mathias dufresne
2015-Dec-02 16:07 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
OK, sorry, I haven't re-read the whole thread carefully enough.>From what I understand sometimes your DNS request are truncated, asking formachineName.windows rahter than machineName.windows.rest.of.your.domain.tld So you have to find what is cutting your DNS requests. If I'm wrong, don't read the rest :p First I would test my DNS resolution using dig, host or nslookup and check with tcpdump if that resolution is working correctly. If request is not truncated your issue comes from something else than your DNS resolution configuration. ex: dig @192.168.127.129 whiskey.windows.corp.XXX.com dig @192.168.127.141 whiskey.windows.corp.XXX.com dig @192.168.112.4 whiskey.windows.corp.XXX.com If it works, I would continue with simple command, perhaps a kinit as that one should, I believe, also launch several DNS query (if your krb5.conf is still alsmot empty). Here you continue to check with tcpdump what DNS request your client is launching (ex: on the client: tcpdump -i eth0 port domain) The point is to define where is the issue, removing points where doubt exists. DNS queries are DNS queries. Kerberos seems to be acting simply just for a kinit. Finally once dig and kinit are working, you could dig into Samba configuration. 2015-12-02 16:34 GMT+01:00 Jonathan S. Fisher < jonathan at springventuregroup.com>:> Dnsmasq is not running locally! Disabling it would do nothing but stop > DHCP and DNS forwarding for 2000+ soon to be irate people. > > What I am going to do however is bypass DHCP completely and assign a > static address with DNS pointed straight at active directory. If that still > doesn't work, I think I can definitely narrow this down to a bug in Active > Directory, our AD configuration, or a bug in Samba. > > On Wed, Dec 2, 2015 at 6:08 AM, mathias dufresne <infractory at gmail.com> > wrote: > >> Can't you just disable dnsmasq service? >> >> You don't seem to be too much confident in that tool and you have DNS >> issue... >> >> dnsmasq has most certainly a good reason to exist. I just don't know it. >> In >> IT for work we generally don't need such tool as infrastructures of >> companies are meant to be stable. As the clients configuration. >> >> So I would start with dnsmasq removal, then I would [learn how to] >> configure manually this client, then I would re-run test, starting with >> small tests (DNS with dig/nslookup, kinit...) >> >> 2015-12-01 21:40 GMT+01:00 Jonathan S. Fisher < >> jonathan at springventuregroup.com>: >> >> > So everything with the hostname with now resolving correctly, without >> the >> > 127.0.1.1 hack anymore. We just had to make sure DHCP was handing out >> the >> > correct domain, which it is now: >> > >> > $ hostname -d >> > windows.corp.XXX.com >> > $ hostname -f >> > freeradius.windows.corp.XXX.com >> > >> > I deleted all the shared secrets, removed the computer from AD and >> > rejoined... but of course, we're still getting the exact same issue... >> :( >> > It's still trying to query the wrong DNS entry. >> > >> > >> > On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny < >> > rowlandpenny241155 at gmail.com >> > > wrote: >> > >> > > On 01/12/15 17:27, Jonathan S. Fisher wrote: >> > > >> > >> It isn't running, one of the first things I do when setting up a new >> DC >> > is >> > >>> >> > >> to remove nscd if it is installed. >> > >> Ah ok... well this isn't a DC, just a member... is NSCD ok to run as >> a >> > >> member? Otherwise I can remove it. >> > >> >> > > >> > > I would remove it, everything dns wise should come from an AD DC >> > > >> > > >> > >> you get a caching dnsmasq server as standard >> > >>> >> > >> Not on ubuntu server... There is no dnsmasq package installed nor >> is it >> > >> in >> > >> ps -ef >> > >> >> > > >> > > Ah, so no GUI then, ok in this case you probably wont have Network >> > Manager >> > > installed either. >> > > >> > > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns >> > >>> >> > >> problems. >> > >> I'll try to figure out how to get the client to have a FQDN without >> the >> > >> line in /etc/hosts >> > >> >> > > >> > > If this machine is going to be a fileserver, you would probably be >> better >> > > using a fixed ip, but if you going to have other Unix domain members >> > using >> > > dhcp, you need to sort this problem. >> > > >> > > >> > >> I really am starting to hate Active Directory... >> > >> >> > > >> > > I just hate microsoft, it cuts out the middle man :-D >> > > >> > > Rowland >> > > >> > > >> > >> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny < >> > >> rowlandpenny241155 at gmail.com >> > >> >> > >>> wrote: >> > >>> On 01/12/15 17:09, Jonathan S. Fisher wrote: >> > >>> >> > >>> So your client did no DNS lookups?? That's crazy. Could they be >> cached? >> > >>> (Can you disable nscd if you have it running and try again?) >> > >>> >> > >>> >> > >>> It isn't running, one of the first things I do when setting up a >> new DC >> > >>> is >> > >>> to remove nscd if it is installed. >> > >>> >> > >>> >> > >>> Why, in your deity's name, why????? >> > >>>> >> > >>> I'm starting my own caliphate. Seems to be all the rage these days. >> > >>> >> > >>> Dnsmasq isn't running locally... it's the main DNS server at >> > >>> 192.168.127.129. At one time I guess we were running Bind, but he >> > >>> switched >> > >>> to dnsmasq for simplicity. If there's a legit reason why Windows >> needs >> > to >> > >>> handle 100% of the DNS and DHCP for the network... well that's a >> little >> > >>> scary of a thought. Are these things in no way