[Samba] Windows ACLs

Rowland Penny rpenny at samba.org
Fri Sep 23 17:22:48 UTC 2022

On 23/09/2022 17:37, Sonic wrote:
> On Fri, Sep 23, 2022 at 12:19 PM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>> It should be:
>> search pizza.example.com
>> in /etc/resolv.conf instead of:
>> domain pizza.example.com
> Technically yes, although domain does work, but since it's deprecated
> I will change it.

'domain' and 'search' are mutually exclusive in /etc/resolv.conf, 
'search' is known to work in Samba AD, so that is why I recommend it 
over 'domain'.

>> also is 'nameserver' a typo, because your DC appears to use '' as its ipaddress.
> Not a typo, I've tested it both ways. I generally point to the
> network's local cache instead of the DC. But I also always test direct
> to the DC just in case it does make a difference (never has in any of
> my single DC environments).

Please excuse me for the next line:


All AD computers must use a DC as their nameserver, this is because all 
the AD dns records are stored in AD and each DC is authoritative for the 
DNS domain. The exception to this is where the AD computer uses a 
nameserver that forwards all AD dns domain requests to a DC (which is 
pretty much the same thing as using a DC as a nameserver). You cannot 
rely on a caching nameserver holding the required AD records.


More information about the samba mailing list