[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
Gary Dale
gary at extremeground.com
Tue Apr 25 14:37:41 UTC 2023
On 2023-04-25 08:15, Rowland Penny via samba wrote:
>
>
> On 25/04/2023 12:52, Gary Dale via samba wrote:
>>>
>> Yes. Your answer is out of date. That part is now working as per my
>> reply to my own question at 23:56 last night. I note however that the
>> wiki doesn't actually tell you to do that. It only suggests
>> (optionally) creating the reverse zone. You need to read the
>> Administering DNS Samba wiki to potentially figure out you have to do
>> that.
>
> It is optional, well, because it is optional for AD, but AD does work
> better if it is created.
>
> The Samba wiki was/is written from the point of view that it was using
> a self-compiled version of Samba, it was expected that the distros
> would provide their own documentation. Some distros are better at this
> than others.
And anyone who dares use the distribution-created documentation gets
blasted for doing so and told to use the Samba documentation instead.
Besides, the distribution-created documentation gets outdated just as
fast as the Samba documentation.
>
>>
>> There is a poorly-explained example in the DNS wiki that tells you
>> how to do it. It would be of great help if the wiki established
>> clear standards about what you need to change for your situation and
>> what is a "magic value" that shouldn't be changed. The usual practice
>> of putting variable values in <> and using descriptive names seems to
>> be rarely followed. The wikis seem to believe that you are reading
>> them from start to finish as that is necessary to figure out what
>> parts are magic and what are specific to the example.
>
> The problem is that there isn't anything that shouldn't be changed
> (except for the actual samba-tool commands and such like.)
> If you are having problems with the samba-tool command format, try
> adding --help to the command e.g.
> samba-tool user create --help
> This will show how to use the command and the valid switches.
Actually, there is. I pointed out one example below but there are
others. There should be a clear and consistent standard way of
identifying what is specific to your instance.
>
>>
>> e.g. in the DNS wiki under "Adding new records", the first example
>> reads:
>> samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname>
>> samdom.example.com demo A 192.168.0.55
>>
>> It starts out well but then you hit "samdom..." which should be
>> <your realm in lowercase>.
>
> There you see, you are wrong, AD lives and dies on DNS, so your <your
> realm in lowercase> should actually be <your dns domain>, the realm
> would be <your dns domain in uppercase>.
I suppose it is possible that <your dns domain> could be different from
<your realm in lowercase> but can you suggest why anyone would do that?
>
>>
>> For extra clarity, it could be followed by an example with all the
>> values substituted:
>> samba-tool dns add DC1 samdom.example.com demo A 192.168.0.55
>> then showing the results of the command. And of course, it should use
>> the -U Administrator option since that seems to be required these days.
>
> The '-U' option isn't actually set in stone, you could get a Kerberos
> ticket and use Kerberos instead. Your point is valid though, it should
> stick to one way of doing things.
Yes. If you follow the example as written, you get an error message.