interoperable? >> > >>> >> > >>> >> > >>> On Ubuntu, you get a caching dnsmasq server as standard, this is >> > >>> controlled by Network Manager, this shouldn't be running on an AD >> > client >> > >>> (note this is only from my experience, it seems to interfere with AD >> > >>> dns). >> > >>> >> > >>> DHCP doesn't need to be running on the DC, but it needs to give your >> > >>> client the required info, see my previous post for what mine sends. >> > >>> Your AD clients need to use your AD DCs as their DNS servers, >> anything >> > >>> your DCs don't know about i.e. google should be forwarded to a DNS >> > server >> > >>> that does i.e. your dnsmasq machine >> > >>> >> > >>> Your problem isn't that net is using the workgroup name, it is that >> > your >> > >>> machine doesn't seem to know who it is and where the DCs are :-) >> > >>> >> > >>> >> > >>> Mind you, until you get 'hostname -f' to return your FQDN, it will >> not >> > >>>> >> > >>> work correctly. >> > >>> Well this "works" right now with what I put into /etc/hosts. Are you >> > >>> saying it has to work purely from dhcp? >> > >>> >> > >>> >> > >>> >> > >>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns >> > >>> problems. >> > >>> >> > >>> Rowland >> > >>> >> > >>> >> > >>> >> > > >> > > -- >> > > To unsubscribe from this list go to the following URL and read the >> > > instructions: https://lists.samba.org/mailman/options/samba >> > > >> > >> > -- >> > Email Confidentiality Notice: The information contained in this >> > transmission is confidential, proprietary or privileged and may be >> subject >> > to protection under the law, including the Health Insurance Portability >> and >> > Accountability Act (HIPAA). The message is intended for the sole use of >> the >> > individual or entity to whom it is addressed. If you are not the >> intended >> > recipient, you are notified that any use, distribution or copying of the >> > message is strictly prohibited and may subject you to criminal or civil >> > penalties. If you received this transmission in error, please contact >> the >> > sender immediately by replying to this email and delete the material >> from >> > any computer. >> > -- >> > To unsubscribe from this list go to the following URL and read the >> > instructions: https://lists.samba.org/mailman/options/samba >> > >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > > > Email Confidentiality Notice: The information contained in this > transmission is confidential, proprietary or privileged and may be subject > to protection under the law, including the Health Insurance Portability and > Accountability Act (HIPAA). The message is intended for the sole use of the > individual or entity to whom it is addressed. If you are not the intended > recipient, you are notified that any use, distribution or copying of the > message is strictly prohibited and may subject you to criminal or civil > penalties. If you received this transmission in error, please contact the > sender immediately by replying to this email and delete the material from > any computer. >
Jonathan S. Fisher
2015-Dec-02 16:27 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Great thanks, I'll start digging into that. So your running theory is that one of the DNS resolution attempts is returning .WINDOWS not . WINDOWS.CORP.XXX.com? On Wed, Dec 2, 2015 at 10:07 AM, mathias dufresne <infractory at gmail.com> wrote:> OK, sorry, I haven't re-read the whole thread carefully enough. > From what I understand sometimes your DNS request are truncated, asking for > machineName.windows rahter than machineName.windows.rest.of.your.domain.tld > > So you have to find what is cutting your DNS requests. If I'm wrong, don't > read the rest :p > > First I would test my DNS resolution using dig, host or nslookup and check > with tcpdump if that resolution is working correctly. If request is not > truncated your issue comes from something else than your DNS resolution > configuration. > ex: > dig @192.168.127.129 whiskey.windows.corp.XXX.com > dig @192.168.127.141 whiskey.windows.corp.XXX.com > dig @192.168.112.4 whiskey.windows.corp.XXX.com > > > If it works, I would continue with simple command, perhaps a kinit as that > one should, I believe, also launch several DNS query (if your krb5.conf is > still alsmot empty). > Here you continue to check with tcpdump what DNS request your client is > launching (ex: on the client: tcpdump -i eth0 port domain) > > The point is to define where is the issue, removing points where doubt > exists. > DNS queries are DNS queries. Kerberos seems to be acting simply just for a > kinit. > > Finally once dig and kinit are working, you could dig into Samba > configuration. > > 2015-12-02 16:34 GMT+01:00 Jonathan S. Fisher < > jonathan at springventuregroup.com>: > > > Dnsmasq is not running locally! Disabling it would do nothing but stop > > DHCP and DNS forwarding for 2000+ soon to be irate people. > > > > What I am going to do however is bypass DHCP completely and assign a > > static address with DNS pointed straight at active directory. If that > still > > doesn't work, I think I can definitely narrow this down to a bug in > Active > > Directory, our AD configuration, or a bug in Samba. > > > > On Wed, Dec 2, 2015 at 6:08 AM, mathias dufresne <infractory at gmail.com> > > wrote: > > > >> Can't you just disable dnsmasq service? > >> > >> You don't seem to be too much confident in that tool and you have DNS > >> issue... > >> > >> dnsmasq has most certainly a good reason to exist. I just don't know it. > >> In > >> IT for work we generally don't need such tool as infrastructures of > >> companies are meant to be stable. As the clients configuration. > >> > >> So I would start with dnsmasq removal, then I would [learn how to] > >> configure manually this client, then I would re-run test, starting with > >> small tests (DNS with dig/nslookup, kinit...) > >> > >> 2015-12-01 21:40 GMT+01:00 Jonathan S. Fisher < > >> jonathan at springventuregroup.com>: > >> > >> > So everything with the hostname with now resolving correctly, without > >> the > >> > 127.0.1.1 hack anymore. We just had to make sure DHCP was handing out > >> the > >> > correct domain, which it is now: > >> > > >> > $ hostname -d > >> > windows.corp.XXX.com > >> > $ hostname -f > >> > freeradius.windows.corp.XXX.com > >> > > >> > I deleted all the shared secrets, removed the computer from AD and > >> > rejoined... but of course, we're still getting the exact same issue... > >> :( > >> > It's still trying to query the wrong DNS entry. > >> > > >> > > >> > On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny < > >> > rowlandpenny241155 at gmail.com > >> > > wrote: > >> > > >> > > On 01/12/15 17:27, Jonathan S. Fisher wrote: > >> > > > >> > >> It isn't running, one of the first things I do when setting up a > new > >> DC > >> > is > >> > >>> > >> > >> to remove nscd if it is installed. > >> > >> Ah ok... well this isn't a DC, just a member... is NSCD ok to run > as > >> a > >> > >> member? Otherwise I can remove it. > >> > >> > >> > > > >> > > I would remove it, everything dns wise should come from an AD DC > >> > > > >> > > > >> > >> you get a caching dnsmasq server as standard > >> > >>> > >> > >> Not on ubuntu server... There is no dnsmasq package installed nor > >> is it > >> > >> in > >> > >> ps -ef > >> > >> > >> > > > >> > > Ah, so no GUI then, ok in this case you probably wont have Network > >> > Manager > >> > > installed either. > >> > > > >> > > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns > >> > >>> > >> > >> problems. > >> > >> I'll try to figure out how to get the client to have a FQDN without > >> the > >> > >> line in /etc/hosts > >> > >> > >> > > > >> > > If this machine is going to be a fileserver, you would probably be > >> better > >> > > using a fixed ip, but if you going to have other Unix domain members > >> > using > >> > > dhcp, you need to sort this problem. > >> > > > >> > > > >> > >> I really am starting to hate Active Directory... > >> > >> > >> > > > >> > > I just hate microsoft, it cuts out the middle man :-D > >> > > > >> > > Rowland > >> > > > >> > > > >> > >> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny < > >> > >> rowlandpenny241155 at gmail.com > >> > >> > >> > >>> wrote: > >> > >>> On 01/12/15 17:09, Jonathan S. Fisher wrote: > >> > >>> > >> > >>> So your client did no DNS lookups?? That's crazy. Could they be > >> cached? > >> > >>> (Can you disable nscd if you have it running and try again?) > >> > >>> > >> > >>> > >> > >>> It isn't running, one of the first things I do when setting up a > >> new DC > >> > >>> is > >> > >>> to remove nscd if it is installed. > >> > >>> > >> > >>> > >> > >>> Why, in your deity's name, why????? > >> > >>>> > >> > >>> I'm starting my own caliphate. Seems to be all the rage these > days. > >> > >>> > >> > >>> Dnsmasq isn't running locally... it's the main DNS server at > >> > >>> 192.168.127.129. At one time I guess we were running Bind, but he > >> > >>> switched > >> > >>> to dnsmasq for simplicity. If there's a legit reason why Windows > >> needs > >> > to > >> > >>> handle 100% of the DNS and DHCP for the network... well that's a > >> little > >> > >>> scary of a thought. Are these things in no way interoperable? > >> > >>> > >> > >>> > >> > >>> On Ubuntu, you get a caching dnsmasq server as standard, this is > >> > >>> controlled by Network Manager, this shouldn't be running on an AD > >> > client > >> > >>> (note this is only from my experience, it seems to interfere with > AD > >> > >>> dns). > >> > >>> > >> > >>> DHCP doesn't need to be running on the DC, but it needs to give > your > >> > >>> client the required info, see my previous post for what mine > sends. > >> > >>> Your AD clients need to use your AD DCs as their DNS servers, > >> anything > >> > >>> your DCs don't know about i.e. google should be forwarded to a DNS > >> > server > >> > >>> that does i.e. your dnsmasq machine > >> > >>> > >> > >>> Your problem isn't that net is using the workgroup name, it is > that > >> > your > >> > >>> machine doesn't seem to know who it is and where the DCs are :-) > >> > >>> > >> > >>> > >> > >>> Mind you, until you get 'hostname -f' to return your FQDN, it will > >> not > >> > >>>> > >> > >>> work correctly. > >> > >>> Well this "works" right now with what I put into /etc/hosts. Are > you > >> > >>> saying it has to work purely from dhcp? > >> > >>> > >> > >>> > >> > >>> > >> > >>> If you have to have that 127.0.1.1 line in /etc/hosts, you have > dns > >> > >>> problems. > >> > >>> > >> > >>> Rowland > >> > >>> > >> > >>> > >> > >>> > >> > > > >> > > -- > >> > > To unsubscribe from this list go to the following URL and read the > >> > > instructions: https://lists.samba.org/mailman/options/samba > >> > > > >> > > >> > -- > >> > Email Confidentiality Notice: The information contained in this > >> > transmission is confidential, proprietary or privileged and may be > >> subject > >> > to protection under the law, including the Health Insurance > Portability > >> and > >> > Accountability Act (HIPAA). The message is intended for the sole use > of > >> the > >> > individual or entity to whom it is addressed. If you are not the > >> intended > >> > recipient, you are notified that any use, distribution or copying of > the > >> > message is strictly prohibited and may subject you to criminal or > civil > >> > penalties. If you received this transmission in error, please contact > >> the > >> > sender immediately by replying to this email and delete the material > >> from > >> > any computer. > >> > -- > >> > To unsubscribe from this list go to the following URL and read the > >> > instructions: https://lists.samba.org/mailman/options/samba > >> > > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > >> > > > > > > Email Confidentiality Notice: The information contained in this > > transmission is confidential, proprietary or privileged and may be > subject > > to protection under the law, including the Health Insurance Portability > and > > Accountability Act (HIPAA). The message is intended for the sole use of > the > > individual or entity to whom it is addressed. If you are not the intended > > recipient, you are notified that any use, distribution or copying of the > > message is strictly prohibited and may subject you to criminal or civil > > penalties. If you received this transmission in error, please contact the > > sender immediately by replying to this email and delete the material from > > any computer. > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
Rowland Penny
2015-Dec-02 16:40 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 02/12/15 16:27, Jonathan S. Fisher wrote:> Great thanks, I'll start digging into that. So your running theory is that > one of the DNS resolution attempts is returning .WINDOWS not . > WINDOWS.CORP.XXX.com?This is not your problem. Rowland> > On Wed, Dec 2, 2015 at 10:07 AM, mathias dufresne <infractory at gmail.com> > wrote: > >> OK, sorry, I haven't re-read the whole thread carefully enough. >> From what I understand sometimes your DNS request are truncated, asking for >> machineName.windows rahter than machineName.windows.rest.of.your.domain.tld >> >> So you have to find what is cutting your DNS requests. If I'm wrong, don't >> read the rest :p >> >> First I would test my DNS resolution using dig, host or nslookup and check >> with tcpdump if that resolution is working correctly. If request is not >> truncated your issue comes from something else than your DNS resolution >> configuration. >> ex: >> dig @192.168.127.129 whiskey.windows.corp.XXX.com >> dig @192.168.127.141 whiskey.windows.corp.XXX.com >> dig @192.168.112.4 whiskey.windows.corp.XXX.com >> >> >> If it works, I would continue with simple command, perhaps a kinit as that >> one should, I believe, also launch several DNS query (if your krb5.conf is >> still alsmot empty). >> Here you continue to check with tcpdump what DNS request your client is >> launching (ex: on the client: tcpdump -i eth0 port domain) >> >> The point is to define where is the issue, removing points where doubt >> exists. >> DNS queries are DNS queries. Kerberos seems to be acting simply just for a >> kinit. >> >> Finally once dig and kinit are working, you could dig into Samba >> configuration. >> >> 2015-12-02 16:34 GMT+01:00 Jonathan S. Fisher < >> jonathan at springventuregroup.com>: >> >>> Dnsmasq is not running locally! Disabling it would do nothing but stop >>> DHCP and DNS forwarding for 2000+ soon to be irate people. >>> >>> What I am going to do however is bypass DHCP completely and assign a >>> static address with DNS pointed straight at active directory. If that >> still >>> doesn't work, I think I can definitely narrow this down to a bug in >> Active >>> Directory, our AD configuration, or a bug in Samba. >>> >>> On Wed, Dec 2, 2015 at 6:08 AM, mathias dufresne <infractory at gmail.com> >>> wrote: >>> >>>> Can't you just disable dnsmasq service? >>>> >>>> You don't seem to be too much confident in that tool and you have DNS >>>> issue... >>>> >>>> dnsmasq has most certainly a good reason to exist. I just don't know it. >>>> In >>>> IT for work we generally don't need such tool as infrastructures of >>>> companies are meant to be stable. As the clients configuration. >>>> >>>> So I would start with dnsmasq removal, then I would [learn how to] >>>> configure manually this client, then I would re-run test, starting with >>>> small tests (DNS with dig/nslookup, kinit...) >>>> >>>> 2015-12-01 21:40 GMT+01:00 Jonathan S. Fisher < >>>> jonathan at springventuregroup.com>: >>>> >>>>> So everything with the hostname with now resolving correctly, without >>>> the >>>>> 127.0.1.1 hack anymore. We just had to make sure DHCP was handing out >>>> the >>>>> correct domain, which it is now: >>>>> >>>>> $ hostname -d >>>>> windows.corp.XXX.com >>>>> $ hostname -f >>>>> freeradius.windows.corp.XXX.com >>>>> >>>>> I deleted all the shared secrets, removed the computer from AD and >>>>> rejoined... but of course, we're still getting the exact same issue... >>>> :( >>>>> It's still trying to query the wrong DNS entry. >>>>> >>>>> >>>>> On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny < >>>>> rowlandpenny241155 at gmail.com >>>>>> wrote: >>>>>> On 01/12/15 17:27, Jonathan S. Fisher wrote: >>>>>> >>>>>>> It isn't running, one of the first things I do when setting up a >> new >>>> DC >>>>> is >>>>>>> to remove nscd if it is installed. >>>>>>> Ah ok... well this isn't a DC, just a member... is NSCD ok to run >> as >>>> a >>>>>>> member? Otherwise I can remove it. >>>>>>> >>>>>> I would remove it, everything dns wise should come from an AD DC >>>>>> >>>>>> >>>>>>> you get a caching dnsmasq server as standard >>>>>>> Not on ubuntu server... There is no dnsmasq package installed nor >>>> is