[Samba] DNS Updates after upgrade [SOLVED]
L.P.H. van Belle
belle at bazuin.nl
Fri Jul 3 07:51:53 UTC 2020
Hi Christian,
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Naumer via samba
> Sent: Thursday, 2 July 2020 9:46
> To: samba at lists.samba.org
> Subject: Re: [Samba] DNS Updates after upgrade [SOLVED]
>
> Hello all,
> to answer this question myself. The Problem was in front of
> the computer...
That's one big problem we all face ;-)
>
> While copying the commands from my notes I missed one line of the
> firewall configuration. So port 53/tcp was still blocked.
>
> So I learned that DNS still works as this is UDP, which was not blocked.
> Also local updates by samba_dnsupdate work as the firewall does not play
> a role there.
> But my other questions are still open:
> But my other questions are still open:
>
>
> On 29.06.20 at 12:31, Christian Naumer via samba wrote:
> > So here are my questions:
> >
> > -- On two of the new joins I did, the KCC objects appeared only after
> > running samba_kcc. Is this normal or should I have waited a bit longer?
Yes, it's normal. I just reboot my DCs with a 5 min wait between them
so it has a chance to replicate. Stop/start should also help, but I prefer a reboot.
> >
> > -- Do any of you manually add NS records for all DCs into all your zones
> > (specifically the reverse zones) or should this be done by samba?
I did add them manually, but that was in 4.4-4.6 when I did that.
Verifying the NS and PTR entries is always good; not everything is added by Samba.
But again, I need an update on this, which I'm going to do soon now.
> >
> > -- Is the file "/var/lib/samba/bind-dns/named.conf.update.static" still
> > needed? I needed this to get DNS updates from the clients working with
> > Samba 4.4 (the current version when this domain was provisioned). I
> > moved it from the private dir to the bind-dns dir. But named.conf.update
> > does not get created (on all DCs).
Hm, good one. If I look into that file, I also still have them; I only make sure
the server's needed users have the needed rights by policy.
I would keep it, but maybe Rowland has a better answer here.
>
> > Here are the relevant configs:
Config looks fine.
Greetz,
Louis
> >
> > ---smb.conf---
> > [global]
> > netbios name = DC1
> > realm = AD.DOMAIN.DE
> > server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> > winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = DOMAIN-02
> > log level = 1 auth_audit:4 dsdb_password_audit:5
> > dsdb_transaction_audit:5 dsdb_group_audit:5
> > #log level = 10
> > logging =syslog
> > server role = active directory domain controller
> > dns zone scavenging = yes
> > prefork children = 8
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > template homedir = /home/%U
> > #ntlm auth = yes
> > ntlm auth = mschapv2-and-ntlmv2-only
> > disable netbios = yes
> > smb ports = 445
> > server min protocol = SMB2
> > client min protocol = SMB2
> > tls enabled = yes
> > tls keyfile = tls/server_de.key
> > tls certfile = tls/server.pem
> > tls cafile = tls/ca.pem
> > kerberos method = secrets and keytab
> > dedicated keytab file = /etc/krb5.keytab
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/AD.DOMAIN.de/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> >
> > ----/etc/named.conf------
> > # Global BIND configuration options
> > include "/var/lib/samba/bind-dns/named.conf";
> > options {
> > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> > minimal-responses yes;
> > auth-nxdomain yes;
> > directory "/var/named";
> > notify no;
> > empty-zones-enable no;
> >
> > allow-query {
> > 127.0.0.1;
> > 10.0.8.0/24;
> > # add other networks you want to allow to query your DNS
> > };
> >
> > allow-recursion {
> > 10.0.8.0/24;
> > # add other networks you want to allow to do recursive queries
> > };
> >
> > forwarders {
> > # Google public DNS server here - replace with your own if necessary
> > 8.8.8.8;
> > };
> >
> > allow-transfer {
> > # this config is for a single master DNS server
> > none;
> > };
> >
> > };
> > # Root servers (required zone for recursive queries)
> > zone "." {
> > type hint;
> > file "named.root";
> > };
> >
> > # Required localhost forward-/reverse zones
> > zone "localhost" {
> > type master;
> > file "master/localhost.zone";
> > };
> >
> > zone "0.0.127.in-addr.arpa" {
> > type master;
> > file "master/0.0.127.zone";
> > };
> >
> > ---/var/lib/samba/bind-dns/named.conf---
> > dlz "AD DNS Zone" {
> > # For BIND 9.8.x
> > # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
> >
> > # For BIND 9.9.x
> > # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
> >
> > # For BIND 9.10.x
> > # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
> >
> > # For BIND 9.11.x
> > database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so";
> > # For BIND 9.12.x
> > # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_12.so";
> > };
> >
> >
> > ---/etc/krb5.conf---
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = AD.DOMAIN.DE
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > forwardable = true
> >
> >
> > Thanks for any help!
> >
> > Regards
> >
> > Christian
> >
> >
> > --
> >
>
> --
> Dr. Christian Naumer
> Unit Head Bioprocess Development
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> fon +49-6251-9331-30 / fax +49-6251-9331-11
>
> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> Registergericht AG Darmstadt, HRB 24758
> Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
> Manfred Bender, Ludger Roedder
> Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
>
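The root cause in this thread, a DC that answers DNS over UDP while 53/tcp is blocked, is easy to miss precisely because ordinary lookups keep working. The script below is an added example, not code from the thread or from the Samba project: it sends the same query to a server over UDP and over TCP using only the Python standard library and reports the RCODE seen on each transport, so a DC whose TCP side is firewalled shows up as "udp: NOERROR, tcp: no response". The name dc1.ad.domain.de and the in-process fake responder are stand-ins so the script runs offline; against real DCs you would call probe() with each DC's address and port 53, and with qtype=2 and the forward or reverse zone name to confirm every DC at least answers the NS question both ways (checking which NS and PTR records are actually present is still a job for samba-tool dns query or dig).

```python
"""Probe a DNS server over UDP and TCP with the same query. Added example, not
code from the thread or from Samba; dc1.ad.domain.de and the in-process fake
responder are stand-ins so it runs offline. Point probe() at a real DC."""
import random
import socket
import struct
import threading

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, txid=None):
    """Minimal standard query, RD=1, QCLASS IN (qtype 1=A, 2=NS, 12=PTR)."""
    txid = random.randrange(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode() for lab in name.rstrip(".").split(".") if lab]
    return header + b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00" + struct.pack("!HH", qtype, 1)

def rcode(resp, expected_txid):
    """Name of the RCODE in a reply; rejects short replies and mismatched IDs."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags = struct.unpack("!HH", resp[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return RCODES.get(flags & 0xF, str(flags & 0xF))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed the stream")
        buf += chunk
    return buf

def query_udp(server, port, msg, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, port))
        try:
            return s.recv(4096)
        except OSError:  # timeout, or ICMP port-unreachable
            return None

def query_tcp(server, port, msg, timeout=2.0):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(msg)) + msg)
            return _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
    except OSError:  # refused (closed port) or timeout (what a DROP rule looks like)
        return None

def probe(server, name, port=53, qtype=1):
    """Same question both ways. {'udp': 'NOERROR', 'tcp': 'no response'} is a DC
    whose 53/tcp is firewalled; the working UDP answer is what hides it."""
    result = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        txid = random.randrange(1 << 16)
        resp = fn(server, port, build_query(name, qtype, txid))
        result[proto] = "no response" if resp is None else rcode(resp, txid)
    return result

def start_fake_dns(tcp=True):
    """Constructed stand-in for a DC on 127.0.0.1: answers one query per protocol with an
    empty NOERROR reply. tcp=False leaves the TCP port closed (the missed firewall line)."""
    def reply(msg):
        txid, _flags, qd = struct.unpack("!HHH", msg[:6])
        return struct.pack("!HHHHHH", txid, 0x8180, qd, 0, 0, 0) + msg[12:]
    def one_udp(sock):
        with sock:
            msg, peer = sock.recvfrom(4096)
            sock.sendto(reply(msg), peer)
    def one_tcp(sock):
        with sock, sock.accept()[0] as conn:
            out = reply(_recv_exact(conn, struct.unpack("!H", _recv_exact(conn, 2))[0]))
            conn.sendall(struct.pack("!H", len(out)) + out)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    port = udp.getsockname()[1]
    threading.Thread(target=one_udp, args=(udp,), daemon=True).start()
    if tcp:
        lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        lst.bind(("127.0.0.1", port))  # same number on TCP; assumed free on loopback
        lst.listen()
        threading.Thread(target=one_tcp, args=(lst,), daemon=True).start()
    return port

if __name__ == "__main__":
    for tcp_open in (True, False):
        print("53/tcp open" if tcp_open else "53/tcp shut", probe("127.0.0.1", "dc1.ad.domain.de", start_fake_dns(tcp_open)))
```

The one-liner equivalent on a box that has dig is `dig +tcp @dc1 ad.domain.de NS` next to the same query without `+tcp`. TCP is not optional for a DC: resolvers fall back to it whenever a UDP answer comes back truncated (TC bit set), zone transfers run over it, and RFC 7766 makes TCP support mandatory for DNS servers, so a firewall rule that only opens 53/udp will pass casual testing and still break the clients that need the larger exchanges.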