[Samba] How to Properly Configure Samba's Internal DNS
Marco Shmerykowsky
marco at sce-engineers.com
Sat Jan 30 23:33:39 UTC 2021
---
Marco J. Shmerykowsky, P.E.
marco at sce-engineers.com
--------------------------------------------
Shmerykowsky Consulting Engineers
Structural Analysis & Design
102 West 38th Street, 2nd Floor
New York, New York 10018
Tel. (212)719-9700 Fax. (212)719-4822
http://www.sce-engineers.com
--------------------------------------------
On 2021-01-30 11:09 am, Rowland penny via samba wrote:
> On 30/01/2021 16:03, Marco Shmerykowsky via samba wrote:
>>
>> On 2021-01-30 10:59 am, Rowland penny via samba wrote:
>>> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
>>>>
>>>> On 2021-01-30 10:35 am, Rowland penny via samba wrote:
>>>>> On 30/01/2021 15:19, Marco Shmerykowsky via samba wrote:
>>>>>> On 2021-01-30 9:31 am, Rowland penny via samba wrote:
>>>>>>> On 30/01/2021 13:48, Marco Shmerykowsky via samba wrote:
>>>>>>>> I have what I thought was a working Samba4 AD setup.
>>>>>>>> However, in trying to troubleshoot a user's issues while
>>>>>>>> connecting via a VPN, I began to question if DNS
>>>>>>>> is properly set up.
>>>>>>>>
>>>>>>>> Each linux server has the following entries in
>>>>>>>> resolv.conf:
>>>>>>>
>>>>>>>
>>>>>>> What do you mean by 'linux server'? Are you referring to a Unix
>>>>>>> domain member or a Samba AD DC?
>>>>>>
>>>>>> Two Samba AD DC's
>>>>>> Two Samba Domain Member Servers
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> search ad-domain.company.com
>>>>>>>> nameserver ip-of-FSMO-server
>>>>>>>
>>>>>>> I would list all Samba AD DCs on the Unix domain members and set
>>>>>>> each DC to use itself.
>>>>>>
>>>>>> I'll make the change and see what results
>>>>>>
>>>>>>>>
>>>>>>>> Each linux server has a hosts file with an entry:
>>>>>>>>
>>>>>>>> unique-ip-address machine#.ad-domain.company.com machine#
>>>>>>>>
>>>>>>>> However, if I do nslookup -> set type=SRV ->
>>>>>>>> _ldap._tcp.ad-domain.company.com.
>>>>>>>>
>>>>>>>> instead of getting the results shown here:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Resolving_SRV_Records
>>>>>>>> I get:
>>>>>>>>
>>>>>>>> Server: ip-of-FSMO-server
>>>>>>>> Address: ip-of-FSMO-server#53
>>>>>>>>
>>>>>>>> _ldap._tcp.ad-domain.company.com service = 0 100 389
>>>>>>>> machine1.ad-domain.company.com.
>>>>>>>> _ldap._tcp.ad-domain.company.com service = 0 100 389
>>>>>>>> machine1.ad-domain.company.com.
>>>>>>>
>>>>>>>
>>>>>>> I get something similar; the only difference is that mine lists
>>>>>>> both of my DCs. Yours should list all your DCs.
>>>>>>>
>>>>>>>>
>>>>>>>> Further, if I try pinging hostnames on the FSMO server, I only
>>>>>>>> get positive results on 3 of 4 of my servers:
>>>>>>>>
>>>>>>>> ping ad-domain.company.com -> success
>>>>>>>>
>>>>>>>> ping machine1.ad-domain.company.com -> success
>>>>>>>> ping machine2.ad-domain.company.com -> success
>>>>>>>> ping machine3.ad-domain.company.com -> success
>>>>>>>> ping machine4 -> fails with unknown host
>>>>>>>
>>>>>>>
>>>>>>> They should all work, you seem to have dns problems.
>>>>>>
>>>>>> Agreed. I never noticed it because GPO's and Drive Shares have
>>>>>> been working well for two years. I just noticed something was
>>>>>> amiss when we deployed a VPN.
>>>>>>
>>>>>> DNS is being provided by Samba. How should I troubleshoot this?
>>>>>>
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>> Are you using Bind9?
>>>>>
>>>>> If so, it could be the dns.keytab problem (it isn't created in the
>>>>> bind-dns dir when you join a DC).
>>>>
>>>> No. SAMBA_INTERNAL
>>>>
>>> Pity, it's easy to fix bind9 😂
>>
>> Should I switch?
>
>
> Entirely up to you, do you need Bind9?
I do not have the expertise to say. However, I have a simple network
with 2 Samba ADs, 3 or 4 domain member file servers, about
24 Windows 10 desktops and a Covid VPN. I'd imagine SAMBA_INTERNAL
is good enough.
>
>
>>
>>> You will just have to double check everything 🙁
>>
>> Other than hostname, hosts and resolv.conf, what should I check?
>>
> The actual records in AD, are they all there for each DC?
>
> Does a forward & reverse record exist for all computers in AD?
>
> Is replication working correctly?
I believe so. I get the following on both servers:

'dig ad-domain.company.com NS +short' returns:
    AD1.ad-domain.company.com.
    AD2.ad-domain.company.com.

'dig ad-domain.company.com NS +short' returns:
    192.168.1.1
    192.168.1.2

'nslookup AD1.ad-domain.company.com' returns:
    Server:  192.168.1.1
    Address: 192.168.1.1#53
    Name:    AD1.ad-domain.company.com
    Address: 192.168.1.1

'nslookup AD2.ad-domain.company.com' returns:
    Server:  192.168.1.1
    Address: 192.168.1.1#53
    Name:    AD2.ad-domain.company.com
    Address: 192.168.1.2

'samba-tool dns zonelist ad-domain.company.com -Uadministrator' returns:
    pszZoneName : ad-domain.company.com
    Flags       : DNS_RPC_ZONE_DSINTEGRATED
                  DNS_RPC_ZONE_UPDATE_SECURE
    ZoneType    : DNS_ZONE_TYPE_PRIMARY
    Version     : 50
    dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
                  DNS_DP_ENLISTED
    pszDpFqdn   : DomainDnsZones.ad-domain.company.com

    pszZoneName : 1.168.192.in-addr.arpa
    Flags       : DNS_RPC_ZONE_DSINTEGRATED
                  DNS_RPC_ZONE_UPDATE_SECURE
    ZoneType    : DNS_ZONE_TYPE_PRIMARY
    Version     : 50
    dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
                  DNS_DP_ENLISTED
    pszDpFqdn   : DomainDnsZones.ad-domain.company.com

    pszZoneName : _msdcs.ad-domain.company.com
    Flags       : DNS_RPC_ZONE_DSINTEGRATED
                  DNS_RPC_ZONE_UPDATE_SECURE
    ZoneType    : DNS_ZONE_TYPE_PRIMARY
    Version     : 50
    dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
                  DNS_DP_ENLISTED
    pszDpFqdn   : ForestDnsZones.ad-domain.company.com

'nslookup 192.168.1.1' returns:
    1.1.168.192.in-addr.arpa    name = AD1.ad-domain.company.com

'nslookup 192.168.1.2' returns:
    2.1.168.192.in-addr.arpa    name = AD2.ad-domain.company.com
In addition, during the course of checking all this I made the following
changes:

* Found Bind running on one AD. Disabled it. I'm hoping this was the
  cause of the problem for the VPN user. Not sure how it was installed in
  the first place.
* Removed 'resolvconf' on the domain member servers.
* Removed/deactivated 'avahi-daemon' on the ADs and member servers.

I'm using NetworkManager to manage the interface settings. Other than
one machine losing the settings on reboot, all the correct settings
appear to be there and reflected in resolv.conf.

I still have the issue that the hostname for the machine running
the 32-bit version of buster cannot be resolved.

'nslookup 32bit-buster-machine' returns:
    Server:  192.168.1.1
    Address: 192.168.1.1#53

    Non-authoritative answer:
    *** Can't find 32bit-buster-machine: No answer
>
> Rowland
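The two things Rowland asks for above (resolv.conf on members listing every DC and each DC pointing at itself; forward, reverse and SRV records present for every computer on every DC) can be scripted rather than checked by hand with dig and nslookup. The following is an added example, not code from this thread or from the Samba project. It assumes `dig` is installed for the real-resolver adapter, and the member names and the 192.168.1.13/14 addresses, the constructed in-memory zone, and the deliberately missing records for machine4 (standing in for the unresolvable 32-bit buster host) are all made up for the demonstration; the DC names, IPs and domain are the placeholders used in the thread.

```python
"""Added example: two sanity checks for Samba AD DNS (not Samba project code).

1. check_resolv_conf(): does a host's resolv.conf follow the rule from the
   thread (members list every DC; a DC lists itself first)?
2. check_records(): on every DC, does the _ldap._tcp SRV record list every
   DC, and does every computer have an A record with a matching PTR record?
The record check takes a resolver callable, so it can run against real DCs
through `dig` (dig_resolve) or against the constructed zone below.
"""
import ipaddress
import subprocess

DOMAIN = "ad-domain.company.com"                      # placeholder from the thread
DCS = {"AD1": "192.168.1.1", "AD2": "192.168.1.2"}    # DC name -> IP, as in the thread
# Constructed member list: machine4 intentionally has no records in the zone.
MEMBERS = {"machine3": "192.168.1.13", "machine4": "192.168.1.14"}

# Constructed zone contents, keyed by (lower-cased owner name, record type).
FAKE_ZONE = {
    ("_ldap._tcp." + DOMAIN, "SRV"): ["0 100 389 AD1.ad-domain.company.com.",
                                      "0 100 389 AD2.ad-domain.company.com."],
    ("ad1." + DOMAIN, "A"): ["192.168.1.1"],
    ("ad2." + DOMAIN, "A"): ["192.168.1.2"],
    ("machine3." + DOMAIN, "A"): ["192.168.1.13"],
    ("1.1.168.192.in-addr.arpa", "PTR"): ["AD1.ad-domain.company.com."],
    ("2.1.168.192.in-addr.arpa", "PTR"): ["AD2.ad-domain.company.com."],
    ("13.1.168.192.in-addr.arpa", "PTR"): ["machine3.ad-domain.company.com."],
}


def fake_resolve(server, name, rtype):
    """Stand-in resolver: every DC answers identically (healthy replication)."""
    return list(FAKE_ZONE.get((name.lower(), rtype), []))


def dig_resolve(server, name, rtype):
    """Real resolver: `dig @server name rtype +short`, one rdata string per line."""
    out = subprocess.run(["dig", f"@{server}", name, rtype, "+short"],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]


def check_resolv_conf(text, role, own_ip, dc_ips, domain):
    """Return a list of problems (empty means OK) for a resolv.conf body.
    role is "dc" or "member"; dc_ips is the list of all DC addresses."""
    nameservers, search = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            search.extend(parts[1:])
    problems = []
    if domain not in search:
        problems.append(f"search list lacks {domain}")
    if role == "dc":
        if nameservers[:1] != [own_ip]:   # a DC should query itself first
            problems.append(f"DC should list itself ({own_ip}) first, got {nameservers}")
    else:
        missing = [ip for ip in dc_ips if ip not in nameservers]
        if missing:
            problems.append(f"member does not list DCs {missing}")
        extra = [ip for ip in nameservers if ip not in dc_ips]
        if extra:                         # e.g. a router or public resolver
            problems.append(f"member lists non-DC nameservers {extra}")
    return problems


def check_records(resolve, domain, dcs, members):
    """Ask every DC for the SRV, A and PTR records and report inconsistencies."""
    problems = []
    srv_name = f"_ldap._tcp.{domain}"
    all_hosts = {**dcs, **members}
    for dc_name, dc_ip in dcs.items():
        # SRV targets, normalised: strip trailing dot and ignore case
        targets = {r.split()[-1].rstrip(".").lower() for r in resolve(dc_ip, srv_name, "SRV")}
        for other in dcs:
            if f"{other}.{domain}".lower() not in targets:
                problems.append(f"{dc_name}: SRV {srv_name} does not list {other}")
        for host, ip in all_hosts.items():
            fqdn = f"{host}.{domain}".lower()
            a = resolve(dc_ip, fqdn, "A")
            if a != [ip]:
                problems.append(f"{dc_name}: A {fqdn} -> {a or 'no answer'}, expected {ip}")
            rev = ipaddress.ip_address(ip).reverse_pointer   # e.g. 1.1.168.192.in-addr.arpa
            ptr = [p.rstrip(".").lower() for p in resolve(dc_ip, rev, "PTR")]
            if ptr != [fqdn]:
                problems.append(f"{dc_name}: PTR {ip} -> {ptr or 'no answer'}, expected {fqdn}")
    return problems


if __name__ == "__main__":
    # Constructed member resolv.conf that lists only the FSMO holder, as in the thread
    member_conf = "search ad-domain.company.com\nnameserver 192.168.1.1\n"
    for p in check_resolv_conf(member_conf, "member", "192.168.1.13", list(DCS.values()), DOMAIN):
        print("resolv.conf:", p)
    for p in check_records(fake_resolve, DOMAIN, DCS, MEMBERS):   # swap in dig_resolve for real DCs
        print("records:", p)
```

Against the constructed zone the run reports machine4's missing A and PTR on both DCs and nothing else, which is the shape of the failure described in the message above: the DC records and SRV records are fine, one member simply never registered. Pass `dig_resolve` instead of `fake_resolve` to run the same checks against live DCs.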