it >>>>>>> in >>>>>>> ps -ef >>>>>>> >>>>>> Ah, so no GUI then, ok in this case you probably wont have Network >>>>> Manager >>>>>> installed either. >>>>>> >>>>>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns >>>>>>> problems. >>>>>>> I'll try to figure out how to get the client to have a FQDN without >>>> the >>>>>>> line in /etc/hosts >>>>>>> >>>>>> If this machine is going to be a fileserver, you would probably be >>>> better >>>>>> using a fixed ip, but if you going to have other Unix domain members >>>>> using >>>>>> dhcp, you need to sort this problem. >>>>>> >>>>>> >>>>>>> I really am starting to hate Active Directory... >>>>>>> >>>>>> I just hate microsoft, it cuts out the middle man :-D >>>>>> >>>>>> Rowland >>>>>> >>>>>> >>>>>>> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny < >>>>>>> rowlandpenny241155 at gmail.com >>>>>>> >>>>>>>> wrote: >>>>>>>> On 01/12/15 17:09, Jonathan S. Fisher wrote: >>>>>>>> >>>>>>>> So your client did no DNS lookups?? That's crazy. Could they be >>>> cached? >>>>>>>> (Can you disable nscd if you have it running and try again?) >>>>>>>> >>>>>>>> >>>>>>>> It isn't running, one of the first things I do when setting up a >>>> new DC >>>>>>>> is >>>>>>>> to remove nscd if it is installed. >>>>>>>> >>>>>>>> >>>>>>>> Why, in your deity's name, why????? >>>>>>>> I'm starting my own caliphate. Seems to be all the rage these >> days. >>>>>>>> Dnsmasq isn't running locally... it's the main DNS server at >>>>>>>> 192.168.127.129. At one time I guess we were running Bind, but he >>>>>>>> switched >>>>>>>> to dnsmasq for simplicity. If there's a legit reason why Windows >>>> needs >>>>> to >>>>>>>> handle 100% of the DNS and DHCP for the network... well that's a >>>> little >>>>>>>> scary of a thought. Are these things in no way interoperable? >>>>>>>> >>>>>>>> >>>>>>>> On Ubuntu, you get a caching dnsmasq server as standard, this is >>>>>>>> controlled by Network Manager, this shouldn't be running on an AD >>>>> client >>>>>>>> (note this is only from my experience, it seems to interfere with >> AD >>>>>>>> dns). >>>>>>>> >>>>>>>> DHCP doesn't need to be running on the DC, but it needs to give >> your >>>>>>>> client the required info, see my previous post for what mine >> sends. >>>>>>>> Your AD clients need to use your AD DCs as their DNS servers, >>>> anything >>>>>>>> your DCs don't know about i.e. google should be forwarded to a DNS >>>>> server >>>>>>>> that does i.e. your dnsmasq machine >>>>>>>> >>>>>>>> Your problem isn't that net is using the workgroup name, it is >> that >>>>> your >>>>>>>> machine doesn't seem to know who it is and where the DCs are :-) >>>>>>>> >>>>>>>> >>>>>>>> Mind you, until you get 'hostname -f' to return your FQDN, it will >>>> not >>>>>>>> work correctly. >>>>>>>> Well this "works" right now with what I put into /etc/hosts. Are >> you >>>>>>>> saying it has to work purely from dhcp? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> If you have to have that 127.0.1.1 line in /etc/hosts, you have >> dns >>>>>>>> problems. >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>>>> >>>>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>> >>>>> -- >>>>> Email Confidentiality Notice: The information contained in this >>>>> transmission is confidential, proprietary or privileged and may be >>>> subject >>>>> to protection under the law, including the Health Insurance >> Portability >>>> and >>>>> Accountability Act (HIPAA). The message is intended for the sole use >> of >>>> the >>>>> individual or entity to whom it is addressed. If you are not the >>>> intended >>>>> recipient, you are notified that any use, distribution or copying of >> the >>>>> message is strictly prohibited and may subject you to criminal or >> civil >>>>> penalties. If you received this transmission in error, please contact >>>> the >>>>> sender immediately by replying to this email and delete the material >>>> from >>>>> any computer. >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>> >>> Email Confidentiality Notice: The information contained in this >>> transmission is confidential, proprietary or privileged and may be >> subject >>> to protection under the law, including the Health Insurance Portability >> and >>> Accountability Act (HIPAA). The message is intended for the sole use of >> the >>> individual or entity to whom it is addressed. If you are not the intended >>> recipient, you are notified that any use, distribution or copying of the >>> message is strictly prohibited and may subject you to criminal or civil >>> penalties. If you received this transmission in error, please contact the >>> sender immediately by replying to this email and delete the material from >>> any computer. >>> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
mathias dufresne
2015-Dec-03 12:44 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
