[Samba] samba_dlz: add another A record for domain (@ record)

Rowland Penny rpenny at samba.org
Sun Mar 13 14:56:56 UTC 2022 

On Sun, 2022-03-13 at 13:51 +0100, Dario Lesca via samba wrote:
> Il giorno sab, 12/03/2022 alle 14.48 +0000, Rowland Penny via samba
> ha
> scritto:
> > Is there some reason that you are not using a subdomain for your
> > Samba
> > AD domain ?
> 
> I didn't know I was must to use a subdomain for my Samba AD domain.
> So, several years ago i set up a fancy local domain like
> "domain.loc".
> Is this limitation written into some how to that I am lost?

Try reading this:
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ

It explains the situation.

> 
> So, after several years that the AD worked without problems, last
> week
> I had to set up an new intranet web server and on AD I have add the
> corresponding A record for "domain.loc" pointed to this server IP.

Yes, but where was it pointing from ? Your AD DC's or your non AD dns
server that appears to be using the same dns domain as your AD.

> 
> > Your Samba AD DC's should be masters for the AD dns domain,
> 
> My Samba AD DC is master for the AD dns domain, record NS point to
> it,
> I want change only the record A of @, not SOA or NS or MX

The '@' is the SOA

> 
> > so you should be pointing your AD clients at your main dns server
> 
> My all clients are already pointed to my main dns server, the AD
> 
> > and this should forward anything to do with the AD dns domain to
> > the
> > DC's.
> My DNS server is AD, then it does not need forward anything to other
> server.

>From my understanding of what you posted, you have at least one Samba
AD DC (which should be the dns server for the AD ) and another dns
server that is also using the same domain. If this is the case, you 
shouldn't be doing this.
 
> 
> Question:
> 
> a) It's possible point the A record of @, like I do on a Windows DC
> server, to another server different dal DC, without after few minutes
> the DC change it to itself?

No, mainly because of two things, a Samba DC is setup to create any
missing dns records and the '@' record should show each DC as being the
dns domain master (it is known as multi-master).
I suggest you turn off the non-AD dns server.
 
> 
> b) why DC has to change this record?

see above.

>  
> > There is also another potential problem, are your DC's running on
> > Fedora 35 with the OS Samba packages ? If so, are you aware that
> > the
> > Fedora packages use MIT and are classed as experimental.
> 
> This is another thing and it is relevant only if my problem occurs
> only
> in this scenario.

Are you using Fedora as an AD DC ? I know it has nothing to do with
this problem, but you shouldn't be using it in production, that is why
I mentioned it.

> 
> Do you mean that the samba Debian version "not MIT" does NOT have
> this
> A record substitution for @ and it's possible change it?

No, it is Samba acting correctly.

Rowland

More information about the samba mailing list