Marco Shmerykowsky
2021-Jan-30 16:03 UTC
[Samba] How to Properly Configure Samba's Internal DNS
On 2021-01-30 10:59 am, Rowland penny via samba wrote:
> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
>>
>> On 2021-01-30 10:35 am, Rowland penny via samba wrote:
>>> On 30/01/2021 15:19, Marco Shmerykowsky via samba wrote:
>>>> On 2021-01-30 9:31 am, Rowland penny via samba wrote:
>>>>> On 30/01/2021 13:48, Marco Shmerykowsky via samba wrote:
>>>>>> I have what I thought was a working Samba4 AD setup.
>>>>>> However, in trying to troubleshoot a user's issues while
>>>>>> connecting via a VPN, I began to question if DNS
>>>>>> is properly set up.
>>>>>>
>>>>>> Each linux server has the following entries in
>>>>>> resolv.conf:
>>>>>
>>>>>
>>>>> What do you mean by 'linux server' ? are you referring to a Unix domain
>>>>> member or a Samba AD DC ?
>>>>
>>>> Two Samba AD DC's
>>>> Two Samba Domain Member Servers
>>>>
>>>>>
>>>>>>
>>>>>> search ad-domain.company.com
>>>>>> nameserver ip-of-FSMO-server
>>>>>
>>>>> I would list all Samba AD DC's on the Unix domain members and set
>>>>> each DC to use itself.
>>>>
>>>> I'll make the change and see what results
>>>>
>>>>>>
>>>>>> Each linux server has a hosts file with an entry:
>>>>>>
>>>>>> unique-ip-address  machine#.ad-domain.company.com machine#
>>>>>>
>>>>>> However, if I do nslookup -> set type=SRV ->
>>>>>> _ldap._tcp.ad-domain.company.com.
>>>>>>
>>>>>> instead of getting the results shown here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Resolving_SRV_Records
>>>>>> I get:
>>>>>>
>>>>>> Server:         ip-of-FSMO-server
>>>>>> Address:        ip-of-FSMO-server#53
>>>>>>
>>>>>> _ldap._tcp.ad-domain.company.com        service = 0 100 389 machine1.ad-domain.company.com.
>>>>>> _ldap._tcp.ad-domain.company.com        service = 0 100 389 machine1.ad-domain.company.com.
>>>>>
>>>>>
>>>>> I get something similar, only my difference is that mine lists both
>>>>> of my DC's, yours should list all your DC's
>>>>>
>>>>>>
>>>>>> Further, if I try pinging hostnames on the FSMO-server, I only get
>>>>>> positive results on 3 of 4 of my servers:
>>>>>>
>>>>>> ping ad-domain.company.com -> success
>>>>>>
>>>>>> ping machine1.ad-domain.company.com -> success
>>>>>> ping machine2.ad-domain.company.com -> success
>>>>>> ping machine3.ad-domain.company.com -> success
>>>>>> ping machine4 -> fails with unknown host
>>>>>
>>>>>
>>>>> They should all work, you seem to have dns problems.
>>>>
>>>> Agreed. I never noticed it because GPO's and Drive Shares have
>>>> been working well for two years. I just noticed something was
>>>> amiss when we deployed a VPN.
>>>>
>>>> DNS is being provided by Samba. How should I troubleshoot this?
>>>>
>>>>>
>>>>> Rowland
>>>>
>>> are you using Bind9 ?
>>>
>>> if so, it could be the dns.keytab problem (it isn't created in the
>>> bind-dns dir when you join a DC)
>>
>> No. SAMBA_INTERNAL
>>
> Pity, it's easy to fix bind9 ?

Should I switch?

> You will just have to double check everything ?

Other than hostname, hosts and resolv.conf, what should I check?
Rowland penny
2021-Jan-30 16:09 UTC
[Samba] How to Properly Configure Samba's Internal DNS
On 30/01/2021 16:03, Marco Shmerykowsky via samba wrote:
>
> On 2021-01-30 10:59 am, Rowland penny via samba wrote:
>> On 30/01/2021 15:52, Marco Shmerykowsky via samba wrote:
[...]
>> Pity, it's easy to fix bind9 ?
>
> Should I switch?

Entirely up to you, do you need Bind9 ?

>
>> You will just have to double check everything ?
>
> Other than hostname, hosts and resolv.conf, what should I check?
>

The actual records in AD, are they all there for each DC ?
Does a forward & reverse record exist for all computers in AD ?
Is replication working correctly ?

Rowland
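One way to script the checks raised in this thread (the resolv.conf layout Rowland recommends in the first message, and the per-DC records, forward/reverse lookups and replication status he lists in the second) is the shell script below. It is an added example, not code from the list posts or from the Samba project. It assumes the names used in the thread (ad-domain.company.com, DCs machine1 and machine2), that the DC has `host` (bind9-host) and `samba-tool` installed, and that `samba-tool -P` (the DC's own machine account) may read the AD DNS zone. The text helpers run anywhere; the live checks only make sense on a DC.

```shell
#!/bin/sh
# Added example for the Samba list thread above (not from the posts or the
# Samba project): sanity checks for a Samba AD DC using the SAMBA_INTERNAL
# DNS back end. Assumed names: ad-domain.company.com, DCs machine1/machine2.
# Assumed tools on the DC: host (bind9-host) and samba-tool.

DOMAIN="ad-domain.company.com"
DCS="machine1 machine2"      # short hostname of every DC in the domain

# resolv.conf as recommended in the thread: a domain member lists every DC,
# a DC lists only itself. The search line is what lets "ping machine4"
# resolve as machine4.$DOMAIN.
#   usage: resolv_conf <dc-ip>...   (one IP on a DC, all DC IPs on a member)
resolv_conf() {
  printf 'search %s\n' "$DOMAIN"
  for ip in "$@"; do
    printf 'nameserver %s\n' "$ip"
  done
}

# Read an SRV answer (host, dig or nslookup output) on stdin and print the
# DCs from $DCS that do not appear in it. No output means every DC is there.
srv_missing() {
  answer=$(cat)
  for dc in $DCS; do
    case "$answer" in
      *"$dc.$DOMAIN"*) ;;
      *) echo "$dc" ;;
    esac
  done
}

# Run on a DC. Checks: _ldap._tcp SRV records name every DC; each DC has an
# A record and a PTR record as seen by the resolver; the A record exists in
# the AD zone itself (samba-tool -P authenticates with the machine account);
# and DRS replication status.
check_dc_dns() {
  echo "== _ldap._tcp SRV records =="
  missing=$(host -t SRV "_ldap._tcp.$DOMAIN" | srv_missing)
  if [ -z "$missing" ]; then
    echo "all DCs present"
  else
    echo "MISSING: $missing"
  fi
  for dc in $DCS; do
    echo "== $dc =="
    ip=$(host -t A "$dc.$DOMAIN" | awk '/has address/ { print $NF; exit }')
    if [ -z "$ip" ]; then
      echo "no A record for $dc.$DOMAIN"
      continue
    fi
    host "$ip" >/dev/null 2>&1 || echo "no PTR record for $ip ($dc)"
    samba-tool dns query localhost "$DOMAIN" "$dc" A -P >/dev/null 2>&1 \
      || echo "no A record for $dc in the AD zone $DOMAIN"
  done
  echo "== replication =="
  samba-tool drs showrepl
}

# Only run the live checks when asked, so the helpers stay reusable.
case "${1:-}" in
  run) check_dc_dns ;;
esac
```

Run it as `sh check-ad-dns.sh run` on each DC in turn. A DC missing from the SRV output can re-register its own records with `samba_dnsupdate --verbose --all-names` on that DC; PTR checks can only pass if a reverse zone exists, which the internal DNS does not create at provisioning (`samba-tool dns zonecreate` adds one); in the `drs showrepl` output, entries reporting consecutive failures are the ones to chase. Note also that `ping` resolves through nsswitch and `/etc/hosts` first, so a hosts entry can hide a missing DNS record, whereas `nslookup`, `host` and `samba-tool dns query` talk to the DNS server directly.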