[Samba] Windows ACLs

Rowland Penny rpenny at samba.org
Fri Sep 23 17:57:14 UTC 2022

On 23/09/2022 18:51, Sonic wrote:
> On Fri, Sep 23, 2022 at 1:24 PM Rowland Penny via samba > >'domain'
> and 'search' are mutually exclusive in /etc/resolv.conf,
>> 'search' is known to work in Samba AD, so that is why I recommend it over 'domain'.
> Oddly enough the Debian install puts both a search line and a domain
> line in resolv.conf. I simplified to domain but have now switched to
> search.
>> AAAARRRRGGGGHHHH..................
> Ha! I get it.
>> All AD computers must use a DC as their nameserver, this is because all the AD dns records are stored in AD and each DC is authoritative for the DNS domain.
>> The exception to this is where the AD computer uses a nameserver that forwards all AD dns domain requests to a DC (which is pretty much the same thing as using a DC as a nameserver). You cannot rely on a caching nameserver holding the required AD records.
> Which is the case here - the local caching nameserver (Unbound) does
> contain all of the DC's records (via stub-zones), both forward and
> reverse, including all SRV records. There is nothing missing.
> Chris

OK, how do the records in AD get updated then ? I really suggest you 
change your caching unbound dns server to a forwarding dns server.


More information about the samba mailing list