[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
Gary Dale
gary at extremeground.com
Tue Apr 25 21:59:02 UTC 2023
On 2023-04-25 11:22, Rowland Penny via samba wrote:
>
>
> On 25/04/2023 15:37, Gary Dale via samba wrote:
>> On 2023-04-25 08:15, Rowland Penny via samba wrote:
>>>
>>>
>>> On 25/04/2023 12:52, Gary Dale via samba wrote:
>>>>>
>>>> Yes. Your answer is out of date. That part is now working as per my
>>>> reply to my own question at 23:56 last night. I note however that
>>>> the wiki doesn't actually tell you to do that. It only suggests
>>>> (optionally) creating the reverse zone. You need to read the
>>>> Administering DNS Samba wiki to potentially figure out you have to
>>>> do that.
>>>
>>> It is optional, well, because it is optional for AD, but AD does
>>> work better if it is created.
>>>
>>> The Samba wiki was/is written from the point of view that it was
>>> using a self compiled version of Samba, it was expected that the
>>> distros would provide their own documentation. Some distros are
>>> better at this than others.
>> And anyone who dares use the distribution-created documentation gets
>> blasted for doing so and told to use the Samba documentation instead.
>> Besides, the distribution-created documentation gets outdated just as
>> fast as the Samba documentation.
>
> The Samba documentation isn't that far out of date, yes there are
> problems, but not that many. Samba has no control over the distros'
> documentation, some of which is good, what is really bad is the wealth
> of howtos out there on the internet, written by an 'expert'.
>
>>>>
>>>> e.g. in the DNS wiki under "Adding new records", the first example
>>>> reads:
>>>> samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname>
>>>> samdom.example.com demo A 192.168.0.55
>>>>
>>>> It starts out well but then you hit "samdom..." which should be
>>>> <your realm in lowercase>.
>>>
>>> There you see, you are wrong, AD lives and dies on dns, so your
>>> <your realm in lowercase> should actually be <your dns domain>, the
>>> realm would be <your dns domain in uppercase>.
>> I suppose it is possible that <your dns domain> could be different
>> from <your realm in lowercase> but can you suggest why anyone would
>> do that?
>
> What I was trying to point out was that you appear to be thinking in
> the wrong direction, the dns domain comes first and the realm devolves
> from that, hence <your dns domain> rather than <your realm in
> lowercase>. The dns domain should always be in lowercase and the realm
> always referred to in uppercase.
>
>>>
>>>>
>>>> For extra clarity, it could be followed by an example with all the
>>>> values substituted:
>>>> samba-tool dns add DC1 samdom.example.com demo A 192.168.0.55
>>>> then showing the results of the command. And of course, it should
>>>> use the -U Administrator option since that seems to be required
>>>> these days.
>>>
>>> The '-U' option isn't actually set in stone, you could get a
>>> kerberos ticket and use kerberos instead. Your point is valid
>>> though, it should stick to one way of doing things.
>> Yes. If you follow the example as written, you get an error message.
>>
>
> I have updated https://wiki.samba.org/index.php/DNS_Administration
>
> Hopefully it is nearer to what is required now, but if you find any
> other errors or omissions, please let us know, we can only fix such
> things if we are told about them.
>
> Rowland
>
I actually think you went in the wrong direction there. By removing the
<some meaningful information> and putting in just the actual values,
it's harder to distinguish what is magic and what is user-provided. For
example, in adding an A record, demo is the name of the new host being
added while A is the record type being created and 192.168.0.55 is the
IPV4 address of the demo host.

I think it would be clearer to write the example as:

$ samba-tool dns add <dns server> <dns domain> <name to add> A <IPV4 address to add> -U administrator

The example now shows people unnecessarily writing the FQDN of the DNS
server when only the name is really needed.

The omission would be a test that shows why my setup isn't working.