[Samba] How to Properly Configure Samba's Internal DNS
Marco Shmerykowsky
marco at sce-engineers.com
Sun Jan 31 03:03:15 UTC 2021
On 2021-01-30 6:33 pm, Marco Shmerykowsky via samba wrote:
> On 2021-01-30 11:09 am, Rowland penny via samba wrote:
>> On 30/01/2021 16:03, Marco Shmerykowsky via samba wrote:
>>>
>>> On 2021-01-30 10:59 am, Rowland penny via samba wrote:
>>>> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
>>>>>
>>>>> On 2021-01-30 10:35 am, Rowland penny via samba wrote:
>>>>>> On 30/01/2021 15:19, Marco Shmerykowsky via samba wrote:
>>>>>>> On 2021-01-30 9:31 am, Rowland penny via samba wrote:
>>>>>>>> On 30/01/2021 13:48, Marco Shmerykowsky via samba wrote:
>>>>>>>>> I have what I thought was a working Samba4 AD setup.
>>>>>>>>> However, in trying to troubleshoot a user's issues while
>>>>>>>>> connecting via a VPN, I began to question if DNS
>>>>>>>>> is properly set up.
>>>>>>>>>
>>>>>>>>> Each linux server has the following entries in
>>>>>>>>> resolv.conf:
>>>>>>>>
>>>>>>>>
>>>>>>>> What do you mean by 'linux server'? Are you referring to a Unix
>>>>>>>> domain member or a Samba AD DC?
>>>>>>>
>>>>>>> Two Samba AD DC's
>>>>>>> Two Samba Domain Member Servers
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> search ad-domain.company.com
>>>>>>>>> nameserver ip-of-FSMO-server
>>>>>>>>
>>>>>>>> I would list all Samba AD DC's on the Unix domain members and
>>>>>>>> set each
>>>>>>>> DC to use itself.
>>>>>>>
>>>>>>> I'll make the change and see what results
>>>>>>>
>>>>>>>>>
>>>>>>>>> Each linux server has a hosts file with an entry:
>>>>>>>>>
>>>>>>>>> unique-ip-address machine#.ad-domain.company.com machine#
>>>>>>>>>
>>>>>>>>> However, if I do nslookup -> set type=SRV ->
>>>>>>>>> _ldap._tcp.ad-domain.company.com.
>>>>>>>>>
>>>>>>>>> instead of getting the results shown here:
>>>>>>>>>
>>>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Resolving_SRV_Records
>>>>>>>>> I get:
>>>>>>>>>
>>>>>>>>> Server: ip-of-FSMO-server
>>>>>>>>> Address: ip-of-FSMO-server#53
>>>>>>>>>
>>>>>>>>> _ldap._tcp.ad-domain.company.com service = 0 100 389
>>>>>>>>> machine1.ad-domain.company.com.
>>>>>>>>> _ldap._tcp.ad-domain.company.com service = 0 100 389
>>>>>>>>> machine1.ad-domain.company.com.
>>>>>>>>
>>>>>>>>
>>>>>>>> I get something similar; the only difference is that mine lists
>>>>>>>> both of my DC's. Yours should list all your DC's.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Further, if I try pinging hostnames on the FSMO-server, I only
>>>>>>>>> get positive
>>>>>>>>> results on 3 of 4 of my servers:
>>>>>>>>>
>>>>>>>>> ping ad-domain.company.com -> success
>>>>>>>>>
>>>>>>>>> ping machine1.ad-domain.company.com -> success
>>>>>>>>> ping machine2.ad-domain.company.com -> success
>>>>>>>>> ping machine3.ad-domain.company.com -> success
>>>>>>>>> ping machine4 -> fails with unknown host
>>>>>>>>
>>>>>>>>
>>>>>>>> They should all work, you seem to have dns problems.
>>>>>>>
>>>>>>> Agreed. I never noticed it because GPO's and Drive Shares have
>>>>>>> been working well for two years. I just noticed something was
>>>>>>> amiss when we deployed a VPN.
>>>>>>>
>>>>>>> DNS is being provided by Samba. How should I troubleshoot this?
>>>>>>>
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>> Are you using Bind9?
>>>>>>
>>>>>> if so, it could be the dns.keytab problem (it isn't created in the
>>>>>> bind-dns dir when you join a DC)
>>>>>
>>>>> No. SAMBA_INTERNAL
>>>>>
>>>> Pity, it's easy to fix bind9 😂
>>>
>>> Should I switch?
>>
>>
>> Entirely up to you. Do you need Bind9?
>
> I do not have the expertise to say. However, I have a simple network
> with 2 Samba AD's, 3 or 4 domain member file servers, about
> 24 windows10 desktops and a Covid-VPN - I'd imagine SAMBA_INTERNAL
> is good enough.
>
>>
>>
>>>
>>>> You will just have to double check everything 🙁
>>>
>>> Other than hostname, hosts and resolv.conf, what should I check?
>>>
>> The actual records in AD, are they all there for each DC?
>>
>> Does a forward & reverse record exist for all computers in AD?
>>
>> Is replication working correctly?
>
> I believe so. I get the following on both servers:
>
> 'dig ad-domain.company.com NS +short' returns:
>
> AD1.ad-domain.company.com.
> AD2.ad-domain.company.com.
>
> 'dig ad-domain.company.com NS +short' returns:
>
> 192.168.1.1
> 192.168.1.2
>
> 'nslookup AD1.ad-domain.company.com' returns
>
> Server: 192.168.1.1
> Address: 192.168.1.1#53
>
> Name: AD1.ad-domain.company.com
> Address: 192.168.1.1
>
> 'nslookup AD2.ad-domain.company.com' returns
> Server: 192.168.1.1
> Address: 192.168.1.1#53
>
> Name: AD2.ad-domain.company.com
> Address: 192.168.1.2
>
> 'samba-tool dns zonelist ad-domain.company.com -Uadministrator' returns
>
> pszZoneName : ad-domain.company.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.ad-domain.company.com
>
> pszZoneName : 1.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.ad-domain.company.com
>
> pszZoneName : _msdcs.ad-domain.company.com
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.ad-domain.company.com
>
> 'nslookup 192.168.1.1' returns:
>
> 1.1.168.192.in-addr.arpa name = AD1.ad-domain.company.com
>
> 'nslookup 192.168.1.2' returns:
>
> 2.1.168.192.in-addr.arpa name = AD2.ad-domain.company.com
>
> In addition, during the course of checking all this I made the
> following changes:
> * Found Bind running on one AD. Disabled it. I'm hoping this was the
>   cause of the problem for the VPN user. Not sure how it was installed
>   in the first place.
> * removed 'resolvconf' on the domain member servers
> * removed/deactivated 'avahi-daemon' on the AD's and member servers
>
> I'm using NetworkManager to manage the interface settings. Other than
> one machine losing the settings on reboot, all the correct settings
> appear to be there and reflected in resolv.conf
>
> I still have the issue that the hostname for the machine running
> the 32-bit version of buster can not be resolved.
>
> 'nslookup 32bit-buster-machine' returns:
>
> Server: 192.168.1.1
> Address: 192.168.1.1#53
>
> Non-authoritative answer:
> *** Can't find 32bit-buster-machine: No answer
Manually added an A record for '32bit-buster-machine'. Seems to have
taken care of that issue.
>
>>
>> Rowland
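The checks Rowland lists (every DC present in the SRV records, forward and reverse records for each DC, identical answers from each DC) can be scripted. The following is an added example, not code from the thread or from the Samba project; the realm, DC names and the use of `dig` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: verify that each AD DC's own
# DNS advertises every DC in the _ldap._tcp and _kerberos._tcp SRV records and
# has a matching A/PTR pair (the thread's lookup listed one DC twice instead
# of both). Assumption: the realm and DC names below are constructed.
DOMAIN="ad-domain.company.com"
DCS="ad1.ad-domain.company.com ad2.ad-domain.company.com"

# srv_targets: target host of each 'dig SRV +short' line on stdin
# ("prio weight port target."), lower-cased, trailing dot dropped.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print tolower($4) }'
}

# missing_dcs: expected DC list in $1, 'dig SRV +short' output on stdin;
# prints each DC absent from the targets (a DC listed twice hides nothing).
missing_dcs() {
    found=$(srv_targets)
    for dc in $1; do
        printf '%s\n' "$found" | grep -qxF "$dc" || printf '%s\n' "$dc"
    done
}

# reverse_matches: true if PTR answer $2 names host $1 (case/trailing dot ignored).
reverse_matches() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    got=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    [ "$want" = "$got" ]
}
# check_ns: run every check against nameserver $1; returns 1 if anything is off.
check_ns() {
    ns="$1"; rc=0
    for svc in _ldap._tcp _kerberos._tcp; do
        gaps=$(dig @"$ns" "$svc.$DOMAIN" SRV +short | missing_dcs "$DCS")
        [ -z "$gaps" ] || { echo "$ns: $svc.$DOMAIN lacks: $gaps"; rc=1; }
    done
    for dc in $DCS; do
        ip=$(dig @"$ns" "$dc" A +short | head -n 1)
        [ -n "$ip" ] || { echo "$ns: no A record for $dc"; rc=1; continue; }
        reverse_matches "$dc" "$(dig @"$ns" -x "$ip" +short | head -n 1)" \
            || { echo "$ns: PTR for $ip does not name $dc"; rc=1; }
    done
    return $rc
}

# Every DC should answer identically; pass --run to query each DC in turn.
if [ "${1:-}" = "--run" ]; then
    for d in $DCS; do check_ns "$d" || echo "$d: FAILED"; done
fi
```

Run it with `--run` from a domain member whose resolv.conf lists all DCs; any line of output is a record that still needs fixing in AD.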