[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
Gary Dale
gary at extremeground.com
Tue Apr 25 03:56:55 UTC 2023
On 2023-04-24 17:03, Gary Dale via samba wrote:
> As near as I can tell, my Samba AD DC is working. I'm getting no
> errors when I bring up and use Active Directory Users and Computers.
>
> When I do the testing (verifying) for the file server, DNS and
> Kerberos from
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller,
> everything works. To be clear, the DC is NOT running as a file server
> - that is simply the terminology used by the wiki page.
>
> I did the Create a reverse zone section but the reverse lookup fails.
> root at DC1:~# host 192.168.1.13
> Host 13.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
>
> Here's the output from my DNS information commands:
>
> root at DC1:~# samba-tool dns zonelist DC1 -U Administrator
> Password for [HOME\Administrator]:
> 3 zone(s) found
>
> pszZoneName : 1.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.home.rahim-dale.org
>
> pszZoneName : home.rahim-dale.org
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.home.rahim-dale.org
>
> pszZoneName : _msdcs.home.rahim-dale.org
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.home.rahim-dale.org
>
>
> root at DC1:~# samba-tool dns zoneinfo DC1 home.rahim-dale.org -U
> Administrator
> Password for [HOME\Administrator]:
> pszZoneName : home.rahim-dale.org
> dwZoneType : DNS_ZONE_TYPE_PRIMARY
> fReverse : FALSE
> fAllowUpdate : DNS_ZONE_UPDATE_SECURE
> fPaused : FALSE
> fShutdown : FALSE
> fAutoCreated : FALSE
> fUseDatabase : TRUE
> pszDataFile : None
> aipMasters : []
> fSecureSecondaries : DNS_ZONE_SECSECURE_NO_XFER
> fNotifyLevel : DNS_ZONE_NOTIFY_LIST_ONLY
> aipSecondaries : []
> aipNotify : []
> fUseWins : FALSE
> fUseNbstat : FALSE
> fAging : FALSE
> dwNoRefreshInterval : 168
> dwRefreshInterval : 168
> dwAvailForScavengeTime : 0
> aipScavengeServers : []
> dwRpcStructureVersion : 0x2
> dwForwarderTimeout : 0
> fForwarderSlave : 0
> aipLocalMasters : []
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.home.rahim-dale.org
> pwszZoneDn :
> DC=home.rahim-dale.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=rahim-dale,DC=org
> dwLastSuccessfulSoaCheck : 0
> dwLastSuccessfulXfr : 0
> fQueuedForBackgroundLoad : FALSE
> fBackgroundLoadInProgress : FALSE
> fReadOnlyZone : FALSE
> dwLastXfrAttempt : 0
> dwLastXfrResult : 0
>
> root at DC1:~# samba-tool dns query DC1 home.rahim-dale.org @ ALL -U
> Administrator
> Password for [HOME\Administrator]:
> Name=, Records=3, Children=0
> SOA: serial=136, refresh=900, retry=600, expire=86400,
> minttl=3600, ns=dc1.home.rahim-dale.org.,
> email=hostmaster.home.rahim-dale.org. (flags=600000f0, serial=136,
> ttl=3600)
> NS: dc1.home.rahim-dale.org. (flags=600000f0, serial=1, ttl=900)
> A: 192.168.1.13 (flags=600000f0, serial=1, ttl=900)
> Name=_msdcs, Records=0, Children=0
> Name=_sites, Records=0, Children=1
> Name=_tcp, Records=0, Children=5
> Name=_udp, Records=0, Children=2
> Name=dc1, Records=4, Children=0
> A: 192.168.1.13 (flags=f0, serial=1, ttl=900)
> SRV: dc1.home.rahim-dale.org. (8080, 0, 100) (flags=f0,
> serial=129, ttl=900)
> SRV: dc1.home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=130,
> ttl=900)
> SRV: home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=131,
> ttl=900)
> Name=DomainDnsZones, Records=0, Children=2
> Name=ForestDnsZones, Records=0, Children=2
> Name=GHOSTWHEEL10, Records=1, Children=0
> A: 192.168.1.41 (flags=f0, serial=110, ttl=1200)
> Name=thelibrarian, Records=1, Children=0
> A: 192.168.1.14 (flags=f0, serial=110, ttl=3600)
> Name=transponder, Records=1, Children=0
> A: 192.168.1.20 (flags=f0, serial=110, ttl=3600)
>
> GhostWheel10 is my Windows 10 VM which gets its IP, etc. via DHCP from
> my router. I note that it allows me to specify both the DNS and WINS
> server addresses, both set to 192.168.1.13.
>
> My Linux boxes (real and virtual) have their IP set statically.
> /etc/resolv.conf reads (in all cases, including DC1):
> nameserver 192.168.1.13
> search home.rahim-dale.org
>
> The reverse lookup (using nslookup) also fails on the Windows VM.
>
>
> The /etc/samba/smb.conf on the DC is
> # Global parameters
> [global]
> dns forwarder = 192.168.1.1
> netbios name = DC1
> realm = HOME.RAHIM-DALE.ORG
> server role = active directory domain controller
> workgroup = HOME
> idmap_ldb:use rfc2307 = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/home.rahim-dale.org/scripts
> read only = No
>
> The dns forwarder points to the router.
>
> Anyway, the failure of the reverse lookup seems to be a symptom of
> whatever is causing the "session setup failed:
> NT_STATUS_NO_LOGON_SERVERS" messages I keep getting when trying to
> connect to anything but the DC or from any Linux machine.
>
> Can anyone suggest what I am doing wrong and/or how to fix it?
>
> Thanks.
>
Nope. I found the problem with the reverse lookup by using the Windows 10
DNS Manager and corrected it. Now I'm getting the reverse lookup
correctly everywhere but still getting the NT_STATUS_NO_LOGON_SERVERS
from my Linux workstation:
$ smbclient -L //TheLibrarian -U gary
Password for [HOME\gary]:
session setup failed: NT_STATUS_LOGON_FAILURE
$ smbclient -L //DC1 -U gary
Password for [HOME\gary]:
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.17.7-Debian)
SMB1 disabled -- no workgroup available
wbinfo --ping-dc succeeds from the workstation (and from the file+print
server):
$ wbinfo --ping-dc
checking the NETLOGON for domain[HOME] dc connection to
"dc1.home.rahim-dale.org" succeeded
I really miss the way things used to just work with Samba. And I hate
that virtually all of the wiki pages from Samba are no longer accurate
and/or don't really explain what you need to do. After following the
advice from a member of this forum, at this point all I've got is an
extra VM running with neither the ability to authenticate my Linux
workstation against the AD DC nor connect to shares from the file+print
server.
Instead of having one Samba server, I've got two that require different
setups. And the setup is apparently now spread out over umpteen programs
that need to work perfectly in sync.
Anyway, here's the current smb.conf from the file & print server:
[global]
netbios name = THELIBRARIAN
realm = HOME.RAHIM-DALE.ORG
restrict anonymous = 2
security = ADS
server role = member server
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind use default domain = Yes
workgroup = HOME
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config HOME:unix_nss_info = yes
idmap config HOME:range = 10000-999999
idmap config HOME:schema_mode = rfc2307
idmap config HOME:backend = ad
map acl inherit = Yes
printing = cups
store dos attributes = Yes
vfs objects = acl_xattr
I've set up a samba-only file share as:
[taxes]
path = /srv/taxes
read only = No
which is owned by root:Domain Admins. This shows up in Linux as:
root at TheLibrarian:~# ls -l /srv/
total 4
drwxr-xr-x 2 root 110512 4096 Apr 23 11:30 taxes
but when I try to connect from the Windows 10 VM using the same account
I am logged in as, it rejects my password. It's late & I'm tired. If
anyone has any ideas, I'd appreciate the help when I return to this in
the morning.
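As an added example (not from this thread or from the Samba project): a small offline checker for the kind of member-server smb.conf quoted above, run against a constructed sample modelled on it. It parses the file, collects every `idmap config DOMAIN:range` entry and reports the settings the Samba wiki requires of a domain member, namely `security = ADS` and non-overlapping idmap ranges with a `*` default, so a configuration slip can be ruled out before chasing authentication errors.

```python
import re
# Constructed sample modelled on the member-server smb.conf quoted above.
SAMPLE_SMB_CONF = """
[global]
    realm = HOME.RAHIM-DALE.ORG
    security = ADS
    idmap config * : range = 3000-7999
    idmap config HOME:range = 10000-999999
"""

def parse_smb_conf(text):
    # {section: {key: value}}; keys lower-cased, "a : b" normalised to "a:b"
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            key = re.sub(r"\s*:\s*", ":", key.strip().lower())
            sections[current][key] = value.strip()
    return sections

def idmap_ranges(global_section):
    # {domain: (low, high)} from every "idmap config DOMAIN:range" entry
    ranges = {}
    for key, value in global_section.items():
        m = re.match(r"idmap config (.+):range$", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def check_member_config(text):
    # Returns a list of problems; an empty list means the basic checks pass.
    g = parse_smb_conf(text).get("global", {})
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be ADS on an AD domain member")
    ranges = idmap_ranges(g)
    if "*" not in ranges:
        problems.append("default idmap range ('*') is missing")
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (n1, (_, h1)), (n2, (l2, _)) in zip(ordered, ordered[1:]):
        if l2 <= h1:
            problems.append(f"idmap ranges for {n1} and {n2} overlap")
    return problems
```

Point it at a real file with `check_member_config(open("/etc/samba/smb.conf").read())`; it only covers the settings named above, not winbind or Kerberos state.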