[Samba] Secondary DNS on active directory possible?

Markus Mueller markus.mueller at cup.lmu.de
Tue Dec 20 10:19:19 UTC 2022

On 19.12.2022 at 20:27, Rowland Penny via samba wrote:
> On 19/12/2022 18:50, Markus Mueller via samba wrote:
>> I run a Samba AD domain (let's call it myAD.mydomain.net) with DLZ 
>> DNS backend (Ubuntu 20.04, vanilla Samba install) which I migrated 
>> from an NT-style domain. Not all machines in my network participate 
>> in the AD (some Linux only machines and guests), which is why I have 
>> a separate 'master' DHCPD/bind9 server (let's call it 
>> master.mydomain.net) serving zone mydomain.net. The AD host 
>> (nameserver.myAD.mydomain.net) serves zone myAD.mydomain.net.
>> Ideally, I would like to have the Samba-DNS serving the requests from 
>> myAD.mydomain.net and the DHCPD/bind9 machine serving mydomain.net 
>> (which they do). But: the samba AD should forward all requests for 
>> mydomain.net to the master nameserver (which it does not, even though 
>> I set the dns forwarder to master.mydomain.net in smb.conf). It 
>> should be possible (in my opinion) by creating a secondary DNS zone 
>> on the Samba AD (nameserver.myAD.mydomain.net). But that doesn't seem 
>> allowed. samba-tool allows me to create that zone, but I couldn't 
>> figure out how to do the slave config (e.g. setting the master 
>> server). The Microsoft DNS tool does not allow me to create a 
>> secondary zone at all.
>> Why do I try so complicated? My general nameserver failed recently 
>> from a segmentation fault and my whole intranet went down (because my 
>> dhcpd relies on client identification via DNS, mainly for historical 
>> reasons). I would like to have a backup nameserver, but I prefer not 
>> to install yet another instance.
>> Cheers
>> Markus
Dear Rowland

thanks a lot for your reply. You really helped me to optimize my settings.

> If your AD DC is using Bind9, then you do not set the forwarder in 
> smb.conf (that is for the internal dns server), you set it the Bind9 
> conf files.
I have not thought about this yet. I always tried to leave the bind9 
config alone and to use samba-tool or Windows DNS only. I did 
set the forwarder in /etc/bind/named.conf.options to my master DNS now, 
but it didn't resolve any hosts of mydomain.net. I had to also change 
/etc/resolv.conf to that address and it worked.
> You usually do it the other way around, you point your AD clients at 
> the main dns server and this forwards everything for the AD domain 
> (myAD.mydomain.net) to the dns server on the DC.

Sorry, I was unspecific. I actually did it that way. Nevertheless, I 
would like the Samba AD DC to also serve the master domain in case of a 

This is the zone config on my master DNS:

zone "mydomain.net" in {
         allow-transfer { any; };
         allow-update { AD-DC; };
         also-notify { AD-DC; };
         file "/var/lib/bind/mydomain.net";
         type master;
};

zone "myAD.mydomain.net" in {
         type forward;
         forwarders { AD-DC; };
         forward only;
};

Inspired by your suggestion to modify the config files directly I did so 
and it works! My AD-DC Bind is now serving mydomain.net :)

zone "mydomain.net" in {
       type slave;
       file "/var/lib/bind/mydomain.net";
       masters { myMasterDNS; };
};

Only glitch is that apparmor appears to disallow access to the linked 
zone file. But as far as I understood, that file is not needed as it 
will be loaded from the master.

Dec 20 10:57:53 AD-DC kernel: [3936415.836872] audit: type=1400 
audit(1671530273.221:193): apparmor="DENIED" operation="link" 
profile="/usr/sbin/named" name="/var/lib/bind/db-A7K09h1n" pid=284798 
comm="isc-worker0008" requested_mask="l" denied_mask="l" fsuid=114 
ouid=114 target="/var/lib/bind/mydomain.net"

> Why not join your Linux machines to the domain ? they work well.
Some don't really need it (e.g. my webservers). But others certainly are 
domain members.
> Rowland
Thanks again
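Editor's note, added example (not Markus's configuration and not part of the thread): the two named.conf fragments above, written out as complete zone definitions for both servers. The main change is on the primary, where the quoted `allow-transfer { any; };` lets any client dump the whole zone; the version below restricts transfers to a peer that signs with a shared TSIG key. Addresses (192.0.2.1 for master.mydomain.net, 192.0.2.10 for the AD DC), the key name "xfer-key" and the secret placeholder are assumptions; the DLZ zones Samba generates are untouched.

```conf
// --- master.mydomain.net : /etc/bind/named.conf.local (added example) ---
// Shared TSIG key. Generate a real secret with:  tsig-keygen xfer-key
// The secret below is a placeholder, not a usable key.
key "xfer-key" {
        algorithm hmac-sha256;
        secret "<paste the secret printed by tsig-keygen here>";
};

// Assumed addresses (RFC 5737 documentation range), not the real hosts.
acl "ad-dc" { 192.0.2.10; };

zone "mydomain.net" in {
        type master;
        file "/var/lib/bind/mydomain.net";
        // Weak setting from the post: any client may AXFR the zone.
        // allow-transfer { any; };
        // Hardened: only a peer signing with the key may transfer it.
        allow-transfer { key "xfer-key"; };
        allow-update { ad-dc; };        // kept as in the post
        also-notify { 192.0.2.10; };    // push NOTIFY to the secondary
        notify yes;
};

zone "myAD.mydomain.net" in {
        type forward;
        forward only;
        forwarders { 192.0.2.10; };     // the AD DC answers for its own zone
};

// --- AD DC (nameserver.myAD.mydomain.net) : /etc/bind/named.conf.local ---
// Samba's DLZ zones stay in the include generated by samba_upgradedns;
// the secondary copy of the parent zone is simply added beside it.
key "xfer-key" {
        algorithm hmac-sha256;
        secret "<same secret as on the master>";
};

zone "mydomain.net" in {
        type slave;
        file "/var/lib/bind/mydomain.net";       // persisted copy, see note below
        masters { 192.0.2.1 key "xfer-key"; };   // 192.0.2.1 = master (assumed)
        allow-transfer { none; };                // do not re-export the zone
};
```

Check both files with `named-checkconf` before reloading. The `file` line on the secondary matters more than the post suggests: it is where named persists the transferred zone, and the AppArmor line in the log shows that write failing (operation="link", requested_mask="l"; named writes a temporary db-XXXX file and links it into place). While that is denied the zone lives only in memory, so a restart of the DC while the master is down leaves it with nothing to load, which is the exact outage the secondary is meant to cover. Assuming the Ubuntu profile includes /etc/apparmor.d/local/usr.sbin.named, adding `/var/lib/bind/** rwl,` there and reloading with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` grants the missing link permission; `rndc retransfer mydomain.net` followed by a look at /var/lib/bind confirms the file is now written.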
