[Samba] How to Properly Configure Samba's Internal DNS
Marco Shmerykowsky
marco at sce-engineers.com
Mon Feb 1 15:33:30 UTC 2021
On 2/1/2021 3:39 AM, L.P.H. van Belle via samba wrote:
> As long as I don't see the debug output of the script,
> I and Rowland (and others) are having a hard time to help out here.
>
> The debug script I made does show us almost all we need.
> Now what you can do with it.
>
> Run it on all your AD-DCs and find the differences.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> If you post the output to the list, don't attach the files and anonymize it where needed.
>
For the sake of double checking everything again, here is
the anonymized output of one server. Both servers produce
the same output with the exception of the IP addresses.
Only other exception is these two lines in nsswitch.conf

passwd: compat winbind systemd
group: compat winbind systemd

winbind is only listed on one of the servers:

Output of samba-debug-info:

Collected config --- 2021-02-01-09:14 -----------
Hostname: server1
DNS Domain: ad-domain.company.com
FQDN: server1.ad-domain.company.com
ipaddress: 192.168.1.1
-----------
Kerberos SRV _kerberos._tcp.ad-domain.company.com record verified ok, sample output:
Server: 192.168.1.1
Address: 192.168.1.1#53
_kerberos._tcp.ad-domain.company.com service = 0 100 88 server1.ad-domain.company.com.
_kerberos._tcp.ad-domain.company.com service = 0 100 88 server2.ad-domain.company.com.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.7 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 70:85:c2:4d:b4:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute enp1s0
    inet6 fe80::7285:c2ff:fe4d:b4bb/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
192.168.1.1 server1.ad-domain.company.com server1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
search ad-domain.company.com
nameserver 192.168.1.1
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = ad-domain.company.com
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind systemd
group: compat winbind systemd
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = server1
realm = ad-domain.company.com
workgroup = AD-DOMAIN
dns forwarder = 4.2.2.2
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
# ldap server require strong auth = no
log level = 3
[netlogon]
path = /var/lib/samba/sysvol/ad-domain.company.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii  acl                               2.2.53-4                  amd64  access control list - utilities
ii  attr                              1:2.4.48-4                amd64  utilities for manipulating filesystem extended attributes
ii  fonts-quicksand                   0.2016-2                  all    sans-serif font with round attributes
ii  krb5-config                       2.6                       all    Configuration files for Kerberos Version 5
ii  krb5-locales                      1.17-3+deb10u1            all    internationalization support for MIT Kerberos
ii  krb5-user                         1.17-3+deb10u1            amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                     2.2.53-4                  amd64  access control list - shared library
ii  libattr1:amd64                    1:2.4.48-4                amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64            1.17-3+deb10u1            amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                   1.17-3+deb10u1            amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64             1.17-3+deb10u1            amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64              2:4.13.2+dfsg-0.1buster1  amd64  Samba nameservice integration plugins
ii  libpam-krb5:amd64                 4.8-2+deb10u1             amd64  PAM module for MIT Kerberos
ii  libpam-winbind:amd64              2:4.13.2+dfsg-0.1buster1  amd64  Windows domain authentication integration plugin
ii  libwbclient0:amd64                2:4.13.2+dfsg-0.1buster1  amd64  Samba winbind client library
ii  python3-samba                     2:4.13.2+dfsg-0.1buster1  amd64  Python 3 bindings for Samba
ii  samba                             2:4.13.2+dfsg-0.1buster1  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:4.13.2+dfsg-0.1buster1  all    common files used by both the Samba server and client
ii  samba-common-bin                  2:4.13.2+dfsg-0.1buster1  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64          2:4.13.2+dfsg-0.1buster1  amd64  Samba Directory Services Database
ii  samba-libs:amd64                  2:4.13.2+dfsg-0.1buster1  amd64  Samba core libraries
ii  samba-vfs-modules:amd64           2:4.13.2+dfsg-0.1buster1  amd64  Samba Virtual FileSystem plugins
ii  spice-client-glib-usb-acl-helper  0.35-2                    amd64  Helper tool to validate usb ACLs
ii  winbind                           2:4.13.2+dfsg-0.1buster1  amd64  service to resolve user and group information from Windows NT servers
-----------