[Samba] Provisioning new AD Domain Controller

Mark Foley mfoley at novatec-inc.com
Fri Dec 1 23:25:43 UTC 2023


On Fri Dec  1 15:31:52 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Fri, 01 Dec 2023 14:45:09 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Moving on with the tests. Most are working, but a couple of the tests
> > for Verifying DNS,
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS_(Optional)
> > have issues. This one gives me a bit different output:
> > 
> > # host -t A dc1.hprs.locl.
> > dc1.hprs.locl has address 192.168.0.2
> > dc1.hprs.locl has address 24.142.169.13
> > 
> > The 192.68.0.2 was expected from the wiki example, but what about the
> > 24.142.169.13? That is the public IP for this server. I presume
> > that's OK?
>
> No, your AD DC should not be connected to the internet in any way.

Well, for now it is because I am doing the configuration remotely to an off-site
location.  I am taking pains to ensure there is no intrusion.  In fact, the
old/current DC has always been, and still is, connected to the Internet! When I
put this new one in place, it will not be.  It will be connected to the
firewall/router at 192.168.0.1.

> > The next test fails:
> > 
> > # host -t PTR 192.168.0.2
> > Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> > 
> > The zonecreate was successful, so why the failure? Leaving off the .2
> > also fails:
> > 
> > # host -t PTR 192.168.0
> > 192.168.0 has no PTR record
> > 
> > What did I do wrong?
>
> I have no idea, let's start with the contents of /etc/hosts and your
> smb.conf

/etc/hosts:

127.0.0.1               localhost
192.168.0.2             DC1.hprs.local DC1

/etc/samba/smb.conf:

[global]
        dns forwarder = 209.18.47.61
        netbios name = DC1
        realm = HPRS.LOCL
        server role = active directory domain controller
        workgroup = HPRS
        idmap_ldb:use rfc2307 = yes
        interfaces = lo, eth1
        bind interfaces only = Yes
               
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/hprs.locl/scripts
        read only = No

> > Finally, not a question/error yet, but in smb.conf [GLOBAL] I have:
> > 
> > dns forwarder = 209.18.47.61
>
> Well, it looks okay, but what is '209.18.47.61', it doesn't appear to
> respond to a ping.
>
> > 
> > That was stuck in there by the provision operation. This is an IP for
> > my ISP's name server.  I kept the ISP's nameservers in
> > /etc/resolv.conf because with just the wiki suggested entries:
> >
> > search hprs.locl
> > nameserver 192.168.0.2
> > 
> > I could not resolve public domain names.
>
> Ah, it is a dns server:
> host -t PTR 209.18.47.61
> 61.47.18.209.in-addr.arpa domain name pointer dns-cac-lb-01.rr.com.
>
> It is a dns problem, this is what is supposed to happen:
>
> A client asks for the dns info for dc1.hprs.locl and the Samba dns
> server should reply with the correct data, but if the client was to ask
> for the dns info for www.samba.org , the Samba dns server will not
> know it and should ask the forwarder for the info, which it should
> return and the Samba server would then pass this to the client.
>
> That doesn't appear to be happening on your DC, did you add the lines
> to your DC smb.conf that you didn't pass during the provision ?
>
> Rowland

Yes, I did add those lines, as you can see from the smb.conf, although maybe I
didn't restart Samba after doing so.  I did that now, but it didn't make any
difference with the 'host -t PTR 192.168.0.2' test.

My current zonelist is:

  pszZoneName                 : 0.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
  pszDpFqdn                   : DomainDnsZones.hprs.locl

I could get to www.samba.org, probably because 209.18.47.61 was in the
resolv.conf. I've just now removed the ISP's nameservers and I can get to
www.samba.org, so I suppose the dns forwarder is doing its job.

When I actually deploy this DC to production should I remove 209.18.47.61 from
smb.conf? Replace it with 192.168.0.1 (the firewall/router)?

On the current DC there is no ISP DNS server in resolv.conf, but that system
uses BIND9_FLATFILE so the whole bind/named system is in place for public domain
name resolution. On this system I used Samba Internal DNS backend. bind is not
running on this new system. Nevertheless, as just mentioned, I can resolve public
domains. After starting samba for the 1st time I should probably have removed
209.18.47.61 from resolv.conf. 

--Mark
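Added example, not part of the thread and not Samba's own code: a stdlib-only Python script that reproduces the three wiki verification checks Mark is running against the DC's resolver (the A record of the DC, the PTR record of its address, and an external name that the DC can only answer by asking its 'dns forwarder'), and additionally lists any globally routable address in the DC's own A answer, which is the 24.142.169.13 case Rowland objects to. The DC address 192.168.0.2 and the name dc1.hprs.locl come from the thread and www.samba.org is the external name Rowland used; the DNS wire-format helpers are hand-written here (assumption: the DC answers plain UDP queries on port 53).

```python
import ipaddress
import socket
import struct

QTYPE = {"A": 1, "PTR": 12}
RCODE_NXDOMAIN = 3
DC_IP = "192.168.0.2"             # DC address from the thread
DC_FQDN = "dc1.hprs.locl."        # DC name from the thread
EXTERNAL_NAME = "www.samba.org."  # must be answered through 'dns forwarder'


def reverse_name(ip: str) -> str:
    """Reverse-lookup owner name: 192.168.0.2 -> 2.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier copy
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode and the answer section as (owner, type, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        value = rdata.hex()  # fallback for record types not decoded here
        if rtype == QTYPE["A"]:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == QTYPE["PTR"]:
            value, _ = decode_name(msg, offset)
        answers.append((owner, rtype, value))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def public_addresses(addresses):
    """Globally routable addresses in a DC's A answer (the 24.142.169.13 case above)."""
    return [a for a in addresses if ipaddress.ip_address(a).is_global]


def query(server: str, qname: str, qtype: str, timeout: float = 2.0) -> dict:
    """Send one UDP query to the DC resolver on port 53 and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def run_checks(server=DC_IP, dc_fqdn=DC_FQDN, dc_ip=DC_IP, external=EXTERNAL_NAME):
    """The three wiki checks: DC A record, DC PTR record, external name via forwarder."""
    fwd = query(server, dc_fqdn, "A")
    addrs = [v for _, t, v in fwd["answers"] if t == QTYPE["A"]]
    print(f"A   {dc_fqdn} -> {addrs}; public (should be empty): {public_addresses(addrs)}")
    rev = query(server, reverse_name(dc_ip), "PTR")
    print(f"PTR {dc_ip} -> " + ("NXDOMAIN" if rev["rcode"] == RCODE_NXDOMAIN else str(rev["answers"])))
    ext = query(server, external, "A")
    print(f"A   {external} via forwarder -> rcode={ext['rcode']} {ext['answers']}")


if __name__ == "__main__":
    run_checks()
```

Run it on a host that can reach the DC (or on the DC itself, where the resolver is the loopback-bound Samba internal DNS). An NXDOMAIN on the PTR line with a zone that was created successfully means the zone exists but holds no record for that address, so the next thing to look at is whether a PTR for the DC was ever added (samba-tool dns add with type PTR) rather than the zone itself; a non-empty "public" list on the first line reproduces the A-record problem from the thread.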


