samba - May 2016 - standalone ADDC with samba_internal dns backend - windows client do not register in dns

good lords of Kobol, that solved my problem !
thank you very much !

As we can consider this as an official workaround, should it be in the 
wiki ? (this is definitively in my docs now :)



On 05/04/2016 07:55 PM, lingpanda101 at gmail.com wrote:
> On 5/4/2016 5:02 AM, David STIEVENARD wrote:
>> Hi
>>
>> first project with samba, first post on this mailing list and, 
>> actually, first time using a mailing list ever ;-)
>>
>>
>>
>> In summary
>> =========================================>> I try to install
samba in a test VMs, everything seems fine but when
>> windows client joins the domain it doesn't register in samba's 
>> internal dns
>>
>>
>>
>> in detail
>> =========================================>> My objective
>> - for a small business (200 users), get rid of an old microsoft AD 
>> and use Samba instead
>> - before going into production, I test the setup on VMs to learn how 
>> the beast behaves
>> - I use the "internal_dns" as a dns backend
>>
>>
>> Problem :
>> - domain provision is ok
>> - all tests are ok
>> - windows client (7pro or 10pro) joins the domain without complaining 
>> but it doesn't register in the dns
>>
>>
>> My source of informations :
>> - for the setup : 
>>
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>> - for the verification : 
>>
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_your_Samba_Domain_Controller
>>     - all thoses tests on the domains are ok
>> - I found also this 
>>
https://wiki.samba.org/index.php/Fix_DNS_dynamic_updates_in_Samba_versions_prior_4.0.7
>> but the version I use are older then 4.0.7
>>     - tried ipconfig /registerdns -> same problem
>>
>>
>> The operating systems OS I tested :
>> - samba 4.2.7 binary pkg on FreeBSD 10.2 -> works, I can't find
why
>> - samba 4.3.3 binary pkg or ports on FreeBSD 10.2        -> same
problem
>> - samba 4.3.8 binary pkg on FreeBSD 10.3 -> same problem
>> - samba 4.4.2 with github on Debian 8.4 -> same problem
>>
>>
>> Any suggestion will be appreciated !
>>
>> Thanks
>> DS
>>
>>
>
> David,
>
>     Secure updates are broken on Samba 4.3 and higher when using the 
> internal DNS. You must use 'allow dns updates = nonsecure' in your 
> smb.conf global section. Otherwise use bind.
>
> See bug https://bugzilla.samba.org/show_bug.cgi?id=11520
>

On Thu, 2016-05-05 at 16:52 +0800, David STIEVENARD
wrote:
> good lords of Kobol, that solved my problem !
> thank you very much !
> 
> As we can consider this as an official workaround, should it be in
> the 
> wiki ? (this is definitively in my docs now :)
> 
Turning off DNS update security really should not be recommended at
all.

I realise this is a difficult situation, and we hope to address this
regression soon.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

In short: BIND9_DLZ to avoid issues.

Regarding your issue with internal DNS and client updates, I don't know if
Windows client rely on DNS
I would check SOA record of root zone to verify it is set up correctly (ie
it is aiming a valid DC, up and well running) with:
dig -t SOA your.domain.tld (on linux)
nslookup -type=soa your.domain.tld (on windows)

You must receive a reply. The reply must be a valid DC with working DNS
service because SOA is "where to write updates", if no SOA is
available, no
update can work.

Another point which could help (rather than ill speaking about internal
DNS) is the fact the DNS root zone security tab (available running MS DNS
console from RSAT, then right click on the root zone to get
"properties"
then "security tab") there is a line granting to "authenticated
users" the
right to "create all child objects".
For me, this security configuration is meant to grant any authenticated
user (a computer is also a user) to update the zone to create new entry, so
for machines can create their own DNS entry.

Regarding deletion of DNS entry as the user who creates this entry is the
host itself (my-machine.ad.domain.tld is created by computer-user named
"my-machine$"), the host is owner of the object and as "full
control" on
the entry.




2016-05-14 12:19 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Thu, 2016-05-05 at 16:52 +0800, David STIEVENARD wrote:
> > good lords of Kobol, that solved my problem !
> > thank you very much !
> >
> > As we can consider this as an official workaround, should it be in
> > the
> > wiki ? (this is definitively in my docs now :)
> >
>
> Turning off DNS update security really should not be recommended at
> all.
>
> I realise this is a difficult situation, and we hope to address this
> regression soon.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>