[Samba] How to Properly Configure Samba's Internal DNS
L.P.H. van Belle
belle at bazuin.nl
Tue Feb 2 08:05:56 UTC 2021
Hai,
Well, this looks great, Marco. The configs below look good; I only see a minor change you can make, purely for correctness: I would change the realm to CAPS in krb5.conf and smb.conf, and the netbios name to caps as well.
And yes, you need to add the PTR records if you want Kerberos to work, for example with CNAMEs in the DNS, or set rdns = no in krb5.conf.
And in contradiction to Rowland, I'm saying: by default Windows "does" register A and PTR if you use a dynamic DNS setup, at least for the clients.
I really advise adding at least the PTR records for the AD-DCs.
Also, more and more things need the correct setup, so that's what I do recommend.
Add the PTR records, at a minimum for all your servers.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Shmerykowsky via samba
> Sent: Monday 1 February 2021 16:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to Properly Configure Samba's Internal DNS
>
> On 2/1/2021 3:39 AM, L.P.H. van Belle via samba wrote:
> > As long as I don't see the debug output of the script,
> > I and Rowland (and others) are having a hard time helping out here.
> >
> > The debug script I made shows us almost all we need.
> > Now, what you can do with it:
> >
> > Run it on all your AD-DCs and find the differences.
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> >
> > If you post the output to the list, don't attach the files, and anonymize it where needed.
> >
>
> For the sake of double checking everything again, here is
> the anonymized output of one server. Both servers produce
> the same output with the exception of the IP addresses.
>
> The only other exception is these two lines in nsswitch.conf:
>
> passwd: compat winbind systemd
> group: compat winbind systemd
>
> winbind is only listed on one of the servers.
>
> Output of samba-debug-info:
>
> Collected config --- 2021-02-01-09:14 -----------
>
> Hostname: server1
> DNS Domain: ad-domain.company.com
> FQDN: server1.ad-domain.company.com
> ipaddress: 192.168.1.1
>
> -----------
>
> Kerberos SRV _kerberos._tcp.ad-domain.company.com record verified ok, sample output:
> Server: 192.168.1.1
> Address: 192.168.1.1#53
>
> _kerberos._tcp.ad-domain.company.com service = 0 100 88 server1.ad-domain.company.com.
> _kerberos._tcp.ad-domain.company.com service = 0 100 88 server2.ad-domain.company.com.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.7 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether 70:85:c2:4d:b4:bb brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute enp1s0
> inet6 fe80::7285:c2ff:fe4d:b4bb/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.1.1 server1.ad-domain.company.com server1
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by NetworkManager
> search ad-domain.company.com
> nameserver 192.168.1.1
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = ad-domain.company.com
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind systemd
> group: compat winbind systemd
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = server1
> realm = ad-domain.company.com
> workgroup = AD-DOMAIN
> dns forwarder = 4.2.2.2
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> # ldap server require strong auth = no
> log level = 3
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad-domain.company.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> -----------
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
> Installed packages:
> ii acl 2.2.53-4 amd64 access control list - utilities
> ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
> ii fonts-quicksand 0.2016-2 all sans-serif font with round attributes
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
> ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
> ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
> ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba nameservice integration plugins
> ii libpam-krb5:amd64 4.8-2+deb10u1 amd64 PAM module for MIT Kerberos
> ii libpam-winbind:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Windows domain authentication integration plugin
> ii libwbclient0:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba winbind client library
> ii python3-samba 2:4.13.2+dfsg-0.1buster1 amd64 Python 3 bindings for Samba
> ii samba 2:4.13.2+dfsg-0.1buster1 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.13.2+dfsg-0.1buster1 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.13.2+dfsg-0.1buster1 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba core libraries
> ii samba-vfs-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Virtual FileSystem plugins
> ii spice-client-glib-usb-acl-helper 0.35-2 amd64 Helper tool to validate usb ACLs
> ii winbind 2:4.13.2+dfsg-0.1buster1 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
>
>
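As an added example (not code from Louis, Marco or the Samba project), the checks Louis recommends in his reply turned into a small Python script: it parses the nslookup-style SRV answer that samba-collect-debug-info.sh prints, verifies for each KDC that the A record and the PTR record agree (which MIT Kerberos needs unless rdns is switched off in krb5.conf), and flags a realm that is not written in capitals. The sample zone data is constructed: the thread gives no address for server2, so 192.168.1.2 and its missing PTR are made up to show the failing case; the live_* resolvers use the system resolver when you point the check at a real DC.

```python
import re
import socket
from typing import Callable, List, Optional, Tuple
# One unwrapped nslookup SRV answer line, as samba-collect-debug-info.sh prints it.
SRV_LINE = re.compile(r"^_kerberos\._tcp\.\S+\s+service = \d+ \d+ (\d+) (\S+?)\.?$")
Lookup = Callable[[str], Optional[str]]  # name -> address (A) or address -> name (PTR)

def parse_kdcs(nslookup_output: str) -> List[Tuple[str, int]]:
    """Return (kdc_hostname, port) for every SRV answer in the debug output."""
    found = (SRV_LINE.match(line.strip()) for line in nslookup_output.splitlines())
    return [(m.group(2).lower(), int(m.group(1))) for m in found if m]

def krb5_rdns_enabled(krb5_conf: str) -> bool:
    """MIT krb5 reverse-resolves KDC addresses unless 'rdns = false' is set in [libdefaults]."""
    m = re.search(r"^\s*rdns\s*=\s*(\S+)", krb5_conf, re.MULTILINE | re.IGNORECASE)
    return m is None or m.group(1).lower() not in ("false", "no", "0")

def check_kdc(host: str, forward: Lookup, reverse: Lookup, rdns: bool) -> str:
    """Check that the KDC's A record and the PTR record for that address agree."""
    ip = forward(host)
    if ip is None:
        return f"FAIL {host}: no A record"
    ptr = reverse(ip)
    if ptr is None:  # fatal for Kerberos only while reverse lookups are enabled
        return f"{'FAIL' if rdns else 'WARN'} {host}: {ip} has no PTR record"
    if ptr.rstrip(".").lower() != host.lower():
        return f"FAIL {host}: PTR for {ip} is {ptr}, Kerberos would build the wrong principal"
    return f"OK {host}: A and PTR agree on {ip}"

def realm_is_upper(realm: str) -> bool:
    """Kerberos realms belong in capitals in both smb.conf and krb5.conf."""
    return realm == realm.upper()

def live_forward(host: str) -> Optional[str]:  # system-resolver A lookup for a real DC
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def live_reverse(ip: str) -> Optional[str]:  # system-resolver PTR lookup for a real DC
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

# Constructed sample: the thread's SRV answer unwrapped, a made-up 192.168.1.2 for server2, no PTR for server2.
SAMPLE_SRV = """_kerberos._tcp.ad-domain.company.com  service = 0 100 88 server1.ad-domain.company.com.
_kerberos._tcp.ad-domain.company.com  service = 0 100 88 server2.ad-domain.company.com."""
A_RECORDS = {"server1.ad-domain.company.com": "192.168.1.1", "server2.ad-domain.company.com": "192.168.1.2"}
PTR_RECORDS = {"192.168.1.1": "server1.ad-domain.company.com."}
```

Running `check_kdc(host, A_RECORDS.get, PTR_RECORDS.get, krb5_rdns_enabled(open("/etc/krb5.conf").read()))` for each host from `parse_kdcs` reports server1 as OK and server2 as FAIL; swapping in `live_forward`/`live_reverse` runs the same check against the real zone.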