[Samba] How to Properly Configure Samba's Internal DNS

Marco Shmerykowsky marco at sce-engineers.com
Sat Jan 30 23:33:39 UTC 2021



---
Marco J. Shmerykowsky, P.E.
marco at sce-engineers.com

--------------------------------------------
     Shmerykowsky Consulting Engineers
        Structural Analysis & Design
      102 West 38th Street, 2nd Floor
         New York, New York 10018
   Tel. (212)719-9700 Fax. (212)719-4822
        http://www.sce-engineers.com
--------------------------------------------

On 2021-01-30 11:09 am, Rowland penny via samba wrote:
> On 30/01/2021 16:03, Marco Shmerykowsky via samba wrote:
>> 
>> On 2021-01-30 10:59 am, Rowland penny via samba wrote:
>>> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
>>>> 
>>>> On 2021-01-30 10:35 am, Rowland penny via samba wrote:
>>>>> On 30/01/2021 15:19, Marco Shmerykowsky via samba wrote:
>>>>>> On 2021-01-30 9:31 am, Rowland penny via samba wrote:
>>>>>>> On 30/01/2021 13:48, Marco Shmerykowsky via samba wrote:
>>>>>>>> I have what I thought was a working Samba4 AD setup.
>>>>>>>> However, in trying to troubleshoot a user's issues while
>>>>>>>> connecting via a VPN, I began to question if DNS
>>>>>>>> is properly set up.
>>>>>>>> 
>>>>>>>> Each linux server has the following entries in
>>>>>>>> resolv.conf:
>>>>>>> 
>>>>>>> 
>>>>>>> What do you mean by 'linux server'? Are you referring to a Unix
>>>>>>> domain member or a Samba AD DC?
>>>>>> 
>>>>>> Two Samba AD DC's
>>>>>> Two Samba Domain Member Servers
>>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>> search ad-domain.company.com
>>>>>>>> nameserver ip-of-FSMO-server
>>>>>>> 
>>>>>>> I would list all Samba AD DC's on the Unix domain members and set 
>>>>>>> each
>>>>>>> DC to use itself.
>>>>>> 
>>>>>> I'll make the change and see what results
>>>>>> 
>>>>>>>> 
>>>>>>>> Each linux server has a hosts file with an entry:
>>>>>>>> 
>>>>>>>> unique-ip-address  machine#.ad-domain.company.com machine#
>>>>>>>> 
>>>>>>>> However, if I do nslookup -> set type=SRV ->
>>>>>>>> _ldap._tcp.ad-domain.company.com.
>>>>>>>> 
>>>>>>>> instead of getting the results shown here:
>>>>>>>> 
>>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Resolving_SRV_Records 
>>>>>>>> I get:
>>>>>>>> 
>>>>>>>> Server:         ip-of-FSMO-server
>>>>>>>> Address:        ip-of-FSMO-server#53
>>>>>>>> 
>>>>>>>> _ldap._tcp.ad-domain.company.com       service = 0 100 389 machine1.ad-domain.company.com.
>>>>>>>> _ldap._tcp.ad-domain.company.com       service = 0 100 389 machine1.ad-domain.company.com.
>>>>>>> 
>>>>>>> 
>>>>>>> I get something similar, only my difference is that mine lists both of
>>>>>>> my DC's, yours should list all your DC's
>>>>>>> 
>>>>>>>> 
>>>>>>>> Further, if I try pinging hostnames on the FSMO-server, I only get positive
>>>>>>>> results on 3 of 4 of my servers:
>>>>>>>> 
>>>>>>>> ping ad-domain.company.com -> success
>>>>>>>> 
>>>>>>>> ping machine1.ad-domain.company.com -> success
>>>>>>>> ping machine2.ad-domain.company.com -> success
>>>>>>>> ping machine3.ad-domain.company.com -> success
>>>>>>>> ping machine4 -> fails with unknown host
>>>>>>> 
>>>>>>> 
>>>>>>> They should all work, you seem to have dns problems.
>>>>>> 
>>>>>> Agreed.  I never noticed it because GPO's and Drive Shares have
>>>>>> been working well for two years. I just noticed something was
>>>>>> amiss when we deployed a VPN.
>>>>>> 
>>>>>> DNS is being provided by Samba.  How should I troubleshoot this?
>>>>>> 
>>>>>>> 
>>>>>>> Rowland
>>>>>> 
>>>>> are you using Bind9 ?
>>>>> 
>>>>> if so, it could be the dns.keytab problem (it isn't created in the
>>>>> bind-dns dir when you join a DC)
>>>> 
>>>> No. SAMBA_INTERNAL
>>>> 
>>> Pity, it is easy to fix bind9 😂
>> 
>> Should I switch?
> 
> 
> Entirely up to you, do you need Bind9 ?

I do not have the expertise to say.  However, I have a simple network
with 2 Samba AD's, 3 or 4 domain member file servers, about
24 windows10 desktops and a Covid-VPN - I'd imagine SAMBA_INTERNAL
is good enough.

> 
> 
>> 
>>> You will just have to double check everything 🙁
>> 
>> Other than hostname, hosts and resolv.conf, what should I check?
>> 
> The actual records in AD, are they all there for each DC ?
> 
> Does a forward & reverse record exist for all computers in AD ?
> 
> Is replication working correctly ?

I believe so.  I get the following on both servers:

'dig ad-domain.company.com NS +short' returns:

AD1.ad-domain.company.com.
AD2.ad-domain.company.com.

'dig ad-domain.company.com NS +short' returns:

192.168.1.1
192.168.1.2

'nslookup AD1.ad-domain.company.com' returns

Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   AD1.ad-domain.company.com
Address: 192.168.1.1

'nslookup AD2.ad-domain.company.com' returns
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   AD2.ad-domain.company.com
Address: 192.168.1.2

'samba-tool dns zonelist ad-domain.company.com -Uadministrator' returns

  pszZoneName                 : ad-domain.company.com
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : DomainDnsZones.ad-domain.company.com

   pszZoneName                 : 1.168.192.in-addr.arpa
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : DomainDnsZones.ad-domain.company.com

   pszZoneName                 : _msdcs.ad-domain.company.com
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : ForestDnsZones.ad-domain.company.com

'nslookup 192.168.1.1' returns:

1.1.168.192.in-addr.arpa      name = AD1.ad-domain.company.com

'nslookup 192.168.1.2' returns:

2.1.168.192.in-addr.arpa      name = AD2.ad-domain.company.com

In addition, during the course of checking all this I made the following changes:
* Found Bind running on one AD. Disabled it.  I'm hoping this was the cause
  of the problem for the VPN user. Not sure how it was installed in the
  first place
* removed 'resolvconf' on the domain member servers
* removed/deactivated 'avahi-daemon' on the AD's and members servers

I'm using NetworkManager to manage the interface settings.  Other than
one machine losing the settings on reboot, all the correct settings
appear to be there and reflected in resolv.conf

I still have the issue that the hostname for the machine running
the 32-bit version of buster cannot be resolved.

'nslookup 32bit-buster-machine'  returns:

Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
*** Can't find 32bit-buster-machine: No answer

> 
> Rowland
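A script that runs the checks Rowland lists (every DC present in the SRV and NS records, a forward and a reverse record for every DC and member) against one DC, as an added example that is not part of this thread and not Samba's own tooling. Live use assumes `dig` from bind9-dnsutils is installed; the domain name, the DC and host lists, the 192.168.1.0/24 addresses and the answers in `example_resolver()` are constructed for illustration (one DC deliberately left out of `_ldap._tcp`, and a member with no A or PTR record, the situation the 32-bit buster machine is in above).

```python
"""Consistency check for Samba AD DNS: SRV/NS coverage of every DC, plus
forward and reverse records for every DC and domain member.

Added example; not code from the samba mailing-list thread or from Samba.
Live use assumes `dig` (bind9-dnsutils) is installed and that the DC given
to dig_resolver() answers on port 53.
"""
import subprocess
from typing import Callable, Dict, List

# A resolver maps (owner name, RR type) to the answers in "dig +short" form.
Resolver = Callable[[str, str], List[str]]


def dig_resolver(server: str) -> Resolver:
    """Resolver that asks one DC directly with dig +short."""
    def query(name: str, rrtype: str) -> List[str]:
        proc = subprocess.run(
            ["dig", f"@{server}", "+short", "+time=3", "+tries=1", name, rrtype],
            capture_output=True, text=True, check=False,
        )
        return [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]
    return query


def srv_targets(answers: List[str]) -> List[str]:
    """dig +short prints SRV answers as 'prio weight port target.'; keep targets."""
    targets = []
    for ans in answers:
        parts = ans.split()
        if len(parts) == 4:
            targets.append(parts[3].rstrip(".").lower())
    return targets


def reverse_name(ip: str) -> str:
    """IPv4 address -> in-addr.arpa owner name (with trailing dot)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_ad_dns(domain: str, dcs: Dict[str, str], hosts: Dict[str, str],
                 resolve: Resolver) -> List[str]:
    """Return a list of problem descriptions; empty means every check passed."""
    dom = domain.rstrip(".").lower()
    expected_dcs = {n.rstrip(".").lower() for n in dcs}
    problems: List[str] = []

    # 1. Every DC must appear in the SRV records clients use to locate a DC;
    #    a DC missing here is simply never contacted by domain members.
    for srv in (f"_ldap._tcp.{dom}.",
                f"_kerberos._tcp.{dom}.",
                f"_ldap._tcp.dc._msdcs.{dom}."):
        found = set(srv_targets(resolve(srv, "SRV")))
        problems += [f"{srv} does not list DC {dc}" for dc in sorted(expected_dcs - found)]

    # 2. Every DC should be an NS for the zone.
    ns = {n.rstrip(".").lower() for n in resolve(f"{dom}.", "NS")}
    problems += [f"{dom}. NS does not list DC {dc}" for dc in sorted(expected_dcs - ns)]

    # 3. Forward (A) and reverse (PTR) records for every DC and member.
    for fqdn, ip in {**dcs, **hosts}.items():
        name = fqdn.rstrip(".").lower()
        a_answers = resolve(f"{name}.", "A")
        if ip not in a_answers:
            problems.append(f"A {name}. -> {a_answers or 'no answer'}, expected {ip}")
        ptr = {p.rstrip(".").lower() for p in resolve(reverse_name(ip), "PTR")}
        if name not in ptr:
            problems.append(f"PTR {ip} -> {sorted(ptr) or 'no answer'}, expected {name}")
    return problems


# --- Constructed data for an offline run (illustrative, not real hosts) ----
EXAMPLE_DOMAIN = "ad-domain.company.com"
EXAMPLE_DCS = {"ad1.ad-domain.company.com": "192.168.1.1",
               "ad2.ad-domain.company.com": "192.168.1.2"}
EXAMPLE_HOSTS = {"machine1.ad-domain.company.com": "192.168.1.11",
                 "machine4.ad-domain.company.com": "192.168.1.14"}


def example_resolver() -> Resolver:
    """Constructed answers: ad2 is missing from _ldap._tcp, and machine4 has
    neither an A nor a PTR record. Everything else is consistent."""
    d = EXAMPLE_DOMAIN
    table = {
        (f"_ldap._tcp.{d}.", "SRV"): [f"0 100 389 ad1.{d}."],
        (f"_kerberos._tcp.{d}.", "SRV"): [f"0 100 88 ad1.{d}.", f"0 100 88 ad2.{d}."],
        (f"_ldap._tcp.dc._msdcs.{d}.", "SRV"): [f"0 100 389 ad1.{d}.", f"0 100 389 ad2.{d}."],
        (f"{d}.", "NS"): [f"ad1.{d}.", f"ad2.{d}."],
        (f"ad1.{d}.", "A"): ["192.168.1.1"],
        (f"ad2.{d}.", "A"): ["192.168.1.2"],
        (f"machine1.{d}.", "A"): ["192.168.1.11"],
        ("1.1.168.192.in-addr.arpa.", "PTR"): [f"ad1.{d}."],
        ("2.1.168.192.in-addr.arpa.", "PTR"): [f"ad2.{d}."],
        ("11.1.168.192.in-addr.arpa.", "PTR"): [f"machine1.{d}."],
    }
    return lambda name, rrtype: list(table.get((name.lower(), rrtype.upper()), []))


def run_example() -> List[str]:
    return check_ad_dns(EXAMPLE_DOMAIN, EXAMPLE_DCS, EXAMPLE_HOSTS, example_resolver())


if __name__ == "__main__":
    # Offline demonstration; replace example_resolver() with
    # dig_resolver("192.168.1.1") to check a real DC.
    for p in run_example():
        print("PROBLEM:", p)
```

Run it once against each DC (each DC queried directly, not via whatever resolv.conf points at), and the two reports should agree if replication is healthy; a difference between them is itself a finding. The zones above are flagged DNS_RPC_ZONE_UPDATE_SECURE, which means only an authenticated (GSS-TSIG) client can add or change its own records, so a member that never shows up in the A and PTR checks is normally one whose secure dynamic update is not getting through rather than a problem in the zone data the DCs already hold.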


