> > I followed this url to set up Samba AD DC.
> > https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
> >
> > I do have it working. I am testing with a Windows 10 VM as a member
> > of the domain.
> > The machine joins the domain. Also, as administrator, I can create
> > and enforce
> > Group Policies from this Windows machine.
> >
> > I have a Fedora 29 server which serves DHCP and DNS (and DDNS). This
> > all works.
> > When I installed Samba DC, I specified this DNS server as a
> > forwarder.
>
> Is this dns server also authoritative for the same dns domain as the AD
> domain ?

Yes, the Fedora29 server is authoritative.

> >
> > On the DC server (named dc0) I can enter command,
> > > dig other_machine_in_lan
> > and get correct response.
> > If I enter this command,
> > > dig @localhost other_machine_in_lan
> > It fails. Dig from domain member of course also fails.
> >
> > I know you may need more information to diagnose, but there are so
> > many files that could
> > be part of the problem I do not know which to send.
> >
>
> Let's start with the smb.conf from the DC, your DC's FQDN and IP address
> (sanitised if you have to) and the same for your Fedora dns server.

=== DC server smb.conf ==
Ubuntu18.04> less /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = DC0
        realm = company.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = company
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/company.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
=== END DC server smb.conf ==

DC FQDN - dc0.company.com (172.23.93.25)

Fedora server - zaphod.company.com (172.23.93.3)

Did you need more from the DNS server?

I am also getting this in logs.
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]: [2019/04/26 13:22:57.535803,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]:   /usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]: [2019/04/26 13:22:57.537622,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]:   /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]: [2019/04/26 13:22:57.537800,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]:   /usr/sbin/samba_dnsupdate:     return self.run(*args, **kwargs)
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]: [2019/04/26 13:22:57.537959,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]:   /usr/sbin/samba_dnsupdate:   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 945, in run
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]: [2019/04/26 13:22:57.538110,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]:   /usr/sbin/samba_dnsupdate:     raise e
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]: [2019/04/26 13:22:57.547687,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
Apr 26 13:22:57 samba[1393]: task[dnsupdate][1393]:   ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 28

This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary and/or confidential information which may be privileged or otherwise protected from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s), please contact the sender by reply email and destroy the original message and any copies of the message as well as any attachments to the original message.
On Fri, 26 Apr 2019 13:35:45 -0600
durwin at mgtsciences.com wrote:

> > > I followed this url to set up Samba AD DC.
> > > https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
> > >
> > > I do have it working. I am testing with a Windows 10 VM as a
> > > member of the domain.
> > > The machine joins the domain. Also, as administrator, I can
> > > create and enforce
> > > Group Policies from this Windows machine.
> > >
> > > I have a Fedora 29 server which serves DHCP and DNS (and DDNS).
> > > This all works.
> > > When I installed Samba DC, I specified this DNS server as a
> > > forwarder.
> >
> > Is this dns server also authoritative for the same dns domain as
> > the AD domain ?
>
> Yes, the Fedora29 server is authoritative.
>
> > >
> > > On the DC server (named dc0) I can enter command,
> > > > dig other_machine_in_lan
> > > and get correct response.
> > > If I enter this command,
> > > > dig @localhost other_machine_in_lan
> > > It fails. Dig from domain member of course also fails.
> > >
> > > I know you may need more information to diagnose, but there are so
> > > many files that could
> > > be part of the problem I do not know which to send.
> > >
> >
> > Let's start with the smb.conf from the DC, your DC's FQDN and
> > IP address (sanitised if you have to) and the same for your Fedora
> > dns server.
>
> === DC server smb.conf ==
> Ubuntu18.04> less /etc/samba/smb.conf
> # Global parameters
> [global]
>         netbios name = DC0
>         realm = company.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = company
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/company.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> === END DC server smb.conf ==
>
> DC FQDN - dc0.company.com (172.23.93.25)
>
> Fedora server - zaphod.company.com (172.23.93.3)

So your DC is authoritative for the 'company.com' dns domain and holds
all the AD dns domain records.
zaphod is authoritative for the 'company.com' dns domain and presumably
holds none of the AD dns domain records.

Can you not see what is wrong here and why forwarding doesn't work ?

You should have used a subdomain of 'company.com' for your AD dns
domain (perhaps ad.company.com)

When you ask your DC for 'dnsclient.company.com' (where 'dnsclient' is
not an AD domain member), your DC will not forward it anywhere because
it is authoritative for the 'company.com' dns domain, it will just
return 'not known' or words to that effect.

I, personally, would transfer all the dns & dhcp roles from zaphod to
your DC, or start again with a new subdomain on your DC.

Your forwarders need to be outside your AD dns domain.

Rowland
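The rule Rowland is describing, as an added illustration that is not part of the thread and not Samba code: a DNS server answers every name that falls under a zone it is authoritative for from its own zone data, returning NXDOMAIN when the record is missing, and consults its forwarder only for names outside its zones. The model below compares the poster's layout (both dc0 and zaphod authoritative for company.com) with the suggested one (the AD DNS domain as ad.company.com). The host 'dnsclient', its address 172.23.93.50 and the zone contents are constructed for the example; only dc0 (172.23.93.25) and zaphod (172.23.93.3) come from the thread.

```python
"""Why an authoritative DNS server never forwards for its own zone.

Added illustration; not a real resolver and not Samba's code. It models
one rule: names under a zone this server owns are answered from zone
data (NXDOMAIN if absent) and the forwarder is never asked for them.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NXDOMAIN = "NXDOMAIN"
SERVFAIL = "SERVFAIL"


@dataclass
class Server:
    name: str
    # zone apex -> {owner name -> address}; the server is authoritative for each apex
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)
    forwarder: Optional["Server"] = None

    def authoritative_zone(self, qname: str) -> Optional[str]:
        """Longest zone apex this server owns that contains qname, or None."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            apex = ".".join(labels[i:])
            if apex in self.zones:
                return apex
        return None

    def resolve(self, qname: str) -> Tuple[str, str]:
        """Return (answering server, answer) for qname."""
        qname = qname.lower().rstrip(".")
        apex = self.authoritative_zone(qname)
        if apex is not None:
            # Authoritative for this name: answer from zone data. A missing
            # record is an authoritative NXDOMAIN; the forwarder is never asked.
            return self.name, self.zones[apex].get(qname, NXDOMAIN)
        if self.forwarder is not None:
            return self.forwarder.resolve(qname)
        return self.name, SERVFAIL


def zaphod_server() -> Server:
    """The Fedora DNS server, authoritative for company.com (zone data constructed)."""
    return Server("zaphod", zones={"company.com": {
        "zaphod.company.com": "172.23.93.3",
        "dnsclient.company.com": "172.23.93.50",  # non-member host, constructed
    }})


def thread_layout() -> Server:
    """The poster's layout: dc0 is also authoritative for company.com."""
    return Server("dc0",
                  zones={"company.com": {"dc0.company.com": "172.23.93.25"}},
                  forwarder=zaphod_server())


def subdomain_layout() -> Server:
    """Rowland's suggestion: the AD DNS domain is ad.company.com."""
    return Server("dc0",
                  zones={"ad.company.com": {"dc0.ad.company.com": "172.23.93.25"}},
                  forwarder=zaphod_server())


if __name__ == "__main__":
    for label, dc in (("company.com as AD domain", thread_layout()),
                      ("ad.company.com as AD domain", subdomain_layout())):
        print(label)
        for q in ("dnsclient.company.com", "dc0.company.com", "dc0.ad.company.com"):
            who, answer = dc.resolve(q)
            print(f"  dig @dc0 {q:<24} -> {answer} (from {who})")
```

In the first layout the query for dnsclient.company.com stops at dc0 with NXDOMAIN, which is the failing `dig @localhost` in the thread; in the second it is passed to zaphod and answered. On a real DC the equivalent check is to compare `dig @localhost dnsclient.company.com` with `dig @172.23.93.3 dnsclient.company.com`. One caveat the thread does not cover: once the AD zone is ad.company.com, zaphod should delegate that subdomain to dc0 (an NS record for ad.company.com) so that hosts that use zaphod can still find the DC's SRV records.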
> > > Is this dns server also authoritative for the same dns domain as
> > > the AD domain ?
> >
> > Yes, the Fedora29 server is authoritative.
> >
> > > Let's start with the smb.conf from the DC, your DC's FQDN and
> > > IP address (sanitised if you have to) and the same for your Fedora
> > > dns server.
> >
> > === DC server smb.conf ==
> > Ubuntu18.04> less /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >         netbios name = DC0
> >         realm = company.COM
> >         server role = active directory domain controller
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbindd, ntp_signd, kcc, dnsupdate
> >         workgroup = company
> >         idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/company.com/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> > === END DC server smb.conf ==
> >
> > DC FQDN - dc0.company.com (172.23.93.25)
> >
> > Fedora server - zaphod.company.com (172.23.93.3)
>
> So your DC is authoritative for the 'company.com' dns domain and holds
> all the AD dns domain records.
> zaphod is authoritative for 'company.com' dns domain and presumably
> holds none of the AD dns domain records

It did not occur to me the AD had to be authoritative. However, I thought
if a DNS server could not find a record in its database, it would query a
'Forward' server. I shall repeat the steps and use a subnet. Thank you.

> Can you not see what is wrong here and why forwarding doesn't work ?
>
> You should have used a subdomain of 'company.com' for your AD dns
> domain (perhaps ad.company.com)
>
> When you ask your DC for 'dnsclient.company.com' (where 'dnsclient' is
> not an AD domain member), your DC will not forward it anywhere because
> it is authoritative for the 'company.com' dns domain, it will just
> return 'not known' or words to that effect.
>
> I, personally, would transfer all the dns & dhcp roles from zaphod to
> your DC, or start again with a new subdomain on your DC.
>
> Your forwarders need to be outside your AD dns domain.
>
In my previous reply I said I would use a subnet. I meant subdomain.

> > > > I followed this url to set up Samba AD DC.
> > > > https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
> > > >
> > > > I do have it working. I am testing with a Windows 10 VM as a
> > > > member of the domain.
> > > > The machine joins the domain. Also, as administrator, I can
> > > > create and enforce
> > > > Group Policies from this Windows machine.
> > > >
> > > > I have a Fedora 29 server which serves DHCP and DNS (and DDNS).
> > > > This all works.
> > > > When I installed Samba DC, I specified this DNS server as a
> > > > forwarder.
> > >
> > > Is this dns server also authoritative for the same dns domain as
> > > the AD domain ?
> >
> > Yes, the Fedora29 server is authoritative.
> >
> > > >
> > > > On the DC server (named dc0) I can enter command,
> > > > > dig other_machine_in_lan
> > > > and get correct response.
> > > > If I enter this command,
> > > > > dig @localhost other_machine_in_lan
> > > > It fails. Dig from domain member of course also fails.
> > > >
> > > > I know you may need more information to diagnose, but there are so
> > > > many files that could
> > > > be part of the problem I do not know which to send.
> > > >
> > >
> > > Let's start with the smb.conf from the DC, your DC's FQDN and
> > > IP address (sanitised if you have to) and the same for your Fedora
> > > dns server.
> >
> > === DC server smb.conf ==
> > Ubuntu18.04> less /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >         netbios name = DC0
> >         realm = company.COM
> >         server role = active directory domain controller
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbindd, ntp_signd, kcc, dnsupdate
> >         workgroup = company
> >         idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/company.com/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> > === END DC server smb.conf ==
> >
> > DC FQDN - dc0.company.com (172.23.93.25)
> >
> > Fedora server - zaphod.company.com (172.23.93.3)
>
> So your DC is authoritative for the 'company.com' dns domain and holds
> all the AD dns domain records.
> zaphod is authoritative for 'company.com' dns domain and presumably
> holds none of the AD dns domain records
>
> Can you not see what is wrong here and why forwarding doesn't work ?
>
> You should have used a subdomain of 'company.com' for your AD dns
> domain (perhaps ad.company.com)
>
> When you ask your DC for 'dnsclient.company.com' (where 'dnsclient' is
> not an AD domain member), your DC will not forward it anywhere because
> it is authoritative for the 'company.com' dns domain, it will just
> return 'not known' or words to that effect.
>
> I, personally, would transfer all the dns & dhcp roles from zaphod to
> your DC, or start again with a new subdomain on your DC.
>
> Your forwarders need to be outside your AD dns domain.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba