samba - Nov 2013 - Samba internal DNS strange behavior to ssh client lookup request

Running a new install of samba 4.1  AD, also using winbind to handle Linux user,
group authorizing users.

I'm have problems with DNS lookups for ssh client don't work  nslookup
on the same  AD and member system works fine.
For example: I can run nslookup example.com and it returns a valid answer right
way.  If I try to ssh -l username example.com , ssh returns "ssh: Could not
resolve hostname example.com : Name or service not known"

Samba is configured with dns forwarder = external DNS server.

Samba DNS tests work.
Such as host -t SRV _ldap._tcp.example.com
/etc/resolve.conf
Configured with nameserver of the DC as the top item in list.   If I move the DC
nameserver entry lower in the list and place the external DNS at the top then
ssh dns lookups work fine. (but then the samba lookups don't work properly)
Any Advice here?

Thanks
                Derek

On 19/11/13 18:24, Werthmuller, Derek wrote:
> Running a new install of samba 4.1  AD, also using winbind to handle Linux
user, group authorizing users.
>
> I'm have problems with DNS lookups for ssh client don't work 
nslookup on the same  AD and member system works fine.
> For example: I can run nslookup example.com and it returns a valid answer
right way.  If I try to ssh -l username example.com , ssh returns "ssh:
Could not resolve hostname example.com : Name or service not known"
>
> Samba is configured with dns forwarder = external DNS server.
>
> Samba DNS tests work.
> Such as host -t SRV _ldap._tcp.example.com
> /etc/resolve.conf
> Configured with nameserver of the DC as the top item in list.   If I move
the DC nameserver entry lower in the list and place the external DNS at the top
then ssh dns lookups work fine. (but then the samba lookups don't work
properly)
> Any Advice here?
>
> Thanks
>                  Derek
>
>
>
Not that it helps you, but it works from an LM15 client to an S4 server 
with bind9 dns

Rowland

Answers to my own question.

Understand why this behaves this way.  No its not a bug in samba internal DNS. 
I believe its how the resolver libraries work in the ssh client (ssh client
didn't chek multiple nameserver resources).  It also points out a bit how
the Samba AD DNS setup works.
1) my incorrect assumption was that the DNS forwarder address, found in
smb.conf, would be used for any address space the AD DNS was not authority for
and if it didn't have an entry for a system within its authority space.  
The last part about forwarding to another DNS server if the internal AD DNS
doesn't have an entry for it doesn't work, and appears to be by design.
2) My plan was to use the samba DNS only for sort of the windows network, and
leave webservers and such to the other already existing DNS server.  This case
only works if the client resolver will check multiple DNS resources if the
first( being the AD DNS) fails.  Nslookup resolver does check multiple DNS
resources often found in /etc/resolv.conf.  Samab AD documentation states to
place the AD address in the first  nameserver entry for the resolv.conf.
3) my new plan is to place more hosts in the samba AD  DNS than originally
anticipated.  I've seen posts suggesting creating a separate DNS domain for
AD so that you don't have to pull all DNS in the AD for a given
domain/subnet.  Not sure if this is a good idea - it seems that if a host have
multiple roles and would be found in both DNS server than the clients resolvers
and cache could become confused.

Cheers
   Derek

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Werthmuller, Derek
Sent: Tuesday, November 19, 2013 1:25 PM
To: samba at lists.samba.org
Subject: [Samba] Samba internal DNS strange behavior to ssh client lookup
request

Running a new install of samba 4.1  AD, also using winbind to handle Linux user,
group authorizing users.

I'm have problems with DNS lookups for ssh client don't work  nslookup
on the same  AD and member system works fine.
For example: I can run nslookup example.com and it returns a valid answer right
way.  If I try to ssh -l username example.com , ssh returns "ssh: Could not
resolve hostname example.com : Name or service not known"

Samba is configured with dns forwarder = external DNS server.

Samba DNS tests work.
Such as host -t SRV _ldap._tcp.example.com /etc/resolve.conf
Configured with nameserver of the DC as the top item in list.   If I move the DC
nameserver entry lower in the list and place the external DNS at the top then
ssh dns lookups work fine. (but then the samba lookups don't work properly)
Any Advice here?

Thanks
                Derek



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba