Rowland penny
2021-Jan-30 16:09 UTC
[Samba] How to Properly Configure Samba's Internal DNS
On 30/01/2021 16:03, Marco Shmerykowsky via samba wrote:
>
> On 2021-01-30 10:59 am, Rowland penny via samba wrote:
>> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
>>>
>>> On 2021-01-30 10:35 am, Rowland penny via samba wrote:
>>>> On 30/01/2021 15:19, Marco Shmerykowsky via samba wrote:
>>>>> On 2021-01-30 9:31 am, Rowland penny via samba wrote:
>>>>>> On 30/01/2021 13:48, Marco Shmerykowsky via samba wrote:
>>>>>>> I have what I thought was a working Samba4 AD setup.
>>>>>>> However, in trying to troubleshoot a user's issues while
>>>>>>> connecting via a VPN, I began to question if DNS
>>>>>>> is properly set up.
>>>>>>>
>>>>>>> Each linux server has the following entries in
>>>>>>> resolv.conf:
>>>>>>
>>>>>>
>>>>>> What do you mean by 'linux server' ? are you referring to a Unix
>>>>>> domain member or a Samba AD DC ?
>>>>>
>>>>> Two Samba AD DC's
>>>>> Two Samba Domain Member Servers
>>>>>
>>>>>>
>>>>>>>
>>>>>>> search ad-domain.company.com
>>>>>>> nameserver ip-of-FSMO-server
>>>>>>
>>>>>> I would list all Samba AD DC's on the Unix domain members and set
>>>>>> each DC to use itself.
>>>>>
>>>>> I'll make the change and see what results
>>>>>
>>>>>>>
>>>>>>> Each linux server has a hosts file with an entry:
>>>>>>>
>>>>>>> unique-ip-address machine#.ad-domain.company.com machine#
>>>>>>>
>>>>>>> However, if I do nslookup -> set type=SRV ->
>>>>>>> _ldap._tcp.ad-domain.company.com.
>>>>>>>
>>>>>>> instead of getting the results shown here:
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Resolving_SRV_Records
>>>>>>> I get:
>>>>>>>
>>>>>>> Server:         ip-of-FSMO-server
>>>>>>> Address:        ip-of-FSMO-server#53
>>>>>>>
>>>>>>> _ldap._tcp.ad-domain.company.com       service = 0 100 389
>>>>>>> machine1.ad-domain.company.com.
>>>>>>> _ldap._tcp.ad-domain.company.com       service = 0 100 389
>>>>>>> machine1.ad-domain.company.com.
>>>>>>
>>>>>>
>>>>>> I get something similar, only my difference is that mine lists
>>>>>> both of my DC's, yours should list all your DC's
>>>>>>
>>>>>>>
>>>>>>> Further, if I try pinging hostnames on the FSMO-server, I only
>>>>>>> get positive results on 3 of 4 of my servers:
>>>>>>>
>>>>>>> ping ad-domain.company.com -> success
>>>>>>>
>>>>>>> ping machine1.ad-domain.company.com -> success
>>>>>>> ping machine2.ad-domain.company.com -> success
>>>>>>> ping machine3.ad-domain.company.com -> success
>>>>>>> ping machine4 -> fails with unknown host
>>>>>>
>>>>>>
>>>>>> They should all work, you seem to have dns problems.
>>>>>
>>>>> Agreed. I never noticed it because GPO's and Drive Shares have
>>>>> been working well for two years. I just noticed something was
>>>>> amiss when we deployed a VPN.
>>>>>
>>>>> DNS is being provided by Samba. How should I troubleshoot this?
>>>>>
>>>>>>
>>>>>> Rowland
>>>>>
>>>> are you using Bind9 ?
>>>>
>>>> if so, it could be the dns.keytab problem (it isn't created in the
>>>> bind-dns dir when you join a DC)
>>>
>>> No. SAMBA_INTERNAL
>>>
>> Pity, it is easy to fix bind9
>
> Should I switch?

Entirely up to you, do you need Bind9 ?

>
>> You will just have to double check everything
>
> Other than hostname, hosts and resolv.conf, what should I check?
>

The actual records in AD, are they all there for each DC ?

Does a forward & reverse record exist for all computers in AD ?

Is replication working correctly ?

Rowland
Marco Shmerykowsky
2021-Jan-30 23:33 UTC
[Samba] How to Properly Configure Samba's Internal DNS
---
Marco J. Shmerykowsky, P.E.
marco at sce-engineers.com
--------------------------------------------
Shmerykowsky Consulting Engineers
Structural Analysis & Design
102 West 38th Street, 2nd Floor
New York, New York 10018
Tel. (212)719-9700 Fax. (212)719-4822
http://www.sce-engineers.com
--------------------------------------------
On 2021-01-30 11:09 am, Rowland penny via samba wrote:
> On 30/01/2021 16:03, Marco Shmerykowsky via samba wrote:
>>
>> On 2021-01-30 10:59 am, Rowland penny via samba wrote:
>>> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
>>>>
>>>> On 2021-01-30 10:35 am, Rowland penny via samba wrote:
>>>>> On 30/01/2021 15:19, Marco Shmerykowsky via samba wrote:
>>>>>> On 2021-01-30 9:31 am, Rowland penny via samba wrote:
>>>>>>> On 30/01/2021 13:48, Marco Shmerykowsky via samba wrote:
>>>>>>>> I have what I thought was a working Samba4 AD setup.
>>>>>>>> However, in trying to troubleshoot a user's issues while
>>>>>>>> connecting via a VPN, I began to question if DNS
>>>>>>>> is properly set up.
>>>>>>>>
>>>>>>>> Each linux server has the following entries in
>>>>>>>> resolv.conf:
>>>>>>>
>>>>>>>
>>>>>>> What do you mean by 'linux server' ? are you referring to a Unix
>>>>>>> domain member or a Samba AD DC ?
>>>>>>
>>>>>> Two Samba AD DC's
>>>>>> Two Samba Domain Member Servers
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> search ad-domain.company.com
>>>>>>>> nameserver ip-of-FSMO-server
>>>>>>>
>>>>>>> I would list all Samba AD DC's on the Unix domain members and set
>>>>>>> each DC to use itself.
>>>>>>
>>>>>> I'll make the change and see what results
>>>>>>
>>>>>>>>
>>>>>>>> Each linux server has a hosts file with an entry:
>>>>>>>>
>>>>>>>> unique-ip-address machine#.ad-domain.company.com machine#
>>>>>>>>
>>>>>>>> However, if I do nslookup -> set type=SRV ->
>>>>>>>> _ldap._tcp.ad-domain.company.com.
>>>>>>>>
>>>>>>>> instead of getting the results shown here:
>>>>>>>>
>>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Resolving_SRV_Records
>>>>>>>> I get:
>>>>>>>>
>>>>>>>> Server:         ip-of-FSMO-server
>>>>>>>> Address:        ip-of-FSMO-server#53
>>>>>>>>
>>>>>>>> _ldap._tcp.ad-domain.company.com       service = 0 100 389
>>>>>>>> machine1.ad-domain.company.com.
>>>>>>>> _ldap._tcp.ad-domain.company.com       service = 0 100 389
>>>>>>>> machine1.ad-domain.company.com.
>>>>>>>
>>>>>>>
>>>>>>> I get something similar, only my difference is that mine lists
>>>>>>> both of my DC's, yours should list all your DC's
>>>>>>>
>>>>>>>>
>>>>>>>> Further, if I try pinging hostnames on the FSMO-server, I only
>>>>>>>> get positive results on 3 of 4 of my servers:
>>>>>>>>
>>>>>>>> ping ad-domain.company.com -> success
>>>>>>>>
>>>>>>>> ping machine1.ad-domain.company.com -> success
>>>>>>>> ping machine2.ad-domain.company.com -> success
>>>>>>>> ping machine3.ad-domain.company.com -> success
>>>>>>>> ping machine4 -> fails with unknown host
>>>>>>>
>>>>>>>
>>>>>>> They should all work, you seem to have dns problems.
>>>>>>
>>>>>> Agreed. I never noticed it because GPO's and Drive Shares have
>>>>>> been working well for two years. I just noticed something was
>>>>>> amiss when we deployed a VPN.
>>>>>>
>>>>>> DNS is being provided by Samba. How should I troubleshoot this?
>>>>>>
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>> are you using Bind9 ?
>>>>>
>>>>> if so, it could be the dns.keytab problem (it isn't created in the
>>>>> bind-dns dir when you join a DC)
>>>>
>>>> No. SAMBA_INTERNAL
>>>>
>>> Pity, it is easy to fix bind9
>>
>> Should I switch?
>
>
> Entirely up to you, do you need Bind9 ?

I do not have the expertise to say. However, I have a simple network
with 2 Samba AD's, 3 or 4 domain member file servers, about
24 windows10 desktops and a Covid-VPN - I'd imagine SAMBA_INTERNAL
is good enough.

>
>
>>
>>> You will just have to double check everything
>>
>> Other than hostname, hosts and resolv.conf, what should I check?
>>
> The actual records in AD, are they all there for each DC ?
>
> Does a forward & reverse record exist for all computers in AD ?
>
> Is replication working correctly ?
I believe so. I get the following on both servers:
'dig ad-domain.company.com NS +short' returns:
AD1.ad-domain.company.com.
AD2.ad-domain.company.com.
'dig ad-domain.company.com NS +short' returns:
192.168.1.1
192.168.1.2
'nslookup AD1.ad-domain.company.com' returns
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: AD1.ad-domain.company.com
Address: 192.168.1.1
'nslookup AD2.ad-domain.company.com' returns
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: AD2.ad-domain.company.com
Address: 192.168.1.2
'samba-tool dns zonelist ad-domain.company.com -Uadministrator' returns
pszZoneName : ad-domain.company.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.ad-domain.company.com
pszZoneName : 1.168.192.in-addr.arpa
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.ad-domain.company.com
pszZoneName : _msdcs.ad-domain.company.com
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.ad-domain.company.com
'nslookup 192.168.1.1' returns:
1.1.168.192.in-addr.arpa name = AD1.ad-domain.company.com
'nslookup 192.168.1.2' returns:
2.1.168.192.in-addr.arpa name = AD2.ad-domain.company.com
In addition, during the course of checking all this I made the following
changes:
* Found Bind running on one AD. Disabled it. I'm hoping this was the cause
of the problem for the VPN user. Not sure how it was installed in the
first place
* removed 'resolvconf' on the domain member servers
* removed/deactivated 'avahi-daemon' on the AD's and member servers
I'm using NetworkManager to manage the interface settings. Other than
one machine losing the settings on reboot, all the correct settings
appear to be there and reflected in resolv.conf
I still have the issue that the hostname for the machine running
the 32-bit version of buster can not be resolved.
'nslookup 32bit-buster-machine' returns:
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
*** Can't find 32bit-buster-machine: No answer
>
> Rowland
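As an added example (not code from the thread, from Samba, or from either poster), a small offline audit of the checks Rowland lists: every DC named in the domain's NS records must appear as an `_ldap._tcp` SRV target, and every host needs matching forward and reverse records. It parses `dig +short` answer text; the sample input is constructed to mirror the symptoms above (an SRV answer naming only one DC, a host with no A record), and the host names and addresses are placeholders.

```python
# Offline audit of the DNS checks from this thread, run on constructed data.
# In real use, feed it the text of `dig +short` answers taken on each DC:
#   NS <domain>, SRV _ldap._tcp.<domain>, A <host>, -x <ip>
import ipaddress


def parse_srv_short(text):
    """Targets from `dig +short SRV` lines ('prio weight port target.')."""
    targets = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            targets.add(parts[3].rstrip(".").lower())
    return targets


def reverse_name(ip):
    """PTR owner name, e.g. 192.168.1.1 -> 1.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def audit(domain, ns_hosts, srv_text, forward, reverse):
    """Return findings (empty when all checks pass). forward maps host -> ip
    (None on 'No answer'); reverse maps ip -> PTR name (None if missing)."""
    srv = parse_srv_short(srv_text)
    dcs = {h.rstrip(".").lower() for h in ns_hosts}
    findings = []
    for dc in sorted(dcs - srv):  # every DC must advertise LDAP via SRV
        findings.append(f"DC {dc} is not advertised in _ldap._tcp.{domain} SRV")
    for dc in sorted(srv - dcs):  # an SRV target that is not a DC is stale
        findings.append(f"SRV target {dc} is not an NS for {domain} (stale?)")
    for host, ip in sorted(forward.items()):
        if ip is None:
            findings.append(f"no A record for {host}")
        elif reverse.get(ip) is None:
            findings.append(f"no PTR record {reverse_name(ip)} for {host}")
        elif reverse[ip].rstrip(".").lower() != host.lower():
            findings.append(f"PTR for {ip} says {reverse[ip]}, expected {host}")
    return findings


# Constructed sample mirroring the thread: two DCs, but the SRV answer lists
# AD1 twice, AD2 has no PTR and machine4 has no A record.
DOMAIN = "ad-domain.company.com"
SAMPLE_NS = ["AD1.ad-domain.company.com.", "AD2.ad-domain.company.com."]
SAMPLE_SRV = "0 100 389 AD1.ad-domain.company.com.\n0 100 389 AD1.ad-domain.company.com.\n"
SAMPLE_FORWARD = {"ad1.ad-domain.company.com": "192.168.1.1",
                  "ad2.ad-domain.company.com": "192.168.1.2",
                  "machine4.ad-domain.company.com": None}
SAMPLE_REVERSE = {"192.168.1.1": "AD1.ad-domain.company.com.", "192.168.1.2": None}

if __name__ == "__main__":
    for finding in audit(DOMAIN, SAMPLE_NS, SAMPLE_SRV, SAMPLE_FORWARD, SAMPLE_REVERSE):
        print("FINDING:", finding)
```

Run it once per DC and diff the findings: a record present on one DC and absent on the other points at replication rather than at the record itself.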
L.P.H. van Belle
2021-Feb-01 08:39 UTC
[Samba] How to Properly Configure Samba's Internal DNS
As long as I don't see the debug output of the script, I and Rowland (and others) are having a hard time helping out here.
The debug script I made shows us almost all we need. Now, what you can do with it: run it on all your AD-DC's and find the differences.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
If you post the output to the list, don't attach the files and anonymize it where needed.
Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco
> Shmerykowsky via samba
> Sent: Sunday 31 January 2021 4:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to Properly Configure Samba's Internal DNS
>
> On 2021-01-30 6:33 pm, Marco Shmerykowsky via samba wrote:
> > On 2021-01-30 11:09 am, Rowland penny via samba wrote:
> [...]
> > I still have the issue that the hostname for the machine running
> > the 32-bit version of buster can not be resolved.
> >
> > 'nslookup 32bit-buster-machine' returns:
> >
> > Server: 192.168.1.1
> > Address: 192.168.1.1#53
> >
> > Non-authoritative answer:
> > *** Can't find 32bit-buster-machine: No answer
>
> manually added an A record for '32bit-buster-machine'. Seems to have
> taken care of that issue.
>
> >
> >>
> >> Rowland