[Samba] How to Properly Configure Samba's Internal DNS

Marco Shmerykowsky marco at sce-engineers.com
Mon Feb 1 15:33:30 UTC 2021

On 2/1/2021 3:39 AM, L.P.H. van Belle via samba wrote:
> As long as I don't see the debug output of the script,
> I and Rowland (and others) are having a hard time to help out here.
> The debug script I made does show us almost all we need.
> Now what you can do with it.
> Run it on all your AD DCs and find the differences.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> If you post the output to the list, don't attach the files and anonymize it where needed.

For the sake of double checking everything again, here is
the anonymized output of one server.  Both servers produce
the same output with the exception of the IP addresses.

Only other exception is these two lines in nsswitch.conf

passwd:         compat winbind systemd
group:          compat winbind systemd

winbind is only listed on one of the servers.

Output of samba-debug-info:

Collected config  --- 2021-02-01-09:14 -----------

Hostname: server1
DNS Domain: ad-domain.company.com
FQDN: server1.ad-domain.company.com


Kerberos SRV _kerberos._tcp.ad-domain.company.com record verified ok, sample output:

_kerberos._tcp.ad-domain.company.com   service = 0 100 88 
_kerberos._tcp.ad-domain.company.com   service = 0 100 88 
Samba is running as an AD DC

        Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION="10 (buster)"


This computer is running Debian 10.7 x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet scope host lo
     inet6 ::1/128 scope host
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether 70:85:c2:4d:b4:bb brd ff:ff:ff:ff:ff:ff
     inet brd scope global noprefixroute enp1s0
     inet6 fe80::7285:c2ff:fe4d:b4bb/64 scope link

        Checking file: /etc/hosts

localhost
server1.ad-domain.company.com   server1
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


        Checking file: /etc/resolv.conf

# Generated by NetworkManager
search ad-domain.company.com


        Checking file: /etc/krb5.conf

         default_realm = ad-domain.company.com
         dns_lookup_realm = false
         dns_lookup_kdc = true


        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


        Checking file: /etc/samba/smb.conf

# Global parameters
         netbios name = server1
         realm = ad-domain.company.com
         workgroup = AD-DOMAIN
         dns forwarder =
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes
#       ldap server require strong auth = no
         log level = 3

         path = /var/lib/samba/sysvol/ad-domain.company.com/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No


BIND_DLZ not detected in smb.conf


Installed packages:
ii  acl                                    2.2.53-4                  amd64        access control list - utilities
ii  attr                                   1:2.4.48-4                amd64        utilities for manipulating filesystem extended attributes
ii  fonts-quicksand                        0.2016-2                  all          sans-serif font with round attributes
ii  krb5-config                            2.6                       all          Configuration files for Kerberos Version 5
ii  krb5-locales                           1.17-3+deb10u1            all          internationalization support for MIT Kerberos
ii  krb5-user                              1.17-3+deb10u1            amd64        basic programs to authenticate using MIT
ii  libacl1:amd64                          2.2.53-4                  amd64        access control list - shared library
ii  libattr1:amd64                         1:2.4.48-4                amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64                 1.17-3+deb10u1            amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                        1.17-3+deb10u1            amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                  1.17-3+deb10u1            amd64        MIT Kerberos runtime libraries - Support
ii  libnss-winbind:amd64                   2:4.13.2+dfsg-0.1buster1  amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64                      4.8-2+deb10u1             amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64                   2:4.13.2+dfsg-0.1buster1  amd64        Windows domain authentication integration
ii  libwbclient0:amd64                     2:4.13.2+dfsg-0.1buster1  amd64        Samba winbind client library
ii  python3-samba                          2:4.13.2+dfsg-0.1buster1  amd64        Python 3 bindings for Samba
ii  samba                                  2:4.13.2+dfsg-0.1buster1  amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                           2:4.13.2+dfsg-0.1buster1  all          common files used by both the Samba server and client
ii  samba-common-bin                       2:4.13.2+dfsg-0.1buster1  amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64               2:4.13.2+dfsg-0.1buster1  amd64        Samba Directory Services Database
ii  samba-libs:amd64                       2:4.13.2+dfsg-0.1buster1  amd64        Samba core libraries
ii  samba-vfs-modules:amd64                2:4.13.2+dfsg-0.1buster1  amd64        Samba Virtual FileSystem plugins
ii  spice-client-glib-usb-acl-helper       0.35-2                    amd64        Helper tool to validate usb ACLs
ii  winbind                                2:4.13.2+dfsg-0.1buster1  amd64        service to resolve user and group information from Windows NT servers


