[Samba] How to Properly Configure Samba's Internal DNS
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 1 08:39:08 UTC 2021
As long as I don't see the debug output of the script,
I and Rowland (and others) are having a hard time helping out here.
The debug script I made does show us almost all we need.
Now, what you can do with it:
run it on all your AD DCs and find the differences.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
If you post the output to the list, don't attach the files, and anonymize it where needed.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco
> Shmerykowsky via samba
> Sent: Sunday, 31 January 2021 4:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to Properly Configure Samba's Internal DNS
>
> On 2021-01-30 6:33 pm, Marco Shmerykowsky via samba wrote:
> > On 2021-01-30 11:09 am, Rowland penny via samba wrote:
> >> On 30/01/2021 16:03, Marco Shmerykowsky via samba wrote:
> >>>
> >>> On 2021-01-30 10:59 am, Rowland penny via samba wrote:
> >>>> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
> >>>>>
> >>>>> On 2021-01-30 10:35 am, Rowland penny via samba wrote:
> >>>>>> On 30/01/2021 15:19, Marco Shmerykowsky via samba wrote:
> >>>>>>> On 2021-01-30 9:31 am, Rowland penny via samba wrote:
> >>>>>>>> On 30/01/2021 13:48, Marco Shmerykowsky via samba wrote:
> >>>>>>>>> I have what I thought was a working Samba4 AD setup.
> >>>>>>>>> However, in trying to troubleshoot a user's issues while
> >>>>>>>>> connecting via a VPN, I began to question if DNS
> >>>>>>>>> is properly set up.
> >>>>>>>>>
> >>>>>>>>> Each linux server has the following entries in
> >>>>>>>>> resolv.conf:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> What do you mean by 'linux server' ? are you referring to a Unix
> >>>>>>>> domain
> >>>>>>>> member or a Samba AD DC ?
> >>>>>>>
> >>>>>>> Two Samba AD DC's
> >>>>>>> Two Samba Domain Member Servers
> >>>>>>>
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>> search ad-domain.company.com
> >>>>>>>>> nameserver ip-of-FSMO-server
> >>>>>>>>
> >>>>>>>> I would list all Samba AD DC's on the Unix domain members and
> >>>>>>>> set each
> >>>>>>>> DC to use itself.
> >>>>>>>
> >>>>>>> I'll make the change and see what results
> >>>>>>>
> >>>>>>>>>
> >>>>>>>>> Each linux server has a hosts file with an entry:
> >>>>>>>>>
> >>>>>>>>> unique-ip-address machine#.ad-domain.company.com machine#
> >>>>>>>>>
> >>>>>>>>> However, if I do nslookup -> set type=SRV ->
> >>>>>>>>> _ldap._tcp.ad-domain.company.com.
> >>>>>>>>>
> >>>>>>>>> instead of getting the results shown here:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Resolving_SRV_Records
> >>>>>>>>> I get:
> >>>>>>>>>
> >>>>>>>>> Server: ip-of-FSMO-server
> >>>>>>>>> Address: ip-of-FSMO-server#53
> >>>>>>>>>
> >>>>>>>>> _ldap._tcp.ad-domain.company.com service = 0 100 389
> >>>>>>>>> machine1.ad-domain.company.com.
> >>>>>>>>> _ldap._tcp.ad-domain.company.com service = 0 100 389
> >>>>>>>>> machine1.ad-domain.company.com.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I get something similar, only my difference is that mine lists
> >>>>>>>> both of
> >>>>>>>> my DC's, yours should list all your DC's
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Further, if I try pinging hostnames on the FSMO-server, I only
> >>>>>>>>> get positive
> >>>>>>>>> results on 3 of 4 of my servers:
> >>>>>>>>>
> >>>>>>>>> ping ad-domain.company.com -> success
> >>>>>>>>>
> >>>>>>>>> ping machine1.ad-domain.company.com -> success
> >>>>>>>>> ping machine2.ad-domain.company.com -> success
> >>>>>>>>> ping machine3.ad-domain.company.com -> success
> >>>>>>>>> ping machine4 -> fails with unknown host
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> They should all work, you seem to have dns problems.
> >>>>>>>
> >>>>>>> Agreed. I never noticed it because GPO's and Drive Shares have
> >>>>>>> been working well for two years. I just noticed something was
> >>>>>>> amiss when we deployed a VPN.
> >>>>>>>
> >>>>>>> DNS is being provided by Samba. How should I troubleshoot this?
> >>>>>>>
> >>>>>>>>
> >>>>>>>> Rowland
> >>>>>>>
> >>>>>> are you using Bind9 ?
> >>>>>>
> >>>>>> if so, it could be the dns.keytab problem (it isn't created in the
> >>>>>> bind-dns dir when you join a DC)
> >>>>>
> >>>>> No. SAMBA_INTERNAL
> >>>>>
> >>>> Pity, it's easy to fix bind9 ????
> >>>
> >>> Should I switch?
> >>
> >>
> >> Entirely up to you, do you need Bind9 ?
> >
> > I do not have the expertise to say. However, I have a simple network
> > with 2 Samba AD's, 3 or 4 domain member file servers, about
> > 24 windows10 desktops and a Covid-VPN - I'd imagine SAMBA_INTERNAL
> > is good enough.
> >
> >>
> >>
> >>>
> >>>> You will just have to double check everything ????
> >>>
> >>> Other than hostname, hosts and resolv.conf, what should I check?
> >>>
> >> The actual records in AD, are they all there for each DC ?
> >>
> >> Does a forward & reverse record exist for all computers in AD ?
> >>
> >> Is replication working correctly ?
> >
> > I believe so. I get the following on both servers:
> >
> > 'dig ad-domain.company.com NS +short' returns:
> >
> > AD1.ad-domain.company.com.
> > AD2.ad-domain.company.com.
> >
> > 'dig ad-domain.company.com NS +short' returns:
> >
> > 192.168.1.1
> > 192.168.1.2
> >
> > 'nslookup AD1.ad-domain.company.com' returns
> >
> > Server: 192.168.1.1
> > Address: 192.168.1.1#53
> >
> > Name: AD1.ad-domain.company.com
> > Address: 192.168.1.1
> >
> > 'nslookup AD2.ad-domain.company.com' returns
> > Server: 192.168.1.1
> > Address: 192.168.1.1#53
> >
> > Name: AD2.ad-domain.company.com
> > Address: 192.168.1.2
> >
> > 'samba-tool dns zonelist ad-domain.company.com -Uadministrator' returns
> >
> > pszZoneName : ad-domain.company.com
> > Flags : DNS_RPC_ZONE_DSINTEGRATED
> > DNS_RPC_ZONE_UPDATE_SECURE
> > ZoneType : DNS_ZONE_TYPE_PRIMARY
> > Version : 50
> > dwDpFlags : DNS_DP_AUTOCREATED
> > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> > pszDpFqdn : DomainDnsZones.ad-domain.company.com
> >
> > pszZoneName : 1.168.192.in-addr.arpa
> > Flags : DNS_RPC_ZONE_DSINTEGRATED
> > DNS_RPC_ZONE_UPDATE_SECURE
> > ZoneType : DNS_ZONE_TYPE_PRIMARY
> > Version : 50
> > dwDpFlags : DNS_DP_AUTOCREATED
> > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> > pszDpFqdn : DomainDnsZones.ad-domain.company.com
> >
> > pszZoneName : _msdcs.ad-domain.company.com
> > Flags : DNS_RPC_ZONE_DSINTEGRATED
> > DNS_RPC_ZONE_UPDATE_SECURE
> > ZoneType : DNS_ZONE_TYPE_PRIMARY
> > Version : 50
> > dwDpFlags : DNS_DP_AUTOCREATED
> > DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> > pszDpFqdn : ForestDnsZones.ad-domain.company.com
> >
> > 'nslookup 192.168.1.1' returns:
> >
> > 1.1.168.192.in-addr.arpa name = AD1.ad-domain.company.com
> >
> > 'nslookup 192.168.1.2' returns:
> >
> > 2.1.168.192.in-addr.arpa name = AD2.ad-domain.company.com
> >
> > In addition, during the course of checking all this I made the
> > following changes:
> > * Found Bind running on one AD. Disabled it. I'm hoping this was the
> > cause
> > of the problem for the VPN user. Not sure how it was installed in the
> > first place
> > * removed 'resolvconf' on the domain member servers
> > * removed/deactivated 'avahi-daemon' on the AD's and members servers
> >
> > I'm using NetworkManager to manage the interface settings. Other than
> > one machine losing the settings on reboot, all the correct settings
> > appear to be there and reflected in resolv.conf
> >
> > I still have the issue that the hostname for the machine running
> > the 32-bit version of buster can not be resolved.
> >
> > 'nslookup 32bit-buster-machine' returns:
> >
> > Server: 192.168.1.1
> > Address: 192.168.1.1#53
> >
> > Non-authoritative answer:
> > *** Can't find 32bit-buster-machine: No answer
>
> manually added an A record for '32bit-buster-machine'. Seems to have
> taken care of that issue.
>
> >
> >>
> >> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
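The thread boils down to a handful of DNS consistency checks: the _ldap._tcp SRV answer must list every DC exactly once, forward and reverse records must agree, and the same queries should return the same answers on every DC. The following POSIX sh script is an added example, not Louis's debug script or anything from the Samba project. Its names, addresses and the sample dig output are constructed from the placeholders in the thread (ad-domain.company.com, AD1/AD2 at 192.168.1.1/.2); the check functions work on captured `dig +short` text so they can be tested offline, and only `collect_srv_live` touches the network.

```sh
#!/bin/sh
# Added example (not from the thread): offline-checkable versions of the DNS
# sanity checks discussed above. Domain, DC names and addresses are constructed
# from the thread's placeholders.

DOMAIN="ad-domain.company.com"
DCS="ad1.ad-domain.company.com ad2.ad-domain.company.com"

# Lower-case the targets in `dig +short SRV` output and drop the trailing dot,
# so answers from different DCs compare equal regardless of case or order.
# dig +short prints one "<priority> <weight> <port> <target>." line per record.
normalize_srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { t = tolower($4); sub(/\.$/, "", t); print t }' | sort
}

# 0 if every DC named in $2.. appears as a target in the SRV answer $1, else 1.
# Rowland's point: the _ldap._tcp answer should list all DCs, not just one.
srv_lists_all_dcs() {
    _answer=$1; shift
    _targets=$(normalize_srv_targets "$_answer")
    for _dc in "$@"; do
        printf '%s\n' "$_targets" | grep -Fxq "$(printf '%s' "$_dc" | tr 'A-Z' 'a-z')" || return 1
    done
    return 0
}

# Print SRV targets that occur more than once (the output quoted in the thread
# listed the same machine twice, which is worth investigating on its own).
srv_duplicate_targets() {
    normalize_srv_targets "$1" | uniq -d
}

# 0 if two DCs return the same SRV record set (ignoring order and case), else 1.
# Louis's advice is to run the same checks on every DC and diff the results.
srv_answers_match() {
    [ "$(normalize_srv_targets "$1")" = "$(normalize_srv_targets "$2")" ]
}

# 0 if a reverse (PTR) answer from `dig +short -x <ip>` names the expected host,
# case-insensitively and with or without the trailing dot. This is the reverse
# half of Rowland's "forward & reverse record for all computers" question.
ptr_names_host() {  # $1 = dig +short -x output, $2 = expected FQDN
    _ptr=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ "$_ptr" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Live collector (needs dig and network access); not run by default.
# Point it at each DC in turn and feed the outputs to srv_answers_match.
collect_srv_live() {  # $1 = nameserver IP
    dig +short @"$1" -t SRV "_ldap._tcp.$DOMAIN"
}

# Constructed sample answers, modelled on the outputs quoted in the thread.
GOOD_ANSWER='0 100 389 AD1.ad-domain.company.com.
0 100 389 ad2.ad-domain.company.com.'
BAD_ANSWER='0 100 389 machine1.ad-domain.company.com.
0 100 389 machine1.ad-domain.company.com.'

demo() {
    if srv_lists_all_dcs "$GOOD_ANSWER" $DCS; then echo "good answer lists all DCs"; fi
    if ! srv_lists_all_dcs "$BAD_ANSWER" $DCS; then echo "bad answer is missing a DC"; fi
    echo "duplicate targets in bad answer: $(srv_duplicate_targets "$BAD_ANSWER")"
    if ! srv_answers_match "$GOOD_ANSWER" "$BAD_ANSWER"; then echo "the two answers differ"; fi
    if ptr_names_host "AD1.ad-domain.company.com." "ad1.$DOMAIN"; then echo "PTR for 192.168.1.1 matches"; fi
}
demo
```

To use it against a real domain, capture `collect_srv_live 192.168.1.1` and `collect_srv_live 192.168.1.2` into variables and pass them to `srv_answers_match`; a mismatch points at the DC whose records differ, which is the "find the differences" step in Louis's advice.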