Zdravko Zdravkov
2018-Jun-01 12:21 UTC
[Samba] DNS not resolving particular host from queries from particular subnet
Hi Rowland.

Trying the suggested named.conf broke the local resolve of the storage as well (for clients in 192.168.26.0), so I reverted back to my old one since I have computers here using the storage at the moment. Would you have any other suggestions?

On Fri, Jun 1, 2018 at 1:04 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 1 Jun 2018 12:12:43 +0100
> Zdravko Zdravkov <nirayah at gmail.com> wrote:
>
> > True that! Sorry
> >
> > smb.conf
> >
> > > [global]
> > >     netbios name = AD
> > >     realm = XXXX.CO.UK
> > >     server role = active directory domain controller
> > >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > >         drepl, winbindd, ntp_signd, kcc, dnsupdate
> > >     workgroup = XXXX
> > >     idmap config XXXX:unix_nss_info = yes
>
> You should remove the line above, it should not be in a DC smb.conf
>
> > >     idmap_ldb:use rfc2307 = yes
> > >     log file = /var/log/samba/samba.log
> > >     log level = 3
> >
> > named.conf
> >
> > > include "/usr/local/samba/private/named.conf";
> > > options {
> > >     listen-on port 53 { 127.0.0.1; 192.168.26.2; };
> > >     // listen-on-v6 port 53 { ::1; };
> > >     directory "/var/named";
> > >     dump-file "/var/named/data/cache_dump.db";
> > >     statistics-file "/var/named/data/named_stats.txt";
> > >     memstatistics-file "/var/named/data/named_mem_stats.txt";
> > >     allow-query { any; };
> > >     /*
> > >      - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> > >      - If you are building a RECURSIVE (caching) DNS server, you need to enable
> > >        recursion.
> > >      - If your recursive DNS server has a public IP address, you MUST enable access
> > >        control to limit queries to your legitimate users. Failing to do so will
> > >        cause your server to become part of large scale DNS amplification
> > >        attacks. Implementing BCP38 within your network would greatly reduce such
> > >        attack surface
> > >     */
> > >     allow-recursion {
> > >         127.0.0.1;
> > >         192.168.26.0/24;
> > >         192.168.27.0/24;
> > >     };
> > >
> > >     //recursion yes;
> > >     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> > >     dnssec-enable yes;
> > >     dnssec-validation yes;
> > >     /* Path to ISC DLV key */
> > >     bindkeys-file "/etc/named.iscdlv.key";
> > >     managed-keys-directory "/var/named/dynamic";
> > >     pid-file "/run/named/named.pid";
> > >     session-keyfile "/run/named/session.key";
> > > };
> > > logging {
> > >     channel default_debug {
> > >         file "data/named.run";
> > >         severity dynamic;
> > >     };
> > > };
> > > zone "." IN {
> > >     type hint;
> > >     file "named.ca";
> > > };
> > > //include "/etc/named.rfc1912.zones";
> > > //include "/etc/named.root.key";
>
> There are several things wrong with that named.conf, the biggest being
> that you haven't set any forwarders. The DNS server running on a Samba
> AD DC must be authoritative for its DNS domain, anything outside this
> domain should be forwarded to another DNS server outside the domain.
> Can I suggest you try this named.conf:
>
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>     forwarders { 8.8.8.8; 8.8.4.4; };
>
>     dnssec-validation no;
>     auth-nxdomain yes; # conform to RFC1035 =no
>     listen-on-v6 { none; };
>     listen-on port 53 { 127.0.0.1; 192.168.26.2; };
>     notify no;
>     empty-zones-enable no;
>     allow-query { any; };
>     allow-recursion {
>         127.0.0.1/32;
>         192.168.26.0/24;
>         192.168.27.0/24;
>     };
>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
> };
>
> include "/usr/local/samba/private/named.conf";
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> It is based on your info and my known working set up, though you may
> want to change the forwarders.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Jun-01 12:55 UTC
[Samba] DNS not resolving particular host from queries from particular subnet
On Fri, 1 Jun 2018 13:21:44 +0100
Zdravko Zdravkov <nirayah at gmail.com> wrote:

> Hi Rowland.
>
> Trying the suggested named.conf broke the local resolve of the
> storage as well (for clients in 192.168.26.0), so I reverted back to
> my old one since I have computers here using the storage at the
> moment. Would you have any other suggestions?
>

Not really, it looks like you have a broken AD dns set up. As I said, the Samba AD DC must be authoritative for the AD domain and should forward anything outside the domain to another DNS server.

You could look into this though:

If your storage (whatever it is, a NAS I suppose) is not part of the AD domain but is in the same subnet, then create its dns records in the Samba AD DNS and point it to the Samba DC as its nameserver.

Rowland
Zdravko Zdravkov
2018-Jun-01 13:08 UTC
[Samba] DNS not resolving particular host from queries from particular subnet
The Isilon storage is joined to the AD, also it's using the samba AD as DNS. The necessary dns and delegation records are created and are working as intended in the 192.168.26.0 subnet. Problem seems to be in 29.0 only.

On Fri, Jun 1, 2018 at 1:55 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 1 Jun 2018 13:21:44 +0100
> Zdravko Zdravkov <nirayah at gmail.com> wrote:
>
> > Hi Rowland.
> >
> > Trying the suggested named.conf broke the local resolve of the
> > storage as well (for clients in 192.168.26.0), so I reverted back to
> > my old one since I have computers here using the storage at the
> > moment. Would you have any other suggestions?
> >
>
> Not really, it looks like you have a broken AD dns set up. As I said,
> the Samba AD DC must be authoritative for the AD domain and should
> forward anything outside the domain to another DNS server.
> You could look into this though:
> If your storage (whatever it is, a NAS I suppose) is not part of the AD
> domain but is in the same subnet, then create its dns records in the
> Samba AD DNS and point it to the Samba DC as its nameserver.
>
> Rowland
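As an added check that is not part of the thread: BIND only recurses on behalf of clients matching allow-recursion, and following a delegation to another nameserver (such as the storage's delegated records mentioned above) is a recursive lookup, so it is worth confirming which client subnets the quoted allow-recursion block actually covers. The named.conf fragment and the sample client addresses below are constructed from values in the thread; the ACL evaluation follows BIND's first-match semantics.

```python
import ipaddress
import re

# Constructed fragment reproducing the allow-query / allow-recursion blocks
# from the named.conf quoted in this thread (values taken from the thread).
NAMED_CONF = """
options {
    listen-on port 53 { 127.0.0.1; 192.168.26.2; };
    allow-query { any; };
    allow-recursion {
        127.0.0.1;
        192.168.26.0/24;
        192.168.27.0/24;
    };
};
"""

def parse_acl(conf: str, option: str) -> list:
    """Return the entries of a brace-delimited address-match list such as
    allow-recursion, in the order BIND evaluates them (first match wins)."""
    m = re.search(r"\b" + re.escape(option) + r"\s*\{([^}]*)\}", conf)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def recursion_allowed(conf: str, client_ip: str) -> bool:
    """Decide whether BIND would recurse for this client. A leading '!'
    negates an entry, 'any'/'none' are keywords, a bare address is a host.
    BIND's default when the option is absent is localhost plus localnets;
    localnets depends on interface config, so this check simplifies the
    default to loopback only (a deliberate simplification)."""
    client = ipaddress.ip_address(client_ip)
    entries = parse_acl(conf, "allow-recursion")
    if not entries:
        return client.is_loopback
    for entry in entries:
        negate = entry.startswith("!")
        token = entry.lstrip("!").strip()
        if token == "any":
            matched = True
        elif token == "none":
            matched = False
        else:
            matched = client in ipaddress.ip_network(token, strict=False)
        if matched:
            return not negate
    return False  # nothing matched: BIND refuses recursion for this client

def check_clients(conf: str, clients: list) -> dict:
    """Map each sample client address to whether recursion is allowed."""
    return {ip: recursion_allowed(conf, ip) for ip in clients}
```

Running check_clients(NAMED_CONF, ["192.168.26.50", "192.168.27.50", "192.168.29.50"]) shows the 29.0 subnet is the one the quoted ACL does not cover.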