Hi,

>What I hoped is to try to "upgrade" your internal DNS to bind9_dlz
>And with doing that, avoid this bug.

My production DCs use DNS Internal, so can I join a new DC using Bind9_dlz without problems?

Regards,

Márcio Bacci

On Wed, 28 Aug 2019 at 12:14, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> Hai Marcio,
>
> ________________________________
>
> From: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com]
> Sent: Wednesday, 28 August 2019 15:57
> To: L.P.H. van Belle; sambalist
> Subject: Re: [Samba] Problems joining station in domain
>
> Hi,
>
> >What is in /etc/ldap/ldap.conf
> >Does it have : TLS_REQCERT allow ?
> >If not add it.
> Do I add this to all DC's?
>
> Yes, but as Andrew did say, we could/should use another setting these days.
> He confirmed it's still a bug in the DNS partitioning.
> What I hoped is to try to "upgrade" your internal DNS to bind9_dlz
> And with doing that, avoid this bug.
>
> I suggest you read:
> Then we are left with the 2 possible workarounds as mentioned in the list before.
> See: https://www.spinics.net/lists/samba/msg158588.html
> Adjust the code of samba a bit.
>
> Dennis pointed out an option to upgrade/create partitions on w2k3 before the joins.
> Found here: https://lists.samba.org/archive/samba/2019-July/224515.html
> But as far as I know that server is gone.
>
> >You installed a new server, why did you not choose debian buster but installed debian stretch?
> Because our Debian distribution is customized and packaged according to the institution's security rules. I depend on making this distribution available in Debian 10.
>
> Well ok, I can only respect this.
> Then I strongly suggest you also read the subject on the list:
> TLS_REQCERT and Samba AD DC
> Because if you have security rules, then this should not be an option, and you should have your own CA running.
>
> So far, (office is closing), until tomorrow.
>
> Greetz,
>
> Louis
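Added example, not part of the thread or of Samba: a small shell check that classifies the `TLS_REQCERT` level in an OpenLDAP client config such as the `/etc/ldap/ldap.conf` discussed above, so the `allow` workaround can be told apart from a setup that enforces the server certificate against a CA. The verdict names, the sample files and the CA path are constructed for illustration.

```shell
#!/bin/sh
# audit_ldap_conf FILE prints one verdict for an OpenLDAP client config:
#   weak         - TLS_REQCERT never/allow/try appears: a bad or missing
#                  server certificate does not always stop the session
#   strict-no-ca - demand/hard (or unset, the OpenLDAP default) but this
#                  file names no TLS_CACERT / TLS_CACERTDIR
#   strict       - demand/hard and a CA location is named in this file
audit_ldap_conf() {
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        { key = toupper($1) }                   # option names are case-insensitive
        key == "TLS_REQCERT" {
            level = tolower($2)
            if (level == "never" || level == "allow" || level == "try")
                weak = 1                        # any weak occurrence is flagged
        }
        key == "TLS_CACERT" || key == "TLS_CACERTDIR" { ca = 1 }
        END {
            if (weak)     print "weak"
            else if (!ca) print "strict-no-ca"
            else          print "strict"
        }
    ' "$1"
}

# Constructed sample configs: the workaround from the thread next to a
# site-CA setup (the CA path is a placeholder, not taken from the thread).
demo() {
    d=$(mktemp -d)
    printf 'BASE dc=example,dc=com\nTLS_REQCERT allow\n' > "$d/workaround.conf"
    printf 'TLS_CACERT /etc/ssl/certs/site-ca.pem\nTLS_REQCERT demand\n' > "$d/own-ca.conf"
    for f in "$d"/*.conf; do
        echo "$(basename "$f"): $(audit_ldap_conf "$f")"
    done
    rm -rf "$d"
}
demo
```

The check only reads the file it is given; settings from `~/.ldaprc` or `LDAPTLS_*` environment variables are outside its scope.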

Hi,

I have installed bind9 bind9utils, but

There isn't the file "dns.keytab" in my server:
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

There isn't the file "named.conf" in the following path:
include "/var/lib/samba/private/named.conf";

Are these files generated after joining the domain?

Regards,

Márcio Bacci

On 28/08/2019 19:20, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I have installed bind9 bind9utils, but
>
> There isn't the file "dns.keytab" in my server:
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
> There isn't the file "named.conf" in the following path:
> include "/var/lib/samba/private/named.conf";
>
> Are these files generated after joining the domain?

If you are using the internal dns server, you need to do more than just install bind9, see here:

https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC

Rowland