On Fri Dec 1 15:31:52 2023 Rowland Penny via samba <samba at
lists.samba.org> wrote:
> On Fri, 01 Dec 2023 14:45:09 -0500 Mark Foley via samba <samba at
lists.samba.org> wrote:
>
> > Moving on with the tests. Most are working, but a couple of the tests
> > for Verifying DNS,
> >
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS_(Optional)
> > have issues. This one gives me a bit different output:
> >
> > # host -t A dc1.hprs.locl.
> > dc1.hprs.locl has address 192.168.0.2
> > dc1.hprs.locl has address 24.142.169.13
> >
> > The 192.168.0.2 was expected from the wiki example, but what about the
> > 24.142.169.13? That is the public IP for this server. I presume
> > that's OK?
>
> No, your AD DC should not be connected to the internet in any way.
Well, for now it is because I am doing the configuration remotely to an off-site
location. I am taking pains to ensure there is no intrusion. In fact, the
old/current DC has always been, and still is, connected to the Internet! When I
put this new one in place, it will not be. It will be connected to the
firewall/router at 192.168.0.1.
> > The next test fails:
> >
> > # host -t PTR 192.168.0.2
> > Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> >
> > The zonecreate was successful, so why the failure? Leaving off the .2
> > also fails:
> >
> > # host -t PTR 192.168.0
> > 192.168.0 has no PTR record
> >
> > What did I do wrong?
>
> I have no idea, lets start with the contents of /etc/hosts and your
> smb.conf
/etc/hosts:
127.0.0.1 localhost
192.168.0.2 DC1.hprs.local DC1
/etc/samba/smb.conf:
[global]
dns forwarder = 209.18.47.61
netbios name = DC1
realm = HPRS.LOCL
server role = active directory domain controller
workgroup = HPRS
idmap_ldb:use rfc2307 = yes
interfaces = lo, eth1
bind interfaces only = Yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/hprs.locl/scripts
read only = No
> > Finally, not a question/error yet, but in smb.conf [GLOBAL] I have:
> >
> > dns forwarder = 209.18.47.61
>
> Well, it looks okay, but what is '209.18.47.61'? It doesn't appear to
> respond to a ping.
>
> >
> > That was stuck in there by the provision operation. This is an IP for
> > my ISP's name server. I kept the ISP's nameservers in
> > /etc/resolv.conf because with just the wiki suggested entries:
> >
> > search hprs.locl
> > nameserver 192.168.0.2
> >
> > I could not resolve public domain names.
>
> Ah, it is a dns server:
> host -t PTR 209.18.47.61
> 61.47.18.209.in-addr.arpa domain name pointer dns-cac-lb-01.rr.com.
>
> It is a dns problem, this is what is supposed to happen:
>
> A client asks for the dns info for dc1.hprs.locl and the Samba dns
> server should reply with the correct data, but if the client was to ask
> for the dns info for www.samba.org , the Samba dns server will not
> know it and should ask the forwarder for the info, which it should
> return and the Samba server would then pass this to the client.
>
> That doesn't appear to be happening on your DC, did you add the lines
> to your DC smb.conf that you didn't pass during the provision ?
>
> Rowland
Yes I did add those lines, as you can see from the smb.conf, although maybe I
didn't restart Samba after doing so. I did that now, but it didn't make any
difference with the 'host -t PTR 192.168.0.2' test.
My current zonelist is:

  pszZoneName : 0.168.192.in-addr.arpa
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.hprs.locl

I could get to www.samba.org, probably because 209.18.47.61 was in the
resolv.conf. I've just now removed the ISP's nameservers and I can still get
to www.samba.org, so I suppose the dns forwarder is doing its job.
When I actually deploy this DC to production should I remove 209.18.47.61 from
smb.conf? Replace it with 192.168.0.1 (the firewall/router)?
On the current DC there is no ISP DNS server in resolv.conf, but that system
uses BIND9_FLATFILE so the whole bind/named system is in place for public domain
name resolution. On this system I used Samba Internal DNS backend. bind is not
running on this new system. Nevertheless, as just mentioned, I can resolve
public domains. After starting samba for the 1st time I should probably have
removed 209.18.47.61 from resolv.conf.
--Mark
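The three checks discussed in this thread (the DC's A record, its PTR record, and resolution of an external name through the forwarder) are easy to script so they can be re-run after every change to smb.conf or resolv.conf. The script below is an added example written for this page; it is not from the thread, the Samba wiki or the Samba project. It assumes the `host` utility (bind-utils/bind9-host) is installed and queries whatever name server resolv.conf points at, or the server named in the optional `DNS_SERVER` environment variable. The sample `host` output used in the comments is copied from the thread; the names `reverse_name`, `is_private`, `public_addrs`, `ptr_status` and `verify_dc_dns` are this example's own.

```shell
#!/bin/sh
# Added example: verify a Samba AD DC's DNS the way the wiki's "Verifying DNS"
# section does, and flag the two problems seen in this thread:
#   1. the DC's A record carries a non-RFC1918 (public) address
#   2. the DC's PTR lookup returns NXDOMAIN / no record
# Function and variable names here are the example's own assumptions.

# Build the in-addr.arpa name for a dotted-quad IPv4 address.
# Fails for anything that is not four octets: this is why
# "host -t PTR 192.168.0" in the thread says "has no PTR record" -
# host does not treat three octets as an address, it looks up the
# literal name "192.168.0" (plus the search domain).
reverse_name() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  [ -n "$a" ] && [ -n "$b" ] && [ -n "$c" ] && [ -n "$d" ] || return 1
  printf '%s.%s.%s.%s.in-addr.arpa\n' "$d" "$c" "$b" "$a"
}

# RFC 1918 test: 10/8, 172.16/12, 192.168/16.
is_private() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Given the text of `host -t A <name>`, print every address that is not
# RFC 1918 and return 1 if there was any (the 24.142.169.13 case above).
public_addrs() {
  rc=0
  for ip in $(printf '%s\n' "$1" | awk '/has address/ {print $4}'); do
    if ! is_private "$ip"; then
      printf '%s\n' "$ip"
      rc=1
    fi
  done
  return $rc
}

# Classify the text of `host -t PTR <x>`: the pointed-to name, NXDOMAIN
# ("Host ... not found: 3(NXDOMAIN)"), NODATA ("... has no PTR record").
ptr_status() {
  case "$1" in
    *"domain name pointer "*) printf '%s\n' "${1##*domain name pointer }" ;;
    *NXDOMAIN*)               echo NXDOMAIN ;;
    *"has no PTR record"*)    echo NODATA ;;
    *)                        echo UNKNOWN ;;
  esac
}

# Run all three checks against a live server.  Network access required;
# the functions above are kept pure so they can be tested without it.
# usage: verify_dc_dns dc1.hprs.locl 192.168.0.2 [www.samba.org]
verify_dc_dns() {
  fqdn=$1; ip=$2; ext=${3:-www.samba.org}
  srv=${DNS_SERVER:-}            # optional explicit server for host(1)

  a_out=$(host -t A "$fqdn." $srv 2>&1)
  printf 'A   %s\n' "$a_out"
  if leaked=$(public_addrs "$a_out"); then
    echo "    ok: only RFC1918 addresses"
  else
    echo "    WARNING: non-RFC1918 address in A record: $leaked"
  fi

  rev=$(reverse_name "$ip") || { echo "not a dotted-quad IPv4: $ip"; return 1; }
  ptr_out=$(host -t PTR "$rev" $srv 2>&1)
  echo "PTR $rev -> $(ptr_status "$ptr_out")"

  ext_out=$(host -t A "$ext" $srv 2>&1)
  echo "FWD $ext -> $(printf '%s\n' "$ext_out" | awk '/has address/ {print $4; exit}')"
}

if [ $# -ge 2 ]; then
  verify_dc_dns "$@"
fi
```

Run it on the DC itself with resolv.conf pointing only at the DC (`nameserver 192.168.0.2`), so that the forwarder check exercises the `dns forwarder` setting rather than an ISP resolver left in resolv.conf. A PTR result of NXDOMAIN with the reverse zone present, as in the thread, means the zone exists but holds no record for the DC: `samba-tool dns zonecreate` only creates the zone, the DC's own PTR record has to be added separately with `samba-tool dns add`.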