samba - Dec 2023 - Samba Internal DNS not forwarding some zones

Hi,

I have a Samba 4.17 running as AD with two DCs. I configured a zone in 
the internal DNS service with a few entries. Later I decided to drop the 
zone in samba again and do the configuration on the forwarder DNS.
Unfortunately samba does not forward any request for this zone. The zone 
is deleted.
samba-tool dns zonelist does not show the zone.
ldbsearch -H 
/var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=AD\,DC\=OCHTRUP\,DC\=DE.ldb
only shows deleted entries

But still. Anything for xyz.net is forwarded but myzone.net is not 
forwarded to the forwarder. Samba apparently still thinks it is 
responsible for the zone.

Unfortunately I do not get the logging to work.
I tried
log level = 0 dns:10
followed by a
smbcontrol smbd reload-config
But no logs show up. Is there any kind of caching involved? What can I 
do to further troubleshoot? Any ideas?

Kind regards,
Ralf

On Wed, 13 Dec 2023 10:34:08 +0100
Ralf Spenneberg via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> I have a Samba 4.17 running as AD with two DCs. I configured a zone
> in the internal DNS service with a few entries. Later I decided to
> drop the zone in samba again and do the configuration on the
> forwarder DNS.
I take it by 'forwarder DNS', you mean an external (to the AD dns
domain) DNS server, if so, I suggest you stop doing this.
> Unfortunately samba does not forward any request for
> this zone. The zone is deleted.
> samba-tool dns zonelist does not show the zone.
> ldbsearch -H 
>
/var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=AD\,DC\=OCHTRUP\,DC\=DE.ldb
> only shows deleted entries
You shouldn't search anything in the 'sam.ldb.d' directory, only
search in '/var/lib/samba/private/sam.ldb'
> 
> But still. Anything for xyz.net is forwarded but myzone.net is not 
> forwarded to the forwarder. Samba apparently still thinks it is 
> responsible for the zone.
It is.

This is not a Samba thing, it is an Active Directory thing, all AD DCs
when running a dns server (and all Samba AD DCs run a dns server) are
authoritative for the AD dns domain.
All your AD clients should look to a DC as their first nameserver,
anything outside the AD dns domain should be forwarded to an external
dns server, the DC should return records for anything inside the AD dns
domain.
> 
> Unfortunately I do not get the logging to work.
> I tried
> log level = 0 dns:10
> followed by a
> smbcontrol smbd reload-config
> But no logs show up. Is there any kind of caching involved? What can
> I do to further troubleshoot? Any ideas?
I do not think you need to troubleshoot any further, I would suggest
that you put back the zone you deleted and then set your dns up
correctly.

Rowland