L.P.H. van Belle
2021-Feb-02 08:05 UTC
[Samba] How to Properly Configure Samba's Internal DNS
Hai,

Well, this looks great Marco, the configs below look good, I only see a minor change you can do, so only for correctness, I would change the realm to CAPS in krb5.conf and smb.conf and the netbios name in caps.

And yes, you need to add the PTR records if you want Kerberos to work, for example with CNAMEs in the DNS, or set rdns = no in krb5.conf.

And in contradiction to Rowland, I'm saying.. by default Windows "does" register A and PTR if you use a dynamic DNS setup, at least for the clients.

I really advise to at least add the PTR records for the AD-DCs.
Also, more and more needs the correct setup, so that's what I do recommend.
Add the PTR, minimal for all your servers.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Shmerykowsky via samba
> Sent: Monday 1 February 2021 16:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to Properly Configure Samba's Internal DNS
>
> On 2/1/2021 3:39 AM, L.P.H. van Belle via samba wrote:
> > As long as I don't see the debug output of the script,
> > I and Rowland (and others) are having a hard time to help out here.
> >
> > The debug script I made does show us almost all we need.
> > Now what you can do with it.
> >
> > Run it on all your AD-DCs and find the differences.
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> >
> > If you post the output to the list, don't attach the files and anonymize it where needed.
>
> For the sake of double checking everything again, here is the anonymized output of one server. Both servers produce the same output with the exception of the IP addresses.
>
> Only other exception is these two lines in nsswitch.conf
>
> passwd: compat winbind systemd
> group: compat winbind systemd
>
> winbind is only listed on one of the servers:
>
> Output of samba-debug-info:
>
> Collected config --- 2021-02-01-09:14 -----------
>
> Hostname: server1
> DNS Domain: ad-domain.company.com
> FQDN: server1.ad-domain.company.com
> ipaddress: 192.168.1.1
>
> -----------
>
> Kerberos SRV _kerberos._tcp.ad-domain.company.com record verified ok, sample output:
> Server: 192.168.1.1
> Address: 192.168.1.1#53
>
> _kerberos._tcp.ad-domain.company.com service = 0 100 88 server1.ad-domain.company.com.
> _kerberos._tcp.ad-domain.company.com service = 0 100 88 server2.ad-domain.company.com.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> This computer is running Debian 10.7 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 70:85:c2:4d:b4:bb brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute enp1s0
>     inet6 fe80::7285:c2ff:fe4d:b4bb/64 scope link
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.1.1 server1.ad-domain.company.com server1
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by NetworkManager
> search ad-domain.company.com
> nameserver 192.168.1.1
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = ad-domain.company.com
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind systemd
> group: compat winbind systemd
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Checking file: /etc/samba/smb.conf
>
> # Global parameters
> [global]
> netbios name = server1
> realm = ad-domain.company.com
> workgroup = AD-DOMAIN
> dns forwarder = 4.2.2.2
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> # ldap server require strong auth = no
> log level = 3
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad-domain.company.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> -----------
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
> Installed packages:
> ii acl 2.2.53-4 amd64 access control list - utilities
> ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
> ii fonts-quicksand 0.2016-2 all sans-serif font with round attributes
> ii krb5-config 2.6 all Configuration files for Kerberos Version 5
> ii krb5-locales 1.17-3+deb10u1 all internationalization support for MIT Kerberos
> ii krb5-user 1.17-3+deb10u1 amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
> ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
> ii libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-3:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries
> ii libkrb5support0:amd64 1.17-3+deb10u1 amd64 MIT Kerberos runtime libraries - Support library
> ii libnss-winbind:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba nameservice integration plugins
> ii libpam-krb5:amd64 4.8-2+deb10u1 amd64 PAM module for MIT Kerberos
> ii libpam-winbind:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Windows domain authentication integration plugin
> ii libwbclient0:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba winbind client library
> ii python3-samba 2:4.13.2+dfsg-0.1buster1 amd64 Python 3 bindings for Samba
> ii samba 2:4.13.2+dfsg-0.1buster1 amd64 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:4.13.2+dfsg-0.1buster1 all common files used by both the Samba server and client
> ii samba-common-bin 2:4.13.2+dfsg-0.1buster1 amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba core libraries
> ii samba-vfs-modules:amd64 2:4.13.2+dfsg-0.1buster1 amd64 Samba Virtual FileSystem plugins
> ii spice-client-glib-usb-acl-helper 0.35-2 amd64 Helper tool to validate usb ACLs
> ii winbind 2:4.13.2+dfsg-0.1buster1 amd64 service to resolve user and group information from Windows NT servers
>
> -----------
>
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
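A check for the PTR advice above, added here as an example (it is not part of the thread and not Louis's debug script): for each DC named in the _kerberos._tcp SRV record it resolves the A record, then the PTR for that address, and flags hosts where the two disagree, which is where a Kerberos client with rdns enabled ends up asking for a ticket under the wrong name. The sample A/PTR records are constructed; server2's address 192.168.1.2 and the alias "fs" are assumptions, not values from the thread.

```python
import socket

# Constructed sample records (not the thread's real zone): the two DCs from the
# _kerberos._tcp SRV record, plus a hypothetical alias "fs" sharing server1's
# address. 192.168.1.2 for server2 is an assumption.
SAMPLE_A = {
    "server1.ad-domain.company.com": "192.168.1.1",
    "server2.ad-domain.company.com": "192.168.1.2",
    "fs.ad-domain.company.com": "192.168.1.1",
}
SAMPLE_PTR = {
    "192.168.1.1": "server1.ad-domain.company.com",
    # 192.168.1.2 deliberately has no PTR: the gap Louis warns about.
}

def _norm(name):
    """Compare DNS names without trailing dot and case."""
    return name.rstrip(".").lower()

def check_host(fqdn, a_lookup, ptr_lookup):
    """Return a list of problems for one host; empty means A and PTR agree."""
    addr = a_lookup(fqdn)
    if addr is None:
        return [f"{fqdn}: no A record"]
    rname = ptr_lookup(addr)
    if rname is None:
        return [f"{fqdn}: no PTR for {addr}; add one, or set rdns = no in krb5.conf"]
    if _norm(rname) != _norm(fqdn):
        # With rdns on, the client canonicalizes to the PTR name and requests
        # host/<PTR name> instead of host/<fqdn>, so the ticket request fails.
        return [f"{fqdn}: PTR for {addr} is {rname}, not {fqdn}"]
    return []

def _live_a(fqdn):
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None

def _live_ptr(addr):
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_hosts(fqdns, a_lookup=_live_a, ptr_lookup=_live_ptr):
    """Map each host to its problems; defaults to the system resolver."""
    return {h: check_host(h, a_lookup, ptr_lookup) for h in fqdns}

if __name__ == "__main__":
    for host, problems in check_hosts(SAMPLE_A, SAMPLE_A.get, SAMPLE_PTR.get).items():
        print(host, "ok" if not problems else "; ".join(problems))
```

Run it on a DC with the default lookups, passing the DC names from the SRV record, to test the live zone instead of the constructed sample.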
Marco Shmerykowsky
2021-Feb-02 15:05 UTC
[Samba] How to Properly Configure Samba's Internal DNS
On 2/2/2021 3:05 AM, L.P.H. van Belle via samba wrote:
> Hai,
>
> Well, this looks great Marco, the configs below look good, I only see a minor change you can do, so only for correctness, I would change the realm to CAPS in krb5.conf and smb.conf and the netbios name in caps.

Is there a technical reason for all caps, or is it stylistic, just to be able to read the file more clearly?

> And yes, you need to add the PTR records if you want Kerberos to work, for example with CNAMEs in the DNS, or set rdns = no in krb5.conf.
>
> And in contradiction to Rowland, I'm saying.. by default Windows "does" register A and PTR if you use a dynamic DNS setup, at least for the clients.
>
> I really advise to at least add the PTR records for the AD-DCs.
> Also, more and more needs the correct setup, so that's what I do recommend.
> Add the PTR, minimal for all your servers.

This was my inexperienced confusion. I do not remember manually adding either A or PTR records for the hostnames when I set up the AD servers or the domain member servers (but I could be wrong). The two ADs and one domain member server just seemed to "work." I had to do it manually for the second domain member server. From the Samba wiki, it was not clear to me that setting these records was required. It seemed more optional and that things would work without the manual step. Learning as I go :)