Daniel Carrasco Marín
2015-Apr-18 13:42 UTC
[Samba] Question about domain name with BIND9_DLZ
Thanks!! I've restored the server, I've installed all from backports to start in a clean configuration, and I've tried the suggestions but I've got the same result. The Windows machine is using the router dhcp server, but dns is configured manually to use the server as dns.

Anyway I can live with that because I can log in using HOME\User and it works fine. It was only curiosity.

Greetings!!

2015-04-18 14:31 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 18/04/15 13:03, Daniel Carrasco Marín wrote:
>> Thanks for your answer.
>>
>> My OS is Debian 7u8 as server, and Windows 7 as client.
>
> If you enable wheezy backports, you can install bind9.9.5 and will not
> have to compile it yourself.
>
>> I'm doing the test on virtual machines and the dhcp server is a simple
>> router. Anyway I'm using a static IP:
>> iface eth0 inet static
>>     address 192.168.1.100
>>     netmask 255.255.255.0
>>     network 192.168.1.0
>>     broadcast 192.168.1.255
>>     gateway 192.168.1.1
>>     dns-nameservers 192.168.1.100 8.8.8.8
>>     dns-search home.red
>
> Yes, but what are the windows clients being given by dhcp ?
>
>> and /etc/resolv.conf
>> domain HOME
>> search HOME
>> nameserver 192.168.1.100
>> nameserver 8.8.8.8
>
> And there is one of your problems (well several actually)
> remove the domain line, 'domain' & 'search' are mutually exclusive in
> resolv.conf, the last one wins.
> Your dns domain name is not 'HOME', that is your windows workgroup/domain
> name, replace it with 'home.red'
> remove the 'nameserver 8.8.8.8' line, it belongs in
> /etc/bind/named.conf.options as a forwarder.
>
>> The bind9 config is not set, because I did some tests at my work with
>> a configured bind9 server and the result was the same, so I've not tried
>> to set a better configuration:
>> include "/usr/local/samba/private/named.conf";
>> include "/etc/bind/rndc.key";
>>
>> controls {
>>     inet 127.0.0.1 port 953
>>     allow { 127.0.0.1; 192.168.1.100; } keys { "rndc-key"; };
>> };
>>
>> options {
>>     directory "/var/local/cache/bind";
>>     allow-new-zones yes;
>>     transfers-in 500;
>>     empty-zones-enable yes;
>>     //forwarders { 8.8.8.8; 8.8.4.4; };
>>     recursion yes;
>>     //allow-transfer {"none";};
>>     allow-query { any; };
>>     allow-recursion { any; };
>>
>>     dnssec-validation auto;
>>
>>     auth-nxdomain no;    # conform to RFC1035
>>     listen-on-v6 { any; };
>>
>>     rate-limit {
>>         responses-per-second 5;
>>         #window 5;
>>         #log-only yes;
>>     };
>> };
>>
>> zone "." {
>>     type hint;
>>     file "/etc/bind/db.root";
>> };
>
> OK, put the bind9 config files back to what they were.
> change /etc/bind/named.conf to match this:
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> NOTE: you will probably have to change the last line because you have
> compiled samba4 yourself
>
> change /etc/bind/named.conf.options to match this:
>
> options {
>     directory "/var/cache/bind";
>
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>
>     forwarders { 8.8.8.8; 8.8.4.4; };
>     // 0.0.0.0;
>     // };
>
>     //========================================================================
>     // If BIND logs error messages about the root key being expired,
>     // you will need to update your keys. See https://www.isc.org/bind-keys
>     //========================================================================
>     dnssec-validation no;
>
>     auth-nxdomain no;    # conform to RFC1035
>     listen-on-v6 { any; };
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> Again, you will have to change the 'tkey-gssapi-keytab' line.
>
> The above is taken from my working machine.
>
>> In the client machine I've configured the Samba server as DNS
>
> Good
>
>> Greetings!!
>>
>> 2015-04-18 13:25 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>> On 18/04/15 12:11, Daniel Carrasco Marín wrote:
>>>> Hi, first of all I'm sorry for my English.
>>>>
>>>> I'm doing some tests to migrate a Samba3 domain to Samba4 with BIND9_DLZ,
>>>> but the Domain name in Windows information is not correct. It is not a
>>>> problem because all works as expected, but I want to know if I'm doing
>>>> something wrong that can cause problems in future.
>>>>
>>>> I've done the tests with this command:
>>>>
>>>> samba-tool domain provision --use-rfc2307 --realm=home.red --domain=HOME
>>>> --adminpass="Pass" --server-role=dc --dns-backend=BIND9_DLZ
>>>>
>>>> If I use the samba internal backend then the Domain Name in Windows is
>>>> right (HOME) and the machine name doesn't change (machine), but if I use
>>>> the BIND9_DLZ backend then the domain name is changed (home.red) and the
>>>> machine name too (machine.home.red).
>>>>
>>>> Samba version is 4.2.1 stable compiled from git, and bind is 9.9.7
>>>> compiled from source.
>>>> I've used these options to compile:
>>>> Samba
>>>> ./configure --sysconfdir=/etc/samba --bindir=/usr/bin --sbindir=/usr/sbin
>>>> --with-winbind
>>>>
>>>> Bind:
>>>> ./configure --with-gssapi=/usr/include/gssapi --with-openssl=/usr
>>>> --enable-largefile --with-dlopen=yes --sysconfdir=/etc/bind
>>>> --bindir=/usr/bin --sbindir=/usr/sbin --enable-threads --enable-rrl
>>>>
>>>> and of course I've included the line
>>>> include "/usr/local/samba/private/named.conf"; in BIND9 named.conf,
>>>> and I've uncommented the right version in that file.
>>>> The command "smbclient -L localhost -U%" shows the right info.
>>>>
>>>> Am I doing something wrong?
>>>> Can it be problematic in future?
>>>> Is there any way to fix it?
>>>>
>>>> Thanks!!
>>>
>>> What OS ?
>>>
>>> Do your windows clients get their ipaddresses via dhcp ?
>>> and if so, is the dhcp server supplying the domain name ?
>>>
>>> How have you set up bind9 ?
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
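The resolv.conf and named.conf mistakes Rowland calls out above are easy to re-introduce on the next rebuild, so here is a small preflight check for them. This is an added example written for this page, not code from the thread or from the Samba project. It assumes the DNS realm, the DC's own address and Samba's private directory are passed as arguments, Debian-style paths, and a BIND configuration flattened into one file (named.conf plus its includes); the sample files it checks are constructed inline from the thread's own configs and from Rowland's recommended ones.

```shell
#!/bin/sh
# Added example, not code from the thread: preflight check for the two files
# the thread argues about on a Samba AD DC using BIND9_DLZ.
# Assumed inputs (not from the thread): realm, DC address, Samba private dir.

# lint_resolv_conf FILE REALM DC_IP
# Warnings go to stderr; the number of problems found is printed on stdout.
lint_resolv_conf() {
    file=$1; realm=$2; dc_ip=$3; problems=0

    # 'domain' and 'search' are mutually exclusive in resolv.conf; the
    # resolver keeps whichever comes last, so having both is a mistake.
    if grep -q '^domain' "$file" && grep -q '^search' "$file"; then
        echo "WARN: both 'domain' and 'search' present; the last one wins" >&2
        problems=$((problems + 1))
    fi

    # The effective search domain must be the DNS realm (home.red), not the
    # NetBIOS domain name (HOME): AD's SRV records live under the realm.
    effective=$(awk '$1 == "domain" || $1 == "search" { v = $2 } END { print v }' "$file")
    if [ "$effective" != "$realm" ]; then
        echo "WARN: effective search domain is '$effective', expected '$realm'" >&2
        problems=$((problems + 1))
    fi

    # A nameserver other than the DC knows nothing about the AD zones and can
    # answer NXDOMAIN for them; external resolvers belong in forwarders {}.
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$file"); do
        if [ "$ns" != "$dc_ip" ]; then
            echo "WARN: nameserver $ns is not the DC; move it to forwarders {} in named.conf.options" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}

# lint_named_conf FILE SAMBA_PRIVATE_DIR
# FILE is the flattened BIND configuration (named.conf plus its includes).
lint_named_conf() {
    file=$1; private=$2; problems=0

    # Without Samba's generated named.conf BIND never loads the DLZ module,
    # so the AD zones do not exist as far as BIND is concerned.
    if ! grep -q "include \"$private/named.conf\";" "$file"; then
        echo "WARN: $private/named.conf is not included; the DLZ backend is not loaded" >&2
        problems=$((problems + 1))
    fi

    # tkey-gssapi-keytab is what lets domain members do GSS-TSIG dynamic
    # updates of their own records; without it those updates fail.
    if ! grep -q "tkey-gssapi-keytab \"$private/dns.keytab\";" "$file"; then
        echo "WARN: tkey-gssapi-keytab not set; secure dynamic updates will fail" >&2
        problems=$((problems + 1))
    fi

    # allow-recursion { any; } on a server listening on every interface makes
    # the DC an open resolver; restrict recursion to the local networks.
    if grep -q 'allow-recursion[[:space:]]*{[[:space:]]*any;' "$file"; then
        echo "WARN: recursion is open to any client; limit allow-recursion to your subnets" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Constructed samples: the files as posted in the thread ("bad") and as
# Rowland recommends them ("good"). Prints a one-line summary.
demo() {
    tmp=$(mktemp)
    printf 'domain HOME\nsearch HOME\nnameserver 192.168.1.100\nnameserver 8.8.8.8\n' > "$tmp"
    r_bad=$(lint_resolv_conf "$tmp" home.red 192.168.1.100 2>/dev/null)
    printf 'search home.red\nnameserver 192.168.1.100\n' > "$tmp"
    r_good=$(lint_resolv_conf "$tmp" home.red 192.168.1.100 2>/dev/null)

    printf 'include "/usr/local/samba/private/named.conf";\noptions {\n  recursion yes;\n  allow-query { any; };\n  allow-recursion { any; };\n};\n' > "$tmp"
    n_bad=$(lint_named_conf "$tmp" /usr/local/samba/private 2>/dev/null)
    printf 'include "/var/lib/samba/private/named.conf";\noptions {\n  forwarders { 8.8.8.8; 8.8.4.4; };\n  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";\n};\n' > "$tmp"
    n_good=$(lint_named_conf "$tmp" /var/lib/samba/private 2>/dev/null)
    rm -f "$tmp"
    echo "resolv bad=$r_bad good=$r_good named bad=$n_bad good=$n_good"
}

demo
```

Run it on a real DC as `lint_resolv_conf /etc/resolv.conf home.red 192.168.1.100` and `lint_named_conf <(cat /etc/bind/named.conf /etc/bind/named.conf.options) /var/lib/samba/private` (or concatenate the files into a temporary one on a shell without process substitution). The third named.conf check goes one step beyond the thread: nobody there objects to `allow-recursion { any; }`, but on a host that also listens on all interfaces it is the classic open-resolver setting, and a DC is a poor place for one.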
On 18/04/15 14:42, Daniel Carrasco Marín wrote:
> Thanks!!
>
> I've restored the server, I've installed all from backports to start
> in a clean configuration, and I've tried the suggestions but I've got
> the same result. The Windows machine is using the router dhcp server,
> but dns is configured manually to use the server as dns.

If the windows machines are set up to use the router for dhcp, but you are overriding the dns server on each windows box, I have to ask, why bother with dhcp at all ? just set an ipaddress etc on each windows box and forget dhcp.

> Anyway I can live with that because I can log in using HOME\User and
> it works fine. It was only curiosity.

AD depends on DNS, if this gets out of sync, you are in trouble, it would be better to choose one system, either set all machines etc as static dns, or use dhcp and set it up correctly. You could always do what I do, turn off dhcp on the router and run dhcp on the AD server.

Rowland

> Greetings!!
>
> 2015-04-18 14:31 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> On 18/04/15 13:03, Daniel Carrasco Marín wrote:
>>> Thanks for your answer.
>>>
>>> My OS is Debian 7u8 as server, and Windows 7 as client.
>>
>> If you enable wheezy backports, you can install bind9.9.5 and will
>> not have to compile it yourself.
Daniel Carrasco Marín
2015-Apr-18 14:37 UTC
[Samba] Question about domain name with BIND9_DLZ
2015-04-18 15:54 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 18/04/15 14:42, Daniel Carrasco Marín wrote:
>> Thanks!!
>>
>> I've restored the server, I've installed all from backports to start in a
>> clean configuration, and I've tried the suggestions but I've got the same
>> result. The Windows machine is using the router dhcp server, but dns is
>> configured manually to use the server as dns.
>
> If the windows machines are set up to use the router for dhcp, but you are
> overriding the dns server on each windows box, I have to ask, why bother
> with dhcp at all ? just set an ipaddress etc on each windows box and forget
> dhcp.
>
>> Anyway I can live with that because I can log in using HOME\User and it
>> works fine. It was only curiosity.
>
> AD depends on DNS, if this gets out of sync, you are in trouble, it would
> be better to choose one system, either set all machines etc as static dns,
> or use dhcp and set it up correctly. You could always do what I do, turn
> off dhcp on the router and run dhcp on the AD server.

Thanks for the suggestion. I only use the router as dhcp on my test machine because it is a personal computer with virtual machines and I don't need a real dhcp server.

On the production network we have 3 servers to do all the work:
- DHCP server
- DNS server
- Domain server

I want to migrate the DNS server (Bind 9.8) and Domain server (Samba 3.6) to a new machine, upgrading both to the latest versions (Samba4 and Bind 9.9), of course pointing the dns entry in the dhcp server to the new domain/dns server.

Greetings!!

> Rowland
>
>> Greetings!!
>>
>> 2015-04-18 14:31 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>> On 18/04/15 13:03, Daniel Carrasco Marín wrote:
>>>> Thanks for your answer.
>>>>
>>>> My OS is Debian 7u8 as server, and Windows 7 as client.
>>>
>>> If you enable wheezy backports, you can install bind9.9.5 and will
>>> not have to compile it yourself.