2015-12-02 17:27 GMT+01:00 Jonathan S. Fisher < jonathan at springventuregroup.com>:> Great thanks, I'll start digging into that. So your running theory is that > one of the DNS resolution attempts is returning .WINDOWS not . > WINDOWS.CORP.XXX.com? >I'm not sure, that's your issue, not mine, but you seemed to mean that FQDN are truncated in some DNS search. At least that's what I understand from your first mail when you wrote: "From Wireshark: Queries _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN Name: _ldap._tcp.pdc._msdcs.WINDOWS" So yes I would say there is something wrong in the way your DNS requests are forged: they are using the domain name. So, for me, the next question is: is that domain reduction happens on all requests or only those made by Samba. To know that the point is to avoid Samba. That's why I proposed to proceed with: - some DNS requests -> you said they worked using the three DNS servers you have (the real one, the two from Samba) -> the system does not seem to truncat by himself / always the requests. - some kinit -> kinit with no configuration to force Kerberos servers should send SRV requests to guess how to contact a kerberos server. You seemed to say kinit was working. Next step I would change my resolv.conf to put as nameserver in it only your DC, no search, no domain. The point here is to test your DNS from Samba, and in parallel to avoid the main DNS server which uses dnsmasq. And I would then redo all these tests, including those proposed by Rowland. If you don't have truncated requests until there, I would suggest you find something strange in Samba. But as long as you didn't performed all that successfully, I would suggest an issue in your DNS resolving stack. Cheers, mathias> > On Wed, Dec 2, 2015 at 10:07 AM, mathias dufresne <infractory at gmail.com> > wrote: > >> OK, sorry, I haven't re-read the whole thread carefully enough. >> From what I understand sometimes your DNS request are truncated, asking >> for >> machineName.windows rahter than >> machineName.windows.rest.of.your.domain.tld >> >> So you have to find what is cutting your DNS requests. If I'm wrong, don't >> read the rest :p >> >> First I would test my DNS resolution using dig, host or nslookup and check >> with tcpdump if that resolution is working correctly. If request is not >> truncated your issue comes from something else than your DNS resolution >> configuration. >> ex: >> dig @192.168.127.129 whiskey.windows.corp.XXX.com >> dig @192.168.127.141 whiskey.windows.corp.XXX.com >> dig @192.168.112.4 whiskey.windows.corp.XXX.com >> >> >> If it works, I would continue with simple command, perhaps a kinit as that >> one should, I believe, also launch several DNS query (if your krb5.conf is >> still alsmot empty). >> Here you continue to check with tcpdump what DNS request your client is >> launching (ex: on the client: tcpdump -i eth0 port domain) >> >> The point is to define where is the issue, removing points where doubt >> exists. >> DNS queries are DNS queries. Kerberos seems to be acting simply just for a >> kinit. >> >> Finally once dig and kinit are working, you could dig into Samba >> configuration. >> >> 2015-12-02 16:34 GMT+01:00 Jonathan S. Fisher < >> jonathan at springventuregroup.com>: >> >> > Dnsmasq is not running locally! Disabling it would do nothing but stop >> > DHCP and DNS forwarding for 2000+ soon to be irate people. >> > >> > What I am going to do however is bypass DHCP completely and assign a >> > static address with DNS pointed straight at active directory. If that >> still >> > doesn't work, I think I can definitely narrow this down to a bug in >> Active >> > Directory, our AD configuration, or a bug in Samba. >> > >> > On Wed, Dec 2, 2015 at 6:08 AM, mathias dufresne <infractory at gmail.com> >> > wrote: >> > >> >> Can't you just disable dnsmasq service? >> >> >> >> You don't seem to be too much confident in that tool and you have DNS >> >> issue... >> >> >> >> dnsmasq has most certainly a good reason to exist. I just don't know >> it. >> >> In >> >> IT for work we generally don't need such tool as infrastructures of >> >> companies are meant to be stable. As the clients configuration. >> >> >> >> So I would start with dnsmasq removal, then I would [learn how to] >> >> configure manually this client, then I would re-run test, starting with >> >> small tests (DNS with dig/nslookup, kinit...) >> >> >> >> 2015-12-01 21:40 GMT+01:00 Jonathan S. Fisher < >> >> jonathan at springventuregroup.com>: >> >> >> >> > So everything with the hostname with now resolving correctly, without >> >> the >> >> > 127.0.1.1 hack anymore. We just had to make sure DHCP was handing out >> >> the >> >> > correct domain, which it is now: >> >> > >> >> > $ hostname -d >> >> > windows.corp.XXX.com >> >> > $ hostname -f >> >> > freeradius.windows.corp.XXX.com >> >> > >> >> > I deleted all the shared secrets, removed the computer from AD and >> >> > rejoined... but of course, we're still getting the exact same >> issue... >> >> :( >> >> > It's still trying to query the wrong DNS entry. >> >> > >> >> > >> >> > On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny < >> >> > rowlandpenny241155 at gmail.com >> >> > > wrote: >> >> > >> >> > > On 01/12/15 17:27, Jonathan S. Fisher wrote: >> >> > > >> >> > >> It isn't running, one of the first things I do when setting up a >> new >> >> DC >> >> > is >> >> > >>> >> >> > >> to remove nscd if it is installed. >> >> > >> Ah ok... well this isn't a DC, just a member... is NSCD ok to run >> as >> >> a >> >> > >> member? Otherwise I can remove it. >> >> > >> >> >> > > >> >> > > I would remove it, everything dns wise should come from an AD DC >> >> > > >> >> > > >> >> > >> you get a caching dnsmasq server as standard >> >> > >>> >> >> > >> Not on ubuntu server... There is no dnsmasq package installed nor >> >> is it >> >> > >> in >> >> > >> ps -ef >> >> > >> >> >> > > >> >> > > Ah, so no GUI then, ok in this case you probably wont have Network >> >> > Manager >> >> > > installed either. >> >> > > >> >> > > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns >> >> > >>> >> >> > >> problems. >> >> > >> I'll try to figure out how to get the client to have a FQDN >> without >> >> the >> >> > >> line in /etc/hosts >> >> > >> >> >> > > >> >> > > If this machine is going to be a fileserver, you would probably be >> >> better >> >> > > using a fixed ip, but if you going to have other Unix domain >> members >> >> > using >> >> > > dhcp, you need to sort this problem. >> >> > > >> >> > > >> >> > >> I really am starting to hate Active Directory... >> >> > >> >> >> > > >> >> > > I just hate microsoft, it cuts out the middle man :-D >> >> > > >> >> > > Rowland >> >> > > >> >> > > >> >> > >> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny < >> >> > >> rowlandpenny241155 at gmail.com >> >> > >> >> >> > >>> wrote: >> >> > >>> On 01/12/15 17:09, Jonathan S. Fisher wrote: >> >> > >>> >> >> > >>> So your client did no DNS lookups?? That's crazy. Could they be >> >> cached? >> >> > >>> (Can you disable nscd if you have it running and try again?) >> >> > >>> >> >> > >>> >> >> > >>> It isn't running, one of the first things I do when setting up a >> >> new DC >> >> > >>> is >> >> > >>> to remove nscd if it is installed. >> >> > >>> >> >> > >>> >> >> > >>> Why, in your deity's name, why????? >> >> > >>>> >> >> > >>> I'm starting my own caliphate. Seems to be all the rage these >> days. >> >> > >>> >> >> > >>> Dnsmasq isn't running locally... it's the main DNS server at >> >> > >>> 192.168.127.129. At one time I guess we were running Bind, but he >> >> > >>> switched >> >> > >>> to dnsmasq for simplicity. If there's a legit reason why Windows >> >> needs >> >> > to >> >> > >>> handle 100% of the DNS and DHCP for the network... well that's a >> >> little >> >> > >>> scary of a thought. Are these things in no way interoperable? >> >> > >>> >> >> > >>> >> >> > >>> On Ubuntu, you get a caching dnsmasq server as standard, this is >> >> > >>> controlled by Network Manager, this shouldn't be running on an AD >> >> > client >> >> > >>> (note this is only from my experience, it seems to interfere >> with AD >> >> > >>> dns). >> >> > >>> >> >> > >>> DHCP doesn't need to be running on the DC, but it needs to give >> your >> >> > >>> client the required info, see my previous post for what mine >> sends. >> >> > >>> Your AD clients need to use your AD DCs as their DNS servers, >> >> anything >> >> > >>> your DCs don't know about i.e. google should be forwarded to a >> DNS >> >> > server >> >> > >>> that does i.e. your dnsmasq machine >> >> > >>> >> >> > >>> Your problem isn't that net is using the workgroup name, it is >> that >> >> > your >> >> > >>> machine doesn't seem to know who it is and where the DCs are :-) >> >> > >>> >> >> > >>> >> >> > >>> Mind you, until you get 'hostname -f' to return your FQDN, it >> will >> >> not >> >> > >>>> >> >> > >>> work correctly. >> >> > >>> Well this "works" right now with what I put into /etc/hosts. Are >> you >> >> > >>> saying it has to work purely from dhcp? >> >> > >>> >> >> > >>> >> >> > >>> >> >> > >>> If you have to have that 127.0.1.1 line in /etc/hosts, you have >> dns >> >> > >>> problems. >> >> > >>> >> >> > >>> Rowland >> >> > >>> >> >> > >>> >> >> > >>> >> >> > > >> >> > > -- >> >> > > To unsubscribe from this list go to the following URL and read the >> >> > > instructions: https://lists.samba.org/mailman/options/samba >> >> > > >> >> > >> >> > -- >> >> > Email Confidentiality Notice: The information contained in this >> >> > transmission is confidential, proprietary or privileged and may be >> >> subject >> >> > to protection under the law, including the Health Insurance >> Portability >> >> and >> >> > Accountability Act (HIPAA). The message is intended for the sole use >> of >> >> the >> >> > individual or entity to whom it is addressed. If you are not the >> >> intended >> >> > recipient, you are notified that any use, distribution or copying of >> the >> >> > message is strictly prohibited and may subject you to criminal or >> civil >> >> > penalties. If you received this transmission in error, please contact >> >> the >> >> > sender immediately by replying to this email and delete the material >> >> from >> >> > any computer. >> >> > -- >> >> > To unsubscribe from this list go to the following URL and read the >> >> > instructions: https://lists.samba.org/mailman/options/samba >> >> > >> >> -- >> >> To unsubscribe from this list go to the following URL and read the >> >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> > >> > >> > Email Confidentiality Notice: The information contained in this >> > transmission is confidential, proprietary or privileged and may be >> subject >> > to protection under the law, including the Health Insurance Portability >> and >> > Accountability Act (HIPAA). The message is intended for the sole use of >> the >> > individual or entity to whom it is addressed. If you are not the >> intended >> > recipient, you are notified that any use, distribution or copying of the >> > message is strictly prohibited and may subject you to criminal or civil >> > penalties. If you received this transmission in error, please contact >> the >> > sender immediately by replying to this email and delete the material >> from >> > any computer. >> > >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > > > Email Confidentiality Notice: The information contained in this > transmission is confidential, proprietary or privileged and may be subject > to protection under the law, including the Health Insurance Portability and > Accountability Act (HIPAA). The message is intended for the sole use of the > individual or entity to whom it is addressed. If you are not the intended > recipient, you are notified that any use, distribution or copying of the > message is strictly prohibited and may subject you to criminal or civil > penalties. If you received this transmission in error, please contact the > sender immediately by replying to this email and delete the material from > any computer. >
