[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend

Rowland Penny rpenny at samba.org
Tue Apr 25 12:15:12 UTC 2023 


On 25/04/2023 12:52, Gary Dale via samba wrote:
>>
> Yes. Your answer is out of date. That part is now working as per my 
> reply to my own question at 23:56 last night. I note however that the 
> wiki doesn't actually tell you to do that. It only suggests (optionally) 
> creating the reverse zone. You need to read the Administering DNS Samba 
> wiki to potentially figure out you have to do that.

It is optional, well, because it is optional for AD, but AD does work 
better if it is created.

The Samba wiki was/is written from the point of view that it was using a 
self compiled version of Samba, it was expected that the distros would 
provide there own documentation. Some distros are better at this than 
others.

> 
> There is a poorly-explained example in the DNS wiki that tells you how 
> to do it.  It would be of great help if the wiki established clear 
> standards about what you need to change for your situation and what is a 
> "magic value" that shouldn't be changed. The usual practice of putting 
> variable values in <> and using descriptive names seems to be rarely 
> followed. The wikis seem to believe that you are reading them from start 
> to finish as that is necessary to figure out what parts are magic and 
> what are specific to the example.

The problem is that there isn't anything that shouldn't be changed 
(except for the actual samba-tool commands and such like.)
If you are having problems with the samba-tool command format, try 
adding --help to the command e.g.
samba-tool user create --help
This will show how to use the command and the valid switches.

> 
> e.g. in the DNS wiki under "Adding new records", the first example reads:
> samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 
> samdom.example.com demo A 192.168.0.55
> 
> It starts out well  but then you hit "samdom..." which should be <your 
> realm in lowercase>.

There you see, you are wrong, AD lives and dies on dns, so your <your 
realm in lowercase> should actually be <your dns domain>, the realm 
would be <your dns domain in uppercase>.

> 
> For extra clarity, it could be followed by an example with all the 
> values substituted:
> samba-tool dns add DC1 samdom.example.com demo A 192.168.0.55
> then showing the results of the command. And of course, it should use 
> the -U Administrator option since that seems to be required these days.

The '-U' option isn't actually set in stone, you could get a kerberos 
ticket and use kerberos instead. Your point is valid though, it should 
stick to one way of doing things.

Rowland

More information about the samba mailing list