[Samba] Changing IP Scope on a Samba DC

Rowland penny rpenny at samba.org
Sat Sep 5 08:01:33 UTC 2020


On 05/09/2020 07:46, Peter Pollock wrote:
> I FINALLY DID IT!!!!!
>
> After following Louis van Belle's walk-through to create a new DC, and 
> having problems at the end, I realized there was nothing in the walk 
> through about modifying /var/lib/samba/bind-dns/named.conf to let 
> Samba know the Bind version so I did that and Voila!
>
> We have name resolution, can create kerberos tickets, just 
> successfully connected a windows workstation to the domain and seem to 
> be rocking and rolling!
>
> Thank you for all your help everyone. Especially Rowland. I have a 
> long way to go this weekend, but this is a good start!
>
> On Fri, Sep 4, 2020 at 10:02 PM Peter Pollock 
> <peter.pollock at kingschristian.org 
> <mailto:peter.pollock at kingschristian.org>> wrote:
>
>     OK.. after school ended today, I poked around and found nothing so
>     I started all over again. Followed Louis' instructions at
>     https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
>     all the way through but at the end, the resolver is not working -
>     and kinit cannot find a KDC (I'm guessing because the resolver is
>     not working!)
>
>     This is the only server on the network and has an IP address of
>     192.168.4.5 (the gateway is at 192.168.4.1)
>
>     "Service named status" gives me:
>
>     ● named.service - BIND Domain Name Server
>          Loaded: loaded (/lib/systemd/system/named.service; enabled;
>     vendor preset: enabled)
>          Active: active (running) since Fri 2020-09-04 21:41:41 PDT;
>     10min ago
>            Docs: man:named(8)
>        Main PID: 528 (named)
>           Tasks: 14 (limit: 2282)
>          Memory: 61.9M
>          CGroup: /system.slice/named.service
>                  └─528 /usr/sbin/named -f -u bind
>
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving
>     'kcs/DS/IN': 2001:500:2d::d#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving
>     'kcs/DS/IN': 2001:500:1::53#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving
>     'kcs/DS/IN': 2001:500:9f::42#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving
>     'kcs/DS/IN': 2001:503:ba3e::2:30#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving
>     'kcs/DS/IN': 2001:500:a8::e#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving
>     'kcs/DS/IN': 2001:500:200::b#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving
>     'kcs/DS/IN': 2001:500:2f::f#53
>     Sep 04 21:52:22 dc01 named[528]: network unreachable resolving
>     'kcs/DS/IN': 2001:503:c27::2:30#53
>     Sep 04 21:52:22 dc01 named[528]: broken trust chain resolving
>     'dc01.internal.kcs/A/IN': 8.8.8.8#53
>     Sep 04 21:52:22 dc01 named[528]: broken trust chain resolving
>     '_ldap._tcp.dc01.internal.kcs/SRV/IN': 8.8.8.8#53
>
>     I do not know where to start.
>
>     I took copious notes as I followed Louis' walkthrough, which I'll
>     send if they interest you, but it's many pages!
>
>
>
>     On Fri, Sep 4, 2020 at 7:20 AM Rowland penny <rpenny at samba.org
>     <mailto:rpenny at samba.org>> wrote:
>
>         On 04/09/2020 15:05, Peter Pollock wrote:
>         > This is brand new. Created following Louis' instructions
>         (although in
>         > my install of Ubuntu 20.04, it gets a little tricky with
>         installing
>         > packages because it claims one or more don't exist after
>         adding Louis'
>         > repository and doing an apt update).
>         Please don't do that, say something doesn't exist without
>         telling us
>         what 'something' is ;-)
>         >
>         > Totally separate network from my Zentyal installs, on a ProxMox
>         > virtual server, if that makes any difference.
>         No, good idea really, it doesn't matter if it is separate, it
>         allows you
>         to destroy it easily if need be.
>         >
>         > I know the admin password, I just removed it from this
>         email, I just
>         > cannot figure out why I can't initiate a kticket.
>         OK, if you know the password, no need to start again, but
>         kinit should
>         work. Did you check if the first nameserver in
>         /etc/resolv.conf is the
>         DC's IP ? did you run the kinit command as root and like this
>         'kinit
>         Administrator' ?
>         >
>         > I can wipe it and start again, that's not a problem at all.
>         I was just
>         > so close...
>
>         No, there is no need, it was just the lack of the
>         Administrator password
>         that was throwing me ;-)
>
>         Rowland
>
>
Isn't it great when it all works :-)

I installed a DC on 20.04 server, to see if there was a problem.

I removed snaps and cloud-init.

I also used Louis's repo to get 4.12.6

I followed Louis's 18.04 howto to a certain extent (one thing I didn't 
do was to create the ntp_signd dir, Samba does that for you)

Everything seemed to work until it came to resolving; it didn't!!

I traced this down to two things: one was that the Samba named conf wasn't 
set (it doesn't know about Bind 9.16), and the other was /etc/hosts. Even 
though the install (when setting a fixed IP) asks you for the dns domain 
name, it doesn't put it into /etc/hosts. If you examine /etc/hosts, you 
will find this:

127.0.1.1 <dc_short_hostname>

When it should be:

127.0.1.1 <dc_fqdn> <dc_short_hostname>

Once these were fixed, everything now works.

Rowland
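As an added example (not part of this thread, Samba, or Louis's howto): a small POSIX shell script that checks the three things the thread turned on before you reach for kinit: that exactly one dlz_bind9 module line is uncommented in Samba's bind-dns/named.conf and that it matches the installed BIND major.minor, that the DC's short hostname shares an /etc/hosts line with an FQDN, and that the first nameserver in /etc/resolv.conf is the DC's own IP. The sample files it writes are constructed for offline use; the module directory /usr/lib/x86_64-linux-gnu/samba/bind9/ in them is an assumed Debian-style path, and the version-to-module mapping (dlz_bind9.so for 9.8, dlz_bind9_<minor>.so otherwise) is an assumption about Samba's module naming, not something the post states.

```shell
#!/bin/sh
# Added example, not from the list post. Sanity checks for the two things
# Rowland traced the resolver failure to, plus the resolv.conf precondition.

# Print the dlz_bind9*.so module(s) left uncommented in Samba's named.conf.
# Comments are stripped first, so only an active "database" line counts.
enabled_dlz_modules() {
    sed 's/#.*$//' "$1" | grep -o 'dlz_bind9[_0-9]*\.so' || :
}

# Map the output of 'named -v' (e.g. "BIND 9.16.1-Ubuntu ...") to the
# module Samba ships for that release. ASSUMPTION: 9.8 -> dlz_bind9.so,
# every later release -> dlz_bind9_<minor>.so.
expected_dlz_module() {
    ver=$(printf '%s\n' "$1" | grep -o '9\.[0-9]*' | head -n 1)
    minor=${ver#9.}
    if [ "$minor" = "8" ]; then
        echo dlz_bind9.so
    else
        echo "dlz_bind9_${minor}.so"
    fi
}

# True only when exactly one module is enabled and it is the expected one.
dlz_conf_ok() {
    mods=$(enabled_dlz_modules "$1")
    want=$(expected_dlz_module "$2")
    [ "$mods" = "$want" ]
}

# Print the FQDN (a name containing a dot) that shares a hosts line with
# the short hostname $2; print nothing if the line only has the short name.
hosts_fqdn_for() {
    awk -v h="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == h) found = 1
            if (!found) next
            for (i = 2; i <= NF; i++) if (index($i, ".") > 0) { print $i; exit }
        }' "$1"
}

# First nameserver listed in a resolv.conf; on a DC this must be its own IP.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Constructed sample inputs (not real files from the thread), written to $1.
write_samples() {
    d=$1
    # As provisioned: every module line commented out, so named never loads DLZ.
    cat > "$d/named.conf.unset" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
    # For BIND 9.16.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};
EOF
    # Same file with the 9.16 line uncommented, which is what 20.04 needs.
    sed 's|^    # database \(.*dlz_bind9_16.so.*\)|    database \1|' \
        "$d/named.conf.unset" > "$d/named.conf.fixed"
    printf '127.0.0.1 localhost\n127.0.1.1 dc01\n' > "$d/hosts.bad"
    printf '127.0.0.1 localhost\n127.0.1.1 dc01.internal.kcs dc01\n' > "$d/hosts.good"
    printf 'nameserver 192.168.4.5\nsearch internal.kcs\n' > "$d/resolv.conf"
}

# Demo on the samples. On a real DC use /var/lib/samba/bind-dns/named.conf,
# /etc/hosts, /etc/resolv.conf, and pass "$(named -v)" to dlz_conf_ok.
demo=$(mktemp -d)
write_samples "$demo"
for f in named.conf.unset named.conf.fixed; do
    if dlz_conf_ok "$demo/$f" "BIND 9.16.1-Ubuntu"; then
        echo "$f: enabled dlz module matches BIND 9.16"
    else
        echo "$f: enabled modules [$(enabled_dlz_modules "$demo/$f" | tr '\n' ' ')]" \
             "do not match $(expected_dlz_module 'BIND 9.16.1-Ubuntu')"
    fi
done
for h in hosts.bad hosts.good; do
    fqdn=$(hosts_fqdn_for "$demo/$h" dc01)
    echo "$h: ${fqdn:-NO FQDN on the dc01 line}"
done
echo "first nameserver: $(first_nameserver "$demo/resolv.conf")"
rm -rf "$demo"
```

If first_nameserver returns 127.0.0.53 on a real 20.04 box, /etc/resolv.conf is still the systemd-resolved stub and the DC is not asking itself; that needs fixing before any kinit result means anything.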