Rowland penny
2015-Dec-03 13:15 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 03/12/15 13:07, Rowland Penny wrote:> > > > > 2015-12-02 17:27 GMT+01:00 Jonathan S. Fisher < > jonathan at springventuregroup.com>: > > > Great thanks, I'll start digging into that. So your running theory is that > > one of the DNS resolution attempts is returning .WINDOWS not . > > WINDOWS.CORP.XXX.com? > > > > I'm not sure, that's your issue, not mine, but you seemed to mean that FQDN > are truncated in some DNS search. > At least that's what I understand from your first mail when you wrote: > > "From Wireshark: > > Queries > _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN > Name: _ldap._tcp.pdc._msdcs.WINDOWS" > > So yes I would say there is something wrong in the way your DNS requests > are forged: they are using the domain name. > > So, for me, the next question is: is that domain reduction happens on all > requests or only those made by Samba. > > To know that the point is to avoid Samba. > > That's why I proposed to proceed with: > - some DNS requests -> you said they worked using the three DNS servers you > have (the real one, the two from Samba) -> the system does not seem to > truncat by himself / always the requests. > - some kinit -> kinit with no configuration to force Kerberos servers > should send SRV requests to guess how to contact a kerberos server. You > seemed to say kinit was working. > > Next step I would change my resolv.conf to put as nameserver in it only > your DC, no search, no domain. The point here is to test your DNS from > Samba, and in parallel to avoid the main DNS server which uses dnsmasq. > > And I would then redo all these tests, including those proposed by Rowland. > > If you don't have truncated requests until there, I would suggest you find > something strange in Samba. But as long as you didn't performed all that > successfully, I would suggest an issue in your DNS resolving stack. > > Cheers, > > mathias > >This is basically what I wanted to find out, does the OP have a problem or not, if he answers my post, we may find out and move on from there. Rowland
Jonathan S. Fisher
2015-Dec-03 16:06 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
> host -t SRV _ldap._tcp.windows.corp.XXX.com_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 whiskey.windows.corp.XXX.com. _ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 wine.windows.corp.XXX.com.> host -t SRV _kerberos._udp.windows.corp.XXX.com_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 whiskey.windows.corp.XXX.com. _kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 wine.windows.corp.XXX.com.> host -t A freeradius.windows.corp.XXX.com.freeradius.windows.corp.XXX.com has address 192.168.127.134> host -t SRV 192.168.127.134134.127.168.192.in-addr.arpa domain name pointer freeradius.windows.corp.XXX.com. I tried the same thing with ".WINDOWS" and it doesn't work of course... On Thu, Dec 3, 2015 at 7:15 AM, Rowland penny <rpenny at samba.org> wrote:> On 03/12/15 13:07, Rowland Penny wrote: > >> >> >> >> >> 2015-12-02 17:27 GMT+01:00 Jonathan S. Fisher < >> jonathan at springventuregroup.com>: >> >> > Great thanks, I'll start digging into that. So your running theory is >> that >> > one of the DNS resolution attempts is returning .WINDOWS not . >> > WINDOWS.CORP.XXX.com? >> > >> >> I'm not sure, that's your issue, not mine, but you seemed to mean that >> FQDN >> are truncated in some DNS search. >> At least that's what I understand from your first mail when you wrote: >> >> "From Wireshark: >> >> Queries >> _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN >> Name: _ldap._tcp.pdc._msdcs.WINDOWS" >> >> So yes I would say there is something wrong in the way your DNS requests >> are forged: they are using the domain name. >> >> So, for me, the next question is: is that domain reduction happens on all >> requests or only those made by Samba. >> >> To know that the point is to avoid Samba. >> >> That's why I proposed to proceed with: >> - some DNS requests -> you said they worked using the three DNS servers >> you >> have (the real one, the two from Samba) -> the system does not seem to >> truncat by himself / always the requests. >> - some kinit -> kinit with no configuration to force Kerberos servers >> should send SRV requests to guess how to contact a kerberos server. You >> seemed to say kinit was working. >> >> Next step I would change my resolv.conf to put as nameserver in it only >> your DC, no search, no domain. The point here is to test your DNS from >> Samba, and in parallel to avoid the main DNS server which uses dnsmasq. >> >> And I would then redo all these tests, including those proposed by >> Rowland. >> >> If you don't have truncated requests until there, I would suggest you find >> something strange in Samba. But as long as you didn't performed all that >> successfully, I would suggest an issue in your DNS resolving stack. >> >> Cheers, >> >> mathias >> >> >> > This is basically what I wanted to find out, does the OP have a problem or > not, if he answers my post, we may find out and move on from there. > > > Rowland > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
Possibly Parallel Threads
- After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
- After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
- After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
- After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
- After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command