[Samba] How to Properly Configure Samba's Internal DNS

Marco Shmerykowsky marco at sce-engineers.com
Sun Jan 31 03:03:15 UTC 2021


On 2021-01-30 6:33 pm, Marco Shmerykowsky via samba wrote:
> On 2021-01-30 11:09 am, Rowland penny via samba wrote:
>> On 30/01/2021 16:03, Marco Shmerykowsky via samba wrote:
>>> 
>>> On 2021-01-30 10:59 am, Rowland penny via samba wrote:
>>>> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
>>>>> 
>>>>> On 2021-01-30 10:35 am, Rowland penny via samba wrote:
>>>>>> On 30/01/2021 15:19, Marco Shmerykowsky via samba wrote:
>>>>>>> On 2021-01-30 9:31 am, Rowland penny via samba wrote:
>>>>>>>> On 30/01/2021 13:48, Marco Shmerykowsky via samba wrote:
>>>>>>>>> I have what I thought was a working Samba4 AD setup.
>>>>>>>>> However, in trying to troubleshoot a user's issues while
>>>>>>>>> connecting via a VPN, I began to question if DNS
>>>>>>>>> is properly set up.
>>>>>>>>> 
>>>>>>>>> Each linux server has the following entries in
>>>>>>>>> resolv.conf:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> What do you mean by 'linux server'? Are you referring to a Unix
>>>>>>>> domain member or a Samba AD DC?
>>>>>>> 
>>>>>>> Two Samba AD DC's
>>>>>>> Two Samba Domain Member Servers
>>>>>>> 
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> search ad-domain.company.com
>>>>>>>>> nameserver ip-of-FSMO-server
>>>>>>>> 
>>>>>>>> I would list all Samba AD DC's on the Unix domain members and 
>>>>>>>> set each
>>>>>>>> DC to use itself.
>>>>>>> 
>>>>>>> I'll make the change and see what results
>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Each linux server has a hosts file with an entry:
>>>>>>>>> 
>>>>>>>>> unique-ip-address  machine#.ad-domain.company.com machine#
>>>>>>>>> 
>>>>>>>>> However, if I do nslookup -> set type=SRV ->
>>>>>>>>> _ldap._tcp.ad-domain.company.com.
>>>>>>>>> 
>>>>>>>>> instead of getting the results shown here:
>>>>>>>>> 
>>>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Resolving_SRV_Records 
>>>>>>>>> I get:
>>>>>>>>> 
>>>>>>>>> Server:         ip-of-FSMO-server
>>>>>>>>> Address:        ip-of-FSMO-server#53
>>>>>>>>> 
>>>>>>>>> _ldap._tcp.ad-domain.company.com       service = 0 100 389 
>>>>>>>>> machine1.ad-domain.company.com.
>>>>>>>>> _ldap._tcp.ad-domain.company.com       service = 0 100 389 
>>>>>>>>> machine1.ad-domain.company.com.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> I get something similar, only my difference is that mine lists 
>>>>>>>> both of
>>>>>>>> my DC's, yours should list all your DC's
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Further, if I try pinging hostnames on the FSMO-server, I only 
>>>>>>>>> get positive
>>>>>>>>> results on 3 of 4 of my servers:
>>>>>>>>> 
>>>>>>>>> ping ad-domain.company.com -> success
>>>>>>>>> 
>>>>>>>>> ping machine1.ad-domain.company.com -> success
>>>>>>>>> ping machine2.ad-domain.company.com -> success
>>>>>>>>> ping machine3.ad-domain.company.com -> success
>>>>>>>>> ping machine4 -> fails with unknown host
>>>>>>>> 
>>>>>>>> 
>>>>>>>> They should all work, you seem to have dns problems.
>>>>>>> 
>>>>>>> Agreed.  I never noticed it because GPO's and Drive Shares have
>>>>>>> been working well for two years. I just noticed something was
>>>>>>> amiss when we deployed a VPN.
>>>>>>> 
>>>>>>> DNS is being provided by Samba.  How should I troubleshoot this?
>>>>>>> 
>>>>>>>> 
>>>>>>>> Rowland
>>>>>>> 
>>>>>> are you using Bind9 ?
>>>>>> 
>>>>>> if so, it could be the dns.keytab problem (it isn't created in the
>>>>>> bind-dns dir when you join a DC)
>>>>> 
>>>>> No. SAMBA_INTERNAL
>>>>> 
>>>> Pity, it's easy to fix bind9 😂
>>> 
>>> Should I switch?
>> 
>> 
>> Entirely up to you, do you need Bind9 ?
> 
> I do not have the expertise to say.  However, I have a simple network
> with 2 Samba AD's, 3 or 4 domain member file servers, about
> 24 windows10 desktops and a Covid-VPN - I'd imagine SAMBA_INTERNAL
> is good enough.
> 
>> 
>> 
>>> 
>>>> You will just have to double check everything 🙁
>>> 
>>> Other than hostname, hosts and resolv.conf, what should I check?
>>> 
>> The actual records in AD, are they all there for each DC ?
>> 
>> Does a forward & reverse record exist for all computers in AD ?
>> 
>> Is replication working correctly ?
> 
> I believe so.  I get the following on both servers:
> 
> 'dig ad-domain.company.com NS +short' returns:
> 
> AD1.ad-domain.company.com.
> AD2.ad-domain.company.com.
> 
> 'dig ad-domain.company.com NS +short' returns:
> 
> 192.168.1.1
> 192.168.1.2
> 
> 'nslookup AD1.ad-domain.company.com' returns
> 
> Server:         192.168.1.1
> Address:        192.168.1.1#53
> 
> Name:   AD1.ad-domain.company.com
> Address: 192.168.1.1
> 
> 'nslookup AD2.ad-domain.company.com' returns
> Server:         192.168.1.1
> Address:        192.168.1.1#53
> 
> Name:   AD2.ad-domain.company.com
> Address: 192.168.1.2
> 
> 'samba-tool dns zonelist ad-domain.company.com -Uadministrator' returns
> 
>  pszZoneName                 : ad-domain.company.com
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.ad-domain.company.com
> 
>   pszZoneName                 : 1.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.ad-domain.company.com
> 
>   pszZoneName                 : _msdcs.ad-domain.company.com
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.ad-domain.company.com
> 
> 'nslookup 192.168.1.1' returns:
> 
> 1.1.168.192.in-addr.arpa      name = AD1.ad-domain.company.com
> 
> 'nslookup 192.168.1.2' returns:
> 
> 2.1.168.192.in-addr.arpa      name = AD2.ad-domain.company.com
> 
> In addition, during the course of checking all this I made the
> following changes:
> * Found Bind running on one AD. Disabled it.  I'm hoping this was the 
> cause
>   of the problem for the VPN user. Not sure how it was installed in the
>   first place
> * removed 'resolvconf' on the domain member servers
> * removed/deactivated 'avahi-daemon' on the AD's and member servers
> 
> I'm using NetworkManager to manage the interface settings.  Other than
> one machine losing the settings on reboot, all the correct settings
> appear to be there and reflected in resolv.conf
> 
> I still have the issue that the hostname for the machine running
> the 32-bit version of buster can not be resolved.
> 
> 'nslookup 32bit-buster-machine'  returns:
> 
> Server:         192.168.1.1
> Address:        192.168.1.1#53
> 
> Non-authoritative answer:
> *** Can't find 32bit-buster-machine: No answer

Manually added an A record for '32bit-buster-machine'. Seems to have
taken care of that issue.

> 
>> 
>> Rowland

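The checks Rowland lists above (NS and SRV records naming every DC, forward and reverse records for every computer) can be run as one consistency audit. The script below is an added example, not code from the thread or from Samba; `lookup` is any caller-supplied resolver function, and SAMPLE_ZONE is a constructed in-memory zone built to mirror the thread's setup, including a member host with no A record.

```python
# Added example (not from the thread): audit the DNS records a Samba AD
# domain relies on.  lookup(name, rtype) is any caller-supplied function
# returning answer strings ([] for NXDOMAIN / no answer); SAMPLE_ZONE is a
# constructed in-memory zone mirroring the thread's setup.
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]
D = "ad-domain.company.com"  # constructed domain name from the thread
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    (D, "NS"): [f"ad1.{D}", f"ad2.{D}"],
    (f"_ldap._tcp.{D}", "SRV"): [f"0 100 389 ad1.{D}", f"0 100 389 ad2.{D}"],
    (f"_kerberos._tcp.{D}", "SRV"): [f"0 100 88 ad1.{D}"],  # AD2 left out on purpose
    (f"ad1.{D}", "A"): ["192.168.1.1"], ("1.1.168.192.in-addr.arpa", "PTR"): [f"ad1.{D}"],
    (f"ad2.{D}", "A"): ["192.168.1.2"], ("2.1.168.192.in-addr.arpa", "PTR"): [f"ad2.{D}"],
    (f"machine1.{D}", "A"): ["192.168.1.10"], ("10.1.168.192.in-addr.arpa", "PTR"): [f"machine1.{D}"],
    # 32bit-buster-machine deliberately has no A record, as in the thread
}

def sample_lookup(name: str, rtype: str) -> List[str]:
    return SAMPLE_ZONE.get((name.lower().rstrip("."), rtype), [])

def reverse_name(ip: str) -> str:
    """192.168.1.1 -> 1.1.168.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def audit_ad_dns(lookup: Lookup, domain: str, dcs: List[str], members: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    fq = lambda host: f"{host}.{domain}".lower()
    dc_fqdns = {fq(h) for h in dcs}
    # 1. The zone's NS records should name every DC.
    ns = {n.lower().rstrip(".") for n in lookup(domain, "NS")}
    for missing in sorted(dc_fqdns - ns):
        findings.append(f"NS: {missing} not listed as a nameserver for {domain}")
    # 2. Every DC must be a target of the SRV records clients use to find it.
    for srv in (f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}"):
        targets = {r.split()[-1].lower().rstrip(".") for r in lookup(srv, "SRV")}
        for missing in sorted(dc_fqdns - targets):
            findings.append(f"SRV: {missing} missing from {srv}")
    # 3. Forward (A) and reverse (PTR) records must exist and agree for every host.
    for host in dcs + members:
        name = fq(host)
        addrs = lookup(name, "A")
        if not addrs:
            findings.append(f"A: no address record for {name}")
            continue
        for ip in addrs:
            if name not in {p.lower().rstrip(".") for p in lookup(reverse_name(ip), "PTR")}:
                findings.append(f"PTR: {ip} does not point back to {name}")
    return findings
```

To run it against a real DC, replace `sample_lookup` with a function that queries the DC (for example via dnspython's `dns.resolver`) and returns the answer strings.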

