.

I would keep it, but maybe Rowland has a better answer here.


> 
> > Here are the relevant configs:

Config looks fine. 

Greetz, 

Louis



> > 
> > ---smb.conf---
> > [global]
> >         netbios name = DC1
> >         realm = AD.DOMAIN.DE
> >         server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> > winbindd, ntp_signd, kcc, dnsupdate
> >         workgroup = DOMAIN-02
> >         log level =  1 auth_audit:4 dsdb_password_audit:5
> > dsdb_transaction_audit:5 dsdb_group_audit:5
> >         #log level = 10
> >         logging =syslog
> >         server role = active directory domain controller
> >         dns zone scavenging = yes
> >         prefork children = 8
> >         idmap_ldb:use rfc2307 = yes
> >         template shell = /bin/bash
> >         template homedir = /home/%U
> >         #ntlm auth = yes
> >         ntlm auth = mschapv2-and-ntlmv2-only
> >         disable netbios = yes
> >         smb ports = 445
> >         server min protocol = SMB2
> >         client min protocol = SMB2
> >         tls enabled  = yes
> >         tls keyfile  = tls/server_de.key
> >         tls certfile = tls/server.pem
> >         tls cafile   = tls/ca.pem
> >         kerberos method = secrets and keytab
> >         dedicated keytab file = /etc/krb5.keytab
> > 
> > [netlogon]
> >         path = /var/lib/samba/sysvol/AD.DOMAIN.de/scripts
> >         read only = No
> > 
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> > 
> > 
> > ----/etc/named.conf------
> > # Global BIND configuration options
> > include "/var/lib/samba/bind-dns/named.conf";
> > options {
> >     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> >     minimal-responses yes;
> >     auth-nxdomain yes;
> >     directory "/var/named";
> >     notify no;
> >     empty-zones-enable no;
> > 
> >     allow-query {
> >         127.0.0.1;
> >         10.0.8.0/24;
> >         # add other networks you want to allow to query your DNS
> >     };
> > 
> >     allow-recursion {
> >         10.0.8.0/24;
> >         # add other networks you want to allow to do 
> recursive queries
> >     };
> > 
> >     forwarders {
> >         # Google public DNS server here - replace with your 
> own if necessary
> >         8.8.8.8;
> >     };
> > 
> >     allow-transfer {
> >         # this config is for a single master DNS server
> >         none;
> >     };
> > 
> > };
> > # Root servers (required zone for recursive queries)
> > zone "." {
> >    type hint;
> >    file "named.root";
> > };
> > 
> > # Required localhost forward-/reverse zones
> > zone "localhost" {
> >     type master;
> >     file "master/localhost.zone";
> > };
> > 
> > zone "0.0.127.in-addr.arpa" {
> >     type master;
> >     file "master/0.0.127.zone";
> > };
> > 
> > ---/var/lib/samba/bind-dns/named.conf---
> > dlz "AD DNS Zone" {
> >     # For BIND 9.8.x
> >     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
> > 
> >     # For BIND 9.9.x
> >     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
> > 
> >     # For BIND 9.10.x
> >     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
> > 
> >     # For BIND 9.11.x
> >      database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
> >     # For BIND 9.12.x
> >     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
> > };
> > 
> > 
> > ---/etc/krb5.conf---
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> > 
> > [libdefaults]
> > default_realm = AD.DOMAIN.DE
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > forwardable = true
> > 
> > 
> > Thanks for any help!
> > 
> > Regards
> > 
> > Christian
> > 
> > 
> > --
> > 
> 
> -- 
> Dr. Christian Naumer
> Unit Head Bioprocess Development
> 
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> fon +49-6251-9331-30  /   fax +49-6251-9331-11
> 
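Louis's advice above is to verify the NS and PTR entries yourself, because not everything is added by Samba. The script below is an added example, not code from the thread or from Samba: it reads zone data in standard zone-file syntax (the form a zone transfer or zone export prints) and reports, for a list of DCs, every zone that lacks an NS record for a DC and every DC whose address has no PTR record. The zone text, the DC names and the 10.0.8.0/24 addresses are constructed for the example; the parser handles the plain "owner [ttl] [class] type rdata" line form and `$ORIGIN`, which is enough for exported AD zones.

```python
"""Check that every DC has an NS record in each zone and a PTR in the reverse zone.

Added example (hypothetical names and addresses); not from the Samba project.
"""
import ipaddress

# Constructed zone data in RFC 1035 zone-file syntax, as a zone transfer
# (dig ... AXFR) or a zone export would print it. dc3 is deliberately
# incomplete so the check has something to report.
FORWARD_ZONE = """\
$ORIGIN ad.domain.de.
@     3600 IN SOA dc1.ad.domain.de. hostmaster.ad.domain.de. 42 900 600 86400 3600
@     3600 IN NS  dc1.ad.domain.de.
@     3600 IN NS  dc2.ad.domain.de.
dc1    900 IN A   10.0.8.10
dc2    900 IN A   10.0.8.11
dc3    900 IN A   10.0.8.12   ; joined recently, records not yet complete
"""

REVERSE_ZONE = """\
$ORIGIN 8.0.10.in-addr.arpa.
@     3600 IN SOA dc1.ad.domain.de. hostmaster.ad.domain.de. 7 900 600 86400 3600
@     3600 IN NS  dc1.ad.domain.de.
10    3600 IN PTR dc1.ad.domain.de.
11    3600 IN PTR dc2.ad.domain.de.
"""

# Constructed inventory: DC FQDN (with trailing dot) -> address.
DCS = {
    "dc1.ad.domain.de.": "10.0.8.10",
    "dc2.ad.domain.de.": "10.0.8.11",
    "dc3.ad.domain.de.": "10.0.8.12",
}


def fqdn(name, origin):
    """Turn a zone-file owner name into an absolute, lower-cased FQDN."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Parse zone-file text into (origin, [(owner_fqdn, type, rdata), ...]).

    Supports $ORIGIN, ';' comments, optional numeric TTL and class fields,
    and the leading-whitespace form that repeats the previous owner name.
    Other $-directives and symbolic TTLs (e.g. '1h') are not handled.
    """
    origin = None
    last_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue
        if raw[:1].isspace():                     # owner omitted: reuse previous
            tokens = [last_owner] + tokens
        last_owner = tokens[0]
        i = 1
        while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in ("IN", "CH", "HS")):
            i += 1                                # skip optional TTL / class
        rtype = tokens[i].upper()
        rdata = " ".join(tokens[i + 1:])
        records.append((fqdn(tokens[0], origin), rtype, rdata))
    return origin, records


def check_dcs(dcs, zone_texts):
    """Return human-readable findings for missing NS and PTR records."""
    findings = []
    parsed = [parse_zone(z) for z in zone_texts]

    # Every DC should be listed as NS at the apex of every zone it serves.
    for origin, records in parsed:
        apex = origin.lower()
        ns_targets = {rdata.lower() for owner, rtype, rdata in records
                      if rtype == "NS" and owner == apex}
        for dc in dcs:
            if dc.lower() not in ns_targets:
                findings.append(f"{origin}: missing NS record for {dc}")

    # Every DC address should have a PTR pointing back at the DC name.
    for dc, ip in dcs.items():
        ptr_owner = ipaddress.ip_address(ip).reverse_pointer + "."
        ptr_targets = {rdata.lower() for _, records in parsed
                       for owner, rtype, rdata in records
                       if rtype == "PTR" and owner == ptr_owner}
        if dc.lower() not in ptr_targets:
            findings.append(f"{ptr_owner}: missing PTR record pointing to {dc}")
    return findings


if __name__ == "__main__":
    for line in check_dcs(DCS, [FORWARD_ZONE, REVERSE_ZONE]):
        print(line)
```

Run against real data by replacing the two constructed zone strings with the text of a zone transfer from the DC (allow-transfer in the named.conf above is `none`, so it has to be run from a host and key that the server permits, or from an exported zone file) and the inventory with the actual DC names and addresses. The check deliberately compares record targets by exact FQDN, so a DC registered under a short or differently cased name shows up as missing rather than silently matching.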