On Wed, 13 Dec 2023 10:34:08 +0100
Ralf Spenneberg via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I have a Samba 4.17 running as AD with two DCs. I configured a zone
> in the internal DNS service with a few entries. Later I decided to
> drop the zone in samba again and do the configuration on the
> forwarder DNS.

I take it by 'forwarder DNS', you mean an external (to the AD dns domain) DNS server, if so, I suggest you stop doing this.

> Unfortunately samba does not forward any request for
> this zone. The zone is deleted.
> samba-tool dns zonelist does not show the zone.
> ldbsearch -H
> /var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=AD\,DC\=OCHTRUP\,DC\=DE.ldb
> only shows deleted entries

You shouldn't search anything in the 'sam.ldb.d' directory, only search in '/var/lib/samba/private/sam.ldb'

> But still. Anything for xyz.net is forwarded but myzone.net is not
> forwarded to the forwarder. Samba apparently still thinks it is
> responsible for the zone.

It is. This is not a Samba thing, it is an Active Directory thing, all AD DCs when running a dns server (and all Samba AD DCs run a dns server) are authoritative for the AD dns domain. All your AD clients should look to a DC as their first nameserver, anything outside the AD dns domain should be forwarded to an external dns server, the DC should return records for anything inside the AD dns domain.

> Unfortunately I do not get the logging to work.
> I tried
> log level = 0 dns:10
> followed by a
> smbcontrol smbd reload-config
> But no logs show up. Is there any kind of caching involved? What can
> I do to further troubleshoot? Any ideas?

I do not think you need to troubleshoot any further, I would suggest that you put back the zone you deleted and then set your dns up correctly.

Rowland
Ralf Spenneberg
2023-Dec-13 11:37 UTC
[Samba] Samba Internal DNS not forwarding some zones
Hi Rowland,

thanks for the response. I guess I did not clarify enough. Of course I do have the AD zone set up and managed by the DCs. I am talking about additional external zones not governed by the AD. So I do have ad.domain.toplevel set up and managed by samba. I was talking about an additional, actually external zone, that I did set up first as an additional manual zone in the internal dns using the Windows mmc, but later removed because I wanted to make use of an upstream forwarder. Forwarding for all external zones is configured in smb.conf.

Am 13.12.23 um 11:17 schrieb Rowland Penny via samba:

> I take it by 'forwarder DNS', you mean an external (to the AD dns
> domain) DNS server, if so, I suggest you stop doing this.

Yes. And I think this is a usual setup for resolving zones on the internet. I assume a misunderstanding of my message on your side.

> You shouldn't search anything in the 'sam.ldb.d' directory, only
> search in '/var/lib/samba/private/sam.ldb'

As I mentioned, this was just for debugging purposes. I know that direct write access to these files breaks the replication, etc.

>
>> But still. Anything for xyz.net is forwarded but myzone.net is not
>> forwarded to the forwarder. Samba apparently still thinks it is
>> responsible for the zone.
>
> It is.

It should not be responsible, because it is not the AD zone, as mentioned above, but an additional external zone.

Do you have any additional hints?

Kind regards,

Ralf

--
OpenSource Security GmbH
https://os-s.de
Am Bahnhof 3
48565 Steinfurt
Germany
Fon: +49 25 52 927009-0
Fax: +49 25 52 927009-9
Registergericht: Amtsgericht Steinfurt, HRB 12044
Geschäftsführer: Ralf Spenneberg, Hendrik Schwartke
Umsatzsteuer-Identifikationsnummer gem. §27a UStG: DE815773501
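As an added example (not part of the thread, nor Samba's own code), the script below models the rule Rowland describes: a DC answers locally for any zone its internal DNS still lists, and only names outside those zones go to the `dns forwarder`. The zone names, the smb.conf fragment and the `samba-tool dns zonelist` output are constructed; feeding it the real zonelist output shows whether a name such as host.myzone.net would still be answered locally (and so never forwarded) because the zone is still present.

```python
import re

# Constructed sample of `samba-tool dns zonelist` output; only the
# pszZoneName lines matter for the decision below.
ZONELIST_OUTPUT = """\
  3 zone(s) found

  pszZoneName                 : ad.example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : _msdcs.ad.example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : myzone.net
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
"""

# Constructed smb.conf fragment (forwarder address is a documentation IP).
SMB_CONF = """\
[global]
    server role = active directory domain controller
    dns forwarder = 192.0.2.53
    log level = 0 dns:10
"""

def parse_zonelist(text):
    """Return the zone names the internal DNS server currently serves."""
    return [m.group(1).lower().rstrip(".")
            for m in re.finditer(r"pszZoneName\s*:\s*(\S+)", text)]

def parse_forwarders(smb_conf):
    """Return the addresses listed under 'dns forwarder' (may be several)."""
    m = re.search(r"^\s*dns forwarder\s*=\s*(.+?)\s*$", smb_conf, re.M)
    return m.group(1).split() if m else []

def resolution_path(name, zones, forwarders):
    """('authoritative', zone) if a served zone covers the name (longest
    suffix wins), ('forwarded', addr) otherwise, or ('unresolvable', None)."""
    name = name.lower().rstrip(".")
    covering = [z for z in zones if name == z or name.endswith("." + z)]
    if covering:
        return ("authoritative", max(covering, key=len))
    if forwarders:
        return ("forwarded", forwarders[0])
    return ("unresolvable", None)

if __name__ == "__main__":
    zones, fwd = parse_zonelist(ZONELIST_OUTPUT), parse_forwarders(SMB_CONF)
    for q in ("dc1.ad.example.com", "host.myzone.net", "www.xyz.net"):
        print(q, "->", resolution_path(q, zones, fwd))
```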