[Samba] Windows ACLs

Sonic sonicsmith at gmail.com
Fri Sep 23 17:51:52 UTC 2022


On Fri, Sep 23, 2022 at 1:24 PM Rowland Penny via samba wrote:
> 'domain' and 'search' are mutually exclusive in /etc/resolv.conf,
> 'search' is known to work in Samba AD, so that is why I recommend it over 'domain'.

Oddly enough the Debian install puts both a search line and a domain
line in resolv.conf. I simplified to domain but have now switched to
search.

> AAAARRRRGGGGHHHH..................

Ha! I get it.

> All AD computers must use a DC as their nameserver, this is because all the AD dns records are stored in AD and each DC is authoritative for the DNS domain.

> The exception to this is where the AD computer uses a nameserver that forwards all AD dns domain requests to a DC (which is pretty much the same thing as using a DC as a nameserver). You cannot rely on a caching nameserver holding the required AD records.

Which is the case here - the local caching nameserver (Unbound) does
contain all of the DC's records (via stub-zones), both forward and
reverse, including all SRV records. There is nothing missing.

Chris
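
The following is an added example, not part of the original message or of Samba itself: a small lint for the two resolv.conf points discussed in this thread (domain/search conflict, and whether every nameserver is a DC or a resolver that forwards the AD zone). The domain samdom.example.com, the addresses, and the allowed_resolvers parameter are constructed assumptions.

```python
# Added example: lint resolv.conf for an AD member. All sample values are constructed.
AD_SRV_LABELS = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                 "_kpasswd._tcp", "_ldap._tcp.dc._msdcs")

SAMPLE = """\
# constructed sample containing both keywords
domain samdom.example.com
search samdom.example.com
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

def parse_resolv_conf(text):
    """Return (nameservers, effective search list, domain/search keywords in file order)."""
    nameservers, search, keywords = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "domain" and args:           # 'domain' sets a one-entry search list
            search, _ = [args[0].rstrip(".").lower()], keywords.append(key)
        elif key == "search" and args:           # last 'domain'/'search' line wins
            search, _ = [a.rstrip(".").lower() for a in args], keywords.append(key)
    return nameservers, search, keywords

def lint(text, ad_domain, allowed_resolvers):
    """allowed_resolvers: addresses known to be DCs or to forward the AD zone to a DC."""
    nameservers, search, keywords = parse_resolv_conf(text)
    findings = []
    if "domain" in keywords and "search" in keywords:
        findings.append("both 'domain' and 'search' present; only the last "
                        "one ('%s') takes effect" % keywords[-1])
    if ad_domain.lower() not in search:
        findings.append("AD DNS domain %s is not in the search list" % ad_domain)
    if not nameservers:
        findings.append("no nameserver line")
    for ns in nameservers:
        if ns not in allowed_resolvers:
            findings.append("nameserver %s is neither a DC nor a forwarder "
                            "for the AD zone" % ns)
    return findings

def srv_names_to_verify(ad_domain):
    """SRV names the configured resolver must answer (check each with host -t SRV)."""
    return ["%s.%s" % (label, ad_domain) for label in AD_SRV_LABELS]

if __name__ == "__main__":
    for finding in lint(SAMPLE, "samdom.example.com", {"127.0.0.1", "10.0.0.10"}):
        print(finding)
```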


