Hello,

I provisioned a Samba AD with the bind_dlz option. So far so good. Followed the samba wiki.

I have a DNS for our external access services (website, moodle, etc) and I'm using it as a forwarder to AD but it is not working.

In a win7 I configured the AD IP as primary DNS and put it in the domain. When I try to access, for example, "wiki.samba.org" it opens normally, but when I try to access our site "www.myinstitution.edu" it does not open.

I have reviewed the bind and samba settings several times and they do not show any errors.

*Note: All services (www, dns, moodle, etc) and user computers have public IP.*

*Here are my settings:*

*named.conf*

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
include "/etc/bind/named.conf.log";

*db.local*

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
addc    IN      A       xxx.xxx.xxx.6

_kerberos._udp.myinstitution.edu. IN SRV 0 100 88 addc
_ldap._tcp.myinstitution.edu. IN SRV 0 100 389 addc
_kpasswd._udp.myinstitution.edu. IN SRV 0 100 464 addc

*named.conf.options*

acl clientes {
    127.0.0.1;
    mylocalsubnets; # public IP subnets
};

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query {
        clientes;
    };

    forwarders {
        xxx.xxx.xxx.10; # Our DNS
    };
    forward only;

    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.6; };
};

xxx.xxx.xxx.6 -> IP of AD

*smb.conf*

# Global parameters
[global]
    netbios name = ADDC
    realm = MYINSTITUTION.EDU
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = MYINSTITUTION
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/myinstitution.edu/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Am I forgetting something?

-- 
Elias Pereira
On Tue, 16 May 2017 15:12:38 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> I provisioned a Samba AD with the bind_dlz option. So far so
> good. Followed the samba wiki.
>
> I have a DNS for our external access services (website, moodle, etc)
> and I'm using it as a forwarder to AD but it is not working.
>
> Am I forgetting something?

Not so much forgetting but not understanding ;-)

Your DNS for AD should be in AD, all of it. These are my named files:

named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options

options {
    directory "/var/cache/bind";
    version "0.0.7";
    notify no;
    empty-zones-enable no;
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
    forwarders { 8.8.8.8; };
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;

    listen-on-v6 { none; };
    listen-on port 53 { 192.168.0.2; 127.0.0.1; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

named.conf.local

include "/usr/local/samba/private/named.conf";

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

/etc/resolv.conf

search samdom.example.com
nameserver 192.168.0.2
nameserver 192.168.0.7

My DNS domain is samdom.example.com and the two DCs are 192.168.0.2 and 192.168.0.7.

Rowland
On Tue, May 16, 2017 at 4:29 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Not so much forgetting but not understanding ;-)

- Internal DNS that responds to our services (site, moodle, etc) - ns.myinstitution.edu (registered in registro.br)
- Samba DNS answering for samba stuff - addc.myinstitution.edu

Maybe it's better to use SAMBA_INTERNAL instead of BIND_DLZ?

-- 
Elias Pereira