samba - Jan 2019 - Samba + BIND9 DLZ. DNS dosen't resolve FQDN, only short hostname

Rowland, thank You for advice.

I can manage standard A records, but not sure, what to do with the NS. I 
can't figure out, how to delete invalid A subrecord of NS record.

I'm afraid to experiment much. Please, could You point me to some 
working example?

Peter

Dňa 12. 1. 2019 o 15:00 Rowland Penny via samba
napísal(a):
> On Sat, 12 Jan 2019 10:35:59 +0100
> Peter Tuharsky via samba <samba at lists.samba.org> wrote:
>
>> Thank You, Luis, Rowland,
>>
>> for the initial hints. I checked them all.
>>
>>
>> As of system, it is Debian Strech, Bind 9.10.3, Samba 4.5.12 (I know
>> it is old, but is native for distribution, and should work in such
>> simple setup I suppose). I used this howto:
>>
>>
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> The problem with 4.5.12 is that it is, as far as Samba is concerned,
> EOL. it will be even more EOL when 4.10.0 is released at the beginning
> of March. The only Samba supported versions (at the moment) are 4.9.x,
> 4.8.x and 4.7.x. When 4.10.0 is released, 4.7.x will reach EOL.
>
> This is easily fixed on Debian, see here:
>
> http://apt.van-belle.nl/
>
>>
>> As of hosts.conf, there are only localhost and server itself, because
>> everything else should be resolved by DNS anyway...
>>
>> 127.0.0.1    localhost.interbronz.local    localhost
> The above should just be:
>
> 127.0.0.1	localhost
>
> You also shouldn't have used '.local', bit late now, so you
should stop
> Avahi from running.
>
>> --------
>>
>> There is not much in named.conf and surroundings. This is Debian, so
>> the config is scattered here and there, but if I put all includes
>> together, we get this:
>>
>> options {
>>       directory "/var/cache/bind";
>>
>>       // External DNS forwarder
>>
>>       forwarders {
>>            10.10.10.1;
>>        };
>>
>>       dnssec-validation auto;
>>
>>       auth-nxdomain no;    # conform to RFC1035
>>       listen-on-v6 { any; };
>> };
>>
> This is my /etc/bind/named.conf.options:
> options {
>      directory "/var/cache/bind";
>      version "0.0.7";
>      notify no;
>      empty-zones-enable no;
>      allow-query { 127.0.0.1; 192.168.0.0/24; };
>      allow-recursion {  192.168.0.0/24; 127.0.0.1/32; };
>      forwarders { 8.8.8.8; 8.8.4.4; };
>      allow-transfer { none; };
>
>      dnssec-validation no;
>      dnssec-enable no;
>      dnssec-lookaside no;
>      listen-on-v6 { none; };
>      listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>
>      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
>> --------------
>>
>> Since there is BIND DLZ in use, I assume that it is up to Samba DNS
>> module to resolve local domain issues for BIND, thus BIND config is
>> of little interest here anyway, it simply gives whatever it takes
>> from Samba. Correct?
> Very Wrong.
>
>> So, it would seem that if anything unusual, it should take place
>> inside Samba DNS records. That is area I have no expertise in. When I
>> do
>>
>> samba-tool dns query -U administrator 10.20.1.1 interbronz.local @ ALL
> The only problem with that is (as far as I am aware), samba-tool goes
> direct to AD bypassing Bind9
>
>> The question is, whether Samba even knows how to, or should it ever,
>> resolve FQDNs.
> It does, or rather, Bind9 with AD does.
>
>> I see there are more NS records for server itself, of whom some
>> belong to interfaces no longer active. But still first 2 are valid,
>> and the hostnames are resolved anyway, so that doesn't seem like
the
>> culprit.
> If you have NS records that do not exist, you need to delete them.
>
> Rowland
>   
>

On Sun, 20 Jan 2019 11:51:21 +0100
Peter Tuharsky via samba <samba at lists.samba.org> wrote:
> Rowland, thank You for advice.
> 
> I can manage standard A records, but not sure, what to do with the
> NS. I can't figure out, how to delete invalid A subrecord of NS
> record.
> 
> I'm afraid to experiment much. Please, could You point me to some 
> working example?
> 
> Peter
> 
This should work, when run a DC:

samba-tool dns delete 127.0.0.1 samdom.example.com @ NS 'FQDN of DC to
remove'

Where: 

'samdom.example.com' is the domain to remove the record from.
'@' is the SOA.
'NS' is the record type.
'FQDN of DC to remove' is the record data to remove i.e. something like:
   dc.samdom.example.com

As always, it is best to test first, it shouldn't damage anything, but
better safe than sorry ;-)

Rowland

Rowland, thank You, but this removes only the NS record, but the faulty
domain A records remain. How to deal with them, I don't know. They
behave unlike the ordinary A records.

Name=, Records=8, Children=0
    SOA: serial=27, refresh=900, retry=600, expire=86400, minttl=3600,
ns=blacktux.interbronz.local., email=hostmaster.interbronz.local.
(flags=600000f0, serial=27, ttl=3600)
    NS: blacktux.interbronz.local. (flags=600000f0, serial=1, ttl=900)
    A: 10.10.10.101 (flags=600000f0, serial=1, ttl=900)
    A: 10.20.1.1 (flags=600000f0, serial=3, ttl=900)
    A: 10.20.2.1 (flags=600000f0, serial=9, ttl=900)
    A: 10.20.3.1 (flags=600000f0, serial=10, ttl=900)
    A: 10.20.4.1 (flags=600000f0, serial=11, ttl=900)
    A: 10.30.1.1 (flags=600000f0, serial=23, ttl=900)

Dňa 20. 1. 2019 o 12:46 Rowland Penny via samba
napísal(a):
> On Sun, 20 Jan 2019 11:51:21 +0100
> Peter Tuharsky via samba <samba at lists.samba.org> wrote:
>
>> Rowland, thank You for advice.
>>
>> I can manage standard A records, but not sure, what to do with the
>> NS. I can't figure out, how to delete invalid A subrecord of NS
>> record.
>>
>> I'm afraid to experiment much. Please, could You point me to some 
>> working example?
>>
>> Peter
>>
> This should work, when run a DC:
>
> samba-tool dns delete 127.0.0.1 samdom.example.com @ NS 'FQDN of DC to
> remove'
>
> Where: 
>
> 'samdom.example.com' is the domain to remove the record from.
> '@' is the SOA.
> 'NS' is the record type.
> 'FQDN of DC to remove' is the record data to remove i.e. something
like:
>    dc.samdom.example.com
>
> As always, it is best to test first, it shouldn't damage anything, but
> better safe than sorry ;-)
>
> Rowland
>