Sven Schwedas
2017-Sep-08 12:31 UTC
[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
On 2017-09-08 14:21, Rowland Penny via samba wrote:
> OK, you have convinced me ;-)

If you know any other part of AD DNS that is tricky, I'd be interested to know before AD blows up again. ;-)

> Seeing how you seem to know the required 'magic', do you feel up to
> sharing it, if you do I will add a page to the Samba wiki.

What magic? How to set up dnsmasq as caching proxy? Sure, I can make a commented example config file.

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167

Rowland Penny
2017-Sep-08 12:40 UTC
[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
On Fri, 8 Sep 2017 14:31:21 +0200 Sven Schwedas via samba <samba at lists.samba.org> wrote:
> On 2017-09-08 14:21, Rowland Penny via samba wrote:
> > OK, you have convinced me ;-)
>
> If you know any other part of AD DNS that is tricky, I'd be interested
> to know before AD blows up again. ;-)
>
> > Seeing how you seem to know the required 'magic', do you feel up to
> > sharing it, if you do I will add a page to the Samba wiki.
>
> What magic? How to set up dnsmasq as caching proxy? Sure, I can make a
> commented example config file.
>

Well, if you don't know how to do something, then it is 'magic' when it happens ;-)

Rowland

Rowland Penny
2017-Sep-10 13:25 UTC
[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
On Fri, 8 Sep 2017 14:31:21 +0200 Sven Schwedas via samba <samba at lists.samba.org> wrote:
> On 2017-09-08 14:21, Rowland Penny via samba wrote:
> > OK, you have convinced me ;-)
>
> If you know any other part of AD DNS that is tricky, I'd be interested
> to know before AD blows up again. ;-)
>
> > Seeing how you seem to know the required 'magic', do you feel up to
> > sharing it, if you do I will add a page to the Samba wiki.
>
> What magic? How to set up dnsmasq as caching proxy? Sure, I can make a
> commented example config file.
>

Hi Sven, I have been playing around with dnsmasq on a Unix domain member running in a VM and I just don't understand the value of it in a Samba AD.

I run two DCs in my small test domain, both using Bind9 instead of the internal DNS server.

As far as I can see, dnsmasq on the test Unix domain member does not cache the AD SRV records, it requests them from a DC every time. I have found that you can add the SRV records to the dnsmasq conf file, but that, in my opinion, defeats the whole point of using dnsmasq as a caching nameserver.

Bind9 on the DCs also acts as a caching nameserver, if I 'dig' www.google.com on the Unix domain member (not using dnsmasq) I get:
';; Query time: 105 msec' the first time I run it and:
';; Query time: 8 msec' the second time onwards

If I 'dig' for the AD domain, I get a similar time as the 'cached' google record.

So, I cannot actually see any point in running dnsmasq on a Unix domain member if you are using Bind9 on the DC and, if you are using multiple DCs, you are probably better off running Bind9 on the DCs.

Rowland

Sven Schwedas
2017-Sep-11 07:11 UTC
[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
We mainly use it for stuff that's not AD related (aliases for external domains to avoid NAT loopback e.g., something that's a royal pain in the ass with AD DNS); caching is just a secondary benefit, and if it doesn't work for SRV records, meh. ¯\_(ツ)_/¯

On 2017-09-10 15:25, Rowland Penny via samba wrote:
> On Fri, 8 Sep 2017 14:31:21 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>
>> On 2017-09-08 14:21, Rowland Penny via samba wrote:
>>> OK, you have convinced me ;-)
>>
>> If you know any other part of AD DNS that is tricky, I'd be interested
>> to know before AD blows up again. ;-)
>>
>>> Seeing how you seem to know the required 'magic', do you feel up to
>>> sharing it, if you do I will add a page to the Samba wiki.
>>
>> What magic? How to set up dnsmasq as caching proxy? Sure, I can make a
>> commented example config file.
>>
>
> Hi Sven, I have been playing around with dnsmasq on a Unix domain
> member running in a VM and I just don't understand the value of it in
> a Samba AD.
>
> I run two DCs in my small test domain, both using Bind9 instead of the
> internal DNS server.
>
> As far as I can see, dnsmasq on the test Unix domain member does not
> cache the AD SRV records, it requests them from a DC every time. I
> have found that you can add the SRV records to the dnsmasq conf file,
> but that, in my opinion, defeats the whole point of using dnsmasq as
> a caching nameserver.
>
> Bind9 on the DCs also acts as a caching nameserver, if I 'dig'
> www.google.com on the Unix domain member (not using dnsmasq) I get:
> ';; Query time: 105 msec' the first time I run it and:
> ';; Query time: 8 msec' the second time onwards
>
> If I 'dig' for the AD domain, I get a similar time as the 'cached'
> google record.
>
> So, I cannot actually see any point in running dnsmasq on a Unix domain
> member if you are using Bind9 on the DC and, if you are using multiple
> DCs, you are probably better off running Bind9 on the DCs.
>
> Rowland
>

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167